Re: Guidance on tomcat8 update for (LTS) jessie
On Wed, Jun 27, 2018 at 08:33:48AM -0400, Antoine Beaupré wrote:
> As an outsider not very familiar with Tomcat, I guess the main question
> I would like to answer before figuring this out would be what kind of
> compatibility garantees does Tomcat provide between versions. If it
> respects semver conventions, a 8.0 -> 8.5 update might be
> non-destructive and actually beneficial to our users.
I reviewed the [MIGRATION GUIDE] and it is quite clear that there are
numerous incompatible changes between 8.0 and 8.5. There are also
benefits, but it would be a disruptive change for users. Additionally,
the [RELEASE NOTES] contain this:
Note: A large number of deprecated methods, fields and configuration options
were removed in the transition from 8.0.x to 8.5.x. If any of those
removals triggers significant problems for the user community that the
deletion may be reverted in a later point release.
> Once that is done, we need to figure out what to do with stretch and
> buster. The latter will most likely sync up with upstream's latest
> through regular unstable transitions, but how about stretch? Is there
> any compelling reason why it's not following upstream minor releases?
> We've used that process (following semver + upstream more closely on
> stable) to update packages like PHP in the past and it served us well,
> so I wonder if that would be the same situation... In that case, this
> would be a matter of, as you say, sync stretch to jessie, then update
> stretch, and sync jessie again.
Following the same approach as packages like PHP seems like a generally
good idea, but it seems like there is a possibilty of incompatible
changes even in point releases, as stated in the [MIGRATION GUIDE] in
the section on moving between 8.5.x point releases:
The Tomcat developers aim for each patch release to be fully
backwards compatible with the previous release. Occasionally, it is
necessary to break backwards compatibility in order to fix a bug. In
most cases, these changes will go unnoticed. This section lists
changes that are not fully backwards compatible and might cause
breakage when upgrading.
There are also configuration file differences indicating changes to
default values, but nothing between 8.5.14 and 8.5.32 looks problematic.
That is to say, from a practical perspective your suggestion should work
for the 8.5 packages in stretch.
> Otherwise, I would consider syncing jessie with stretch unless there are
> compelling compatibility issues between 8.0 and 8.5. I can research that
> further if necessary.
This does not appear to be a good approach at the moment, given the
considerable differences between 8.0 and 8.5.
For the time being, it seems like the best approach is to patch the
current jessie package for the two outstanding CVEs. The patches apply
with only minor tweaks required.
It is possible that we might continue to support tomcat 8.0 for some
time, but probably not for the next two years. I will send a separate
email to the debian-lts list with a recommendation on handling tomcat8
in jessie, since this one is rather long and is focused on dealing with
the currently outstanding CVEs.
[MIGRATION GUIDE] https://tomcat.apache.org/migration-85.html
[RELEASE NOTES] https://tomcat.apache.org/tomcat-8.5-doc/RELEASE-NOTES.txt
Roberto C. Sánchez