
Re: Guidance on tomcat8 update for (LTS) jessie



On 2018-06-29 21:44:36, Roberto C. Sánchez wrote:

[...]

> This does not appear to be a good approach at the moment, given the
> considerable differences between 8.0 and 8.5.
>
> For the time being, it seems like the best approach is to patch the
> current jessie package for the two outstanding CVEs.  The patches apply
> with only minor tweaks required.
>
> It is possible that we might continue to support tomcat 8.0 for some
> time, but probably not for the next two years.  I will send a separate
> email to the debian-lts list with a recommendation on handling tomcat8
> in jessie, since this one is rather long and is focused on dealing with
> the currently outstanding CVEs.

Thanks for the detailed analysis. With that extra information on hand, I
agree with your position. I wonder if reaching out upstream might be
worth our time, to insist on restoring backwards compatibility between
8.0 and 8.5. After all, they do seem open to that possibility in the
documents you have found, so voicing our concerns might be useful. They
might also prefer us supporting 8.5 than 8.0 because it will mean less
weird users coming to *them* as well, so it's in their interest to
retain that backwards compatibility, really... :)

Cheers!

A.

