On 03/05/2024 11:01, Michael Osipov wrote:
On 2024/05/03 08:59:17 Mark Thomas wrote:

<snip/>

There have been discussions about a new tomcat-shaded JAR that would
provide all the shaded dependencies we use both internally and with the
migration tool. My general concern with that is the volume of code. The
migration tool is already a 1MB JAR - most of it shaded code that is
never going to be used. There are tradeoffs to make there that need a
longer discussion. It is likely to be one of the topics at the Tomcat
Security day in Bratislava.

What is the benefit of a single JAR here for the public?

Removes the duplication of BCEL. We have a cut-down version for JAR scanning and a full version in the migration tool, although we'd need to check performance as that was one of the reasons for the trimmed-down version.

Simpler maintenance for us (just update versions in POM). May mean users get updated dependencies faster. That said, if there was a real need for an update we'd do it now anyway so...

Overall, probably more direct benefits for us than users. Users get the indirect benefits of us spending less time managing these dependencies.

Mark
