hey all,

I was involved with a discussion on site here in Hamburg with Paul
about it.

On Fri, May 26, 2023 at 10:58:48AM +0200, Moritz Muehlenhoff wrote:
> On Fri, May 26, 2023 at 12:10:18AM +0200, Markus Koschany wrote:
> > First of all trapperkeeper-webserver-jetty9-clojure should add a
> > build-dependency on logback to detect such regressions in advance.
> > 
> > #1036250 is mainly a logback problem, not a tomcat problem. I still would like
> > to hear Emmanuel's opinion. We still could revert to libtomcat9-java, if we
> > don't find a solution though.
> > 
> > The tomcatjss / dogtag-pki situation is simple too. If there is no way to make
> > the application work with Tomcat 10, then there are three options:
> > 
> > 1. Embed Tomcat 9 in your application by creating a standalone jar
> > 
> > 2. Continue to use the current Tomcat 9 package as is but make sure that nobody
> > else than dogtag-pki uses it. (Package descriptions should be adjusted, and the
> > binary tomcat9 package should be probably removed too) Nobody should think that
> > we support two major Tomcat versions.
> > 
> > In any case the dogtag-pki maintainers must commit to at least three years of
> > security support, web application + Tomcat 9. Otherwise this is pointless.
> > 
> > 3. Remove dogtag-pki and tomcatjss from testing and prepare backports as soon
> > as dogtag-pki and Co support Tomcat 10.
> 
> Can't we just do the pragmatic fix of updating src:tomcat9 to only ship
> libtomcat9-java and libtomcat9-embed-java? The maintenance burden for
> security updates lies within the server stack, the percentage of issues
> affecting the libtomcat9-java binary packages as used by rdeps will be small
> to none?

This indeed would have been the most desirable and pragmatic approach,
which was looked at, but my (limited!) understanding of the situation
is still that this won't work out as we have dogtag-pki's pki-server
binary package depending on tomcat9-user:

respighi:~$ dak rm --suite=bookworm -n -R -b tomcat9-user
Will remove the following packages from bookworm:

tomcat9-user |   9.0.70-1 | all

Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>

------------------- Reason -------------------

----------------------------------------------

Checking reverse dependencies...
# Broken Depends:
dogtag-pki: pki-server

Dependency problem found.

See the followup on that by Markus in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034824#45; the
answer from Timo Aaltonen seems to be that a switch to tomcat10-user
won't work ...

Thus the proposal, at this stage, to keep both source packages.
Paul proposed another way forward in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034824#98 which now
involves one dependency rollback and documenting in the release notes and
debian-security-support what support level we can expect during the
bookworm cycle for src:tomcat9.

Otherwise, to drop the tomcat9 and tomcat9-user binary packages, it would
be necessary to drop dogtag-pki as well.

Does this make sense to you, Moritz?

Salvatore
