On Dec 7, 2007, at 2:44 PM, Joe Bohn wrote:
I was just looking into updating Tomcat for the Geronimo 2.1 release
with an eye toward getting a fix integrated for the Webdav servlet
security issue.
There are 3 possible approaches:
1) Apply the Webdav patch to the 6.0.13 image with the annotation
changes and one other minor change (basically our current
6.0.13_G543818 build plus the WebDav fix). Check this into our
private repository in trunk.
2) Check out 6.0.14, apply the Webdav patch and annotation changes.
Check this into our private repository in trunk.
3) Check out Tomcat trunk (6.0.x) which already includes the Webdav
patch but not the annotation changes. Apply the annotation changes
for our private build and check it into our repository in trunk.
I personally think #2 is probably best although it might expose some
other issues in Tomcat. We could always fall back to #1 if
necessary. There was an attempt made at a Tomcat 6.0.15 a few weeks
back but it failed due to some context and TCK issues ... hence my
reservations with 6.0.x since it probably has those same issues.

OK. Good, I think, to upgrade to 6.0.14. So, I like your plan #2.
--kevan