On Mon, Jun 24, 2024 at 3:21 PM Mark Thomas <ma...@apache.org> wrote:

> On 21/06/2024 15:35, Dimitris Soumis wrote:
> > Hi all,
> >
> > I hope this message finds you well. I am writing to seek clarifications and
> > provide some suggestions regarding the Tomcat Native binary distributions.
> >
> > Firstly, I have noticed that openssl.exe is included in the Tomcat Native
> > binary distributions. It appears that the .dll file is sufficient for the
> > component to function correctly. Thus, my question is why is openssl.exe
> > included in the distribution? If openssl.exe is not essential, it might be
> > worth considering its removal from the distribution to minimize the
> > vulnerability footprint.
>
> Its inclusion predates me acting as release manager for Tomcat Native.
> If I had to guess, I'd guess that it was included so folks on Windows
> had an OpenSSL binary to use to work with keys, certificates, signing
> requests etc.
>
> > Secondly, I observed that Tomcat Native 1.3.0 does not include the .pdb
> > file, which is present in version 2.0.7. I would like to confirm if this is
> > intentional.
>
> No. That looks like an oversight.
>
> > Additionally, Tomcat Native 1.3.0 contains a deprecated VERSIONS file.
>
> Could you be more specific about this?
>

I compared 1.3.x and 2.0.x versions:
1.3.x :
https://github.com/apache/tomcat-native/blob/1.3.x/native/srclib/VERSIONS
2.0.x :
https://github.com/apache/tomcat-native/blob/main/native/srclib/VERSIONS

Formatting as well as minimum versions in 1.3.x seem out of date.


> > I would also like to suggest pruning the "Building" and "Running the tests"
> > sections in the README.txt for both versions. These sections are not
> > applicable to the binary distribution and their exclusion could make the
> > documentation more concise and user-friendly.
>
> I think separate README files for source and binary will be more work to
> manage and also more error prone. It might be simpler to mark those
> sections with "(source distribution only)" or similar.
>
> > Lastly, I noticed a minor issue, the NOTICE file for both releases contains
> > an outdated copyright date.
>
> Could you be more specific? The NOTICE file in both tags looks to have
> the correct date.
>

Although in the repo, the NOTICE file in both tags has the correct date,
the latest binary releases seem to have been packed with an old NOTICE file
containing the following:
"Apache Tomcat Native Library
Copyright 2002-2018 The Apache Software Foundation"


>
> Mark
>
