+1 for 3)
Richard Zowalla <r...@apache.org> schrieb am Fr., 29. März 2024, 12:38: > Hi all, > > I want to bring to your attention, that we had recently some discussion > around our current strategy of backporting cve related fixes to TomEE > 9.1.x [1]. > > We are in a situation, in which the Tomcat community has decided to > stop Tomcat 10.0.x (Servlet 5) work and only support Tomcat 9, 10.1 > (Servlet 6) and onwards. Therefore, we do not get any bug fixes, > improvements and need to manually backport potential security fixes; we > are actually in a fight, we cannot really win. > > A few might ask, why we can't just upgrade to Tomcat 10.1.x with TomEE > 9.1.x. The answer is simple: TomEE 9.1.x targets EE9.1, which requires > us to stay in line with Servlet 5. > > The bad thing is, that between Servlet 5 and Servlet 6, a few methods > got removed making it backwards incompatible with Servlet 5. > > So what are our options. From my pov, I can imagine the following: > > (1) Continue to backward CVE fixes and miss out important bug fixes, > improvements and stuff. > > (2) Fork Tomcat from 10.1.x and re-add the dropped methods (from > Servlet 5) in order to stay up-2-date and remaining Servlet 5 > compatible (Tomcat community won't do that, see [2]). Romain posted the > actual diff here: [3]. Downside is, that we might break the TCK > signature test with this adjustment, so no TCK compliance anymore. > (Don't actually speaking about the TCK itself, which might also break > due to some changes in Servlet 6 in the way cookies are processed, > etc.) > > (3) We officially drop v9 (with a perspective, i.e. end of the year and > continue (1) until that date) and release a 10.0.0 within the next > couple of months well knowing that it might not pass the full TC > because we are in a hybrid state with CXF, etc. > > While I like the idea of (2), it will scatter our sparse resources even > more, because we need to release a forked Tomcat and I would personally > not really be happy to invest my time into maintaining a Tomcat fork > because it is time, I would like to invest into TomEE 10.x and it's > other dependencies. > > I am really keen to get some feedback on this discussion because we > somehow need to decide what we want to do with 9.1.x anyway. Even if a > possible outcome of this discussion is, that we just stay with (1). > > Gruß > Richard > > [1] https://github.com/apache/tomee/pull/1114 > [2] https://lists.apache.org/thread/7mp6lw41qvtx6q3nf1rpqdv7zndb5xs5 > [3] https://lists.apache.org/thread/4nffbsvp6202pydr7mmyrsq6rqhgdkd6 >