+1 for 3)

Richard Zowalla <r...@apache.org> wrote on Fri., 29 March 2024, 12:38:

> Hi all,
>
> I want to bring to your attention that we recently had some discussion
> around our current strategy of backporting CVE-related fixes to TomEE
> 9.1.x [1].
>
> We are in a situation in which the Tomcat community has decided to
> stop Tomcat 10.0.x (Servlet 5) work and only support Tomcat 9, 10.1
> (Servlet 6) and onwards. Therefore, we do not get any bug fixes or
> improvements and need to manually backport potential security fixes; we
> are actually in a fight we cannot really win.
>
> A few might ask why we can't just upgrade to Tomcat 10.1.x with TomEE
> 9.1.x. The answer is simple: TomEE 9.1.x targets EE9.1, which requires
> us to stay in line with Servlet 5.
>
> The bad thing is that between Servlet 5 and Servlet 6, a few methods
> got removed, making it backwards incompatible with Servlet 5.
>
> So what are our options? From my POV, I can imagine the following:
>
> (1) Continue to backport CVE fixes and miss out on important bug fixes,
> improvements and stuff.
>
> (2) Fork Tomcat from 10.1.x and re-add the dropped methods (from
> Servlet 5) in order to stay up-to-date and remain Servlet 5
> compatible (Tomcat community won't do that, see [2]). Romain posted the
> actual diff here: [3]. The downside is that we might break the TCK
> signature test with this adjustment, so no TCK compliance anymore.
> (Not actually speaking about the TCK itself, which might also break
> due to some changes in Servlet 6 in the way cookies are processed,
> etc.)
>
> (3) We officially drop v9 (with a perspective, i.e. end of the year, and
> continue (1) until that date) and release a 10.0.0 within the next
> couple of months, knowing well that it might not pass the full TCK
> because we are in a hybrid state with CXF, etc.
>
> While I like the idea of (2), it will scatter our sparse resources even
> more, because we need to release a forked Tomcat, and I would personally
> not really be happy to invest my time into maintaining a Tomcat fork,
> because it is time I would like to invest into TomEE 10.x and its
> other dependencies.
>
> I am really keen to get some feedback on this discussion because we
> somehow need to decide what we want to do with 9.1.x anyway, even if a
> possible outcome of this discussion is that we just stay with (1).
>
> Regards
> Richard
>
> [1] https://github.com/apache/tomee/pull/1114
> [2] https://lists.apache.org/thread/7mp6lw41qvtx6q3nf1rpqdv7zndb5xs5
> [3] https://lists.apache.org/thread/4nffbsvp6202pydr7mmyrsq6rqhgdkd6
>