On Fri, Mar 29, 2024 at 12:39 PM Richard Zowalla <[email protected]> wrote:
>
> Hi all,
>
> I want to bring to your attention that we recently had some discussion
> around our current strategy of backporting CVE-related fixes to TomEE
> 9.1.x [1].
>
> We are in a situation in which the Tomcat community has decided to
> stop Tomcat 10.0.x (Servlet 5) work and only support Tomcat 9, 10.1
> (Servlet 6) and onwards. Therefore, we do not get any bug fixes or
> improvements and need to manually backport potential security fixes; we
> are actually in a fight we cannot really win.
>
> A few might ask why we can't just upgrade to Tomcat 10.1.x with TomEE
> 9.1.x. The answer is simple: TomEE 9.1.x targets EE 9.1, which requires
> us to stay in line with Servlet 5.
>
> The bad thing is that between Servlet 5 and Servlet 6, a few methods
> got removed, making it backwards incompatible with Servlet 5.
>
> So what are our options? From my pov, I can imagine the following:
>
> (1) Continue to backport CVE fixes and miss out on important bug fixes,
> improvements and stuff.
>
> (2) Fork Tomcat from 10.1.x and re-add the dropped methods (from
> Servlet 5) in order to stay up-to-date while remaining Servlet 5
> compatible (the Tomcat community won't do that, see [2]). Romain posted
> the actual diff here: [3]. The downside is that we might break the TCK
> signature test with this adjustment, so no TCK compliance anymore.
> (Not actually speaking about the TCK itself, which might also break
> due to some changes in Servlet 6 in the way cookies are processed,
> etc.)
>
> (3) We officially drop v9 (with a perspective, i.e. end of the year, and
> continue (1) until that date) and release a 10.0.0 within the next
> couple of months, well knowing that it might not pass the full TCK
> because we are in a hybrid state with CXF, etc.
>
> While I like the idea of (2), it will scatter our sparse resources even
> more, because we need to release a forked Tomcat, and I would personally
> not really be happy to invest my time into maintaining a Tomcat fork
> because it is time I would like to invest into TomEE 10.x and its
> other dependencies.
>
> I am really keen to get some feedback on this discussion because we
> somehow need to decide what we want to do with 9.1.x anyway. Even if a
> possible outcome of this discussion is that we just stay with (1).
For what it is worth, I would like to apologize personally for helping create this mess ... I'm not convinced this was the wrong call though, given that it takes some effort to maintain a Tomcat branch and make releases from it, but still.

The history from the Tomcat side is:

- At the end of 2019, the plan about Tomcat 10.0 / 10.1 was laid out. Tomcat 10.0 would implement EE 9, then be EOLed after the first stable 10.1 release implementing EE 10: https://cwiki.apache.org/confluence/display/TOMCAT/Jakarta+EE+Release+Numbering
- Then the Tomcat 10.0 EOL was announced and done: https://tomcat.apache.org/tomcat-10.0-eol.html

The plan worked fine for Tomcat, with barely anyone asking for more 10.0. There seems to be more activity around 10.1 than 9.0 these days, proving that people *are* migrating to Jakarta. This does not change the plan to continue 9.0 support without a set EOL date (extended support was decided due to the doubts on the Jakarta adoption rate).

I don't really understand why many projects focused on EE 9, since this still looks like a useless release. It could be useful for developers to have a test bed for an upcoming move to the new package, but that seems to end there. I expected most projects would actually be focused on EE 10 instead, which also has breaking changes of its own. Going through two very rapid rounds of breaking changes seemed insane.

I actually ran into the EE 9 vs 10 issue myself:

- OWB made the (right) call to release a CDI 4 impl (instead of CDI 3).
- CXF 4 released support for EE 9 (not 10), which runs on CDI 3. It would be fine except it still uses previously deprecated APIs which have been dropped in CDI 4. So it doesn't run on OWB 4 (or 2, obviously).
- OTOH, I had "CXF 3 + OWB 2 + execute the Tomcat migration tool" running just fine as EE 9 "implementations" on Tomcat 10.1 ... But due to the deprecation removals in EE 10, I cannot simply take OWB 4 and pretend it is EE 9.

I wonder how many examples like that are out there ...

Obviously I have to recommend doing 3) at this point.

Rémy

> Gruß
> Richard
>
> [1] https://github.com/apache/tomee/pull/1114
> [2] https://lists.apache.org/thread/7mp6lw41qvtx6q3nf1rpqdv7zndb5xs5
> [3] https://lists.apache.org/thread/4nffbsvp6202pydr7mmyrsq6rqhgdkd6
