About "I don't really understand why many projects focused on EE 9, since this still looks like a useless release"

=> I disagree, having a Java EE 8 -> Jakarta EE 9 migration path needing developers to rename javax into jakarta & find compatible dependencies has been a good "baby step" to leave Java EE without the additional trouble of breaking changes. This greatly lowered the migration cost on my side, so I would never complain about it - and of course I feel sorry for Tomcat's so short lifecycle on EE 9 support.

(my 2 cents)

Alex

On Fri, 29 Mar 2024 at 13:33, Thomas Andraschko <[email protected]> wrote:
>
> +1 for 3)
>
>
> On Fri, 29 Mar 2024 at 12:38, Richard Zowalla <[email protected]> wrote:
>
> > Hi all,
> >
> > I want to bring to your attention, that we had recently some discussion
> > around our current strategy of backporting CVE-related fixes to TomEE
> > 9.1.x [1].
> >
> > We are in a situation, in which the Tomcat community has decided to
> > stop Tomcat 10.0.x (Servlet 5) work and only support Tomcat 9, 10.1
> > (Servlet 6) and onwards. Therefore, we do not get any bug fixes,
> > improvements and need to manually backport potential security fixes; we
> > are actually in a fight, we cannot really win.
> >
> > A few might ask, why we can't just upgrade to Tomcat 10.1.x with TomEE
> > 9.1.x. The answer is simple: TomEE 9.1.x targets EE9.1, which requires
> > us to stay in line with Servlet 5.
> >
> > The bad thing is, that between Servlet 5 and Servlet 6, a few methods
> > got removed making it backwards incompatible with Servlet 5.
> >
> > So what are our options? From my pov, I can imagine the following:
> >
> > (1) Continue to backport CVE fixes and miss out important bug fixes,
> > improvements and stuff.
> >
> > (2) Fork Tomcat from 10.1.x and re-add the dropped methods (from
> > Servlet 5) in order to stay up-2-date and remaining Servlet 5
> > compatible (Tomcat community won't do that, see [2]). Romain posted the
> > actual diff here: [3]. Downside is, that we might break the TCK
> > signature test with this adjustment, so no TCK compliance anymore.
> > (Not actually speaking about the TCK itself, which might also break
> > due to some changes in Servlet 6 in the way cookies are processed,
> > etc.)
> >
> > (3) We officially drop v9 (with a perspective, i.e. end of the year and
> > continue (1) until that date) and release a 10.0.0 within the next
> > couple of months well knowing that it might not pass the full TC
> > because we are in a hybrid state with CXF, etc.
> >
> > While I like the idea of (2), it will scatter our sparse resources even
> > more, because we need to release a forked Tomcat and I would personally
> > not really be happy to invest my time into maintaining a Tomcat fork
> > because it is time, I would like to invest into TomEE 10.x and its
> > other dependencies.
> >
> > I am really keen to get some feedback on this discussion because we
> > somehow need to decide what we want to do with 9.1.x anyway. Even if a
> > possible outcome of this discussion is, that we just stay with (1).
> >
> > Regards
> > Richard
> >
> > [1] https://github.com/apache/tomee/pull/1114
> > [2] https://lists.apache.org/thread/7mp6lw41qvtx6q3nf1rpqdv7zndb5xs5
> > [3] https://lists.apache.org/thread/4nffbsvp6202pydr7mmyrsq6rqhgdkd6
> >
