I fully agree with Alex' point of view.
Frankie
> -----Ursprüngliche Nachricht-----
> Von: Alex The Rocker <alex.m3...@gmail.com>
> Gesendet: Freitag, 29. März 2024 14:28
> An: dev@tomee.apache.org
> Betreff: Re: [DISCUSS] TomEE 9.1.x and it's crippling dependency on EOL
> Tomcat 10.0.27 - Thoughts?
>
> About "I don't really understand why many projects focused on EE 9, since
> this still looks like a useless release"
>
> => I disagree, having a Java EE 8 -> Jakarta EE 9 migration path needing
> developers to rename javax into jakarta & find compatible dependencies has
> been a good "baby step" to leave Java EE without the additional trouble of
> break changes.
>
> This greatly lowered the migration cost on my side, so I would never
> complain about it - and of course I feel sorry for Tomcat's so short
> lifecycle on
> EE 9 support.
>
> (my 2 cents)
>
> Alex
>
> Le ven. 29 mars 2024 à 13:33, Thomas Andraschko
> <andraschko.tho...@gmail.com> a écrit :
> >
> > +1 for 3)
> >
> >
> > Richard Zowalla <r...@apache.org> schrieb am Fr., 29. März 2024, 12:38:
> >
> > > Hi all,
> > >
> > > I want to bring to your attention, that we had recently some
> > > discussion around our current strategy of backporting cve related
> > > fixes to TomEE 9.1.x [1].
> > >
> > > We are in a situation, in which the Tomcat community has decided to
> > > stop Tomcat 10.0.x (Servlet 5) work and only support Tomcat 9, 10.1
> > > (Servlet 6) and onwards. Therefore, we do not get any bug fixes,
> > > improvements and need to manually backport potential security fixes;
> > > we are actually in a fight, we cannot really win.
> > >
> > > A few might ask, why we can't just upgrade to Tomcat 10.1.x with
> > > TomEE 9.1.x. The answer is simple: TomEE 9.1.x targets EE9.1, which
> > > requires us to stay in line with Servlet 5.
> > >
> > > The bad thing is, that between Servlet 5 and Servlet 6, a few
> > > methods got removed making it backwards incompatible with Servlet 5.
> > >
> > > So what are our options. From my pov, I can imagine the following:
> > >
> > > (1) Continue to backward CVE fixes and miss out important bug fixes,
> > > improvements and stuff.
> > >
> > > (2) Fork Tomcat from 10.1.x and re-add the dropped methods (from
> > > Servlet 5) in order to stay up-2-date and remaining Servlet 5
> > > compatible (Tomcat community won't do that, see [2]). Romain posted
> > > the actual diff here: [3]. Downside is, that we might break the TCK
> > > signature test with this adjustment, so no TCK compliance anymore.
> > > (Don't actually speaking about the TCK itself, which might also
> > > break due to some changes in Servlet 6 in the way cookies are
> > > processed,
> > > etc.)
> > >
> > > (3) We officially drop v9 (with a perspective, i.e. end of the year
> > > and continue (1) until that date) and release a 10.0.0 within the
> > > next couple of months well knowing that it might not pass the full
> > > TC because we are in a hybrid state with CXF, etc.
> > >
> > > While I like the idea of (2), it will scatter our sparse resources
> > > even more, because we need to release a forked Tomcat and I would
> > > personally not really be happy to invest my time into maintaining a
> > > Tomcat fork because it is time, I would like to invest into TomEE
> > > 10.x and it's other dependencies.
> > >
> > > I am really keen to get some feedback on this discussion because we
> > > somehow need to decide what we want to do with 9.1.x anyway. Even if
> > > a possible outcome of this discussion is, that we just stay with (1).
> > >
> > > Gruß
> > > Richard
> > >
> > > [1] https://github.com/apache/tomee/pull/1114
> > > [2] https://lists.apache.org/thread/7mp6lw41qvtx6q3nf1rpqdv7zndb5xs5
> > > [3] https://lists.apache.org/thread/4nffbsvp6202pydr7mmyrsq6rqhgdkd6
> > >
