Great discussion!

For me it would make sense to stay with (1) until we have the first release of 
TomEE 10.x and then depending on the state of that release make a new decision 
on 9.x.

As I suspect, (2) doesn't help very much since it would add more effort than it 
saves: instead of backporting CVEs from Tomcat 10.1 to 10.0 we would have to 
re-integrate the Servlet 5 stuff in every 10.1 release.

Frankie
> -----Original Message-----
> From: Richard Zowalla <r...@apache.org>
> Sent: Friday, 29 March 2024 12:38
> To: dev@tomee.apache.org
> Subject: [DISCUSS] TomEE 9.1.x and its crippling dependency on EOL Tomcat
> 10.0.27 - Thoughts?
> 
> Hi all,
> 
> I want to bring to your attention that we recently had some discussion
> around our current strategy of backporting CVE-related fixes to TomEE 9.1.x
> [1].
> 
> We are in a situation in which the Tomcat community has decided to stop
> Tomcat 10.0.x (Servlet 5) work and only support Tomcat 9, 10.1 (Servlet 6)
> and onwards. Therefore, we do not get any bug fixes or improvements and
> need to manually backport potential security fixes; we are actually in a
> fight we cannot really win.
> 
> A few might ask why we can't just upgrade to Tomcat 10.1.x with TomEE
> 9.1.x. The answer is simple: TomEE 9.1.x targets EE 9.1, which requires us to
> stay in line with Servlet 5.
> 
> The bad thing is that between Servlet 5 and Servlet 6 a few methods got
> removed, making it backwards incompatible with Servlet 5.
> 
> So what are our options? From my POV, I can imagine the following:
> 
> (1) Continue to backport CVE fixes and miss out on important bug fixes,
> improvements and so on.
> 
> (2) Fork Tomcat from 10.1.x and re-add the dropped methods (from Servlet
> 5) in order to stay up-to-date and remain Servlet 5 compatible (the Tomcat
> community won't do that, see [2]). Romain posted the actual diff here: [3].
> The downside is that we might break the TCK signature test with this
> adjustment, so no TCK compliance anymore.
> (Not actually speaking about the TCK itself, which might also break due to
> some changes in Servlet 6 in the way cookies are processed, etc.)
> 
> (3) We officially drop v9 (with a perspective, i.e. end of the year, and
> continue (1) until that date) and release a 10.0.0 within the next couple of
> months, well knowing that it might not pass the full TCK because we are in a
> hybrid state with CXF, etc.
> 
> While I like the idea of (2), it will scatter our sparse resources even more,
> because we would need to release a forked Tomcat, and I would personally not
> really be happy to invest my time into maintaining a Tomcat fork because it is
> time I would like to invest into TomEE 10.x and its other dependencies.
> 
> I am really keen to get some feedback on this discussion because we
> somehow need to decide what we want to do with 9.1.x anyway, even if a
> possible outcome of this discussion is that we just stay with (1).
> 
> Regards
> Richard
> 
> [1] https://github.com/apache/tomee/pull/1114
> [2] https://lists.apache.org/thread/7mp6lw41qvtx6q3nf1rpqdv7zndb5xs5
> [3] https://lists.apache.org/thread/4nffbsvp6202pydr7mmyrsq6rqhgdkd6