I guess one would need to try, but I think there are definitely some
breaking changes.
In the Spec there is an Appendix about that:
https://jakarta.ee/specifications/servlet/6.0/jakarta-servlet-spec-6.0#changes-since-jakarta-servlet-5-0
The spec indirectly references this pull-request:
https://github.com/jakartaee/servlet/pull/419 through issue
https://github.com/jakartaee/servlet/issues/418
Any code that directly uses these functions is definitely not going to
be compatible.
Though from my point of view they don't seem too important for individual
apps.
I also found this article to be useful:
https://www.theserverside.com/blog/Coffee-Talk-Java-News-Stories-and-Opinions/Top-5-things-to-know-about-the-Jakarta-Servlet-60-API-release
On 29.03.24 16:40, Alex The Rocker wrote:
Great answer!
But something puzzles me: unless I have missed something, for years
with TomEE versions before TomEE 9, I have seen web applications
relying on very old Java EE specifications running fine; for example
Java EE 6 ones running with TomEE 8, and quite many still at Java EE 7
running also with TomEE 8.
But the current discussion mentioning the breaking change in Servlet 6
vs. Servlet 5 makes me worry: will it still be possible to run
Jakarta EE 9 web apps using TomEE 10?
(crossing fingers, hoping that the answer will be "yes")
Alex
On Fri, 29 Mar 2024 at 16:36, Frank Jung
<kamin.feuer.2...@gmx.de.invalid> wrote:
Great discussion!
For me it would make sense to stay with (1) until we have the first release of
TomEE 10.x and then depending on the state of that release make a new decision
on 9.x.
As I suspect (2) doesn't help very much since it would add more effort than it
saves: instead of backporting CVEs from Tomcat 10.1 to 10.0 we would have to
re-integrate the Servlet 5 stuff in every 10.1 release.
Frankie
-----Original Message-----
From: Richard Zowalla <r...@apache.org>
Sent: Friday, 29 March 2024 12:38
To: dev@tomee.apache.org
Subject: [DISCUSS] TomEE 9.1.x and its crippling dependency on EOL Tomcat
10.0.27 - Thoughts?
Hi all,
I want to bring to your attention that we recently had some discussion
around our current strategy of backporting CVE-related fixes to TomEE 9.1.x
[1].
We are in a situation in which the Tomcat community has decided to stop
Tomcat 10.0.x (Servlet 5) work and only support Tomcat 9, 10.1 (Servlet 6)
and onwards. Therefore, we do not get any bug fixes or improvements and
need to manually backport potential security fixes; we are actually in a fight
we cannot really win.
A few might ask why we can't just upgrade to Tomcat 10.1.x with TomEE
9.1.x. The answer is simple: TomEE 9.1.x targets EE9.1, which requires us to
stay in line with Servlet 5.
The bad thing is that between Servlet 5 and Servlet 6, a few methods got
removed, making it backwards incompatible with Servlet 5.
So what are our options? From my pov, I can imagine the following:
(1) Continue to backport CVE fixes and miss out on important bug fixes,
improvements and stuff.
(2) Fork Tomcat from 10.1.x and re-add the dropped methods (from Servlet
5) in order to stay up-2-date and remain Servlet 5 compatible (Tomcat
community won't do that, see [2]). Romain posted the actual diff here: [3].
Downside is that we might break the TCK signature test with this
adjustment, so no TCK compliance anymore.
(Not actually speaking about the TCK itself, which might also break due to
some changes in Servlet 6 in the way cookies are processed,
etc.)
(3) We officially drop v9 (with a perspective, i.e. end of the year and continue
(1) until that date) and release a 10.0.0 within the next couple of months well
knowing that it might not pass the full TC because we are in a hybrid state
with CXF, etc.
While I like the idea of (2), it will scatter our sparse resources even more,
because we need to release a forked Tomcat and I would personally not really
be happy to invest my time into maintaining a Tomcat fork because it is time I
would like to invest into TomEE 10.x and its other dependencies.
I am really keen to get some feedback on this discussion because we
somehow need to decide what we want to do with 9.1.x anyway. Even if a
possible outcome of this discussion is that we just stay with (1).
Regards
Richard
[1] https://github.com/apache/tomee/pull/1114
[2] https://lists.apache.org/thread/7mp6lw41qvtx6q3nf1rpqdv7zndb5xs5
[3] https://lists.apache.org/thread/4nffbsvp6202pydr7mmyrsq6rqhgdkd6