Guess the answer is "it depends". As long as your are not using old and deprecated APIs in the webapps, it shouldn't be a big deal.
Am Freitag, dem 29.03.2024 um 17:51 +0100 schrieb Benedict Eisenkrämer: > I guess one would net to try, but I think there are definitely some > breaking changes. > In the Spec there is a Appendix about that: > https://jakarta.ee/specifications/servlet/6.0/jakarta-servlet-spec-6.0#changes-since-jakarta-servlet-5-0 > The spec indirectly references this pull-request: > https://github.com/jakartaee/servlet/pull/419 through issue > https://github.com/jakartaee/servlet/issues/418 > Any code that directly uses these functions is definitely not going > to > be compatible. > Though from my point of view they don't seem to important for > individual > apps. > > I also found this article to be useful: > https://www.theserverside.com/blog/Coffee-Talk-Java-News-Stories-and-Opinions/Top-5-things-to-know-about-the-Jakarta-Servlet-60-API-release > > On 29.03.24 16:40, Alex The Rocker wrote: > > Great answer ! > > > > But something puzzles me: unless I have missed something, for year > > with TomEE versions before TomEE 9, I have seen web application > > relying on very old Java EE specifications running fine ; for > > example > > Java EE 6 ones running with TomEE 8, and quite many still at Java > > EE 7 > > running also with TomEE 8. > > > > But the current discussion mentioning the breaking change in > > Servlet 6 > > vs. Servlet 5 makes we worry : will it be still possible to run > > Jakarta EE 9 web apps using TomEE 10 ? > > > > (crossing fingers, hoping that the answer will be "yes") > > > > Alex > > > > Le ven. 29 mars 2024 à 16:36, Frank Jung > > <kamin.feuer.2...@gmx.de.invalid> a écrit : > > > Great discussion! > > > > > > For me it would make sense to stay with (1) until we have the > > > first release of TomEE 10.x and then depending on the state of > > > that release make a new decision on 9.x. > > > > > > As I suspect (2) doesn't help very much since it would add more > > > effort than it saves: instead of backporting CVEs from Tomcat > > > 10.1 to 10.0 we would have to re-integrate the Servlet 5 stuff in > > > every 10.1 release. > > > > > > Frankie > > > > -----Ursprüngliche Nachricht----- > > > > Von: Richard Zowalla <r...@apache.org> > > > > Gesendet: Freitag, 29. März 2024 12:38 > > > > An: dev@tomee.apache.org > > > > Betreff: [DISCUSS] TomEE 9.1.x and it's crippling dependency on > > > > EOL Tomcat > > > > 10.0.27 - Thoughts? > > > > > > > > Hi all, > > > > > > > > I want to bring to your attention, that we had recently some > > > > discussion > > > > around our current strategy of backporting cve related fixes to > > > > TomEE 9.1.x > > > > [1]. > > > > > > > > We are in a situation, in which the Tomcat community has > > > > decided to stop > > > > Tomcat 10.0.x (Servlet 5) work and only support Tomcat 9, 10.1 > > > > (Servlet 6) > > > > and onwards. Therefore, we do not get any bug fixes, > > > > improvements and > > > > need to manually backport potential security fixes; we are > > > > actually in a fight, > > > > we cannot really win. > > > > > > > > A few might ask, why we can't just upgrade to Tomcat 10.1.x > > > > with TomEE > > > > 9.1.x. The answer is simple: TomEE 9.1.x targets EE9.1, which > > > > requires us to > > > > stay in line with Servlet 5. > > > > > > > > The bad thing is, that between Servlet 5 and Servlet 6, a few > > > > methods got > > > > removed making it backwards incompatible with Servlet 5. > > > > > > > > So what are our options. From my pov, I can imagine the > > > > following: > > > > > > > > (1) Continue to backward CVE fixes and miss out important bug > > > > fixes, > > > > improvements and stuff. > > > > > > > > (2) Fork Tomcat from 10.1.x and re-add the dropped methods > > > > (from Servlet > > > > 5) in order to stay up-2-date and remaining Servlet 5 > > > > compatible (Tomcat > > > > community won't do that, see [2]). Romain posted the actual > > > > diff here: [3]. > > > > Downside is, that we might break the TCK signature test with > > > > this > > > > adjustment, so no TCK compliance anymore. > > > > (Don't actually speaking about the TCK itself, which might also > > > > break due to > > > > some changes in Servlet 6 in the way cookies are processed, > > > > etc.) > > > > > > > > (3) We officially drop v9 (with a perspective, i.e. end of the > > > > year and continue > > > > (1) until that date) and release a 10.0.0 within the next > > > > couple of months well > > > > knowing that it might not pass the full TC because we are in a > > > > hybrid state > > > > with CXF, etc. > > > > > > > > While I like the idea of (2), it will scatter our sparse > > > > resources even more, > > > > because we need to release a forked Tomcat and I would > > > > personally not really > > > > be happy to invest my time into maintaining a Tomcat fork > > > > because it is time, I > > > > would like to invest into TomEE 10.x and it's other > > > > dependencies. > > > > > > > > I am really keen to get some feedback on this discussion > > > > because we > > > > somehow need to decide what we want to do with 9.1.x anyway. > > > > Even if a > > > > possible outcome of this discussion is, that we just stay with > > > > (1). > > > > > > > > Gruß > > > > Richard > > > > > > > > [1] https://github.com/apache/tomee/pull/1114 > > > > [2] > > > > https://lists.apache.org/thread/7mp6lw41qvtx6q3nf1rpqdv7zndb5xs5 > > > > [3] > > > > https://lists.apache.org/thread/4nffbsvp6202pydr7mmyrsq6rqhgdkd6 >
