Hey Rémy,

thanks for your mail on this thread. I also read the thread on the
tomcat list earlier today. I can totally understand the community
decision regarding the EOL date of Tomcat 10.0 - so not an actual thing
to feel sorry about - we just have to deal with it now (and we should
have jumped into the discussion in 2019). I guess, that the most
elegant way is to just focus all efforts on TomEE 10 and get a final
release out of the door soonish (mostly blocked by CXF 4.1.x atm).

For end-users it is just a mess (imho) to get the difference between
ee9, ee9.1 and ee10 and to just pick the right spec version and so on -
it is sometimes like gambling to see, if something will actually work
at runtime.

Just want to respond on your "mess" experience:

- OWB did release relocated (= EE9) artifacts within their normal
release cycle, so technically OWB does support EE9 as well as (now)
EE10 with OWB4.

- CXF 4.0.x runs fine with the relocated artifacts of OWB2 targeting
EE9. This way we were able to get TomEE 9.1.x certified. There is
indeed an issue in CXF's CDI integration with legacy deprecated CDI API
usage, which also blocks the migration of Meecrowave (for example).
Hopefully, there will be a CXF 4.1.x soonish (they are working on it).

Long story short: You can try the relocated OWB2 artifacts with jakarta
classifier if you want to go hybrid mode ;)

- For all who are using Hibernate: 6.4.x won't work with TomEE 9.1.x
because the Hibernate guys also removed compensation code (for JPA 3.0
vs JPA 3.1 changes).

I can continue with a lot of other examples as we recently migrated a
lot of our apps towards EE9 (or EE10 depending on the stack). Some
frameworks or legacy libs are slowly moving towards EE9 (or sometimes
EE10). 

Regards
Richard





On Friday, 29.03.2024 at 14:16 +0100, Rémy Maucherat wrote:
> On Fri, Mar 29, 2024 at 12:39 PM Richard Zowalla <[email protected]>
> wrote:
> > 
> > Hi all,
> > 
> > I want to bring to your attention, that we had recently some
> > discussion
> > around our current strategy of backporting cve related fixes to
> > TomEE
> > 9.1.x [1].
> > 
> > We are in a situation, in which the Tomcat community has decided to
> > stop Tomcat 10.0.x (Servlet 5) work and only support Tomcat 9, 10.1
> > (Servlet 6) and onwards. Therefore, we do not get any bug fixes,
> > improvements and need to manually backport potential security
> > fixes; we
> > are actually in a fight, we cannot really win.
> > 
> > A few might ask, why we can't just upgrade to Tomcat 10.1.x with
> > TomEE
> > 9.1.x. The answer is simple: TomEE 9.1.x targets EE9.1, which
> > requires
> > us to stay in line with Servlet 5.
> > 
> > The bad thing is, that between Servlet 5 and Servlet 6, a few
> > methods
> > got removed making it backwards incompatible with Servlet 5.
> > 
> > So what are our options. From my pov, I can imagine the following:
> > 
> > (1) Continue to backport CVE fixes and miss out important bug
> > fixes,
> > improvements and stuff.
> > 
> > (2) Fork Tomcat from 10.1.x and re-add the dropped methods (from
> > Servlet 5) in order to stay up-2-date and remaining Servlet 5
> > compatible (Tomcat community won't do that, see [2]). Romain posted
> > the
> > actual diff here: [3]. Downside is, that we might break the TCK
> > signature test with this adjustment, so no TCK compliance anymore.
> > (Not actually speaking about the TCK itself, which might also
> > break
> > due to some changes in Servlet 6 in the way cookies are processed,
> > etc.)
> > 
> > (3) We officially drop v9 (with a perspective, i.e. end of the year
> > and
> > continue (1) until that date) and release a 10.0.0 within the next
> > couple of months well knowing that it might not pass the full TC
> > because we are in a hybrid state with CXF, etc.
> > 
> > While I like the idea of (2), it will scatter our sparse resources
> > even
> > more, because we need to release a forked Tomcat and I would
> > personally
> > not really be happy to invest my time into maintaining a Tomcat
> > fork
> > because it is time, I would like to invest into TomEE 10.x and its
> > other dependencies.
> > 
> > I am really keen to get some feedback on this discussion because we
> > somehow need to decide what we want to do with 9.1.x anyway. Even
> > if a
> > possible outcome of this discussion is, that we just stay with (1).
> 
> For what it is worth, I would like to apologize personally for
> helping
> create this mess ... I'm not convinced this was the wrong call
> though,
> given that it takes some effort to maintain a Tomcat branch and make
> releases from it, but still.
> 
> The history from the Tomcat side is:
> - At the end of 2019, the plan about Tomcat 10.0 / 10.1 was laid out.
> Tomcat 10.0 would implement EE 9, then be EOLed after the first
> stable
> 10.1 release implementing EE 10:
> https://cwiki.apache.org/confluence/display/TOMCAT/Jakarta+EE+Release+Numbering
> - Then the Tomcat 10.0 EOL was announced and done:
> https://tomcat.apache.org/tomcat-10.0-eol.html
> 
> The plan worked fine for Tomcat with barely anyone asking for more
> 10.0. There seems to be more activity around 10.1 than 9.0 these
> days,
> proving that people *are* migrating to Jakarta. This does not change
> the plan to continue 9.0 support without a set EOL date (extended
> support was decided due to the doubts on the Jakarta adoption rate).
> 
> I don't really understand why many projects focused on EE 9, since
> this still looks like a useless release. It could be useful for
> developers to have a test bed for an upcoming move to the new package
> but that seems to end there. I expected most projects would actually
> be focused on EE 10 instead, which also has breaking changes of its
> own. Going through two very rapid rounds of breaking changes seemed
> insane.
> 
> I actually ran into the EE 9 vs 10 issue myself:
> - OWB made the (right) call to release a CDI 4 impl (instead of CDI
> 3).
> - CXF 4 released support for EE 9 (not 10) which runs on CDI 3. It
> would be fine except it still uses previously deprecated APIs which
> have been dropped in CDI 4. So it doesn't run on OWB 4 (or 2
> obviously).
> - OTOH, I had "CXF 3 + OWB 2 + execute the Tomcat migration tool"
> running just fine as EE 9 "implementations" on Tomcat 10.1 ... But
> due
> to the deprecation removals in EE 10, I cannot simply take OWB 4 and
> pretend it is EE 9.
> I wonder how many examples like that are out there ...
> 
> Obviously I have to recommend doing 3) at this point.
> 
> Rémy
> 
> > 
> > Regards
> > Richard
> > 
> > [1] https://github.com/apache/tomee/pull/1114
> > [2]
> > https://lists.apache.org/thread/7mp6lw41qvtx6q3nf1rpqdv7zndb5xs5
> > [3]
> > https://lists.apache.org/thread/4nffbsvp6202pydr7mmyrsq6rqhgdkd6
