Re: Clarifications and Suggestions on Tomcat Native Binary Distributions

2024-06-28 Thread Mark Thomas

On 28/06/2024 10:23, Dimitris Soumis wrote:

On Mon, Jun 24, 2024 at 3:21 PM Mark Thomas  wrote:

On 21/06/2024 15:35, Dimitris Soumis wrote:

Additionally, Tomcat Native 1.3.0 contains a deprecated VERSIONS file.


Could you be more specific about this.



I compared 1.3.x and 2.0.x versions:
1.3.x :
https://github.com/apache/tomcat-native/blob/1.3.x/native/srclib/VERSIONS
2.0.x :
https://github.com/apache/tomcat-native/blob/main/native/srclib/VERSIONS

Formatting as well as minimum versions in 1.3.x seem out of date.


Those versions look correct to me.

1.3.x needs to support OpenSSL 1.1.1 since that is in use with a large 
number of downstream distributions.



Lastly, I noticed a minor issue, the NOTICE file for both releases contains
an outdated copyright date.


Could you be more specific. The NOTICE file in both tags looks to have
the correct date.



Although in the repo, the NOTICE file in both tags has the correct date,
the latest binary releases seem to have been packed with an old NOTICE file
containing the following:
"Apache Tomcat Native Library
Copyright 2002-2018 The Apache Software Foundation"


Ah. Searching for 2018 found the culprits. I'll get that fixed.

Mark

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
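A release-artifact check of the kind this thread describes (a NOTICE whose copyright range stops short of the release year, an openssl.exe shipped alongside the .dll, no .pdb present), written here as an added example and not Tomcat's own release tooling. The archive contents are constructed for the example and `release_year` is an assumption about the year the NOTICE range should reach.

```python
import io
import re
import zipfile
from datetime import date

# Constructed sample standing in for a Tomcat Native binary zip; the paths and
# file contents are made up for this example and differ from real releases.
_SAMPLE = {
    "tomcat-native-example/NOTICE": (
        "Apache Tomcat Native Library\n"
        "Copyright 2002-2018 The Apache Software Foundation\n"
    ),
    "tomcat-native-example/bin/x64/tcnative-1.dll": b"\x00",
    "tomcat-native-example/bin/x64/openssl.exe": b"\x00",
}

def build_sample_zip() -> bytes:
    """Pack the constructed sample into an in-memory zip archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in _SAMPLE.items():
            zf.writestr(name, data)
    return buf.getvalue()

_COPYRIGHT = re.compile(r"Copyright\s+(\d{4})-(\d{4})")

def audit_release(zip_bytes: bytes, release_year: int) -> dict:
    """Walk one binary distribution archive and report the three findings."""
    findings = {"notice_end_year": None, "notice_stale": False,
                "has_openssl_exe": False, "has_pdb": False}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            base = info.filename.rsplit("/", 1)[-1]
            if base == "NOTICE":
                text = zf.read(info.filename).decode("utf-8", "replace")
                m = _COPYRIGHT.search(text)
                if m:
                    end_year = int(m.group(2))
                    findings["notice_end_year"] = end_year
                    # Stale when the packed NOTICE predates the release year.
                    findings["notice_stale"] = end_year < release_year
            elif base.lower() == "openssl.exe":
                findings["has_openssl_exe"] = True
            elif base.lower().endswith(".pdb"):
                findings["has_pdb"] = True
    return findings

if __name__ == "__main__":
    for key, value in audit_release(build_sample_zip(), date.today().year).items():
        print(f"{key}: {value}")
```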



Re: Clarifications and Suggestions on Tomcat Native Binary Distributions

2024-06-28 Thread Dimitris Soumis
On Mon, Jun 24, 2024 at 3:21 PM Mark Thomas  wrote:

> On 21/06/2024 15:35, Dimitris Soumis wrote:
> > Hi all,
> >
> > I hope this message finds you well. I am writing to seek clarifications and
> > provide some suggestions regarding the Tomcat Native binary distributions.
> >
> > Firstly, I have noticed that openssl.exe is included in the Tomcat Native
> > binary distributions. It appears that the .dll file is sufficient for the
> > component to function correctly. Thus, my question is why is openssl.exe
> > included in the distribution? If openssl.exe is not essential, it might be
> > worth considering its removal from the distribution to minimize the
> > vulnerability footprint.
>
> Its inclusion predates me acting as release manager for Tomcat Native.
> If I had to guess, I'd guess that it was included so folks on Windows
> had an OpenSSL binary to use to work with keys, certificates, signing
> requests etc.
>
> > Secondly, I observed that Tomcat Native 1.3.0 does not include the .pdb
> > file, which is present in version 2.0.7. I would like to confirm if this is
> > intentional.
>
> No. That looks like an oversight.
>
> > Additionally, Tomcat Native 1.3.0 contains a deprecated VERSIONS file.
>
> Could you be more specific about this.
>

I compared 1.3.x and 2.0.x versions:
1.3.x :
https://github.com/apache/tomcat-native/blob/1.3.x/native/srclib/VERSIONS
2.0.x :
https://github.com/apache/tomcat-native/blob/main/native/srclib/VERSIONS

Formatting as well as minimum versions in 1.3.x seem out of date.


> > I would also like to suggest pruning the "Building" and "Running the tests"
> > sections in the README.txt for both versions. These sections are not
> > applicable to the binary distribution and their exclusion could make the
> > documentation more concise and user-friendly.
>
> I think separate README files for source and binary will be more work to
> manage and also more error prone. It might be simpler to mark those
> sections with "(source distribution only)" or similar.
>
> > Lastly, I noticed a minor issue, the NOTICE file for both releases contains
> > an outdated copyright date.
>
> Could you be more specific. The NOTICE file in both tags looks to have
> the correct date.
>

Although in the repo, the NOTICE file in both tags has the correct date,
the latest binary releases seem to have been packed with an old NOTICE file
containing the following:
"Apache Tomcat Native Library
Copyright 2002-2018 The Apache Software Foundation"


>
> Mark
>


Re: Clarifications and Suggestions on Tomcat Native Binary Distributions

2024-06-27 Thread Christopher Schultz

Mark,

On 6/24/24 08:14, Mark Thomas wrote:

On 21/06/2024 15:35, Dimitris Soumis wrote:

Hi all,

I hope this message finds you well. I am writing to seek clarifications
and provide some suggestions regarding the Tomcat Native binary
distributions.

Firstly, I have noticed that openssl.exe is included in the Tomcat
Native binary distributions. It appears that the .dll file is
sufficient for the component to function correctly. Thus, my
question is why is openssl.exe included in the distribution? If
openssl.exe is not essential, it might be worth considering its
removal from the distribution to minimize the vulnerability
footprint.


Its inclusion predates me acting as release manager for Tomcat Native. 
If I had to guess, I'd guess that it was included so folks on Windows 
had an OpenSSL binary to use to work with keys, certificates, signing 
requests etc.


+1


Secondly, I observed that Tomcat Native 1.3.0 does not include the
.pdb file, which is present in version 2.0.7. I would like to
confirm if this is intentional.


No. That looks like an oversight.


I feel like I've been told that providing "a debug version" of our .DLL 
files "was impossible" for #reasons. Would including the .PDB file 
actually improve anything for downstream users?



Additionally, Tomcat Native 1.3.0 contains a deprecated VERSIONS file.


Could you be more specific about this.


I would also like to suggest pruning the "Building" and "Running
the tests" sections in the README.txt for both versions. These
sections are not applicable to the binary distribution and their
exclusion could make the documentation more concise and
user-friendly.


I think separate README files for source and binary will be more work
to manage and also more error prone. It might be simpler to mark
those sections with "(source distribution only)" or similar.


What would really make more sense would be to clean up the whole source 
tree. It's still pretending that there is some significant Java portion 
of the project. Any time I check it out of revision-control or download 
a source distro, I *always* cd directly to tcnative/native and never do 
anything at all in tcnative/(root).


The current tests are practically useless. They do confirm that tcnative 
is being loaded, but not much else.


I would love to have a proper test-harness for the non-Java components 
e.g. "make test" but maybe all we would really be testing would be 
plumbing, so ironically adding more Java code is the better solution. 
Thoughts?


Lastly, I noticed a minor issue, the NOTICE file for both releases 
contains an outdated copyright date.


Could you be more specific. The NOTICE file in both tags looks to have 
the correct date.


-chris




Re: Clarifications and Suggestions on Tomcat Native Binary Distributions

2024-06-24 Thread Mark Thomas

On 21/06/2024 15:35, Dimitris Soumis wrote:

Hi all,

I hope this message finds you well. I am writing to seek clarifications and
provide some suggestions regarding the Tomcat Native binary distributions.

Firstly, I have noticed that openssl.exe is included in the Tomcat Native
binary distributions. It appears that the .dll file is sufficient for the
component to function correctly. Thus, my question is why is openssl.exe
included in the distribution? If openssl.exe is not essential, it might be
worth considering its removal from the distribution to minimize the
vulnerability footprint.


Its inclusion predates me acting as release manager for Tomcat Native. 
If I had to guess, I'd guess that it was included so folks on Windows 
had an OpenSSL binary to use to work with keys, certificates, signing 
requests etc.



Secondly, I observed that Tomcat Native 1.3.0 does not include the .pdb
file, which is present in version 2.0.7. I would like to confirm if this is
intentional.


No. That looks like an oversight.


Additionally, Tomcat Native 1.3.0 contains a deprecated VERSIONS file.


Could you be more specific about this.


I would also like to suggest pruning the "Building" and "Running the tests"
sections in the README.txt for both versions. These sections are not
applicable to the binary distribution and their exclusion could make the
documentation more concise and user-friendly.


I think separate README files for source and binary will be more work to 
manage and also more error prone. It might be simpler to mark those 
sections with "(source distribution only)" or similar.



Lastly, I noticed a minor issue, the NOTICE file for both releases contains
an outdated copyright date.


Could you be more specific. The NOTICE file in both tags looks to have 
the correct date.


Mark




Clarifications and Suggestions on Tomcat Native Binary Distributions

2024-06-21 Thread Dimitris Soumis
Hi all,

I hope this message finds you well. I am writing to seek clarifications and
provide some suggestions regarding the Tomcat Native binary distributions.

Firstly, I have noticed that openssl.exe is included in the Tomcat Native
binary distributions. It appears that the .dll file is sufficient for the
component to function correctly. Thus, my question is why is openssl.exe
included in the distribution? If openssl.exe is not essential, it might be
worth considering its removal from the distribution to minimize the
vulnerability footprint.

Secondly, I observed that Tomcat Native 1.3.0 does not include the .pdb
file, which is present in version 2.0.7. I would like to confirm if this is
intentional.

Additionally, Tomcat Native 1.3.0 contains a deprecated VERSIONS file.

I would also like to suggest pruning the "Building" and "Running the tests"
sections in the README.txt for both versions. These sections are not
applicable to the binary distribution and their exclusion could make the
documentation more concise and user-friendly.

Lastly, I noticed a minor issue, the NOTICE file for both releases contains
an outdated copyright date.

Best regards,
Dimitris