Frequency of Tomcat version updates in TomEE ?

2012-07-16 Thread Alex The Rocker
Hello,

We are considering Apache TomEE+, but we are concerned by the lack of a clear
update policy for the Tomcat version in TomEE & TomEE+.
Today (16th of July 2012):
- Apache TomEE(+) 1.0 is available with embedded Apache Tomcat 7.0.27
- Apache Tomcat 7.0.29 has been available since 8th of July.

Although there are no known security vulnerabilities in Tomcat 7.0.27, it
would be nice to have a clear statement on Apache TomEE/TomEE+ update
policy with regard to the components it embeds (and not only Apache Tomcat),
so that users could decide whether or not they want to bet on this new
J2EE application server (yeah, we know it's J2EE with web profile).

A commitment to update TomEE & TomEE+ when an Apache Tomcat fix of security
vulnerabilities is available, within a very short time (2 weeks), would
clearly be nice, if possible.

Regards,
Alex


Re: Frequency of Tomcat version updates in TomEE ?

2012-07-16 Thread Romain Manni-Bucau
Hi,

We have no official position regarding it from what I know, but here are two
points:
1) If you look at the last update of Tomcat or security update (I think of
CXF), it took 2 days for the snapshot (we are already on Tomcat 7.0.29).
2) Regarding releases, we are working on the 1.1.0 and then we'll refactor
our trunk to ease releases, so it should be more frequent.
3) A lot of companies use TomEE and are concerned by security updates
(including committer companies), so updates will be done.

- Romain





Re: Frequency of Tomcat version updates in TomEE ?

2012-07-16 Thread Alex The Rocker
Well, the Download tab (http://openejb.apache.org/downloads.html) shows a
list of fixes for TomEE / TomEE+ 1.0 which shows that the Tomcat version is
2.0.27 (we understand that there was a typo and it is 7.0.27).
Where is it mentioned that Tomcat 7.0.29 is part of 1.0, if it is?

Alex




Re: Frequency of Tomcat version updates in TomEE ?

2012-07-16 Thread Romain Manni-Bucau
I spoke about the snapshot, which uses t7.0.29.

- Romain





Re: Frequency of Tomcat version updates in TomEE ?

2012-07-16 Thread David Blevins
First, love the name :)

On Jul 16, 2012, at 12:31 PM, Alex The Rocker wrote:

> We are considering Apache TomEE+, but we are concerned by the lack of a clear
> update policy for the Tomcat version in TomEE & TomEE+.
> [..]
> it would be nice to have a clear statement on Apache TomEE/TomEE+ update
> policy with regard to the components it embeds (and not only Apache Tomcat),
> so that users could decide whether or not they want to bet on this new
> J2EE application server (yeah, we know it's J2EE with web profile).
>
> A commitment to update TomEE & TomEE+ when an Apache Tomcat fix of security
> vulnerabilities is available, within a very short time (2 weeks), would
> clearly be nice, if possible.

Thanks for the note.  There is definitely room for these kinds of 
considerations.

There's been talk of keeping a branch just for upgrades and that could easily 
help with this kind of thing.  Releasing an active trunk on short notice would 
be impossible, but a stable branch with nothing more than upgrades would be far 
easier.

Creating new builds with upgrades is very quick (minutes) and we can easily 
have one up for public consumption with any upgrade in short order.  They're 
currently published daily:

  http://tomee.apache.org/builds.html

What's there are trunk builds, so unstable by definition.

Were there to be a stable codeline that contained only upgrades and had builds 
also performed automatically every 24hrs, would that be enough?

We could still release it of course, though a two week guarantee on that would 
be harder; one is an automated process and one is very manual.


-David