Re: Frequency of Tomcat version updates in TomEE ?
I guess a manual process will still be needed in order to turn any kind of automated build into an official stable version, unless automated test are covering 100% of potential regressions (wild dream, I guess:) ). My question about TomEE / TomEE+ upgrade process is meant to (when it'll be solved) make newcomers comfortable with TomEE / TomEE+. Security isn't an option, and today's public pages aren't giving a clear view of the relationships between TomEE / TomEE+ version and Tomcat version. A first improvement could be to include a small version matrix of all included components for a given TomEE / TomEE+ version Another improvement could be to give a roadmap of version updates. Alex On Tue, Jul 17, 2012 at 5:29 AM, David Blevins wrote: > First, love the name :) > > On Jul 16, 2012, at 12:31 PM, Alex The Rocker wrote: > > > We are considering Apache TomEE+, but we are concerned by the lack of > clear > > update policy of Tomcat version in TomEE & TomEE+. > [..] > > it > > would be nice to have a clear statement on Apache TomEE/TomEE+ update > > policy with regard to the components it embeds (and not only Apache > Tomcat) > > ; so that users could decide whether or not they want to bed on this > "new" > > J2EE application server (yeah, we know it's J2EE with web profile). > > > > A commitment to update TomEE & TomEE+ when an Apache Tomcat fix of > security > > vulnerabilities within very short time (<2 weeks) would clearly be nice, > if > > possible. > > Thanks for the note. There is definitely room for these kinds of > considerations. > > There's been talk of keeping a branch just for upgrades and that could > easily help with this kind of thing. Releasing an active trunk on short > notice would be impossible, but a stable branch with nothing more than > upgrades would be far easier. > > Creating new builds with upgrades is very quick (minutes) and we can > easily have one up for public consumption with any upgrade in short order. > They're currently published daily: > > http://tomee.apache.org/builds.html > > What's there are trunk builds, so unstable by definition. > > Were there to be a stable codeline that contained only upgrades and had > builds also performed automatically every 24hrs, would that be enough? > > We could still release it of course, though a two week guarantee on that > would be harder; one is an automated process and one is very manual. > > > -David > >
Re: Frequency of Tomcat version updates in TomEE ?
First, love the name :) On Jul 16, 2012, at 12:31 PM, Alex The Rocker wrote: > We are considering Apache TomEE+, but we are concerned by the lack of clear > update policy of Tomcat version in TomEE & TomEE+. [..] > it > would be nice to have a clear statement on Apache TomEE/TomEE+ update > policy with regard to the components it embeds (and not only Apache Tomcat) > ; so that users could decide whether or not they want to bed on this "new" > J2EE application server (yeah, we know it's J2EE with web profile). > > A commitment to update TomEE & TomEE+ when an Apache Tomcat fix of security > vulnerabilities within very short time (<2 weeks) would clearly be nice, if > possible. Thanks for the note. There is definitely room for these kinds of considerations. There's been talk of keeping a branch just for upgrades and that could easily help with this kind of thing. Releasing an active trunk on short notice would be impossible, but a stable branch with nothing more than upgrades would be far easier. Creating new builds with upgrades is very quick (minutes) and we can easily have one up for public consumption with any upgrade in short order. They're currently published daily: http://tomee.apache.org/builds.html What's there are trunk builds, so unstable by definition. Were there to be a stable codeline that contained only upgrades and had builds also performed automatically every 24hrs, would that be enough? We could still release it of course, though a two week guarantee on that would be harder; one is an automated process and one is very manual. -David
Re: Frequency of Tomcat version updates in TomEE ?
i spoke about the snapshot which uses t7.0.29 - Romain 2012/7/16 Alex The Rocker > Well, the "Download" tab (http://openejb.apache.org/downloads.html) show a > list of fixes for TomEE / TomEE+ 1.0 which show that Tomcat version is > 2.0.27 (we understand that were was a typo and 7.0.27). > Where is it mentionned that Tomcat 7.0.29 is part of 1.0, if it is ? > > Alex > > On Mon, Jul 16, 2012 at 9:51 PM, Romain Manni-Bucau > wrote: > > > Hi, > > > > we have no official position regarding it from what i know but here two > > points: > > 1) if you look last update of tomcat or security update (i think of cxf) > it > > took < 2 days for the snapshot (we are already on tomcat 7.0.29) > > 2) regarding releases we are working on the 1.1.0 and then we'll refactor > > our trunk to ease releases so it should be more frequent > > 3) a lot of companies use TomEE and are concerned by security updates > > (including committer companies) so updates will be done > > > > - Romain > > > > > > 2012/7/16 Alex The Rocker > > > > > Hello, > > > > > > We are considering Apache TomEE+, but we are concerned by the lack of > > clear > > > update policy of Tomcat version in TomEE & TomEE+. > > > Today (16th of July 2012): > > > - Apache TomEE(+) 1.0 is available with embedded Apache Tomcat 7.0.27 > > > - Apache Tomcat 7.0.29 is available since 8th of July. > > > > > > Although there is no know security vulnerabilities in Tomcat 7.0.27, it > > > would be nice to have a clear statement on Apache TomEE/TomEE+ update > > > policy with regard to the components it embeds (and not only Apache > > Tomcat) > > > ; so that users could decide whether or not they want to bed on this > > "new" > > > J2EE application server (yeah, we know it's J2EE with web profile). > > > > > > A commitment to update TomEE & TomEE+ when an Apache Tomcat fix of > > security > > > vulnerabilities within very short time (<2 weeks) would clearly be > nice, > > if > > > possible. > > > > > > Regards, > > > Alex > > > > > >
Re: Frequency of Tomcat version updates in TomEE ?
Well, the "Download" tab (http://openejb.apache.org/downloads.html) show a list of fixes for TomEE / TomEE+ 1.0 which show that Tomcat version is 2.0.27 (we understand that were was a typo and 7.0.27). Where is it mentionned that Tomcat 7.0.29 is part of 1.0, if it is ? Alex On Mon, Jul 16, 2012 at 9:51 PM, Romain Manni-Bucau wrote: > Hi, > > we have no official position regarding it from what i know but here two > points: > 1) if you look last update of tomcat or security update (i think of cxf) it > took < 2 days for the snapshot (we are already on tomcat 7.0.29) > 2) regarding releases we are working on the 1.1.0 and then we'll refactor > our trunk to ease releases so it should be more frequent > 3) a lot of companies use TomEE and are concerned by security updates > (including committer companies) so updates will be done > > - Romain > > > 2012/7/16 Alex The Rocker > > > Hello, > > > > We are considering Apache TomEE+, but we are concerned by the lack of > clear > > update policy of Tomcat version in TomEE & TomEE+. > > Today (16th of July 2012): > > - Apache TomEE(+) 1.0 is available with embedded Apache Tomcat 7.0.27 > > - Apache Tomcat 7.0.29 is available since 8th of July. > > > > Although there is no know security vulnerabilities in Tomcat 7.0.27, it > > would be nice to have a clear statement on Apache TomEE/TomEE+ update > > policy with regard to the components it embeds (and not only Apache > Tomcat) > > ; so that users could decide whether or not they want to bed on this > "new" > > J2EE application server (yeah, we know it's J2EE with web profile). > > > > A commitment to update TomEE & TomEE+ when an Apache Tomcat fix of > security > > vulnerabilities within very short time (<2 weeks) would clearly be nice, > if > > possible. > > > > Regards, > > Alex > > >
Re: Frequency of Tomcat version updates in TomEE ?
Hi, we have no official position regarding it from what i know but here two points: 1) if you look last update of tomcat or security update (i think of cxf) it took < 2 days for the snapshot (we are already on tomcat 7.0.29) 2) regarding releases we are working on the 1.1.0 and then we'll refactor our trunk to ease releases so it should be more frequent 3) a lot of companies use TomEE and are concerned by security updates (including committer companies) so updates will be done - Romain 2012/7/16 Alex The Rocker > Hello, > > We are considering Apache TomEE+, but we are concerned by the lack of clear > update policy of Tomcat version in TomEE & TomEE+. > Today (16th of July 2012): > - Apache TomEE(+) 1.0 is available with embedded Apache Tomcat 7.0.27 > - Apache Tomcat 7.0.29 is available since 8th of July. > > Although there is no know security vulnerabilities in Tomcat 7.0.27, it > would be nice to have a clear statement on Apache TomEE/TomEE+ update > policy with regard to the components it embeds (and not only Apache Tomcat) > ; so that users could decide whether or not they want to bed on this "new" > J2EE application server (yeah, we know it's J2EE with web profile). > > A commitment to update TomEE & TomEE+ when an Apache Tomcat fix of security > vulnerabilities within very short time (<2 weeks) would clearly be nice, if > possible. > > Regards, > Alex >
