Removing the examples (JSP/servlet) in TC Binaries

2007-07-09 Thread jean-frederic clere
Hi, The examples (servlet and JSP) have caused a list of security issues. I think we should remove them from the Tomcat binary packages (6.0 and 5.x at least). Any comments? Cheers Jean-Frederic - To unsubscribe, e-mail:

Re: Removing the examples (JSP/servlet) in TC Binaries

2007-07-09 Thread Rainer Jung
I'm not sure. They provide an easy entry point for people using Tomcat because it is so simple to just use them. There are a couple of choices: - leave the examples in the download and take their security serious. This is what we do now. - leave the examples in the download, but don't bother

Re: Removing the examples (JSP/servlet) in TC Binaries

2007-07-09 Thread Yoav Shapira
Hey, On 7/9/07, jean-frederic clere [EMAIL PROTECTED] wrote: The examples (servlet and JSP) have caused a list of security issues. I think we should remove them from the Tomcat binary packages (6.0 and 5.x at least). Any comments? I'd like to leave them in, as they're amazingly useful,

Re: Removing the examples (JSP/servlet) in TC Binaries

2007-07-09 Thread William A. Rowe, Jr.
Rainer Jung wrote: I'm not sure. They provide an easy entry point for people using Tomcat because it is so simple to just use them. There are a couple of choices: - leave the examples in the download and take their security serious. This is what we do now. good choice... - leave the

Re: Removing the examples (JSP/servlet) in TC Binaries

2007-07-09 Thread William L. Thomson Jr.
Just FYI, on Gentoo we do not install or provide the examples by default. One must set the examples USE flag for examples to be installed. Because of such they were kinda moot issues for the recent security issues for us on Gentoo. Most running TC in production, or are actually using it for

Re: Removing the examples (JSP/servlet) in TC Binaries

2007-07-09 Thread Ian Darwin
It's nice if *someone* provides good reference examples; consider the mess in PHP development-by-example that's left the web in a half-usable state. Good reference examples? Do you want to encourage people to code getRequestDispatcher.forward() by hand? Or do you want them using one of the

Re: Removing the examples (JSP/servlet) in TC Binaries

2007-07-09 Thread Ian Darwin
William L. Thomson Jr. wrote: Just FYI, on Gentoo we do not install or provide the examples by default. One must set the examples USE flag for examples to be installed. Because of such they were kinda moot issues for the recent security issues for us on Gentoo. Same thing on OpenBSD; there's a

RE: Removing the examples (JSP/servlet) in TC Binaries

2007-07-09 Thread Leech, Jonathan
09, 2007 11:13 AM To: Tomcat Developers List Subject: Re: Removing the examples (JSP/servlet) in TC Binaries William L. Thomson Jr. wrote: Just FYI, on Gentoo we do not install or provide the examples by default. One must set the examples USE flag for examples to be installed. Because

Re: Removing the examples (JSP/servlet) in TC Binaries

2007-07-09 Thread Mladen Turk
jean-frederic clere wrote: Hi, The examples (servlet and JSP) have caused a list of security issues. I think we should remove them from the Tomcat binary packages (6.0 and 5.x at least). Any comments? If the examples are broken, then we have serious problems, either with examples or with

Re: Removing the examples (JSP/servlet) in TC Binaries

2007-07-09 Thread Ian Darwin
Leech, Jonathan wrote: My 2 cents: - Don't install the examples by default. - Implement them in straight .jsp / servlets etc w/o using frameworks. - Encourage each framework to implement the same examples using their framework. Fair enough. How about installing by default a very simple

RE: Removing the examples (JSP/servlet) in TC Binaries

2007-07-09 Thread Leech, Jonathan
- From: Ian Darwin [mailto:[EMAIL PROTECTED] Sent: Monday, July 09, 2007 11:40 AM To: Tomcat Developers List Subject: Re: Removing the examples (JSP/servlet) in TC Binaries Leech, Jonathan wrote: My 2 cents: - Don't install the examples by default. - Implement them in straight .jsp / servlets etc

Re: Removing the examples (JSP/servlet) in TC Binaries

2007-07-09 Thread Mark Thomas
jean-frederic clere wrote: Hi, The examples (servlet and JSP) have caused a list of security issues. I think we should remove them from the Tomcat binary packages (6.0 and 5.x at least). Any comments? +0. If they are removed I would suggest replacing them with a page that points to the

Re: Removing the examples (JSP/servlet) in TC Binaries

2007-07-09 Thread Remy Maucherat
Mladen Turk wrote: jean-frederic clere wrote: Hi, The examples (servlet and JSP) have caused a list of security issues. I think we should remove them from the Tomcat binary packages (6.0 and 5.x at least). Any comments? If the examples are broken, then we have serious problems, either with