Hello, We are considering Apache TomEE+, but we are concerned by the lack of clear update policy of Tomcat version in TomEE & TomEE+. Today (16th of July 2012): - Apache TomEE(+) 1.0 is available with embedded Apache Tomcat 7.0.27 - Apache Tomcat 7.0.29 is available since 8th of July.
Although there is no know security vulnerabilities in Tomcat 7.0.27, it would be nice to have a clear statement on Apache TomEE/TomEE+ update policy with regard to the components it embeds (and not only Apache Tomcat) ; so that users could decide whether or not they want to bed on this "new" J2EE application server (yeah, we know it's J2EE with web profile). A commitment to update TomEE & TomEE+ when an Apache Tomcat fix of security vulnerabilities within very short time (<2 weeks) would clearly be nice, if possible. Regards, Alex