Hi,

We have no official position regarding it from what I know, but here are two
points:
1) if you look at the last update of Tomcat or security update (I think of CXF), it
took < 2 days for the snapshot (we are already on Tomcat 7.0.29)
2) regarding releases, we are working on the 1.1.0 and then we'll refactor
our trunk to ease releases, so they should be more frequent
3) a lot of companies use TomEE and are concerned by security updates
(including committer companies), so updates will be done

- Romain


2012/7/16 Alex The Rocker <alex.m3...@gmail.com>

> Hello,
>
> We are considering Apache TomEE+, but we are concerned by the lack of clear
> update policy of Tomcat version in TomEE & TomEE+.
> Today (16th of July 2012):
> - Apache TomEE(+) 1.0 is available with embedded Apache Tomcat 7.0.27
> - Apache Tomcat 7.0.29 is available since 8th of July.
>
> Although there are no known security vulnerabilities in Tomcat 7.0.27, it
> would be nice to have a clear statement on Apache TomEE/TomEE+ update
> policy with regard to the components it embeds (and not only Apache Tomcat),
> so that users could decide whether or not they want to bet on this "new"
> J2EE application server (yeah, we know it's J2EE with web profile).
>
> A commitment to update TomEE & TomEE+ when an Apache Tomcat fix of security
> vulnerabilities within very short time (<2 weeks) would clearly be nice, if
> possible.
>
> Regards,
> Alex
>
