Well, the "Download" tab (http://openejb.apache.org/downloads.html) shows a list of fixes for TomEE / TomEE+ 1.0 which shows that Tomcat version is 2.0.27 (we understand that there was a typo and 7.0.27). Where is it mentioned that Tomcat 7.0.29 is part of 1.0, if it is?
Alex

On Mon, Jul 16, 2012 at 9:51 PM, Romain Manni-Bucau <rmannibu...@gmail.com> wrote:

> Hi,
>
> we have no official position regarding it from what I know but here are two
> points:
> 1) if you look at the last update of tomcat or security update (I think of cxf) it
> took < 2 days for the snapshot (we are already on tomcat 7.0.29)
> 2) regarding releases we are working on the 1.1.0 and then we'll refactor
> our trunk to ease releases so it should be more frequent
> 3) a lot of companies use TomEE and are concerned by security updates
> (including committer companies) so updates will be done
>
> - Romain
>
>
> 2012/7/16 Alex The Rocker <alex.m3...@gmail.com>
>
> > Hello,
> >
> > We are considering Apache TomEE+, but we are concerned by the lack of clear
> > update policy of Tomcat version in TomEE & TomEE+.
> > Today (16th of July 2012):
> > - Apache TomEE(+) 1.0 is available with embedded Apache Tomcat 7.0.27
> > - Apache Tomcat 7.0.29 is available since 8th of July.
> >
> > Although there are no known security vulnerabilities in Tomcat 7.0.27, it
> > would be nice to have a clear statement on Apache TomEE/TomEE+ update
> > policy with regard to the components it embeds (and not only Apache Tomcat);
> > so that users could decide whether or not they want to bet on this "new"
> > J2EE application server (yeah, we know it's J2EE with web profile).
> >
> > A commitment to update TomEE & TomEE+ when an Apache Tomcat fix of security
> > vulnerabilities within very short time (<2 weeks) would clearly be nice, if
> > possible.
> >
> > Regards,
> > Alex