> > IMO a remark regarding Java 9 should be added to
> > http://tomcat.apache.org/whichversion.html .
>
> Sounds good. I don't know of anything specific that does NOT work with
> Java 9, but markt has been following the pre-releases of Java 9 pretty
> closely, and has made adjustments (mostly disabling various
> workarounds for bugs in previous JVMs) accordingly. There may be some
> NEW items that may need to be worked-around -- those usually turn out
> to be various ClassLoader-pinning memory-leaks -- but my guess is that
> most Tomcat versions will work just fine under Java 9 without any
> special effort.
>
> Could you try (the latest patch-level of) whatever version of Tomcat
> you are currently using with Java 9 and let us know how things go?

It looks like Tomcat 8.5.23 and Tomcat 9.0.1 Beta will be released
soon and they include the fix mentioned in
https://marc.info/?l=tomcat-dev&m=150617928913339&w=2 . So we will
test Tomcat 8.5.23.


> > 2. Currently MITM attacks by evil ISPs or WiFi networks are
> > possible against people downloading tomcat from
> > http://tomcat.apache.org/download-80.cgi . (The page has links to
> > PGP, md5 and sha1 hashes for validation, but the links are on a
> > http page that does not redirect to https. This means they could be
> > replaced in case of MITM.)
> >
> > IMO a HTTP 301 redirect to the https version and HSTS headers
> > should be added to http://tomcat.apache.org/ .
>
> Agreed about the redirect... not so sure about HSTS, as that affects
> the whole domain.

HSTS (RFC 6797) would only affect http://tomcat.apache.org/ .
"HSTS preload" would affect the base domain and all subdomains.


> > Should I try to submit issues in Bugzilla for both?
>
> Yes, please. Post-back with URLs to the BZ issues you raise.

OK.

Regards
Oliver
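As an added illustration of the download-page MITM point raised above (example code written for this page, not part of the thread or of the Tomcat project's own tooling): verifying an Apache-style `.sha512` checksum file against a downloaded artifact, and walking through what an on-path attacker can and cannot get past. The tarball contents and the "published" checksum are constructed sample data; only the file name follows the real Tomcat naming.

```python
# Added example (not from the thread or the Tomcat project): verifying an
# Apache-style ".sha512" checksum file against a downloaded artifact, and
# showing why a checksum fetched over the same plain-HTTP channel as the
# artifact does not defend against an on-path attacker.
import hashlib
import hmac
import re

# Apache checksum files look like "<hex digest>  <filename>" or
# "<hex digest> *<filename>" (binary-mode marker), one artifact per file.
_CHECKSUM_LINE = re.compile(r"^\s*([0-9a-fA-F]+)\s+\*?(\S+)\s*$")


def parse_checksum_file(text):
    """Return {filename: hex digest} for a sha1sum/sha512sum-style file."""
    entries = {}
    for line in text.splitlines():
        m = _CHECKSUM_LINE.match(line)
        if m:
            entries[m.group(2)] = m.group(1).lower()
    return entries


def verify_artifact(data, filename, checksum_text, algo="sha512"):
    """True if data hashes to the digest listed for filename, else False."""
    expected = parse_checksum_file(checksum_text).get(filename)
    if expected is None:
        return False
    actual = hashlib.new(algo, data).hexdigest()
    # Constant-time compare: not strictly needed for a local file check,
    # but a good habit for anything that compares digests or secrets.
    return hmac.compare_digest(actual, expected)


def make_checksum_text(data, filename, algo="sha512"):
    """Emit a checksum line in the format the Apache mirrors publish."""
    return "%s *%s\n" % (hashlib.new(algo, data).hexdigest(), filename)


# Constructed sample data standing in for a Tomcat tarball (real file
# name, fake contents).
ARTIFACT_NAME = "apache-tomcat-8.5.23.tar.gz"
GENUINE = b"genuine tarball bytes (constructed sample)"
TAMPERED = b"tarball with a backdoor (constructed sample)"

# The checksum the project would publish for the genuine file.
PUBLISHED_SHA512 = make_checksum_text(GENUINE, ARTIFACT_NAME)


def mitm_scenarios():
    """Walk through the MITM cases discussed in the thread.

    Returns {case name: whether verification passed}.
    """
    return {
        # Honest download, checksum obtained from the genuine page.
        "genuine": verify_artifact(GENUINE, ARTIFACT_NAME, PUBLISHED_SHA512),
        # Attacker swaps the tarball, but the checksum came over a trusted
        # channel (an https page, or a copy saved earlier): detected.
        "tarball_swapped": verify_artifact(TAMPERED, ARTIFACT_NAME, PUBLISHED_SHA512),
        # Attacker swaps BOTH the tarball and the .sha512 link on the
        # plain-http download page: verification passes, so a checksum that
        # travels over the same untrusted channel adds nothing.
        "both_swapped": verify_artifact(
            TAMPERED, ARTIFACT_NAME, make_checksum_text(TAMPERED, ARTIFACT_NAME)),
    }


if __name__ == "__main__":
    for case, ok in mitm_scenarios().items():
        print("%-16s verification %s" % (case, "passed" if ok else "FAILED"))
```

The "both_swapped" case is the one the thread is about: a checksum or signature only helps when it (or, for PGP, the KEYS file) was obtained over a channel the attacker does not control, which is why the redirect to https matters more than the presence of the hash links themselves.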

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
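As an added example for the HSTS scope question above (written for this page; not code from the thread, from RFC 6797 or from the Apache infrastructure team): a small parser for the Strict-Transport-Security header and a check of which hosts a policy learned from a given host covers. The preload requirements encoded in `preload_eligible` (one-year max-age, includeSubDomains, preload token) are an assumption about the hstspreload.org submission rules at the time of writing, not something stated in the thread.

```python
# Added example (not from the thread): how the scope of an HSTS policy
# (RFC 6797) follows from the Strict-Transport-Security header, and which
# extra conditions the browser preload list imposes.


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age, include_subdomains, preload). max_age is None when the
    header is malformed (RFC 6797 requires exactly one max-age directive).
    """
    max_age = None
    include_subdomains = False
    preload = False
    seen_max_age = 0
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')   # max-age may be a quoted-string
        if name == "max-age":
            seen_max_age += 1
            if not value.isdigit():
                return (None, False, False)
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if seen_max_age != 1:
        return (None, False, False)
    return (max_age, include_subdomains, preload)


def hsts_applies(request_host, hsts_host, header):
    """Would a policy learned from hsts_host force https for request_host?"""
    max_age, include_subdomains, _ = parse_hsts(header)
    if not max_age:            # malformed, or max-age=0 (policy removal)
        return False
    request_host = request_host.lower().rstrip(".")
    hsts_host = hsts_host.lower().rstrip(".")
    if request_host == hsts_host:
        return True
    # A superdomain (apache.org, for a policy set by tomcat.apache.org) is
    # never covered; subdomains are covered only with includeSubDomains.
    return include_subdomains and request_host.endswith("." + hsts_host)


# Assumed hstspreload.org submission rules: max-age of at least one year,
# includeSubDomains and the preload token, served by the registrable domain.
ONE_YEAR = 31536000


def preload_eligible(header):
    max_age, include_subdomains, preload = parse_hsts(header)
    return bool(max_age) and max_age >= ONE_YEAR and include_subdomains and preload


HOST_ONLY = "max-age=31536000"
PRELOAD = "max-age=31536000; includeSubDomains; preload"


def scenarios():
    """The cases argued in the thread, as {case: policy applies?}."""
    return {
        # Header sent by tomcat.apache.org without includeSubDomains:
        "tomcat_itself": hsts_applies("tomcat.apache.org", "tomcat.apache.org", HOST_ONLY),
        "parent_apache_org": hsts_applies("apache.org", "tomcat.apache.org", HOST_ONLY),
        "sibling_www": hsts_applies("www.apache.org", "tomcat.apache.org", HOST_ONLY),
        # A preload-style policy on the base domain reaches every subdomain:
        "preload_base_covers_tomcat": hsts_applies("tomcat.apache.org", "apache.org", PRELOAD),
        "host_only_preload_eligible": preload_eligible(HOST_ONLY),
        "preload_policy_eligible": preload_eligible(PRELOAD),
    }


if __name__ == "__main__":
    for case, result in scenarios().items():
        print("%-28s %s" % (case, result))
```

A header without includeSubDomains sent by tomcat.apache.org pins only that host; apache.org and its other subdomains are untouched, which is the distinction between plain HSTS and a preload submission, where the whole registrable domain and all subdomains are committed.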