Chris cjb> large bureaucracy [...] I would not be cjb> surprised if there is a policy against dev kits and IDE's on cjb> production servers for security sake. Tomcat (whisper: with built-in cjb> compiler) is approved, but is the JDK allowed? Guess I can ask. cjb> Yeah, it's potentially a "distinction without a difference".
cs> Hard and fast rule: no compilers. [...] It's a checkbox security cs> "feature" that is all of meaningless, ineffective, and inconvenient. Yeah, I was thinking similar things from inference. cs> These days, most servers have all the code you'd already ever need cs> to "compile" and run an exploit even if there were no compiler there. cs> All you need is a nice, vulnerable pre-existing binary. That's kinda scary. I suppose the attitude is that as long as there are security updates still being published, that conforms to policy and is therefore OK. Actually, what else can be done once any software has been released into the wild? mt> I'd plan to stick to the LTS releases. cjb> Meh, not my call. Whatever the Powers That Be decide for the cjb> production environment, I'll probably match that in dev. cs> They will decide to stick with Java 8, even though it's EOL. The cs> decision will be made because (a) "there are some incompatibilities cs> with Java 11 which are hairy to untangle" and (b) "Java 8 hasn't cs> caused a breach, yet, so we'll probably be fine". Interesting theory... Care to make a friendly wager on that, say lunch and/or a beer? Wait, do you have some sort of inside info? Wager rescinded! ;-) My question would be how long after the 2019 EOL will Java 8 still be approved for use, be it official policy or unofficial inertia. Well, at least until the next major vulnerability is discovered and then everyone scrambles to cover their behinds and upgrade Java. cs> I'm having trouble convincing a partner vendor to move from cs> Java *6* up to Java 8. *facepalm* "Ha ha" (said the guy who is still in the process of upgrading from TC 6.0 to 8.5). -- Cris Berneburg CACI Lead Software Engineer --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org