Hi Christopher,

On 18.06.21 20:54, Christopher Schultz wrote:
>> I would only stick to the distro-provided packages if it is a small
>> (in other words, not that important) application running in Tomcat. Just
>> for reference: with Ubuntu 18.04, you would end up with 9.0.16 vs. 9.0.48
>> (Tomcat project) or 8.5.39 vs. 8.5.68 (Tomcat project), which is software
>> about 2 years old.

> The above statement is *very* misleading.
> 
> To understand why it's misleading, you have to understand the Debian "way" of
> package-management. Ubuntu is Debian-derived and, although they have their
> own package repositories, etc., they do inherit from upstream and do make
> some changes on their own separate from upstream.

Thanks for picking that up; I was not clear enough by just referencing the
security backports in one sentence. It is right that those distro packages
get updates. My main point is that, due to the update policy of Ubuntu (and
Debian as well), not all changes and updates will get into the distro
packages. This might be an issue, especially if IT organisations stick to a
specific distro version for a long time. This is not an issue with the distro
policy or updates (I never wanted to blame anyone from the Debian or Ubuntu
team for that), but with the update policies of the org running it. I was
focusing on *Ubuntu 18.04* (which was mentioned by Onno), for which the
changelog [1] mentions Wed, 11 Sep 2019 as the last update.

> All that junk at the end (-4~bpo9+1_all) indicates the various updates that
> have been applied after the original 9.0.16. If you read the changelog[1] for
> Buster, you'll see that it was last updated as recently as 2021-04-12 to
> apply fixes for CVE-2021-25122 and CVE-2021-25329 (thanks, Emmanuel!). In
> fact, in Buster, you are getting 9.0.31. I'll bet if you look at the Ubuntu
> changelog for your package, you'll find something similar.

You are right: if you manage your base system and keep it updated to a recent
version (not my experience though), this will be fine. However, if you stick
as long as possible to a distro version (there is already a new Ubuntu LTS out
for over a year, some time to update), you will have a gap to more recent
Tomcat versions. Comparing Ubuntu 18.04 Tomcat versions to current Ubuntu or
Debian versions is not what was asked by Onno. My experience is that some
organisations try to stay on a specific distro version as long as possible.

> If you are getting 9.0.16 from your Ubuntu repository, I think you may be
> getting "left behind" by something. The current Ubuntu package should
> actually be a base version of 9.0.43. Older versions of Ubuntu have older
> base Tomcat versions.

Again, current vs. Ubuntu 18.04 is a different story. My apologies, I should
have been clearer in my first post.

[1] 
https://changelogs.ubuntu.com/changelogs/pool/universe/t/tomcat9/tomcat9_9.0.16-3ubuntu0.18.04.1/changelog

regards,
Thomas
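The argument in this thread turns on what a distro changelog actually says: the upstream base version in the package version string, the date of the newest entry, and which CVE ids the security entries name. The shell script below is an added example (not code from the thread, from Tomcat, or from Debian/Ubuntu) that pulls those three facts out of a debian/changelog-format file and compares the upstream base against a newer Tomcat release. The changelog it parses is a constructed sample: it reuses the 9.0.16-3ubuntu0.18.04.1 version string, the Wed, 11 Sep 2019 date and the two CVE ids quoted in this thread, but the entry text, maintainer name and times are made up and the sample is not the real tomcat9 changelog. To run it against a real package, replace the constructed file with the output of `apt-get changelog tomcat9` or the changelogs.ubuntu.com URL cited as [1].

```shell
#!/bin/sh
# Added example: extract base version, last-change date and CVE ids from a
# Debian-format changelog. Not the thread's, Tomcat's or Debian's own code.
set -u

# CONSTRUCTED sample changelog. Version string, date and CVE ids are the ones
# quoted in the thread; maintainer, times and entry wording are placeholders.
CHANGELOG=$(mktemp)
cat > "$CHANGELOG" <<'EOF'
tomcat9 (9.0.16-3ubuntu0.18.04.1) bionic-security; urgency=medium

  * SECURITY UPDATE (constructed sample entry, not real package history)
    - CVE-2021-25122, CVE-2021-25329: ids as quoted in the thread

 -- Example Maintainer <maint@example.invalid>  Wed, 11 Sep 2019 12:00:00 +0200

tomcat9 (9.0.16-3) unstable; urgency=medium

  * New upstream release (constructed sample entry).

 -- Example Maintainer <maint@example.invalid>  Mon, 04 Mar 2019 12:00:00 +0100
EOF

# Version field of the newest entry. The first line of a changelog has the
# form "package (version) distribution; urgency=...".
latest_version() {
    sed -n '1s/^[^ ]* (\([^)]*\)).*/\1/p' "$1"
}

# Upstream part of a Debian version: everything before the first "-".
# (Epoch prefixes "N:" are not handled; tomcat9 carries none.)
upstream_version() {
    printf '%s\n' "${1%%-*}"
}

# Date of the newest entry, taken from its trailer line
# " -- Name <email>  date" (two spaces before the date).
latest_date() {
    awk '/^ -- /{sub(/.*>  */, ""); print; exit}' "$1"
}

# Every CVE id named anywhere in the changelog, deduplicated and sorted.
cve_ids() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' "$1" | sort -u
}

# version_lt A B: exit 0 if dotted numeric version A is older than B.
# Implemented in awk so it does not depend on GNU sort -V or dpkg.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

pkgver=$(latest_version "$CHANGELOG")
base=$(upstream_version "$pkgver")
echo "package version : $pkgver"
echo "upstream base   : $base"
echo "last changed    : $(latest_date "$CHANGELOG")"
echo "CVE ids named   : $(cve_ids "$CHANGELOG" | tr '\n' ' ')"

# The thread's point: the distro package still gets security fixes (the CVE
# ids above), but its base stays at 9.0.16 while upstream moved to 9.0.48.
if version_lt "$base" 9.0.48; then
    echo "base $base is older than upstream 9.0.48: fixes are backported, newer upstream changes are not"
fi
```

The version comparison deliberately looks only at the upstream base, not at the Debian revision after the dash: the revision counts how many times the distro touched the package, which is the number Christopher points to, while the base is the number Thomas compares against the Tomcat project's releases. Both readings of the same string are correct, and the script prints both so the reader can see which one is being discussed.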

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org