On Sat, Jan 20, 2024 at 4:29 AM Simon Matter <simon.mat...@invoca.ch> wrote:
>
> > Top posting since my comments are not 100% relevant to the issue in
> > the thread (i.e. related but not in detail).
> >
> > It would be nice if Tomcat published EOLs since there are
> > applications (like HIPAA webapps [I do remote cardiac monitoring])
> > that are automatically declared to be insecure if the underlying
> > platform has any EOL'ed components (this is why we just upgraded from 9.0.35
> > to 9.0.85) and in some cases (like HIPAA) have government imposed fines
> > if there is a breach due to using EOL'ed components. Thus there is a
> > need for known/published EOL dates in such apps.
>
> Isn't it so that for every major version, like 9.0, all but the latest
> should be considered EOL? Like for now, 9.0.85 is supported and 9.0.84 and
> older should be considered EOL.

In large 24/7/365 production environments (especially life critical ones) it is often hard to do a migration, and doing so requires significant human labor. This is recognized by vendors when they publish EOL dates, for example OpenJDK 8 (LTS) is supported through 2030 (https://www.oracle.com/java/technologies/java-se-support-roadmap.html).

Nonetheless we also upgraded to OpenJDK 21 at the same time we upgraded Tomcat [also upgraded the OS from FreeBSD 12 to FreeBSD 14] and it required about 500 source code fixes to a 100+k LOC project to make it compile correctly (we have a no warning policy and thus -Werror turned on). Luckily almost all the fixes were trivial but one or two were not and required several hours to plan how to fix them and another few days to do so (a good example is a significant change in behaviour in File.renameTo() without documentation [see another thread], thus we had to rewrite an entire low-level I/O class to use Files.move() instead of File.renameTo(); another good example is that new URL(String url) is now deprecated and needed to be rewritten as new URI(url).toURL() and put inside a totally different try/catch block).

--
Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org