Aryeh,

On 1/20/24 4:19 AM, Aryeh Friedman wrote:
Top posting since my comments are not 100% relevant to the issue in
the thread (i.e. related but not in detail).

It would be nice if Tomcat published EOL's since there are
applications (like HIPAA webapps [I do remote cardiac monitoring])
that are automatically declared to be insecure if the underlying
platform has any EOL'ed components (this is why I just upgraded from 9.0.35
to 9.0.85) and in some cases (like HIPAA) have government imposed fines
if there is a breach due to using EOL'ed components.   Thus there is a
need for known/published EOL dates in such apps.

What makes you think that we don't publish EOLs?

There is an EOL date for Tomcat 8.5. There is no EOL date for Tomcat 9 (yet). Shall we just pick a date far into the future and say "we know that 3 years from now, you are out of luck"? Or should we wait until we know what the date is going to be and /then/ publish it?

We have an (unwritten) policy to give 1 year of notice for any EOL announcement. We aren't going to say "oh BTW this is the last release YOLO" and walk away.

The announcement for 8.5's EOL date (2024-03-31) was made on 2022-12-13, over a year in advance.

The announcement for 8.0's EOL date (2018-06-30) was made on 2017-06-30, exactly a year in advance.

The announcement for 7.0's EOL date (2021-03-31) was made on 2020-03-02, a year in advance.

The announcement for 6.0's EOL date (2016-12-31) was made on 2015-06-03, 18 months in advance. There were security updates made to Tomcat 6 which extended *beyond* that EOL date, so we even supported it *after* the announced EOL date.

You will have plenty of notice.

Plus if you are on Tomcat 9, you can /already upgrade to Tomcat 10 or 11/ neither of which have been EOL'd and are unlikely to experience such things until long after Tomcat 9 goes EOL.

If you want to avoid being caught up by Tomcat 9's EOL, then upgrade in advance.

I would like to mention that no Tomcat 9 releases have reached EOL. That means that your 9.0.35 version had not reached any EOL per se. There have been some security fixes applied in the intervening months which may be important for your environment, but this team does not provide support for specific releases.

HIPAA does not have a fine structure for use of out-of-date software. If you suffer a breach and an investigation reveals that a CE or BA was using software with known, unpatched vulnerabilities, *that's* what gets you into trouble.

-chris

On Fri, Jan 19, 2024 at 6:58 PM Mark Thomas <ma...@apache.org> wrote:

On 19/01/2024 19:06, Francisco Dellanio Leite Alencar wrote:
@Mark Thomas,

Is it possible to consider that the minimum support time of Apache Tomcat 9.0.X 
is until 2027 (10 years since Released)?

I'd say 2027 is a reasonable estimate of the likely EOL date for 9.0.x
but I'm not going to provide any guarantees on that.

The Tomcat community has committed to providing at least 12 months
notice of EOL of any major version.

More detail in the thread listed below against 9.0.x.

If long term support is your concern then I'd consider looking at Tomcat
10.1.x. It does require Java 11 (Tomcat 9.0.x requires Java 8) but it
will get you an additional ~3 years support.

I will take the opportunity to point out that what you get with Tomcat
is already pretty good.

- major versions support for ~10 years including new features, bug
    fixes and security fixes

- monthly releases throughout that ~10 year period (with the odd gap)

- all reproducible bugs reported fixed in the next release (this is the
    one where Tomcat really stands out)

- you can actually talk to the folks that maintain the code


If you really need 9.0.x and really need guarantees on dates then there
are commercial organizations that will sell you that service. Just make
sure you pick one that has the skills and in-depth Tomcat knowledge
necessary to deliver that support.

Mark




Thanks.



On 2024/01/08 08:42:28 Mark Thomas wrote:


On 08/01/2024 06:47, i...@flyingfischer.ch wrote:
https://endoflife.date/tomcat

Am 08.01.24 um 07:39 schrieb Deshmukh, Kedar:
Hello,

Could you please throw some light on Tomcat versions and its EOL plan?

See https://tomcat.apache.org/whichversion.html

     1.  8.5.X

EOL 31 March 2024

     2.  9.0.X

No plans.
See https://lists.apache.org/thread/qlzpscgoqct9wspkj5qjkm34s66jswj0

     3.  10.0.X

Already EOL as of 31 October 2022

     4.  10.1.X

No plans.
See https://lists.apache.org/thread/qlzpscgoqct9wspkj5qjkm34s66jswj0

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

