On Fri, Jan 26, 2024 at 1:57 PM Christopher Schultz <ch...@christopherschultz.net> wrote:
>
> Aryeh,
>
> On 1/20/24 4:19 AM, Aryeh Friedman wrote:
> > Top posting since my comments are not 100% relevant to the issue in
> > the thread (i.e. related but not in detail).
> >
> > It would be nice if Tomcat published EOLs since there are
> > applications (like HIPAA webapps [I do remote cardiac monitoring])
> > that are automatically declared to be insecure if the underlying
> > platform has any EOL'ed components (this is why I just upgraded from 9.0.35
> > to 9.0.85) and in some cases (like HIPAA) have government-imposed fines
> > if there is a breach due to using EOL'ed components. Thus there is a
> > need for known/published EOL dates in such apps.
>
> What makes you think that we don't publish EOLs?
>
> There is an EOL date for Tomcat 8.5. There is no EOL date for Tomcat 9
> (yet). Shall we just pick a date far into the future and say "we know
> that 3 years from now, you are out of luck"? Or should we wait until we
> know what the date is going to be and /then/ publish it?
>
> We have an (unwritten) policy to give 1 year of notice for any EOL
> announcement. We aren't going to say "oh BTW this is the last release
> YOLO" and walk away.
>
> The announcement for 8.5's EOL date (2024-03-31) was made on 2022-12-13,
> over a year in advance.
>
> The announcement for 8.0's EOL date (2018-06-30) was made on 2017-06-30,
> exactly a year in advance.
>
> The announcement for 7.0's EOL date (2021-03-31) was made on 2020-03-02,
> a year in advance.
>
> The announcement for 6.0's EOL date (2016-12-31) was made on 2015-06-03,
> 18 months in advance. There were security updates made to Tomcat 6 which
> extended *beyond* that EOL date, so we even supported it *after* the
> announced EOL date.
>
> You will have plenty of notice.

Thanks for clarifying that.

> HIPAA does not have a fine structure for use of out-of-date software. If
> you suffer a breach and an investigation reveals that a CE or BA was
> using software with known, unpatched vulnerabilities, *that's* what gets
> you into trouble.

Not completely true. While "officially" you're correct, in reality OCR (Office of Civil Rights of HHS) has a number of times said that EOL'ed is a telltale sign of not meeting the security rule:
https://www.proactive-info.com/blog/how-hipaa-compliance-relates-to-end-of-life

If you wish I can send you privately a sanitized version of a report we wrote for our client that details the implications of EOL and our current system (which we just did a wholesale upgrade of specifically for HIPAA reasons, triggered by a CVE posted on this list [among a few other minor CVEs in other system components]).

--
Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org