Posted to dev@tomee.apache.org by Jean-Louis Monteiro <jl...@tomitribe.com> on 2023/04/18 08:01:32 UTC

Release TomEE 9.1.0

Hi all,

Looks like our backlog is starting to grow. We've done quite a lot of
updates and I was wondering if we should do a release for 9.1.0?

Note that there is an issue to fix before with the API Uber jar where the
tomcat classifier has the same content as the non tomcat classifier. This
was meant to not be the case, so in Tomcat we would use the API jars Tomcat
is providing.

See https://issues.apache.org/jira/browse/TOMEE-4199

Regards

--
Jean-Louis Monteiro
http://twitter.com/jlouismonteiro
http://www.tomitribe.com

Re: Release TomEE 9.1.0

Posted by Jean-Louis Monteiro <jl...@tomitribe.com>.
It's not only TCK it's breaking backward compatibility and potentially
impacting users because we'll change APIs signature and of course
implementation in Tomcat.

EL 3, Servlet 6 and TagLib 3 have breaking changes and methods/classes
removed.



--
Jean-Louis Monteiro
http://twitter.com/jlouismonteiro
http://www.tomitribe.com


On Tue, Apr 18, 2023 at 11:02 AM Richard Zowalla <rz...@apache.org> wrote:

> Hi,
>
> I am +1 for it, but we need to decide, if we want to port the commons
> fileupload cve to tomcat 10.0.27 or if we upgrade to 10.1.x (and lose
> EE9.1 tck compliance).
>
> Regards
> Richard
>
>
> On Tuesday, 18.04.2023 at 10:01 +0200, Jean-Louis Monteiro wrote:
> > Hi all,
> >
> > Looks like our backlog is starting to grow. We've done quite a lot of
> > updates and I was wondering if we should do a release for 9.1.0?
> >
> > Note that there is an issue to fix before with the API Uber jar where
> > the
> > tomcat classifier has the same content as the non tomcat classifier.
> > This
> > was meant to not be the case, so in Tomcat we would use the API jars
> > Tomcat
> > is providing.
> >
> > See https://issues.apache.org/jira/browse/TOMEE-4199
> >
> > Regards
> >
> > --
> > Jean-Louis Monteiro
> > http://twitter.com/jlouismonteiro
> > http://www.tomitribe.com
>
>

Re: Release TomEE 9.1.0

Posted by Richard Zowalla <rz...@apache.org>.
Backporting the change and patching within TomEE shouldn't be a big
deal (as we already patch Tomcat within TomEE) :)

On Tuesday, 18.04.2023 at 11:37 +0200, Swell wrote:
> Fixing cve should have priority over tck results, right ? That said
> do we
> want to maintain efforts on 9.1 or focus our resources and time on
> 10.0 ?
> 
> On the other hand, If we upgrade TomEE 9 with tomcat 10.1 we lose a
> status
> method of servlet api used by EE9 versions of resteasy/jersey/etc.
> Resulting in a no such method exception. That means users then must
> upgrade
> faulty dependencies to their EE10 equivalent.
> 
> It will feel more natural to users to use a EE10 TomEE with EE10
> dependencies. Even it being milestone/alpha.
> 
> -1 for a TomEE 9 release (mainly because tomcat 10.0 is EOL)
> 
> My two cents … have a nice week!
> Swell
> 
> On Tue 18 Apr 2023 at 11:02, Richard Zowalla <rz...@apache.org> wrote:
> 
> > Hi,
> > 
> > I am +1 for it, but we need to decide, if we want to port the
> > commons
> > fileupload cve to tomcat 10.0.27 or if we upgrade to 10.1.x (and
> > lose
> > EE9.1 tck compliance).
> > 
> > Regards
> > Richard
> > 
> > 
> > On Tuesday, 18.04.2023 at 10:01 +0200, Jean-Louis
> > Monteiro wrote:
> > > Hi all,
> > > 
> > > Looks like our backlog is starting to grow. We've done quite a
> > > lot of
> > > updates and I was wondering if we should do a release for 9.1.0?
> > > 
> > > Note that there is an issue to fix before with the API Uber jar
> > > where
> > > the
> > > tomcat classifier has the same content as the non tomcat
> > > classifier.
> > > This
> > > was meant to not be the case, so in Tomcat we would use the API
> > > jars
> > > Tomcat
> > > is providing.
> > > 
> > > See https://issues.apache.org/jira/browse/TOMEE-4199
> > > 
> > > Regards
> > > 
> > > --
> > > Jean-Louis Monteiro
> > > http://twitter.com/jlouismonteiro
> > > http://www.tomitribe.com
> > 
> > 


Re: Release TomEE 9.1.0

Posted by Jean-Louis Monteiro <jl...@tomitribe.com>.
Hi Richard,

I reviewed the PR and it looks good, so I don't see any reason why we would
not merge it.
Good point with the security scanners, we need to make sure it's somewhere
in the release notes, and in our website if possible.

Ok for a 9.1.0 because it's not only a patch, we have dependency upgrades
and our patching you just added.

--
Jean-Louis Monteiro
http://twitter.com/jlouismonteiro
http://www.tomitribe.com


On Tue, Apr 25, 2023 at 10:07 AM Richard Zowalla <ri...@zowalla.com>
wrote:

> Hi,
>
> I've ported the cve-related changes for 10.0.x in [1].
> If we want to do 9.0.1 / 9.1.0 (whatever we want to name it), we should
> integrate these changes, so happy to have some eyes on it.
>
> Patching Tomcat inside TomEE will most likely confuse security
> scanners, so we would need to add a disclaimer on the download pages to
> state, that we backported the cve patches.
>
> I am still +1 for a release as we (at university) have some internal
> webapps already running on 9.0 (so I and our CISO would be more than
> happy to get an "official" patched version).
>
> Don't think that we should then do more than necessary on 9.0.x / 9.1.x
> until we get a flying 10 alpha/milestone but as we didn't declare it
> eol, we should imho provide some sort of patched version rather sooner
> than later.
>
> Just my 2 cents ;-)
>
> Regards
> Richard
>
>
>
>
>
> [1] https://github.com/apache/tomee/pull/1033
>
> On Tuesday, 18.04.2023 at 11:49 +0200, Jean-Louis Monteiro wrote:
> > Thanks Swell for providing more information on the consequences/side
> > effects.
> > This helps.
> >
> > I'd say it depends how fast we can get a 10.0
> >
> > --
> > Jean-Louis Monteiro
> > http://twitter.com/jlouismonteiro
> > http://www.tomitribe.com
> >
> >
> > On Tue, Apr 18, 2023 at 11:38 AM Swell <so...@gmail.com>
> > wrote:
> >
> > > Fixing cve should have priority over tck results, right ? That said
> > > do we
> > > want to maintain efforts on 9.1 or focus our resources and time on
> > > 10.0 ?
> > >
> > > On the other hand, If we upgrade TomEE 9 with tomcat 10.1 we lose
> > > a status
> > > method of servlet api used by EE9 versions of resteasy/jersey/etc.
> > > Resulting in a no such method exception. That means users then must
> > > upgrade
> > > faulty dependencies to their EE10 equivalent.
> > >
> > > It will feel more natural to users to use a EE10 TomEE with EE10
> > > dependencies. Even it being milestone/alpha.
> > >
> > > -1 for a TomEE 9 release (mainly because tomcat 10.0 is EOL)
> > >
> > > My two cents … have a nice week!
> > > Swell
> > >
> > > On Tue 18 Apr 2023 at 11:02, Richard Zowalla <rz...@apache.org>
> > > wrote:
> > >
> > > > Hi,
> > > >
> > > > I am +1 for it, but we need to decide, if we want to port the
> > > > commons
> > > > fileupload cve to tomcat 10.0.27 or if we upgrade to 10.1.x (and
> > > > lose
> > > > EE9.1 tck compliance).
> > > >
> > > > Regards
> > > > Richard
> > > >
> > > >
> > > > On Tuesday, 18.04.2023 at 10:01 +0200, Jean-Louis
> > > > Monteiro wrote:
> > > > > Hi all,
> > > > >
> > > > > Looks like our backlog is starting to grow. We've done quite a
> > > > > lot of
> > > > > updates and I was wondering if we should do a release for
> > > > > 9.1.0?
> > > > >
> > > > > Note that there is an issue to fix before with the API Uber jar
> > > > > where
> > > > > the
> > > > > tomcat classifier has the same content as the non tomcat
> > > > > classifier.
> > > > > This
> > > > > was meant to not be the case, so in Tomcat we would use the API
> > > > > jars
> > > > > Tomcat
> > > > > is providing.
> > > > >
> > > > > See https://issues.apache.org/jira/browse/TOMEE-4199
> > > > >
> > > > > Regards
> > > > >
> > > > > --
> > > > > Jean-Louis Monteiro
> > > > > http://twitter.com/jlouismonteiro
> > > > > http://www.tomitribe.com
> > > >
> > > >
> > >
>
>

Re: Release TomEE 9.1.0

Posted by Richard Zowalla <ri...@zowalla.com>.
Hi,

I've ported the cve-related changes for 10.0.x in [1].
If we want to do 9.0.1 / 9.1.0 (whatever we want to name it), we should
integrate these changes, so happy to have some eyes on it.

Patching Tomcat inside TomEE will most likely confuse security
scanners, so we would need to add a disclaimer on the download pages to
state, that we backported the cve patches. 

I am still +1 for a release as we (at university) have some internal
webapps already running on 9.0 (so I and our CISO would be more than
happy to get an "official" patched version).

Don't think that we should then do more than necessary on 9.0.x / 9.1.x
until we get a flying 10 alpha/milestone but as we didn't declare it
eol, we should imho provide some sort of patched version rather sooner
than later.

Just my 2 cents ;-)

Regards
Richard





[1] https://github.com/apache/tomee/pull/1033

On Tuesday, 18.04.2023 at 11:49 +0200, Jean-Louis Monteiro wrote:
> Thanks Swell for providing more information on the consequences/side
> effects.
> This helps.
> 
> I'd say it depends how fast we can get a 10.0
> 
> --
> Jean-Louis Monteiro
> http://twitter.com/jlouismonteiro
> http://www.tomitribe.com
> 
> 
> On Tue, Apr 18, 2023 at 11:38 AM Swell <so...@gmail.com>
> wrote:
> 
> > Fixing cve should have priority over tck results, right ? That said
> > do we
> > want to maintain efforts on 9.1 or focus our resources and time on
> > 10.0 ?
> > 
> > On the other hand, If we upgrade TomEE 9 with tomcat 10.1 we lose
> > a status
> > method of servlet api used by EE9 versions of resteasy/jersey/etc.
> > Resulting in a no such method exception. That means users then must
> > upgrade
> > faulty dependencies to their EE10 equivalent.
> > 
> > It will feel more natural to users to use a EE10 TomEE with EE10
> > dependencies. Even it being milestone/alpha.
> > 
> > -1 for a TomEE 9 release (mainly because tomcat 10.0 is EOL)
> > 
> > My two cents … have a nice week!
> > Swell
> > 
> > On Tue 18 Apr 2023 at 11:02, Richard Zowalla <rz...@apache.org>
> > wrote:
> > 
> > > Hi,
> > > 
> > > I am +1 for it, but we need to decide, if we want to port the
> > > commons
> > > fileupload cve to tomcat 10.0.27 or if we upgrade to 10.1.x (and
> > > lose
> > > EE9.1 tck compliance).
> > > 
> > > Regards
> > > Richard
> > > 
> > > 
> > > On Tuesday, 18.04.2023 at 10:01 +0200, Jean-Louis
> > > Monteiro wrote:
> > > > Hi all,
> > > > 
> > > > Looks like our backlog is starting to grow. We've done quite a
> > > > lot of
> > > > updates and I was wondering if we should do a release for
> > > > 9.1.0?
> > > > 
> > > > Note that there is an issue to fix before with the API Uber jar
> > > > where
> > > > the
> > > > tomcat classifier has the same content as the non tomcat
> > > > classifier.
> > > > This
> > > > was meant to not be the case, so in Tomcat we would use the API
> > > > jars
> > > > Tomcat
> > > > is providing.
> > > > 
> > > > See https://issues.apache.org/jira/browse/TOMEE-4199
> > > > 
> > > > Regards
> > > > 
> > > > --
> > > > Jean-Louis Monteiro
> > > > http://twitter.com/jlouismonteiro
> > > > http://www.tomitribe.com
> > > 
> > > 
> > 


Re: Release TomEE 9.1.0

Posted by Jean-Louis Monteiro <jl...@tomitribe.com>.
Thanks Swell for providing more information on the consequences/side
effects.
This helps.

I'd say it depends how fast we can get a 10.0

--
Jean-Louis Monteiro
http://twitter.com/jlouismonteiro
http://www.tomitribe.com


On Tue, Apr 18, 2023 at 11:38 AM Swell <so...@gmail.com> wrote:

> Fixing cve should have priority over tck results, right ? That said do we
> want to maintain efforts on 9.1 or focus our resources and time on 10.0 ?
>
> On the other hand, If we upgrade TomEE 9 with tomcat 10.1 we lose a status
> method of servlet api used by EE9 versions of resteasy/jersey/etc.
> Resulting in a no such method exception. That means users then must upgrade
> faulty dependencies to their EE10 equivalent.
>
> It will feel more natural to users to use a EE10 TomEE with EE10
> dependencies. Even it being milestone/alpha.
>
> -1 for a TomEE 9 release (mainly because tomcat 10.0 is EOL)
>
> My two cents … have a nice week!
> Swell
>
> On Tue 18 Apr 2023 at 11:02, Richard Zowalla <rz...@apache.org> wrote:
>
> > Hi,
> >
> > I am +1 for it, but we need to decide, if we want to port the commons
> > fileupload cve to tomcat 10.0.27 or if we upgrade to 10.1.x (and lose
> > EE9.1 tck compliance).
> >
> > Regards
> > Richard
> >
> >
> > On Tuesday, 18.04.2023 at 10:01 +0200, Jean-Louis Monteiro wrote:
> > > Hi all,
> > >
> > > Looks like our backlog is starting to grow. We've done quite a lot of
> > > updates and I was wondering if we should do a release for 9.1.0?
> > >
> > > Note that there is an issue to fix before with the API Uber jar where
> > > the
> > > tomcat classifier has the same content as the non tomcat classifier.
> > > This
> > > was meant to not be the case, so in Tomcat we would use the API jars
> > > Tomcat
> > > is providing.
> > >
> > > See https://issues.apache.org/jira/browse/TOMEE-4199
> > >
> > > Regards
> > >
> > > --
> > > Jean-Louis Monteiro
> > > http://twitter.com/jlouismonteiro
> > > http://www.tomitribe.com
> >
> >
>

Re: Release TomEE 9.1.0

Posted by Swell <so...@gmail.com>.
Fixing cve should have priority over tck results, right ? That said do we
want to maintain efforts on 9.1 or focus our resources and time on 10.0 ?

On the other hand, If we upgrade TomEE 9 with tomcat 10.1 we lose a status
method of servlet api used by EE9 versions of resteasy/jersey/etc.
Resulting in a no such method exception. That means users then must upgrade
faulty dependencies to their EE10 equivalent.

It will feel more natural to users to use a EE10 TomEE with EE10
dependencies. Even it being milestone/alpha.

-1 for a TomEE 9 release (mainly because tomcat 10.0 is EOL)

My two cents … have a nice week!
Swell

On Tue 18 Apr 2023 at 11:02, Richard Zowalla <rz...@apache.org> wrote:

> Hi,
>
> I am +1 for it, but we need to decide, if we want to port the commons
> fileupload cve to tomcat 10.0.27 or if we upgrade to 10.1.x (and lose
> EE9.1 tck compliance).
>
> Regards
> Richard
>
>
> On Tuesday, 18.04.2023 at 10:01 +0200, Jean-Louis Monteiro wrote:
> > Hi all,
> >
> > Looks like our backlog is starting to grow. We've done quite a lot of
> > updates and I was wondering if we should do a release for 9.1.0?
> >
> > Note that there is an issue to fix before with the API Uber jar where
> > the
> > tomcat classifier has the same content as the non tomcat classifier.
> > This
> > was meant to not be the case, so in Tomcat we would use the API jars
> > Tomcat
> > is providing.
> >
> > See https://issues.apache.org/jira/browse/TOMEE-4199
> >
> > Regards
> >
> > --
> > Jean-Louis Monteiro
> > http://twitter.com/jlouismonteiro
> > http://www.tomitribe.com
>
>

Re: Release TomEE 9.1.0

Posted by Richard Zowalla <rz...@apache.org>.
Hi,

I am +1 for it, but we need to decide, if we want to port the commons
fileupload cve to tomcat 10.0.27 or if we upgrade to 10.1.x (and lose
EE9.1 tck compliance).

Regards
Richard


On Tuesday, 18.04.2023 at 10:01 +0200, Jean-Louis Monteiro wrote:
> Hi all,
> 
> Looks like our backlog is starting to grow. We've done quite a lot of
> updates and I was wondering if we should do a release for 9.1.0?
> 
> Note that there is an issue to fix before with the API Uber jar where
> the
> tomcat classifier has the same content as the non tomcat classifier.
> This
> was meant to not be the case, so in Tomcat we would use the API jars
> Tomcat
> is providing.
> 
> See https://issues.apache.org/jira/browse/TOMEE-4199
> 
> Regards
> 
> --
> Jean-Louis Monteiro
> http://twitter.com/jlouismonteiro
> http://www.tomitribe.com


Re: Release TomEE 9.1.0

Posted by Richard Zowalla <rz...@apache.org>.
Short update: JL did some fixes on the TCK setup and the TCK looks
good. Bug fixes and dep upgrades did not introduce any regression.

There is a full build running to include the final version of
arquillian (1.7.0.Final) + Jackson 2.15.1 (with some bug fixes included
in 2.15.0). If this is included, we are in good shape for 9.1.0, imho.

WDYT?

Regards
Richard


On Tuesday, 16.05.2023 at 11:58 +0200, Richard Zowalla wrote:
> Thanks. I will do the backport and prepare an API release for VOTE.
> 
> Regards
> Richard
> 
> 
> On Tuesday, 16.05.2023 at 11:42 +0200, Jean-Louis
> Monteiro wrote:
> > Hi,
> > 
> > I reviewed and merged the PR. Go ahead with the API release and
> > place
> > backport to 10.x so we don't introduce the issue again.
> > I did not close the issue as fixed for that reason.
> > --
> > Jean-Louis Monteiro
> > http://twitter.com/jlouismonteiro
> > http://www.tomitribe.com
> > 
> > 
> > On Tue, May 16, 2023 at 11:02 AM Richard Zowalla <rz...@apache.org>
> > wrote:
> > 
> > > Hi all,
> > > 
> > > I provided a possible fix for TOMEE-4199 via [1]. If it is
> > > sufficient,
> > > we can do an api release and proceed with 9.1.0 (after we have
> > > some
> > > tck
> > > results).
> > > 
> > > Regards
> > > Richard
> > > 
> > > 
> > > [1] https://github.com/apache/tomee-jakartaee-api/pull/2
> > > 
> > > On Tuesday, 18.04.2023 at 10:01 +0200, Jean-Louis
> > > Monteiro wrote:
> > > > Hi all,
> > > > 
> > > > Looks like our backlog is starting to grow. We've done quite a
> > > > lot of
> > > > updates and I was wondering if we should do a release for
> > > > 9.1.0?
> > > > 
> > > > Note that there is an issue to fix before with the API Uber jar
> > > > where
> > > > the
> > > > tomcat classifier has the same content as the non tomcat
> > > > classifier.
> > > > This
> > > > was meant to not be the case, so in Tomcat we would use the API
> > > > jars
> > > > Tomcat
> > > > is providing.
> > > > 
> > > > See https://issues.apache.org/jira/browse/TOMEE-4199
> > > > 
> > > > Regards
> > > > 
> > > > --
> > > > Jean-Louis Monteiro
> > > > http://twitter.com/jlouismonteiro
> > > > http://www.tomitribe.com
> > > 
> > > 
> 


Re: Release TomEE 9.1.0

Posted by Richard Zowalla <rz...@apache.org>.
Thanks. I will do the backport and prepare an API release for VOTE.

Regards
Richard


On Tuesday, 16.05.2023 at 11:42 +0200, Jean-Louis Monteiro wrote:
> Hi,
> 
> I reviewed and merged the PR. Go ahead with the API release and place
> backport to 10.x so we don't introduce the issue again.
> I did not close the issue as fixed for that reason.
> --
> Jean-Louis Monteiro
> http://twitter.com/jlouismonteiro
> http://www.tomitribe.com
> 
> 
> On Tue, May 16, 2023 at 11:02 AM Richard Zowalla <rz...@apache.org>
> wrote:
> 
> > Hi all,
> > 
> > I provided a possible fix for TOMEE-4199 via [1]. If it is
> > sufficient,
> > we can do an api release and proceed with 9.1.0 (after we have some
> > tck
> > results).
> > 
> > Regards
> > Richard
> > 
> > 
> > [1] https://github.com/apache/tomee-jakartaee-api/pull/2
> > 
> > On Tuesday, 18.04.2023 at 10:01 +0200, Jean-Louis
> > Monteiro wrote:
> > > Hi all,
> > > 
> > > Looks like our backlog is starting to grow. We've done quite a
> > > lot of
> > > updates and I was wondering if we should do a release for 9.1.0?
> > > 
> > > Note that there is an issue to fix before with the API Uber jar
> > > where
> > > the
> > > tomcat classifier has the same content as the non tomcat
> > > classifier.
> > > This
> > > was meant to not be the case, so in Tomcat we would use the API
> > > jars
> > > Tomcat
> > > is providing.
> > > 
> > > See https://issues.apache.org/jira/browse/TOMEE-4199
> > > 
> > > Regards
> > > 
> > > --
> > > Jean-Louis Monteiro
> > > http://twitter.com/jlouismonteiro
> > > http://www.tomitribe.com
> > 
> > 


Re: Release TomEE 9.1.0

Posted by Jean-Louis Monteiro <jl...@tomitribe.com>.
Hi,

I reviewed and merged the PR. Go ahead with the API release and place
backport to 10.x so we don't introduce the issue again.
I did not close the issue as fixed for that reason.
--
Jean-Louis Monteiro
http://twitter.com/jlouismonteiro
http://www.tomitribe.com


On Tue, May 16, 2023 at 11:02 AM Richard Zowalla <rz...@apache.org> wrote:

> Hi all,
>
> I provided a possible fix for TOMEE-4199 via [1]. If it is sufficient,
> we can do an api release and proceed with 9.1.0 (after we have some tck
> results).
>
> Regards
> Richard
>
>
> [1] https://github.com/apache/tomee-jakartaee-api/pull/2
>
> On Tuesday, 18.04.2023 at 10:01 +0200, Jean-Louis Monteiro wrote:
> > Hi all,
> >
> > Looks like our backlog is starting to grow. We've done quite a lot of
> > updates and I was wondering if we should do a release for 9.1.0?
> >
> > Note that there is an issue to fix before with the API Uber jar where
> > the
> > tomcat classifier has the same content as the non tomcat classifier.
> > This
> > was meant to not be the case, so in Tomcat we would use the API jars
> > Tomcat
> > is providing.
> >
> > See https://issues.apache.org/jira/browse/TOMEE-4199
> >
> > Regards
> >
> > --
> > Jean-Louis Monteiro
> > http://twitter.com/jlouismonteiro
> > http://www.tomitribe.com
>
>

Re: Release TomEE 9.1.0

Posted by Richard Zowalla <rz...@apache.org>.
Hi all,

I provided a possible fix for TOMEE-4199 via [1]. If it is sufficient,
we can do an api release and proceed with 9.1.0 (after we have some tck
results).

Regards
Richard


[1] https://github.com/apache/tomee-jakartaee-api/pull/2

On Tuesday, 18.04.2023 at 10:01 +0200, Jean-Louis Monteiro wrote:
> Hi all,
> 
> Looks like our backlog is starting to grow. We've done quite a lot of
> updates and I was wondering if we should do a release for 9.1.0?
> 
> Note that there is an issue to fix before with the API Uber jar where
> the
> tomcat classifier has the same content as the non tomcat classifier.
> This
> was meant to not be the case, so in Tomcat we would use the API jars
> Tomcat
> is providing.
> 
> See https://issues.apache.org/jira/browse/TOMEE-4199
> 
> Regards
> 
> --
> Jean-Louis Monteiro
> http://twitter.com/jlouismonteiro
> http://www.tomitribe.com