Posted to users@tomcat.apache.org by Rupesh Kumar <ru...@adobe.com> on 2011/05/23 13:30:48 UTC

How to get early notification of the upcoming release

Hi,

How do I get an early notification of the upcoming release (including Security fix) from Tomcat? Is there any program/subscription mechanism for this?



Basically we have made some custom changes to Tomcat source and would like to get the early notification so that we can merge those changes with Tomcat ones and make it available as soon as the public release is made.



Regards,

Rupesh


RE: How to get early notification of the upcoming release

Posted by Rupesh Kumar <ru...@adobe.com>.
Thanks Mark! That was very helpful.

-----Original Message-----
From: Mark Thomas [mailto:markt@apache.org] 
Sent: Monday, May 23, 2011 5:58 PM
To: Tomcat Users List
Subject: Re: How to get early notification of the upcoming release

On 23/05/2011 12:30, Rupesh Kumar wrote:
> Hi,
> 
> How do I get an early notification of the upcoming release (including Security fix) from Tomcat? Is there any program/subscription mechanism for this?

Proposed releases are discussed on the dev mailing list. As a minimum there will be an svn commit to create the release tag and a VOTE on the proposed release prior to any release. If you follow the dev list you will have as much notice as anyone else of a Tomcat release. As an aside, Tomcat 7 currently releases once a month with the process starting at the beginning of the month.

No advance notification is made of security vulnerabilities fixed in any Tomcat release. Information regarding unpublished security vulnerabilities is limited to:
- the person that reported the issue
- the Tomcat security team
- the Apache security team

Membership of the Tomcat security team is limited to Tomcat committers.
Membership of the Apache security team is limited (as far as I recall) to members of the foundation.

Members of the Apache and/or Tomcat security teams may share information on Tomcat security vulnerabilities with domain experts (e.g. colleagues at their employer) providing that it is made clear that a) the information is not for public disclosure and b) that all discussion of the vulnerability is cc'd to the tomcat security mailing list.

When a vulnerability is made public (usually shortly after the release in which it is fixed is available) then it is announced to:
- Tomcat announce mailing list
- Tomcat dev mailing list
- Tomcat users mailing list
- Apache announce mailing list
- Bugtraq
- Full disclosure

> Basically we have made some custom changes to Tomcat source and would like to get the early notification so that we can merge those changes with Tomcat ones and make it available as soon as the public release is made.

That isn't possible. However, depending on what those custom changes are, one option is to propose the changes for inclusion in Tomcat so you no longer need to merge them in. Note that without knowing what the changes are, there is no guarantee that they will be accepted. Changes you would like to propose should be added as enhancement requests in Bugzilla.

Mark



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org




Re: How to get early notification of the upcoming release

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,

On 5/23/2011 8:27 AM, Mark Thomas wrote:
> However, depending on what those custom changes are, one option is to
> propose the changes for inclusion in Tomcat so you no longer need to
> merge them in.

+1

-chris



Re: How to get early notification of the upcoming release

Posted by Mark Thomas <ma...@apache.org>.
On 23/05/2011 12:30, Rupesh Kumar wrote:
> Hi,
> 
> How do I get an early notification of the upcoming release (including Security fix) from Tomcat? Is there any program/subscription mechanism for this?

Proposed releases are discussed on the dev mailing list. As a minimum
there will be an svn commit to create the release tag and a VOTE on the
proposed release prior to any release. If you follow the dev list you
will have as much notice as anyone else of a Tomcat release. As an
aside, Tomcat 7 currently releases once a month with the process
starting at the beginning of the month.

No advance notification is made of security vulnerabilities fixed in any
Tomcat release. Information regarding unpublished security
vulnerabilities is limited to:
- the person that reported the issue
- the Tomcat security team
- the Apache security team

Membership of the Tomcat security team is limited to Tomcat committers.
Membership of the Apache security team is limited (as far as I recall)
to members of the foundation.

Members of the Apache and/or Tomcat security teams may share information
on Tomcat security vulnerabilities with domain experts (e.g. colleagues
at their employer) providing that it is made clear that a) the
information is not for public disclosure and b) that all discussion of
the vulnerability is cc'd to the tomcat security mailing list.

When a vulnerability is made public (usually shortly after the release
in which it is fixed is available) then it is announced to:
- Tomcat announce mailing list
- Tomcat dev mailing list
- Tomcat users mailing list
- Apache announce mailing list
- Bugtraq
- Full disclosure

> Basically we have made some custom changes to Tomcat source and would like to get the early notification so that we can merge those changes with Tomcat ones and make it available as soon as the public release is made.

That isn't possible. However, depending on what those custom changes
are, one option is to propose the changes for inclusion in Tomcat so you
no longer need to merge them in. Note that without knowing what the
changes are, there is no guarantee that they will be accepted. Changes
you would like to propose should be added as enhancement requests in
Bugzilla.

Mark


