Posted to dev@tomcat.apache.org by Danno Ferrin <sh...@earthlink.net> on 2000/07/23 08:27:44 UTC

Security of Tomcat/Jasper (was: [PROPOSAL] New build targets for Tomcat)

     I do not see how one can put as much blind trust in Tomcat and not
Jasper security wise.  As code bases they are approximately the same age
and they have been available for security audits and code reviews for the
same amount of time.  Especially so when you consider open source time.

     If you really want code that has been under more security review and
been available for review a longer time then I would pick JServ as the
servlet engine of choice.  In fact on my project at work it has been in the
build for almost a year.  I must confess that is because (a) it continues to
work, and (b) until recently the management and engineering has not
considered code from the Jakarta Project production ready and (c) no one has
taken the effort to replace it with Tomcat, (we have so many other features
to add and code to optimize that given (a) alone it has stayed well below
the radar screen.  I hope no-one tells the install guys about web apps).

     Your points about security and the bugtraq issues are very valid.  It
is a great message that has been marred by the delivery.  Even though you
didn't say it in the e-mail explicitly I am going to assume that you feel
security issues should be fixed before we have a final release.  Hence if I
know of any security bugs (particularly bugtraq ones) I will -1 the release
until it is fixed.  Thus whether or not Jasper or Tomcat is the product of
choice, it will be secure.

--Danno

p.s.  If you are ever going to go someplace to take engagement photos make
sure the film is advancing before you pack up and leave.  But the people at
WalMart will develop the roll of film just the same.

----- Original Message -----
From: "Jon Stevens" <jo...@latchkey.com>
To: <to...@jakarta.apache.org>
Sent: Saturday, July 22, 2000 7:34 PM
Subject: Re: [PROPOSAL] New build targets for Tomcat


> on 7/22/2000 10:36 AM, "Danno Ferrin" <sh...@earthlink.net> wrote:
>
> > But all of this is straying us from THE REAL ISSUE of the BUGTRAQ things
> > that are providing too much information to the client user that can be
> > useful to compromise the system.
>
> I trust that Apache does not have security holes. The code has been
> reviewed by enough people now that it is pretty well known to be secure.
>
> I do not trust that Jasper has had all the security holes removed.
>
> I trust that the people in this group will fix the issues as they come up.
>
> I would like the OPTION to be able to remove the portion that I do not
> trust.
>
> I NEVER said that I wanted to remove JSP from Tomcat.
>
> I NEVER said that I wanted to distribute Tomcat from jakarta.apache.org
> without JSP.
>
> I know I can, but I DO NOT want to fork the project.
>
> ALL I SAID IS THAT I WOULD LIKE TO PROVIDE OPTIONAL BUILD TARGETS THAT DO
> NOT INCLUDE JSP.
>
> What exactly is so bad about that?
>
> thanks,
>
> -jon
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
>
>