Posted to dev@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2022/10/25 15:51:32 UTC

November release round

Hi all,

I've just seen the heads up from the OpenSSL project that there will be 
a 3.0.7 release on 2022-12-01 that will address a critical 
vulnerability. We won't know the details of the vulnerability until the 
release announcement. Given that it may trigger a Tomcat Native release 
my current thinking is:

- prep for November releases as normal
- review the OpenSSL issue once public
- roll a Tomcat Native release if necessary
- update to the new Tomcat Native release if there is one
- roll the Tomcat releases

Do we want to pick up an updated migration tool as well?

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: November release round

Posted by Rémy Maucherat <re...@apache.org>.
On Wed, Nov 2, 2022 at 2:40 AM Han Li <li...@apache.org> wrote:
>
>
>
> > On 2022-11-02 00:19, Mark Thomas <ma...@apache.org> wrote:
> >
> > I've just read the OpenSSL announcement. The issue has been downgraded to critical but we are going to need a new Tomcat Native release. There are a couple of stack overflow bugs in certificate verification so Tomcat could be accepted via CLIENT-CERT.
> >
> > Where are we on the migration tool? I haven't been following that closely. Is the repo ready for a release?
> Yes, I think it’s ready. ;)

+1

Remy

> Han
> >
> > Mark
> >
> >
> > On 25/10/2022 16:55, Rémy Maucherat wrote:
> >> On Tue, Oct 25, 2022 at 5:52 PM Mark Thomas <ma...@apache.org> wrote:
> >>>
> >>> Hi all,
> >>>
> >>> I've just seen the heads up from the OpenSSL project that there will be
> >>> a 3.0.7 release on 2022-12-01 that will address a critical
> >>> vulnerability. We won't know the details of the vulnerability until the
> >>> release announcement. Given that it may trigger a Tomcat Native release
> >>> my current thinking is:
> >>>
> >>> - prep for November releases as normal
> >>> - review the OpenSSL issue once public
> >>> - roll a Tomcat Native release if necessary
> >>> - update to the new Tomcat Native release if there is one
> >>> - roll the Tomcat releases
> >>>
> >>> Do we want to pick up an updated migration tool as well?
> >> Maybe, we're in the process of integrating a PR for the tool. The
> >> submitter says it makes it run faster.
> >> Rémy
> >>> Mark
> >>>


Re: November release round

Posted by Han Li <li...@apache.org>.

> On 2022-11-02 00:19, Mark Thomas <ma...@apache.org> wrote:
> 
> I've just read the OpenSSL announcement. The issue has been downgraded to critical but we are going to need a new Tomcat Native release. There are a couple of stack overflow bugs in certificate verification so Tomcat could be accepted via CLIENT-CERT.
> 
> Where are we on the migration tool? I haven't been following that closely. Is the repo ready for a release?
Yes, I think it’s ready. ;)

Han
> 
> Mark
> 
> 
> On 25/10/2022 16:55, Rémy Maucherat wrote:
>> On Tue, Oct 25, 2022 at 5:52 PM Mark Thomas <ma...@apache.org> wrote:
>>> 
>>> Hi all,
>>> 
>>> I've just seen the heads up from the OpenSSL project that there will be
>>> a 3.0.7 release on 2022-12-01 that will address a critical
>>> vulnerability. We won't know the details of the vulnerability until the
>>> release announcement. Given that it may trigger a Tomcat Native release
>>> my current thinking is:
>>> 
>>> - prep for November releases as normal
>>> - review the OpenSSL issue once public
>>> - roll a Tomcat Native release if necessary
>>> - update to the new Tomcat Native release if there is one
>>> - roll the Tomcat releases
>>> 
>>> Do we want to pick up an updated migration tool as well?
>> Maybe, we're in the process of integrating a PR for the tool. The
>> submitter says it makes it run faster.
>> Rémy
>>> Mark
>>> 


Re: November release round

Posted by Mark Thomas <ma...@apache.org>.
On 02/11/2022 18:36, Christopher Schultz wrote:
> Mark,
> 
> On 11/1/22 12:19, Mark Thomas wrote:
>> I've just read the OpenSSL announcement. The issue has been downgraded 
>> to critical but we are going to need a new Tomcat Native release. 
>> There are a couple of stack overflow bugs in certificate verification 
>> so Tomcat could be accepted via CLIENT-CERT.
> 
> s/accepted/affected/

Tx.

> I've been following this as well, and I agree that we need a flurry of 
> releases. It's too bad we decided to bundle libtcnative.dll with Tomcat 
> releases. *NIX users don't have to wait for a release...

Neither do Windows users. They just have to build from source like their 
Unix colleagues.

> I think we should have an immediate VOTE on a tcnative release which 
> includes an updated statically-linked Windows DLL. Because there are no 
> code changes (?) since the last tcnative release... can we simply 
> fast-forward to a release-by-acclamation? ASF probably says no to that. :/

The VOTE thread is on the way. I'm currently travelling so things are a 
little trickier / slower than usual but I expect to get the VOTE thread 
out in the next hour or so.

We can end the VOTE whenever we like. If we have at least 3 +1 PMC votes 
and more PMC +1 votes than -1 votes then we can release. The 72 hours is 
a guideline / very strong recommendation but if we have a good reason 
for doing something else that is fine. And security is generally 
accepted as a good reason for a shorter vote. If we had everyone lined 
up ready to VOTE, the whole thing could be over in a couple of minutes.

Mark

> 
> -chris
> 
>> On 25/10/2022 16:55, Rémy Maucherat wrote:
>>> On Tue, Oct 25, 2022 at 5:52 PM Mark Thomas <ma...@apache.org> wrote:
>>>>
>>>> Hi all,
>>>>
>>>> I've just seen the heads up from the OpenSSL project that there will be
>>>> a 3.0.7 release on 2022-12-01 that will address a critical
>>>> vulnerability. We won't know the details of the vulnerability until the
>>>> release announcement. Given that it may trigger a Tomcat Native release
>>>> my current thinking is:
>>>>
>>>> - prep for November releases as normal
>>>> - review the OpenSSL issue once public
>>>> - roll a Tomcat Native release if necessary
>>>> - update to the new Tomcat Native release if there is one
>>>> - roll the Tomcat releases
>>>>
>>>> Do we want to pick up an updated migration tool as well?
>>>
>>> Maybe, we're in the process of integrating a PR for the tool. The
>>> submitter says it makes it run faster.
>>>
>>> Rémy
>>>
>>>> Mark
>>>>


Re: November release round

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,

On 11/1/22 12:19, Mark Thomas wrote:
> I've just read the OpenSSL announcement. The issue has been downgraded 
> to critical but we are going to need a new Tomcat Native release. There 
> are a couple of stack overflow bugs in certificate verification so 
> Tomcat could be accepted via CLIENT-CERT.

s/accepted/affected/

I've been following this as well, and I agree that we need a flurry of 
releases. It's too bad we decided to bundle libtcnative.dll with Tomcat 
releases. *NIX users don't have to wait for a release...

I think we should have an immediate VOTE on a tcnative release which 
includes an updated statically-linked Windows DLL. Because there are no 
code changes (?) since the last tcnative release... can we simply 
fast-forward to a release-by-acclamation? ASF probably says no to that. :/

-chris

> On 25/10/2022 16:55, Rémy Maucherat wrote:
>> On Tue, Oct 25, 2022 at 5:52 PM Mark Thomas <ma...@apache.org> wrote:
>>>
>>> Hi all,
>>>
>>> I've just seen the heads up from the OpenSSL project that there will be
>>> a 3.0.7 release on 2022-12-01 that will address a critical
>>> vulnerability. We won't know the details of the vulnerability until the
>>> release announcement. Given that it may trigger a Tomcat Native release
>>> my current thinking is:
>>>
>>> - prep for November releases as normal
>>> - review the OpenSSL issue once public
>>> - roll a Tomcat Native release if necessary
>>> - update to the new Tomcat Native release if there is one
>>> - roll the Tomcat releases
>>>
>>> Do we want to pick up an updated migration tool as well?
>>
>> Maybe, we're in the process of integrating a PR for the tool. The
>> submitter says it makes it run faster.
>>
>> Rémy
>>
>>> Mark
>>>


Re: November release round

Posted by Mark Thomas <ma...@apache.org>.
I've just read the OpenSSL announcement. The issue has been downgraded 
to critical but we are going to need a new Tomcat Native release. There 
are a couple of stack overflow bugs in certificate verification so 
Tomcat could be accepted via CLIENT-CERT.

Where are we on the migration tool? I haven't been following that 
closely. Is the repo ready for a release?

Mark


On 25/10/2022 16:55, Rémy Maucherat wrote:
> On Tue, Oct 25, 2022 at 5:52 PM Mark Thomas <ma...@apache.org> wrote:
>>
>> Hi all,
>>
>> I've just seen the heads up from the OpenSSL project that there will be
>> a 3.0.7 release on 2022-12-01 that will address a critical
>> vulnerability. We won't know the details of the vulnerability until the
>> release announcement. Given that it may trigger a Tomcat Native release
>> my current thinking is:
>>
>> - prep for November releases as normal
>> - review the OpenSSL issue once public
>> - roll a Tomcat Native release if necessary
>> - update to the new Tomcat Native release if there is one
>> - roll the Tomcat releases
>>
>> Do we want to pick up an updated migration tool as well?
> 
> Maybe, we're in the process of integrating a PR for the tool. The
> submitter says it makes it run faster.
> 
> Rémy
> 
>> Mark
>>


Re: November release round

Posted by Rémy Maucherat <re...@apache.org>.
On Tue, Oct 25, 2022 at 5:52 PM Mark Thomas <ma...@apache.org> wrote:
>
> Hi all,
>
> I've just seen the heads up from the OpenSSL project that there will be
> a 3.0.7 release on 2022-12-01 that will address a critical
> vulnerability. We won't know the details of the vulnerability until the
> release announcement. Given that it may trigger a Tomcat Native release
> my current thinking is:
>
> - prep for November releases as normal
> - review the OpenSSL issue once public
> - roll a Tomcat Native release if necessary
> - update to the new Tomcat Native release if there is one
> - roll the Tomcat releases
>
> Do we want to pick up an updated migration tool as well?

Maybe, we're in the process of integrating a PR for the tool. The
submitter says it makes it run faster.

Rémy

> Mark
>


Re: November release round

Posted by Han Li <li...@apache.org>.

> On 2022-10-25 23:51, Mark Thomas <ma...@apache.org> wrote:
> 
> Hi all,
> 
> I've just seen the heads up from the OpenSSL project that there will be a 3.0.7 release on 2022-12-01 that will address a critical vulnerability. We won't know the details of the vulnerability until the release announcement. Given that it may trigger a Tomcat Native release my current thinking is:
> 
> - prep for November releases as normal
> - review the OpenSSL issue once public
> - roll a Tomcat Native release if necessary
> - update to the new Tomcat Native release if there is one
> - roll the Tomcat releases
> 
> Do we want to pick up an updated migration tool as well?
Sure, I have merged the PR and so far everything seems to be OK, and it’s indeed faster.

Han
> 
> Mark
> 