Posted to dev@tomcat.apache.org by jean-frederic clere <jf...@gmail.com> on 2018/06/07 15:50:25 UTC

[VOTE] Release Apache Tomcat Native 1.2.17

Version 1.2.17 includes the following changes compared to 1.2.16:

- Windows binaries built with OpenSSL 1.0.2o and APR 1.6.3

Various other fixes and improvements. See the changelog for details.

The proposed release artefacts can be found at [1],
and the build was done using tag [2].

The Apache Tomcat Native 1.2.17 is
 [ ] Stable, go ahead and release
 [ ] Broken because of ...

Thanks,

Jean-Frederic


[1]
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-connectors/native/1.2.17/
[2] https://svn.apache.org/repos/asf/tomcat/native/tags/TOMCAT_NATIVE_1_2_17

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: [VOTE] Release Apache Tomcat Native 1.2.17

Posted by Mark Thomas <ma...@apache.org>.
Changing my vote to +1, stable.

On 07/06/18 21:15, Mark Thomas wrote:
> On 07/06/18 16:50, jean-frederic clere wrote:
>> Version 1.2.17 includes the following changes compared to 1.2.16:
>>
>> - Windows binaries built with OpenSSL 1.0.2o and APR 1.6.3
>>
>> Various other fixes and improvements. See the changelog for details.
>>
>> The proposed release artefacts can be found at [1],
>> and the build was done using tag [2].
>>
>> The Apache Tomcat Native 1.2.17 is
>>  [X] Stable, go ahead and release
>>  [ ] Broken because of ...
> 
> gpg --verify reports that the signature for
> tomcat-native-1.2.17-win32-src.zip
> is bad.

This has been fixed.

> Other notes:
> - We should be providing sha1 and sha512 hashes, not md5.
>   (build scripts may need updating)

These have been provided.

> Checks:
> - hashes match
> - signatures match apart from exception noted above
> - src.tar.gz structure matches tag (with expected differences)
> - library builds from src.tar.gz on Ubuntu Linux
> - unit tests pass on Linux with library built from source
>   (apart from expected failures due to the version of
>   OpenSSL being used)
> - Windows binary layout as expected
> - Windows binaries of expected size
> - Windows binaries have no unexpected DLL dependencies
> - unit tests pass on Windows with library from binaries

I am not concerned that VERSIONS references an older OpenSSL version.
There have been a few releases where this has happened in the past and
the nature of VERSIONS is such that it becomes out of date as time
passes after the release anyway. The important thing is that the
binaries are built with the correct versions and they have been.

Mark



Re: [VOTE] Release Apache Tomcat Native 1.2.17

Posted by Mark Thomas <ma...@apache.org>.
On 07/06/18 16:50, jean-frederic clere wrote:
> Version 1.2.17 includes the following changes compared to 1.2.16:
> 
> - Windows binaries built with OpenSSL 1.0.2o and APR 1.6.3
> 
> Various other fixes and improvements. See the changelog for details.
> 
> The proposed release artefacts can be found at [1],
> and the build was done using tag [2].
> 
> The Apache Tomcat Native 1.2.17 is
>  [ ] Stable, go ahead and release
>  [X] Broken because of ...

gpg --verify reports that the signature for
tomcat-native-1.2.17-win32-src.zip
is bad.

Other notes:
- We should be providing sha1 and sha512 hashes, not md5.
  (build scripts may need updating)

Checks:
- hashes match
- signatures match apart from exception noted above
- src.tar.gz structure matches tag (with expected differences)
- library builds from src.tar.gz on Ubuntu Linux
- unit tests pass on Linux with library built from source
  (apart from expected failures due to the version of
  OpenSSL being used)
- Windows binary layout as expected
- Windows binaries of expected size
- Windows binaries have no unexpected DLL dependencies
- unit tests pass on Windows with library from binaries

Given that we have a valid MD5 hash for
tomcat-native-1.2.17-win32-src.zip
I'd be happy with the following:
- upload corrected signature file
- add SHA1 and SHA512 hashes for all files
- remove MD5 files once vote has passed and before moving to release

I am willing to change my vote to +1, stable once the above steps are
complete.

Mark
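
The staging-directory state asked for in the message above (a signature file, SHA1 and SHA512 hashes for every artefact, no MD5 files left) can be checked mechanically. The following is an added example, not part of the thread or of the Tomcat build scripts; the function names, the sample file names and the assumed sidecar layout (hex digest first on the line) are illustrative assumptions.

```python
import hashlib
import pathlib
import tempfile

SIDECARS = (".asc", ".md5", ".sha1", ".sha512")


def audit_release_dir(directory):
    """Return a list of problems found among the artefacts in directory."""
    root = pathlib.Path(directory)
    problems = []
    for artefact in sorted(p for p in root.iterdir() if p.suffix not in SIDECARS):
        name = artefact.name
        # Presence only: validity of the signature is what gpg --verify checks.
        if not (root / (name + ".asc")).exists():
            problems.append(f"{name}: no .asc signature file")
        if (root / (name + ".md5")).exists():
            problems.append(f"{name}: MD5 file still present")
        for algo in ("sha1", "sha512"):
            sidecar = root / f"{name}.{algo}"
            if not sidecar.exists():
                problems.append(f"{name}: missing .{algo}")
                continue
            # Assumption: the sidecar begins with the hex digest, optionally
            # followed by whitespace and the file name.
            fields = sidecar.read_text().split()
            expected = fields[0].lower() if fields else ""
            if expected != hashlib.new(algo, artefact.read_bytes()).hexdigest():
                problems.append(f"{name}: {algo} mismatch")
    return problems


def build_sample_dir(directory):
    """Fill directory with constructed artefacts: one clean, one flawed."""
    root = pathlib.Path(directory)
    for name, body in (("good-src.tar.gz", b"good"), ("bad-src.zip", b"bad")):
        (root / name).write_bytes(body)
        (root / (name + ".asc")).write_text("constructed placeholder\n")
        for algo in ("sha1", "sha512"):
            digest = hashlib.new(algo, body).hexdigest()
            (root / f"{name}.{algo}").write_text(f"{digest} *{name}\n")
    # Flaws: payload changed after hashing, plus a leftover MD5 file.
    (root / "bad-src.zip").write_bytes(b"bad, modified")
    (root / "bad-src.zip.md5").write_text("constructed\n")


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_dir(tmp)
        return audit_release_dir(tmp)
```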



Re: [VOTE] Release Apache Tomcat Native 1.2.17

Posted by Rémy Maucherat <re...@apache.org>.
On Thu, Jun 7, 2018 at 5:50 PM jean-frederic clere <jf...@gmail.com>
wrote:

> Version 1.2.17 includes the following changes compared to 1.2.16:
>
> - Windows binaries built with OpenSSL 1.0.2o and APR 1.6.3
>
> Various other fixes and improvements. See the changelog for details.
>
> The proposed release artefacts can be found at [1],
> and the build was done using tag [2].
>
> The Apache Tomcat Native 1.2.17 is
>  [X] Stable, go ahead and release
>  [ ] Broken because of ...
>

Works fine for me.

Rémy


>
> Thanks,
>
> Jean-Frederic
>
>
> [1]
>
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-connectors/native/1.2.17/
> [2]
> https://svn.apache.org/repos/asf/tomcat/native/tags/TOMCAT_NATIVE_1_2_17
>

Re: [VOTE] Release Apache Tomcat Native 1.2.17

Posted by Rainer Jung <ra...@kippdata.de>.
On 07.06.2018 at 17:50, jean-frederic clere wrote:
> Version 1.2.17 includes the following changes compared to 1.2.16:
> 
> - Windows binaries built with OpenSSL 1.0.2o and APR 1.6.3
> 
> Various other fixes and improvements. See the changelog for details.
> 
> The proposed release artefacts can be found at [1],
> and the build was done using tag [2].
> 
> The Apache Tomcat Native 1.2.17 is
>   [X] Stable, go ahead and release
>   [ ] Broken because of ...

+1 to release, thanks for RMing.

2 remarks:

- when I extract the zip sources on Unix, I get all dirs and files with 
group write (!) permission. That sounds unsafe. It wasn't like that for 
1.2.16. I don't know on which platform and using which zip impl you 
created them, but many of those would reflect in the zip the permissions 
that the files had on your file system. Group write permissions is 
typically something we should avoid for security reasons.

- OpenSSL used according to VERSIONS file is 1.0.2m. I would suggest 
taking the latest patch level for release builds but did not check the 
changelog and history to see, whether there was a relevant change 
between 1.0.2m and 1.0.2o.

and one old remark:

- it seems to me that on Unix/Linux OCSP support is always active if 
OpenSSL supports it, but on Windows one needs to enable it. See 
"ENABLE_OCSP" in files native/BUILDING and native/NMAKEmakefile. Is that 
still the right thing to do, or should we simply distribute the ocsp 
enabled windows binary and drop the non-ocsp one? I can't judge by 
myself, but currently Windows and Unix/Linux build differ in their defaults.

Now for the test results:

- Tested with APR 1.6.3, OpenSSL 1.0.2o plus patches,
   and unit tests of TC 8.5 head
- Platforms Solaris 10 Sparc, SLES 11 and 12 64 Bit, RHEL 6 and 7 64 Bits
- configure flag "--enable-maintainer-mode"
- make with gcc 8.1.0 on Solaris and platform gcc on Linux
- Using Java version 1.8.0_172 64 Bit
   - Using "-XX:-UseCompressedClassPointers" on 64 Bit Linux
- SHA1 and MD5 OK
- signatures OK
- gz and zip for sources consistent
- source dist consistent with svn tag
- config.guess and config.sub from apr 1.6.3 (copied by buildconf)
   from last year (OK).
- VERSIONS says OpenSSL 1.0.2m and APR 1.6.3
   - more recent OpenSSL 1.0.2o might have been nice
- recreated release with jnirelease script, results are
   consistent with source dist, except for minor expected diffs in
   generated docs
- make succeeds and builds lib
   - no C warnings
- unit test results for TC
   - no failures

Regards,

Rainer
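
The group-write remark above concerns the Unix mode bits that a zip tool records for each entry and that unzip restores on extraction. The following is an added example, not part of the thread or of the jnirelease script: it reads those stored modes without extracting anything and reports entries that carry group or other write permission. The function names and the two in-memory archives are constructed for illustration.

```python
import io
import stat
import zipfile

# Permission bits that should not appear on files in a source distribution.
RISKY_BITS = stat.S_IWGRP | stat.S_IWOTH


def risky_entries(zip_bytes):
    """Return (name, octal mode) for entries stored with group/other write."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            # create_system 3 means the entry was written on Unix; only then
            # do the high 16 bits of external_attr hold a st_mode value.
            if info.create_system != 3:
                continue
            mode = (info.external_attr >> 16) & 0o7777
            if mode & RISKY_BITS:
                findings.append((info.filename, oct(mode)))
    return findings


def build_sample_zip(modes):
    """Construct an in-memory zip (sample data) with the given Unix modes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, mode in modes.items():
            info = zipfile.ZipInfo(name)
            info.create_system = 3  # mark the entry as Unix-created
            file_type = stat.S_IFDIR if name.endswith("/") else stat.S_IFREG
            info.external_attr = (file_type | mode) << 16
            zf.writestr(info, b"" if name.endswith("/") else b"sample\n")
    return buf.getvalue()


# Constructed samples: modes as produced under umask 0002 and under umask 0022.
LOOSE = build_sample_zip({"pkg/": 0o775, "pkg/configure": 0o775, "pkg/README": 0o664})
TIGHT = build_sample_zip({"pkg/": 0o755, "pkg/configure": 0o755, "pkg/README": 0o644})

if __name__ == "__main__":
    for label, data in (("loose", LOOSE), ("tight", TIGHT)):
        print(label, risky_entries(data))
```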



Re: [VOTE] Release Apache Tomcat Native 1.2.17

Posted by Emmanuel Bourg <eb...@apache.org>.
+1

Tested on Debian Sid with OpenJDK 10, OpenSSL 1.1.0h and GCC 7.3

Emmanuel Bourg


On 07/06/2018 at 17:50, jean-frederic clere wrote:
> Version 1.2.17 includes the following changes compared to 1.2.16:
> 
> - Windows binaries built with OpenSSL 1.0.2o and APR 1.6.3
> 
> Various other fixes and improvements. See the changelog for details.
> 
> The proposed release artefacts can be found at [1],
> and the build was done using tag [2].
> 
> The Apache Tomcat Native 1.2.17 is
>  [ ] Stable, go ahead and release
>  [ ] Broken because of ...
> 
> Thanks,
> 
> Jean-Frederic
> 
> 
> [1]
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-connectors/native/1.2.17/
> [2] https://svn.apache.org/repos/asf/tomcat/native/tags/TOMCAT_NATIVE_1_2_17
> 




Re: [VOTE] Release Apache Tomcat Native 1.2.17

Posted by Coty Sutherland <cs...@apache.org>.
On Thu, Jun 7, 2018 at 11:50 AM, jean-frederic clere <jf...@gmail.com>
wrote:

> Version 1.2.17 includes the following changes compared to 1.2.16:
>
> - Windows binaries built with OpenSSL 1.0.2o and APR 1.6.3
>
> Various other fixes and improvements. See the changelog for details.
>
> The proposed release artefacts can be found at [1],
> and the build was done using tag [2].
>
> The Apache Tomcat Native 1.2.17 is
>  [x] Stable, go ahead and release
>  [ ] Broken because of ...
>

+1, works fine for me on Fedora 26 (APR 1.6.3 and OpenSSL 1.1.0h-fips).


>
> Thanks,
>
> Jean-Frederic
>
>
> [1]
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-connectors/native/1.2.17/
> [2] https://svn.apache.org/repos/asf/tomcat/native/tags/TOMCAT_NATIVE_1_2_17
>

Re: [VOTE] Release Apache Tomcat Native 1.2.17

Posted by jean-frederic clere <jf...@gmail.com>.
On 08/06/18 10:45, Rainer Jung wrote:
> Some early observations, at least the broken signature needs fixing:
> 
> - previously sources were in a download folder named "source", now they
> are in "sources" (plural form).

fixed.

> 
> - sha1 and sha512 checksums not there, only md5. 1.2.16 had all three

fixed.

> 
> - file sources/tomcat-native-1.2.17-win32-src.zip.asc has a bad pgp
> signature:
> 
> gpg: assuming signed data in `tomcat-native-1.2.17-win32-src.zip'
> gpg: Signature made June  7, 2018  1:36:05 PM CEST
> gpg:                using RSA key ED3873F5D3262722
> gpg: BAD signature from "Jean-Frederic Clere (Apache signing key)
> <jf...@apache.org>"
> 
> Other signatures are OK, so please check integrity of the file
> tomcat-native-1.2.17-win32-src.zip and fix either this file or the asc
> file.

Fixed:
+++
[jfclere@dhcp-144-173 1.2.17]$ gpg --verify source/tomcat-native-1.2.17-win32-src.zip.asc
gpg: assuming signed data in `source/tomcat-native-1.2.17-win32-src.zip'
gpg: Signature made Fri 08 Jun 2018 16:03:14 CEST using RSA key ID D3262722
gpg: Good signature from "Jean-Frederic Clere (Apache signing key)
<jf...@apache.org>"
+++

> 
> - when I extract the zip sources on Unix, I get all dirs and files with
> group write permission. That sounds unsafe. It wasn't like that for 1.2.16.

umask 0022 hm no idea why the umask on my fedora27, minor, correct?

> 
> - OpenSSL used according to VERSIONS file is 1.0.2m, shouldn't it be
> 1.0.2o?

I wasn't sure to update it, does that block your vote?
https://www.openssl.org/news/vulnerabilities.html

Cheers

Jean-Frederic

> 
> Regards,
> 
> Rainer
> 
> On 07.06.2018 at 17:50, jean-frederic clere wrote:
>> Version 1.2.17 includes the following changes compared to 1.2.16:
>>
>> - Windows binaries built with OpenSSL 1.0.2o and APR 1.6.3
>>
>> Various other fixes and improvements. See the changelog for details.
>>
>> The proposed release artefacts can be found at [1],
>> and the build was done using tag [2].
>>
>> The Apache Tomcat Native 1.2.17 is
>>   [ ] Stable, go ahead and release
>>   [ ] Broken because of ...
>>
>> Thanks,
>>
>> Jean-Frederic
>>
>>
>> [1]
>> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-connectors/native/1.2.17/
>>
>> [2]
>> https://svn.apache.org/repos/asf/tomcat/native/tags/TOMCAT_NATIVE_1_2_17
> 




Re: [VOTE] Release Apache Tomcat Native 1.2.17

Posted by Rainer Jung <ra...@kippdata.de>.
Some early observations, at least the broken signature needs fixing:

- previously sources were in a download folder named "source", now they
are in "sources" (plural form).

- sha1 and sha512 checksums not there, only md5. 1.2.16 had all three

- file sources/tomcat-native-1.2.17-win32-src.zip.asc has a bad pgp 
signature:

gpg: assuming signed data in `tomcat-native-1.2.17-win32-src.zip'
gpg: Signature made June  7, 2018  1:36:05 PM CEST
gpg:                using RSA key ED3873F5D3262722
gpg: BAD signature from "Jean-Frederic Clere (Apache signing key) 
<jf...@apache.org>"

Other signatures are OK, so please check integrity of the file 
tomcat-native-1.2.17-win32-src.zip and fix either this file or the asc file.

- when I extract the zip sources on Unix, I get all dirs and files with 
group write permission. That sounds unsafe. It wasn't like that for 1.2.16.

- OpenSSL used according to VERSIONS file is 1.0.2m, shouldn't it be 1.0.2o?

Regards,

Rainer

On 07.06.2018 at 17:50, jean-frederic clere wrote:
> Version 1.2.17 includes the following changes compared to 1.2.16:
> 
> - Windows binaries built with OpenSSL 1.0.2o and APR 1.6.3
> 
> Various other fixes and improvements. See the changelog for details.
> 
> The proposed release artefacts can be found at [1],
> and the build was done using tag [2].
> 
> The Apache Tomcat Native 1.2.17 is
>   [ ] Stable, go ahead and release
>   [ ] Broken because of ...
> 
> Thanks,
> 
> Jean-Frederic
> 
> 
> [1]
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-connectors/native/1.2.17/
> [2] https://svn.apache.org/repos/asf/tomcat/native/tags/TOMCAT_NATIVE_1_2_17



[RESULT] [VOTE] Release Apache Tomcat Native 1.2.17

Posted by jean-frederic clere <jf...@gmail.com>.
The following votes were cast:

Binding:
+1: markt, ebourg, remm, rjung, csutherl, jfclere

The vote therefore passes.

Thanks to everyone who contributed to this release.

Cheers

Jean-Frederic
