Posted to dev@tomcat.apache.org by Jon Stevens <jo...@latchkey.com> on 2000/07/21 22:09:31 UTC

[PROPOSAL] New build targets for Tomcat

Hey all,

Definitions:
Tomcat - Servlet Engine
Jasper - JSP Engine

These recent security advisories on Bugtraq have me a bit worried. I'm
worried that because of Jasper, people will view Tomcat as being insecure
when it really is not Tomcat's fault. Essentially the crux of the advisories
is that the implementation of JSP that comes with Tomcat is somewhat
security-hole prone; we are now up to 3 or 4 security advisories for Jasper,
and zero for Tomcat itself.

What I would like to do is simply be able to provide people with the ability
to create a copy of Tomcat that does not have *any* support for JSP within
it. This way, people who do not care to use JSP (like myself) can feel
secure that any hole in Jasper will not compromise their servers in any way. I
am ok with the default continuing to be a distribution of Jasper+Tomcat. My
goal here is simply providing options, not removing existing functionality.

I think that this can be done fairly easily with more defined targets in the
Ant build scripts.

My proposal would be to break things up like this:

Build only the necessary files for Tomcat itself:
<target name="compile-tomcat">

Build only the necessary files for JSP:
<target name="compile-jsp">

Package Tomcat for distribution sans JSP:
<target name="package-tomcat">

Package Tomcat for distribution with JSP:
<target name="package-tomcat-jsp">

The current "webapps" target would also be split up:
<target name="webapps-servlets">
<target name="webapps-jsp">

Comments?

-jon


Re: [PROPOSAL] New build targets for Tomcat

Posted by "Pier P. Fumagalli" <pi...@apache.org>.
Danno Ferrin wrote:
> 
> Your true motivation comes out.  Why didn't you give this full
> disclosure in your first response?
> 
> +1 for fixing the BUGTRAQ bugs (the real issue)
> -1 for stripping jasper (the straw man issue)

Are you reading emails to the END??? Jon said clearly that he just wants
the ability to build Tomcat without JSP... :)
I think nobody said that Jasper must be stripped out of Tomcat... :)

	Pier

-- 
------------------------------------------------------------------------
stable structure  erected over water to allow  safe docking of seacrafts
email: pier@betaversion.org   homepage: http://www.betaversion.org/~pier
------------------------------------------------------------------------

Re: [PROPOSAL] New build targets for Tomcat

Posted by Danno Ferrin <sh...@earthlink.net>.
Sorry Jon, I was intending to leave this one alone but I just have to bite
again because this thread should be put in some sociology book about
flaming.  This most recent response you did to one of my responses amounts to
putting words in my mouth.

Let's start out with what you have quoted.  You only quoted what you want
other people to see.  You cut off the following line from my quote (which
did start on the same line and you had to edit to get what you wanted) which
read, and I quote via cut and paste, "Can't we just all get along and work on
those issues?"  I have extended the olive branch and I really feel like you
have ripped it from my hands and started a camp fire so you can have roast
dove for dinner.

But I digress, let's go to the content of your body, particularly the
sentence in all caps.  You make it seem as though I cannot understand what
your request was, which was to make a build configuration without jasper in
the build scripts and possibly with Jakarta distribution as well.  I
validated that that was what you wanted in the message you replied to.
Granted, in my vote e-mail I was so terse in my description of what I was
voting on it appeared as though I did not understand your e-mail.  I
publicly apologize for that, but I must confess for vote lines I will
continue to be terse in the future.  I would request that people please do
not judge my understanding of someone's e-mail based on my vote-line labels.


----- Original Message -----
From: "Jon Stevens" <jo...@latchkey.com>
To: <to...@jakarta.apache.org>
Sent: Saturday, July 22, 2000 7:34 PM
Subject: Re: [PROPOSAL] New build targets for Tomcat


> on 7/22/2000 10:36 AM, "Danno Ferrin" <sh...@earthlink.net> wrote:
>
> > But all of this is straying us from THE REAL ISSUE of the BUGTRAQ things
> > that are providing too much information to the client user that can be
> > useful to compromise the system.
>
> I trust that Apache does not have security holes. The code has been reviewed
> by enough people now that it is pretty well known to be secure.
>
> I do not trust that Jasper has had all the security holes removed.
>
> I trust that the people in this group will fix the issues as they come up.
>
> I would like the OPTION to be able to remove the portion that I do not
> trust.
>
> I NEVER said that I wanted to remove JSP from Tomcat.
>
> I NEVER said that I wanted to distribute Tomcat from jakarta.apache.org
> without JSP.
>
> I know I can, but I DO NOT want to fork the project.
>
> ALL I SAID IS THAT I WOULD LIKE TO PROVIDE OPTIONAL BUILD TARGETS THAT DO
> NOT INCLUDE JSP.
>
> What exactly is so bad about that?
>
> thanks,
>
> -jon
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
>
>


.jsp .JSP source bug (was: [PROPOSAL] New build targets for Tomcat)

Posted by Danno Ferrin <sh...@earthlink.net>.
IIRC I saw a fix go through the CVS list for this; there was some code that
used equalsIgnoreCase against file names for win32 convenience.  Let us know
if you can re-create the bug from a CVS head or tomcat_32 tag build and we
can re-open the bug, but to my knowledge the bug is fixed (and it was
somewhere in a tomcat package).

--Danno

----- Original Message -----
From: "Serge Knystautas" <se...@lokitech.com>
To: <to...@jakarta.apache.org>
Sent: Sunday, July 23, 2000 7:36 AM
Subject: Re: [PROPOSAL] New build targets for Tomcat


> Jon Stevens wrote:
> > I do not trust that Jasper has had all the security holes removed.
>
> I'd like to resubmit my bug (source code of JSPs gets displayed) in
> order to clarify the bug.  (ok, it's not "my" bug, but I think I was the
> first to submit it to the list... I'm not sure who submitted it to
> Bugtraq, or even what/where that is since I've been on vacation for a
> week.)
>
> The problem of JSP source code getting returned is a function of the
> servlet engine's <url-pattern> in web.xml, not anything in the jsp
> compiler or architecture.  The servlet engine needs to be aware that it
> might be running on a case-insensitive operating system, and accordingly
> if there is a *servlet* mapping of jsp to a servlet, it should enforce
> this mapping in a case-insensitive manner.  Other parts of the servlet
> engine have already been made aware of case-insensitivity, for instance,
> you can't access the WEB-INF folder no matter what case combination you
> use.
>
> I really don't want to enter into the foray about what Tomcat is, but
> I'd just like this security bug appropriately filed under the servlet
> engine, not the JSP engine.  Regardless of whether you're using .tea,
> .asp, or whatever files, this is the servlet engine's problem not
> recognizing the Microsoft "feature" at work.  ;)
>
> Serge Knystautas
> Loki Technologies
> http://www.lokitech.com/
>


Re: [PROPOSAL] New build targets for Tomcat

Posted by Serge Knystautas <se...@lokitech.com>.
Jon Stevens wrote:
> I do not trust that Jasper has had all the security holes removed.

I'd like to resubmit my bug (source code of JSPs gets displayed) in
order to clarify the bug.  (ok, it's not "my" bug, but I think I was the
first to submit it to the list... I'm not sure who submitted it to
Bugtraq, or even what/where that is since I've been on vacation for a
week.)

The problem of JSP source code getting returned is a function of the
servlet engine's <url-pattern> in web.xml, not anything in the jsp
compiler or architecture.  The servlet engine needs to be aware that it
might be running on a case-insensitive operating system, and accordingly
if there is a *servlet* mapping of jsp to a servlet, it should enforce
this mapping in a case-insensitive manner.  Other parts of the servlet
engine have already been made aware of case-insensitivity, for instance,
you can't access the WEB-INF folder no matter what case combination you
use.

I really don't want to enter into the foray about what Tomcat is, but
I'd just like this security bug appropriately filed under the servlet
engine, not the JSP engine.  Regardless of whether you're using .tea,
.asp, or whatever files, this is the servlet engine's problem not
recognizing the Microsoft "feature" at work.  ;)

Serge Knystautas
Loki Technologies
http://www.lokitech.com/
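The routing decision Serge describes, modelled as an added Python example (not code from the thread or from Tomcat): a small url-pattern resolver over an in-memory filesystem, with the mapping table and file list constructed for illustration. It shows that the source leak needs both a case-insensitive filesystem and a case-sensitive mapping check, and that folding case in the check (only when the filesystem is case-insensitive) sends FOO.JSP back to the JSP servlet while WEB-INF stays blocked.

```python
"""Model of the .jsp/.JSP source-disclosure bug discussed in the thread.

Constructed example, not Tomcat's code: a tiny servlet-mapping resolver plus an
in-memory "filesystem", used to show why matching <url-pattern> entries
case-sensitively on top of a case-insensitive filesystem hands JSP source to
the default (static file) servlet, and how folding case in the mapping check
closes the hole.
"""


def is_web_inf(path):
    """Reject WEB-INF in any case combination, as the thread says the engine already did."""
    return any(seg.lower() == "web-inf" for seg in path.split("/"))


def resolve_servlet(path, mappings, fold_case):
    """Pick the servlet for a request path using servlet-spec precedence:
    exact match, then longest '/prefix/*' match, then '*.ext' match, else 'default'.
    With fold_case=True every comparison is case-insensitive."""
    norm = str.lower if fold_case else (lambda s: s)
    p = norm(path)
    prefix_servlet, prefix_len = None, -1
    ext_servlet = None
    for pattern, servlet in mappings.items():
        pat = norm(pattern)
        if pat == p:
            return servlet                      # exact match wins outright
        if pat.endswith("/*"):
            base = pat[:-1]                     # "/servlet/*" -> "/servlet/"
            if (p + "/").startswith(base) and len(base) > prefix_len:
                prefix_servlet, prefix_len = servlet, len(base)
        elif pat.startswith("*.") and p.endswith(pat[1:]):
            ext_servlet = servlet               # "*.jsp" -> ends with ".jsp"
    return prefix_servlet or ext_servlet or "default"


def lookup_file(path, files, fs_case_insensitive):
    """Return the stored file the path resolves to, or None.
    On a case-insensitive filesystem '/index.JSP' finds '/index.jsp'."""
    if path in files:
        return path
    if fs_case_insensitive:
        for f in files:
            if f.lower() == path.lower():
                return f
    return None


def serve(path, mappings, files, fs_case_insensitive, fold_mapping_case):
    """What the container does with one request, as a short outcome string."""
    if is_web_inf(path):
        return "403 forbidden"
    servlet = resolve_servlet(path, mappings, fold_mapping_case)
    if servlet != "default":
        return "servlet:" + servlet
    real = lookup_file(path, files, fs_case_insensitive)
    if real is None:
        return "404 not found"
    return "static:" + real                     # default servlet streams the file verbatim


# Constructed deployment: the usual *.jsp mapping, the invoker prefix, some files.
MAPPINGS = {"*.jsp": "jsp", "/servlet/*": "invoker"}
FILES = {"/index.jsp", "/logo.png", "/WEB-INF/web.xml"}


def leak_demo():
    """The same request, /index.JSP, under the configurations the thread contrasts."""
    return {
        # case-insensitive FS + case-sensitive mapping: the reported bug, source is served
        "win32_unfixed": serve("/index.JSP", MAPPINGS, FILES, True, False),
        # same FS, mapping check folds case: request reaches the JSP servlet
        "win32_fixed": serve("/index.JSP", MAPPINGS, FILES, True, True),
        # case-sensitive FS: no such file, nothing to leak (why the bug is Win32-only)
        "unix": serve("/index.JSP", MAPPINGS, FILES, False, False),
        # WEB-INF stays blocked whatever the case
        "web_inf": serve("/web-inf/WEB.XML", MAPPINGS, FILES, True, False),
    }


if __name__ == "__main__":
    for name, outcome in leak_demo().items():
        print(f"{name:14} -> {outcome}")
```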

Security of Tomcat/Jasper (was: [PROPOSAL] New build targets for Tomcat)

Posted by Danno Ferrin <sh...@earthlink.net>.
     I do not see how one can put as much blind trust in Tomcat and not
Jasper security wise.  As code bases they are approximately the same age
and they have been available for security audits and code reviews for the
same amount of time.  Especially so when you consider open source time.

     If you really want code that has been under more security review and
been available for review a longer time then I would pick JServ as the
servlet engine of choice.  In fact on my project at work it has been in the
build for almost a year.  I must confess that is because (a) it continues to
work, (b) until recently the management and engineering have not
considered code from the Jakarta Project production ready, and (c) no one has
taken the effort to replace it with Tomcat (we have so many other features
to add and code to optimize that given (a) alone it has stayed well below
the radar screen.  I hope no-one tells the install guys about web apps).

     Your points about security and the bugtraq issues are very valid.  It
is a great message that has been marred by the delivery.  Even though you
didn't say it in the e-mail explicitly I am going to assume that you feel
security issues should be fixed before we have a final release.  Hence if I
know of any security bugs (particularly bugtraq ones) I will -1 the release
until it is fixed.  Thus whether or not Jasper or Tomcat is the product of
choice, it will be secure.

--Danno

p.s.  If you are ever going to go someplace to take engagement photos make
sure the film is advancing before you pack up and leave.  But the people at
WalMart will develop the roll of film just the same.

----- Original Message -----
From: "Jon Stevens" <jo...@latchkey.com>
To: <to...@jakarta.apache.org>
Sent: Saturday, July 22, 2000 7:34 PM
Subject: Re: [PROPOSAL] New build targets for Tomcat


> on 7/22/2000 10:36 AM, "Danno Ferrin" <sh...@earthlink.net> wrote:
>
> > But all of this is straying us from THE REAL ISSUE of the BUGTRAQ things
> > that are providing too much information to the client user that can be
> > useful to compromise the system.
>
> I trust that Apache does not have security holes. The code has been reviewed
> by enough people now that it is pretty well known to be secure.
>
> I do not trust that Jasper has had all the security holes removed.
>
> I trust that the people in this group will fix the issues as they come up.
>
> I would like the OPTION to be able to remove the portion that I do not
> trust.
>
> I NEVER said that I wanted to remove JSP from Tomcat.
>
> I NEVER said that I wanted to distribute Tomcat from jakarta.apache.org
> without JSP.
>
> I know I can, but I DO NOT want to fork the project.
>
> ALL I SAID IS THAT I WOULD LIKE TO PROVIDE OPTIONAL BUILD TARGETS THAT DO
> NOT INCLUDE JSP.
>
> What exactly is so bad about that?
>
> thanks,
>
> -jon
>
>


Re: [PROPOSAL] New build targets for Tomcat

Posted by Jon Stevens <jo...@latchkey.com>.
on 7/22/2000 10:36 AM, "Danno Ferrin" <sh...@earthlink.net> wrote:

> But all of this is straying us from THE REAL ISSUE of the BUGTRAQ things
> that are providing too much information to the client user that can be
> useful to compromise the system.

I trust that Apache does not have security holes. The code has been reviewed
by enough people now that it is pretty well known to be secure.

I do not trust that Jasper has had all the security holes removed.

I trust that the people in this group will fix the issues as they come up.

I would like the OPTION to be able to remove the portion that I do not
trust.

I NEVER said that I wanted to remove JSP from Tomcat.

I NEVER said that I wanted to distribute Tomcat from jakarta.apache.org
without JSP.

I know I can, but I DO NOT want to fork the project.

ALL I SAID IS THAT I WOULD LIKE TO PROVIDE OPTIONAL BUILD TARGETS THAT DO
NOT INCLUDE JSP.

What exactly is so bad about that?

thanks,

-jon


Re: [PROPOSAL] New build targets for Tomcat

Posted by Danno Ferrin <sh...@earthlink.net>.
My motivation is to make clear headed decisions.  Since my job does not
require me to use JSP and the rest of my time is wrapped up in managing the
details of my personal life I could care less whether Jasper and Tomcat can
be built separately, but your argument sounds like "You want to go to
Disney World and it is in Florida so let's spend our vacation time in Aruba
which is close to Florida." and after someone asks you about Disneyland you
state "I think Florida sucks."

My reasons were given out after the vote.  You brought up a very valid point
that I am afraid is getting missed in the whole JSP/notJSP debate: that
BUGTRAQ has found some security problems.  I would +5 fixing them if a vote
were required (which for something like that a vote should be unnecessary
unless the fix breaks non-speced APIs).  But you go off on a tangent (since
we are flying way far away why not go to Aruba, since it will be warm like
Florida even though it doesn't have an amusement park as big as Disney
World) and then a few mails later say the reason is you want to have a
configuration without Jasper (well I think Florida sucks).  That is what is
generally called a straw man argument, where you present some other topic
(the straw man), provide some reason why your arguments are superior, and
then conclude on some unrelated topic.  If the subject of personal opinion
were left out of it I probably would have left this whole thread alone, but
I don't consider one's personal opinion as a valid reason to force the
community to change, unless that too is the will of the community.  And
Glenn and Anil have also voiced -1s for reasons other than mine.

Seriously though Jon, if having JSP in with tomcat bothers you that bad, the
BSD license allows you to fork off the code base and make your own
distribution of it.  It has happened many times before, in fact Apache started
out as a fork of NCSA.  I am not trying to campaign for a code fork or to
breed discontent, but it is possible to create non-jakarta distributions of
the most recent tomcat stripped of JSP for whatever reason you feel
necessary.

But all of this is straying us from THE REAL ISSUE of the BUGTRAQ things
that are providing too much information to the client user that can be
useful to compromise the system.  Can't we just all get along and work on
those issues?

--Danno

----- Original Message -----
From: "Jon Stevens" <jo...@latchkey.com>
To: <to...@jakarta.apache.org>
Sent: Friday, July 21, 2000 3:23 PM
Subject: Re: [PROPOSAL] New build targets for Tomcat


> on 7/21/2000 2:13 PM, "Danno Ferrin" <sh...@earthlink.net> wrote:
>
> > Your true motivation comes out.
>
> I have been clear from day one that I don't like JSP (I know that I have
> personally told you this multiple times) and my "motivation" with this
> proposal is simply to provide a way to build Tomcat without JSP in it. There
> is nothing wrong (in my eyes) with that and nothing in my emails suggested
> anything different.
>
> My views and intentions and reasons are 100% open. Are yours?
>
> :-)
>
> -jon
>
>


Re: [PROPOSAL] New build targets for Tomcat

Posted by Jon Stevens <jo...@latchkey.com>.
on 7/21/2000 2:13 PM, "Danno Ferrin" <sh...@earthlink.net> wrote:

> Your true motivation comes out.

I have been clear from day one that I don't like JSP (I know that I have
personally told you this multiple times) and my "motivation" with this
proposal is simply to provide a way to build Tomcat without JSP in it. There
is nothing wrong (in my eyes) with that and nothing in my emails suggested
anything different.

My views and intentions and reasons are 100% open. Are yours?

:-)

-jon


Re: [PROPOSAL] New build targets for Tomcat

Posted by Eduardo Pelegri--Llopart <Ed...@eng.sun.com>.
Wow!  What I've been missing by doing a server-side redirect of
tomcat-dev.  I don't want to necessarily restart the thread but since
"Sun people" were mentioned...

It seems to me that there are several different points.

* Doing something due to security issues in jasper.
I do not believe this is a compelling argument.  If there is a bug
we should fix it.

* Making a separate build target without JSP
+1

* Making the build of the Servlet container available without the JSP
container support at jakarta, and if so, in what fashion.

I don't have a real issue with this as long as it is clear what it is,
and we make a real effort to make it very easy for the majority of the
people to find what they are looking for.

* If the build is made available, then with what name

Jasper has not been used for a long time.  For good or for bad nobody
has been making a separation between tomcat and jasper outside of
some "relatively small" set of developers and there are many
references out there to Tomcat.

It already has taken quite a bit of energy to train people that Jakarta
is *NOT* Tomcat (and this requires constant efforts), so I am against
complicating this even further.

I don't have a good suggestion for a name, maybe somebody will.  The
best I can come up with is:

	* Tomcat 4.0 Servlet and JSP engine
	* Jasper JSP compiler
	* Tomcat 4.0 Servlet without Jasper JSP compiler.


	- eduard/o

Re: [PROPOSAL] New build targets for Tomcat

Posted by James Duncan Davidson <du...@x180.com>.
on 7/21/00 5:31 PM, Costin Manolache at costin@eng.sun.com wrote:

> ( I guess I read the mails in the wrong order, Jon's initial email is
> just fine, I still don't understand why we had so many mails for
> something most people agree on )

:) I felt that way last week on another mailing list. :)

.duncan


Re: [PROPOSAL] New build targets for Tomcat

Posted by Costin Manolache <co...@eng.sun.com>.
James Duncan Davidson wrote:

> on 7/21/00 3:20 PM, Costin Manolache at costin@eng.sun.com wrote:
>
> >> Right. Like I said in my original email, I didn't think that this would be
> >> as big of a deal as it has been made into. :-)
> >
> > So you really believed that :-) ???
>
> Actually, I believed it from reading Jon's initial email... It's just a
> target in a build file that modularizes at heart. Ignore intent and look at
> just what it is.

> If people get bent out about that, then please -- go outside for a bit and
> calm down... (The graphics are amazing btw. :)

I was just trying to point out that part of what jon wants is already done
( jasper.jar _is_ already a separate jar), and the other part ( no deps between
tomcat and jasper ) doesn't require a vote - it's one of the current goals
anyway ( looking at the proposal as it is ).

( I guess I read the mails in the wrong order, Jon's initial email is
just fine, I still don't understand why we had so many mails for
something most people agree on )

Costin



Re: [PROPOSAL] New build targets for Tomcat

Posted by James Duncan Davidson <du...@x180.com>.
on 7/21/00 3:20 PM, Costin Manolache at costin@eng.sun.com wrote:

>> Right. Like I said in my original email, I didn't think that this would be
>> as big of a deal as it has been made into. :-)
> 
> So you really believed that :-) ???

Actually, I believed it from reading Jon's initial email... It's just a
target in a build file that modularizes at heart. Ignore intent and look at
just what it is.

If people get bent out about that, then please -- go outside for a bit and
calm down... (The graphics are amazing btw. :)

.duncan


Re: [PROPOSAL] New build targets for Tomcat

Posted by James Duncan Davidson <du...@x180.com>.
on 7/21/00 3:54 PM, Costin Manolache at cmanolache@yahoo.com wrote:

> BTW, as you can see in the current code, having a modular jasper
> is something that most individuals on this list want.
> ( some because they like jasper more than they like tomcat )

OH MY GAWD! THEY HATE TOMCAT! THOSE BASTARDS!!!!!!

----

Ok, for the humor impaired, I was mocking the current thread in reverse. :)
We can all agree to disagree at times. It can cut both ways.. Let's enable
this.

+1 on separate build targets... enable devs to do what they want
+1 on a default combined build of servlets + jsp when you just "build" or
"build dist".

(and I'll be happy to set up that mailing list for flame wars between the
two camps, just like in the ol days where it was vi vs. emacs... :)

.duncan


Re: [PROPOSAL] New build targets for Tomcat

Posted by Costin Manolache <cm...@yahoo.com>.
> > So you really believed that :-) ???
>
> Actually no. So far, I can't think of one single time that I have had to
> deal with Sun on these topics that has been a pleasant experience.

Jon, I guess you are on the wrong list - this is
"tomcat-dev@jakarta.apache.org".  Only individuals here - some
may have jobs at various companies.


> > It's great to see that even if you don't like JSP, you are still willing
> > to help and contribute to it !
>
> Clarification: I am only contributing to making Tomcat better by removing a
> requirement for JSP. :-)

I'm glad that doing that will also make jasper better :-)
A lot of bugs and problems were caused by the deps jasper has
on tomcat.

BTW, as you can see in the current code, having a modular jasper
is something that most individuals on this list want.
( some because they like jasper more than they like tomcat )

Costin





Re: [PROPOSAL] New build targets for Tomcat

Posted by Jon Stevens <jo...@latchkey.com>.
on 7/21/2000 3:20 PM, "Costin Manolache" <co...@eng.sun.com> wrote:

> So you really believed that :-) ???

Actually no. So far, I can't think of one single time that I have had to
deal with Sun on these topics that has been a pleasant experience.

Except:
When James Davidson was in control of things. Things ran smoothly and he has
such a great view on the larger picture of things that it doesn't cloud his
vision.

> Like we don't have enough mails and fires and bugs and problems.
> We are now "probed" with trick questions :-)
> What happens with those who didn't pass the test ?

I wouldn't have to do it if dealing with people at Sun was easier, more
open and less political. You guys at Sun (not necessarily you Costin or
Craig) dig your own holes. :-)

> Feel free to help - modularity is one of the project goals, and this will be
> good for tomcat _and_ jasper ( in fact AFAIK one of the goals of jasper
> is to be useable in other containers, so your work will be very useful for
> jasper too ! ).
> 
> I guess I'm guilty of trying to integrate jasper into tomcat with the
> JspInterceptor, but it's just a simple adapter that can be compiled
> separately. I will continue to work on this because it seems it has
> great performance benefits, but again - it's just a module.
> If you have time to sort out the dependencies that still exist it will
> help me a lot in implementing the JspInterceptor too.

Actually, I'm in favor of the JspInterceptor. I think that is a great thing.
I don't think it is necessary for Tomcat to run though. :-)

> It's great to see that even if you don't like JSP, you are still willing
> to help and contribute to it !

Clarification: I am only contributing to making Tomcat better by removing a
requirement for JSP. :-)

-jon


Re: [PROPOSAL] New build targets for Tomcat

Posted by Costin Manolache <co...@eng.sun.com>.
> > Jon, take a look in the lib directory and you'll see "jasper.jar" and
> > "webserver.jar".
>
> Right. Like I said in my original email, I didn't think that this would be
> as big of a deal as it has been made into. :-)

So you really believed that :-) ???


> > I don't know what else you want, but if having this implemented
> > with 2 build directives is what you want I don't see any problem in
> > adding whatever targets you want. I don't think you need a vote on this,
> > it's just a build.xml file.
>
> I had two motivations here: #1. get approval. I don't think that there is
> anything wrong with that. #2. I wanted to see who would pop up and give a -1
> over such a small issue (especially one that wouldn't even change any
> default behavior).

Like we don't have enough mails and fires and bugs and problems.
We are now "probed" with trick questions :-)
What happens with those who didn't pass the test ?


> > There are code changes you'll need to make ( AFAIK ), but
> > I don't think there is a problem with that either - it'll just
> > make the code more modular.
>
> Wait a second. Are you saying that I can't currently build Tomcat without
> Jasper? I'm not talking about the example/admin code, I'm talking about the
> core of Tomcat. Ok, I think that is messed up and I agree with you, it
> should be made more modular.

Feel free to help - modularity is one of the project goals, and this will be
good for tomcat _and_ jasper ( in fact AFAIK one of the goals of jasper
is to be useable in other containers, so your work will be very useful for
jasper too ! ).

I guess I'm guilty of trying to integrate jasper into tomcat with the
JspInterceptor, but it's just a simple adapter that can be compiled
separately. I will continue to work on this because it seems it has
great performance benefits, but again - it's just a module.
If you have time to sort out the dependencies that still exist it will
help me a lot in implementing the JspInterceptor too.


> > I do think jsp is a very good technology (  better than many
> > other alternatives anyway ), but that has nothing to do
> > with the build.xml file.
>
> Right. It has nothing to do with the original issue at all! My original
> email never even stated that I don't like JSP. I only gave my response to
> someone else's posting asking me directly what my feelings were. :-)

It's great to see that even if you don't like JSP, you are still willing
to help and contribute to it !

Costin


Re: [PROPOSAL] New build targets for Tomcat

Posted by James Duncan Davidson <du...@x180.com>.
on 7/21/00 2:54 PM, Jon Stevens at jon@latchkey.com wrote:

>> Jon, take a look in the lib directory and you'll see "jasper.jar" and
>> "webserver.jar".
> 
> Right. Like I said in my original email, I didn't think that this would be
> as big of a deal as it has been made into. :-)

People are touchy this time of year.. It's time to take a Vacation!!!! :)

> I think that the response that I got from Danny helped clarify a lot of
> things to me. :-)

I didn't see that go by, but then I've been playing with my email set up so
that I'm a bit more up to date on the various places where I'm supposed to
be. :)

> Right. It has nothing to do with the original issue at all! My original
> email never even stated that I don't like JSP. I only gave my response to
> someone else's posting asking me directly what my feelings were. :-)

Let's not descend into the things that people obviously have strong opinions
on and which it's not productive to have a flame war off....

Some people want it
Some people dont.

Servlets are in the stack below JSP and other things can sit on top of it.
If you mandate that JSP have to be everywhere that Servlets are, then
something's not quite right (just like you shouldn't have to take EJBs with
the JDK SE wherever you have the plain ol core JDK.. :) Ok, so that's a bit
more extreme in spectrum, but not *that* much.

.duncan


Apology Re: [PROPOSAL] New build targets for Tomcat

Posted by Jon Stevens <jo...@latchkey.com>.
on 7/21/2000 2:54 PM, "Jon Stevens" <jo...@latchkey.com> wrote:

> I think that the response that I got from Danny helped clarify a lot of
> things to me. :-) Danny, you can't -1 something without a good reason (as
> documented on the jakarta.apache.org website). You didn't even give a reason
> so your -1 really would not have counted.

Ug, I made a big mistake here. Not Danny. It was Danno. I confused the two.

I fully apologize for that to both people.

-jon


Re: [PROPOSAL] New build targets for Tomcat

Posted by Jon Stevens <jo...@latchkey.com>.
on 7/21/2000 2:50 PM, "Costin Manolache" <co...@eng.sun.com> wrote:

> Jon, take a look in the lib directory and you'll see "jasper.jar" and
> "webserver.jar".

Right. Like I said in my original email, I didn't think that this would be
as big of a deal as it has been made into. :-)

> I don't know what else you want, but if having this implemented
> with 2 build directives is what you want I don't see any problem in
> adding whatever targets you want. I don't think you need a vote on this,
> it's just a build.xml file.

I had two motivations here: #1. get approval. I don't think that there is
anything wrong with that. #2. I wanted to see who would pop up and give a -1
over such a small issue (especially one that wouldn't even change any
default behavior). 

I think that the response that I got from Danny helped clarify a lot of
things to me. :-) Danny, you can't -1 something without a good reason (as
documented on the jakarta.apache.org website). You didn't even give a reason
so your -1 really would not have counted.

> There are code changes you'll need to make ( AFAIK ), but
> I don't think there is a problem with that either - it'll just
> make the code more modular.

Wait a second. Are you saying that I can't currently build Tomcat without
Jasper? I'm not talking about the example/admin code, I'm talking about the
core of Tomcat. Ok, I think that is messed up and I agree with you, it
should be made more modular.

> I do think jsp is a very good technology (  better than many
> other alternatives anyway ), but that has nothing to do
> with the build.xml file.

Right. It has nothing to do with the original issue at all! My original
email never even stated that I don't like JSP. I only gave my response to
someone else's posting asking me directly what my feelings were. :-)

thanks,

-jon


Re: [PROPOSAL] New build targets for Tomcat

Posted by Costin Manolache <co...@eng.sun.com>.
> Because I'm not advocating changing anything as a default. I never suggested
> removing support of Jasper from Tomcat. I never suggested "stripping
> jasper". Please go back and actually READ my original proposal.
>
> I'm only advocating adding new build targets (as the subject of this email
> suggests).
>
> Maybe the fact that you guys are afraid that someone else might want to
> actually use Tomcat without Jasper is the larger issue? :-)

Jon, take a look in the lib directory and you'll see "jasper.jar" and
"webserver.jar".

I don't know what else you want, but if having this implemented
with 2 build directives is what you want I don't see any problem in
adding whatever targets you want. I don't think you need a vote on this,
it's just a build.xml file.

There are code changes you'll need to make ( AFAIK ), but
I don't think there is a problem with that either - it'll just
make the code more modular.

I do think jsp is a very good technology (  better than many
other alternatives anyway ), but that has nothing to do
with the build.xml file.

Costin


Re: [PROPOSAL] New build targets for Tomcat

Posted by "Pier P. Fumagalli" <pi...@apache.org>.
Jon Stevens wrote:
> 
> on 7/21/2000 2:13 PM, "Danno Ferrin" <sh...@earthlink.net> wrote:
> 
> > Your true motivation comes out.  Why didn't you give this full
> > disclosure in your first response?
> 
> Because I'm not advocating changing anything as a default. I never suggested
> removing support of Jasper from Tomcat. I never suggested "stripping
> jasper". Please go back and actually READ my original proposal.
> 
> I'm only advocating adding new build targets (as the subject of this email
> suggests).
> 
> Maybe the fact that you guys are afraid that someone else might want to
> actually use Tomcat without Jasper is the larger issue? :-)

And I agree w/ you... :)

	Pier 

-- 
------------------------------------------------------------------------
stable structure  erected over water to allow  safe docking of seacrafts
email: pier@betaversion.org   homepage: http://www.betaversion.org/~pier
------------------------------------------------------------------------

Re: [PROPOSAL] New build targets for Tomcat

Posted by Jon Stevens <jo...@latchkey.com>.
on 7/21/2000 2:13 PM, "Danno Ferrin" <sh...@earthlink.net> wrote:

> Your true motivation comes out.  Why didn't you give this full
> disclosure in your first response?

Because I'm not advocating changing anything as a default. I never suggested
removing support of Jasper from Tomcat. I never suggested "stripping
jasper". Please go back and actually READ my original proposal.

I'm only advocating adding new build targets (as the subject of this email
suggests).

Maybe the fact that you guys are afraid that someone else might want to
actually use Tomcat without Jasper is the larger issue? :-)

-jon


Re: [PROPOSAL] New build targets for Tomcat

Posted by Danno Ferrin <sh...@earthlink.net>.
Your true motivation comes out.  Why didn't you give this full
disclosure in your first response?

+1 for fixing the BUGTRAQ bugs (the real issue)
-1 for stripping jasper (the straw man issue)

Jon Stevens wrote:
> 
> on 7/21/2000 1:47 PM, "phanna@ipass.net" <ph...@ipass.net> wrote:
> 
> > Jon, I don't follow you.  Are you down on JSP in general
> > as a technology, or just the Tomcat implementation of
> > it?
> 
> Yes, I'm down on it as a technology. I think JSP sucks and I think that
> there are better solutions out there. I have expressed my views on various
> different mailing lists over the last couple of years. Maybe I will set up a
> website. :-) <http://www.servlets.com/soapbox/problems-jsp.html> expresses
> some of the same views I have, but I actually don't think it describes them
> quite clearly enough for people to understand everything involved with using
> JSP. I now work with Jason at Collab.Net, so I need to get him to update
> that site. :-)
> 
> What I'm really down on right now is the fact that there have been Bugtraq
> security advisories that point out the error in "Tomcat" vs. the error in
> "Jasper". The latter is where the real error is.
> 
> Of course spending more time trying to fix the holes and evaluate Jasper is
> a good thing. I'm also not advocating removing it from Tomcat as a default
> distribution. I understand that there are people that like it and that is
> fine. Whatever floats your boat is fine with me just as long as I don't have
> to sink with you. :-)
> 
> My POINT is that I personally want to easily have the ability to build a
> version of Tomcat that has absolutely NOTHING related to JSP in it. This
> doesn't require changing any code, it only requires changing a few lines in
> a .xml file. I also think that there are others here that want that as well,
> not only from a security perspective, but from a JSP sucks perspective.
> 
> thanks,
> 
> -jon
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org

Re: [PROPOSAL] New build targets for Tomcat

Posted by Cliff Rowley <cl...@olive.co.uk>.
> Yes, I'm down on it as a technology. I think JSP sucks and I think that
> there are better solutions out there. I have expressed my views on various
> different mailing lists over the last couple of years. Maybe I will setup a
> website. :-) <http://www.servlets.com/soapbox/problems-jsp.html> expresses
> some of the same views I have, but I actually don't think it describes them
> quite clearly enough for people to understand everything involved with using
> JSP. I now work with Jason at Collab.Net, so I need to get him to update
> that site. :-)

I'm just wondering, where is your evaluation of custom tags?  You've
shown in-html java code to be (in your view) not particularly ideal, but
you've not mentioned custom tags anywhere.  Aren't custom tags also part
of the JSP specification?

Cliff Rowley

Software Developer
Olive Systems LTD
http://www.olive.co.uk

Re: [PROPOSAL] New build targets for Tomcat

Posted by James Duncan Davidson <du...@x180.com>.
on 7/21/00 1:59 PM, Jon Stevens at jon@latchkey.com wrote:

> My POINT is that I personally want to easily have the ability to build a
> version of Tomcat that has absolutely NOTHING related to JSP in it. This
> doesn't require changing any code, it only requires changing a few lines in
> a .xml file. I also think that there are others here that want that as well,
> not only from a security perspective, but from a JSP sucks perspective.

Whatever the argument you use -- it sucks, it doesn't, it has security
problems, it doesn't... Keep in mind that Servlets as a technology is always
something that sits underneath JSP -- and other page template engines sit on
top of the servlet spec as well. I can imagine yet a different case where
somebody wants the servlet part, but has a different template engine that
sits on top and they want to make that a part of some product.

Let's break it down into:

    Sometimes you want both
    Sometimes you don't

And provide a way to enable this. Without descending into details of
security or suckiness or whatever. It's a non-productive discussion
otherwise.

.duncan



Re: [PROPOSAL] New build targets for Tomcat

Posted by Jon Stevens <jo...@latchkey.com>.
on 7/21/2000 1:47 PM, "phanna@ipass.net" <ph...@ipass.net> wrote:

> Jon, I don't follow you.  Are you down on JSP in general
> as a technology, or just the Tomcat implementation of
> it?

Yes, I'm down on it as a technology. I think JSP sucks and I think that
there are better solutions out there. I have expressed my views on various
different mailing lists over the last couple of years. Maybe I will set up a
website. :-) <http://www.servlets.com/soapbox/problems-jsp.html> expresses
some of the same views I have, but I actually don't think it describes them
quite clearly enough for people to understand everything involved with using
JSP. I now work with Jason at Collab.Net, so I need to get him to update
that site. :-)

What I'm really down on right now is the fact that there have been Bugtraq
security advisories that point out the error in "Tomcat" vs. the error in
"Jasper". The latter is where the real error is.

Of course spending more time trying to fix the holes and evaluate Jasper is
a good thing. I'm also not advocating removing it from Tomcat as a default
distribution. I understand that there are people that like it and that is
fine. Whatever floats your boat is fine with me just as long as I don't have
to sink with you. :-)

My POINT is that I personally want to easily have the ability to build a
version of Tomcat that has absolutely NOTHING related to JSP in it. This
doesn't require changing any code, it only requires changing a few lines in
a .xml file. I also think that there are others here that want that as well,
not only from a security perspective, but from a JSP sucks perspective.

thanks,

-jon


Re: [PROPOSAL] New build targets for Tomcat

Posted by ph...@ipass.net.
Quoting Jon Stevens <jo...@latchkey.com>:

> on 7/21/2000 1:31 PM, "Hans Bergsten" <ha...@gefionsoftware.com> wrote:
>
> > I don't mind a binary that doesn't include JSP, but the motivation should
> > be that it's a smaller build for people who don't need JSP, not because
> > of security issues in Jasper.
> >
> > If there are bugs and security issues with Jasper (or any part of Tomcat),
> > they need to be fixed, not hidden by stripping down the configuration.
>
> However you want to "market" this concept is fine by me as long as the
> concept gets accepted. :-)
>
> The corollary to what you are saying is: "If Jasper simply went away, there
> wouldn't be any security holes in it." :-)
>
> -jon

Jon, I don't follow you.  Are you down on JSP in general 
as a technology, or just the Tomcat implementation of 
it?

Re: [PROPOSAL] New build targets for Tomcat

Posted by Jon Stevens <jo...@latchkey.com>.
on 7/21/2000 1:31 PM, "Hans Bergsten" <ha...@gefionsoftware.com> wrote:

> I don't mind a binary that doesn't include JSP, but the motivation should
> be that it's a smaller build for people who don't need JSP, not because
> of security issues in Jasper.
> 
> If there are bugs and security issues with Jasper (or any part of Tomcat),
> they need to be fixed, not hidden by stripping down the configuration.

However you want to "market" this concept is fine by me as long as the
concept gets accepted. :-)

The corollary to what you are saying is: "If Jasper simply went away, there
wouldn't be any security holes in it." :-)

-jon


Re: [PROPOSAL] New build targets for Tomcat

Posted by Hans Bergsten <ha...@gefionsoftware.com>.
Jon Stevens wrote:
> 
> Hey all,
> 
> Definitions:
> Tomcat - Servlet Engine
> Jasper - JSP Engine
> 
> These recent security advisories on Bugtraq have me a bit worried. I'm
> worried that because of Jasper, people will view Tomcat as being insecure
> when it really is not Tomcat's fault. Essentially the crux of the advisories
> is that the implementation of JSP that comes with Tomcat is somewhat
> security hole prone, we are now up to 3 or 4 security advisories for Jasper,
> and zero for Tomcat itself.
> 
> What I would like to do is simply be able to provide people with the ability
> to create a copy of Tomcat that does not have *any* support for JSP within
> it. This way, people who do not care to use JSP (like myself) can feel
> secure that any hole in Jasper will not compromise my server in any way. I
> am ok with the default continuing to be a distribution of Jasper+Tomcat. My
> goal here is simply providing options, not removing existing functionality.
> [...]

I don't mind a binary that doesn't include JSP, but the motivation should
be that it's a smaller build for people who don't need JSP, not because
of security issues in Jasper. 

If there are bugs and security issues with Jasper (or any part of Tomcat), 
they need to be fixed, not hidden by stripping down the configuration.

Hans
-- 
Hans Bergsten		hans@gefionsoftware.com
Gefion Software		http://www.gefionsoftware.com

Re: [PROPOSAL] New build targets for Tomcat

Posted by Glenn Nielsen <gl...@voyager.apg.more.net>.
-1 on providing separate builds of tomcat

I thought Tomcat was supposed to be the reference implementation
for the latest servlet _and_ jsp specs.

I don't see where Jasper is inherently any less secure than
the core of Tomcat.

Looking at bugtraq I only found two things referenced.

source.jsp
  Simple, just remove it; a servlet installed by default could just
  as easily have been the source of a 'security' problem.

/admin context
  configure something in web.xml so the default install prevents
  access, then provide instructions on how to configure an admin
  role.  This isn't related to Jasper at all.

Were there any others?

Tomcat 3.2 does have a good start to the answer of security for
both servlets AND jsp, the ability to use the Java SecurityManager
to implement a security policy configured in tomcat.policy.

Glenn



Jon Stevens wrote:
> 
> Hey all,
> 
> Definitions:
> Tomcat - Servlet Engine
> Jasper - JSP Engine
> 
> These recent security advisories on Bugtraq have me a bit worried. I'm
> worried that because of Jasper, people will view Tomcat as being insecure
> when it really is not Tomcat's fault. Essentially the crux of the advisories
> is that the implementation of JSP that comes with Tomcat is somewhat
> security hole prone, we are now up to 3 or 4 security advisories for Jasper,
> and zero for Tomcat itself.
> 
> What I would like to do is simply be able to provide people with the ability
> to create a copy of Tomcat that does not have *any* support for JSP within
> it. This way, people who do not care to use JSP (like myself) can feel
> secure that any hole in Jasper will not compromise my server in any way. I
> am ok with the default continuing to be a distribution of Jasper+Tomcat. My
> goal here is simply providing options, not removing existing functionality.
> 
> I think that this can be done fairly easily with more defined targets in the
> Ant build scripts.
> 
> My proposal would be to break things up like this:
> 
> Build only the necessary files for Tomcat itself:
> <target name="compile-tomcat">
> 
> Build only the necessary files for JSP:
> <target name="compile-jsp">
> 
> Package Tomcat for distribution sans JSP:
> <target name="package-tomcat">
> 
> Package Tomcat for distribution with JSP:
> <target name="package-tomcat-jsp">
> 
> The current "webapps" target would also be split up:
> <target name="webapps-servlets">
> <target name="webapps-jsp">
> 
> Comments?
> 
> -jon
> 

-- 
----------------------------------------------------------------------
Glenn Nielsen             glenn@more.net | /* Spelin donut madder    |
MOREnet System Programming               |  * if iz ina coment.      |
Missouri Research and Education Network  |  */                       |
----------------------------------------------------------------------

Re: [PROPOSAL] New build targets for Tomcat

Posted by Rajiv Mordani <Ra...@eng.sun.com>.
There you go. You already have what you want. Just delete jasper.jar from
your copy and use tomcat. 

- Rajiv

--
:wq

On Fri, 21 Jul 2000, Costin Manolache wrote:

> Jon Stevens wrote:
> 
> > Hey all,
> >
> > Definitions:
> > Tomcat - Servlet Engine
> > Jasper - JSP Engine
> 
> That's the way tomcat is built - jasper is in a separate jar.
> ( the reason is different - jasper should be usable in
> different engines ).
> 
> Regarding security issues - I think the best approach is to
> spend the time and review the policy-based security
> and make sure it is used.
> 
> One big issue would be to make sure jasper.jar gets
> only the minimal set of permissions, and maybe
> keep the small part of code that needs special
> permissions in tomcat.
> 
> Costin
> 
> 
> 
> 
> 
> 


Re: [PROPOSAL] New build targets for Tomcat

Posted by Costin Manolache <co...@eng.sun.com>.
Jon Stevens wrote:

> Hey all,
>
> Definitions:
> Tomcat - Servlet Engine
> Jasper - JSP Engine

That's the way tomcat is built - jasper is in a separate jar.
( the reason is different - jasper should be usable in
different engines ).

Regarding security issues - I think the best approach is to
spend the time and review the policy-based security
and make sure it is used.

One big issue would be to make sure jasper.jar gets
only the minimal set of permissions, and maybe
keep the small part of code that needs special
permissions in tomcat.

Costin
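Costin's suggestion above (give jasper.jar only the minimal set of permissions) and Glenn's earlier note that Tomcat 3.2 can run under the Java SecurityManager with a policy in tomcat.policy can be written out as a policy file like the one below. This is an added example, not the tomcat.policy Tomcat ships; the `${tomcat.home}` property, the lib/, work/ and webapps/ paths, and the exact permission list for Jasper are assumptions to be checked against the real tree and against what Jasper actually touches at runtime.

```text
// Added example, not Tomcat's own tomcat.policy.
// Assumes (not confirmed on the page) that the system property tomcat.home
// is set and that the engine jars live in ${tomcat.home}/lib.

// --- Weak form: one blanket grant covers every jar in lib/, Jasper
// included. A hole in the JSP compiler then runs with the full authority
// of the core servlet engine, so the policy adds nothing for Jasper.
//
// grant codeBase "file:${tomcat.home}/lib/-" {
//     permission java.security.AllPermission;
// };

// --- Least-privilege form: the core keeps its broad grant, jasper.jar is
// named on its own codeBase and gets only what JSP translation needs.
// Java 2 access checks require every protection domain on the call stack
// to hold the permission, so even though the core is all-powerful, any
// action taken while Jasper's frames are on the stack is limited to the
// grant below (unless the core wraps it in AccessController.doPrivileged).

// Core servlet engine (webserver.jar, as listed in lib/ on this thread).
grant codeBase "file:${tomcat.home}/lib/webserver.jar" {
    permission java.security.AllPermission;
};

// Jasper: read JSP sources under webapps/, read/write/delete its own work
// directory for the generated .java/.class files, read the properties it
// needs to find the compiler, and create class loaders for the compiled
// pages. This list is an assumption; refine it by starting Tomcat with
// -Djava.security.debug=access,failure and adding only what is reported
// as denied, never by falling back to AllPermission.
grant codeBase "file:${tomcat.home}/lib/jasper.jar" {
    permission java.io.FilePermission "${tomcat.home}${/}webapps${/}-", "read";
    permission java.io.FilePermission "${tomcat.home}${/}work${/}-", "read,write,delete";
    permission java.util.PropertyPermission "java.*", "read";
    permission java.util.PropertyPermission "tomcat.home", "read";
    permission java.lang.RuntimePermission "createClassLoader";
    permission java.lang.RuntimePermission "getClassLoader";
};

// Web applications (servlets and translated JSPs alike): deliberately
// narrow; a page that needs more should ask for it explicitly.
grant codeBase "file:${tomcat.home}/webapps/-" {
    permission java.util.PropertyPermission "java.version", "read";
};
```

With this split, a defect in the JSP translator is contained to the work and webapps directories instead of the whole host, which addresses the concern behind the thread without removing Jasper from the build.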





Re: [PROPOSAL] New build targets for Tomcat

Posted by Anil Vijendran <ak...@pipedream.org>.
Jon Stevens wrote:

> on 7/21/2000 7:02 PM, "Anil Vijendran" <ak...@pipedream.org> wrote:
>
> > I'm not very religious about this at all. I just think saying Jakarta is about
> > Servlets *and* JSP in one place and then separating them by making different
> > builds to suit random whims and fancies undermines Jakarta.
>
> And I think that Jakarta is larger than just Tomcat + JSP's.

I agree it is larger. I think there's some notional problem here. You always say
things like "Tomcat + JSPs". To me, just saying "Tomcat" includes a
JSP implementation and a Servlet implementation.

> In case you missed it, we are going to combine java.apache.org and
> jakarta.apache.org at some point. This has already been agreed upon by the
> PMC and hasn't happened yet solely for time constraints and volunteers to
> take care of it.

Yep, I've heard about this and we all agreed this is a good idea.


> There will be overlapping technologies and that really is not viewed as a
> bad thing by anyone that I have heard. Let's let the community decide what
> options they choose to use and not force what people at Sun (or previously
> at Sun) think is the best for them down their throats. That is my point of
> also distributing TeaServlet as an option to JSP with Tomcat.

The people at Apache and the people at Sun  originally decided that Tomcat will be
the official ref impl for JSPs _and_ Servlets. If what was agreed upon there needs
to be changed, you should find out what is the best forum to make that happen.

While you're at it, you should also ask yourself if you think Jakarta could be an
incubator for projects that provide functionality similar to (or overlapping with)
Servlets? (Example: an alternative managed server-side object technology.)

In an open-source atmosphere like this I feel bad about having to listen to things
like the people at Sun forcing things down people's throats. It feels like you are
trying to stoke anti-Sun sentiments (to bolster your opinions) in a forum that is
solely focused on providing good software tools and technologies. Now, *that* is
politics. Sigh!


> Jakarta is about providing an incubator for Java technologies for the server
> side until they grow up to become their own projects with their own PMC's
> (ie: tomcat.apache.org). Making this happen is still a little ways off as it
> needs more discussion within the PMC's and member groups, but as far as I
> can tell everyone has agreed the above is what is needed in the long run
> (correct me if I am wrong here).

This is a great idea and I hope we can all work towards making this happen.

--
Peace, Anil +<:-)




Re: [PROPOSAL] New build targets for Tomcat

Posted by Jon Stevens <jo...@latchkey.com>.
on 7/21/2000 7:02 PM, "Anil Vijendran" <ak...@pipedream.org> wrote:

> I'm not very religious about this at all. I just think saying Jakarta is about
> Servlets *and* JSP in one place and then separating them by making different
> builds to suit random whims and fancies undermines Jakarta.

And I think that Jakarta is larger than just Tomcat + JSP's.

In case you missed it, we are going to combine java.apache.org and
jakarta.apache.org at some point. This has already been agreed upon by the
PMC and hasn't happened yet solely for time constraints and volunteers to
take care of it. 

There will be overlapping technologies and that really is not viewed as a
bad thing by anyone that I have heard. Let's let the community decide what
options they choose to use and not force what people at Sun (or previously
at Sun) think is the best for them down their throats. That is my point of
also distributing TeaServlet as an option to JSP with Tomcat.

Here is a quick summary of what we have been discussing on the PMC's and
members lists:

Jakarta is about providing an incubator for Java technologies for the server
side until they grow up to become their own projects with their own PMC's
(ie: tomcat.apache.org). Making this happen is still a little ways off as it
needs more discussion within the PMC's and member groups, but as far as I
can tell everyone has agreed the above is what is needed in the long run
(correct me if I am wrong here).

thanks,

-jon


Re: [PROPOSAL] New build targets for Tomcat

Posted by Anil Vijendran <ak...@pipedream.org>.
Jon Stevens wrote:

> on 7/21/2000 6:41 PM, "Anil Vijendran" <ak...@pipedream.org> wrote:
>
> > Well, *I* just don't see the need for that option or a good reason *from you*.
> > ("I want" is not good enough for me.)
>
> Ok fine, here is my reason. I agree with Sam. :-)

I knew you'd come up with a real good one ;-)

> > +1 on making both Tomcat and Jasper more modular, and furthermore, +1 on
> > any progress towards the goal of making Jasper run on any servlet engine
> > that conforms to the interfaces defined in jakarta-servletapi.
> >
> > For further background purposes: at the moment, IBM's WebSphere can not be
> > separated from its implementation of the servlet specification.  For
> > various reasons, including release cycles and customer input, there may be
> > periods where the latest release of WebSphere does not implement the latest
> > specification.  As I indicated, WebSphere customers can't replace the
> > servlet engine, but this need not be the case for the JSP implementation.
> >
> > - Sam Ruby

I haven't seen Sam say he wants separate Tomcat + Tomcat w JSP builds. Sam?

> :-)
>
> btw, Anil, you are the only one who is expressing a -1 at this point.

I wonder if you read threads generated by you fully yourself. Danno, Glenn and
I have expressed -1s.

I'm not very religious about this at all. I just think saying Jakarta is about
Servlets *and* JSP in one place and then separating them by making different builds
to suit random whims and fancies undermines Jakarta.

Ultimately, I'm sure I can be convinced; it's just that your reasons don't hold much
water: things like there's more people with +1s in the herd are useless. (Besides,
I can see those +1s too.)

--
Peace, Anil +<:-)




Re: [PROPOSAL] New build targets for Tomcat

Posted by Jon Stevens <jo...@latchkey.com>.
on 7/21/2000 6:41 PM, "Anil Vijendran" <ak...@pipedream.org> wrote:

> Well, *I* just don't see the need for that option or a good reason *from you*.
> ("I want" is not good enough for me.)

Ok fine, here is my reason. I agree with Sam. :-)

> +1 on making both Tomcat and Jasper more modular, and furthermore, +1 on
> any progress towards the goal of making Jasper run on any servlet engine
> that conforms to the interfaces defined in jakarta-servletapi.
> 
> For further background purposes: at the moment, IBM's WebSphere can not be
> separated from its implementation of the servlet specification.  For
> various reasons, including release cycles and customer input, there may be
> periods where the latest release of WebSphere does not implement the latest
> specification.  As I indicated, WebSphere customers can't replace the
> servlet engine, but this need not be the case for the JSP implementation.
> 
> - Sam Ruby

:-)

btw, Anil, you are the only one who is expressing a -1 at this point.

-jon


Re: [PROPOSAL] New build targets for Tomcat

Posted by Anil Vijendran <ak...@pipedream.org>.
Jon Stevens wrote:

> on 7/21/2000 6:30 PM, "Anil Vijendran" <ak...@pipedream.org> wrote:
>
> > Then, why don't you just write some personal ~jon/bin/strip-jasper-from-tomcat
> > script? Or have tomcat - jsp builds on your website? Or whatever....
>
> Because I want that code option as part of the distribution. That is the
> point of the original proposal.

Well, *I* just don't see the need for that option or a good reason *from you*. ("I
want" is not good enough for me.)


--
Peace, Anil +<:-)




Re: [PROPOSAL] New build targets for Tomcat

Posted by Jon Stevens <jo...@latchkey.com>.
on 7/21/2000 6:30 PM, "Anil Vijendran" <ak...@pipedream.org> wrote:

> Then, why don't you just write some personal ~jon/bin/strip-jasper-from-tomcat
> script? Or have tomcat - jsp builds on your website? Or whatever....

Because I want that code option as part of the distribution. That is the
point of the original proposal.

-jon


Re: [PROPOSAL] New build targets for Tomcat

Posted by Anil Vijendran <ak...@pipedream.org>.
Jon Stevens wrote:

> on 7/21/2000 6:12 PM, "Anil Vijendran" <An...@eng.sun.com> wrote:
>
> > Yeah, sure, I saw your other targets in the original mail. I just haven't
> > heard your reason about why making a distinction between compile/package-tomcat
> > and compile-package/-tomcat-jsp is needed.
> >
> > Tomcat as I see it is *the* RI for both Servlets and JSP. I haven't heard from
> > you anything worthwhile about why that needs to change.
>
> Because I don't want to have JSP in my distribution of Tomcat. :-)

Then, why don't you just write some personal ~jon/bin/strip-jasper-from-tomcat
script? Or have tomcat - jsp builds on your website? Or whatever....

I'm sure you could've done that in the time you spent mailing flames :-) Hmmm...
who am I to question that. Maybe you just like flames :-)


--
Peace, Anil +<:-)




Re: [PROPOSAL] New build targets for Tomcat

Posted by Jon Stevens <jo...@latchkey.com>.
on 7/21/2000 6:12 PM, "Anil Vijendran" <An...@eng.sun.com> wrote:

> Yeah, sure, I saw your other targets in the original mail. I just haven't
> heard your reason about why making a distinction between compile/package-tomcat
> and compile-package/-tomcat-jsp is needed.
> 
> Tomcat as I see it is *the* RI for both Servlets and JSP. I haven't heard from
> you anything worthwhile about why that needs to change.

Because I don't want to have JSP in my distribution of Tomcat. :-)

-jon


Re: [PROPOSAL] New build targets for Tomcat

Posted by Anil Vijendran <An...@eng.sun.com>.
Jon Stevens wrote:

> on 7/21/2000 5:55 PM, "Anil Vijendran" <ak...@pipedream.org> wrote:
>
> > ok, -1 on having a build without JSP.
>
> Why? You can't -1 something without a detailed reason.

You can't propose something without a better reason. (I don't agree with your
original one. There have been security issues with Servlets, JSP, Unix, Windows
and so on... the security bugs in those components were fixed, not create
builds/releases without one component or the other)

> > Make a better case for it.... not
> > security bugs in Jasper. There are/have been security bugs that have nothing
> > to do with Jasper.
>
> I made a few cases for the addition of additional build targets. Read all
> the emails.

Yeah, sure, I saw your other targets in the original mail. I just haven't heard
your reason about why making a distinction between compile/package-tomcat and
compile-package/-tomcat-jsp is needed.

Tomcat as I see it is *the* RI for both Servlets and JSP. I haven't heard from
you anything worthwhile about why that needs to change.


--
Peace, Anil +<:-)




Re: [PROPOSAL] New build targets for Tomcat

Posted by Jon Stevens <jo...@latchkey.com>.
on 7/21/2000 5:55 PM, "Anil Vijendran" <ak...@pipedream.org> wrote:

> ok, -1 on having a build without JSP.

Why? You can't -1 something without a detailed reason.

> Make a better case for it.... not
> security bugs in Jasper. There are/have been security bugs that have nothing
> to do with Jasper.

I made a few cases for the addition of additional build targets. Read all
the emails.

-jon


Re: [PROPOSAL] New build targets for Tomcat

Posted by Anil Vijendran <ak...@pipedream.org>.
Jon Stevens wrote:

> on 7/21/2000 5:29 PM, "Anil Vijendran" <An...@eng.sun.com> wrote:
>
> > -1 on removing JSP.
>
> That wasn't part of my proposal.

ok, -1 on having a build without JSP. Make a better case for it.... not
security bugs in Jasper. There are/have been security bugs that have nothing
to do with Jasper.


--
Peace, Anil +<:-)




Re: [PROPOSAL] New build targets for Tomcat

Posted by Jon Stevens <jo...@latchkey.com>.
on 7/21/2000 5:29 PM, "Anil Vijendran" <An...@eng.sun.com> wrote:

> -1 on removing JSP.

That wasn't part of my proposal.

-jon


Re: [PROPOSAL] New build targets for Tomcat

Posted by Anil Vijendran <An...@eng.sun.com>.
-1 on removing JSP.
+1 on fixing the bug in Jasper.

JSP is as much part of the Jakarta project mission as Java Servlets are. Do you
want to change that? And why? 'Cos there is a security bug in Jasper?

A bug in the implementation -- whatever it is -- is just that. That can be
fixed, no problem. Try and contribute a fix if you can....

No need to get all personal (your other mails) and try to push your "JSP sucks"
agenda like this. Let the market decide which sucks and which doesn't.

Jon Stevens wrote:

> Hey all,
>
> Definitions:
> Tomcat - Servlet Engine
> Jasper - JSP Engine
>
> These recent security advisories on Bugtraq have me a bit worried. I'm
> worried that because of Jasper, people will view Tomcat as being insecure
> when it really is not Tomcat's fault. Essentially the crux of the advisories
> is that the implementation of JSP that comes with Tomcat is somewhat
> security hole prone, we are now up to 3 or 4 security advisories for Jasper,
> and zero for Tomcat itself.
>
> What I would like to do is simply be able to provide people with the ability
> to create a copy of Tomcat that does not have *any* support for JSP within
> it. This way, people who do not care to use JSP (like myself) can feel
> secure that any hole in Jasper will not compromise my server in any way. I
> am ok with the default continuing to be a distribution of Jasper+Tomcat. My
> goal here is simply providing options, not removing existing functionality.
>
> I think that this can be done fairly easily with more defined targets in the
> Ant build scripts.
>
> My proposal would be to break things up like this:
>
> Build only the necessary files for Tomcat itself:
> <target name="compile-tomcat">
>
> Build only the necessary files for JSP:
> <target name="compile-jsp">
>
> Package Tomcat for distribution sans JSP:
> <target name="package-tomcat">
>
> Package Tomcat for distribution with JSP:
> <target name="package-tomcat-jsp">
>
> The current "webapps" target would also be split up:
> <target name="webapps-servlets">
> <target name="webapps-jsp">
>
> Comments?
>
> -jon
>

--
Peace, Anil +<:-)




Re: [PROPOSAL] New build targets for Tomcat

Posted by Rajiv Mordani <Ra...@eng.sun.com>.
The basic definition below I think is wrong... IMHO definition for 

Tomcat - servlet + jsp engine.. ;).

You should refer to the servlet engine as something else below.... 

- Rajiv

--
:wq

On Fri, 21 Jul 2000, Jon Stevens wrote:

> Hey all,
> 
> Definitions:
> Tomcat - Servlet Engine
> Jasper - JSP Engine
> 
> These recent security advisories on Bugtraq have me a bit worried. I'm
> worried that because of Jasper, people will view Tomcat as being insecure
> when it really is not Tomcat's fault. Essentially the crux of the advisories
> is that the implementation of JSP that comes with Tomcat is somewhat
> security hole prone, we are now up to 3 or 4 security advisories for Jasper,
> and zero for Tomcat itself.
> 
> What I would like to do is simply be able to provide people with the ability
> to create a copy of Tomcat that does not have *any* support for JSP within
> it. This way, people who do not care to use JSP (like myself) can feel
> secure that any hole in Jasper will not compromise my server in any way. I
> am ok with the default continuing to be a distribution of Jasper+Tomcat. My
> goal here is simply providing options, not removing existing functionality.
> 
> I think that this can be done fairly easily with more defined targets in the
> Ant build scripts.
> 
> My proposal would be to break things up like this:
> 
> Build only the necessary files for Tomcat itself:
> <target name="compile-tomcat">
> 
> Build only the necessary files for JSP:
> <target name="compile-jsp">
> 
> Package Tomcat for distribution sans JSP:
> <target name="package-tomcat">
> 
> Package Tomcat for distribution with JSP:
> <target name="package-tomcat-jsp">
> 
> The current "webapps" target would also be split up:
> <target name="webapps-servlets">
> <target name="webapps-jsp">
> 
> Comments?
> 
> -jon
> 
> 