Can i use tomcat 9.0.x version in production

[s v n trimurthulu <sv...@gmail.com>]

Hello There,

At present we are using 7.0.x in our production environment. As we have
received few CVE alerts we wanted to migrate it to latest version 9.0.x.
But when i see the status of the 9.0.x release it is showing "Stable = No".
So i request you to suggest me whether i  can use the latest version(9.0.1)
of tomcat in production or not. Thanks in advance.

[image: Inline image 1]



Regards,
Murthy

Re: Can i use tomcat 9.0.x version in production

[s v n trimurthulu <sv...@gmail.com>]

Thanks Mark and Christopher

On Wed, Oct 4, 2017 at 6:12 AM, Christopher Schultz <
chris@christopherschultz.net> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Murthy,
>
> On 10/3/17 7:38 AM, s v n trimurthulu wrote:
> > At present we are using 7.0.x in our production environment. As we
> > have received few CVE alerts we wanted to migrate it to latest
> > version 9.0.x. But when i see the status of the 9.0.x release it is
> > showing "Stable = No". So i request you to suggest me whether i
> > can use the latest version(9.0.1) of tomcat in production or not.
> > Thanks in advance.
>
> I'd recommend moving towards Tomcat 8.5 (after extensive testing in an
> appropriate environment). There are very few differences between 8.5
> and 9.0 (other than Servlet Spec changes) and so moving from 8.5 ->
> 9.0 in the future should be fairly easy.
>
> Tomcat 8.5 *is* currently considered production-ready.
>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQJRBAEBCAA7FiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlnULoIdHGNocmlzQGNo
> cmlzdG9waGVyc2NodWx0ei5uZXQACgkQHPApP6U8pFhEWw//bpMgdIQCx11yDxUZ
> a1TxW8C3jqzKrTJdF1qbWmlZRIVt0kL8gryU8YGtPEP2Ge0c7uf6uqIIwsSJAPKO
> VoJhHwXe9lQWjZL4EUxzK9w+uU77Kl/C4kroojz2PiNS2CTeYOcrw6dfTmFdAMhY
> KAHMnl6oxp/mwf2s5DW9E7XZ/E+6Y+Ovr1gNIZ5u0qZHSRDJhimsfiTQfaQ2JnuS
> hORk/M1toaatDX0YiMXdyXIsWjDN4i+GpUvmIZheOP2SZauvyBCcCsL+OEEfWWSL
> lFvJHCLBkGxGzjN9lIIISi/EYnhZa2xhPpGpr9UjbDLIip898nB/5JBPEgVaBfvu
> lcCIzYJhfQpAwj2R0huY0P5NS0z1fUwnrhHntJpN0B/wXkkaBBuBc011MGl+1V0w
> 5GGGrPUhgHKxumWxR+VUn4ZUWL4jvg6V3lGx5i/GY0M4wjjlpZCIGBP+6Cg+CFD4
> zhYQOre3IAFnb+CmJZhTXpp2kjjjgrDUcHLyjLWvcdl8JFLsBmWIqOvPBZvAbjN3
> zWYg/GOis/obJ7quBlL/z0E2E2RI0yacuQ5sxO1z6HPbMFaQ9OIAjY0yEFZG+qlo
> MuMVnckGpdiDdE+StUZcUHExpX+PXONL6VmT55m8lOrMjvQK5w/qtb5NPkgWM+ZO
> Ys4yaxBShFtkVdAOlOAzYKGtmAs=
> =7W8F
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

Re: Can i use tomcat 9.0.x version in production

[Christopher Schultz <ch...@christopherschultz.net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Murthy,

On 10/3/17 7:38 AM, s v n trimurthulu wrote:
> At present we are using 7.0.x in our production environment. As we
> have received few CVE alerts we wanted to migrate it to latest
> version 9.0.x. But when i see the status of the 9.0.x release it is
> showing "Stable = No". So i request you to suggest me whether i
> can use the latest version(9.0.1) of tomcat in production or not.
> Thanks in advance.

I'd recommend moving towards Tomcat 8.5 (after extensive testing in an
appropriate environment). There are very few differences between 8.5
and 9.0 (other than Servlet Spec changes) and so moving from 8.5 ->
9.0 in the future should be fairly easy.

Tomcat 8.5 *is* currently considered production-ready.

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQJRBAEBCAA7FiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlnULoIdHGNocmlzQGNo
cmlzdG9waGVyc2NodWx0ei5uZXQACgkQHPApP6U8pFhEWw//bpMgdIQCx11yDxUZ
a1TxW8C3jqzKrTJdF1qbWmlZRIVt0kL8gryU8YGtPEP2Ge0c7uf6uqIIwsSJAPKO
VoJhHwXe9lQWjZL4EUxzK9w+uU77Kl/C4kroojz2PiNS2CTeYOcrw6dfTmFdAMhY
KAHMnl6oxp/mwf2s5DW9E7XZ/E+6Y+Ovr1gNIZ5u0qZHSRDJhimsfiTQfaQ2JnuS
hORk/M1toaatDX0YiMXdyXIsWjDN4i+GpUvmIZheOP2SZauvyBCcCsL+OEEfWWSL
lFvJHCLBkGxGzjN9lIIISi/EYnhZa2xhPpGpr9UjbDLIip898nB/5JBPEgVaBfvu
lcCIzYJhfQpAwj2R0huY0P5NS0z1fUwnrhHntJpN0B/wXkkaBBuBc011MGl+1V0w
5GGGrPUhgHKxumWxR+VUn4ZUWL4jvg6V3lGx5i/GY0M4wjjlpZCIGBP+6Cg+CFD4
zhYQOre3IAFnb+CmJZhTXpp2kjjjgrDUcHLyjLWvcdl8JFLsBmWIqOvPBZvAbjN3
zWYg/GOis/obJ7quBlL/z0E2E2RI0yacuQ5sxO1z6HPbMFaQ9OIAjY0yEFZG+qlo
MuMVnckGpdiDdE+StUZcUHExpX+PXONL6VmT55m8lOrMjvQK5w/qtb5NPkgWM+ZO
Ys4yaxBShFtkVdAOlOAzYKGtmAs=
=7W8F
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: Can i use tomcat 9.0.x version in production

[Mark Thomas <ma...@apache.org>]

On 03/10/17 12:38, s v n trimurthulu wrote:
> Hello There,
> 
> At present we are using 7.0.x in our production environment. As we have
> received few CVE alerts we wanted to migrate it to latest version 9.0.x.

I'm not sure if you look at the vulnerability data for the last 12
months that the evidence is there to support that conclusion.

> But when i see the status of the 9.0.x release it is showing "Stable =
> No". So i request you to suggest me whether i  can use the latest
> version(9.0.1) of tomcat in production or not. Thanks in advance.

What you use in production is entirely up to you.

The Tomcat community isn't yet ready to recommend using 9.0.x in
production. How quickly the community is ready to make that
recommendation will depend on the feedback we get on the beta releases.

I'd suggest that you start testing 9.0.x, report and bugs you find and
plan to move to 9.0.x once those bugs have been fixed and the Tomcat
community has declared 9.0.x stable.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org