Re: using cocoon 2.1 in the long-term, security concerns

2021-07-19 Thread Christopher Schultz 

Vincent,

On 7/19/21 08:03, Vincent Neyt wrote:

Hi Cocoon users,

I'd like to ask your opinion on the long-term security risks of running 
Cocoon on a server. The colleague responsible for the servers at my 
university is inquiring if the software I'm using for my website is up 
to date and is concerned that I'm using outdated software that could in 
the future pose a security risk.


I'm using cocoon 2.1.11, which I could probably upgrade to 2.1.13 
without many problems. But I'm concerned about the long-term, and 
wondering if it would perhaps be better to reprogram the website I've 
been working on for 10 years into eXist DB (which would be a huge time 
investment). I like cocoon very much and would love to continue using it 
if it's possible.


I'm curious to hear your thoughts about using Cocoon 2.1 for the long 
term: will it still work well inside future versions of servlet 
containers like Tomcat? What about the java dependencies? And will 
cocoon 2.1 continue to put out updates when security risks are identified?


I, like you, have been running Cocoon 2.1.x for years and would like to 
continue to rely on it for some important functions at $work.


I don't see any reason it wouldn't run on current and future Tomcat 
versions. There are a few "current" versions of Tomcat, and the only one 
I would expect to have some issues would be the Tomcat 10.x series, 
which implement the "Jakarta EE" specifications instead of the "Java EE" 
specifications. For the most part, these specifications are simply 
package-renamed versions of the original Java EE specs. So, for example, 
javax.servlet.whatever becomes jakarta.servlet.whatever and so on.


Tomcat has a migration tool which can migrate a binary web application 
(e.g. WAR file) from Java EE to Jakarta EE. It would be good to know if 
that tool works on a webapp which is Cocoon itself and/or 
Cocoon-bundled-with-your-application.


I'm a Tomcat committer and if there are any problems, we could work 
together to make sure Cocoon has plenty of life left in it.


With the semi-recent release of Cocoon 2.2, are there members of the 
community who would be interested in converting the project into a 
Jakarta EE-based project? There is no particular rush, and most of the 
conversion can be done essentially with a single sed script. But working 
that into the build process so you can say "build me a Java EE-based 
Cocoon" versus "build me a Jakarta EE-based Cocoon" would be really 
beneficial moving into the future.


[As a Cocoon user, I'd love to know what is necessary to upgrade from 
Cocoon 2.1 to 2.2. We have an ant-based build process for our 
application which starts with a pre-built cocoon.war and customizes it 
with everything we need. So if e.g. Maven can build Cocoon into a WAR 
file, I might be all set.]


-chris

-
To unsubscribe, e-mail: users-unsubscr...@cocoon.apache.org
For additional commands, e-mail: users-h...@cocoon.apache.org

Re: using cocoon 2.1 in the long-term, security concerns

2021-07-19 Thread gelo1234 
Hello Vincent,

It depends on your future Strategy. Cocoon is very flexible. We've been
running Cocoon 3.0-beta in production with Tomcat9/10, Quarkus and even
Kubernetes 1.20 etc. No problems at all :)
with Java 8 :) We cannot switch to Java 11, because it's not compatible
with Cocoon libraries anymore :( That's the only obstacle.
Maybe someone could "update" cocoon stack to use Java 11 LTS JVM? Or now 17
LTS? :)

As long as it does its job, Cocoon is fine! Although the amount of
pipelines that are still in use in our Cocoon deployments decreased in
time.
We switched to Vue.js framework as frontend and Spring-Boot 2 as backend
technologies, all running on Kubernetes multi-clusters.
Both Vue and Spring-Boot 2 are very lightweight and suit our needs better
(to build Web-Portals) than Cocoon. Even though we still use Cocoon for
some integration stuff and fast
proxy/gateway to many "old" services or database access.

Greetings,
Greg


pon., 19 lip 2021 o 14:03 Vincent Neyt  napisał(a):

> Hi Cocoon users,
>
> I'd like to ask your opinion on the long-term security risks of running
> Cocoon on a server. The colleague responsible for the servers at my
> university is inquiring if the software I'm using for my website is up to
> date and is concerned that I'm using outdated software that could in the
> future pose a security risk.
>
> I'm using cocoon 2.1.11, which I could probably upgrade to 2.1.13 without
> many problems. But I'm concerned about the long-term, and wondering if it
> would perhaps be better to reprogram the website I've been working on for
> 10 years into eXist DB (which would be a huge time investment). I like
> cocoon very much and would love to continue using it if it's possible.
>
> I'm curious to hear your thoughts about using Cocoon 2.1 for the long
> term: will it still work well inside future versions of servlet containers
> like Tomcat? What about the java dependencies? And will cocoon 2.1 continue
> to put out updates when security risks are identified?
>
> thanks very much,
> Vincent
>

Re: using cocoon 2.1 in the long-term, security concerns

2021-07-19 Thread Cédric Damioli 

Hi,

Not only Tomcat, but each and every dependency your particular project uses.
As of today, Cocoon 2.1 works well in a Java 11+/Tomcat 9+ environment, 
with all dependencies upgraded.


Cocoon 2.1.13 itself contained a fix for a security-related issue, but 
in the past years, there wasn't many security issues targeting Cocoon core.


HTH,
Regards,
Cédric

Le 19/07/2021 à 14:05, warrell harries a écrit :

The Tomcat version must be updated to address these concerns.

That should do it

On Mon, 19 Jul 2021, 13:03 Vincent Neyt, > wrote:


Hi Cocoon users,

I'd like to ask your opinion on the long-term security risks of
running Cocoon on a server. The colleague responsible for the
servers at my university is inquiring if the software I'm using
for my website is up to date and is concerned that I'm using
outdated software that could in the future pose a security risk.

I'm using cocoon 2.1.11, which I could probably upgrade to 2.1.13
without many problems. But I'm concerned about the long-term, and
wondering if it would perhaps be better to reprogram the website
I've been working on for 10 years into eXist DB (which would be a
huge time investment). I like cocoon very much and would love to
continue using it if it's possible.

I'm curious to hear your thoughts about using Cocoon 2.1 for the
long term: will it still work well inside future versions of
servlet containers like Tomcat? What about the java dependencies?
And will cocoon 2.1 continue to put out updates when security
risks are identified?

thanks very much,
Vincent



--
Cédric Damioli
CMS - Java - Open Source
www.ametys.org

Re: using cocoon 2.1 in the long-term, security concerns

2021-07-19 Thread warrell harries 
The Tomcat version must be updated to address these concerns.

That should do it

On Mon, 19 Jul 2021, 13:03 Vincent Neyt,  wrote:

> Hi Cocoon users,
>
> I'd like to ask your opinion on the long-term security risks of running
> Cocoon on a server. The colleague responsible for the servers at my
> university is inquiring if the software I'm using for my website is up to
> date and is concerned that I'm using outdated software that could in the
> future pose a security risk.
>
> I'm using cocoon 2.1.11, which I could probably upgrade to 2.1.13 without
> many problems. But I'm concerned about the long-term, and wondering if it
> would perhaps be better to reprogram the website I've been working on for
> 10 years into eXist DB (which would be a huge time investment). I like
> cocoon very much and would love to continue using it if it's possible.
>
> I'm curious to hear your thoughts about using Cocoon 2.1 for the long
> term: will it still work well inside future versions of servlet containers
> like Tomcat? What about the java dependencies? And will cocoon 2.1 continue
> to put out updates when security risks are identified?
>
> thanks very much,
> Vincent
>

using cocoon 2.1 in the long-term, security concerns

2021-07-19 Thread Vincent Neyt 
Hi Cocoon users,

I'd like to ask your opinion on the long-term security risks of running
Cocoon on a server. The colleague responsible for the servers at my
university is inquiring if the software I'm using for my website is up to
date and is concerned that I'm using outdated software that could in the
future pose a security risk.

I'm using cocoon 2.1.11, which I could probably upgrade to 2.1.13 without
many problems. But I'm concerned about the long-term, and wondering if it
would perhaps be better to reprogram the website I've been working on for
10 years into eXist DB (which would be a huge time investment). I like
cocoon very much and would love to continue using it if it's possible.

I'm curious to hear your thoughts about using Cocoon 2.1 for the long term:
will it still work well inside future versions of servlet containers like
Tomcat? What about the java dependencies? And will cocoon 2.1 continue to
put out updates when security risks are identified?

thanks very much,
Vincent