[ https://issues.apache.org/jira/browse/GUACAMOLE-450?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16273457#comment-16273457 ]
Michael Jumper commented on GUACAMOLE-450:
------------------------------------------
{quote}
Considering the end of life for Apache Tomcat 8.0.x in June 2018 I would
suggest changing the Tomcat version directly to the major 8 branch.
{quote}
The version definitely needs to be updated, and will continually need to be
updated, however I'm wary of pointing to just the major version tag, rather
than a specific known-good version, as this has bitten us in the past. At an
earlier point in the pre-Apache days, the tag was a generic major release tag
(at the time, version 7), but a bug which broke WebSocket was released in
Tomcat which resulted in the Guacamole Docker image entirely not working:
https://github.com/glyptodon/guacamole-docker/commit/1df41e684199d5856d84edd445cbbb1e697658dd
In addition to updating the version number, it would probably be better to
(somehow) parameterize the Dockerfile such that the Tomcat version can be
changed and the image rebuilt, if necessary.
{quote}
(furthermore an automated build up-to-date official guac image with a current
tomcat would be good for everyone.)
{quote}
It could be useful, yes, however I think ASF release policy does not allow such
builds to be intentionally aimed at general consumption. Convenience binaries
for an otherwise entirely source release are allowed, but would need to be
built from the released source as part of the release process:
http://www.apache.org/legal/release-policy.html#compiled-packages
Continuous, automated builds are technically doable, but would need to be made
available only to those that are explicitly made aware that they are not
release binaries and are meant for development use only, which is not the
intent here:
http://www.apache.org/legal/release-policy.html#host-rc
If the concern is that the Docker images may become frequently out of date due
to updates to Tomcat, then the only solutions are for us to be sure to release
more frequently (being sure to update the Tomcat version whenever doing so does
not break things), or for the packaging of the Docker image itself to move
downstream.
> Change Tomcat Version in Dockerfile to major release
> ----------------------------------------------------
>
> Key: GUACAMOLE-450
> URL: https://issues.apache.org/jira/browse/GUACAMOLE-450
> Project: Guacamole
> Issue Type: Improvement
> Components: guacamole-docker
> Affects Versions: 0.9.13-incubating
> Environment: Docker Container
> Reporter: Patrik Heinz
> Priority: Minor
> Labels: security-issue
>
> Currently the Dockerfile specifies the Tomcat version down to the patch level
> (TOMCAT_VERSION=8.0.20), which isn't ideal.
> Tomcat 8.0.20 has by now several major security issues which are fixed in the
> latest release 8.0.47.
> I checked out the current GitHub source and built / (shortly) tested it
> successfully with 8.0 and 8 as version tag, which leads Docker to pull the
> current 8.0.47 and 8.5.23 tomcat images respectively.
> Considering the end of life for Apache Tomcat 8.0.x in June 2018 I would
> suggest changing the Tomcat version directly to the major 8 branch.
> (furthermore an automated build up-to-date official guac image with a
> current tomcat would be good for everyone.)
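The thread weighs a pinned, known-good Tomcat tag against a floating major tag that picks up security fixes. The script below is an added example, not code from the Guacamole project or from either participant: a build-time check that accepts only a full major.minor.patch pin and flags a pin older than the patched release named in the issue. It assumes the Dockerfile declares the tag on a line of the form "ARG TOMCAT_VERSION=<tag>" (or ENV); the function names, the "-jre8" suffix and the sample Dockerfile text are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Guacamole project code): CI gate for a pinned Tomcat tag.
# Assumption: the Dockerfile declares the tag as "ARG TOMCAT_VERSION=<tag>"
# (or ENV); all function names here are hypothetical.

# Policy floor: the patched release named in the issue text.
MIN_TOMCAT=8.0.47

# True only for a full major.minor.patch tag, i.e. a specific pinned release.
is_pinned() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+$'
}

# version_ge A B: true when A >= B; both must already be major.minor.patch.
version_ge() {
    old_ifs=$IFS; IFS=.
    set -- $1 $2            # six fields: a1 a2 a3 b1 b2 b3
    IFS=$old_ifs
    [ "$1" -gt "$4" ] && return 0; [ "$1" -lt "$4" ] && return 1
    [ "$2" -gt "$5" ] && return 0; [ "$2" -lt "$5" ] && return 1
    [ "$3" -ge "$6" ]
}

# Extract the first TOMCAT_VERSION value from Dockerfile text.
tomcat_version_of() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*[A-Z]\{1,\}[[:space:]]\{1,\}TOMCAT_VERSION=\([^[:space:]]*\).*/\1/p' |
        head -n 1
}

# check_pin DOCKERFILE_TEXT [FLOOR] -> ok:<v> | outdated:<v> | floating:<v> | missing
check_pin() {
    v=$(tomcat_version_of "$1")
    floor=${2:-$MIN_TOMCAT}
    if [ -z "$v" ]; then echo "missing"
    elif ! is_pinned "$v"; then echo "floating:$v"
    elif ! version_ge "$v" "$floor"; then echo "outdated:$v"
    else echo "ok:$v"
    fi
}

# Constructed sample input using the version quoted in the issue.
SAMPLE_DOCKERFILE='ARG TOMCAT_VERSION=8.0.20
FROM tomcat:${TOMCAT_VERSION}-jre8'
check_pin "$SAMPLE_DOCKERFILE"
```

Run against a real Dockerfile with check_pin "$(cat Dockerfile)"; raising MIN_TOMCAT at each release keeps the pin specific without letting it fall behind.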