I was just looking into updating Tomcat for the Geronimo 2.1 release
with an eye toward getting a fix integrated for the Webdav servlet
security issue.
There are 3 possible approaches:
1) Apply the Webdav patch to the 6.0.13 image with the annotation
changes and one other minor change (basically our current 6.0.13_G543818
build plus the Webdav fix). Check this into our private repository in
trunk.
2) Check out 6.0.14, apply the Webdav patch and annotation changes.
Check this into our private repository in trunk.
3) Check out Tomcat trunk (6.0.x), which already includes the Webdav patch
but not the annotation changes. Apply the annotation changes for our
private build and check it into our repository in trunk.
I personally think #2 is probably best although it might expose some
other issues in Tomcat. We could always fall back to #1 if necessary.
There was an attempt made at a Tomcat 6.0.15 a few weeks back but it
failed due to some context and TCK issues ... hence my reservations with
6.0.x since it probably has those same issues.
Does anybody have any concerns with this approach or any better suggestions?
Joe