Great answer!

But something puzzles me: unless I have missed something, for years
with TomEE versions before TomEE 9, I have seen web applications
relying on very old Java EE specifications running fine; for example
Java EE 6 ones running with TomEE 8, and quite many still at Java EE 7
running also with TomEE 8.

But the current discussion mentioning the breaking change in Servlet 6
vs. Servlet 5 makes me worry: will it still be possible to run
Jakarta EE 9 web apps using TomEE 10?

(crossing fingers, hoping that the answer will be "yes")

Alex

On Fri, 29 Mar 2024 at 16:36, Frank Jung
<kamin.feuer.2...@gmx.de.invalid> wrote:
>
> Great discussion!
>
> For me it would make sense to stay with (1) until we have the first release 
> of TomEE 10.x and then depending on the state of that release make a new 
> decision on 9.x.
>
> As I suspect (2) doesn't help very much since it would add more effort than 
> it saves: instead of backporting CVEs from Tomcat 10.1 to 10.0 we would have 
> to re-integrate the Servlet 5 stuff in every 10.1 release.
>
> Frankie
> > -----Original Message-----
> > From: Richard Zowalla <r...@apache.org>
> > Sent: Friday, 29 March 2024 12:38
> > To: dev@tomee.apache.org
> > Subject: [DISCUSS] TomEE 9.1.x and it's crippling dependency on EOL Tomcat
> > 10.0.27 - Thoughts?
> >
> > Hi all,
> >
> > I want to bring to your attention that we recently had some discussion
> > around our current strategy of backporting CVE-related fixes to TomEE 9.1.x
> > [1].
> >
> > We are in a situation, in which the Tomcat community has decided to stop
> > Tomcat 10.0.x (Servlet 5) work and only support Tomcat 9, 10.1 (Servlet 6)
> > and onwards. Therefore, we do not get any bug fixes, improvements and
> > need to manually backport potential security fixes; we are actually in a
> > fight we cannot really win.
> >
> > A few might ask, why we can't just upgrade to Tomcat 10.1.x with TomEE
> > 9.1.x. The answer is simple: TomEE 9.1.x targets EE9.1, which requires us to
> > stay in line with Servlet 5.
> >
> > The bad thing is, that between Servlet 5 and Servlet 6, a few methods got
> > removed making it backwards incompatible with Servlet 5.
> >
> > So what are our options? From my pov, I can imagine the following:
> >
> > (1) Continue to backport CVE fixes and miss out on important bug fixes,
> > improvements and stuff.
> >
> > (2) Fork Tomcat from 10.1.x and re-add the dropped methods (from Servlet
> > 5) in order to stay up-2-date and remaining Servlet 5 compatible (Tomcat
> > community won't do that, see [2]). Romain posted the actual diff here: [3].
> > Downside is, that we might break the TCK signature test with this
> > adjustment, so no TCK compliance anymore.
> > (Not actually speaking about the TCK itself, which might also break due to
> > some changes in Servlet 6 in the way cookies are processed,
> > etc.)
> >
> > (3) We officially drop v9 (with a perspective, i.e. end of the year and
> > continue (1) until that date) and release a 10.0.0 within the next couple
> > of months well knowing that it might not pass the full TC because we are
> > in a hybrid state with CXF, etc.
> >
> > While I like the idea of (2), it will scatter our sparse resources even
> > more, because we need to release a forked Tomcat and I would personally
> > not really be happy to invest my time into maintaining a Tomcat fork
> > because it is time I would like to invest into TomEE 10.x and its other
> > dependencies.
> >
> > I am really keen to get some feedback on this discussion because we
> > somehow need to decide what we want to do with 9.1.x anyway. Even if a
> > possible outcome of this discussion is, that we just stay with (1).
> >
> > Regards
> > Richard
> >
> > [1] https://github.com/apache/tomee/pull/1114
> > [2] https://lists.apache.org/thread/7mp6lw41qvtx6q3nf1rpqdv7zndb5xs5
> > [3] https://lists.apache.org/thread/4nffbsvp6202pydr7mmyrsq6rqhgdkd6
>
