Re: November release round
On 02/11/2022 18:36, Christopher Schultz wrote:
> Mark,
>
> On 11/1/22 12:19, Mark Thomas wrote:
>> I've just read the OpenSSL announcement. The issue has been downgraded
>> to critical but we are going to need to new Tomcat Native release.
>> There are a couple of stack overflow bugs in certificate verification
>> so Tomcat could be accepted via CLIENT-CERT.
>
> s/accepted/affected/

Tx.

> I've been following this as well, and I agree that we need a flurry of
> releases.
>
> It's too bad we decided to bundle libtcnative.dll with Tomcat releases.
> *NIX users don't have to wait for a release...

Neither do Windows users. They just have to build from source like their Unix colleagues.

> I think we should have an immediate VOTE on a tcnative release which
> includes an updated statically-linked Windows DLL.
>
> Because there are no code changes (?) since the last tcnative
> release... can we simply fast-forward to a release-by-acclamation? ASF
> probably says no to that. :/

The VOTE thread is on the way. I'm currently travelling so things are a little trickier / slower than usual but I expect to get the VOTE thread out in the next hour or so.

We can end the VOTE whenever we like. If we have at least 3 +1 PMC votes and more PMC +1 votes than -1 votes then we can release. The 72 hours is a guideline / very strong recommendation but if we have a good reason for doing something else that is fine. And security is generally accepted as a good reason for a shorter vote.

If we had everyone lined up ready to VOTE, the whole thing could be over in a couple of minutes.

Mark

> -chris
>
>> On 25/10/2022 16:55, Rémy Maucherat wrote:
>>> On Tue, Oct 25, 2022 at 5:52 PM Mark Thomas wrote:
>>>> Hi all,
>>>>
>>>> I've just seen the heads up from the OpenSSL project that there will
>>>> be a 3.0.7 release on 2022-12-01 that will address a critical
>>>> vulnerability. We won't know the details of the vulnerability until
>>>> the release announcement. Given that it may trigger a Tomcat Native
>>>> release my current thinking is:
>>>>
>>>> - prep for November releases as normal
>>>> - review the OpenSSL issue once public
>>>> - roll a Tomcat Native release if necessary
>>>> - update to the new Tomcat Native release if there is one
>>>> - roll the Tomcat releases
>>>>
>>>> Do we want to pick up an updated migration tool as well?
>>>
>>> Maybe, we're in the process of integrating a PR for the tool. The
>>> submitter says it makes it run faster.
>>>
>>> Rémy
>>>
>>>> Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Re: November release round
Mark,

On 11/1/22 12:19, Mark Thomas wrote:
> I've just read the OpenSSL announcement. The issue has been downgraded
> to critical but we are going to need to new Tomcat Native release.
> There are a couple of stack overflow bugs in certificate verification
> so Tomcat could be accepted via CLIENT-CERT.

s/accepted/affected/

I've been following this as well, and I agree that we need a flurry of releases.

It's too bad we decided to bundle libtcnative.dll with Tomcat releases. *NIX users don't have to wait for a release...

I think we should have an immediate VOTE on a tcnative release which includes an updated statically-linked Windows DLL.

Because there are no code changes (?) since the last tcnative release... can we simply fast-forward to a release-by-acclamation? ASF probably says no to that. :/

-chris

> On 25/10/2022 16:55, Rémy Maucherat wrote:
>> On Tue, Oct 25, 2022 at 5:52 PM Mark Thomas wrote:
>>> Hi all,
>>>
>>> I've just seen the heads up from the OpenSSL project that there will
>>> be a 3.0.7 release on 2022-12-01 that will address a critical
>>> vulnerability. We won't know the details of the vulnerability until
>>> the release announcement. Given that it may trigger a Tomcat Native
>>> release my current thinking is:
>>>
>>> - prep for November releases as normal
>>> - review the OpenSSL issue once public
>>> - roll a Tomcat Native release if necessary
>>> - update to the new Tomcat Native release if there is one
>>> - roll the Tomcat releases
>>>
>>> Do we want to pick up an updated migration tool as well?
>>
>> Maybe, we're in the process of integrating a PR for the tool. The
>> submitter says it makes it run faster.
>>
>> Rémy
>>
>>> Mark

Re: November release round
On Wed, Nov 2, 2022 at 2:40 AM Han Li wrote:
>
> > On Nov 2, 2022, at 00:19, Mark Thomas wrote:
> >
> > I've just read the OpenSSL announcement. The issue has been downgraded to
> > critical but we are going to need to new Tomcat Native release. There are a
> > couple of stack overflow bugs in certificate verification so Tomcat could
> > be accepted via CLIENT-CERT.
> >
> > Where are we on the migration tool. I haven't been following that closely.
> > Is the repo ready for a release?
>
> Yes, I think it’s ready. ;)

+1

Remy

> Han
>
> > Mark
> >
> > On 25/10/2022 16:55, Rémy Maucherat wrote:
> >> On Tue, Oct 25, 2022 at 5:52 PM Mark Thomas wrote:
> >>>
> >>> Hi all,
> >>>
> >>> I've just seen the heads up from the OpenSSL project that there will be
> >>> a 3.0.7 release on 2022-12-01 that will address a critical
> >>> vulnerability. We won't know the details of the vulnerability until the
> >>> release announcement. Given that it may trigger a Tomcat Native release
> >>> my current thinking is:
> >>>
> >>> - prep for November releases as normal
> >>> - review the OpenSSL issue once public
> >>> - roll a Tomcat Native release if necessary
> >>> - update to the new Tomcat Native release if there is one
> >>> - roll the Tomcat releases
> >>>
> >>> Do we want to pick up an updated migration tool as well?
> >> Maybe, we're in the process of integrating a PR for the tool. The
> >> submitter says it makes it run faster.
> >> Rémy
> >>> Mark

Re: November release round
> On Nov 2, 2022, at 00:19, Mark Thomas wrote:
>
> I've just read the OpenSSL announcement. The issue has been downgraded to
> critical but we are going to need to new Tomcat Native release. There are a
> couple of stack overflow bugs in certificate verification so Tomcat could be
> accepted via CLIENT-CERT.
>
> Where are we on the migration tool. I haven't been following that closely. Is
> the repo ready for a release?

Yes, I think it’s ready. ;)

Han

> Mark
>
> On 25/10/2022 16:55, Rémy Maucherat wrote:
>> On Tue, Oct 25, 2022 at 5:52 PM Mark Thomas wrote:
>>>
>>> Hi all,
>>>
>>> I've just seen the heads up from the OpenSSL project that there will be
>>> a 3.0.7 release on 2022-12-01 that will address a critical
>>> vulnerability. We won't know the details of the vulnerability until the
>>> release announcement. Given that it may trigger a Tomcat Native release
>>> my current thinking is:
>>>
>>> - prep for November releases as normal
>>> - review the OpenSSL issue once public
>>> - roll a Tomcat Native release if necessary
>>> - update to the new Tomcat Native release if there is one
>>> - roll the Tomcat releases
>>>
>>> Do we want to pick up an updated migration tool as well?
>> Maybe, we're in the process of integrating a PR for the tool. The
>> submitter says it makes it run faster.
>> Rémy
>>> Mark

Re: November release round
I've just read the OpenSSL announcement. The issue has been downgraded to critical but we are going to need to new Tomcat Native release. There are a couple of stack overflow bugs in certificate verification so Tomcat could be accepted via CLIENT-CERT.

Where are we on the migration tool. I haven't been following that closely. Is the repo ready for a release?

Mark

On 25/10/2022 16:55, Rémy Maucherat wrote:
> On Tue, Oct 25, 2022 at 5:52 PM Mark Thomas wrote:
>> Hi all,
>>
>> I've just seen the heads up from the OpenSSL project that there will
>> be a 3.0.7 release on 2022-12-01 that will address a critical
>> vulnerability. We won't know the details of the vulnerability until
>> the release announcement. Given that it may trigger a Tomcat Native
>> release my current thinking is:
>>
>> - prep for November releases as normal
>> - review the OpenSSL issue once public
>> - roll a Tomcat Native release if necessary
>> - update to the new Tomcat Native release if there is one
>> - roll the Tomcat releases
>>
>> Do we want to pick up an updated migration tool as well?
>
> Maybe, we're in the process of integrating a PR for the tool. The
> submitter says it makes it run faster.
>
> Rémy
>
>> Mark

Re: November release round
> On Oct 25, 2022, at 23:51, Mark Thomas wrote:
>
> Hi all,
>
> I've just seen the heads up from the OpenSSL project that there will be a
> 3.0.7 release on 2022-12-01 that will address a critical vulnerability. We
> won't know the details of the vulnerability until the release announcement.
> Given that it may trigger a Tomcat Native release my current thinking is:
>
> - prep for November releases as normal
> - review the OpenSSL issue once public
> - roll a Tomcat Native release if necessary
> - update to the new Tomcat Native release if there is one
> - roll the Tomcat releases
>
> Do we want to pick up an updated migration tool as well?

Sure, I have merged the PR and so far everything seems to be OK, and it’s indeed faster.

Han

> Mark

Re: November release round
On Tue, Oct 25, 2022 at 5:52 PM Mark Thomas wrote:
>
> Hi all,
>
> I've just seen the heads up from the OpenSSL project that there will be
> a 3.0.7 release on 2022-12-01 that will address a critical
> vulnerability. We won't know the details of the vulnerability until the
> release announcement. Given that it may trigger a Tomcat Native release
> my current thinking is:
>
> - prep for November releases as normal
> - review the OpenSSL issue once public
> - roll a Tomcat Native release if necessary
> - update to the new Tomcat Native release if there is one
> - roll the Tomcat releases
>
> Do we want to pick up an updated migration tool as well?

Maybe, we're in the process of integrating a PR for the tool. The submitter says it makes it run faster.

Rémy

> Mark