Re: [4.0.3] [VOTES] Upcoming release and security fix

2002-03-01 Thread costinm 

On Fri, 1 Mar 2002, Remy Maucherat wrote:

> >>> Just to be a "pain in the ass" I don't really like the
> >concept of an "A"
> >>> version (never happened in httpd land)... So, I would call
> >them 4.0.3 and
> >>> 4.0.4b1
> 
> > Ok let's do 'a la HTTPd', 4.0.3 (fix security problems in 4.0.2)
> > and 4.0.4b1
> 
> Thanks for the feedback.
> It will then be 4.0.3 + 4.0.4b1 + hotfix for 4.0.2.
> (this is going to be a loong friday )

Or it can be just 4.0.3. The hotfix for 4.0.2 will be one of
the jars inside it, and 4.0.4b1 can wait few more days, 
it's just a beta. 

One release per day is enough, and friday should be a short day :-)


Costin


--
To unsubscribe, e-mail:   
For additional commands, e-mail:

Re: [4.0.3] [VOTES] Upcoming release and security fix

2002-03-01 Thread Remy Maucherat 

>>> Just to be a "pain in the ass" I don't really like the
>concept of an "A"
>>> version (never happened in httpd land)... So, I would call
>them 4.0.3 and
>>> 4.0.4b1

> Ok let's do 'a la HTTPd', 4.0.3 (fix security problems in 4.0.2)
> and 4.0.4b1

Thanks for the feedback.
It will then be 4.0.3 + 4.0.4b1 + hotfix for 4.0.2.
(this is going to be a loong friday )

> >However a small patch would be usefull for those who already installed
> >4.0.2 and want a quick fix ( and 4.0.3/4.0.2a will be 4.0.2 +
> >the patch).

The patch for 4.0.2 is already online, BTW.
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.2/bin/hotfi
x/
I didn't announce it yet as I was waiting for the voting results.

I'll make two annoucements:
- Security hotfix for 4.0.2 + 4.0.3 (= 4.0.2 + hotfix)
- 4.0.4 Beta 1

Remy


--
To unsubscribe, e-mail:   
For additional commands, e-mail:

RE: [4.0.3] [VOTES] Upcoming release and security fix

2002-03-01 Thread GOMEZ Henri 

>On Fri, 1 Mar 2002, Pier Fumagalli wrote:
>
>> "GOMEZ Henri" <[EMAIL PROTECTED]> wrote:
>> 
>> > 4.0.2a + 4.0.3b1 :)
>> 
>> Just to be a "pain in the ass" I don't really like the 
>concept of an "A"
>> version (never happened in httpd land)... So, I would call 
>them 4.0.3 and
>> 4.0.4b1

Ok let's do 'a la HTTPd', 4.0.3 (fix security problems in 4.0.2)
and 4.0.4b1

>He's right... 
>
>However a small patch would be usefull for those who already installed
>4.0.2 and want a quick fix ( and 4.0.3/4.0.2a will be 4.0.2 + 
>the patch).

--
To unsubscribe, e-mail:   
For additional commands, e-mail:

Re: [4.0.3] [VOTES] Upcoming release and security fix

2002-03-01 Thread costinm 

On Fri, 1 Mar 2002, Pier Fumagalli wrote:

> "GOMEZ Henri" <[EMAIL PROTECTED]> wrote:
> 
> > 4.0.2a + 4.0.3b1 :)
> 
> Just to be a "pain in the ass" I don't really like the concept of an "A"
> version (never happened in httpd land)... So, I would call them 4.0.3 and
> 4.0.4b1

He's right... 

However a small patch would be usefull for those who already installed
4.0.2 and want a quick fix ( and 4.0.3/4.0.2a will be 4.0.2 + the patch).

Costin


--
To unsubscribe, e-mail:   
For additional commands, e-mail:

Re: [4.0.3] [VOTES] Upcoming release and security fix

2002-03-01 Thread Pier Fumagalli 

"GOMEZ Henri" <[EMAIL PROTECTED]> wrote:

> 4.0.2a + 4.0.3b1 :)

Just to be a "pain in the ass" I don't really like the concept of an "A"
version (never happened in httpd land)... So, I would call them 4.0.3 and
4.0.4b1

My $ 0.02

Pier


--
To unsubscribe, e-mail:   
For additional commands, e-mail:

RE: [4.0.3] [VOTES] Upcoming release and security fix

2002-03-01 Thread GOMEZ Henri 

>Since there are apparently diverging opinions on the subject 
>(and also since
>I didn't get any +1s for a possible 4.0.3 b1, or a 4.0.2a 
>release), here's a
>formal request for vote.
>
>On the security problem reported yesterday, affecting the 
>security manager
>sandboxing. We should:
>
>A [ ] Make a full 4.0.3 (or 4.0.2a) release which would only 
>include the
>security fix
>B [ ] Make the security fix available as a binary patch for 
>4.0.2 (it would
>take the form of an archive to extract in $CATALINA_HOME, and would be
>*small*)
>C [ ] Accelerate the release schedule of 4.0.3, which would include the
>security fix, as well as fixes for other issues with 4.0.2 
>(with Beta 1 on
>03/01 and Final on 03/08)
>

A or B for RPM people are the same works ;)

But to be coherent with what we do for 3.3, 4.0.2a seems better,
ie 4.0.2 + security fix => 4.0.2a (nothing more nothing less).

4.0.3b1 will be a different story since it involve new code, and
it should be also provided.

4.0.2a + 4.0.3b1 :)

>In parallel, I'd like to release a first beta of 4.0.3 on 
>03/01 (depending
>on the vote on item 'C' above, the release cycle may be 
>shorter or longer):
>

>+1 [X] I support the release, and I will help
>+0 [ ] I support the release
>-0 [ ] I don't support the release
>-1 [ ] I'm against the release because:

--
To unsubscribe, e-mail:   
For additional commands, e-mail:

Re: [4.0.3] [VOTES] Upcoming release and security fix

2002-03-01 Thread jean-frederic clere 

Remy Maucherat wrote:
> 
> Since there are apparently diverging opinions on the subject (and also since
> I didn't get any +1s for a possible 4.0.3 b1, or a 4.0.2a release), here's a
> formal request for vote.
> 
> On the security problem reported yesterday, affecting the security manager
> sandboxing. We should:
> 
> A [ ] Make a full 4.0.3 (or 4.0.2a) release which would only include the
> security fix
> B [ ] Make the security fix available as a binary patch for 4.0.2 (it would
> take the form of an archive to extract in $CATALINA_HOME, and would be
> *small*)
> C [ ] Accelerate the release schedule of 4.0.3, which would include the
> security fix, as well as fixes for other issues with 4.0.2 (with Beta 1 on
> 03/01 and Final on 03/08)

I need some of these fixes...
But I have just noted it only yesterday therefore today the choice A does not
help me... So B.

> 
> 
> Multiple votes are acceptable. If there are other interesting possibilities,
> let me know.
> 
> My vote is 'B'.
> 
> In parallel, I'd like to release a first beta of 4.0.3 on 03/01 (depending
> on the vote on item 'C' above, the release cycle may be shorter or longer):
> 
> +1 [X] I support the release, and I will help
> +0 [ ] I support the release
> -0 [ ] I don't support the release
> -1 [ ] I'm against the release because:
> 
> 
> 
> My vote is +1.
> 
> Note: Non-committers are welcome to vote if they feel like it, but the vote
> in that case is non binding.
> 
> Remy
> 
> --
> To unsubscribe, e-mail:   
> For additional commands, e-mail: 

--
To unsubscribe, e-mail:   
For additional commands, e-mail:

Re: [4.0.3] [VOTES] Upcoming release and security fix

2002-02-28 Thread costinm 

On Thu, 28 Feb 2002, Remy Maucherat wrote:

> On the security problem reported yesterday, affecting the security manager
> sandboxing. We should:
> 
> A [] Make a full 4.0.3 (or 4.0.2a) release which would only include  the
> security fix
> B [+1] Make the security fix available as a binary patch for 4.0.2 (it would
> take the form of an archive to extract in $CATALINA_HOME, and would be
> *small*)
> C [] Accelerate the release schedule of 4.0.3, which would include the
> security fix, as well as fixes for other issues with 4.0.2 (with Beta 1 on
> 03/01 and Final on 03/08)
> 

> Multiple votes are acceptable. If there are other interesting possibilities,
> let me know.
> 
> My vote is 'B'.
> 
> In parallel, I'd like to release a first beta of 4.0.3 on 03/01 (depending
> on the vote on item 'C' above, the release cycle may be shorter or longer):
> 
> +1 [+1( jk part )] I support the release, and I will help
> +0 [ ] I support the release
> -0 [ ] I don't support the release
> -1 [ ] I'm against the release because:

Costin


--
To unsubscribe, e-mail:   
For additional commands, e-mail:

Re: [4.0.3] [VOTES] Upcoming release and security fix

2002-02-28 Thread Bill Barker 


- Original Message -
From: "Remy Maucherat" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, February 28, 2002 11:09 AM
Subject: [4.0.3] [VOTES] Upcoming release and security fix


> 
> A [+0] Make a full 4.0.3 (or 4.0.2a) release which would only include the
> security fix
> B [+0] Make the security fix available as a binary patch for 4.0.2 (it
would
> take the form of an archive to extract in $CATALINA_HOME, and would be
> *small*)
> C [ ] Accelerate the release schedule of 4.0.3, which would include the
> security fix, as well as fixes for other issues with 4.0.2 (with Beta 1 on
> 03/01 and Final on 03/08)
> 
>
Much the same as with Craig.  The RPM people will probably want A, whereas
I'd guess that a lot of non-Linux people will want B.

> 
> +1 [ ] I support the release, and I will help
> +0 [X] I support the release
> -0 [ ] I don't support the release
> -1 [ ] I'm against the release because:
>
>
> 
>
> My vote is +1.
>
> Note: Non-committers are welcome to vote if they feel like it, but the
vote
> in that case is non binding.
>
> Remy
>
>
> --
> To unsubscribe, e-mail:
<mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail:
<mailto:[EMAIL PROTECTED]>
>


--
To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>

Re: [4.0.3] [VOTES] Upcoming release and security fix

2002-02-28 Thread Craig R. McClanahan 

+1 for option A and B together (they don't have to be mutually exclusive,
and we can examine user behavior to see if binary patches are an idea
worth pursuing.

+1 for 4.0.3-b1.

Craig


On Thu, 28 Feb 2002, Remy Maucherat wrote:

> Date: Thu, 28 Feb 2002 11:09:08 -0800
> From: Remy Maucherat <[EMAIL PROTECTED]>
> Reply-To: Tomcat Developers List <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: [4.0.3] [VOTES] Upcoming release and security fix
>
> Since there are apparently diverging opinions on the subject (and also since
> I didn't get any +1s for a possible 4.0.3 b1, or a 4.0.2a release), here's a
> formal request for vote.
>
> On the security problem reported yesterday, affecting the security manager
> sandboxing. We should:
> 
> A [ ] Make a full 4.0.3 (or 4.0.2a) release which would only include the
> security fix
> B [ ] Make the security fix available as a binary patch for 4.0.2 (it would
> take the form of an archive to extract in $CATALINA_HOME, and would be
> *small*)
> C [ ] Accelerate the release schedule of 4.0.3, which would include the
> security fix, as well as fixes for other issues with 4.0.2 (with Beta 1 on
> 03/01 and Final on 03/08)
> 
>
> Multiple votes are acceptable. If there are other interesting possibilities,
> let me know.
>
> My vote is 'B'.
>
> In parallel, I'd like to release a first beta of 4.0.3 on 03/01 (depending
> on the vote on item 'C' above, the release cycle may be shorter or longer):
> 
> +1 [ ] I support the release, and I will help
> +0 [ ] I support the release
> -0 [ ] I don't support the release
> -1 [ ] I'm against the release because:
>
>
> 
>
> My vote is +1.
>
> Note: Non-committers are welcome to vote if they feel like it, but the vote
> in that case is non binding.
>
> Remy
>
>
> --
> To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
>
>


--
To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>

Re: [4.0.3] [VOTES] Upcoming release and security fix

2002-02-28 Thread Jason Brittain 


Hi Remy and gang..

Below is my non-binding vote (for fun!):

Remy Maucherat wrote:
> Since there are apparently diverging opinions on the subject (and also since
> I didn't get any +1s for a possible 4.0.3 b1, or a 4.0.2a release), here's a
> formal request for vote.
> 
> On the security problem reported yesterday, affecting the security manager
> sandboxing. We should:
> 
> A [X] Make a full 4.0.3 (or 4.0.2a) release which would only include the
> security fix

This looks to me to be the path of least resistance/hassle for everyone
involved, since it's just a small change to the last release.  Release early,
release often.  :)

> B [ ] Make the security fix available as a binary patch for 4.0.2 (it would
> take the form of an archive to extract in $CATALINA_HOME, and would be
> *small*)

Binary patches make me nervous.  Whether this would work best or not
depends on a whole bunch of unspecified factors, so I won't vote for it.

> C [ ] Accelerate the release schedule of 4.0.3, which would include the
> security fix, as well as fixes for other issues with 4.0.2 (with Beta 1 on
> 03/01 and Final on 03/08)
> 

This one would be nice too, but it creates a bunch of extra work for you
it seems (which is my guess as to why you're not voting for it).

> Multiple votes are acceptable. If there are other interesting possibilities,
> let me know.
> 
> My vote is 'B'.
> 
> In parallel, I'd like to release a first beta of 4.0.3 on 03/01 (depending
> on the vote on item 'C' above, the release cycle may be shorter or longer):
> 
> +1 [ ] I support the release, and I will help
> +0 [X] I support the release, and I sure wish I had time to help!!
> -0 [ ] I don't support the release
> -1 [ ] I'm against the release because:


-- 
Jason Brittain

CollabNet http://www.collab.net


--
To unsubscribe, e-mail:   
For additional commands, e-mail:

Re: [4.0.3] [VOTES] Upcoming release and security fix

2002-02-28 Thread Eric Rescorla 

"Remy Maucherat" <[EMAIL PROTECTED]> writes:

> Since there are apparently diverging opinions on the subject (and also since
> I didn't get any +1s for a possible 4.0.3 b1, or a 4.0.2a release), here's a
> formal request for vote.
> 
> On the security problem reported yesterday, affecting the security manager
> sandboxing. We should:
> 
> A [ ] Make a full 4.0.3 (or 4.0.2a) release which would only include the
> security fix
> B [ ] Make the security fix available as a binary patch for 4.0.2 (it would
> take the form of an archive to extract in $CATALINA_HOME, and would be
> *small*)
> C [ ] Accelerate the release schedule of 4.0.3, which would include the
> security fix, as well as fixes for other issues with 4.0.2 (with Beta 1 on
> 03/01 and Final on 03/08)
> 
My vote is C.

> In parallel, I'd like to release a first beta of 4.0.3 on 03/01 (depending
> on the vote on item 'C' above, the release cycle may be shorter or longer):
> 
> +1 [ ] I support the release, and I will help
> +0 [ ] I support the release
> -0 [ ] I don't support the release
> -1 [ ] I'm against the release because:
> 
> 
> 
> 
> My vote is +1.
+0

-Ekr

-- 
[Eric Rescorla   [EMAIL PROTECTED]]
http://www.rtfm.com/

--
To unsubscribe, e-mail:   
For additional commands, e-mail:

[4.0.3] [VOTES] Upcoming release and security fix

2002-02-28 Thread Remy Maucherat 

Since there are apparently diverging opinions on the subject (and also since
I didn't get any +1s for a possible 4.0.3 b1, or a 4.0.2a release), here's a
formal request for vote.

On the security problem reported yesterday, affecting the security manager
sandboxing. We should:

A [ ] Make a full 4.0.3 (or 4.0.2a) release which would only include the
security fix
B [ ] Make the security fix available as a binary patch for 4.0.2 (it would
take the form of an archive to extract in $CATALINA_HOME, and would be
*small*)
C [ ] Accelerate the release schedule of 4.0.3, which would include the
security fix, as well as fixes for other issues with 4.0.2 (with Beta 1 on
03/01 and Final on 03/08)


Multiple votes are acceptable. If there are other interesting possibilities,
let me know.

My vote is 'B'.

In parallel, I'd like to release a first beta of 4.0.3 on 03/01 (depending
on the vote on item 'C' above, the release cycle may be shorter or longer):

+1 [ ] I support the release, and I will help
+0 [ ] I support the release
-0 [ ] I don't support the release
-1 [ ] I'm against the release because:




My vote is +1.

Note: Non-committers are welcome to vote if they feel like it, but the vote
in that case is non binding.

Remy


--
To unsubscribe, e-mail:   
For additional commands, e-mail: