RE: Tomcat 4.0-beta-2 Security Vulnerability
I suggest that we create a revised version of beta 2, clearly labelled so that people will know whether they have the corrected version or not -- and we should do this immediately (like today) to minimize the number of people who end up downloading twice. I suggest we call the updated version "Tomcat 4.0-beta-2-update-1" or something like that. Comments? Votes? I vote you just call it "Tomcat-4.0-beta-3". I don't recall ever being told there were limits to the number of betas one can produce. :-) I believe that a new beta number is justified by any significant bug fix or fixes and a security hole is definitely significant, even if the code change may be tiny. +1 for Tomcat-4.0-beta-3 And what about including in TC 4.0b3 my patches which help build tc 4.0 on non standard distro, ie jsse.jar not in JSSE_HOME/lib or jmxri.jar not in JMX_HOME/lib.
Re: Tomcat 4.0-beta-2 Security Vulnerability
Jon Stevens wrote: on 4/2/01 2:20 PM, "Craig R. McClanahan" [EMAIL PROTECTED] wrote: I suggest that we create a revised version of beta 2, clearly labelled so that people will know whether they have the corrected version or not -- and we should do this immediately (like today) to minimize the number of people who end up downloading twice. I suggest we call the updated version "Tomcat 4.0-beta-2-update-1" or something like that. Comments? Votes? Craig -1 on an update. it just adds confusion imho and i don't see a reason to resist having many beta releases. Just make a beta 3. -jon I agree, beta 3 avoids confusion. +1 for a beta 3 release. Glenn -- Glenn Nielsen [EMAIL PROTECTED] | /* Spelin donut madder| MOREnet System Programming | * if iz ina coment. | Missouri Research and Education Network | */ | --
Re: Tomcat 4.0-beta-2 Security Vulnerability
- Original Message - From: "Glenn Nielsen" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, April 03, 2001 12:39 AM Subject: Re: Tomcat 4.0-beta-2 Security Vulnerability Jon Stevens wrote: on 4/2/01 2:20 PM, "Craig R. McClanahan" [EMAIL PROTECTED] wrote: I suggest that we create a revised version of beta 2, clearly labelled so that people will know whether they have the corrected version or not -- and we should do this immediately (like today) to minimize the number of people who end up downloading twice. I suggest we call the updated version "Tomcat 4.0-beta-2-update-1" or something like that. Comments? Votes? Craig -1 on an update. it just adds confusion imho and i don't see a reason to resist having many beta releases. Just make a beta 3. -jon I agree, beta 3 avoids confusion. +1 for a beta 3 release. Glenn +1 for beta 3 ;-) is too confusing to create update version
Re: Tomcat 4.0-beta-2 Security Vulnerability
--- "Craig R. McClanahan" [EMAIL PROTECTED] wrote: I suggest that we create a revised version of beta 2, clearly labelled so that people will know whether they have the corrected version or not -- and we should do this immediately (like today) to minimize the number of people who end up downloading twice. I suggest we call the updated version "Tomcat 4.0-beta-2-update-1" or something like that. Comments? Votes? I vote you just call it "Tomcat-4.0-beta-3". I don't recall ever being told there were limits to the number of betas one can produce. :-) I believe that a new beta number is justified by any significant bug fix or fixes and a security hole is definitely significant, even if the code change may be tiny. By labeling it 'beta-3' it is CLEARLY the latest build and CLEARLY newer than beta-2. fwiw, Dr. Mel Martinez G1440, Inc. __ Do You Yahoo!? Get email at your own domain with Yahoo! Mail. http://personal.mail.yahoo.com/?.refer=text
Re: Tomcat 4.0-beta-2 Security Vulnerability
On Mon, 2 Apr 2001, Mel Martinez wrote: --- "Craig R. McClanahan" [EMAIL PROTECTED] wrote: I suggest that we create a revised version of beta 2, clearly labelled so that people will know whether they have the corrected version or not -- and we should do this immediately (like today) to minimize the number of people who end up downloading twice. I suggest we call the updated version "Tomcat 4.0-beta-2-update-1" or something like that. Comments? Votes? I vote you just call it "Tomcat-4.0-beta-3". I don't recall ever being told there were limits to the number of betas one can produce. :-) I believe that a new beta number is justified by any significant bug fix or fixes and a security hole is definitely significant, even if the code change may be tiny. By labeling it 'beta-3' it is CLEARLY the latest build and CLEARLY newer than beta-2. Makes sense to me. "Beta 3" it is. fwiw, Dr. Mel Martinez G1440, Inc. Craig
Re: Tomcat 4.0-beta-2 Security Vulnerability
And I think it is also good to state in the mail-announcement and in the jakarta website that the b2 have such security vulnerability when b3 is rolled out. Punky - Original Message - From: "Craig R. McClanahan" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, April 03, 2001 7:38 AM Subject: Re: Tomcat 4.0-beta-2 Security Vulnerability On Mon, 2 Apr 2001, Mel Martinez wrote: --- "Craig R. McClanahan" [EMAIL PROTECTED] wrote: I suggest that we create a revised version of beta 2, clearly labelled so that people will know whether they have the corrected version or not -- and we should do this immediately (like today) to minimize the number of people who end up downloading twice. I suggest we call the updated version "Tomcat 4.0-beta-2-update-1" or something like that. Comments? Votes? I vote you just call it "Tomcat-4.0-beta-3". I don't recall ever being told there were limits to the number of betas one can produce. :-) I believe that a new beta number is justified by any significant bug fix or fixes and a security hole is definitely significant, even if the code change may be tiny. By labeling it 'beta-3' it is CLEARLY the latest build and CLEARLY newer than beta-2. Makes sense to me. "Beta 3" it is. fwiw, Dr. Mel Martinez G1440, Inc. Craig
Re: Tomcat 4.0-beta-2 Security Vulnerability
On Tue, 3 Apr 2001, Punky Tse wrote: And I think it is also good to state in the mail-announcement and in the jakarta website that the b2 have such security vulnerability when b3 is rolled out. It will. The beta-2 release is also going to get pulled so that no one will download it accidentally. Punky Craig - Original Message - From: "Craig R. McClanahan" [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, April 03, 2001 7:38 AM Subject: Re: Tomcat 4.0-beta-2 Security Vulnerability On Mon, 2 Apr 2001, Mel Martinez wrote: --- "Craig R. McClanahan" [EMAIL PROTECTED] wrote: I suggest that we create a revised version of beta 2, clearly labelled so that people will know whether they have the corrected version or not -- and we should do this immediately (like today) to minimize the number of people who end up downloading twice. I suggest we call the updated version "Tomcat 4.0-beta-2-update-1" or something like that. Comments? Votes? I vote you just call it "Tomcat-4.0-beta-3". I don't recall ever being told there were limits to the number of betas one can produce. :-) I believe that a new beta number is justified by any significant bug fix or fixes and a security hole is definitely significant, even if the code change may be tiny. By labeling it 'beta-3' it is CLEARLY the latest build and CLEARLY newer than beta-2. Makes sense to me. "Beta 3" it is. fwiw, Dr. Mel Martinez G1440, Inc. Craig