Re: Java 9 support + HSTS for tomcat.apache.org

2017-09-28 Thread Oliver Heister
> > IMO a remark regarding Java 9 should be added to
> > http://tomcat.apache.org/whichversion.html .
>
> Sounds good. I don't know of anything specific that does NOT work with
> Java 9, but markt has been following the pre-releases of Java 9 pretty
> closely, and has made adjustments (mostly disabling various
> workarounds for bugs in previous JVMs) accordingly. There may be some
> NEW items that may need to be worked-around -- those usually turn out
> to be various ClassLoader-pinning memory-leaks -- but my guess is that
> most Tomcat versions will work just fine under Java 9 without any
> special effort.
>
> Could you try (the latest patch-level of) whatever version of Tomcat
> you are currently using with Java 9 and let us know how things go?

It looks like Tomcat 8.5.23 and Tomcat 9.0.1 Beta will be released
soon and they include the fix mentioned in
https://marc.info/?l=tomcat-dev=150617928913339=2 . So we will
test Tomcat 8.5.23.


> > 2. Currently MITM attacks by evil ISPs or WiFi networks are
> > possible against people downloading tomcat from
> > http://tomcat.apache.org/download-80.cgi . (The page has links to
> > PGP, md5 and sha1 hashes for validation, but the links are on a
> > http page that does not redirect to https. This means they could be
> > replaced in case of MITM.)
> >
> > IMO a HTTP 301 redirect to the https version and HSTS headers
> > should be added to http://tomcat.apache.org/ .
>
> Agreed about the redirect... not so sure about HSTS, as that affects
> the whole domain.

HSTS (RFC 6797) would only affect http://tomcat.apache.org/ .
"HSTS preload" would affect the base domain and all subdomains.


> > Should I try to submit issues in Bugzilla for both?
>
> Yes, please. Post-back with URLs to the BZ issues you raise.

OK.

Regards
Oliver


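The scope point made above (a Strict-Transport-Security header from tomcat.apache.org covers only that host and, with includeSubDomains, its subdomains; only the preload list reaches the base domain and all of its subdomains) as an added Python example, not code from the thread or the Tomcat project. The header values and host names are constructed.

```python
"""Scope of an HSTS policy (RFC 6797) versus the browser preload list.

Added example, not from the thread; header values and hosts are constructed.
"""

def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into its directives.

    Returns None when max-age is missing or malformed: RFC 6797 section 6.1
    makes max-age required, and browsers ignore a policy without it.
    """
    directives = {}
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name:
            directives[name] = value.strip().strip('"')
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None
    return {
        "max_age": int(max_age),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }

def hsts_covers(policy_host, policy, host):
    """Does a policy received from policy_host force HTTPS for host?

    RFC 6797 section 8.2: the policy applies to the exact host that sent it
    and, only with includeSubDomains, to its subdomains. It never reaches the
    parent domain or sibling hosts, which is why a header on tomcat.apache.org
    cannot affect apache.org itself.
    """
    if policy is None or policy["max_age"] == 0:   # max-age=0 removes the policy
        return False
    host = host.lower().rstrip(".")
    policy_host = policy_host.lower().rstrip(".")
    if host == policy_host:
        return True
    return policy["include_subdomains"] and host.endswith("." + policy_host)

def preload_eligible(policy):
    """Preload-list submission requires both includeSubDomains and preload.

    Assumption: the list also enforces a minimum max-age and an HTTPS redirect;
    only the directive checks are modelled here.
    """
    return policy is not None and policy["include_subdomains"] and policy["preload"]
```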


Java 9 support + HSTS for tomcat.apache.org

2017-09-26 Thread Oliver Heister
Hi all,

I have two suggestions:

1. The table on http://tomcat.apache.org/whichversion.html has a column
“Supported Java Versions” which has entries like “8 and later”.  My
understanding from e.g.
https://marc.info/?l=tomcat-dev=150617891913261=2 is that currently no
stable tomcat release supports Java 9 yet.

IMO a remark regarding Java 9 should be added to
http://tomcat.apache.org/whichversion.html .


2. Currently MITM attacks by evil ISPs or WiFi networks are possible
against people downloading tomcat from
http://tomcat.apache.org/download-80.cgi . (The page has links to PGP, md5
and sha1 hashes for validation, but the links are on a http page that does
not redirect to https. This means they could be replaced in case of MITM.)

IMO a HTTP 301 redirect to the https version and HSTS headers should be
added to http://tomcat.apache.org/ .



Should I try to submit issues in Bugzilla for both?


Best Regards

Oliver