Very well put, Mark! Thank you for your work and devotion to this.
> Hi, > My application is currently using Apache Tomcat 9.0.120 on a RHEL 9.2. > We plan to utilize Apache Tomcat 9.1.x once it is released. > > We are concerned about the timing of the 9.1.x release and if we will > have enough time to migrate/upgrade our application to using 9.1 before > 9.0.x is officially EOL - which we see on Apache's website states that > 9.0 EOL is no earlier than March 31st 2027. > > I understand that no release date has been provided for 9.1, but can > you provide guidance as to how long of a window or timeline software > vendors like us will have to migrate our applications before 9.0 is > EOL? The issue is security vulnerabilities. 12 months. We have stated multiple times, on this mailing list, starting in March / April this year that the first 9.1.x release will follow the final 9.0.x release and that you will be able to treat it exactly like a 9.0.x to 9.0.x+1 update providing: - you aren't using the APR connector - if you are using Tomcat Native, you are using 2.0.x You have from now (actually since ~April this year) to migrate off the APR connector if you are using APR and to Native 2.0 x if you are using Native 1.x. The only reason there is a minor version bump is dropping APR support and dropping Native 1.x support. > For example, we get notification from Apache on March 20th 2027 for a > 9.0.x release - which is presumably the last 9.0 release before it is > EOL on March 31st 2027. We then get a notification from Apache on > March 27th for the 9.1.x release. This gives us three days to migrate, > test, and deliver our software to our customer base, and it gives them > very little time to upgrade so that they are covered in terms of > security vulnerabilities. Our customer's security teams are stating > that at midnight, March 31st, if Apache Tomcat is not upgraded to 9.1, > then the company will have to shut the application/system down to avoid > being vulnerable. Then those security teams need to rethink their plans based on what is actually happening rather than their misunderstanding of what is happening. All they need to do is treat it like just another point release. There won't be any security vulnerabilities announced for the final 9.0.x release until the first 9.1.x release is available with fixes for those issues (unless the issue is in APR or Native 1.3.x in which case it won't get fixed). Better yet, tell them to buy some tickets to CoC Glasgow and they can listen to me talking about the migration process and, if they still have questions, I can answer them in person. > Any guidance on how much time will be given from the time Tomcat 9.1 is > released to the time 9.0 is EOL would be appreciated. > Thank you, > Lisa Sayre I expect that last 9.0.x release will be in March 2027 and the first 9.1.x release will be in April 2027. Mark --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
