Groups > linux.debian.maint.java > #12274 > unrolled thread
| Started by | Thorsten Glaser <t.glaser@tarent.de> |
|---|---|
| First post | 2021-08-10 22:10 +0200 |
| Last post | 2021-10-15 11:00 +0200 |
| Articles | 7 — 3 participants |
tomcat9 in buster-backports vs. security Thorsten Glaser <t.glaser@tarent.de> - 2021-08-10 22:10 +0200
Re: tomcat9 in buster-backports vs. security Markus Koschany <apo@debian.org> - 2021-08-10 22:40 +0200
Re: tomcat9 in buster-backports vs. security Thorsten Glaser <t.glaser@tarent.de> - 2021-08-10 22:50 +0200
Re: tomcat9 in buster-backports vs. security Markus Koschany <apo@debian.org> - 2021-08-10 23:00 +0200
Re: tomcat9 in buster-backports vs. security Thorsten Glaser <t.glaser@tarent.de> - 2021-08-22 23:00 +0200
Re: tomcat9 in buster-backports vs. security Markus Koschany <apo@debian.org> - 2021-10-14 23:30 +0200
Re: tomcat9 in buster-backports vs. security Alexander Wirt <formorer@formorer.de> - 2021-10-15 11:00 +0200
| From | Thorsten Glaser <t.glaser@tarent.de> |
|---|---|
| Date | 2021-08-10 22:10 +0200 |
| Subject | tomcat9 in buster-backports vs. security |
| Message-ID | <CKGet-FO-3@gated-at.bofh.it> |
Hi,

the tomcat9 backport is pretty much orphaned: newer tomcat9 versions don’t even build in buster any more¹, and both bullseye² and buster received security fixes recently.

① One built in bullseye works on buster but that is, of course, no option for bpo. (It works for my sysvinit-compatible local builds though.)

② Although waiting for -3 before acting would be best.

Markus, Emmanuel, are you going to update the backport to the latest version (9.0.43-3 or 9.0.43-3~deb11u1 once migrated) fixing the compile time problem (some constants for Java™ 15 and newer are not defined yet) because the alternative is to request removal of the backport now and informing the users.

bye,
//mirabilos
--
Infrastructure expert • tarent solutions GmbH
Am Dickobskreuz 10, D-53121 Bonn • http://www.tarent.de/
Telephone +49 228 54881-393 • Fax: +49 228 54881-235
HRB AG Bonn 5168 • USt-ID (VAT): DE122264941
Managing directors: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg
Don't miss anything with the tarent newsletter: www.tarent.de/newsletter
| From | Markus Koschany <apo@debian.org> |
|---|---|
| Date | 2021-08-10 22:40 +0200 |
| Message-ID | <CKGHv-P2-1@gated-at.bofh.it> |
| In reply to | #12274 |
Hi,

On Tuesday, 10.08.2021 at 22:00 +0200, Thorsten Glaser wrote:

[...]

> Markus, Emmanuel, are you going to update the backport to the
> latest version (9.0.43-3 or 9.0.43-3~deb11u1 once migrated)
> fixing the compile time problem (some constants for Java™ 15
> and newer are not defined yet) because the alternative is to
> request removal of the backport now and informing the users.

Currently I don't plan to update the bpo version of Tomcat 9 in Buster. If you prefer the latest updates then I'd suggest to focus on bullseye-backports from now on. I am not sure yet if the regression which I have fixed in 9.0.43-3 requires another security update for bullseye or buster at the moment, since an easy workaround is available and probably not many users are affected. I will monitor the situation though.

Regards,
Markus
| From | Thorsten Glaser <t.glaser@tarent.de> |
|---|---|
| Date | 2021-08-10 22:50 +0200 |
| Message-ID | <CKGRc-Su-1@gated-at.bofh.it> |
| In reply to | #12275 |
On Tue, 10 Aug 2021, Markus Koschany wrote:

> Currently I don't plan to update the bpo version of Tomcat 9 in Buster. If you
> prefer the latest updates then I'd suggest to focus on bullseye-backports from

I think you misunderstood the intention of this request.

Packages in $version-backports have to be up-to-date wrt. their corresponding packages from $(version+1), except small, not very user-visible, etc. changes.

In the case of security updates, this is even more important.

The person who uploaded the first backport basically agreed to keep the tomcat9 backport up-to-date over the lifetime of buster-backports, that is, to approximately 14/15ᵗʰ August 2022(!).

> now on. I am not sure yet if the regression which I have fixed in
> 9.0.43-3 requires another security update for bullseye or buster at
> the moment, since an easy workaround is available and probably not
> many users are affected. I will monitor the situation though.

Right.

However, if you’re not intending to update the buster backport, please file a removal request and inform the users (via the bpo mailing list) about this and the extant security issues in the version they have installed.

Thanks,
//mirabilos

ObPlug: http://www.mirbsd.org/~tg/Debs/dists/buster/lts/Pkgs/tomcat9/ is what I try to keep reasonably up to date. It also contains the sysvinit fixes. It’s built in a bullseye chroot though, and as such does NOT follow the bpo rules. It’s a works-for-me thing which one MAY use if they want, at their own risk.
| From | Markus Koschany <apo@debian.org> |
|---|---|
| Date | 2021-08-10 23:00 +0200 |
| Message-ID | <CKH0S-VD-5@gated-at.bofh.it> |
| In reply to | #12276 |
On Tuesday, 10.08.2021 at 22:47 +0200, Thorsten Glaser wrote:

> On Tue, 10 Aug 2021, Markus Koschany wrote:
>
> > Currently I don't plan to update the bpo version of Tomcat 9 in Buster. If you
> > prefer the latest updates then I'd suggest to focus on bullseye-backports from
>
> I think you misunderstood the intention of this request.
>
> Packages in $version-backports have to be up-to-date wrt.
> their corresponding packages from $(version+1), except
> small, not very user-visible, etc. changes.
>
> In the case of security updates, this is even more important.
>
> The person who uploaded the first backport basically agreed
> to keep the tomcat9 backport up-to-date over the lifetime of
> buster-backports, that is, to approximately 14/15ᵗʰ August 2022(!).
>
> > now on. I am not sure yet if the regression which I have fixed in
> > 9.0.43-3 requires another security update for bullseye or buster at
> > the moment, since an easy workaround is available and probably not
> > many users are affected. I will monitor the situation though.
>
> Right.
>
> However, if you’re not intending to update the buster backport,
> please file a removal request and inform the users (via the bpo
> mailing list) about this and the extant security issues in the
> version they have installed.

I have never uploaded tomcat9 to a debian-backports suite hence why I have only replied to the debian-java list. Obviously you should wait for Emmanuel's feedback before doing anything.

Regards,
Markus
| From | Thorsten Glaser <t.glaser@tarent.de> |
|---|---|
| Date | 2021-08-22 23:00 +0200 |
| Message-ID | <CP2Jr-6aE-1@gated-at.bofh.it> |
| In reply to | #12277 |
On Tue, 10 Aug 2021, Markus Koschany wrote:

> Obviously you should wait for Emmanuel's feedback before doing
> anything.

So… Emmanuel?

bye,
//mirabilos
| From | Markus Koschany <apo@debian.org> |
|---|---|
| Date | 2021-10-14 23:30 +0200 |
| Message-ID | <D8gsx-7NJ-7@gated-at.bofh.it> |
| In reply to | #12281 |
Hi backports team,

please remove tomcat9 from buster-backports because Emmanuel won't have the time to update the package for the next months and I don't intend to maintain it. My recommendation for all users of tomcat9 is to use the version in buster because it receives full security support. You also have the option to upgrade to bullseye.

Regards,
Markus
| From | Alexander Wirt <formorer@formorer.de> |
|---|---|
| Date | 2021-10-15 11:00 +0200 |
| Message-ID | <D8reh-7uC-7@gated-at.bofh.it> |
| In reply to | #12301 |
On Thu, Oct 14, 2021 at 11:23:01PM +0200, Markus Koschany wrote:

> Hi backports team,
>
> please remove tomcat9 from buster-backports because Emmanuel won't have the
> time to update the package for the next months and I don't intend to maintain
> it. My recommendation for all users of tomcat9 is to use the version in buster
> because it receives full security support. You also have the option to upgrade
> to bullseye.

Done

Alex