Bug#1034824: tomcat9 should not be released with Bookworm
Paul Gevers
elbrus at debian.org
Fri May 26 08:23:29 BST 2023
Control: clone -1 -2 -3
Control: reassign -2 release-notes
Control: reassign -3 debian-security-support
Control: tag -1 bookworm-ignore
Hi,
On 26-05-2023 00:10, Markus Koschany wrote:
> #1036250 is mainly a logback problem, not a tomcat problem. I still would like
> to hear Emmanuel's opinion. We still could revert to libtomcat9-java, if we
> don't find a solution though.
I want the logback changes reverted and go back to tomcat9. We'll ship
two versions. We failed to remove tomcat9 properly and it's well past
the line where we can try more variant. Just like the apt/adduser
situation where we stopped experimenting, let's go back to the situation
we know and understand.
> The tomcatjss / dogtag-pki situation is simple too.
Small note, I don't like you framing the situation simple. The time
pressure is huge. The tomcat9 situation has drained a lot of energy
already, so no, it's not simple.
> If there is no way to make
> the application work with Tomcat 10, then there are three options:
> 2. Continue to use the current Tomcat 9 package as is but make sure that nobody
> else than dogtag-pki uses it. (Package descriptions should be adjusted, and the
> binary tomcat9 package should be probably removed too) Nobody should think that
> we support two major Tomcat versions.
I think we have no *reasonable* other option than to do that somewhat.
So let's make this clear in the release notes and in
debian-security-support. I propose something along these lines for the
release notes:
Although tomcat9 and tomcat9-user are shipped with bookworm next to
tomcat10 binaries, they are exclusively supported for use with
dogtag-pki. Users of dogtag-pki have to ensure they run the application
in a sufficiently trusted network.
Paul (and Salvatore)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 495 bytes
Desc: OpenPGP digital signature
URL: <http://alioth-lists.debian.net/pipermail/pkg-java-maintainers/attachments/20230526/466f8874/attachment-0001.sig>
More information about the pkg-java-maintainers
mailing list