----- Original Message ----- > From: "Dan Mashal" <dan.mashal@xxxxxxxxx> > To: "Development discussions related to Fedora" <devel@xxxxxxxxxxxxxxxxxxxxxxx> > Sent: Tuesday, March 12, 2013 9:34:24 PM > Subject: Re: tomcat6 unresponsive maintainer & deprecation > > On Tue, Mar 12, 2013 at 10:30 AM, Stanislav Ochotnicky > <sochotnicky@xxxxxxxxxx> wrote: > > Quoting Dan Mashal (2013-03-12 18:11:06) > >> On Tue, Mar 12, 2013 at 10:06 AM, yersinia > >> <yersinia.spiros@xxxxxxxxx> wrote: > >> > On Tue, Mar 12, 2013 at 6:05 PM, devzero2000 > >> > <pinto.elia@xxxxxxxxx> wrote: > >> >> > >> >> On Tue, Mar 12, 2013 at 4:28 PM, Stanislav Ochotnicky > >> >> <sochotnicky@xxxxxxxxxx> wrote: > >> >>> > >> >>> Quoting Kevin Fenzi (2013-03-12 15:53:56) > >> >>> > On Tue, 12 Mar 2013 13:49:22 +0100 > >> >>> > Stanislav Ochotnicky <sochotnicky@xxxxxxxxxx> wrote: > >> >>> > > >> >>> > > Tomcat6 package in Fedora is old, has several problematic > >> >>> > > bugs > >> >>> > > (including 4 security) and most importantly there's a > >> >>> > > replacement: > >> >>> > > tomcat-7.x > >> >>> > > > >> >>> > > I believe it is in our (developers as well as users) best > >> >>> > > interest to > >> >>> > > get rid of it. I have sent similar email to java-devel on > >> >>> > > February > >> >>> > > 26th[1], created another tomcat6 bugreport a week ago[2] > >> >>> > > but I wasn't > >> >>> > > successful in reaching David Knox (primary maintainer). > >> >>> > > > >> >>> > > Note that we already had a bugreport to migrate packages > >> >>> > > to > >> >>> > > tomcat-7[3] and we almost succeeded, but then new packages > >> >>> > > started > >> >>> > > creeping in with dependency on tomcat6. We need to get rid > >> >>> > > of it ASAP > >> >>> > > or we'll be fighting neverending battle. Even as > >> >>> > > comaintainer/provenpackager I cannot deprecate package > >> >>> > > that I do not > >> >>> > > own. > >> >>> > > > >> >>> > > I consider this point 4 of unresponsive maintainer > >> >>> > > process[4]. > >> >>> > > However due to security issues, and package being > >> >>> > > effectively dead I > >> >>> > > wouldn't mind speeding up the process. I might try to > >> >>> > > bring this up > >> >>> > > with FESCO, but process doesn't seem to include any wiggle > >> >>> > > room > >> >>> > > there. > >> >>> > > >> >>> > Feel free to file a fesco ticket and explain whats going on. > >> >>> Thanks, filed https://fedorahosted.org/fesco/ticket/1094 > >> >>> > >> >>> I believe the emails/bugzilla provides enough context but I'll > >> >>> also try > >> >>> to attend > >> >>> the FESCO meeting to answer any questions. > >> >> > >> >> > >> >> I have received this today > >> >> http://www.exploitthis.com/2013/03/rhsa-20130623-1-important-tomcat6-security-update.html. > >> >> > >> >> Dunno if useful. > >> >> > >> >> Best > >> >> > >> > > >> > > >> > -- > >> > devel mailing list > >> > devel@xxxxxxxxxxxxxxxxxxxxxxx > >> > https://admin.fedoraproject.org/mailman/listinfo/devel > >> > >> I actually tried to install tomcat6 last night on RHEL6.4 and was > >> having issues. Funny. > >> > >> Don't know if Fedora has the same release (haven't checked), but > >> this > >> is pretty important as I use tomcat at work. > >> > >> Could a proven packager take a look at it as well, (ASAP if it's a > >> security issue?). > > > > There's more of them (bugs), but please for the love of all that is > > holy...don't > > use tomcat6. Every single supported Fedora release has tomcat-7.x > > where Ivan > > Afonichev is doing pretty great work with updates/bugfixing > > (kudos). Use it. > > Forget tomcat6. > > > > Situation is different on RHEL of course, there the tomcat6 is > > still being > > actively maintained (and will be for whole life of the given > > release). > > > > -- > > Stanislav Ochotnicky <sochotnicky@xxxxxxxxxx> > > Software Engineer - Developer Experience > > > > PGP: 7B087241 > > Red Hat Inc. http://cz.redhat.com > > -- > > devel mailing list > > devel@xxxxxxxxxxxxxxxxxxxxxxx > > https://admin.fedoraproject.org/mailman/listinfo/devel > > Well I was using it on RHEL obviously. Are you saying we have both > tomcat6 and tomcat7 in Fedora? Why don't we just hand the package > ownership of tomcat6 over to Ivan then (after going through the > proper > processes)? I see 2 reasons: * Ivan haven't expressed such will - as neither you nor I can speak for himself until he decides whether he wants to do it and apply in pkgdb it's a non option * tomcat6 screws many things in the distro as a whole - even if someone picks it up tomcat6 would need to modified a lot to not provide unversioned servlet/jsp/etc. which is work that noone wants to do (at least noone yet) for old versions. Alexander Kurtakov Red Hat Eclipse team > > Dan > -- > devel mailing list > devel@xxxxxxxxxxxxxxxxxxxxxxx > https://admin.fedoraproject.org/mailman/listinfo/devel -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
