Emmanuel Seyman wrote:
> * Kevin Kofler via devel [13/11/2020 00:52] :
>>
>> The one that keeps getting brought up is Tomcat, but I can tell you from
>> my personal experience that the Fedora Tomcat package has always been
>> working just fine (not only as a build dependency, but for its intended
>> use as a web application server: I use it to locally test Java web
>> applications).
>
> I suspect this isn't sufficient a test to determine if a package is well
> maintained or not. At a minimum, you also need to look at CVEs for which
> fixes have not been pushed.

I see Tomcat CVE fixes getting pushed regularly, though I have not attempted
to quantify the exact time it takes for an upstream security fix to go out
to Fedora.

Kevin Kofler