Quoting Kevin Fenzi (2013-03-12 15:53:56)

On Tue, 12 Mar 2013 13:49:22 +0100 Stanislav Ochotnicky sochotnicky@redhat.com wrote:

...

Tomcat6 package in Fedora is old, has several problematic bugs (including 4 security) and most importantly there's a replacement: tomcat-7.x

I believe it is in our (developers as well as users) best interest to get rid of it. I have sent similar email to java-devel on February 26th[1], created another tomcat6 bugreport a week ago[2] but I wasn't successful in reaching David Knox (primary maintainer).

Note that we already had a bugreport to migrate packages to tomcat-7[3] and we almost succeeded, but then new packages started creeping in with dependency on tomcat6. We need to get rid of it ASAP or we'll be fighting neverending battle. Even as comaintainer/provenpackager I cannot deprecate package that I do not own.

I consider this point 4 of unresponsive maintainer process[4]. However due to security issues, and package being effectively dead I wouldn't mind speeding up the process. I might try to bring this up with FESCO, but process doesn't seem to include any wiggle room there.

Feel free to file a fesco ticket and explain whats going on.

Thanks, filed https://fedorahosted.org/fesco/ticket/1094

I believe the emails/bugzilla provides enough context but I'll also try to attend the FESCO meeting to answer any questions.

On Tue, Mar 12, 2013 at 6:05 PM, devzero2000 pinto.elia@gmail.com wrote:

On Tue, Mar 12, 2013 at 4:28 PM, Stanislav Ochotnicky < sochotnicky@redhat.com> wrote:

...

Quoting Kevin Fenzi (2013-03-12 15:53:56)

...

On Tue, 12 Mar 2013 13:49:22 +0100 Stanislav Ochotnicky sochotnicky@redhat.com wrote:

...

Tomcat6 package in Fedora is old, has several problematic bugs (including 4 security) and most importantly there's a replacement: tomcat-7.x

I believe it is in our (developers as well as users) best interest to get rid of it. I have sent similar email to java-devel on February 26th[1], created another tomcat6 bugreport a week ago[2] but I wasn't successful in reaching David Knox (primary maintainer).

Note that we already had a bugreport to migrate packages to tomcat-7[3] and we almost succeeded, but then new packages started creeping in with dependency on tomcat6. We need to get rid of it ASAP or we'll be fighting neverending battle. Even as comaintainer/provenpackager I cannot deprecate package that I do not own.

I consider this point 4 of unresponsive maintainer process[4]. However due to security issues, and package being effectively dead I wouldn't mind speeding up the process. I might try to bring this up with FESCO, but process doesn't seem to include any wiggle room there.

Feel free to file a fesco ticket and explain whats going on.

Thanks, filed https://fedorahosted.org/fesco/ticket/1094

I believe the emails/bugzilla provides enough context but I'll also try to attend the FESCO meeting to answer any questions.

I have received this today http://www.exploitthis.com/2013/03/rhsa-20130623-1-important-tomcat6-securit... .

Dunno if useful.

Best

Quoting Dan Mashal (2013-03-12 18:11:06)

On Tue, Mar 12, 2013 at 10:06 AM, yersinia yersinia.spiros@gmail.com wrote:

...

On Tue, Mar 12, 2013 at 6:05 PM, devzero2000 pinto.elia@gmail.com wrote:

...

On Tue, Mar 12, 2013 at 4:28 PM, Stanislav Ochotnicky sochotnicky@redhat.com wrote:

...

Quoting Kevin Fenzi (2013-03-12 15:53:56)

...

On Tue, 12 Mar 2013 13:49:22 +0100 Stanislav Ochotnicky sochotnicky@redhat.com wrote:

...

Tomcat6 package in Fedora is old, has several problematic bugs (including 4 security) and most importantly there's a replacement: tomcat-7.x

I believe it is in our (developers as well as users) best interest to get rid of it. I have sent similar email to java-devel on February 26th[1], created another tomcat6 bugreport a week ago[2] but I wasn't successful in reaching David Knox (primary maintainer).

Note that we already had a bugreport to migrate packages to tomcat-7[3] and we almost succeeded, but then new packages started creeping in with dependency on tomcat6. We need to get rid of it ASAP or we'll be fighting neverending battle. Even as comaintainer/provenpackager I cannot deprecate package that I do not own.

I consider this point 4 of unresponsive maintainer process[4]. However due to security issues, and package being effectively dead I wouldn't mind speeding up the process. I might try to bring this up with FESCO, but process doesn't seem to include any wiggle room there.

Feel free to file a fesco ticket and explain whats going on.

Thanks, filed https://fedorahosted.org/fesco/ticket/1094

I believe the emails/bugzilla provides enough context but I'll also try to attend the FESCO meeting to answer any questions.

I have received this today http://www.exploitthis.com/2013/03/rhsa-20130623-1-important-tomcat6-securit....

Dunno if useful.

Best

-- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel

I actually tried to install tomcat6 last night on RHEL6.4 and was having issues. Funny.

Don't know if Fedora has the same release (haven't checked), but this is pretty important as I use tomcat at work.

Could a proven packager take a look at it as well, (ASAP if it's a security issue?).

There's more of them (bugs), but please for the love of all that is holy...don't use tomcat6. Every single supported Fedora release has tomcat-7.x where Ivan Afonichev is doing pretty great work with updates/bugfixing (kudos). Use it. Forget tomcat6.

Situation is different on RHEL of course, there the tomcat6 is still being actively maintained (and will be for whole life of the given release).

----- Original Message -----

From: "Dan Mashal" dan.mashal@gmail.com To: "Development discussions related to Fedora" devel@lists.fedoraproject.org Sent: Tuesday, March 12, 2013 9:34:24 PM Subject: Re: tomcat6 unresponsive maintainer & deprecation

On Tue, Mar 12, 2013 at 10:30 AM, Stanislav Ochotnicky sochotnicky@redhat.com wrote:

...

Quoting Dan Mashal (2013-03-12 18:11:06)

...

On Tue, Mar 12, 2013 at 10:06 AM, yersinia yersinia.spiros@gmail.com wrote:

...

On Tue, Mar 12, 2013 at 6:05 PM, devzero2000 pinto.elia@gmail.com wrote:

...

On Tue, Mar 12, 2013 at 4:28 PM, Stanislav Ochotnicky sochotnicky@redhat.com wrote:

...

Quoting Kevin Fenzi (2013-03-12 15:53:56) > On Tue, 12 Mar 2013 13:49:22 +0100 > Stanislav Ochotnicky sochotnicky@redhat.com wrote: > > > Tomcat6 package in Fedora is old, has several problematic > > bugs > > (including 4 security) and most importantly there's a > > replacement: > > tomcat-7.x > > > > I believe it is in our (developers as well as users) best > > interest to > > get rid of it. I have sent similar email to java-devel on > > February > > 26th[1], created another tomcat6 bugreport a week ago[2] > > but I wasn't > > successful in reaching David Knox (primary maintainer). > > > > Note that we already had a bugreport to migrate packages > > to > > tomcat-7[3] and we almost succeeded, but then new packages > > started > > creeping in with dependency on tomcat6. We need to get rid > > of it ASAP > > or we'll be fighting neverending battle. Even as > > comaintainer/provenpackager I cannot deprecate package > > that I do not > > own. > > > > I consider this point 4 of unresponsive maintainer > > process[4]. > > However due to security issues, and package being > > effectively dead I > > wouldn't mind speeding up the process. I might try to > > bring this up > > with FESCO, but process doesn't seem to include any wiggle > > room > > there. > > Feel free to file a fesco ticket and explain whats going on. Thanks, filed https://fedorahosted.org/fesco/ticket/1094

I believe the emails/bugzilla provides enough context but I'll also try to attend the FESCO meeting to answer any questions.

I have received this today http://www.exploitthis.com/2013/03/rhsa-20130623-1-important-tomcat6-securit....

Dunno if useful.

Best

-- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel

I actually tried to install tomcat6 last night on RHEL6.4 and was having issues. Funny.

Don't know if Fedora has the same release (haven't checked), but this is pretty important as I use tomcat at work.

Could a proven packager take a look at it as well, (ASAP if it's a security issue?).

There's more of them (bugs), but please for the love of all that is holy...don't use tomcat6. Every single supported Fedora release has tomcat-7.x where Ivan Afonichev is doing pretty great work with updates/bugfixing (kudos). Use it. Forget tomcat6.

Situation is different on RHEL of course, there the tomcat6 is still being actively maintained (and will be for whole life of the given release).

-- Stanislav Ochotnicky sochotnicky@redhat.com Software Engineer - Developer Experience

PGP: 7B087241 Red Hat Inc. http://cz.redhat.com -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel

Well I was using it on RHEL obviously. Are you saying we have both tomcat6 and tomcat7 in Fedora? Why don't we just hand the package ownership of tomcat6 over to Ivan then (after going through the proper processes)?

I see 2 reasons: * Ivan haven't expressed such will - as neither you nor I can speak for himself until he decides whether he wants to do it and apply in pkgdb it's a non option * tomcat6 screws many things in the distro as a whole - even if someone picks it up tomcat6 would need to modified a lot to not provide unversioned servlet/jsp/etc. which is work that noone wants to do (at least noone yet) for old versions.

Alexander Kurtakov Red Hat Eclipse team

Dan

devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel