tomcat6 unresponsive maintainer & deprecation
Dan Mashal
dan.mashal at gmail.com
Tue Mar 12 19:34:24 UTC 2013
On Tue, Mar 12, 2013 at 10:30 AM, Stanislav Ochotnicky
<sochotnicky at redhat.com> wrote:
> Quoting Dan Mashal (2013-03-12 18:11:06)
>> On Tue, Mar 12, 2013 at 10:06 AM, yersinia <yersinia.spiros at gmail.com> wrote:
>> > On Tue, Mar 12, 2013 at 6:05 PM, devzero2000 <pinto.elia at gmail.com> wrote:
>> >>
>> >> On Tue, Mar 12, 2013 at 4:28 PM, Stanislav Ochotnicky
>> >> <sochotnicky at redhat.com> wrote:
>> >>>
>> >>> Quoting Kevin Fenzi (2013-03-12 15:53:56)
>> >>> > On Tue, 12 Mar 2013 13:49:22 +0100
>> >>> > Stanislav Ochotnicky <sochotnicky at redhat.com> wrote:
>> >>> >
>> >>> > > Tomcat6 package in Fedora is old, has several problematic bugs
>> >>> > > (including 4 security) and most importantly there's a replacement:
>> >>> > > tomcat-7.x
>> >>> > >
>> >>> > > I believe it is in our (developers as well as users) best interest to
>> >>> > > get rid of it. I have sent similar email to java-devel on February
>> >>> > > 26th[1], created another tomcat6 bugreport a week ago[2] but I wasn't
>> >>> > > successful in reaching David Knox (primary maintainer).
>> >>> > >
>> >>> > > Note that we already had a bugreport to migrate packages to
>> >>> > > tomcat-7[3] and we almost succeeded, but then new packages started
>> >>> > > creeping in with dependency on tomcat6. We need to get rid of it ASAP
>> >>> > > or we'll be fighting neverending battle. Even as
>> >>> > > comaintainer/provenpackager I cannot deprecate package that I do not
>> >>> > > own.
>> >>> > >
>> >>> > > I consider this point 4 of unresponsive maintainer process[4].
>> >>> > > However due to security issues, and package being effectively dead I
>> >>> > > wouldn't mind speeding up the process. I might try to bring this up
>> >>> > > with FESCO, but process doesn't seem to include any wiggle room
>> >>> > > there.
>> >>> >
>> >>> > Feel free to file a fesco ticket and explain whats going on.
>> >>> Thanks, filed https://fedorahosted.org/fesco/ticket/1094
>> >>>
>> >>> I believe the emails/bugzilla provides enough context but I'll also try
>> >>> to attend
>> >>> the FESCO meeting to answer any questions.
>> >>
>> >>
>> >> I have received this today
>> >> http://www.exploitthis.com/2013/03/rhsa-20130623-1-important-tomcat6-security-update.html.
>> >>
>> >> Dunno if useful.
>> >>
>> >> Best
>> >>
>> >
>> >
>> > --
>> > devel mailing list
>> > devel at lists.fedoraproject.org
>> > https://admin.fedoraproject.org/mailman/listinfo/devel
>>
>> I actually tried to install tomcat6 last night on RHEL6.4 and was
>> having issues. Funny.
>>
>> Don't know if Fedora has the same release (haven't checked), but this
>> is pretty important as I use tomcat at work.
>>
>> Could a proven packager take a look at it as well, (ASAP if it's a
>> security issue?).
>
> There's more of them (bugs), but please for the love of all that is holy...don't
> use tomcat6. Every single supported Fedora release has tomcat-7.x where Ivan
> Afonichev is doing pretty great work with updates/bugfixing (kudos). Use it.
> Forget tomcat6.
>
> Situation is different on RHEL of course, there the tomcat6 is still being
> actively maintained (and will be for whole life of the given release).
>
> --
> Stanislav Ochotnicky <sochotnicky at redhat.com>
> Software Engineer - Developer Experience
>
> PGP: 7B087241
> Red Hat Inc. http://cz.redhat.com
> --
> devel mailing list
> devel at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/devel
Well I was using it on RHEL obviously. Are you saying we have both
tomcat6 and tomcat7 in Fedora? Why don't we just hand the package
ownership of tomcat6 over to Ivan then (after going through the proper
processes)?
Dan
More information about the devel
mailing list