tomcat6 unresponsive maintainer & deprecation

Aleksandar Kurtakov akurtako at redhat.com
Wed Mar 13 10:03:54 UTC 2013


----- Original Message -----
> From: "Dan Mashal" <dan.mashal at gmail.com>
> To: "Development discussions related to Fedora" <devel at lists.fedoraproject.org>
> Sent: Tuesday, March 12, 2013 9:34:24 PM
> Subject: Re: tomcat6 unresponsive maintainer & deprecation
> 
> On Tue, Mar 12, 2013 at 10:30 AM, Stanislav Ochotnicky
> <sochotnicky at redhat.com> wrote:
> > Quoting Dan Mashal (2013-03-12 18:11:06)
> >> On Tue, Mar 12, 2013 at 10:06 AM, yersinia
> >> <yersinia.spiros at gmail.com> wrote:
> >> > On Tue, Mar 12, 2013 at 6:05 PM, devzero2000
> >> > <pinto.elia at gmail.com> wrote:
> >> >>
> >> >> On Tue, Mar 12, 2013 at 4:28 PM, Stanislav Ochotnicky
> >> >> <sochotnicky at redhat.com> wrote:
> >> >>>
> >> >>> Quoting Kevin Fenzi (2013-03-12 15:53:56)
> >> >>> > On Tue, 12 Mar 2013 13:49:22 +0100
> >> >>> > Stanislav Ochotnicky <sochotnicky at redhat.com> wrote:
> >> >>> >
> >> >>> > > Tomcat6 package in Fedora is old, has several problematic
> >> >>> > > bugs
> >> >>> > > (including 4 security) and most importantly there's a
> >> >>> > > replacement:
> >> >>> > > tomcat-7.x
> >> >>> > >
> >> >>> > > I believe it is in our (developers as well as users) best
> >> >>> > > interest to
> >> >>> > > get rid of it. I have sent similar email to java-devel on
> >> >>> > > February
> >> >>> > > 26th[1], created another tomcat6 bugreport a week ago[2]
> >> >>> > > but I wasn't
> >> >>> > > successful in reaching David Knox (primary maintainer).
> >> >>> > >
> >> >>> > > Note that we already had a bugreport to migrate packages
> >> >>> > > to
> >> >>> > > tomcat-7[3] and we almost succeeded, but then new packages
> >> >>> > > started
> >> >>> > > creeping in with dependency on tomcat6. We need to get rid
> >> >>> > > of it ASAP
> >> >>> > > or we'll be fighting a never-ending battle. Even as
> >> >>> > > comaintainer/provenpackager I cannot deprecate package
> >> >>> > > that I do not
> >> >>> > > own.
> >> >>> > >
> >> >>> > > I consider this point 4 of unresponsive maintainer
> >> >>> > > process[4].
> >> >>> > > However due to security issues, and package being
> >> >>> > > effectively dead I
> >> >>> > > wouldn't mind speeding up the process. I might try to
> >> >>> > > bring this up
> >> >>> > > with FESCO, but process doesn't seem to include any wiggle
> >> >>> > > room
> >> >>> > > there.
> >> >>> >
> >> >>> > Feel free to file a fesco ticket and explain what's going on.
> >> >>> Thanks, filed https://fedorahosted.org/fesco/ticket/1094
> >> >>>
> >> >>> I believe the emails/bugzilla provides enough context but I'll
> >> >>> also try
> >> >>> to attend
> >> >>> the FESCO meeting to answer any questions.
> >> >>
> >> >>
> >> >> I have received this today
> >> >> http://www.exploitthis.com/2013/03/rhsa-20130623-1-important-tomcat6-security-update.html.
> >> >>
> >> >> Dunno if useful.
> >> >>
> >> >> Best
> >> >>
> >> >
> >> >
> >> > --
> >> > devel mailing list
> >> > devel at lists.fedoraproject.org
> >> > https://admin.fedoraproject.org/mailman/listinfo/devel
> >>
> >> I actually tried to install tomcat6 last night on RHEL6.4 and was
> >> having issues. Funny.
> >>
> >> Don't know if Fedora has the same release (haven't checked), but
> >> this
> >> is pretty important as I use tomcat at work.
> >>
> >> Could a proven packager take a look at it as well, (ASAP if it's a
> >> security issue?).
> >
> > There's more of them (bugs), but please for the love of all that is
> > holy...don't
> > use tomcat6. Every single supported Fedora release has tomcat-7.x
> > where Ivan
> > Afonichev is doing pretty great work with updates/bugfixing
> > (kudos). Use it.
> > Forget tomcat6.
> >
> > Situation is different on RHEL of course, there the tomcat6 is
> > still being
> > actively maintained (and will be for whole life of the given
> > release).
> >
> > --
> > Stanislav Ochotnicky <sochotnicky at redhat.com>
> > Software Engineer - Developer Experience
> >
> > PGP: 7B087241
> > Red Hat Inc.                               http://cz.redhat.com
> 
> Well I was using it on RHEL obviously. Are you saying we have both
> tomcat6 and tomcat7 in Fedora? Why don't we just hand the package
> ownership of tomcat6 over to Ivan then (after going through the
> proper
> processes)?

I see 2 reasons:
* Ivan hasn't expressed such will - as neither you nor I can speak for him, until he decides whether he wants to do it and applies in pkgdb it's a non-option
* tomcat6 screws many things in the distro as a whole - even if someone picks it up, tomcat6 would need to be modified a lot to not provide unversioned servlet/jsp/etc., which is work that no one wants to do (at least no one yet) for old versions.

Alexander Kurtakov
Red Hat Eclipse team

> 
> Dan

