On Fri, May 26, 2023 at 12:10:18AM +0200, Markus Koschany wrote:
> First of all trapperkeeper-webserver-jetty9-clojure should add a
> build-dependency on logback to detect such regressions in advance.
>
> #1036250 is mainly a logback problem, not a tomcat problem. I still would like
> to hear Emmanuel's opinion. We still could revert to libtomcat9-java, if we
> don't find a solution though.
>
> The tomcatjss / dogtag-pki situation is simple too. If there is no way to make
> the application work with Tomcat 10, then there are three options:
>
> 1. Embed Tomcat 9 in your application by creating a standalone jar
>
> 2. Continue to use the current Tomcat 9 package as is but make sure that nobody
> else than dogtag-pki uses it. (Package descriptions should be adjusted, and the
> binary tomcat9 package should be probably removed too) Nobody should think that
> we support two major Tomcat versions.
>
> In any case the dogtag-pki maintainers must commit to at least three years of
> security support, web application + Tomcat 9. Otherwise this is pointless.
>
> 3. Remove dogtag-pki and tomcatjss from testing and prepare backports as soon
> as dogtag-pki and Co support Tomcat 10.

Can't we just do the pragmatic fix of updating src:tomcat9 to only ship
libtomcat9-java and libtomcat9-embed-java? The maintenance burden for
security updates lies within the server stack, the percentage of issues
affecting the libtomcat9-java binary packages as used by rdeps will be
small to none?

Cheers,
Moritz