On Sat, Jun 30, 2018 at 04:24:24PM +0200, Markus Koschany wrote: > Am 30.06.2018 um 04:00 schrieb Roberto C. Sánchez: > [...] > > Comments and suggestions are most welcome. > > I would suggest to fix the open CVE via patches for now. Being EOL does > not necessarily mean that we cannot backport fixes from the 8.5 branch > but at some point upgrading from 8.x to 8.5 might be the only viable > option. At the moment I recommend to refrain from marking Tomcat 8 EOL. > That makes sense. I have already prepared the necessary patches and I am now trying to ensure that the unit test failures I am seeing do not indicate a regression as a result from the patches I introduced.
I don't think that we need to make an EOL decision/announcement with any urgency at this point. However, it is sensible to at least have a discussion on it so that when the time comes it will not be the first discussion of it. Regards, -Roberto -- Roberto C. Sánchez
