tomcat-dev mailing list archives

From: Anil Vijendran
Subject: Re: [PROPOSAL] New build targets for Tomcat
Date: Sat, 22 Jul 2000 00:29:42 GMT

-1 on removing JSP.
+1 on fixing the bug in Jasper.

JSP is as much part of the Jakarta project mission as Java Servlets are. Do you
want to change that? And why? 'Cos there is a security bug in Jasper?

A bug in the implementation -- whatever it is -- is just that. That can be
fixed, no problem. Try and contribute a fix if you can....

No need to get all personal (your other mails) and try to push your "JSP sucks"
agenda like this. Let the market decide which sucks and which doesn't.

Jon Stevens wrote:

> Hey all,
>
> Definitions:
> Tomcat - Servlet Engine
> Jasper - JSP Engine
>
> These recent security advisories on Bugtraq have me a bit worried. I'm
> worried that because of Jasper, people will view Tomcat as being insecure
> when it really is not Tomcat's fault. Essentially the crux of the advisories
> is that the implementation of JSP that comes with Tomcat is somewhat
> security hole prone, we are now up to 3 or 4 security advisories for Jasper,
> and zero for Tomcat itself.
>
> What I would like to do is simply be able to provide people with the ability
> to create a copy of Tomcat that does not have *any* support for JSP within
> it. This way, people who do not care to use JSP (like myself) can feel
> secure that any hole in Jasper will not compromise my server in any way. I
> am ok with the default continuing to be a distribution of Jasper+Tomcat. My
> goal here is simply providing options, not removing existing functionality.
>
> I think that this can be done fairly easily with more defined targets in the
> Ant build scripts.
>
> My proposal would be to break things up like this:
>
> Build only the necessary files for Tomcat itself:
> <target name="compile-tomcat">
>
> Build only the necessary files for JSP:
> <target name="compile-jsp">
>
> Package Tomcat for distribution sans JSP:
> <target name="package-tomcat">
>
> Package Tomcat for distribution with JSP:
> <target name="package-tomcat-jsp">
>
> The current "webapps" target would also be split up:
> <target name="webapps-servlets">
> <target name="webapps-jsp">
>
> Comments?
>
> -jon

Peace, Anil +<:-)
