tomcat-dev mailing list archives

From "Craig R. McClanahan" <>
Subject Re: [ANNOUNCEMENT] Security Related Updates - Tomcat 3.1.1 and Tomcat 3.2.1
Date Thu, 14 Dec 2000 18:34:36 GMT
GOMEZ Henri wrote:

> >* This release fixes ***only*** the identified security vulnerabilities.
> >  It does not address any of the other bugs, or feature requests, related
> >  to Tomcat 3.2 final.  These issues will be dealt with in future
> >  maintenance releases of Tomcat 3.2 as appropriate.
> >
> Not totally true since there is also:
> * documentation updates
> * many fixes like ajp13 and multiple cookies ;-)

This raises an interesting policy issue that should be discussed.

In short, I think that packaging additional docs and fixes with your 3.2.1 RPMs
is very misleading to Tomcat users, because what you get is *not* the same as
what the "official" packages contain.

A far better service to the Tomcat community would be to do as you and I have
discussed before -- bring the RPM generation process into the official source
tree, create the RPMs that match the functionality of the tar/zip distros
(directory organization changes to meet platform conventions are fine -- bug
fixes that are not present in the official release are not), and publish them on
the Jakarta web site as official versions of Tomcat.

Henri, you are a committer on Tomcat -- could you please post the bug fixes and
doc improvements that you've included into the CVS repositories for the
appropriate Tomcat releases?  And, when your RPMs match the content of official
releases, post them on the Jakarta web site (it's on locus as well ... write me
separately for details)?  That way, everyone will benefit from them.

> Regards

