tomcat-dev mailing list archives

From Costin Manolache <cmanola...@yahoo.com>
Subject Re: [VOTE] minimal JSR 154 only distribution
Date Tue, 10 Dec 2002 23:15:57 GMT
<rant mode>

I don't know why people have the impression that they need 
support or some special motivation when voting on a proposal.

Yes - your admin tool argument doesn't make sense. You can easily
precompile the admintool ( and we should do it anyway ) and
run it in the JSR154-only container - if you want to. And I don't
think including it in the minimal is a good idea either ( if it 
can run without it, then it shouldn't be in "minimal" ).

The vote was about creating a separate distribution of tomcat 
with certain content. You can vote +1 or -1 if you want to
influence the result, or -0 or +0 if you don't want
to change the result, but still want to say you agree or not.

If you had a bad dream about it last night or you feel it will
confuse users or whatever - it doesn't matter, this is 
not a veto but a majority decision on a proposal.  

And a +1 doesn't mean ( in this case ) that you'll have to help.
It has this meaning ( in tomcat at least ) only on the final
vote to release. A +1 only means that you feel it is a good idea
and will make tomcat better.

Has everyone lost interest in tomcat and doesn't care what happens ?
This open source stuff and majority vote and so on doesn't work
if people don't participate. I can understand that we all have little
time - but at least read the proposals ( marked with [VOTE] or [PROPOSAL]
so you can set your mailer and ignore everything else ) and send your
opinion. A simple +-1, +-0 is enough and shouldn't consume that much time.

One concern I had about Jon's proposal is the tensions it may create
among committers, and especially those that work or use jasper. If their
answer is "we don't give a damn about tomcat releases" - then I'm wrong. My 
other concern is that users will be confused if they have N downloads to 
choose from, and our efforts on documenting and testing will be diluted if
we have N releases each with 3 people working on them. 


Costin


Jeanfrancois Arcand wrote:

> OK, seems I don't have any support to stay with my -1 (seems nobody
> cares about the AdminTool argument :-)). So I will change my mind and
> vote 0.
> 
> -- Jeanfrancois
> 
> Pier Fumagalli wrote:
> 
>>On 10/12/02 0:30 "Jeanfrancois Arcand" <jfarcand@apache.org> wrote:
>>
>>  
>>
>>>>Now, don't tell me that ALL that collection of cruft doesn't have a
>>>>bug... It's just that we are lucky and no one found them yet (given
>>>>enough eyes... Linus says)...
>>>>
>>>>      
>>>>
>>>I never said that and I will never say that. But at least I have tried
>>>during the Security Audit to fix some of the obvious ones. Still Tomcat
>>>is probably not secure enough (and will never be).  My point is if you
>>>are aware of such obvious ones, then let me know and I will fix them.
>>>    
>>>
>>
>>You said (quote) "Jasper/AdminTool/etc. are secure"... That's a pretty
>>bold statement.
>>
>>From my experience, security audits and stuff are all right, until someone
>>doesn't call up at 3 AM saying "the server is down because of a DOS"...
>>Nah, I don't like being woken up in the middle of the night...
>>
>>  
>>
>>>But I don't think Tomcat is more secure without JSP.... I know, I know,
>>>what I think you don't care :-)
>>>    
>>>
>>
>>The bible (for us Sun customers, _your_ customers):
>>
>><http://wwws.sun.com/software/security/blueprints/#minimum>
>>
>>  
>>
>>>"Solaris Operating Environment Minimization for Security: A Simple,
>>>Reproducible and Secure Application Installation Methodology
>>>- Updated for the Solaris 8 Operating Environment"
>>>- November 2000
>>>- by Alex Noordergraaf
>>>
>>>Discusses the process of minimizing an installation of the Solaris
>>>Operating Environment. Minimization is the process of removing all
>>>unnecessary components and services from the Solaris software to reduce
>>>system vulnerabilities. Also introduces a simple technique for
>>>replicating these types of installations across a large number of
>>>systems.
>>>    
>>>
>>
>>_YOUR_ security folks taught me that... Go and talk to them, they're down
>>in SCA-7 if I'm not wrong... Paranoia is an irreversible process for us on
>>the line-of-fire.
>>
>>  
>>
>>>>To sum up: rule of the thumb #3, less code, less bugs (you folks from
>>>>Sun preach that all over your Solaris Blueprints stuff, I learnt it when
>>>>your employer was paying my salary).
>>>>
>>>>      
>>>>
>>>Wow, didn't know that... I've missed the chance to work with you :-)
>>>    
>>>
>>
>>Don't worry, you would have _hated_ working with me (and proudly keeping
>>up my record of being the most hated freak on the planet).
>>
>>  
>>
>>>I should study my Tomcat history and learn who is doing what, what
>>>biases he/she has, and then vote appropriately.
>>>    
>>>
>>
>>Oh, no, I got paranoid after I left Sun and started working on the other
>>side of the barricade... Trying to use in production what I was coding
>>earlier... :-)
>>
>>  
>>
>>>>So, please, don't come up on a mailing list saying "that is secure",
>>>>just say that "no one has found a bug yet", because that (and only that)
>>>>is the truth...
>>>>
>>>>      
>>>>
>>>I agree my wording was not appropriate. Should say that in french next
>>>time :-)
>>>    
>>>
>>
>>Pas de problemes (where are the accents on this keyboard?)
>>
>>    Pier
>>
>>
>>--
>>To unsubscribe, e-mail:  
>><mailto:tomcat-dev-unsubscribe@jakarta.apache.org> For additional
>>commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>
>>
>>
>>  
>>



