tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William L. Thomson Jr." <>
Subject Re: Removing the examples (JSP/servlet) in TC Binaries
Date Mon, 09 Jul 2007 17:06:33 GMT
Just FYI, on Gentoo we do not install or provide the examples by
default. One must set the examples USE flag for examples to be
installed. Because of such they were kinda moot issues for the recent
security issues for us on Gentoo.

Most running TC in production, or are actually using it for webapps and
etc don't really care about the examples. Most times they are in the way
IMHO, same goes for root default webapps. Short of displaying a page
after someone installs and starts Tomcat so they know it's up and
running. Although there are many ways to determine that, requesting a
default web page is only one.

Seems in more cases than not the examples and default stuff is not used.
Examples IMHO surely can be shipped in their own binary release. Still
included in source releases. Default webapp is up to you all. We install
that by default atm, since people used to complain about getting a blank
page from Tomcat. I got tired of saying blank != 404 :) So nothing can
be a valid response.

Given that the examples have a known security issue. It does not seem
logical to ship Tomcat binaries with the examples enabled. Being as how
a newb is likely the only one to use them. So they are also being
subjected to a vulnerability right off the bat. Despite it being a
major/minor vulnerability. Do you all really want newbs exposed off the

In that regard, separate bundled, or disabled in binary release would be
the ideal ways to go IMHO.

William L. Thomson Jr.

View raw message