Mark,

On 6/24/24 08:14, Mark Thomas wrote:
> On 21/06/2024 15:35, Dimitris Soumis wrote:
>> Hi all,
>>
>> I hope this message finds you well. I am writing to seek
>> clarifications and provide some suggestions regarding the Tomcat
>> Native binary distributions.
>>
>> Firstly, I have noticed that openssl.exe is included in the Tomcat
>> Native binary distributions. It appears that the .dll file is
>> sufficient for the component to function correctly. Thus, my
>> question is why is openssl.exe included in the distribution? If
>> openssl.exe is not essential, it might be worth considering its
>> removal from the distribution to minimize the vulnerability
>> footprint.
>
> Its inclusion predates me acting as release manager for Tomcat Native.
> If I had to guess, I'd guess that it was included so folks on Windows
> had an OpenSSL binary to use to work with keys, certificates, signing
> requests etc.

+1

>> Secondly, I observed that Tomcat Native 1.3.0 does not include the
>> .pdb file, which is present in version 2.0.7. I would like to
>> confirm if this is intentional.
>
> No. That looks like an oversight.

I feel like I've been told that providing "a debug version" of our .DLL
files "was impossible" for #reasons. Would including the .PDB file
actually improve anything for downstream users?

>> Additionally, Tomcat Native 1.3.0 contains a deprecated VERSIONS file.
>
> Could you be more specific about this?
>
>> I would also like to suggest pruning the "Building" and "Running
>> the tests" sections in the README.txt for both versions. These
>> sections are not applicable to the binary distribution and their
>> exclusion could make the documentation more concise and
>> user-friendly.
>
> I think separate README files for source and binary will be more work
> to manage and also more error prone. It might be simpler to mark
> those sections with "(source distribution only)" or similar.

What would really make more sense would be to clean up the whole source
tree. It's still pretending that there is some significant Java portion
of the project. Any time I check it out of revision-control or download
a source distro, I *always* cd directly to tcnative/native and never do
anything at all in tcnative/(root).

The current tests are practically useless. They do confirm that tcnative
is being loaded, but not much else.

I would love to have a proper test-harness for the non-Java components
e.g. "make test" but maybe all we would really be testing would be
plumbing, so ironically adding more Java code is the better solution.

Thoughts?

>> Lastly, I noticed a minor issue: the NOTICE file for both releases
>> contains an outdated copyright date.
>
> Could you be more specific? The NOTICE file in both tags looks to have
> the correct date.

-chris