Dimitris,
On 3/3/25 9:57 AM, Dimitris Soumis wrote:
On Sat, Mar 1, 2025 at 8:29 AM Christopher Schultz <
ch...@christopherschultz.net> wrote:
The proposed Apache Tomcat 10.1.37 release is now available for
voting.
All committers and PMC members are kindly requested to provide a vote if
possible. ANY TOMCAT USER MAY VOTE, though only PMC members' votes are
binding. We welcome non-committer votes or comments on release builds.
The notable changes compared to 10.1.36 are:
- Improve the checks for exposure to and protection against
CVE-2024-56337 so that reflection is not used unless required. The
checks for whether the file system is case sensitive or not have been
removed.
- Use Transfer-Encoding for compression rather than Content-Encoding if
the client submits a TE header containing gzip
- Add makensis as an option for building the Installer for Windows on
non-Windows platforms.
For full details, see the change log:
https://nightlies.apache.org/tomcat/tomcat-10.1.x/docs/changelog.html
Applications that run on Tomcat 9 and earlier will not run on Tomcat 10
without changes. Java EE applications designed for Tomcat 9 and earlier
may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat
will automatically convert them to Jakarta EE and copy them to the
webapps directory.
It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-10/v10.1.37/
The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1535
The tag is:
https://github.com/apache/tomcat/tree/10.1.37
https://github.com/apache/tomcat/commit/e4338ee7a3e0f22d85f7cb2e04dacee752eaa619
Please reply with a +1 for release or +0/-0/-1 with an explanation.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
+1 Build is reproducible and all tests pass on Fedora 41 with Java 21,
tcnative-2.0.8, apr-1.7.4, openssl-3.2.4.
However, the RSA key (3262A061C42FC4C7BBB5C25C1CF0293FA53CA458) used to
sign the release is still not present in the KEYS file.
This is what I get during validation of e.g. the .exe artifact:
$ gpg --verify --keyring ./apache-keys --no-default-keyring apache-tomcat-10.1.37.exe.asc apache-tomcat-10.1.37.exe
gpg: Signature made Sat Mar 1 01:00:52 2025 EST
gpg: using RSA key 3262A061C42FC4C7BBB5C25C1CF0293FA53CA458
gpg: Good signature from "Christopher Schultz <ch...@christopherschultz.net>" [ultimate]
gpg: aka "Christopher Schultz <cschu...@chadis.com>" [ultimate]
gpg: aka "Christopher Schultz <schu...@apache.org>" [ultimate]
gpg: aka "Christopher Schultz <christopher.schu...@alumni.rose-hulman.edu>" [ultimate]
$ echo $?
0
The apache-keys file is a proper GPG keyring imported using this command:
$ gpg --import --no-default-keyring --primary-keyring ./apache-keys < KEYS
The key I use to sign is a subkey of my main key. I believe I've been
using the same key to sign releases for a good long time.
But I do see that my signature on the Windows .exe binary is not quite
right. It fails using osslsigncode using my usual method :/
-chris
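
The fingerprint that gpg --verify reports in "using RSA key ..." is that of the key which made the signature, and that can be a signing subkey rather than the primary key a reader looks for in a KEYS file. The following is an added example, not part of the original thread: it maps a reported fingerprint to its owning primary key by parsing GnuPG colon-format output. The function names owning_primary and sample_listing are hypothetical, and the listing with its fingerprints is constructed sample data.

```shell
#!/bin/sh
# Added example: map a signing-key fingerprint to the primary key that owns it.
# Real input would come from the keyring built from KEYS, e.g.:
#   gpg --no-default-keyring --keyring ./apache-keys \
#       --with-colons --with-subkey-fingerprint --list-keys | owning_primary <FPR>
# Prints "<primary-fpr> <primary|subkey> <capabilities> <validity>".
# Exits 1 when the fingerprint is not in the listing at all.
owning_primary() {
    awk -F: -v want="$1" '
        # Field 2 is validity (u, f, e=expired, r=revoked), field 12 capabilities.
        $1 == "pub" { kind = "primary"; caps = $12; val = $2; next }
        $1 == "sub" { kind = "subkey";  caps = $12; val = $2; next }
        # An fpr record carries the fingerprint (field 10) of the key record before it.
        $1 == "fpr" {
            if (kind == "primary") primary = $10
            if (toupper($10) == toupper(want)) {
                print primary, kind, caps, (val == "" ? "-" : val)
                found = 1
                exit
            }
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed colon listing: one primary key, one signing subkey, one expired
# encryption subkey. All key IDs and fingerprints are placeholders.
sample_listing() {
cat <<'EOF'
tru::1:1740000000:0:3:1:5
pub:u:4096:1:AAAAAAAAAAAAAAAA:1300000000:::u:::scESC::::::23::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:u::::1300000000::0123456789ABCDEF0123456789ABCDEF01234567::Example Signer <signer@example.invalid>::::::::::0:
sub:u:4096:1:BBBBBBBBBBBBBBBB:1400000000::::::s::::::23:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:
sub:e:4096:1:CCCCCCCCCCCCCCCC:1300000000:1400000000:::::e::::::23:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC:
EOF
}

# Demo: the signing subkey resolves to its primary key.
sample_listing | owning_primary BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
```

A result of "subkey" with capability "s" and a non-expired, non-revoked validity means the signature was made by a signing subkey of a key that is in the keyring, even though a search of the KEYS text for that fingerprint finds nothing.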