Just FYI, on Gentoo we do not install or provide the examples by default. One must set the examples USE flag for examples to be installed. Because of such they were kinda moot issues for the recent security issues for us on Gentoo.
Most running TC in production, or actually using it for webapps etc., don't really care about the examples. Most times they are in the way IMHO; same goes for root default webapps, short of displaying a page after someone installs and starts Tomcat so they know it's up and running. Although there are many ways to determine that, requesting a default web page is only one. Seems in more cases than not the examples and default stuff are not used.

Examples IMHO surely can be shipped in their own binary release. Still included in source releases. Default webapp is up to you all. We install that by default atm, since people used to complain about getting a blank page from Tomcat. I got tired of saying blank != 404 :) So nothing can be a valid response.

Given that the examples have a known security issue, it does not seem logical to ship Tomcat binaries with the examples enabled, being as how a newb is likely the only one to use them. So they are also being subjected to a vulnerability right off the bat, despite it being a major/minor vulnerability. Do you all really want newbs exposed off the bat?

In that regard, separately bundled, or disabled in the binary release, would be the ideal ways to go IMHO.

--
William L. Thomson Jr.
Gentoo/Java