[tomcat] branch main updated: Update migration tool for Jakarta EE version in IDE config files

2022-08-09 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
 new 907246fb5a Update migration tool for Jakarta EE version in IDE config 
files
907246fb5a is described below

commit 907246fb5ad57638877634bde6f3c45144108fa1
Author: thomasma 
AuthorDate: Tue Aug 9 08:54:02 2022 +0100

Update migration tool for Jakarta EE version in IDE config files
---
 res/ide-support/eclipse/eclipse.classpath | 2 +-
 res/ide-support/idea/tomcat.iml   | 2 +-
 res/ide-support/netbeans/project.xml  | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/res/ide-support/eclipse/eclipse.classpath 
b/res/ide-support/eclipse/eclipse.classpath
index 3801d98fbd..f1fec33982 100644
--- a/res/ide-support/eclipse/eclipse.classpath
+++ b/res/ide-support/eclipse/eclipse.classpath
@@ -30,7 +30,7 @@
 
 
 
-
+
 
 
 
diff --git a/res/ide-support/idea/tomcat.iml b/res/ide-support/idea/tomcat.iml
index ec21001522..e38b6557d2 100644
--- a/res/ide-support/idea/tomcat.iml
+++ b/res/ide-support/idea/tomcat.iml
@@ -122,7 +122,7 @@
 
   
 
-  
+  
 
 
 
diff --git a/res/ide-support/netbeans/project.xml 
b/res/ide-support/netbeans/project.xml
index 22f820b42e..273f05dc15 100644
--- a/res/ide-support/netbeans/project.xml
+++ b/res/ide-support/netbeans/project.xml
@@ -178,7 +178,7 @@
 -->
 
 java
-${base.path}/jaxrpc-1.1-rc4/geronimo-spec-jaxrpc-1.1-rc4.jar:${base.path}/wsdl4j-1.6.3/wsdl4j-1.6.3.jar:${base.path}/ecj-4.23/ecj-4.23.jar:${base.path}/bnd-6.3.1/biz.aQute.bnd-6.3.1.jar:${base.path}/migration-1.0.0/jakartaee-migration-1.0.0-shaded.jar:${ant.includes}/
+${base.path}/jaxrpc-1.1-rc4/geronimo-spec-jaxrpc-1.1-rc4.jar:${base.path}/wsdl4j-1.6.3/wsdl4j-1.6.3.jar:${base.path}/ecj-4.23/ecj-4.23.jar:${base.path}/bnd-6.3.1/biz.aQute.bnd-6.3.1.jar:${base.path}/migration-1.0.1/jakartaee-migration-1.0.1-shaded.jar:${ant.includes}/
 1.7
 
 
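Review bot: the `+` line in res/ide-support/netbeans/project.xml hard-codes the new version twice in one path (`migration-1.0.1/jakartaee-migration-1.0.1-shaded.jar`), and the diffstat shows the same bump made by hand in eclipse.classpath and tomcat.iml. Three hand-edited copies can drift the next time the migration tool is updated. Consider saying in the commit message which build setting these files mirror, or adding a build-time check that the IDE files agree with it.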


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[tomcat] branch 10.0.x updated: Update migration tool for Jakarta EE version in IDE config files

2022-08-09 Thread markt
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 10.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/10.0.x by this push:
 new 774affcf3d Update migration tool for Jakarta EE version in IDE config 
files
774affcf3d is described below

commit 774affcf3de2697c834e1e6109891663331097e9
Author: thomasma 
AuthorDate: Tue Aug 9 08:54:02 2022 +0100

Update migration tool for Jakarta EE version in IDE config files
---
 res/ide-support/eclipse/eclipse.classpath | 2 +-
 res/ide-support/idea/tomcat.iml   | 2 +-
 res/ide-support/netbeans/project.xml  | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/res/ide-support/eclipse/eclipse.classpath 
b/res/ide-support/eclipse/eclipse.classpath
index b6f99c98d9..e1401d908a 100644
--- a/res/ide-support/eclipse/eclipse.classpath
+++ b/res/ide-support/eclipse/eclipse.classpath
@@ -30,7 +30,7 @@
 
 
 
-
+
 
 
 
diff --git a/res/ide-support/idea/tomcat.iml b/res/ide-support/idea/tomcat.iml
index 22286b2102..32469e1e4f 100644
--- a/res/ide-support/idea/tomcat.iml
+++ b/res/ide-support/idea/tomcat.iml
@@ -122,7 +122,7 @@
 
   
 
-  
+  
 
 
 
diff --git a/res/ide-support/netbeans/project.xml 
b/res/ide-support/netbeans/project.xml
index c68daef4aa..41a0910f02 100644
--- a/res/ide-support/netbeans/project.xml
+++ b/res/ide-support/netbeans/project.xml
@@ -178,7 +178,7 @@
 -->
 
 java
-${base.path}/jaxrpc-1.1-rc4/geronimo-spec-jaxrpc-1.1-rc4.jar:${base.path}/wsdl4j-1.6.3/wsdl4j-1.6.3.jar:${base.path}/ecj-4.20/ecj-4.20.jar:${base.path}/bnd-6.3.1/biz.aQute.bnd-6.3.1.jar:${base.path}/migration-1.0.0/jakartaee-migration-1.0.0-shaded.jar:${ant.includes}/
+${base.path}/jaxrpc-1.1-rc4/geronimo-spec-jaxrpc-1.1-rc4.jar:${base.path}/wsdl4j-1.6.3/wsdl4j-1.6.3.jar:${base.path}/ecj-4.20/ecj-4.20.jar:${base.path}/bnd-6.3.1/biz.aQute.bnd-6.3.1.jar:${base.path}/migration-1.0.1/jakartaee-migration-1.0.1-shaded.jar:${ant.includes}/
 1.7
 
 
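Review bot: on this branch the unchanged part of the netbeans classpath line still reads `ecj-4.20/ecj-4.20.jar`, where the same line in the main-branch commit shows `ecj-4.23`. If 10.0.x is meant to stay on that compiler version, nothing needs changing. Since this commit is a straight copy of the main change, it is worth confirming that only the `migration-1.0.0` to `migration-1.0.1` part was meant to move here.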





Re: [VOTE] Release Apache Tomcat 8.5.82

2022-08-09 Thread Christopher Schultz

All,

On 8/8/22 18:15, Christopher Schultz wrote:

The proposed Apache Tomcat 8.5.82 release is now available for voting.

The notable changes compared to 8.5.81 are:

  - Update the packaged version of the Tomcat Native Library to 1.2.35 to
    pick up Windows binaries built with OpenSSL 1.1.1q.

  - Enable the use of the FIPS provider for TLS enabled Connectors when
    using Tomcat Native 1.2.34 onwards built with OpenSSL 3.0.x onwards.

  - Improvements to HTTP/2 header handling.

  - Fix CVE-2022-34305, a low severity XSS vulnerability in the
    Form authentication example.

Along with lots of other bug fixes and improvements.

For full details, see the changelog:
https://nightlies.apache.org/tomcat/tomcat-8.5.x/docs/changelog.html

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-8/v8.5.82/
The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1385
The tag is:
https://github.com/apache/tomcat/tree/8.5.82/
237076605ea6b44ec7b97ee1158d5aa7f2f0b53c

The proposed 8.5.82 release is:
[ ] Broken - do not release
[X] Stable - go ahead and release as 8.5.82 (stable)


Works with a vanilla application in a development environment.

Notes on the "details" below:

1. The "Signature verification failed" for the Windows binary is due to 
a misconfiguration of osslsigncode on the server I used to run my tests. 
I have corrected that and verified that the Windows binary is 
properly-signed.


2. The failures for the PEMFile tests are due to a bug in the JVM which 
has been fixed in Java 1.8.0-8u301 while the version used for testing 
here is 1.8.0-8u292.


Details:
* Environment
*  Java (build): openjdk version "1.8.0_292" OpenJDK Runtime 
Environment (build 1.8.0_292-8u292-b10-0+deb9u1-b10) OpenJDK 64-Bit 
Server VM (build 25.292-b10, mixed mode)
*  Java (test): openjdk version "1.8.0_292" OpenJDK Runtime 
Environment (build 1.8.0_292-8u292-b10-0+deb9u1-b10) OpenJDK 64-Bit 
Server VM (build 25.292-b10, mixed mode)

*  OS:   Linux 5.10.0-14-amd64 x86_64
*  cc:   cc (Debian 10.2.1-6) 10.2.1 20210110
*  make: GNU Make 4.3
*  OpenSSL:  OpenSSL 1.1.1 11 Sep 2018
*  APR:  1.7.0
*
* Valid SHA-512 signature for apache-tomcat-8.5.82.zip
* Valid GPG signature for apache-tomcat-8.5.82.zip
* Valid SHA-512 signature for apache-tomcat-8.5.82.tar.gz
* Valid GPG signature for apache-tomcat-8.5.82.tar.gz
* Valid SHA-512 signature for apache-tomcat-8.5.82.exe
* Valid GPG signature for apache-tomcat-8.5.82.exe
* !! Invalid Windows Digital Signature for apache-tomcat-8.5.82.exe
* Valid SHA512 signature for apache-tomcat-8.5.82-src.zip
* Valid GPG signature for apache-tomcat-8.5.82-src.zip
* Valid SHA512 signature for apache-tomcat-8.5.82-src.tar.gz
* Valid GPG signature for apache-tomcat-8.5.82-src.tar.gz
*
* Binary Zip and tarball: Same
* Source Zip and tarball: Same
*
* Building dependencies returned: 0
* tcnative builds cleanly
* Tomcat builds cleanly
* Junit Tests: FAILED
*
* Tests that failed:
* org.apache.tomcat.util.net.jsse.TestPEMFile.APR.txt
* org.apache.tomcat.util.net.jsse.TestPEMFile.NIO.txt
* org.apache.tomcat.util.net.jsse.TestPEMFile.NIO2.txt

-chris




Re: [VOTE] Release Apache Tomcat 8.5.82

2022-08-09 Thread Christopher Schultz

All,

I'm curious to find out if anyone is able to build a byte-for-byte 
identical release given the 8.5.82 tag in GitHub. You won't be able to 
generate the correct signed Windows binaries, of course, but you should 
theoretically be able to build everything else.


You will need to consult build.properties.release in order to use the 
same toolchain I used.


Hmm. I think I ran the release-prep target before upgrading my JDK to 
its current version. The build.properties.release file states I used 
"Adoptium 11.0.15+10" but in fact I used "Adoptium 11.0.16+8". I'm not 
sure if that will have a significant impact on the build in terms of 
reproducibility.


Thanks,
-chris

On 8/8/22 18:15, Christopher Schultz wrote:

The proposed Apache Tomcat 8.5.82 release is now available for voting.

The notable changes compared to 8.5.81 are:

  - Update the packaged version of the Tomcat Native Library to 1.2.35 to
    pick up Windows binaries built with OpenSSL 1.1.1q.

  - Enable the use of the FIPS provider for TLS enabled Connectors when
    using Tomcat Native 1.2.34 onwards built with OpenSSL 3.0.x onwards.

  - Improvements to HTTP/2 header handling.

  - Fix CVE-2022-34305, a low severity XSS vulnerability in the
    Form authentication example.

Along with lots of other bug fixes and improvements.

For full details, see the changelog:
https://nightlies.apache.org/tomcat/tomcat-8.5.x/docs/changelog.html

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-8/v8.5.82/
The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1385
The tag is:
https://github.com/apache/tomcat/tree/8.5.82/
237076605ea6b44ec7b97ee1158d5aa7f2f0b53c

The proposed 8.5.82 release is:
[ ] Broken - do not release
[ ] Stable - go ahead and release as 8.5.82 (stable)

-chris




Re: [VOTE] Release Apache Tomcat 8.5.82

2022-08-09 Thread Rémy Maucherat
On Tue, Aug 9, 2022 at 12:16 AM Christopher Schultz
 wrote:
>
> The proposed Apache Tomcat 8.5.82 release is now available for voting.
>
> The notable changes compared to 8.5.81 are:
>
>   - Update the packaged version of the Tomcat Native Library to 1.2.35 to
> pick up Windows binaries built with OpenSSL 1.1.1q.
>
>   - Enable the use of the FIPS provider for TLS enabled Connectors when
> using Tomcat Native 1.2.34 onwards built with OpenSSL 3.0.x onwards.
>
>   - Improvements to HTTP/2 header handling.
>
>   - Fix CVE-2022-34305, a low severity XSS vulnerability in the
> Form authentication example.
>
> Along with lots of other bug fixes and improvements.
>
> For full details, see the changelog:
> https://nightlies.apache.org/tomcat/tomcat-8.5.x/docs/changelog.html
>
> It can be obtained from:
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-8/v8.5.82/
> The Maven staging repo is:
> https://repository.apache.org/content/repositories/orgapachetomcat-1385
> The tag is:
> https://github.com/apache/tomcat/tree/8.5.82/
> 237076605ea6b44ec7b97ee1158d5aa7f2f0b53c
>
> The proposed 8.5.82 release is:
> [ ] Broken - do not release
> [X] Stable - go ahead and release as 8.5.82 (stable)

Well, I still have a problem. JSP seems to be less functional now with
Java 17+ (at least the one from fedora).

As a quick test, maybe try
http://127.0.0.1:8080/examples/jsp/include/include.jsp
With it I get an error about JDT (we use an older version due to Java 7):

09-Aug-2022 16:22:22.856 SEVERE [http-nio-8080-exec-5] org.apache.jasper.compiler.JDTCompiler$1.findType Failed to load class [java.lang.System]
org.eclipse.jdt.internal.compiler.classfmt.ClassFormatException
    at org.eclipse.jdt.internal.compiler.classfmt.ClassFileReader.<init>(ClassFileReader.java:406)
    at org.apache.jasper.compiler.JDTCompiler$1.findType(JDTCompiler.java:231)
    at org.apache.jasper.compiler.JDTCompiler$1.findType(JDTCompiler.java:207)
    at org.eclipse.jdt.internal.compiler.lookup.LookupEnvironment.askForType(LookupEnvironment.java:174)

Rémy




Re: Use of locks in JNDIRealm

2022-08-09 Thread Felix Schumacher

Hi all,

I now have a bit more information on this.

The problem arises, when you have configured a single LDAP connection 
(no pooling) and a naming exception is thrown (for example) in 
JNDIRealm#getPrincipal (for example line 2242 in current main). In that 
location we hold a lock while being thrown into the catch block. There we 
are throwing away the connection (without releasing the lock) and 
increase the lock counter (for our thread) by calling get(). After the 
catch block, we release the connection and decrease the lock counter by 
one (which does not release the lock).


We try to fix this with a few different paths:

a) in get() check for the lock, if we hold it ourselves, don't increase it

b) in release() unlock the lock, till we don't hold it anymore

(both ways seem a bit dirty)

c) release the lock and re-get it (that might incur trouble as some 
other thread might get "our" connection, but it should not be that bad, 
as we would get a "new" one anyways)


d) remove the code to handle single connections  and use the pool 
(stack) with a size of one and a special handling, when no connection 
can be taken from the stack.


Any other ideas or preferences?

Felix

PS. apart from fixing this, I still believe, that we should wait for the 
lock with a timeout (in case we keep the lock)


On 30.07.22 at 12:16, Felix Schumacher wrote:


Hi all,

yesterday, we had a Tomcat, that would be unresponsive for about 
twenty minutes on every full hour. The cause was a long running 
scheduled job that used the /last/ available connection of the 200 
default connections. All other connections were waiting to lock the 
single LDAP connection (probably waited already for a long time). I 
could not find a thread in the stack trace, that actually held the 
lock, so that must have been gone (and should probably be investigated 
further).


Would you mind, if we changed the locking into a timed locking and 
throwing a NamingException on timeout? That way the connections would 
be re-available in a timely manner if such a situation arises again.


Felix
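
The hold-count problem described in this message, as an added example (not part of the original post and not Tomcat's JNDIRealm code): a minimal Java sketch in which get() and release() wrap a ReentrantLock as the message describes, the error path calls get() a second time, and a second thread then waits for the lock with a timeout. The class name, the skipIfHeld switch (option a) and the timeout values are assumptions made for the illustration.

```java
import java.util.concurrent.TimeUnit;
import java.util.concurrent.locks.ReentrantLock;
import javax.naming.NamingException;

public class SingleConnectionLockDemo {

    // Stand-in for the lock that guards the single (non-pooled) connection.
    private final ReentrantLock lock = new ReentrantLock();

    // Hypothetical switch: true applies option (a) from the message.
    private final boolean skipIfHeld;

    SingleConnectionLockDemo(boolean skipIfHeld) {
        this.skipIfHeld = skipIfHeld;
    }

    // Acquire the connection lock, waiting at most timeoutMs (the timed
    // locking proposed in the message) and failing with a NamingException.
    void get(long timeoutMs) throws NamingException {
        if (skipIfHeld && lock.isHeldByCurrentThread()) {
            return; // option (a): do not raise the hold count a second time
        }
        try {
            if (!lock.tryLock(timeoutMs, TimeUnit.MILLISECONDS)) {
                throw new NamingException("Timed out waiting for the connection lock");
            }
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new NamingException("Interrupted while waiting for the connection lock");
        }
    }

    // Release once; with a reentrant lock this only decrements the hold count.
    void release() {
        lock.unlock();
    }

    // The flow from the message: get(), failure, get() again in the catch
    // block without releasing, then a single release() afterwards.
    int lookupWithRetry() throws NamingException {
        get(100);
        try {
            throw new NamingException("simulated LDAP failure");
        } catch (NamingException e) {
            // The broken connection is discarded here, the lock is not released.
            get(100);
        }
        release();
        return lock.getHoldCount(); // holds still owned by the calling thread
    }

    // What a second request thread sees afterwards.
    boolean otherThreadCanAcquire() throws InterruptedException {
        final boolean[] acquired = new boolean[1];
        Thread t = new Thread(() -> {
            try {
                get(200);
                acquired[0] = true;
                release();
            } catch (NamingException e) {
                acquired[0] = false; // timed out instead of blocking forever
            }
        });
        t.start();
        t.join();
        return acquired[0];
    }

    public static void main(String[] args) throws Exception {
        for (boolean skip : new boolean[] {false, true}) {
            SingleConnectionLockDemo demo = new SingleConnectionLockDemo(skip);
            int holdCount = demo.lookupWithRetry();
            System.out.printf("skipIfHeld=%b holdCountAfterRelease=%d otherThreadCanAcquire=%b%n",
                    skip, holdCount, demo.otherThreadCanAcquire());
        }
    }
}
```

With skipIfHeld=false the calling thread still owns the lock after release(), and the second thread fails with a NamingException after its timeout rather than waiting indefinitely; with skipIfHeld=true the hold count returns to zero and the second thread acquires the lock.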





Re: [VOTE] Release Apache Tomcat 8.5.82

2022-08-09 Thread Mark Thomas

On 09/08/2022 15:12, Christopher Schultz wrote:

All,

I'm curious to find out if anyone is able to build a byte-for-byte 
identical release given the 8.5.82 tag in GitHub. You won't be able to 
generate the correct signed Windows binaries, of course, but you should 
theoretically be able to build everything else.


I'll give it a go.

Note that the signed Windows binaries should build correctly. The 
detached signatures for the installer should be in the tag and the 
installer build should be reproducible. It should be possible to insert 
the detached signatures and get a valid, signed Windows binary.


You will need to consult build.properties.release in order to use the 
same toolchain I used.


Hmm. I think I ran the release-prep target before upgrading my JDK to 
its current version. The build.properties.release file states I used 
"Adoptium 11.0.15+10" but in fact I used "Adoptium 11.0.16+8". I'm not 
sure if that will have a significant impact on the build in terms of 
reproducibility.


It will. The JARs that don't get processed by BND will have the Ant and 
JRE version in the manifest.


Wish me luck...

Mark



Thanks,
-chris

On 8/8/22 18:15, Christopher Schultz wrote:

The proposed Apache Tomcat 8.5.82 release is now available for voting.

The notable changes compared to 8.5.81 are:

  - Update the packaged version of the Tomcat Native Library to 1.2.35 to
    pick up Windows binaries built with OpenSSL 1.1.1q.

  - Enable the use of the FIPS provider for TLS enabled Connectors when
    using Tomcat Native 1.2.34 onwards built with OpenSSL 3.0.x onwards.

  - Improvements to HTTP/2 header handling.

  - Fix CVE-2022-34305, a low severity XSS vulnerability in the
    Form authentication example.

Along with lots of other bug fixes and improvements.

For full details, see the changelog:
https://nightlies.apache.org/tomcat/tomcat-8.5.x/docs/changelog.html

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-8/v8.5.82/
The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1385
The tag is:
https://github.com/apache/tomcat/tree/8.5.82/
237076605ea6b44ec7b97ee1158d5aa7f2f0b53c

The proposed 8.5.82 release is:
[ ] Broken - do not release
[ ] Stable - go ahead and release as 8.5.82 (stable)

-chris




Re: [VOTE] Release Apache Tomcat 8.5.82

2022-08-09 Thread Han Li


> On Aug 9, 2022, at 22:25, Rémy Maucherat wrote:
> 
> On Tue, Aug 9, 2022 at 12:16 AM Christopher Schultz
> <ch...@christopherschultz.net> wrote:
>> 
>> The proposed Apache Tomcat 8.5.82 release is now available for voting.
>> 
>> The notable changes compared to 8.5.81 are:
>> 
>> - Update the packaged version of the Tomcat Native Library to 1.2.35 to
>> pick up Windows binaries built with OpenSSL 1.1.1q.
>> 
>> - Enable the use of the FIPS provider for TLS enabled Connectors when
>> using Tomcat Native 1.2.34 onwards built with OpenSSL 3.0.x onwards.
>> 
>> - Improvements to HTTP/2 header handling.
>> 
>> - Fix CVE-2022-34305, a low severity XSS vulnerability in the
>> Form authentication example.
>> 
>> Along with lots of other bug fixes and improvements.
>> 
>> For full details, see the changelog:
>> https://nightlies.apache.org/tomcat/tomcat-8.5.x/docs/changelog.html
>> 
>> It can be obtained from:
>> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-8/v8.5.82/
>> The Maven staging repo is:
>> https://repository.apache.org/content/repositories/orgapachetomcat-1385
>> The tag is:
>> https://github.com/apache/tomcat/tree/8.5.82/
>> 237076605ea6b44ec7b97ee1158d5aa7f2f0b53c
>> 
>> The proposed 8.5.82 release is:
>> [ ] Broken - do not release
>> [X] Stable - go ahead and release as 8.5.82 (stable)
> 
> Well, I still have a problem. JSP seems to be less functional now with
> Java 17+ (at least the one from fedora).
> 
> As a quick test, maybe try
> http://127.0.0.1:8080/examples/jsp/include/include.jsp 
> 
> With it I get an error about JDT (we use an older version due to Java 7):

Hmm, I don’t get any errors with Java 17.0.2+8-86.

I have another question, when doing these tests, what JDK version should I 
choose for the tests?
Should I choose the lowest JDK version supported by the current tomcat version, 
or is anything above the lowest version ok?

Han.

> 
> 09-Aug-2022 16:22:22.856 SEVERE [http-nio-8080-exec-5] org.apache.jasper.compiler.JDTCompiler$1.findType Failed to load class [java.lang.System]
> org.eclipse.jdt.internal.compiler.classfmt.ClassFormatException
>     at org.eclipse.jdt.internal.compiler.classfmt.ClassFileReader.<init>(ClassFileReader.java:406)
>     at org.apache.jasper.compiler.JDTCompiler$1.findType(JDTCompiler.java:231)
>     at org.apache.jasper.compiler.JDTCompiler$1.findType(JDTCompiler.java:207)
>     at org.eclipse.jdt.internal.compiler.lookup.LookupEnvironment.askForType(LookupEnvironment.java:174)
> 
> Rémy
> 


Re: [VOTE] Release Apache Tomcat 8.5.82

2022-08-09 Thread Filip Hanik
On Mon, Aug 8, 2022 at 3:15 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> The proposed Apache Tomcat 8.5.82 release is now available for voting.
>
> The notable changes compared to 8.5.81 are:
>
>   - Update the packaged version of the Tomcat Native Library to 1.2.35 to
> pick up Windows binaries built with OpenSSL 1.1.1q.
>
>   - Enable the use of the FIPS provider for TLS enabled Connectors when
> using Tomcat Native 1.2.34 onwards built with OpenSSL 3.0.x onwards.
>
>   - Improvements to HTTP/2 header handling.
>
>   - Fix CVE-2022-34305, a low severity XSS vulnerability in the
> Form authentication example.
>
> Along with lots of other bug fixes and improvements.
>
> For full details, see the changelog:
> https://nightlies.apache.org/tomcat/tomcat-8.5.x/docs/changelog.html
>
> It can be obtained from:
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-8/v8.5.82/
> The Maven staging repo is:
> https://repository.apache.org/content/repositories/orgapachetomcat-1385
> The tag is:
> https://github.com/apache/tomcat/tree/8.5.82/
> 237076605ea6b44ec7b97ee1158d5aa7f2f0b53c
>
> The proposed 8.5.82 release is:
> [ ] Broken - do not release
>
> [X] Stable - go ahead and release as 8.5.82 (stable)

>
> -chris
>


Re: [VOTE] Release Apache Tomcat 8.5.82

2022-08-09 Thread Mark Thomas

On 09/08/2022 15:46, Mark Thomas wrote:

On 09/08/2022 15:12, Christopher Schultz wrote:

All,

I'm curious to find out if anyone is able to build a byte-for-byte 
identical release given the 8.5.82 tag in GitHub. You won't be able to 
generate the correct signed Windows binaries, of course, but you 
should theoretically be able to build everything else.


TL;DR the build isn't reproducible.

There is something weird going on with time zones and timestamps that I 
haven't got my head around yet. The tar.gz source archive is fine. The 
zip archive is not.


In the release vote files, the files in the zip archive have a timestamp 
15 hours earlier than those in the tar.gz archive. In my local build the 
files in the zip archive have a timestamp 1 hour later than the tar.gz 
archive.


I'm digging into this now.

Mark





Re: [VOTE] Release Apache Tomcat 8.5.82

2022-08-09 Thread Mark Thomas

On 09/08/2022 16:22, Mark Thomas wrote:

On 09/08/2022 15:46, Mark Thomas wrote:

On 09/08/2022 15:12, Christopher Schultz wrote:

All,

I'm curious to find out if anyone is able to build a byte-for-byte 
identical release given the 8.5.82 tag in GitHub. You won't be able 
to generate the correct signed Windows binaries, of course, but you 
should theoretically be able to build everything else.


TL;DR the build isn't reproducible.

There is something weird going on with time zones and timestamps that I 
haven't got my head around yet. The tar.gz source archive is fine. The 
zip archive is not.


In the release vote files, the files in the zip archive have a timestamp 
15 hours earlier than those in the tar.gz archive. In my local build the 
files in the zip archive have a timestamp 1 hour later than the tar.gz 
archive.


I'm digging into this now.


Good news and bad news.

Once I switched my machine to the same timezone Chris was in when he 
built the release, the release was 100% repeatable.


This issue is the zip files. Time stamps in zip files use local (yes, 
local - I didn't mistype that) time. Hence you need to use the same time 
zone to get a repeatable build.


We have a few options here:

1. Document the time zone in use for the build and require the same 
timezone to be used for repeatable builds.


2. Require UTC.

3. Find a way to force Ant to use a specific timezone.

Thoughts?

Mark




Re: [VOTE] Release Apache Tomcat 8.5.82

2022-08-09 Thread Christopher Schultz

Mark,

On 8/9/22 10:46, Mark Thomas wrote:

On 09/08/2022 15:12, Christopher Schultz wrote:

All,

I'm curious to find out if anyone is able to build a byte-for-byte 
identical release given the 8.5.82 tag in GitHub. You won't be able to 
generate the correct signed Windows binaries, of course, but you 
should theoretically be able to build everything else.


I'll give it a go.

Note that the signed Windows binaries should build correctly. The 
detached signatures for the installer should be in the tag and the 
installer build should be reproducible. It should be possible to insert 
the detached signatures and get a valid, signed Windows binary.


I didn't build-tag-build in order to produce those detached signatures.

You will need to consult build.properties.release in order to use the 
same toolchain I used.


Hmm. I think I ran the release-prep target before upgrading my JDK to 
its current version. The build.properties.release file states I used 
"Adoptium 11.0.15+10" but in fact I used "Adoptium 11.0.16+8". I'm not 
sure if that will have a significant impact on the build in terms of 
reproducibility.


It will. The JARs that don't get processed by BND will have the Ant and 
JRE version in the manifest.


Wish me luck...


:D

-chris


On 8/8/22 18:15, Christopher Schultz wrote:

The proposed Apache Tomcat 8.5.82 release is now available for voting.

The notable changes compared to 8.5.81 are:

  - Update the packaged version of the Tomcat Native Library to 1.2.35 to
    pick up Windows binaries built with OpenSSL 1.1.1q.

  - Enable the use of the FIPS provider for TLS enabled Connectors when
    using Tomcat Native 1.2.34 onwards built with OpenSSL 3.0.x onwards.

  - Improvements to HTTP/2 header handling.

  - Fix CVE-2022-34305, a low severity XSS vulnerability in the
    Form authentication example.

Along with lots of other bug fixes and improvements.

For full details, see the changelog:
https://nightlies.apache.org/tomcat/tomcat-8.5.x/docs/changelog.html

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-8/v8.5.82/
The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1385
The tag is:
https://github.com/apache/tomcat/tree/8.5.82/
237076605ea6b44ec7b97ee1158d5aa7f2f0b53c

The proposed 8.5.82 release is:
[ ] Broken - do not release
[ ] Stable - go ahead and release as 8.5.82 (stable)

-chris




Re: [VOTE] Release Apache Tomcat 8.5.82

2022-08-09 Thread Christopher Schultz

Han,

On 8/9/22 10:46, Han Li wrote:




On Aug 9, 2022, at 22:25, Rémy Maucherat wrote:

On Tue, Aug 9, 2022 at 12:16 AM Christopher Schultz
<ch...@christopherschultz.net> wrote:


The proposed Apache Tomcat 8.5.82 release is now available for voting.

The notable changes compared to 8.5.81 are:

- Update the packaged version of the Tomcat Native Library to 1.2.35 to
pick up Windows binaries built with OpenSSL 1.1.1q.

- Enable the use of the FIPS provider for TLS enabled Connectors when
using Tomcat Native 1.2.34 onwards built with OpenSSL 3.0.x onwards.

- Improvements to HTTP/2 header handling.

- Fix CVE-2022-34305, a low severity XSS vulnerability in the
Form authentication example.

Along with lots of other bug fixes and improvements.

For full details, see the changelog:
https://nightlies.apache.org/tomcat/tomcat-8.5.x/docs/changelog.html

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-8/v8.5.82/
The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1385
The tag is:
https://github.com/apache/tomcat/tree/8.5.82/
237076605ea6b44ec7b97ee1158d5aa7f2f0b53c

The proposed 8.5.82 release is:
[ ] Broken - do not release
[X] Stable - go ahead and release as 8.5.82 (stable)


Well, I still have a problem. JSP seems to be less functional now with
Java 17+ (at least the one from fedora).

As a quick test, maybe try
http://127.0.0.1:8080/examples/jsp/include/include.jsp 

With it I get an error about JDT (we use an older version due to Java 7):


Hmm, I don’t get any errors with Java 17.0.2+8-86.

I have another question, when doing these tests, what JDK version should I 
choose for the tests?
Should I choose the lowest JDK version supported by the current tomcat version, 
or is anything above the lowest version ok?


You should use any version that is supported.

I use Java 8 because that's what I (still) run in production.

Theoretically, Java 7 should allow (nearly) all tests to pass, and the 
product should work properly.


So please feel free to use whatever you have laying around.

Thanks,
-chris




Re: [VOTE] Release Apache Tomcat 8.5.82

2022-08-09 Thread Christopher Schultz

Mark,

On 8/9/22 14:09, Mark Thomas wrote:

On 09/08/2022 16:22, Mark Thomas wrote:

On 09/08/2022 15:46, Mark Thomas wrote:

On 09/08/2022 15:12, Christopher Schultz wrote:

All,

I'm curious to find out if anyone is able to build a byte-for-byte 
identical release given the 8.5.82 tag in GitHub. You won't be able 
to generate the correct signed Windows binaries, of course, but you 
should theoretically be able to build everything else.


TL;DR the build isn't reproducible.

There is something weird going on with time zones and timestamps that 
I haven't got my head around yet. The tar.gz source archive is fine. 
The zip archive is not.


In the release vote files, the files in the zip archive have a 
timestamp 15 hours earlier than those in the tar.gz archive. In my 
local build the files in the zip archive have a timestamp 1 hour later 
than the tar.gz archive.


I'm digging into this now.


Good news and bad news.

Once I switched my machine to the same timezone Chris was in when he 
built the release, the release was 100% repeatable.


This issue is the zip files. Time stamps in zip files use local (yes, 
local - I didn't mistype that) time. Hence you need to use the same time 
zone to get a repeatable build.


We have a few options here:

1. Document the time zone in use for the build and require the same 
timezone to be used for repeatable builds.


We might want to do this anyway, regardless.


2. Require UTC.


Can that be done on the CLI for a single process on Windows? It will 
likely work for *NIX no problem. I use a semi-dedicated Windows VM for 
building releases, so I have no problem just switching it to UTC.


I also really need to switch to building natively on my Mac because the 
whole VM thing is really cramping my style. :)



3. Find a way to force Ant to use a specific timezone.


-Duser.timezone?

-chris
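
The zip timestamp behaviour discussed in this thread, as an added example (not part of the original messages and not Tomcat's or Ant's build code): a Java sketch that writes the same one-file archive under two JVM default time zones and compares the bytes, then repeats the comparison with the entry time pinned to UTC wall-clock time. The file name, content, instant and the two zones are constructed sample values; TimeZone.setDefault stands in for building on machines in different zones, and setTimeLocal needs Java 9 or later.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.time.LocalDateTime;
import java.time.ZoneOffset;
import java.util.Arrays;
import java.util.TimeZone;
import java.util.zip.ZipEntry;
import java.util.zip.ZipOutputStream;

public class ZipTimestampDemo {

    // Constructed sample input: one file with a fixed last-modified instant.
    static final Instant MTIME = Instant.parse("2022-08-08T12:00:00Z");
    static final byte[] CONTENT = "sample".getBytes(StandardCharsets.UTF_8);

    // Build the archive in memory with the JVM default zone set to zoneId.
    // pinToUtc=false: setTime(long) converts the instant to local wall-clock
    //                 time using the default zone before storing it.
    // pinToUtc=true:  the wall-clock value is computed in UTC up front, so
    //                 the stored field no longer depends on the default zone.
    static byte[] buildZip(String zoneId, boolean pinToUtc) throws IOException {
        TimeZone saved = TimeZone.getDefault();
        TimeZone.setDefault(TimeZone.getTimeZone(zoneId));
        try {
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            try (ZipOutputStream zip = new ZipOutputStream(out)) {
                ZipEntry entry = new ZipEntry("README.txt");
                if (pinToUtc) {
                    entry.setTimeLocal(LocalDateTime.ofInstant(MTIME, ZoneOffset.UTC));
                } else {
                    entry.setTime(MTIME.toEpochMilli());
                }
                zip.putNextEntry(entry);
                zip.write(CONTENT);
                zip.closeEntry();
            }
            return out.toByteArray();
        } finally {
            TimeZone.setDefault(saved); // leave the JVM as we found it
        }
    }

    public static void main(String[] args) throws IOException {
        byte[] utc = buildZip("UTC", false);
        byte[] newYork = buildZip("America/New_York", false);
        byte[] utcPinned = buildZip("UTC", true);
        byte[] newYorkPinned = buildZip("America/New_York", true);

        System.out.println("default-zone archives identical: " + Arrays.equals(utc, newYork));
        System.out.println("UTC-pinned archives identical:   " + Arrays.equals(utcPinned, newYorkPinned));
    }
}
```

The first comparison reports a mismatch even though the file, its content and its modification instant are the same in both builds; the second matches because the stored wall-clock time is fixed before the entry is written.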




[Bug 66191] compile taglibs that are not (yet) included in jsp file

2022-08-09 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=66191

Dan Caseley  changed:

   What|Removed |Added

 CC||d...@caseley.me.uk

-- 
You are receiving this mail because:
You are the assignee for the bug.



Re: [VOTE] Release Apache Tomcat 8.5.82

2022-08-09 Thread Han Li
Thanks for your reply.

Han

> On Aug 10, 2022, at 02:36, Christopher Schultz wrote:
> 
> Han,
> 
> On 8/9/22 10:46, Han Li wrote:
>>> On Aug 9, 2022, at 22:25, Rémy Maucherat wrote:
>>> 
>>> On Tue, Aug 9, 2022 at 12:16 AM Christopher Schultz
>>> <ch...@christopherschultz.net> wrote:
>>>> 
>>>> The proposed Apache Tomcat 8.5.82 release is now available for voting.
>>>> 
>>>> The notable changes compared to 8.5.81 are:
>>>> 
>>>> - Update the packaged version of the Tomcat Native Library to 1.2.35 to
>>>> pick up Windows binaries built with OpenSSL 1.1.1q.
>>>> 
>>>> - Enable the use of the FIPS provider for TLS enabled Connectors when
>>>> using Tomcat Native 1.2.34 onwards built with OpenSSL 3.0.x onwards.
>>>> 
>>>> - Improvements to HTTP/2 header handling.
>>>> 
>>>> - Fix CVE-2022-34305, a low severity XSS vulnerability in the
>>>> Form authentication example.
>>>> 
>>>> Along with lots of other bug fixes and improvements.
>>>> 
>>>> For full details, see the changelog:
>>>> https://nightlies.apache.org/tomcat/tomcat-8.5.x/docs/changelog.html
>>>> 
>>>> It can be obtained from:
>>>> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-8/v8.5.82/
>>>> The Maven staging repo is:
>>>> https://repository.apache.org/content/repositories/orgapachetomcat-1385
>>>> The tag is:
>>>> https://github.com/apache/tomcat/tree/8.5.82/
>>>> 237076605ea6b44ec7b97ee1158d5aa7f2f0b53c
>>>> 
>>>> The proposed 8.5.82 release is:
>>>> [ ] Broken - do not release
>>>> [X] Stable - go ahead and release as 8.5.82 (stable)
>>> 
>>> Well, I still have a problem. JSP seems to be less functional now with
>>> Java 17+ (at least the one from fedora).
>>> 
>>> As a quick test, maybe try
>>> http://127.0.0.1:8080/examples/jsp/include/include.jsp 
>>> 
>>> With it I get an error about JDT (we use an older version due to Java 7):
>> Hmm, I don’t get any errors with Java 17.0.2+8-86.
>> I have another question, when doing these tests, what JDK version should I 
>> choose for the tests?
>> Should I choose the lowest JDK version supported by the current tomcat 
>> version, or is anything above the lowest version ok?
> 
> You should use any version that is supported.
> 
> I use Java 8 because that's what I (still) run in production.
> 
> Theoretically, Java 7 should allow (nearly) all tests to pass, and the 
> product should work properly.
> 
> So please feel free to use whatever you have laying around.
> 
> Thanks,
> -chris
> 
> 

