Re: EOL - Tomcat versions
> On 19/01/2024 19:06, Francisco Dellanio Leite Alencar wrote: >> @Mark Thomas, >> >> Is it possible to consider that the minimum support time of Apache >> Tomcat 9.0.X is until 2027 (10 years since Released)? > > I'd say 2027 is a reasonable estimate of the likely EOL date for 9.0.x > but I'm not going to provide any guarantees on that. > > The Tomcat community has committed to providing at least 12 months > notice of EOL of any major version. > > More detail in the thread listed below against 9.0.x. > > If long term support is your concern then I'd consider looking at Tomcat > 10.1.x. It does require Java 11 (Tomcat 9.0.x requires Java 8) but it > will get you an additional ~3 years support. > > I will take the opportunity to point out that what you get with Tomcat > is already pretty good. > > - major versions support for ~10 years including new features, bug >fixes and security fixes > > - monthly releases throughout that ~10 year period (with the odd gap) > > - all reproducible bugs reported fixed in the next release (this is the >one where Tomcat really stands out) > > - you can actually talk to the folks the maintain the code > I'd like to thank the Tomcat community for all what they're doing. I know a lot of projects but Tomcat is really at the top of the list for all the things pointed out above! Regards, Simon - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: EOL - Tomcat versions
Top posting since my comments are not 100% relevant to the issue in the thread (i.e. related but not in detail). It would be nice if Tomcat published EOL's since there are applications (like HIPAA webapps [I do remote cardiac monitoring]) that are automatically declared to be insecure if the underlying platform has any EOL'ed components (this why just upgraded from 9.0.35 to 9.0.85) and in some cases (like HIPAA) have goverment imposed fines if there is a breach due to using EOL'ed components. Thus there is a need for known/published EOL dates in such apps. On Fri, Jan 19, 2024 at 6:58 PM Mark Thomas wrote: > > On 19/01/2024 19:06, Francisco Dellanio Leite Alencar wrote: > > @Mark Thomas, > > > > Is it possible to consider that the minimum support time of Apache Tomcat > > 9.0.X is until 2027 (10 years since Released)? > > I'd say 2027 is a reasonable estimate of the likely EOL date for 9.0.x > but I'm not going to provide any guarantees on that. > > The Tomcat community has committed to providing at least 12 months > notice of EOL of any major version. > > More detail in the thread listed below against 9.0.x. > > If long term support is your concern then I'd consider looking at Tomcat > 10.1.x. It does require Java 11 (Tomcat 9.0.x requires Java 8) but it > will get you an additional ~3 years support. > > I will take the opportunity to point out that what you get with Tomcat > is already pretty good. > > - major versions support for ~10 years including new features, bug >fixes and security fixes > > - monthly releases throughout that ~10 year period (with the odd gap) > > - all reproducible bugs reported fixed in the next release (this is the >one where Tomcat really stands out) > > - you can actually talk to the folks the maintain the code > > > If you really need 9.0.x and really need guarantees on dates then there > are commercial organizations that will sell you that service. Just make > sure you pick one that has the skills and in-depth Tomcat knowledge > necessary to deliver that support. > > Mark > > > > > > > Thanks. > > > > > > > > On 2024/01/08 08:42:28 Mark Thomas wrote: > >> > >> > >> On 08/01/2024 06:47, i...@flyingfischer.ch wrote: > >>> https://endoflife.date/tomcat > >>> > >>> Am 08.01.24 um 07:39 schrieb Deshmukh, Kedar: > Hello, > > Could you please throw some light on Tomcat versions and its EOL plan? > >> > >> See https://tomcat.apache.org/whichversion.html > >> > 1. 8.5.X > >> > >> EOL 31 March 2024 > >> > 2. 9.0.X > >> > >> No plans. > >> See https://lists.apache.org/thread/qlzpscgoqct9wspkj5qjkm34s66jswj0 > >> > 3. 10.0.X > >> > >> Already EOL as of 31 October 2022 > >> > 4. 10.1.X > >> > >> No plans. > >> See https://lists.apache.org/thread/qlzpscgoqct9wspkj5qjkm34s66jswj0 > >> > >> Mark > >> > >> - > >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > >> For additional commands, e-mail: users-h...@tomcat.apache.org > >> > >> > > - > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > > For additional commands, e-mail: users-h...@tomcat.apache.org > > > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > -- Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: EOL - Tomcat versions
> Top posting since my comments are not 100% relevant to the issue in > the thread (i.e. related but not in detail). > > It would be nice if Tomcat published EOL's since there are > applications (like HIPAA webapps [I do remote cardiac monitoring]) > that are automatically declared to be insecure if the underlying > platform has any EOL'ed components (this why just upgraded from 9.0.35 > to 9.0.85) and in some cases (like HIPAA) have goverment imposed fines > if there is a breach due to using EOL'ed components. Thus there is a > need for known/published EOL dates in such apps. Isn't it so that for every major version, like 9.0, all but the latest should be considered EOL? Like for now, 9.0.85 is supported and 9.0.84 and older should be considered EOL. Simon > > On Fri, Jan 19, 2024 at 6:58 PM Mark Thomas wrote: >> >> On 19/01/2024 19:06, Francisco Dellanio Leite Alencar wrote: >> > @Mark Thomas, >> > >> > Is it possible to consider that the minimum support time of Apache >> Tomcat 9.0.X is until 2027 (10 years since Released)? >> >> I'd say 2027 is a reasonable estimate of the likely EOL date for 9.0.x >> but I'm not going to provide any guarantees on that. >> >> The Tomcat community has committed to providing at least 12 months >> notice of EOL of any major version. >> >> More detail in the thread listed below against 9.0.x. >> >> If long term support is your concern then I'd consider looking at Tomcat >> 10.1.x. It does require Java 11 (Tomcat 9.0.x requires Java 8) but it >> will get you an additional ~3 years support. >> >> I will take the opportunity to point out that what you get with Tomcat >> is already pretty good. >> >> - major versions support for ~10 years including new features, bug >>fixes and security fixes >> >> - monthly releases throughout that ~10 year period (with the odd gap) >> >> - all reproducible bugs reported fixed in the next release (this is the >>one where Tomcat really stands out) >> >> - you can actually talk to the folks the maintain the code >> >> >> If you really need 9.0.x and really need guarantees on dates then there >> are commercial organizations that will sell you that service. Just make >> sure you pick one that has the skills and in-depth Tomcat knowledge >> necessary to deliver that support. >> >> Mark >> >> >> >> > >> > Thanks. >> > >> > >> > >> > On 2024/01/08 08:42:28 Mark Thomas wrote: >> >> >> >> >> >> On 08/01/2024 06:47, i...@flyingfischer.ch wrote: >> >>> https://endoflife.date/tomcat >> >>> >> >>> Am 08.01.24 um 07:39 schrieb Deshmukh, Kedar: >> Hello, >> >> Could you please throw some light on Tomcat versions and its EOL >> plan? >> >> >> >> See https://tomcat.apache.org/whichversion.html >> >> >> 1. 8.5.X >> >> >> >> EOL 31 March 2024 >> >> >> 2. 9.0.X >> >> >> >> No plans. >> >> See https://lists.apache.org/thread/qlzpscgoqct9wspkj5qjkm34s66jswj0 >> >> >> 3. 10.0.X >> >> >> >> Already EOL as of 31 October 2022 >> >> >> 4. 10.1.X >> >> >> >> No plans. >> >> See https://lists.apache.org/thread/qlzpscgoqct9wspkj5qjkm34s66jswj0 >> >> >> >> Mark >> >> >> >> - >> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> >> For additional commands, e-mail: users-h...@tomcat.apache.org >> >> >> >> >> > - >> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> > For additional commands, e-mail: users-h...@tomcat.apache.org >> > >> >> - >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> > > > -- > Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: EOL - Tomcat versions
On Sat, Jan 20, 2024 at 4:29 AM Simon Matter wrote: > > > Top posting since my comments are not 100% relevant to the issue in > > the thread (i.e. related but not in detail). > > > > It would be nice if Tomcat published EOL's since there are > > applications (like HIPAA webapps [I do remote cardiac monitoring]) > > that are automatically declared to be insecure if the underlying > > platform has any EOL'ed components (this why just upgraded from 9.0.35 > > to 9.0.85) and in some cases (like HIPAA) have goverment imposed fines > > if there is a breach due to using EOL'ed components. Thus there is a > > need for known/published EOL dates in such apps. > > Isn't it so that for every major version, like 9.0, all but the latest > should be considered EOL? Like for now, 9.0.85 is supported and 9.0.84 and > older should be considered EOL. In large 24/7/365 production environments (especially life critical ones) it is often hard to do a migration and requires significant human labor to do. This is recognized by vendors when they publish EOL dates, for example OpenJDK 8 (LTS) is supported through 2030 (https://www.oracle.com/java/technologies/java-se-support-roadmap.html). Nonetheless we also upgraded to OpenJDK21 at the same time we upgraded tomcat [also upgraded the OS from FreeBSD 12 to FreeBSD 14] and it required about 500 source code fixes to a 100+k LOC project to make it compile correctly (we have a no warning policy and thus -Werror turned on). Luckily almost all the fixes were trivial but one or two were not and required several hours to plan how to fix them and another few days to do so (good example is significant change in behaviour in File.renameTo() without documentation [see another thread] thus we had to rewrite an entire low level I/O class to use Files.move() instead of File.renameTo() and other good example if new URL(String url) is now deprecated and needed to be rewritten as new URI(url).toURL() and put inside a totally different try catch block). -- Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
