• tomcat9 in buster-backports vs. security

    From Thorsten Glaser@21:1/5 to All on Tue Aug 10 22:10:01 2021
    Hi,

    the tomcat9 backport is pretty much orphaned: newer tomcat9
    versions don’t even build in buster any more¹, and both
    bullseye² and buster received security fixes recently.

    ① One built in bullseye works on buster but that is, of course,
    no option for bpo. (It works for my sysvinit-compatible local
    builds though.)
    ② Although waiting for -3 before acting would be best.

    Markus, Emmanuel, are you going to update the backport to the
    latest version (9.0.43-3 or 9.0.43-3~deb11u1 once migrated)
    fixing the compile time problem (some constants for Java™ 15
    and newer are not defined yet) because the alternative is to
    request removal of the backport now and informing the users.

    bye,
    //mirabilos
    --
    Infrastructure expert • tarent solutions GmbH
    Am Dickobskreuz 10, D-53121 Bonn • http://www.tarent.de/
    Telephone +49 228 54881-393 • Fax: +49 228 54881-235
    HRB AG Bonn 5168 • USt-ID (VAT): DE122264941
    Managing directors: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg


    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Markus Koschany@21:1/5 to All on Tue Aug 10 22:40:01 2021
    Hi,

    On Tuesday, 10.08.2021 at 22:00 +0200, Thorsten Glaser wrote:
    [...]
    > Markus, Emmanuel, are you going to update the backport to the
    > latest version (9.0.43-3 or 9.0.43-3~deb11u1 once migrated)
    > fixing the compile time problem (some constants for Java™ 15
    > and newer are not defined yet) because the alternative is to
    > request removal of the backport now and informing the users.

    Currently I don't plan to update the bpo version of Tomcat 9 in Buster. If you prefer the latest updates then I'd suggest to focus on bullseye-backports from now on. I am not sure yet if the regression which I have fixed in 9.0.43-3 requires another security update for bullseye or buster at the moment, since an easy workaround is available and probably not many users are affected. I will monitor the situation though.

    Regards,

    Markus

  • From Thorsten Glaser@21:1/5 to Markus Koschany on Tue Aug 10 22:50:02 2021
    On Tue, 10 Aug 2021, Markus Koschany wrote:

    > Currently I don't plan to update the bpo version of Tomcat 9 in Buster. If you
    > prefer the latest updates then I'd suggest to focus on bullseye-backports from

    I think you misunderstood the intention of this request.

    Packages in $version-backports have to be up-to-date wrt.
    their corresponding packages from $(version+1), except
    small, not very user-visible, etc. changes.

    In the case of security updates, this is even more important.

    The person who uploaded the first backport basically agreed
    to keep the tomcat9 backport up-to-date over the lifetime of
    buster-backports, that is, to approximately 14/15ᵗʰ August 2022(!).

    > now on. I am not sure yet if the regression which I have fixed in
    > 9.0.43-3 requires another security update for bullseye or buster at
    > the moment, since an easy workaround is available and probably not
    > many users are affected. I will monitor the situation though.

    Right.

    However, if you’re not intending to update the buster backport,
    please file a removal request and inform the users (via the bpo
    mailing list) about this and the extant security issues in the
    version they have installed.

    Thanks,
    //mirabilos

    ObPlug: http://www.mirbsd.org/~tg/Debs/dists/buster/lts/Pkgs/tomcat9/
    is what I try to keep reasonably up to date. It also contains
    the sysvinit fixes. It’s built in a bullseye chroot though,
    and as such does NOT follow the bpo rules. It’s a works-for-me
    thing which one MAY use if they want, at their own risk.
  • From Markus Koschany@21:1/5 to All on Tue Aug 10 23:00:02 2021
    On Tuesday, 10.08.2021 at 22:47 +0200, Thorsten Glaser wrote:
    > On Tue, 10 Aug 2021, Markus Koschany wrote:

    > > Currently I don't plan to update the bpo version of Tomcat 9 in Buster. If you
    > > prefer the latest updates then I'd suggest to focus on bullseye-backports from

    > I think you misunderstood the intention of this request.

    > Packages in $version-backports have to be up-to-date wrt.
    > their corresponding packages from $(version+1), except
    > small, not very user-visible, etc. changes.

    > In the case of security updates, this is even more important.

    > The person who uploaded the first backport basically agreed
    > to keep the tomcat9 backport up-to-date over the lifetime of buster-backports, that is, to approximately 14/15ᵗʰ August 2022(!).

    > > now on. I am not sure yet if the regression which I have fixed in
    > > 9.0.43-3 requires another security update for bullseye or buster at
    > > the moment, since an easy workaround is available and probably not
    > > many users are affected. I will monitor the situation though.

    > Right.

    > However, if you’re not intending to update the buster backport,
    > please file a removal request and inform the users (via the bpo
    > mailing list) about this and the extant security issues in the
    > version they have installed.

    I have never uploaded tomcat9 to a debian-backports suite hence why I have only replied to the debian-java list. Obviously you should wait for Emmanuel's feedback before doing anything.

    Regards,

    Markus


  • From Thorsten Glaser@21:1/5 to Markus Koschany on Sun Aug 22 23:00:01 2021
    On Tue, 10 Aug 2021, Markus Koschany wrote:

    > Obviously you should wait for Emmanuel's feedback before doing
    > anything.

    So… Emmanuel?

    bye,
    //mirabilos
  • From Markus Koschany@21:1/5 to All on Thu Oct 14 23:30:01 2021
    Hi backports team,

    please remove tomcat9 from buster-backports because Emmanuel won't have the time to update the package for the next months and I don't intend to maintain it. My recommendation for all users of tomcat9 is to use the version in buster because it receives full security support. You also have the option to upgrade to bullseye.

    Regards,

    Markus

  • From Alexander Wirt@21:1/5 to Markus Koschany on Fri Oct 15 11:00:01 2021
    On Thu, Oct 14, 2021 at 11:23:01PM +0200, Markus Koschany wrote:
    > Hi backports team,
    >
    > please remove tomcat9 from buster-backports because Emmanuel won't have the time to update the package for the next months and I don't intend to maintain it. My recommendation for all users of tomcat9 is to use the version in buster
    > because it receives full security support. You also have the option to upgrade
    > to bullseye.
    Done

    Alex

