lucee / lucee-dockerfiles

Official Lucee Dockerfiles for Docker Hub build images
https://hub.docker.com/u/lucee/
MIT License

Tomcat 8.0.X end of life #43

Closed arthurblake closed 5 years ago

arthurblake commented 6 years ago

Tomcat 8.0.X end of life has been announced which means there will be no more security updates/bug fixes after June 30, 2018: http://tomcat.apache.org/tomcat-80-eol.html

When will the lucee docker images be updated to Tomcat 8.5.x or even better, the 9.0.x line? The 9.0.x line only supports Java 8, but Java 8 is close to EOL as well (January 2019)...

justincarter commented 6 years ago

We'll upgrade Tomcat for Lucee 5.3.x releases :)

arthurblake commented 6 years ago

Is that just a matter of stability? I.E. Lucee 5.2.x has been tested out fully on Tomcat 8.0.x?

justincarter commented 6 years ago

Normally I wouldn't switch the base Tomcat image to a different minor/major version during a maintenance branch (e.g. Lucee 5.2.x) because an unexpected upgrade for users on the "latest" tag could break their builds. Stability is a key factor of base images, which is why I was waiting for 5.3 and most likely looking at upgrading to Tomcat 9.

Security is of course important as well. If Tomcat 8.0 goes EOL and there are any significant vulnerabilities, or we need to continue supporting Lucee 5.1/5.2 with security patches, then we would of course upgrade Tomcat on those maintenance branches, probably to Tomcat 8.5 if it has better backwards compatibility.

Either way, any changes to the Tomcat version will be clearly communicated to minimise any issues where possible.

arthurblake commented 6 years ago

OK. Thank you.

jamiejackson commented 5 years ago

Lucee's installer keeps both Tomcat and Java up-to-date. Notice that it has been using Tomcat 8.5 since September, 2016!

As the Tomcat CVEs (and presumably Java and OS patches) keep stacking up, I find it strange how this project continues to ignore them. I would like to use this image directly, but its approach to maintenance is worrisome (#42). If a user really wants perfect repeatability (e.g., with regard to Tomcat versions), shouldn't it be on them to pin their version to a hash instead of a tag?

With the change in builds and tagging coming with #40, will the approach to maintenance change, as well?
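The comment above asks users who need exact repeatability to pin a base image to a hash rather than a tag. The script below is an added example, not code from the lucee-dockerfiles repository: a CI guard that reads a Dockerfile and fails when any `FROM` line references its base image by a mutable tag (e.g. `tomcat:8.0-jre8`) instead of an immutable `@sha256:` digest. The sample Dockerfiles and the digest value embedded in it are constructed placeholders, not real Tomcat or Lucee images.

```shell
#!/bin/sh
# Added example (not from the lucee-dockerfiles repo): refuse Dockerfiles whose
# base image is referenced by a mutable tag only. A tag such as "tomcat:8.0-jre8"
# can be re-pointed at a new build at any time; "tomcat@sha256:<64 hex>" names
# exactly one image manifest, which is what pinning "to a hash" means.
#
# Real docker CLI commands to obtain the digest of an image you have pulled:
#   docker pull tomcat:8.5-jre8
#   docker inspect --format '{{index .RepoDigests 0}}' tomcat:8.5-jre8

# Read a Dockerfile on stdin. Print "<line no>: <FROM line>" for every base
# image that is not digest-pinned. Exit 0 if all are pinned, 1 otherwise.
# "FROM scratch" and references to earlier "AS <alias>" stages are skipped.
unpinned_from_lines() {
    awk '
        {
            orig = $0
            sub(/#.*/, "")                                   # drop trailing comments
            if (NF == 0 || toupper($1) != "FROM") next
            i = 2
            while (i <= NF && substr($i, 1, 2) == "--") i++  # skip flags like --platform=
            image = $i
            for (j = i + 1; j < NF; j++)                     # remember multi-stage aliases
                if (toupper($j) == "AS") alias[$(j + 1)] = 1
            if (image == "scratch" || (image in alias)) next
            n = split(image, part, "@sha256:")
            if (n == 2 && part[2] ~ /^[0-9a-f]+$/ && length(part[2]) == 64) next
            print NR ": " orig
            unpinned++
        }
        END { exit unpinned > 0 }
    '
}

# Number of unpinned FROM lines in a Dockerfile passed as a string.
count_unpinned() {
    printf '%s\n' "$1" | unpinned_from_lines | wc -l | tr -d ' '
}

# Constructed sample Dockerfiles; the digest is a placeholder, not a real image.
DIGEST=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
MUTABLE_DOCKERFILE='FROM tomcat:8.0-jre8
COPY lucee.jar /usr/local/tomcat/lib/'
PINNED_DOCKERFILE="FROM --platform=linux/amd64 tomcat:8.5-jre8@sha256:$DIGEST AS base
FROM base
COPY lucee.jar /usr/local/tomcat/lib/"

# Stand-alone demonstration: the first Dockerfile is reported, the second passes.
printf '%s\n' "$MUTABLE_DOCKERFILE" | unpinned_from_lines || echo "unpinned base image found"
printf '%s\n' "$PINNED_DOCKERFILE" | unpinned_from_lines && echo "all base images pinned"
```

In a build pipeline, `unpinned_from_lines < Dockerfile` placed before `docker build` turns the tag-versus-digest decision into an explicit one: a pinned digest never changes underneath you, and refreshing it becomes a reviewable diff rather than a surprise on the next pull.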

justincarter commented 5 years ago

For the new Docker image repository we'll target Tomcat 9.0.x as the default for Lucee 5.3, and we can also provide other alternatives more easily now that the build matrix will allow it. This should give us all the options we need, and we could provide Tomcat 8.5.x for those who need it. Creating some retrospective builds for the latest builds of 5.2 could also be an option.

For the existing Docker image repositories the policy has been to stick with the same minor version of Tomcat, and for each Lucee release the underlying Tomcat is updated to the latest build of that minor version (i.e. the last Lucee 5.2.x release is using 8.0.53 from July 2018). We use the official Tomcat image as a base, which also contains the latest JRE at that time. Yes, we missed the Tomcat 8.5 upgrade that the installer did; it's a separate project unfortunately.

As I mentioned above in May, switching to Tomcat 8.5.x for the default image is an option going forward since 8.0.x is EOL, but users will also need to be aware of any compatibility issues they may have (https://tomcat.apache.org/migration-85.html#Migrating_from_8.0.x_to_8.5.x).

At the moment I can't find a list of CVEs affecting Tomcat 8.0.53, do you have a link?

mattblaha commented 5 years ago

Should this ticket be closed as 8.5 is available here from these Docker files? We had some confusion figuring out the relationship between these images and this repo until I reread the previous comments here.

https://hub.docker.com/r/lucee/lucee

These are official and from the same source files as the lucee52 images right? Just the Lucee 52 images won't be updated?

andrew-dixon commented 5 years ago

@mattblaha 👍