[WG: Sakai QA] [Deploying Sakai] [Building Sakai] sakai-2.6.3: test/recommend deployers useTomcat 5.5.28+?

David Haines dlhaines at umich.edu
Tue Jun 29 05:28:11 PDT 2010


I agree with Steven on not moving over to Tomcat 6 in a point release.  TC6 would be a great option but a bad requirement for 2.7.

- Dave


David Haines
CTools Developer
Digital Media Commons
University of Michigan 
dlhaines at umich.edu




On Jun 29, 2010, at 5:20 AM, Steve Swinsburg wrote:

> Hi all,
> 
> My last experiment in deploying Sakai 2.x to Tomcat 6 found that the Sakai Maven plugin didn't deploy things correctly. So this would need some further testing and possibly some work. 
> 
> There is also the option of adjusting the Tomcat classloader configuration in conf/catalina.properties to restore the old common/lib, shared/lib behaviour:
> shared.loader=${catalina.base}/shared/classes,${catalina.base}/shared/lib/*.jar
> 
> However, we would also need to be QA'ing against Tomcat 5.5 as well since some people might want to upgrade between 2.7 versions but not switch app servers.
> 
> I would -1 moving to Tomcat 6 in a point release of 2.7 and rather it go to 2.8 since it is quite a disruptive change.
> 
> And my opinion is to move to 5.5.29 over 5.5.28 for QA, more fixes and it is stable for me - although we are not in production with it.
> 
> cheers,
> Steve
> 
> 
> On 29/06/2010, at 5:46 PM, Berg, Alan wrote:
> 
>> Hi all,
>> 
>> I would like to reinforce Ian's question. What sort of work is required to move to Tomcat 6. I understand that there are classloader hierarchy differences, but technically can we push this into a minor 2.7 release? Is it just a question of solid QA test coverage or are there known issues.
>> 
>> Alan B.
>> 
>> Alan Berg
>> QA Director - The Sakai Foundation
>> 
>> Senior Developer / Quality Assurance
>> Group Education and Research Services
>> Central Computer Services
>> University of Amsterdam
>> 
>> http://home.uva.nl/a.m.berg
>> 
>> 
>> 
>> 
>> -----Original Message-----
>> From: sakai-dev-bounces at collab.sakaiproject.org on behalf of Ian Boston
>> Sent: Tue 29-6-2010 8:08
>> To: Anthony Whyte
>> Cc: production at collab.sakaiproject.org; Sakai QA; Developers Sakai-Dev
>> Subject: Re: [Building Sakai] sakai-2.6.3: test/recommend deployers useTomcat 5.5.28+?
>> 
>> I would be worried about
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1157
>> which isnt fixed in 29, and AFAIK all our webapps are vulnerable.
>> 
>> also fixed in 29
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2693
>> and related, as I will bet that many places still have the manager webapp available.
>> and if they are on windows, this wont help.
>> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3548
>> 
>> 
>> Although these issues also exist in TC6, is there a reason why you are not testing on 6 ?
>> The kernel was patched about 2 years ago to run in TC6.
>> 
>> Ian
>> 
>> On 28 Jun 2010, at 17:36, Anthony Whyte wrote:
>> 
>> > We are now at work on readying the 2.6.x branch for a sakai-2.6.3 maintenance release (release date is yet to be determined).  The current recommended version of Tomcat for Sakai 2.6 is Tomcat 5.5.26 (released Feb 2008).  Both Alan and I think it worth discussing whether or not we should consider releasing sakai-2.6.3 with an updated Tomcat 5.5 version recommendation (5.5.28 or 5.5.29).  Alan is prepared to test 2.6.x using Tomcat 5.5.28 (released Sep 2009) or 5.5.29 (released Apr 2010).  Sakai 2.7.0 was tested against Tomcat 5.5.28.
>> >
>> > One change for 2.6 deployers who choose to run Sakai in Tomcat 5.5.27+ is the requirement to add the following system property in order to disable strict quote escaping, a change in Tomcat *.jsp handling that has yet to be addressed in certain tools such as portfolios (see SAK-15736).
>> >
>> > -Dorg.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING=false
>> >
>> > This workaround has been noted in the 2.6 install guides for quite some time and is by no means a surprise requirement.
>> >
>> > Tomcat 5.5.27-29 contain a number of security fixes that improve upon Tomcat 5.5.26 (see link below).   Looking over the Tomcat change log I don't see anything that raises any red flags (see link below).  But others should review the changes and raise any potential concerns. 
>> >
>> > Finally if you are running a Sakai 2.6 tag or 2.6.x in production using Tomcat 5.5.27+ please let us know whether or not based on your experience you think we should test 2.6.x against an upgraded version of Tomcat.
>> >
>> > Cheers,
>> >
>> > Anthony
>> >
>> > _____________________________
>> >
>> > Tomcat Security
>> >
>> > Tomcat 5.5 security fixes: http://tomcat.apache.org/security-5.html
>> >
>> > Tomcat change log
>> >
>> > http://tomcat.apache.org/tomcat-5.5-doc/changelog.html
>> >
>> > Tomcat Release Notes
>> >
>> > 5.5.29 http://tomcat.apache.org/tomcat-5.5-doc/RELEASE-NOTES.txt
>> > 5.5.28 http://archive.apache.org/dist/tomcat/tomcat-5/v5.5.28/RELEASE-NOTES
>> > 5.5.27 http://archive.apache.org/dist/tomcat/tomcat-5/v5.5.27/RELEASE-NOTES
>> >
>> > _______________________________________________
>> > sakai-dev mailing list
>> > sakai-dev at collab.sakaiproject.org
>> > http://collab.sakaiproject.org/mailman/listinfo/sakai-dev
>> >
>> > TO UNSUBSCRIBE: send email to sakai-dev-unsubscribe at collab.sakaiproject.org with a subject of "unsubscribe"
>> 
>> _______________________________________________
>> sakai-dev mailing list
>> sakai-dev at collab.sakaiproject.org
>> http://collab.sakaiproject.org/mailman/listinfo/sakai-dev
>> 
>> TO UNSUBSCRIBE: send email to sakai-dev-unsubscribe at collab.sakaiproject.org with a subject of "unsubscribe"
>> 
>> 
>> _______________________________________________
>> production mailing list
>> production at collab.sakaiproject.org
>> http://collab.sakaiproject.org/mailman/listinfo/production
>> 
>> TO UNSUBSCRIBE: send email to production-unsubscribe at collab.sakaiproject.org with a subject of "unsubscribe"
> 
> _______________________________________________
> production mailing list
> production at collab.sakaiproject.org
> http://collab.sakaiproject.org/mailman/listinfo/production
> 
> TO UNSUBSCRIBE: send email to production-unsubscribe at collab.sakaiproject.org with a subject of "unsubscribe"

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://collab.sakaiproject.org/pipermail/sakai-qa/attachments/20100629/3bbbcb5f/attachment-0001.html 


More information about the sakai-qa mailing list