Support for the tomcat8 package
On Ubuntu 16.04 I've been using the tomcat8 package. I enjoyed an automatic installation process and was guaranteed to receive packaged security updates for 5 years courtesy of Canonical. So, even though version 8.0 has been declared EOL, I can still use it on my Ubuntu server knowing that any vulnerabilities are going to be addressed.
$ ubuntu-support-status --show-supported
Supported until April 2021 (Canonical - 5y):
tomcat8 tomcat8-admin tomcat8-common
Much to my dismay, on Ubuntu 18.04 the tomcat8 package has been moved to Universe. In my understanding, there is no support guarantee and security patches may or may not be distributed as long as the mainstream product is supported by the Apache Foundation.
Is my understanding of things correct? Is there a convenient way to keep tomcat patched with security updates on Ubuntu 18.04 as easily as with 16.04?
Update: To be clearer, with 16.04 I could simply run apt update tomcat8 and be sure that there would be no vulnerabilities left unpatched. Running the same command today on 18.04, I get version 8.5.30-1ubuntu1 which is behind the latest available (8.5.37) and apparently affected by more than one known vulnerabilities.
server package-management updates security tomcat
asked Jan 15 at 14:18
simlevsimlev
1582212
add a comment |
On Ubuntu 16.04 I've been using the tomcat8 package. I enjoyed an automatic installation process and was guaranteed to receive packaged security updates for 5 years courtesy of Canonical. So, even though version 8.0 has been declared EOL, I can still use it on my Ubuntu server knowing that any vulnerabilities are going to be addressed.
$ ubuntu-support-status --show-supported
Supported until April 2021 (Canonical - 5y):
tomcat8 tomcat8-admin tomcat8-common
Much to my dismay, on Ubuntu 18.04 the tomcat8 package has been moved to Universe. In my understanding, there is no support guarantee and security patches may or may not be distributed as long as the mainstream product is supported by the Apache Foundation.
Is my understanding of things correct? Is there a convenient way to keep tomcat patched with security updates on Ubuntu 18.04 as easily as with 16.04?
Update: To be clearer, with 16.04 I could simply run apt update tomcat8 and be sure that there would be no vulnerabilities left unpatched. Running the same command today on 18.04, I get version 8.5.30-1ubuntu1 which is behind the latest available (8.5.37) and apparently affected by more than one known vulnerabilities.
server package-management updates security tomcat
asked Jan 15 at 14:18
simlevsimlev
1582212
add a comment |
On Ubuntu 16.04 I've been using the tomcat8 package. I enjoyed an automatic installation process and was guaranteed to receive packaged security updates for 5 years courtesy of Canonical. So, even though version 8.0 has been declared EOL, I can still use it on my Ubuntu server knowing that any vulnerabilities are going to be addressed.
$ ubuntu-support-status --show-supported
Supported until April 2021 (Canonical - 5y):
tomcat8 tomcat8-admin tomcat8-common
Much to my dismay, on Ubuntu 18.04 the tomcat8 package has been moved to Universe. In my understanding, there is no support guarantee and security patches may or may not be distributed as long as the mainstream product is supported by the Apache Foundation.
Is my understanding of things correct? Is there a convenient way to keep tomcat patched with security updates on Ubuntu 18.04 as easily as with 16.04?
Update: To be clearer, with 16.04 I could simply run apt update tomcat8 and be sure that there would be no vulnerabilities left unpatched. Running the same command today on 18.04, I get version 8.5.30-1ubuntu1 which is behind the latest available (8.5.37) and apparently affected by more than one known vulnerabilities.
server package-management updates security tomcat
asked Jan 15 at 14:18
simlevsimlev
1582212
On Ubuntu 16.04 I've been using the tomcat8 package. I enjoyed an automatic installation process and was guaranteed to receive packaged security updates for 5 years courtesy of Canonical. So, even though version 8.0 has been declared EOL, I can still use it on my Ubuntu server knowing that any vulnerabilities are going to be addressed.
$ ubuntu-support-status --show-supported
Supported until April 2021 (Canonical - 5y):
tomcat8 tomcat8-admin tomcat8-common
Much to my dismay, on Ubuntu 18.04 the tomcat8 package has been moved to Universe. In my understanding, there is no support guarantee and security patches may or may not be distributed as long as the mainstream product is supported by the Apache Foundation.
Is my understanding of things correct? Is there a convenient way to keep tomcat patched with security updates on Ubuntu 18.04 as easily as with 16.04?
Update: To be clearer, with 16.04 I could simply run apt update tomcat8 and be sure that there would be no vulnerabilities left unpatched. Running the same command today on 18.04, I get version 8.5.30-1ubuntu1 which is behind the latest available (8.5.37) and apparently affected by more than one known vulnerabilities.
server package-management updates security tomcat
server package-management updates security tomcat
asked Jan 15 at 14:18
simlevsimlev
1582212
asked Jan 15 at 14:18
simlevsimlev
1582212
edited 2 days ago
simlev
asked Jan 15 at 14:18
simlevsimlev
1582212
asked Jan 15 at 14:18
simlevsimlev
1582212
asked Jan 15 at 14:18
simlevsimlev
1582212
1582212
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
In my understanding, there is no support guarantee and security patches may or may not be distributed as long as the mainstream product is supported by the Apache Foundation.
Correct but it is in their best interest to keep support up as long as possible.
Is there a convenient way to keep tomcat patched with security updates on Ubuntu 18.04 as easily as with 16.04?
Nothing changes for you; it only comes from a more direct channel so if anything you should see updates appear quicker and not just security updates.
Old: update tomcat by Apache -> Ubuntu security team evaluates changes and adds patches if that specific package has Ubuntu related changes -> update to you.
New: update tomcat by Apache -> update to you.
Canonical decided to kill the changes made to the package and as such could take it out of security. The fewer the changes to our default install means fewer issues. It is likely to happen and has happened with lots of other software since Canonical stopped with Unity: we are going back to the original source for our software.
answered Jan 15 at 14:33
RinzwindRinzwind
205k28390526
Thank you for the answer. I don't see it as an improvement, though, since in practice I end up having insecure tomcat versions. I'm thinking of a way of always having the latest version, maybe Docker can help...
– simlev
Jan 15 at 15:10
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "89"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1109961%2fsupport-for-the-tomcat8-package%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
In my understanding, there is no support guarantee and security patches may or may not be distributed as long as the mainstream product is supported by the Apache Foundation.
Correct but it is in their best interest to keep support up as long as possible.
Is there a convenient way to keep tomcat patched with security updates on Ubuntu 18.04 as easily as with 16.04?
Nothing changes for you; it only comes from a more direct channel so if anything you should see updates appear quicker and not just security updates.
Old: update tomcat by Apache -> Ubuntu security team evaluates changes and adds patches if that specific package has Ubuntu related changes -> update to you.
New: update tomcat by Apache -> update to you.
Canonical decided to kill the changes made to the package and as such could take it out of security. The fewer the changes to our default install means fewer issues. It is likely to happen and has happened with lots of other software since Canonical stopped with Unity: we are going back to the original source for our software.
answered Jan 15 at 14:33
RinzwindRinzwind
205k28390526
Thank you for the answer. I don't see it as an improvement, though, since in practice I end up having insecure tomcat versions. I'm thinking of a way of always having the latest version, maybe Docker can help...
– simlev
Jan 15 at 15:10
add a comment |
In my understanding, there is no support guarantee and security patches may or may not be distributed as long as the mainstream product is supported by the Apache Foundation.
Correct but it is in their best interest to keep support up as long as possible.
Is there a convenient way to keep tomcat patched with security updates on Ubuntu 18.04 as easily as with 16.04?
Nothing changes for you; it only comes from a more direct channel so if anything you should see updates appear quicker and not just security updates.
Old: update tomcat by Apache -> Ubuntu security team evaluates changes and adds patches if that specific package has Ubuntu related changes -> update to you.
New: update tomcat by Apache -> update to you.
Canonical decided to kill the changes made to the package and as such could take it out of security. The fewer the changes to our default install means fewer issues. It is likely to happen and has happened with lots of other software since Canonical stopped with Unity: we are going back to the original source for our software.
answered Jan 15 at 14:33
RinzwindRinzwind
205k28390526
Thank you for the answer. I don't see it as an improvement, though, since in practice I end up having insecure tomcat versions. I'm thinking of a way of always having the latest version, maybe Docker can help...
– simlev
Jan 15 at 15:10
add a comment |
In my understanding, there is no support guarantee and security patches may or may not be distributed as long as the mainstream product is supported by the Apache Foundation.
Correct but it is in their best interest to keep support up as long as possible.
Is there a convenient way to keep tomcat patched with security updates on Ubuntu 18.04 as easily as with 16.04?
Nothing changes for you; it only comes from a more direct channel so if anything you should see updates appear quicker and not just security updates.
Old: update tomcat by Apache -> Ubuntu security team evaluates changes and adds patches if that specific package has Ubuntu related changes -> update to you.
New: update tomcat by Apache -> update to you.
Canonical decided to kill the changes made to the package and as such could take it out of security. The fewer the changes to our default install means fewer issues. It is likely to happen and has happened with lots of other software since Canonical stopped with Unity: we are going back to the original source for our software.
answered Jan 15 at 14:33
RinzwindRinzwind
205k28390526
In my understanding, there is no support guarantee and security patches may or may not be distributed as long as the mainstream product is supported by the Apache Foundation.
Correct but it is in their best interest to keep support up as long as possible.
Is there a convenient way to keep tomcat patched with security updates on Ubuntu 18.04 as easily as with 16.04?
Nothing changes for you; it only comes from a more direct channel so if anything you should see updates appear quicker and not just security updates.
Old: update tomcat by Apache -> Ubuntu security team evaluates changes and adds patches if that specific package has Ubuntu related changes -> update to you.
New: update tomcat by Apache -> update to you.
Canonical decided to kill the changes made to the package and as such could take it out of security. The fewer the changes to our default install means fewer issues. It is likely to happen and has happened with lots of other software since Canonical stopped with Unity: we are going back to the original source for our software.
answered Jan 15 at 14:33
RinzwindRinzwind
205k28390526
answered Jan 15 at 14:33
RinzwindRinzwind
205k28390526
answered Jan 15 at 14:33
RinzwindRinzwind
205k28390526
answered Jan 15 at 14:33
RinzwindRinzwind
205k28390526
205k28390526
Thank you for the answer. I don't see it as an improvement, though, since in practice I end up having insecure tomcat versions. I'm thinking of a way of always having the latest version, maybe Docker can help...
– simlev
Jan 15 at 15:10
add a comment |
Thank you for the answer. I don't see it as an improvement, though, since in practice I end up having insecure tomcat versions. I'm thinking of a way of always having the latest version, maybe Docker can help...
– simlev
Jan 15 at 15:10
Thank you for the answer. I don't see it as an improvement, though, since in practice I end up having insecure tomcat versions. I'm thinking of a way of always having the latest version, maybe Docker can help...
– simlev
Jan 15 at 15:10
Thank you for the answer. I don't see it as an improvement, though, since in practice I end up having insecure tomcat versions. I'm thinking of a way of always having the latest version, maybe Docker can help...
– simlev
Jan 15 at 15:10
add a comment |
Thanks for contributing an answer to Ask Ubuntu!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2faskubuntu.com%2fquestions%2f1109961%2fsupport-for-the-tomcat8-package%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
