MainInclusionReportTomcat6

Main Inclusion Report for tomcat6

Requirements

  1. Availability: http://archive.ubuntu.com/ubuntu/pool/universe/t/tomcat6; available for all supported architectures.

  2. Rationale:

    • Apache Tomcat 6 is a long-wanted feature in Ubuntu and is a necessary step in our effort to make Ubuntu and Ubuntu Server an adequate enterprise Java platform.
    • This is a new feature scheduled for the 8.10 release, see approved blueprint for reference.

  3. Security:

    • CVE entries: Apache Tomcat in general has a rather long security history, though the Tomcat 6.0 security design is better than the horrible 3.x / 4.x series. Released in October 2006, the Tomcat 6.0 line was hit by 16 CVEs. Most of them are information leaks (source code access, directory traversals) and cross-site scripting issues in the provided example webapps.

    • Upstream reactivity: As with most ASF packages, security issues are taken seriously and treated in an appropriate manner.
    • Secunia history: Secunia lists 10 advisories on its Tomcat 6.x page. The most critical ones were "Moderately Critical".

    • The Tomcat 6 daemon runs as the tomcat6 user. No suid/sgid binaries.
    • Network activity: Tomcat 6 opens several network ports. By default it opens an HTTP Connector port (8080) and an AJP Connector port (8009). It handles remote requests from untrusted clients.
    • Tomcat 6 does not directly process binary data. It just processes AJP/HTTP client requests.
    • No source code review performed. Fortify scans the latest Tomcat as part of its Java Open Review project and they found 1.615 estimated defects/KLOC (and 0 confirmed defects).

  4. Quality assurance:

    • The package is known to work out of the box without configuration in all situations.
    • The package does not ask any debconf questions higher than priority 'medium'.
    • Debian bugs: none (but the Debian package only builds libservlet2.5-java).

    • Maintenance in Debian is very calm. No answer so far to my new packaging proposals.

    • Upstream is vigorous and responsive. As an example, security fixes for the Tomcat 4.1 line (released in 2003) will be shipped until at least June 2009.

    • Upstream bug tracker: most bugs filed are enhancement requests, no showstoppers.

    • Hardware: this package does not deal with hardware.
    • There is a small test suite in the upstream source; it is not run as part of the build at the moment.

  5. Standards compliance:

    • The new Tomcat 6 packaging conforms to the FHS. It is also compliant with Debian Policy, in particular the Java library and webapps subpolicies.

    • The package uses the debhelper packaging system, together with quilt as the patch system.

  6. Dependencies:

  7. Background information:

    • General purpose and context of the package (Servlet/JSP container) is clear from the package's debian/control file.
    • Upstream calls this software "Apache Tomcat 6.0".

Reviewers

MIR bug: https://launchpad.net/bugs/260382

ThierryCarrez

MainInclusionReportTomcat6 (last edited 2008-08-22 13:32:27 by lns-bzn-48f-81-56-218-246)