I’m not the first one struggling with this, but I could not find much in the forum here…
We just upgraded to Debian Bookworm only to notice (to our surprise, should have done more research in advance…) that the Xwiki Debian packages are not compatible with Tomcat 10 shipped with Bookworm, and Tomcat 9 is not shipped by Debian any more (and thus will not receive any security fixes)…
It’s the horrendous javax-vs-jakarta monster biting again…
As I understand, manually installing the WAR in Tomcat 10 logically also won’t work.
I’d really prefer not to install an older Tomcat 9 manually and have to keep track of security patches myself (not getting any package updates any more).
Similar issue with Docker containers - it will be heavier, and I currently don’t have any automated solution to keep Docker containers up-to-date in the light of security issues.
How is everyone else here serving Xwiki?
Do the official Xwiki Docker containers come with timely security updates?
How to more or less automate security update installation, while being able to choose the right point in time to do so?
Maybe I should stay on Bullseye’s tomcat9 packages with a mixed-repository setup - in this case it would be important to know if we get an upgrade path though.
Is a Tomcat 10 compatible Xwiki release in the works? Will the next LTS support Tomcat 10?
We started thinking about it, but there is a lot of work (and a lot of breakages…), and especially we need all our dependencies to move to jakarta (which is most probably not going to happen, so even more work to replace some of them). The current hope is to fully switch to jakarta in 17.0, so in January 2025 (which means, in terms of LTS, i.e. 17.10.x, end of 2025).
One thing I personally did not try yet (mainly because my hopes are pretty low, to be honest) is to use the Tomcat 10 compatibility layer.
What I plan to spend time on in the shorter term is a Debian package bringing the XWiki Jetty package so that it can be used instead of the tomcat one in Debian 12+. Note that Ubuntu kept the tomcat9 package for now if you want something as close as possible to Debian without downgrading to Debian 11.
@watery: My Tomcat is reachable through the Internet, even though currently only after previous user authentication (behind an authenticating Apache 2 reverse proxy) - but I’d still prefer to run a supported version.
Also for Intranets I often read that most break-ins originate from within the network already - by e.g. getting a user to run malware with the restricted user account, and then trying to identify targets for access and privilege escalation within the network. So that’s something to keep in mind.
@tmortagne: I now added the Debian 11 repositories in addition to the Debian 12 repositories. This will provide Tomcat 9 security and maintenance upgrades while it’s still supported in Debian 11. (Not sure if Tomcat will be covered by their extended LTS support, need to check.)
I currently don’t know how long Tomcat 9 will be supported upstream in general, though. I could not easily find an official statement on that at the Tomcat page or by googling.
Regarding Jetty, the Xwiki documentation seems to recommend against deploying it in production scenarios?
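The mixed-repository setup described above, as an added example (not code from the original post or from the XWiki project): a POSIX shell script that writes a Debian 11 (bullseye) overlay onto a Debian 12 host and pins it so that only the tomcat9 packages come from bullseye and bullseye-security, while everything else stays on bookworm. The exact tomcat9 package names in the pin, the file names under /etc/apt and the `--write` flag are assumptions; the script takes a root directory argument so it can be dry-run into a scratch directory first.

```shell
#!/bin/sh
# Added example: overlay bullseye on a bookworm host for tomcat9 only.
# Everything from bullseye is pinned below "never install" (-10) except the
# tomcat9 packages, which get the normal default priority (500) again, so they
# install from bullseye and keep receiving bullseye-security updates.
set -u

# Write the apt configuration under $1 (defaults to /). Passing a scratch
# directory lets you inspect the files before copying them to the real host.
write_mixed_repo_config() {
    root="${1:-/}"
    mkdir -p "$root/etc/apt/sources.list.d" \
             "$root/etc/apt/preferences.d" \
             "$root/etc/apt/apt.conf.d"

    # 1. bullseye sources, including the security suite that carries the fixes.
    cat > "$root/etc/apt/sources.list.d/bullseye.list" <<'EOF'
deb http://deb.debian.org/debian bullseye main
deb http://security.debian.org/debian-security bullseye-security main
EOF

    # 2. Pin all of bullseye to -10 (never install), then re-raise only the
    #    tomcat9 packages to 500. Specific-form records (named packages) take
    #    precedence over the "*" general-form records in apt_preferences(5).
    #    The package list is an assumption; extend it if apt reports unmet deps.
    cat > "$root/etc/apt/preferences.d/tomcat9-from-bullseye" <<'EOF'
Package: *
Pin: release n=bullseye
Pin-Priority: -10

Package: *
Pin: release n=bullseye-security
Pin-Priority: -10

Package: tomcat9 tomcat9-common libtomcat9-java tomcat9-admin tomcat9-user
Pin: release n=bullseye
Pin-Priority: 500

Package: tomcat9 tomcat9-common libtomcat9-java tomcat9-admin tomcat9-user
Pin: release n=bullseye-security
Pin-Priority: 500
EOF

    # 3. Only matters if unattended-upgrades is installed: its stock config
    #    matches ${distro_codename}-security (= bookworm-security here), so the
    #    bullseye security origin has to be added explicitly.
    cat > "$root/etc/apt/apt.conf.d/51tomcat9-bullseye-security" <<'EOF'
Unattended-Upgrade::Origins-Pattern {
    "origin=Debian,codename=bullseye-security,label=Debian-Security";
};
EOF
}

# List the packages that are allowed in from bullseye (reads the pin file back).
pinned_packages() {
    sed -n 's/^Package: \(tomcat9.*\)$/\1/p' \
        "$1/etc/apt/preferences.d/tomcat9-from-bullseye" | sort -u
}

# On the real host, verify the result: tomcat9 should show a bullseye candidate
# and any unrelated package (e.g. openssl) should still come from bookworm.
show_pin_policy() {
    apt-get update
    apt-cache policy tomcat9 libtomcat9-java openssl
}

# Usage: ./mixed-repo.sh --write /tmp/stage   (dry run into a scratch dir)
#        ./mixed-repo.sh --write /             (apply on the host, as root)
if [ "${1:-}" = "--write" ]; then
    write_mixed_repo_config "${2:-/}"
    pinned_packages "${2:-/}"
fi
```

After applying, `apt-cache policy` is the check worth running: the tomcat9 packages should list a bullseye or bullseye-security candidate, and every other package should still have its bookworm version as candidate with the bullseye version shown at priority -10. The `-10` pin is what keeps the overlay from silently pulling Debian 11 libraries onto a Debian 12 host; if a tomcat9 dependency is missing, add it to the named package list rather than raising the general priority.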
This disclaimer is more related to HSQLDB than Jetty. The idea would be to use the Jetty package but continue with the current mariadb, mysql or postgresql options.