Page History

...

• We need CI to be running a performance test to check for obvious regressions

TODO - finish this formatting

9.0.x - change default to true for discardfacades

Test removal of recycling - collect GC stats

processorCache == 0 => bad for performance

Document 0 == no cache & performance implications

Secure by default

...

• . Need to extract results over time. How?
• Ensure discardFacades is true for all versions
• processorCache (Http11Processor) == 0 is very bad for performance (approx factor of 2) but very good for security. Document this.
• Could investigate what we could do about the above.
  • Do we need to clear if we don't need to recycle?
  • Are there some recycled objects we could just recreate?
• Shutdown port can have unexpected behaviour if there are two instances on same machine with same settings
  • Start A, Start B, Stop B actually stops A!
  • Switch default shutdown password to ${catalina.base}
• Review TLS settings
  • Vary by JVM
  • Document
  • Do we enable anything that all JVMs disable (TLS 1.1?)
  • Are we using the right default cipher list (check with SSLLabs)?
• Disabled more web applications by default
  • Package was WAR and then name AAA.war.disabled
• SecurityListener - schultz already started these threads on dev@
  • Check for writeable files that should not

...

• • be
  • Anything from the Tomcat security guide

...

• Remove SSI

...

• /

...

• CGI - schultz already started these threads on dev@

Next event

The majority of committers seem to be EU based. Next event likely to be most effective if EU based.

If there is a CoC next year, add on a day again. If not CoC , fosdem?Small group code review

Actions

Today

, before Fosdem is a likely candidate. Need to keep an eye on CoC EU plans.

Next event likely to have a different focus. More code review based. Want to look at:

• HTTP header parsing
• Other areas TBD

Assuming similar costs, we have sufficient funding to run two more events like this.HTTP header parsing review

Accounting

...