================================================================================
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
================================================================================

$Id: STATUS.txt 958980 2010-06-29 14:09:09Z jfclere $

                         =================================
                         Apache Tomcat 6.0 Patch Proposals
                         =================================


RELEASE SHOWSTOPPERS:


PATCHES ACCEPTED TO BACKPORT:
  [ start all new proposals below, under PATCHES PROPOSED. ]


PATCHES PROPOSED TO BACKPORT:
  [ New proposals should be added at the end of the list ]

* Fix the maven stuff for the maven repo.
  Before it doesn't find tomcat-juli.jar and the remoteRepository seems broken.
  http://people.apache.org/~jfclere/patches/maven.patch
  +1: jfclere
  -1: fhanik - easier to pass in the root path (lib/bin) to the macro instead of hacking around it
               if we remove the SCP auto feature, then there should be something to replace it with
               (http://ant.apache.org/manual/OptionalTasks/scp.html)  
  -1: kkolinko: 
       1. Ignoring ${maven.repo.url} in <remoteRepository/> does not look good,
        because that is a valuable argument, provided by deploy-snapshot,
        deploy-staging and deploy-release targets.
        I say/agree that there can be several implementations of this deploy
        action (ssh + key, local, ssh + pwd?), so maybe split it into several
        implementations and select one based on what property is defined.
       2. It publishes wrong tomcat-juli.jar, as already noted,
        http://markmail.org/message/5sysomjlrfhcd3ec

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=48545
  Truststores don't have to have passwords
  Based on a patch by 'smmwpf54'
  http://svn.apache.org/viewvc?view=revision&revision=910266
  +1: markt
  -1: jfclere: Doc says it should use keystorePass (http://tomcat.apache.org/tomcat-6.0-doc/config/http.html),
               so that would break existing configurations.
      markt: It shouldn't break existing configs. JSSE allows trust stores to be
             read without providing the password

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=49030
  Failure of one connector should not leave some connectors started and some
  ignored
  http://people.apache.org/~markt/patches/2010-06-14-bug49030.patch
  +1: markt
  -1: kkolinko: it breaks the fix for BZ 48625
    https://issues.apache.org/bugzilla/show_bug.cgi?id=49030#c4

  Alternative patch:
  https://issues.apache.org/bugzilla/attachment.cgi?id=25633
  +1: kkolinko
  -1:

* Configure Tomcat to use HttpOnly for session cookies by default
  http://people.apache.org/~kkolinko/patches/2010-04-21_tc6_context_httpOnly.patch
  +1: kkolinko
  -0: markt - There wasn't consensus previously.
            - If you are going to change the default, do it in the code
  -1:

* Backport a couple of loader fixes and enhancements:

  Expose the new WebappLoader flag in the VirtualWebappLoader,
  but allow alternative name searchVirtualFirst to make it
  consistent with the "virtual" terminology.
  Now you can decide whether the virtual paths will
  be searched before the webapp or after it.
  If searched before, external resources take precedence
  over internal ones. Before that change one couldn't overwrite
  resources already present in the webapp.
  http://svn.apache.org/viewvc?view=revision&revision=936825
  http://people.apache.org/~rjung/patches/2010-05-14-loader-backport-r936825.patch
  +1: rjung
  -1: 
  -0: kkolinko: The patch itself is OK, but I think having a synonym will
   cause confusion. I'd prefer not to invent a new name, but mention the
   one that we already have when documenting virtualClasspath.

  Respect configurable search order in getURLs().
  http://svn.apache.org/viewvc?view=revision&revision=936892
  http://people.apache.org/~rjung/patches/2010-05-14-loader-backport-r936892.patch
  +1: rjung, kkolinko
  -1: 

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=49343
  When ChannelException is thrown, remove listener from channel.
  http://svn.apache.org/viewvc?view=revision&revision=948402
  +1: kfujino, kkolinko
  -1: 
   kkolinko:
    Maybe "this.channel.removeChannelListener(this.rpcChannel);" call
    has to be replaced with "this.rpcChannel.breakdown();"
  
  Additional patch.
  "this.channel.removeChannelListener(this.rpcChannel);" call is 
  replaced with "this.rpcChannel.breakdown();". 
  http://svn.apache.org/viewvc?view=revision&revision=950922
  +1: kfujino, kkolinko
  -1: 

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=49099
  Provide a mechanism for including requests rejected by the CoyoteAdapter in
  the standard access log
  http://people.apache.org/~markt/patches/2010-07-07-bug49099.patch
  This is a backport of: r950587, r950809, r951018, r951093, r951447,
                         r951892, r952295
  +1: markt
  -1: 
   kkolinko: 1) It would be nice to log requests using the timestamp when it was
   received (like HTTPD 2.0+ does), not when it was processed. If that is to be
   implemented, an additional parameter will be needed for the log() method in
   the AccessLog interface. I suppose that might be "long t1, long t2" instead
   of "long time".
   2) I see no way to turn off this feature or filter the output.

* Backport the CSRF prevention filter to Tomcat 6 and configure the Manager and
  Host Manager applications to use it. The configuration is such that using
  the old roles (manager, admin) will work and will bypass the CSRF protection
  but using the new roles (manager-gui, admin-gui etc.) will not bypass the CSRF
  protection.
  http://people.apache.org/~markt/patches/2010-06-26-crsf-prevention-filter-tc6.patch
  +1: markt
  -1: 

* Add support for *.jar pattern in VirtualWebappLoader
  and perform trimming of the tokens.
  I propose the following patch, but without removing the "not for production"
  warning from JavaDoc:
  http://svn.apache.org/viewvc?rev=958615&view=rev
  +1: kkolinko
  -1:
