tomcat9 will no longer work with jre8 on Ubuntu 22.04 (jammy)+ or Debian 11(bookworm)+

[James Bowden]

Hello all,

I am writing this messaging mostly as a heads up to the XNAT development team.

I have recently taken to deploying XNAT directly on Debian and Ubuntu servers using the tomcat9 package found in their repositories. My reason for doing this is that I believe docker introduces unnecessary complexity and also raises a number of security concerns (which I will not go into here).

During this process I have noticed that on Ubuntu 22.04 XNAT crashes with the following error:

> Message java.lang.UnsupportedClassVersionError: org/eclipse/jdt/internal/compiler/env/INameEnvironment has been compiled by a more recent version of the Java Runtime (class file version 55.0), this version of the Java Runtime only recognizes class file versions up to 52.0

This error is caused by the fact that Debian/Ubuntu's `libtomcat9-java` package depends on a package named `libeclipse-jdt-core-java`, and newer versions of `libeclipse-jdt-core-java` (>=4.21) are compiled with Java 11.

This means that XNAT can already not be deployed to the latest LTS release of Ubuntu (22.04) using the tomcat9 package provided by operating system.

This also means that XNAT will not be able to be deployed using the tomcat9 package provided in the next release of Debian (bookworm is currently in "testing"), even if you make use of the of the Adopt/Adoptium OpenJDK8 third party repository as suggested in the XNAT installation guide.

Please take a look at the following bug reports:
https://bugs.launchpad.net/ubuntu/+source/tomcat9/+bug/1972829
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1006647

It appears that the Debian team's solution is to drop support for JRE8 altogether, since they no longer provide a package for it anyway.

Ubuntu may continue to provide a package for openjdk-8-jre, however it seems tomcat9 will no longer support it.

My hope is that we can find and/or create some apt source for a compatible version of `libeclipse-jdt-core-java`, or upgrade XNAT to work with JRE 11+.

So yes, once again please just consider this a heads up and a nudge for the development team to look for a solution, as XNAT is rapidly becoming incompatible with the software shipped with modern operating systems.

Kind regards,

James

[Herrick, Rick]

Hey James,

 

Thanks for the head’s up and detailed description of the issue. We’ll have a look at this sometime soon. I’m very aware of our impending obsolescence in this regard! Java 11 is a big jump, much more than 6 -> 7 or 7 -> 8, but is definitely something we’ll address soon, even if just for compatibility.

 

-- 

Rick Herrick

XNAT Architect/Developer

Computational Imaging Laboratory

Washington University School of Medicine

 

 

From: xnat_di...@googlegroups.com <xnat_di...@googlegroups.com> on behalf of James Bowden <james....@med.uni-goettingen.de>
Date: Thursday, May 12, 2022 at 10:05 AM
To: xnat_discussion <xnat_di...@googlegroups.com>
Subject: [XNAT Discussion] tomcat9 will no longer work with jre8 on Ubuntu 22.04 (jammy)+ or Debian 11(bookworm)+

* External Email - Caution *

--
You received this message because you are subscribed to the Google Groups "xnat_discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to xnat_discussi...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/xnat_discussion/84055e42-a38c-45d6-ae57-8ba3d5567bfcn%40googlegroups.com.

 

---

The materials in this message are private and may contain Protected Healthcare Information or other information of a sensitive nature. If you are not the intended recipient, be advised that any unauthorized use, disclosure, copying or the taking of any action in reliance on the contents of this information is strictly prohibited. If you have received this email in error, please immediately notify the sender via telephone or return mail.

[James Bowden]

Hey Rick,

Glad to hear this is something that is already being considered, and I am sorry to hear that migrating to Java 11 is a large task. I wish you the best of luck.

I would like to ask if the XNAT team has considered running their own package repository for one of the popular Linux distributions (ie a apt repository for Debian-like systems or a Yum repository for RHEL/CentOS like systems)?

This way you could distribute XNAT with all it's dependencies pinned to compatible versions, and worry less about decisions and changes made by the upstream OS maintainers.

 It would also help with increasing the security and trustworthiness of your software distributions, as these package managers support the signing of packages with GPG, meaning that users can have more confidence that the package they are installing is a legitimate XNAT release signed by a trusted source.

Currently the distributed WAR files are unsigned, and it appears that your developers are not even making use of GPG to sign their git commits or release tags (see: https://git-scm.com/book/en/v2/Git-Tools-Signing-Your-Work), so even building XNAT from source has it's security concerns in this regard.

Maybe this is a topic for another thread, but I thought I'd raise this concern here since the topic came to mind.

Once again thank you for for the quick response and I wish you the best of luck with the continued development of XNAT in the future.

All the best,

James

[james...@gmail.com]

Hey Rick,

Any update on continued long term Debian or Ubuntu support? (and sorry for the extra long message last time). I've been  using the Adopt/Adoptium OpenJDK8 repo since I fist made this post and I'm getting some push back from the IT sec team since they prefer us to use their repo mirrors hosted in the their data center. And they are just generally a suspicious bunch (as they should be)

I have noticed on the mailing list that a lot of people seem to be using CentOS with little to no issues to work around. Is this true? I guess I wouldn't mind switching to CentOS/RHEL but it would be a bit of a headache since i've been using deb based repos for almost 20 years and don't fancy relearning the idiosyncrasies and muscle merrory

All the best,
James