Hi team,
We're migrating to Jetty and we do have some questions related with Jetty
maintenance.
1. Does Jetty have separate security patches or bugs are fixed within a new
release?
Occasionally we have had specific security patches, but our most common response to security issue is to release a new version. Typically this will be on all active branches (9.4 and 10.0), but if the issue is significant we also will do 9.2 and 9.3 releases as well.
There are no security fixes for jetty < 9
2. If Jetty does have security patches, how often are they provided?
As above, they are included in regular releases unless there is a very special case. I can recall only a single instance of us needing to provide a patched jar for existing releases.
3. Does Jetty have a fixed schedule of upgrades? I looked at the release log
of 9.4.x versions, and it's updated approximately monthly
No. We release as often as necessary - frequency varies from several weeks to several months
4. We're running a standalone Jetty server, how can we upgrade Jetty to a
newer version? Just replace the ZIP file?
The intention of the jetty-home vs jetty-base layout is that you should not put any of your modifications into the unpacked jetty distribution - instead you put them all into a jetty-base directory. You can then upgrade simply by changing which jetty-home directory you are using. The following command sequence illustrates this:
JETTY_HOME=/opt/jetty-9.4.25
# create your application base directory
# configure a server in the base directory
java -jar $JETTY_HOME --create-startd --add-to-start=http,webapp,deploy
# deploy your application
cp $HOME/src/myapp/target/myapp.war webapp
JETTY_HOME=/opt/jetty-9.4.27
# start the upgraded server