On Sun, Jun 09, 2019 at 04:19:53PM -0700, tony mancill wrote:
> On Sun, Jun 09, 2019 at 09:54:50PM +0200, Paul Gevers wrote:
> > Hi,
> > 
> > On 05-06-2019 22:28, Paul Gevers wrote:
> > > I really want bug 900912 and 925071 fixed. It seems that is missing from
> > > your second approach. Let me sleep on it. What are the chances of you
> > > agreeing on doing the +really upstream version dance such that we can
> > > get some testing done in unstable?
> > 
> > Hmm, I forgot I hinted at a follow up from me while I was waiting for a
> > response from you.
> > 
> > Let's get this thing moving. We are running out of time (I do want to
> > have some time where the package is actually used before the release). I
> > still prefer a version via unstable that I can approve from there, but
> > if this is too difficult because of version mangling (hinted in
> > private), then please upload to tpu. You asked my preference for two
> > versions by you, I suggest to go with the version based on the highest
> > one that has been in unstable already.
> 
> Hi Paul,
> 
> I thought perhaps there was a side conversation going on, so thank you
> for resuming the thread.  Of the two debdiffs I included before, neither
> was based on the current version in unstable, 11.0.4+4-1.  I will start
> with that package and patch upstream back to 11.0.3+7.
> 
> For an upload to unstable the version will be: 
> 
>   11.0.4+4+really11.0.3+7-1
> 
> which will also roll unstable back to the upstream GA release.

Hi Paul,

I have been thinking about risk (to our users) and adequate testing and
now believe that I should revisit my position that buster should ship
with 11.0.3+7 (the 11.0.3 GA).  From what I understand, the Security
Team is willing to take the 11.0.4 GA once it is available in July:

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=928185#67

In that case, instead of taking buster through this sequence:

  11.0.3+1 (buster now) -> 11.0.3+7 (soon) -> 11.0.4 GA (July)

It seems less disruptive and allows for more testing to do:

  11.0.4+4 (in unstable now) -> 11.0.4 GA (July)

This addresses the open CVEs in buster and the 2 important bugs Paul
mentions above.  It will also give us more time to test against 11.0.4
before distributing it via security updates.  As a minor bonus, it also
avoids downgrading the JVM in unstable and doing odd things to the
versioning and packaging repo.

This aligns with what Matthias proposed here:

  https://lists.debian.org/debian-java/2019/06/msg00002.html

Emmanuel, I recognize that I am reversing position on this.  I know
that you had expressed reservations about shipping with an EA version as
well.  I took a look at the diffs between 11.0.3+7 and 11.0.4+4, and
although there are a lot of them, they don't look particularly scary.
Do you have specific concerns?

In summary, what if we update this unblock to apply to the current
version in unstable?

Thanks,
tony
