On Thu, Nov 26, 2020 at 08:07:47AM +0000, Adam D. Barratt wrote:
> Control: tags -1 + confirmed
>
> On Wed, 2020-11-25 at 20:23 -0800, tony mancill wrote:
> > I propose that openjdk-11 be updated to upstream 11.0.9.1+1 in the
> > upcoming stable point release. This update addresses a regression
> > [1] introduced in upstream release 11.0.9+11, which is present in
> > buster via a security upload [2]. This keeps Debian on par with
> > other vendors - e.g. RedHat [3], Ubuntu [4], and AdoptOpenJDK [5] -
> > and introduces the same upstream version currently available in
> > testing and unstable.
> >
> > Without this update, users may encounter crashes during bytecode
> > compilation. Since this is not an optional component of the JVM,
> > there is no work-around and users would have to downgrade to 11.0.8
> > (which has open CVEs).
> >
> > I have prepared an update and performed basic smoke-testing of the
> > resulting binaries. The attached debdiff is based on the version
> > uploaded by Moritz Mühlenhoff for the DSA, 11.0.9+11-1~deb10u1. I
> > checked with the OpenJDK Maintainers [6], where we agreed that this
> > update for the regression wouldn't follow the DSA process.
>
> I'd have been more inclined to suggest fixing it via a DSA as a
> regression if it's going to affect lots of users (even though it's not
> a security update), given that's how the issue was introduced in the
> first place. I can see Moritz was involved in the discussion though, so
> I'm not going to push that too much right now. But this really
> shouldn't end up being SRM having to choose between security
> regressions or functional regressions for users when the latter were
> introduced via a DSA.
>
> One difference between stable and unstable/testing that might be
> relevant here is that stable still has the mips architecture. I have to
> be honest that, from previous experiences with OpenJDK updates in
> (old)stable, that and the reintroduction of tests being run does
> concern me. But fingers crossed it all turns out fine.
Hi Adam,

Thank you for considering this. An upstream regression introduced via a DSA does seem like it could go both ways (and OpenJDK always seems to be the exception to the rule).

Does the confirmed tag indicate that I should proceed with a source upload?

Thank you,
tony