On 01/14/2013 11:48 PM, Niels Thykier wrote:
> On 2013-01-15 00:57, David Prévot wrote:
>> tags 698108 + patch
>> thanks
>>
>> Dear maintainer,
>>
>> I've prepared an NMU for java-package (versioned as 0.50+nmu2) and
>> uploaded it to DELAYED/2. Please feel free to tell me if I
>> should delay it longer (or even if I should dcut it to 0-day, given the
>> security matter).
>>
>> If you prefer to fix it in another not intrusive way (not c1fb4d0), I'm
>> happy to (quickly) sponsor your package too.
>>
>> Regards.
>>
>> David
>>
>> [...]
> 
> Seems to me your patch will prevent anyone from using java-package on
> the older Java7 binaries.  If we do remove this support because they are
> infested with security issues making them unsuitable for anything at
> all[1], I think it should have a nice little error message saying "Nope,
> won't do this - That version is vulnerable/unsupported/$whatever".
>   Just so people are aware it is a deliberate choice from "our" side and
> not a buggy script crashing.  (Particularly people have been using it
> with older versions before.  They might be surprised to see that
> non-descriptive error message the reporter included in the original mail).

I had the same thought - there may be a valid reason for someone to want
to run jdk-7u9.  This issue already appears to be addressed in the 0.51
package (but with a different patch).  I'm assuming we want to keep the
patch minimal - can we use these patterns instead?

jdk-7u+([0-9])-linux-i586.tar.gz
jdk-7u+([0-9])-linux-x64.tar.gz

David, if you'd prefer not to upload again, could you remove the upload
and I'll prepare the update.  (But thank you for taking the initiative
in the first place!)

Thank you,
tony
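
How the two extended-glob patterns proposed above behave, as an added example that is not part of the original thread and is not java-package's own code. The helper name `classify_archive`, the sample file names and the wording of the rejection message are constructed for illustration; the `+([0-9])` syntax needs bash with `extglob` enabled.

```shell
#!/bin/bash
# "+(...)" is a bash extended glob; re-run under bash if started by plain sh.
[ -n "${BASH_VERSION:-}" ] || exec bash "$0" "$@"
shopt -s extglob

# The two patterns quoted in the mail above.
JDK7_PATTERNS=(
  'jdk-7u+([0-9])-linux-i586.tar.gz'
  'jdk-7u+([0-9])-linux-x64.tar.gz'
)

# classify_archive FILE  (hypothetical helper, not taken from java-package)
# On a match, prints "<update> <arch>" and returns 0, so any 7uN archive
# (old or new) is accepted. Otherwise prints a descriptive message on
# stderr and returns 1, so the refusal is visibly deliberate.
classify_archive() {
  local name=${1##*/} pat rest update arch
  for pat in "${JDK7_PATTERNS[@]}"; do
    # Unquoted $pat on the right-hand side of == is treated as a pattern.
    if [[ $name == $pat ]]; then
      rest=${name#jdk-7u}        # e.g. "9-linux-x64.tar.gz"
      update=${rest%%-*}         # e.g. "9"
      arch=${rest#*-linux-}      # e.g. "x64.tar.gz"
      arch=${arch%.tar.gz}       # e.g. "x64"
      printf '%s %s\n' "$update" "$arch"
      return 0
    fi
  done
  printf 'Refusing %s: not a recognised JDK 7 update archive name.\n' "$name" >&2
  return 1
}
```

`+([0-9])` matches one or more digits, so `jdk-7u9-...` and `jdk-7u11-...` are both accepted, while a name with no update number or with trailing non-digits is rejected.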


