Bug#675495: downgrading the severity of #675495 (openjdk-6 in wheezy)

2013-02-08 Thread Steven Chamberlain
Hi,

On Wed, 06 Feb 2013, Matthias Klose wrote:
  - the security team's implications about Oracle's binary releases, and
OpenJDK, which are just wrong.
 
Andrew Haley made this clear in
https://lists.debian.org/debian-java/2013/02/msg5.html

I was under that false impression as well.  But then to my surprise I
noticed today that RHEL updated openjdk-6:

https://rhn.redhat.com/errata/RHSA-2013-0246.html

I would think this weighs in favour of keeping openjdk-6 in wheezy;
users would be better served if patched releases can be made available,
rather than if it is dropped and they are left with the last version
that oldstable had.

Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org


-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#675495: downgrading the severity of #675495 (openjdk-6 in wheezy)

2013-02-06 Thread Matthias Klose
 OpenJDK Security support has always been a nightmare for the security
 team because there was no support from the maintainers. Security support
 is primarily the responsibility of the maintainer.

So what kind of responsibility does the security team take at all?

 - In the past, the security team was fine to promote the
   proprietary sun-java5 and sun-java6 packages for stable
   releases, but did deny this for the corresponding
   openjdk packages. Now, these are gone fortunately.

 - The security team happily copies security information for
   Oracle's binary releases, without checking and tracking.
   This is counterproductive from my point of view; blindly opening
   issues for Oracle's web plugin and javaws implementation is
   wrong. If you do open these issues on the basis of the binary releases,
   then please track them on your own as well.

 - At Debconf 10 Torsten and I had a chat with either you or Florian,
   about how to improve the situation. Afaicr we had the proposal
   to follow the update releases (bxx), exactly because backporting
   was not an option. I think you did experience this yourself in
   at least oldstable.

   Never did hear back about this ...

   Sure, it could be an option to have the bxx package in stable
   updates, or in backports.

 - To the best of my knowledge the security team, or single members
   of the team are not subscribed to Oracle's OpenJDK security advisories.
   Why not?  Is somebody from the team willing to do so?

Security updates were formerly handled by the security team; maybe I did miss any
announcement when the security team became a management-only team. Apologies for
this.

 If you dump two packages in the archive without taking any precautions
 to get a clean solution this only makes things worse.

Sure, an option would be to default back to gcj for the build process, disable
the tests for java packages, and recommend users to download the Oracle
binaries.  Or to support the bxx updates in security updates, however your
wording of dumping two packages doesn't really suggest this.

Just to clarify, 6 is dumped by myself, while 7 is mostly dumped by Damien.

 In any case we
 cannot hide the issue under the carpet. We have three options:

 - Drop openjdk6 from Wheezy (and proceed with the needed changes to allow
   that)

If you do want to drop openjdk7 too, fine. You don't seem to make a difference
between 6 and 7 regarding the maintenance in Debian.

 - The Java maintainers take up the responsibility and step up to support
   openjdk6 in stable- and oldstable-security for Wheezy

I'm not sure how this would help.  If somebody wants to help with OpenJDK
maintenance, that should happen within the OpenJDK team.  I'm more than happy to
add people, if they did show some involvement with OpenJDK, in Debian, upstream,
or in IcedTea.

 - A note is being added to the release notes that openjdk6 is unmaintained
   security-wise in Wheezy and should not generally be used

Again, why make a difference for 6 and 7?

There are two things here to differentiate:

 - the security team's implications about Oracle's binary releases, and
   OpenJDK, which are just wrong.

   Andrew Haley made this clear in
   https://lists.debian.org/debian-java/2013/02/msg5.html

 - whether Debian should backport single patches or update to the bxx
   releases. I won't do the former, as I did see it fail already in
   Debian. However I can't speak for Damien and Torsten.

Matthias





Bug#675495: downgrading the severity of #675495 (openjdk-6 in wheezy)

2012-11-29 Thread Niels Thykier
On 2012-11-28 17:20, Julien Cristau wrote:
 On Tue, Aug 28, 2012 at 17:43:57 +0200, Moritz Muehlenhoff wrote:
 
 OpenJDK Security support has always been a nightmare for the security
 team because there was no support from the maintainers. Security support
 is primarily the responsibility of the maintainer.

 If you dump two packages in the archive without taking any precautions
 to get a clean solution this only makes things worse. In any case we
 cannot hide the issue under the carpet. We have three options: 


I agree the situation is not very optimal.  It would have helped if we
had been reminded about the lack of security support earlier.  Though
even if we were, I am not sure we would have made it in time (nor am I
interested in placing blame here).

 - Drop openjdk6 from Wheezy (and proceed with the needed changes to allow
   that)

Steve Chamberlain sent a list of packages.  If my memory serves that is
just the tip of the iceberg.  OpenJDK-7 comes with a set of
regressions (occasionally that is just the implementation being
stricter), where in some cases the fix requires an API (or ABI) break.

If you are interested in just how much of the iceberg you (probably)
haven't seen yet, have a look at http://titanpad.com/WciYqDGRNd

 - The Java maintainers take up the responsibility and step up to support
   openjdk6 in stable- and oldstable-security for Wheezy

For the record, Java maintainers != OpenJDK-X maintainers and I
don't think that is about to change.  Even if it did change, the Java
implementation is completely unlike the Java packages we are used to
maintaining.
On top of this, the Java team is currently down to about a handful of
active maintainers (I am not even sure if I should include myself in
that number) that have to keep 500+ packages floating.

 - A note is being added to the release notes that openjdk6 is unmaintained
   security-wise in Wheezy and should not generally be used

 Dumping this issue to the release notes doesn't sound like a reasonable
 option if there are lots of other packages still depending on it.  We
 might as well drop all those packages, IMO.
 
 Cheers,
 Julien
 
 





Bug#675495: downgrading the severity of #675495 (openjdk-6 in wheezy)

2012-11-28 Thread Julien Cristau
On Tue, Aug 28, 2012 at 17:43:57 +0200, Moritz Muehlenhoff wrote:

 OpenJDK Security support has always been a nightmare for the security
 team because there was no support from the maintainers. Security support
 is primarily the responsibility of the maintainer.
 
 If you dump two packages in the archive without taking any precautions
 to get a clean solution this only makes things worse. In any case we
 cannot hide the issue under the carpet. We have three options: 
 
 - Drop openjdk6 from Wheezy (and proceed with the needed changes to allow
   that)
 - The Java maintainers take up the responsibility and step up to support
   openjdk6 in stable- and oldstable-security for Wheezy
 - A note is being added to the release notes that openjdk6 is unmaintained
   security-wise in Wheezy and should not generally be used
 
Dumping this issue to the release notes doesn't sound like a reasonable
option if there are lots of other packages still depending on it.  We
might as well drop all those packages, IMO.

Cheers,
Julien





Bug#675495: downgrading the severity of #675495 (openjdk-6 in wheezy)

2012-11-28 Thread Steven Chamberlain
Hi,

Related to this issue, at least the following packages depend on
openjdk-6 rather than java6-runtime or something less specific.  As
such, I found them listed on edos.d.o as uninstallable on kfreebsd-*,
and they would remain so even after we can get openjdk-7 built for those
arches (probably through wheezy-backports sometime after release).

So that gives another reason to check if these could potentially build
and/or run with openjdk-7 :

biogenesis
carmetal
imagej
jabref
javamorph
jaxe
jedit
jftp
jxplorer
libiscwt-java
libknopflerfish-osgi-framework-java
libwoodstox-java
neobio
openrocket
osgi-framework-java
sweethome3d
tunnelx

Regards,
-- 
Steven Chamberlain
ste...@pyro.eu.org
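As an added illustration (not part of the original thread, and not the tooling edos.d.o uses), the kind of check described above: parse Packages-style stanzas and flag dependency OR-groups that can only be satisfied by an openjdk-6 package, which is what makes a package uninstallable wherever openjdk-6 is absent, while a group offering java6-runtime, default-jre or openjdk-7 still resolves. The stanzas and package names are constructed, not real archive data.

```python
"""Flag packages whose Depends can only be satisfied by openjdk-6 (added example)."""
import re
from typing import Dict, List

# Constructed sample in Packages-file format; names and fields are not real archive data.
SAMPLE_PACKAGES = """\
Package: example-gui-app
Depends: openjdk-6-jre, libexample-java (>= 1.2)

Package: example-portable-app
Depends: default-jre (>= 1:1.6) | java6-runtime, libexample-java

Package: example-headless-app
Depends: openjdk-6-jre-headless | openjdk-7-jre-headless [!kfreebsd-any]
"""

OPENJDK6 = re.compile(r"^openjdk-6-")


def parse_depends(field: str) -> List[List[str]]:
    """Split a Depends field into OR-groups, dropping version and arch qualifiers."""
    groups = []
    for group in (g.strip() for g in field.split(",")):
        if not group:
            continue
        alts = [re.sub(r"\s*\(.*?\)|\s*\[.*?\]", "", alt).strip() for alt in group.split("|")]
        groups.append(alts)
    return groups


def parse_packages(text: str) -> Dict[str, List[List[str]]]:
    """Map each stanza's Package name to its parsed Depends groups."""
    result = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        result[fields["Package"]] = parse_depends(fields.get("Depends", ""))
    return result


def openjdk6_only(packages: Dict[str, List[List[str]]]) -> Dict[str, List[List[str]]]:
    """Packages with at least one OR-group whose every alternative is an openjdk-6 package.

    Such a group cannot be met on an architecture without openjdk-6; a group that also
    offers a virtual runtime (java6-runtime, default-jre) or openjdk-7 still can.
    """
    flagged = {}
    for pkg, groups in packages.items():
        bad = [g for g in groups if all(OPENJDK6.match(a) for a in g)]
        if bad:
            flagged[pkg] = bad
    return flagged
```

Running it over a real Packages index (e.g. the main/binary-*/Packages file for a suite) would list the packages that need their dependency relaxed to a virtual runtime before openjdk-6 can be dropped.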

