Public bug reported:
[Availability]
The package openjdk-25 is already in Ubuntu universe.
The package openjdk-25 build for the architectures it is designed to work on.
It currently builds and works for architectures: amd64, amd64v3, arm64, armhf,
i386, ppc64el, riscv64, s390x
Link to package https://launchpad.net/ubuntu/+source/openjdk-25
[Rationale]
- The package openjdk-25 is required in Ubuntu main to provide the default
Java Virtual Machine implementation.
- The package openjdk-25 will generally be useful for a large part of
our user base
- This is the first time package will be in main, although openjdk-XX (-7, -8,
-11,-17 and -21)
package was present in main to provide default JVM since trusty:
$ rmadison openjdk-7
openjdk-7 | 7u51-2.4.6-1ubuntu4 | trusty | source
openjdk-7 | 7u211-2.6.17-0ubuntu0.1 | trusty-security | source
openjdk-7 | 7u211-2.6.17-0ubuntu0.1 | trusty-updates | source
I could not find the relevant MIR issue on Launchpad.
- The binary packages: openjdk-25-jdk-headless, openjdk-25-jdk,
openjdk-25-jre-headless, openjdk-25-jre-zero, openjdk-25-jre needs
to be in main to achieve to provide default Java Virtual Machine
implementation.
- All other binary packages built by openjdk-25 should remain in universe:
openjdk-25-jvmci-jdk - build dependency for GraalVM,
openjdk-25-source - openjdk sources,
openjdk-25-testsupport - jtreg binary test image,
openjdk-25-dbg - debug symbols,
openjdk-25-demo - openjdk demos,
openjdk-25-demo - documentation.
- The package openjdk-25 is required in Ubuntu main no later than 26.04 feature
freeze
due to uploading java-common update to switch the default version to openjdk
25.
[Security]
- Had 3 security issues in the past
- links to such security issues in trackers:
https://openjdk.org/groups/vulnerability/advisories/2025-10-21
- The security issues are embargoed and released in quarterly security
updates:
https://launchpad.net/ubuntu/+source/openjdk-25/25.0.1+8-1
- no `suid` or `sgid` binaries
- no executables in `/sbin` and `/usr/sbin`
- Package does not install services, timers or recurring jobs
- Security has been kept in mind and common isolation/risk-mitigation
patterns are in place utilizing the following features: The package provides
a general runtime environment and does not provide isolation features such as
apparmor profiles.
- Package does not open privileged ports (ports < 1024).
- Package does not expose any external endpoints
- Packages does not contain extensions to security-sensitive software
(filters, scanners, plugins, UI skins, ...)
- The package explicitly disables deprecated algorithms in java.security:
—
jdk.tls.disabledAlgorithms=SSLv3, TLSv1, TLSv1.1, DTLSv1.0, RC4, DES, \
MD5withRSA, DH keySize < 1024, EC keySize < 224, 3DES_EDE_CBC, anon, NULL, \
ECDH, TLS_RSA_*, rsa_pkcs1_sha1 usage HandshakeSignature, \
ecdsa_sha1 usage HandshakeSignature, dsa_sha1 usage HandshakeSignature
—
But those can be enabled by the user, by editing the system configuration file.
[Quality assurance - function/usage]
- The package works well right after install
[Quality assurance - maintenance]
- The package is maintained well in Debian/Ubuntu/Upstream and does
not have too many, long-term & critical, open bugs:
- Ubuntu https://bugs.launchpad.net/ubuntu/+source/openjdk-25/+bug
- Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=openjdk-25
- Upstream's bug tracker, e.g., GitHub Issues
https://bugs.openjdk.org/secure/Dashboard.jspa
[Quality assurance - testing]
- The package runs a test suite on build time, if it fails
it does not make the build fail, link to build log:
https://launchpad.net/ubuntu/+source/openjdk-25/25.0.1+8-1/+build/31394212/+files/buildlog_ubuntu-resolute-amd64.openjdk-25_25.0.1+8-1_BUILDING.txt.gz
Reason: LP infrastructure, occasional buggy tests. The maintainers review the
build logs before marking the package ready for the security release.
- The package runs an autopkgtest, and is currently passing on
this amd64, arm64, ppc64el, s390x, armhf, link to test logs:
See https://autopkgtest.ubuntu.com/packages/openjdk-25
amd64:
https://autopkgtest.ubuntu.com/results/autopkgtest-resolute/resolute/amd64/o/openjdk-25/20251209_021730_79d99@/log.gz
Arm64:
https://autopkgtest.ubuntu.com/results/autopkgtest-resolute/resolute/arm64/o/openjdk-25/20251208_225019_a2713@/log.gz
Armhf (zero build, no jtreg run, validates that java can be launched and smart
card library loads)
https://autopkgtest.ubuntu.com/results/autopkgtest-resolute/resolute/armhf/o/openjdk-25/20251208_211437_7e753@/log.gz
I386 (zero build, no jtreg run, validates that java can be launched)
https://autopkgtest.ubuntu.com/results/autopkgtest-resolute/resolute/i386/o/openjdk-25/20260116_154354_31c93@/log.gz
ppc64el
https://autopkgtest.ubuntu.com/results/autopkgtest-resolute/resolute/ppc64el/o/openjdk-25/20251208_225545_597b1@/log.gz
s390x:
https://autopkgtest.ubuntu.com/results/autopkgtest-resolute/resolute/s390x/o/openjdk-25/20251209_141233_8eff7@/log.gz
Failing on tests ( FLAKY non-zero exit status 2) due to:
https://bugs.launchpad.net/ubuntu/+source/openjdk-25/+bug/2130784
The issue is not observed outside LP infrastructure
- The package does have failing autopkgtests tests right now, but since
they always fail, they are handled as "ignored failure", this is ok, as it is
present on s390x on launchpad only.
[Quality assurance - packaging]
- debian/watch is present and works
- debian/control defines a correct Maintainer field
- This package does not yield massive lintian Warnings, Errors
- Please link to a recent build log of the package openjdk-25:
https://launchpadlibrarian.net/826181346/buildlog_ubuntu-resolute-amd64.openjdk-25_25.0.1+8-1_BUILDING.txt.gz
- Please attach the full output you have got from
`lintian --pedantic` as an extra post to this bug.:
P: openjdk-25 source: redundant-rules-requires-root-no-field [debian/control:20]
As of dpkg version 1.22.13, this field is set to "no" by default. As such, in
this case the Rules-Requires-Root field is redundant and should be removed.
We need the rule for the Noble backport that has 1.22.6ubuntu6.5
- Lintian overrides are present, but ok because:
They are used either to address backport issues or upstream source code
structure.
Note: some fixes pending upload -
- This package does not rely on obsolete or about to be demoted packages.
- This package has no python2 or GTK2 dependencies
- The package will not be installed by default
- Packaging is complex, but that is ok because the package needs to be
backported to the stable releases on a quarterly basis. The packaging
contains rules for older releases that can be removed.
[UI standards]
- Application is not end-user facing (does not need translation)
- End-user applications that ships a standard conformant desktop file,
see debian/JB-*.desktop.in. The entries are hidden and are used to launch jar
files from the desktop.
[Dependencies]
- Used check-mir from ubuntu-dev-tools to validate all dependencies or
recommends are in main.
The binary dependencies in universe are needed for the packages that will
remain in universe: openjdk-25-testsupport and openjdk-25-doc
Checking support status of binary dependencies...
* openjdk-25-jre-headless binary and source package is in universe
* openjdk-25-jre binary and source package is in universe
* openjdk-25-jdk-headless binary and source package is in universe
* openjdk-25-jre-headless binary and source package is in universe
* openjdk-25-jre binary and source package is in universe
* openjdk-25-jdk binary and source package is in universe
* libjs-jquery-ui binary and source package is in universe
* libjs-jquery-ui-theme-base binary and source package is in universe
* openjdk-25-jre-headless binary and source package is in universe
* openjdk-25-jre binary and source package is in universe
* openjdk-25-jdk binary and source package is in universe
* xfwm4 binary and source package is in universe
* xvfb is in universe, but its source xorg-server is already in main; file an
ubuntu-archive bug for promoting the current preferred alternative
* jtreg7 binary and source package is in universe
* libtestng7-java binary and source package is in universe
* openjdk-25-jre-headless binary and source package is in universe
[Standards compliance]
- This package correctly follows FHS and Debian Policy
[Maintenance/Owner]
- The owning team will be Foundations/Toolchains and I have their
acknowledgment for
that commitment
- This does not use static builds
- The team Foundations/Toolchains is aware of the implications of vendored code
and (as
alerted by the security team) commits to provide updates and backports
to the security team for any affected vendored code for the lifetime of the
release (including ESM).
The package vendors googletest used in the package unit tests for the
backports compatibility.
- This package uses vendored code, refreshing that code is outlined
in debian/README.source
- This package is not rust based
- The package has been built within the last 3 months in the archive
- Build link on
launchpad:https://launchpad.net/ubuntu/+source/openjdk-25/25.0.1+8-3
- This change will not impact other teams
[Background information]
The Package description explains the package well
Upstream Name is OpenJDK
Link to upstream project https://github.com/openjdk/jdk
** Affects: openjdk-25 (Ubuntu)
Importance: Undecided
Status: New
** Summary changed:
- [MIR] openjdk-25
+ [MIR] openjdk-25 (non-blocking)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2138526
Title:
[MIR] openjdk-25 (non-blocking)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/openjdk-25/+bug/2138526/+subscriptions
--
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
