Re: openjdk maintenance for wheezy and squeeze

On 2013-02-18 13:08, Steven Chamberlain wrote:
> [...]
>> OpenJDK6 therefore should be considered obsolete when Wheezy is released.
> I wouldn't use the word 'obsolete' so long as there are packages that
> *can* use it...  I'd call it 'maintenance only'.
> Before deciding the post-wheezy fate of openjdk-6, why not wait, and see
> how well things work out over the next few months.  Let's see what
> security issues affect openjdk-6 vs. openjdk-7.  Let's see how Red Hat's
> security maintenance for openjdk-6 compares to Oracle's own Java 7 fixes
> being pulled into openjdk-7 (in terms of expediency, complexity of
> changes, regressions).

Well, that being a fair argument - however, are you volunteering to
(co-)maintain OpenJDK-6 while we find out?  And even if it turns out to
be worse?  I know I can't answer yes to either myself.
  That is why I support getting rid of OpenJDK-6 ASAP[0]; to ease the
maintenance burden for the OpenJDK maintainers.

> For example, if I had some public-facing Java-based service, I would
> rather have been running it on openjdk-6 over the past months because it
> had fewer security issues and perhaps no regressions caused by fixes.

As far as I know, the recent "flood" of CVEs affects OpenJDK-6 as well.
Compare [1] with [2] - the majority of the CVEs starting at
"CVE-2012-1531" and "down" appear to be almost identical.

> OTOH some packages may switch to openjdk-7 post-wheezy or ship a new
> upstream version that has at least been fixed to be able to use it.
> Regards,


[0] ASAP being post-wheezy AFAICT, see:


[1] https://security-tracker.debian.org/tracker/source-package/openjdk-6

[2] https://security-tracker.debian.org/tracker/source-package/openjdk-7

