Re: openjdk maintenance for wheezy and squeeze
On 2013-02-18 13:08, Steven Chamberlain wrote:
> [...]
>> OpenJDK6 therefore should be considered obsolete when Wheezy is released.
>
> I wouldn't use the word 'obsolete' so long as there are packages that
> *can* use it... I'd call it 'maintenance only'.
>
>
> Before deciding the post-wheezy fate of openjdk-6, why not wait, and see
> how well things work out over the next few months. Let's see what
> security issues affect openjdk-6 vs. openjdk-7. Let's see how Red Hat's
> security maintenance for openjdk-6 compares to Oracle's own Java 7 fixes
> being pulled into openjdk-7 (in terms of expediency, complexity of
> changes, regressions).
>
Well, that being a fair argument - however, are you volunteering to
(co-)maintain OpenJDK-6 while we find out? And even if it turns out to
be worse? I know I can't answer yes to either myself.
That is why I support getting rid of OpenJDK-6 ASAP[0]; to ease the
maintenance burden for the OpenJDK maintainers.
> For example, if I had some public-facing Java-based service, I would
> rather have been running it on openjdk-6 over the past months because it
> had fewer security issues and perhaps no regressions caused by fixes.
>
As far as I know, the recent "flood" of CVEs affects OpenJDK-6 as well.
Compare [1] with [2] - the majority of the CVEs starting at
"CVE-2012-1531" and "down" appear to be almost identical.
> OTOH some packages may switch to openjdk-7 post-wheezy or ship a new
> upstream version that has at least been fixed to be able to use it.
>
> Regards,
~Niels
[0] ASAP being post-wheezy AFAICT, see:
<512162EC.9040507@thykier.net>
[1] https://security-tracker.debian.org/tracker/source-package/openjdk-6
[2] https://security-tracker.debian.org/tracker/source-package/openjdk-7