Re: Bug#675495: downgrading the severity of #675495 (openjdk-6 in wheezy)

To: Julien Cristau <jcristau@debian.org>
Cc: Moritz Muehlenhoff <jmm@debian.org>, 675495@bugs.debian.org, doko@ubuntu.com, debian-java@lists.debian.org
Subject: Re: Bug#675495: downgrading the severity of #675495 (openjdk-6 in wheezy)
From: Niels Thykier <niels@thykier.net>
Date: Thu, 29 Nov 2012 10:10:50 +0100
Message-id: <[🔎] 50B7269A.7000600@thykier.net>
In-reply-to: <[🔎] 20121128162045.GA23645@crater2.logilab.fr>
References: <4FEDBCAD.6040302@ubuntu.com> <20120629234204.GA25157@radis.cristau.org> <20120828154357.GB25516@inutil.org> <[🔎] 20121128162045.GA23645@crater2.logilab.fr>

On 2012-11-28 17:20, Julien Cristau wrote:
> On Tue, Aug 28, 2012 at 17:43:57 +0200, Moritz Muehlenhoff wrote:
> 
>> OpenJDK Security support has always been a nightmare for the security
>> team because there was no support from the maintainers. Security support 
>> s primarily the responsibility of the maintainer.
>>
>> If you dump two packages in the archive without taking any precautions
>> to get a clean solution this only makes things worse. In any case we
>> cannot hide the issue under the carpet. We have three options: 
>>

I agree the situation is not very optimal.  It would have helped if we
had been reminded about the lack of security support earlier.  Though
even if we were, I am not sure we would have made it in time (nor am I
interested in "placing blame" here).

>> - Drop openjdk6 from Wheezy (and proceed with the needed changes to allow
>>   that)

Steve Chamberlain sent a list of packages.  If my memory serves that is
just the "tip of the iceberg".  OpenJDK-7 comes with a set of
regressions (occasionally that is just the implementation being
stricter), which in some cases the "fix" requires an API (or ABI) breakage.

If you are interested in just how much of the iceberg you (probably)
haven't seen yet, have a look at http://titanpad.com/WciYqDGRNd

>> - The Java maintainers take up the responsibility and step up to support
>>   openjdk6 in stable- and oldstable-security for Wheezy

For the record, "Java maintainers" != "OpenJDK-X maintainers" and I
don't think that is about to change.  Even if it did change, the Java
implementation is completely unlike the Java packages we are used to
maintain.
  On top of this, the Java team is currently down to about a handful of
active maintainers (I am not even sure if I should include myself in
that number) that have to keep 500+ packages floating.

>> - A note is being added to the release notes that openjdk6 is unmaintained
>>   security-wise in Wheezy and should not generally be used
>>
> Dumping this issue to the release notes doesn't sound like a reasonable
> option if there are lots of other packages still depending on it.  We
> might as well drop all those packages, IMO.
> 
> Cheers,
> Julien
> 
>

Reply to:

References:
- Re: Bug#675495: downgrading the severity of #675495 (openjdk-6 in wheezy)
  - From: Julien Cristau <jcristau@debian.org>

Prev by Date: hai
Next by Date: Fwd: Fwd: Bug#694418: ITP: fits -- Java library for the I/O handling of FITS files
Previous by thread: Re: Bug#675495: downgrading the severity of #675495 (openjdk-6 in wheezy)
Next by thread: Error in m68k specific part of cacao
Index(es):
- Date
- Thread