[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: openjdk maintenance for wheezy and squeeze

Thanks a lot for explaining the situation and alternative paths forward.

My view as a user:

I only want OpenJDK7 (maybe OpenJDK8 when that becomes generally
available on September 9, 2013 :-)

Oracle has announced that no more new public updates of Java SE 6 will
be made available after February 2013:

OpenJDK6 therefore should be considered obsolete when Wheezy is released.

Is there any collaboration with other distributions and/or the OpenJDK
project on this ?


Matthias Klose:
> There is a bug report open for openjdk-6 in wheezy (#675495) and squeeze didn't
> see any security updates for several months.  To summarize, no party involved is
> capable or willing to provide security updates based on backports of single
> patches to the released openjdk-6 version in a stable release. So what to do
> about it?
>  - Remove openjdk-6 in wheezy. Probably would require falling back to
>    gcj. Not recommended as a runtime environment, but should work fine
>    for building packages, as ecj is used for byte-code compilation.
>    Falling back to an easier-to-main jvm could be an option too, but
>    I didn't check how well that would work.
>    Not having a fall-back would require removing most of java in Debian.
>  - Updating to openjdk-7 in wheezy would not solve any issues from my
>    point of view, and it would need some porting of packages to 7, and
>    probably removing some packages which are not yet ported.
>    Otoh removing openjdk-7 for wheezy could be an option if only one
>    version should be supported for a stable release.
>  - Release openjdk-6 with wheezy, and provide security support by
>    updating to new OpenJDK and IcedTea versions.  Usually this does
>    include some backports and other fixes.  The potential for
>    regressions could be higher, however even the single security fixes
>    show regressions, as shown by the last security update on Feb 1.
>    These builds could be provided as security updates, updates to
>    the stable releases, or as backports. As a proof of concept, see [1].
>  - Release openjdk-7 with wheezy, and do the same as with openjdk-6.
>    The issue here is that 7 sees more changes than 6, and that the
>    current openjdk-7 release doesn't build anymore on mips or mipsel,
>    as communicated to the Debian mips porters, so an update would
>    require removal of the binary mips packages.  Fine if somebody wants
>    to fix it, but apparently there is no-one interested in that. So
>    this looks more difficult than the openjdk-6 updates. Removing
>    the openjdk mips binaries would require changes to source packages
>    building arch any packages and build-depending on default-jdk or
>    openjdk.
> We should find a solution where the resources are available to handle this
> solution.  In the OpenJDK team, I think it's safe to assume that Torsten Werner
> isn't currently working on openjdk anymore and recently I got an email from
> Damien Raude-Morvan, that he can't work on OpenJDK-7 in the forseeable future
> anymore.  Apparently one of the security team members who did work on OpenJDK
> security updates left the team too.  I think that moving maintainership to the
> Debian Java team would just make the maintainership issue less explicit.
> While not a that important issue, the mips and kfreebsd issue could be improved
> as well:
>  - The mipsel porter box is again down for several months. Having a porter
>    box to test backports would be appreciated (yes, openjdk-7 in experimental
>    currently fails on mips, not mipsel).
>  - Afaik openjdk-7 for kfreebsd does build on kfreebsd (according to Damien)
>    with the kfreebsd kernel from wheezy. So maybe some commitment could be
>    found to upgrade and maintain the kernels before wheezy is released?
> Matthias
> [1] deb http://people.debian.org/~doko/tmp/openjdk-6-squeeze ./

Reply to: