Re: openjdk maintenance for wheezy and squeeze
Thanks a lot for explaining the situation and alternative paths forward.
My view as a user:
I only want OpenJDK7 (maybe OpenJDK8 when that becomes generally
available on September 9, 2013 :-)
Oracle has announced that no more new public updates of Java SE 6 will
be made available after February 2013:
http://www.oracle.com/technetwork/java/eol-135779.html
OpenJDK6 therefore should be considered obsolete when Wheezy is released.
Is there any collaboration with other distributions and/or the OpenJDK
project on this ?
Cheers,
Andreas
---
Matthias Klose:
> There is a bug report open for openjdk-6 in wheezy (#675495) and squeeze didn't
> see any security updates for several months. To summarize, no party involved is
> capable or willing to provide security updates based on backports of single
> patches to the released openjdk-6 version in a stable release. So what to do
> about it?
>
> - Remove openjdk-6 in wheezy. Probably would require falling back to
> gcj. Not recommended as a runtime environment, but should work fine
> for building packages, as ecj is used for byte-code compilation.
> Falling back to an easier-to-main jvm could be an option too, but
> I didn't check how well that would work.
> Not having a fall-back would require removing most of java in Debian.
>
> - Updating to openjdk-7 in wheezy would not solve any issues from my
> point of view, and it would need some porting of packages to 7, and
> probably removing some packages which are not yet ported.
> Otoh removing openjdk-7 for wheezy could be an option if only one
> version should be supported for a stable release.
>
> - Release openjdk-6 with wheezy, and provide security support by
> updating to new OpenJDK and IcedTea versions. Usually this does
> include some backports and other fixes. The potential for
> regressions could be higher, however even the single security fixes
> show regressions, as shown by the last security update on Feb 1.
>
> These builds could be provided as security updates, updates to
> the stable releases, or as backports. As a proof of concept, see [1].
>
> - Release openjdk-7 with wheezy, and do the same as with openjdk-6.
> The issue here is that 7 sees more changes than 6, and that the
> current openjdk-7 release doesn't build anymore on mips or mipsel,
> as communicated to the Debian mips porters, so an update would
> require removal of the binary mips packages. Fine if somebody wants
> to fix it, but apparently there is no-one interested in that. So
> this looks more difficult than the openjdk-6 updates. Removing
> the openjdk mips binaries would require changes to source packages
> building arch any packages and build-depending on default-jdk or
> openjdk.
>
> We should find a solution where the resources are available to handle this
> solution. In the OpenJDK team, I think it's safe to assume that Torsten Werner
> isn't currently working on openjdk anymore and recently I got an email from
> Damien Raude-Morvan, that he can't work on OpenJDK-7 in the forseeable future
> anymore. Apparently one of the security team members who did work on OpenJDK
> security updates left the team too. I think that moving maintainership to the
> Debian Java team would just make the maintainership issue less explicit.
>
> While not a that important issue, the mips and kfreebsd issue could be improved
> as well:
>
> - The mipsel porter box is again down for several months. Having a porter
> box to test backports would be appreciated (yes, openjdk-7 in experimental
> currently fails on mips, not mipsel).
>
> - Afaik openjdk-7 for kfreebsd does build on kfreebsd (according to Damien)
> with the kfreebsd kernel from wheezy. So maybe some commitment could be
> found to upgrade and maintain the kernels before wheezy is released?
>
> Matthias
>
> [1] deb http://people.debian.org/~doko/tmp/openjdk-6-squeeze ./
>
>
Reply to: