Re: openjdk maintenance for wheezy and squeeze
On 2013-02-18 13:08, Steven Chamberlain wrote:
>> OpenJDK6 therefore should be considered obsolete when Wheezy is released.
> I wouldn't use the word 'obsolete' so long as there are packages that
> *can* use it... I'd call it 'maintenance only'.
> Before deciding the post-wheezy fate of openjdk-6, why not wait, and see
> how well things work out over the next few months. Let's see what
> security issues affect openjdk-6 vs. openjdk-7. Let's see how Red Hat's
> security maintenance for openjdk-6 compares to Oracle's own Java 7 fixes
> being pulled into openjdk-7 (in terms of expediency, complexity of
> changes, regressions).
Well, that being a fair argument - however, are you volunteering to
(co-)maintain OpenJDK-6 while we find out? And even if it turns out to
be worse? I know I can't answer yes to either myself.
That is why I support getting rid of OpenJDK-6 ASAP; to ease the
maintenance burden for the OpenJDK maintainers.
> For example, if I had some public-facing Java-based service, I would
> rather have been running it on openjdk-6 over the past months because it
> had fewer security issues and perhaps no regressions caused by fixes.
As far as I know, the recent "flood" of CVEs affect OpenJDK-6 as well.
Compare  with  - the majority of the CVEs starting at
"CVE-2012-1531" and "down" appear to be almost identical.
> OTOH some packages may switch to openjdk-7 post-wheezy or ship a new
> upstream version that has at least been fixed to be able to use it.
 ASAP being post-wheezy AFAICT, see: