On 22.06.2016 18:19, Markus Koschany wrote:
> On 22.06.2016 08:47, Moritz Mühlenhoff wrote:
>> On Wed, Jun 22, 2016 at 01:01:14AM +0200, Markus Koschany wrote:
>>> On 22.06.2016 00:43, Emmanuel Bourg wrote:
>>>> On 22/06/2016 at 00:28, Markus Koschany wrote:
>>>>
>>>>> Houston, we have a problem. It seems the latest upstream release
>>>>> requires Java 8 for building JDBC 4. In Jessie even Java 6 was
>>>>> sufficient. I suggest we ship version 5.1.34 of mysql-connector-java
>>>>> instead, which should build fine with Java 6/7 and also fix the security
>>>>> vulnerability. If there is a better way, please let me know.
>>>>
>>>> We could also ignore the JDBC 4.2 classes and build with Java 7. If I'm
>>>> not mistaken it's just a matter of removing this build step:
>>>>
>>>> https://sources.debian.net/src/mysql-connector-java/5.1.39-1/build.xml/#L903
>>>>
>>>> Emmanuel Bourg
>>>
>>> That might be a solution. Perhaps we should also disable the testsuite
>>> in
>>> https://sources.debian.net/src/mysql-connector-java/5.1.39-1/build.xml/#L962
>>>
>>> I am not sure if this would prevent all possible runtime errors though.
>>> This would require more testing. In any case we have two options:
>>> Patching 5.1.39 and make it compatible for Jessie/Wheezy or use 5.1.34
>>> directly.
>>
>> I'd prefer to make 5.1.39 compatible, there might be an additional mysql-connector-java
>> security issue in the future, for which 5.1.34 will be insufficient and then we
>> already have the java 7 compat sorted out.
>
> Yup, but new vulnerabilities could well have been introduced after
> 5.1.34, thus we will never really know in advance, what approach had
> saved us more time.
>
> I have pushed my update for Jessie, 5.1.39-1~deb8u1, to
>
> https://anonscm.debian.org/cgit/pkg-java/mysql-connector-java.git/log/?h=jessie-security
>
> The debdiff is huge so I didn't bother to attach it to this e-mail.
>
> I have rebuilt all reverse build-dependencies successfully. I have also
> used the library to connect to a local mysql database. I couldn't spot
> obvious regressions but I would appreciate it if more people tested the
> new version.

*ping* Can I go ahead with an upload to jessie-security?

Regards,

Markus