
Re: OpenJDK default versions and security/patch updates



Hi,

On 27.10.18 at 12:38, Behrooz Nobakht wrote:
[...]
> To summarize my questions:
> 
> - Is there a policy page or a discussion list that clarifies when/how a
>   security/patch update on OpenJDK is applied on a Debian (LTS) version?
> 
> - How a default version of OpenJDK is chosen for a Debian LTS version?

We always choose an OpenJDK version that will receive long-term support
by upstream which we will then release with the next stable release. The
current stable release is Debian 9 "Stretch". The only supported OpenJDK
version is 8 and we expect it will receive upstream support (either by
Oracle or Red Hat) until 2022.

For Buster, OpenJDK 11 will be the default Java runtime environment
because it is also a long-term supported release. Since Oracle does not
disclose detailed information about a vulnerability, we always upgrade to
the latest patch release to fix security vulnerabilities.

> - Is there a document/page that explains how the current infrastructure for
>   building OpenJDK packages is on Debian? I understand that OpenJDK releases
>   binaries instead of source which makes it harder for OS distribution
>   packaging.

OpenJDK releases source code; otherwise Debian would be unable to
distribute the package in our main archive since it would violate the
Debian Free Software Guidelines.

> The main motivations that drive the above questions are trying to build a base
> image for production systems that have been using Java on Debian-based distros
> and now need to look at Java alternatives with the new release cycle and
> support policies.

For Debian 10 "Buster" we will provide support for OpenJDK 11. For
Debian 11 everything is open for discussion but I expect we will try to
focus on another long-term supported OpenJDK version again.

Regards,

Markus
