On 5/20/19 2:32 PM, Emmanuel Bourg wrote:
> On 20/05/2019 at 13:54, Aleksey Shipilev wrote:
>
>> Right. Maybe then "-ea" or "-preview" in the version tag would communicate that intent more clearly, on
>> the off-chance "stretch" users would install openjdk-11, thinking it is somehow stable.
>
> Do you think the 11.0.3+1 package in stretch is affected by serious
> issues compared to the GA release that should be addressed quickly?

Yes. Security fixes and Japanese epoch changes are delivered in 11.0.3+7, after the security embargo was lifted. The fixes are not in 11.0.3+6, which was tagged before the embargo lifted. You are looking for these:

  http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/175eb80c253a
  http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/2996b4523925
  http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/f0d8b845de21
  http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/1084d119236b
  http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/c61b8801f0e4
  http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/59610bddd37a

So yes, I would say the update should be high priority.

>> Excellent, do you have any rough ETA? Having 11.0.4+x in "unstable" (preferably with "-ea" suffix)
>> and 11.0.3+7 in "testing"/"stable" would be the good state for the current moment.
>
> That may happen later this week if no other update is uploaded in
> unstable and the release team approves the transition (that's a big "if"
> because testing is currently in deep freeze, and the previous minor
> update 11.0.2 broke a ton of packages due to javadoc changes). A likely
> outcome is that Debian 10 gets released with OpenJDK 11.0.3+1 and
> receives a 11.0.4 update after the release.

That would be rather bad, see above why. Maybe at least cherry-pick the fixes from above to get a sane security baseline?

>> Yup, would be nice if an outlier like the current one does not happen again. I think you can always
>> check with upstream 8u/11u maintainers if the tags you're building from are sane for "stable",
>> especially if you cannot see the -ga tags in the upstream repo.
>
> I've just noticed the new *-ga tags added recently to the OpenJDK 8/11
> repositories, that's a very welcome change. That will allow us to write
> debian/watch files detecting the release tags.

Yup, just as planned.

--
Thanks,
-Aleksey