
Re: Debian distributions of stable OpenJDK updates



On 5/20/19 2:32 PM, Emmanuel Bourg wrote:
> Le 20/05/2019 à 13:54, Aleksey Shipilev a écrit :
> 
>> Right. Maybe then "-ea" or "-preview" in version tag would communicate that intent more clearly, on
>> the off-chance "stretch" users would install openjdk-11, thinking it is somehow stable.
> 
> Do you think the 11.0.3+1 package in stretch is affected by serious
> issues compared to the GA release that should be addressed quickly?

Yes. Security fixes and Japanese epoch changes are delivered in 11.0.3+7, after the security embargo was
lifted. The fixes are not in 11.0.3+6, which was tagged before the embargo lifted. You are looking
for these:
  http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/175eb80c253a
  http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/2996b4523925
  http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/f0d8b845de21
  http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/1084d119236b
  http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/c61b8801f0e4
  http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/59610bddd37a

So yes, I would say the update should be high priority.

>> Excellent, do you have any rough ETA? Having 11.0.4+x in "unstable" (preferably with "-ea" suffix)
>> and 11.0.3+7 in "testing"/"stable" would be the good state for the current moment.
> 
> That may happen later this week if no other update is uploaded in
> unstable and the release team approves the transition (that's a big "if"
> because testing is currently in deep freeze, and the previous minor
> update 11.0.2 broke a ton of packages due to javadoc changes). A likely
> outcome is that Debian 10 gets released with OpenJDK 11.0.3+1 and
> receives a 11.0.4 update after the release.

That would be rather bad, see above why. Maybe at least cherry-pick the fixes from above to get a sane
security baseline?

>> Yup, would be nice if an outlier like the current one does not happen again. I think you can always
>> check with upstream 8u/11u maintainers if the tags you're building from are sane for "stable",
>> especially if you cannot see the -ga tags in the upstream repo.
> 
> I've just noticed the new *-ga tags added recently to the OpenJDK 8/11
> repositories, that's a very welcome change. That will allow us to write
> debian/watch files detecting the release tags.

Yup, just as planned.

-- 
Thanks,
-Aleksey
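As an added illustration (not part of this thread or of Debian's packaging), the kind of check the discussion calls for: given the upstream tag a package is built from and the repository's tag list, decide whether that tag is the GA build, a pre-GA build of an already released version (the 11.0.3+1 / +6 case, missing the post-embargo fixes), or an early-access build of an unreleased version that belongs in unstable with an "-ea" marker. It assumes the upstream `jdk-X.Y.Z-ga` tag resolves to the same changeset as the final `jdk-X.Y.Z+N` build tag; the tag-to-changeset map and changeset ids below are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Upstream tag shapes: jdk-11.0.3+7 (build tag) and jdk-11.0.3-ga (release marker).
TAG_RE = re.compile(r"^jdk-(\d+)\.(\d+)\.(\d+)(?:\+(\d+)|-ga)$")

@dataclass(frozen=True)
class Tag:
    version: Tuple[int, int, int]  # e.g. (11, 0, 3)
    build: Optional[int]           # None for a -ga marker tag

def parse_tag(tag: str) -> Tag:
    m = TAG_RE.match(tag)
    if not m:
        raise ValueError(f"unrecognised OpenJDK tag: {tag}")
    version = tuple(int(x) for x in m.group(1, 2, 3))
    build = int(m.group(4)) if m.group(4) is not None else None
    return Tag(version, build)

def ga_build_tag(version: Tuple[int, int, int], repo_tags: Dict[str, str]) -> Optional[str]:
    """Return the jdk-X.Y.Z+N build tag that the -ga marker points at, or None
    if the version has no -ga tag yet (assumption: -ga and final build share a changeset)."""
    ga_rev = repo_tags.get("jdk-%d.%d.%d-ga" % version)
    if ga_rev is None:
        return None
    for name, rev in repo_tags.items():
        t = parse_tag(name)
        if t.version == version and t.build is not None and rev == ga_rev:
            return name
    return None

def classify(tag: str, repo_tags: Dict[str, str]) -> str:
    """'ga' for the released build, 'pre-ga' for an earlier build of a released
    version (lacks the post-embargo fixes), 'ea' for a build of an unreleased version."""
    t = parse_tag(tag)
    ga = ga_build_tag(t.version, repo_tags)
    if ga is None:
        return "ea"
    return "ga" if repo_tags[tag] == repo_tags[ga] else "pre-ga"

# Constructed sample tag list; changeset ids are placeholders, not real jdk11u revisions.
SAMPLE_REPO_TAGS = {
    "jdk-11.0.3+1": "aaa001",
    "jdk-11.0.3+6": "aaa006",
    "jdk-11.0.3+7": "aaa007",
    "jdk-11.0.3-ga": "aaa007",   # GA marker points at the +7 build
    "jdk-11.0.4+2": "bbb002",    # 11.0.4 not released yet: no -ga tag
}
```

Running `classify("jdk-11.0.3+1", SAMPLE_REPO_TAGS)` on the sample data yields "pre-ga", which is the condition the thread argues should block a stable release.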

