Re: Debian distributions of stable OpenJDK updates
Le 22/05/2019 à 06:17, tony mancill a écrit :
> For stable backports and buster, I agree that we should upload an
> 11.0.3-ga package, particularly given the vulnerabilities still present
> in 11.0.3+1: CVE-2019-2698, CVE-2019-2684, and CVE-2019-2602
I've uploaded 11.0.3+1 with a patch bringing it up to 11.0.3+7 to
stretch-backports yesterday, it's still pending validation.
> It would be nice to do the same for buster, although now that 11.0.4+x
> has been introduced to unstable, I believe we'll have to be creative
> with the naming, either by introducing an epoch or using the
> "11.0.4+1_really11.0.3-ga" trick.
I think we should leave 11.0.4 in unstable until the GA release in July
and upload 11.0.3+7-4 directly to testing through
testing-proposed-updates. I'm volunteering to deal with this upload if
Matthias agrees.
> In general, I think it would be helpful for our users if we uploaded the
> prereleases to experimental but stuck to GA releases for unstable,
> testing, and backports. I think it is easy to mistake, for example, an
> 11.0.3+x (prerelease) version in Debian with the 11.0.3 GA release being
> distributed by other projects.
It looks like upstream is going to append a -ea suffix to the version
reported by the pre-releases [1]. This is a welcome clarification and we
should ensure our builds do it as well.
Emmanuel Bourg
[1] https://mail.openjdk.java.net/pipermail/jdk8u-dev/2019-May/009369.html
Reply to: