
Re: Debian distributions of stable OpenJDK updates

On 22/05/2019 at 06:17, tony mancill wrote:

> For stable backports and buster, I agree that we should upload an
> 11.0.3-ga package, particularly given the vulnerabilities still present
> in 11.0.3+1: CVE-2019-2698, CVE-2019-2684, and CVE-2019-2602

I've uploaded 11.0.3+1 with a patch bringing it up to 11.0.3+7 to
stretch-backports yesterday; it's still pending validation.

> It would be nice to do the same for buster, although now that 11.0.4+x
> has been introduced to unstable, I believe we'll have to be creative
> with the naming, either by introducing an epoch or using the
> "11.0.4+1_really11.0.3-ga" trick.

I think we should leave 11.0.4 in unstable until the GA release in July
and upload 11.0.3+7-4 directly to testing through
testing-proposed-updates. I'm volunteering to deal with this upload if
Matthias agrees.

> In general, I think it would be helpful for our users if we uploaded the
> prereleases to experimental but stuck to GA releases for unstable,
> testing, and backports.  I think it is easy to mistake, for example, an
> 11.0.3+x (prerelease) version in Debian with the 11.0.3 GA release being
> distributed by other projects.

It looks like upstream is going to append a -ea suffix to the version
reported by the pre-releases [1]. This is a welcome clarification and we
should ensure our builds do it as well.

Emmanuel Bourg

[1] https://mail.openjdk.java.net/pipermail/jdk8u-dev/2019-May/009369.html
