On Wed, May 22, 2019 at 12:24:03PM +0200, Emmanuel Bourg wrote: > Le 22/05/2019 à 06:17, tony mancill a écrit : > > > For stable backports and buster, I agree that we should upload an > > 11.0.3-ga package, particularly given the vulnerabilities still present > > in 11.0.3+1: CVE-2019-2698, CVE-2019-2684, and CVE-2019-2602 > > I've uploaded 11.0.3+1 with a patch bringing it up to 11.0.3+7 to > stretch-backports yesterday, it's still pending validation. > > > > It would be nice to do the same for buster, although now that 11.0.4+x > > has been introduced to unstable, I believe we'll have to be creative > > with the naming, either by introducing an epoch or using the > > "11.0.4+1_really11.0.3-ga" trick. > > I think we should leave 11.0.4 in unstable until the GA release in July > and upload 11.0.3+7-4 directly to testing through > testing-proposed-updates. I'm volunteering to deal with this upload if > Matthias agrees. Ah, that's great if we can upload 11.0.3+7 without having to play any games with the version string. Also, I should have said explicitly that I'm also volunteering to help with uploads - both this version and going forward. > > In general, I think it would be helpful for our users if we uploaded the > > prereleases to experimental but stuck to GA releases for unstable, > > testing, and backports. I think it is easy to mistake, for example, an > > 11.0.3+x (prerelease) version in Debian with the 11.0.3 GA release being > > distributed by other projects. > > It looks like upstream is going to append a -ea suffix to the version > reported by the pre-releases [1]. This is a welcome clarification and we > should ensure our builds do it as well. > > [1] https://mail.openjdk.java.net/pipermail/jdk8u-dev/2019-May/009369.html Excellent! Let's see if Matthias has any concerns. Cheers, tony
Attachment:
signature.asc
Description: PGP signature