[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Debian distributions of stable OpenJDK updates

On Wed, May 22, 2019 at 12:24:03PM +0200, Emmanuel Bourg wrote:
> Le 22/05/2019 à 06:17, tony mancill a écrit :
> > For stable backports and buster, I agree that we should upload an
> > 11.0.3-ga package, particularly given the vulnerabilities still present
> > in 11.0.3+1: CVE-2019-2698, CVE-2019-2684, and CVE-2019-2602
> I've uploaded 11.0.3+1 with a patch bringing it up to 11.0.3+7 to
> stretch-backports yesterday, it's still pending validation.
> > It would be nice to do the same for buster, although now that 11.0.4+x
> > has been introduced to unstable, I believe we'll have to be creative
> > with the naming, either by introducing an epoch or using the
> > "11.0.4+1_really11.0.3-ga" trick.
> I think we should leave 11.0.4 in unstable until the GA release in July
> and upload 11.0.3+7-4 directly to testing through
> testing-proposed-updates. I'm volunteering to deal with this upload if
> Matthias agrees.

Ah, that's great if we can upload 11.0.3+7 without having to play
any games with the version string.  Also, I should have said explicitly
that I'm also volunteering to help with uploads - both this version and
going forward.

> > In general, I think it would be helpful for our users if we uploaded the
> > prereleases to experimental but stuck to GA releases for unstable,
> > testing, and backports.  I think it is easy to mistake, for example, an
> > 11.0.3+x (prerelease) version in Debian with the 11.0.3 GA release being
> > distributed by other projects.
> It looks like upstream is going to append a -ea suffix to the version
> reported by the pre-releases [1]. This is a welcome clarification and we
> should ensure our builds do it as well.
> [1] https://mail.openjdk.java.net/pipermail/jdk8u-dev/2019-May/009369.html
Excellent!  Let's see if Matthias has any concerns.


Attachment: signature.asc
Description: PGP signature

Reply to: