
Re: Debian distributions of stable OpenJDK updates



On Thu, May 23, 2019 at 11:58:14PM +0200, Emmanuel Bourg wrote:
> On 23/05/2019 at 19:04, Martijn Verburg wrote:
> 
> > What was the difficulty in grabbing the 11.0.3+7 tag directly?
> 
> The difficulty is the policy that applies to backported packages. A
> package that is backported from the Debian release n+1 to the release n
> has to remain upgradable when the system is upgraded. For this to happen
> the version backported must rank lower than the version in the next
> release. That's why there are weird suffixes appended to the versions of
> the backported packages (1.2.3-1~bpo9+1 is lower than 1.2.3-1).
> 
> Currently Debian Buster has openjdk-11/11.0.3+1-1, so it isn't possible
> to upload the version 11.0.3+7-1~bpo9+1 to stretch-backports. The only
> solution is to either upgrade openjdk-11 in testing to a version higher
> than 11.0.3+7, or patch the existing version. Since testing is currently
> frozen and difficult to update until the release of Buster, it leaves
> only the patch solution.

Emmanuel,

It seems like we need to bring this up with the Release and Security
teams.  Releasing Buster with multiple critical open CVEs in the JVM
isn't a good experience for our users.  My proposal is that we do what
we need to get 11.0.3-ga-1 into Buster.

From a versioning standpoint, this should work.  Am I missing something?

$ dpkg --compare-versions 11.0.3-ga-1 gt 11.0.3+7-1 && echo "11.0.3-ga-1 is newer"
11.0.3-ga-1 is newer

Thanks,
tony
