[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Debian distributions of stable OpenJDK updates

On Thu, May 23, 2019 at 11:58:14PM +0200, Emmanuel Bourg wrote:
> Le 23/05/2019 à 19:04, Martijn Verburg a écrit :
> > What was the difficulty in grabbing the 11.0.3+7 tag directly?
> The difficulty is the policy that applies to backported packages. A
> package that is backported from the Debian release n+1 to the release n
> has to remain upgradable when the system is upgraded. For this to happen
> the version backported must rank lower than the version in the next
> release. That's why there are weird suffixes appended to the versions of
> the backported packages (1.2.3-1~bpo9+1 is lower than 1.2.3-1).
> Currently Debian Buster has openjdk-11/11.0.3+1-1, so it isn't possible
> to upload the version 11.0.3+7-1~bpo9+1 to stretch-backports. The only
> solutions is to either upgrade openjdk-11 in testing to a version higher
> than 11.0.3+7, or patch the existing version. Since testing is currently
> frozen and difficult to update until the release of Buster, it leaves
> only the patch solution.


It seems like we need to bring this up with the Release and Security
teams.  Releasing Buster with mulitple critical open CVEs in the JVM
isn't a good experience for our users.  My proposal is that we do what
we need to get 11.0.3-ga-1 into Buster.

From a versioning standpoint, this should work.  Am I missing something?

$ dpkg --compare-versions 11.0.3-ga-1 gt 11.0.3+7-1 && echo "11.0.3-ga-1 is newer"
11.0.3-ga-1 is newer


Attachment: signature.asc
Description: PGP signature

Reply to: