[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Debian distributions of stable OpenJDK updates

On 22.05.19 12:24, Emmanuel Bourg wrote:
> Le 22/05/2019 à 06:17, tony mancill a écrit :
> 
>> For stable backports and buster, I agree that we should upload an
>> 11.0.3-ga package, particularly given the vulnerabilities still present
>> in 11.0.3+1: CVE-2019-2698, CVE-2019-2684, and CVE-2019-2602
> 
> I've uploaded 11.0.3+1 with a patch bringing it up to 11.0.3+7 to
> stretch-backports yesterday, it's still pending validation.
> 
> 
>> It would be nice to do the same for buster, although now that 11.0.4+x
>> has been introduced to unstable, I believe we'll have to be creative
>> with the naming, either by introducing an epoch or using the
>> "11.0.4+1_really11.0.3-ga" trick.
> 
> I think we should leave 11.0.4 in unstable until the GA release in July
> and upload 11.0.3+7-4 directly to testing through
> testing-proposed-updates. I'm volunteering to deal with this upload if
> Matthias agrees.

well, I disagree ;)  The Debian security team has the policy to take any OpenJDK
update and backport that to stable release.   From my point of view, the Debian
release team is playing games with both the security team, and the OpenJDK
packagers to force something else, although it's unknown to me what they really
want to achieve, if further backports land in stable-security anyway.

>> In general, I think it would be helpful for our users if we uploaded the
>> prereleases to experimental but stuck to GA releases for unstable,
>> testing, and backports.  I think it is easy to mistake, for example, an
>> 11.0.3+x (prerelease) version in Debian with the 11.0.3 GA release being
>> distributed by other projects.

I would like to avoid experimental, because it really doesn't get much testing.
 See the openjdk-11 updates as a stable release branch, and it's worth to check
these out early, because upstream doesn't test most Debian architectures.

> It looks like upstream is going to append a -ea suffix to the version
> reported by the pre-releases [1]. This is a welcome clarification and we
> should ensure our builds do it as well.

no, at least not for the recent release:
https://mail.openjdk.java.net/pipermail/jdk-updates-dev/2019-April/000951.html

Matthias
Reply to: