OpenJDK / default JDK for squeeze / issues on mips / open security issues for lenny

To: Debian Java Liste <debian-java@lists.debian.org>
Cc: Debian Release <debian-release@lists.debian.org>, debian-mips@lists.debian.org, security@debian.org
Subject: OpenJDK / default JDK for squeeze / issues on mips / open security issues for lenny
From: Matthias Klose <doko@ubuntu.com>
Date: Thu, 29 Jul 2010 01:44:57 +0200
Message-id: <4C50C0F9.5000607@ubuntu.com>

OpenJDK was just uploaded to unstable, based on the IcedTea6-1.8.1 release [1].This version addresses some security issues, and this version should be shippedwith squeeze. The package should build on all architectures except on mips.openjdk-6 on mips doesn't seem to be good enough to build itself, and apparentlygcj isn't able to build openjdk-6 on mips anymore. Having spent some time tobuild it on gabrielli.d.o I don't see any obvious issues with the build and Idon't intend to spend more time to fix the mips issues in the time frame forsqueeze. Unless a mips porter wants to address these build issues, I suggestthat the default-{jre,jdk} packages for mips point to gcj, although it's not themost viable choice. An option would be the backport of the mips hotspot build toopenjdk-6 [2].

openjdk-6 in stable didn't see any security updates for more than a year. Idon't plan to provide updates myself. Is the security team interested in fixingthese, or anybody else? Or does everybody see openjdk as an alibi for Debian tobuild things and then use the sun-java packages from non-free? I see that thereare a few bug reports open requesting adding CVE numbers to the debian changelog[3], [4], [5]. If this prevents the security team on fixing outstanding realissues, I'd be happy to apply a patch for the changelog, just send it. The mainproblem seems to be that the CVE numbers are not known before preparing anupdate and nobody is willing to track these.

For those who are interested in an openjdk-6 update for stable, I did prepare anupdate for some architectures at


  deb http://people.debian.org/~doko/archive stable/

I don't plan any updates for unstable/testing beyond 6b18. 6b20 is available inexperimental, but disables the ARM assembler interpreter (which is 3-5x timesfaster than the plain zero build), and 6b20 doesn't build anymore on sparc.


  Matthias

[1] http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2010-July/009814.html
[2] http://lists.debian.org/debian-mips/2010/04/msg00003.html
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=560908
[4] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566769
[5] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=566770

Reply to:

Prev by Date: icu package RC bug and fix
Next by Date: Re: Intent to upload git-core to proposed-updates
Previous by thread: icu package RC bug and fix
Next by thread: libvirt 0.4.6-10+lenny1 stable update
Index(es):
- Date
- Thread