Re: Bug#645881: critical update 29 available

To: Thijs Kinkhorst <thijs@debian.org>
Cc: Matthias Klose <doko@ubuntu.com>, Sylvestre Ledru <sylvestre@debian.org>, 645881@bugs.debian.org, debian-release@lists.debian.org, debian-security@lists.debian.org
Subject: Re: Bug#645881: critical update 29 available
From: Philipp Kern <pkern@debian.org>
Date: Wed, 19 Oct 2011 16:33:57 +0200
Message-id: <20111019143357.GA5502@thrall.0x539.de>
In-reply-to: <a022548bb2db4ab2477511adccb72c57.squirrel@wm.kinkhorst.nl>
References: <20111019102156.27924.91833.reportbug@incagijs.uvt.nl> <1319021415.28383.181.camel@korcula.inria.fr> <a99694a8206b782c0176d9df732e4a3a.squirrel@wm.kinkhorst.nl> <4E9EBF7C.7020501@ubuntu.com> <a022548bb2db4ab2477511adccb72c57.squirrel@wm.kinkhorst.nl>

On Wed, Oct 19, 2011 at 03:28:02PM +0200, Thijs Kinkhorst wrote:
> What I'm wondering is if we tried to ask upstream whether they would be
> willing to extend the DLJ offer so we can keep security fixes for the
> sun-java6 version in stable coming in for the lifetime of this release,
> notwithstanding the fact that we're removing it from the next release.

They won't.

| I'm not familiar with the Debian Project's practices around security issues
| in non-free packages to be able to make a specific recommendation other than to
| recommend using the open source OpenJDK code base for Debian's packaging needs.
| 
| Like I said on my blog, there won't be further Oracle JDK 6 releases published
| under the DLJ license. Oracle's schedule for Critical Patch Updates (CPUs) is
| public, and available at
| http://www.oracle.com/technetwork/topics/security/alerts-086861.html

> > (in the past the security team
> > didn't care about this at all for the current oldstable).
> I don't know what this refers to, but it doesn't seem relevant because
> we're talking about the present.

Well, non-free used to be unsupported security-wise AFAIK.  doko is right
that the security team still didn't care in the present, though, as the
updates were through p-u and not the security archive.  That said I'm glad
that somebody stepped up and did the updates that were possible.

There might be one other option, but one I probably wouldn't be happy with
due to it probably being impossible to review: improve openjdk in stable enough
to replace sun-java6.

Apart from this it's either a DSA telling people that it contains known
flaws (if they're critical enough) and that there will be no further
security updates.  OTOH the updates didn't pass security anyway because
there's no non-free there.  Or it's the removal of the package.  Or
we simply don't care because it's freaking non-free and people are
supposed to use it in secure environments with a grain of salt.

Kind regards,
Philipp Kern
-- 
 .''`.  Philipp Kern                        Debian Developer
: :' :  http://philkern.de                         Stable Release Manager
`. `'   xmpp:phil@0x539.de                         Wanna-Build Admin
  `-    finger pkern/key@db.debian.org

Attachment: signature.asc
Description: Digital signature

Reply to:

Follow-Ups:
- Re: Bug#645881: critical update 29 available
  - From: Torsten Werner <twerner@debian.org>

References:
- Re: Bug#645881: critical update 29 available
  - From: Sylvestre Ledru <sylvestre@debian.org>
- Re: Bug#645881: critical update 29 available
  - From: "Thijs Kinkhorst" <thijs@debian.org>
- Re: Bug#645881: critical update 29 available
  - From: Matthias Klose <doko@ubuntu.com>
- Re: Bug#645881: critical update 29 available
  - From: "Thijs Kinkhorst" <thijs@debian.org>

Prev by Date: Re: Bug#645881: critical update 29 available
Next by Date: Re: [SRU] update for powertop in 6.0.1
Previous by thread: Re: Bug#645881: critical update 29 available
Next by thread: Re: Bug#645881: critical update 29 available
Index(es):
- Date
- Thread