
openjdk maintenance for wheezy and squeeze



There is a bug report open for openjdk-6 in wheezy (#675495) and squeeze didn't
see any security updates for several months.  To summarize, no party involved is
capable or willing to provide security updates based on backports of single
patches to the released openjdk-6 version in a stable release. So what to do
about it?

 - Remove openjdk-6 in wheezy. Probably would require falling back to
   gcj. Not recommended as a runtime environment, but should work fine
   for building packages, as ecj is used for byte-code compilation.
   Falling back to an easier-to-maintain jvm could be an option too, but
   I didn't check how well that would work.
   Not having a fall-back would require removing most of java in Debian.

 - Updating to openjdk-7 in wheezy would not solve any issues from my
   point of view, and it would need some porting of packages to 7, and
   probably removing some packages which are not yet ported.
   Otoh removing openjdk-7 for wheezy could be an option if only one
   version should be supported for a stable release.

 - Release openjdk-6 with wheezy, and provide security support by
   updating to new OpenJDK and IcedTea versions.  Usually this does
   include some backports and other fixes.  The potential for
   regressions could be higher, however even the single security fixes
   show regressions, as shown by the last security update on Feb 1.

   These builds could be provided as security updates, updates to
   the stable releases, or as backports. As a proof of concept, see [1].

 - Release openjdk-7 with wheezy, and do the same as with openjdk-6.
   The issue here is that 7 sees more changes than 6, and that the
   current openjdk-7 release doesn't build anymore on mips or mipsel,
   as communicated to the Debian mips porters, so an update would
   require removal of the binary mips packages.  Fine if somebody wants
   to fix it, but apparently there is no-one interested in that. So
   this looks more difficult than the openjdk-6 updates. Removing
   the openjdk mips binaries would require changes to source packages
   building arch any packages and build-depending on default-jdk or
   openjdk.

We should find a solution where the resources are available to handle this
solution.  In the OpenJDK team, I think it's safe to assume that Torsten Werner
isn't currently working on openjdk anymore and recently I got an email from
Damien Raude-Morvan, that he can't work on OpenJDK-7 in the foreseeable future
anymore.  Apparently one of the security team members who did work on OpenJDK
security updates left the team too.  I think that moving maintainership to the
Debian Java team would just make the maintainership issue less explicit.

While not that important an issue, the mips and kfreebsd issue could be improved
as well:

 - The mipsel porter box is again down for several months. Having a porter
   box to test backports would be appreciated (yes, openjdk-7 in experimental
   currently fails on mips, not mipsel).

 - Afaik openjdk-7 for kfreebsd does build on kfreebsd (according to Damien)
   with the kfreebsd kernel from wheezy. So maybe some commitment could be
   found to upgrade and maintain the kernels before wheezy is released?

Matthias

[1] deb http://people.debian.org/~doko/tmp/openjdk-6-squeeze ./

