Bug#928185: unblock: openjdk-11/11.0.3+7-4

To: tony mancill <tmancill@debian.org>
Cc: Emmanuel Bourg <ebourg@apache.org>, 928185@bugs.debian.org, Matthias Klose <doko@debian.org>
Subject: Bug#928185: unblock: openjdk-11/11.0.3+7-4
From: Paul Gevers <elbrus@debian.org>
Date: Wed, 5 Jun 2019 22:28:48 +0200
Message-id: <[🔎] 0316d259-c335-ea1d-6a3a-06164bd69d19@debian.org>
Reply-to: Paul Gevers <elbrus@debian.org>, 928185@bugs.debian.org
In-reply-to: <[🔎] 20190605060736.wdz7yzypfg53napi@lark>
References: <20190502083014.GA3969@tomate.cristau.org> <afd01db1-5db9-373d-bc65-ec8cdde8e5aa@debian.org> <3cecd4e8-d125-ab57-cd12-7ac129b3959b@apache.org> <3cecd4e8-d125-ab57-cd12-7ac129b3959b@apache.org> <0ed4fdbe-9a11-425a-e168-06232b7d9de3@debian.org> <2f6fccd7-c82d-566f-ea35-a951e99dfe0d@apache.org> <e5704337-17af-db43-bfff-440c5a4e06bf@debian.org> <810323c2-fe5f-b704-f042-0650159107e4@apache.org> <3eaae642-c11b-a437-8052-59177d4ad7ca@debian.org> <[🔎] daa2a166-682f-e650-31c3-75e36180a881@debian.org> <[🔎] 20190605060736.wdz7yzypfg53napi@lark> <6463f9b8-a225-eb43-590b-3b640c05c5eb@debian.org>

Hi Tony, Emmanuel, Matthias,

On 05-06-2019 08:07, tony mancill wrote:
> On Tue, Jun 04, 2019 at 09:36:56PM +0200, Paul Gevers wrote:
>> Ping... [fixed borked address of doko and added Tony]
>>
>> On 29-05-2019 20:22, Paul Gevers wrote:
>>> Control: tags -1 928185 moreinfo
>>> Control: reopen -1
>>>
>>> Hi,
>>>
>>> On 28-05-2019 23:50, Emmanuel Bourg wrote:
>>>> Tony Mancill has prepared the tpu upload yesterday and Matthias was ok
>>>> with 11.0.3+7 in testing [1].
>>>
>>> Can I see a debdiff please?
>>>
>>>> Unless Buster is expected at the end of July I'd advise against having
>>>> 11.0.4+2 in testing. This version is an early access release, the final
>>>> 11.0.4 release is expected on July 16th [2]. Debian is currently being
>>>> criticized [3] for allowing EA versions of OpenJDK in Debian stable, I
>>>> think it's important to ship Buster with a GA release.
>>>
>>> Then please refrain from uploading the wrong version to unstable, we
>>> have experimental for that. TPU doesn't get much testing, and for sure
>>> isn't covered well by our QA yet. So having such a high profile package
>>> with so much changes going through tpu is awkward.
> 
> Hi Paul!
> 
> Thank you for copying me on this as I missed this bug, despite being
> part of a related thread on debian-java [1] (that probably mentions it
> somewhere).  Also, aside from sponsoring an upload of openjdk-8 to
> experimental for Tiago last year, I haven't worked much with the openjdk
> packaging and so am trying to come up to speed.  However, I do think
> it's important that Buster ship with a "GA" version of openjdk-11 (if
> possible), which is why I have volunteered to help.
> 
> I've looked at a couple different approaches, both of which result in
> large debdiffs.
> 
> The first is to take Matthias' upload of 11.0.3+7-4 to unstable [2] and
> then revert the jdk11u-dev updates patch as per a suggestion made by
> Emmanuel in IRC.  The resulting debdiff against the current package in
> buster is about 310k [3].
> 
> The second approach was to go back to the 11.0.3+1-1 package in buster
> and then import upstream 11.0.3+7, resulting in a debdiff of 270k [4].
> (I am numbered this 11.0.3+7-1 for my local build, since that's still
> less than the version in unable, but let's ignore the package revision
> for now.)  My hope was that the second approach would result in a smaller
> diff to make it more palatable to the Release Team, but 270k is big. 
> 
> Note that the second approach is essentially the one Emmanuel took with
> openjdk-11 backport for stretch [5].  The reason the debdiff is smaller
> is because debian/patches/changes-from-11.0.3+1-to-11.0.3+7.patch
> doesn't prunes the changes to upstream tests that changed between those
> releases.  Or to put it another way, most of the large debdiff is due to
> tests, not changes to the runtime.
> 
> All that said, I'm not well-versed in all of the packaging changes made
> since the freeze and haven't formed a strong opinion on which approach
> is better for Buster.  At a minimum we need to address the CVEs present
> in 11.0.3+1, so the idea with jumping to 11.0.3+7 is that we address the
> security issues and are building from an upstream GA tag instead of an
> early-access tag.
> 
> Sorry for the book - I know all you asked for was the debdiff...
> 
> Thanks,
> tony
> 
> [1] https://lists.debian.org/debian-java/2019/05/msg00007.html
> [2] https://tracker.debian.org/news/1038802/accepted-openjdk-11-11037-4-source-into-unstable/
> [3] https://people.debian.org/~tmancill/openjdk-11/11.0.3+1-1.dsc_vs_11.0.3+7-5.dsc.debdiff
> [4] https://people.debian.org/~tmancill/openjdk-11/buster_minimal_11.0.3+1-1_11.0.3+7-1_dsc.debdiff
> [5] https://tracker.debian.org/news/1040268/accepted-openjdk-11-11031-1bpo92-source-amd64-all-into-stretch-backports-backports-policy-stretch-backports/
I really want bug 900912 and 925071 fixed. It seems that is missing from
your second approach. Let me sleep on it. What are the chances of you
agreeing on doing the +really upstream version dance such that we can
get some testing done in unstable?

Paul

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to:

References:
- Bug#928185: unblock: openjdk-11/11.0.3+7-4
  - From: Paul Gevers <elbrus@debian.org>
- Bug#928185: unblock: openjdk-11/11.0.3+7-4
  - From: tony mancill <tmancill@debian.org>

Prev by Date: Bug#929171: unblock: espeakup/1:0.80-15
Next by Date: Bug#926118: Alternative for Re: Bug#926118: unblock: libmspack/0.10.1-1
Previous by thread: Bug#928185: unblock: openjdk-11/11.0.3+7-4
Next by thread: Bug#928185: unblock: openjdk-11/11.0.3+7-4
Index(es):
- Date
- Thread