Re: Debian distributions of stable OpenJDK updates

To: Emmanuel Bourg <ebourg@apache.org>, debian-java@lists.debian.org
Subject: Re: Debian distributions of stable OpenJDK updates
From: Aleksey Shipilev <shade@redhat.com>
Date: Mon, 20 May 2019 14:38:44 +0200
Message-id: <[🔎] a7b71570-a04c-2c48-c1dd-6a0a7a18ab4c@redhat.com>
In-reply-to: <[🔎] 67ac780f-42e1-26cc-a8ed-f26ba091a9a0@apache.org>
References: <[🔎] 4471343c-9b11-c218-2cc4-771170fe0e84@redhat.com> <[🔎] d7bd9794-cfa3-a766-659b-f90fa8b279d8@apache.org> <[🔎] 4312b8ae-a1e9-7780-d7f5-37a2a7ec768a@redhat.com> <[🔎] 67ac780f-42e1-26cc-a8ed-f26ba091a9a0@apache.org>

On 5/20/19 2:32 PM, Emmanuel Bourg wrote:
> Le 20/05/2019 à 13:54, Aleksey Shipilev a écrit :
> 
>> Right. Maybe then "-ea" or "-preview" in version tag would communicate that intent more clearly, on
>> the off-chance "stretch" users would install openjdk-11, thinking it is somehow stable.
> 
> Do you think the 11.0.3+1 package in stretch is affected by serious
> issues compared to the GA release that should be addressed quickly?

Yes. Security fixes and Japanese epoch changes are delivered in 11.0.3+7, after security embargo was
lifted. The fixes are not in 11.0.3+6, which was tagged before the embargo lifted. You are looking
for these:
  http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/175eb80c253a
  http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/2996b4523925
  http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/f0d8b845de21
  http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/1084d119236b
  http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/c61b8801f0e4
  http://hg.openjdk.java.net/jdk-updates/jdk11u/rev/59610bddd37a

So yes, I would say the update should be high priority.

>> Excellent, do you have any rough ETA? Having 11.0.4+x in "unstable" (preferably with "-ea" suffix)
>> and 11.0.3+7 in "testing"/"stable" would be the good state for the current moment.
> 
> That may happen later this week if no other update is uploaded in
> unstable and the release team approves the transition (that's a big "if"
> because testing is currently in deep freeze, and the previous minor
> update 11.0.2 broke a ton of packages due to javadoc changes). A likely
> outcome is that Debian 10 gets released with OpenJDK 11.0.3+1 and
> receives a 11.0.4 update after the release.

That would be rather bad, see above why. Maybe at least cherry-pick the fixes from above to get sane
security baseline?

>> Yup, would be nice if outlier like the current one does not happen again. I think you can always
>> check with upstream 8u/11u maintainers if the tags you're building from are sane for "stable",
>> especially if you cannot see the -ga tags in the upstream repo.
> 
> I've just noticed the new *-ga tags added recently to the OpenJDK 8/11
> repositories, that's a very welcome change. That will allow us to write
> debian/watch files detecting the release tags.

Yup, just as planned.

-- 
Thanks,
-Aleksey

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to:

Follow-Ups:
- Re: Debian distributions of stable OpenJDK updates
  - From: Emmanuel Bourg <ebourg@apache.org>
- Re: Debian distributions of stable OpenJDK updates
  - From: Emmanuel Bourg <ebourg@apache.org>

References:
- Debian distributions of stable OpenJDK updates
  - From: Aleksey Shipilev <shade@redhat.com>
- Re: Debian distributions of stable OpenJDK updates
  - From: Emmanuel Bourg <ebourg@apache.org>
- Re: Debian distributions of stable OpenJDK updates
  - From: Aleksey Shipilev <shade@redhat.com>
- Re: Debian distributions of stable OpenJDK updates
  - From: Emmanuel Bourg <ebourg@apache.org>

Prev by Date: Re: Debian distributions of stable OpenJDK updates
Next by Date: Re: Debian distributions of stable OpenJDK updates
Previous by thread: Re: Debian distributions of stable OpenJDK updates
Next by thread: Re: Debian distributions of stable OpenJDK updates
Index(es):
- Date
- Thread