Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > linux.debian.maint.java > #11224

Re: Debian distributions of stable OpenJDK updates

From tony mancill <tmancill@debian.org>
Newsgroups linux.debian.maint.java
Subject Re: Debian distributions of stable OpenJDK updates
Date 2019-05-27 00:00 +0200
Message-ID <y29ln-5aH-1@gated-at.bofh.it> (permalink)
References (5 earlier) <y0Zo6-34M-13@gated-at.bofh.it> <y13UJ-5GX-3@gated-at.bofh.it> <y1iK6-6EQ-9@gated-at.bofh.it> <y1n73-ZJ-3@gated-at.bofh.it> <y27jz-3XG-3@gated-at.bofh.it>
Organization linux.* mail to news gateway

Show all headers | View raw

[Multipart message — attachments visible in raw view] - view raw

On Sun, May 26, 2019 at 09:47:13PM +0200, Matthias Klose wrote:
> On 24.05.19 20:29, Martijn Verburg wrote:
> > On Fri, 24 May 2019 at 15:40, tony mancill <tmancill@debian.org> wrote:
> > 
> >> On Thu, May 23, 2019 at 11:58:14PM +0200, Emmanuel Bourg wrote:
> >>> Le 23/05/2019 à 19:04, Martijn Verburg a écrit :
> >>>
> >>>> What was the difficulty in grabbing the 11.0.3+7 tag directly?
> >>>
> >>> The difficulty is the policy that applies to backported packages. A
> >>> package that is backported from the Debian release n+1 to the release n
> >>> has to remain upgradable when the system is upgraded. For this to happen
> >>> the version backported must rank lower than the version in the next
> >>> release. That's why there are weird suffixes appended to the versions of
> >>> the backported packages (1.2.3-1~bpo9+1 is lower than 1.2.3-1).
> >>>
> >>> Currently Debian Buster has openjdk-11/11.0.3+1-1, so it isn't possible
> >>> to upload the version 11.0.3+7-1~bpo9+1 to stretch-backports. The only
> >>> solutions is to either upgrade openjdk-11 in testing to a version higher
> >>> than 11.0.3+7, or patch the existing version. Since testing is currently
> >>> frozen and difficult to update until the release of Buster, it leaves
> >>> only the patch solution.
> >>
> >> Emmanuel,
> >>
> >> It seems like we need to bring this up with the Release and Security
> >> teams.  Releasing Buster with mulitple critical open CVEs in the JVM
> >> isn't a good experience for our users.  My proposal is that we do what
> >> we need to get 11.0.3-ga-1 into Buster.
> >>
> >> From a versioning standpoint, this should work.  Am I missing something?
> >>
> >> $ dpkg --compare-versions 11.0.3-ga-1 gt 11.0.3+7-1 && echo "11.0.3-ga-1
> >> is newer"
> >> 11.0.3-ga-1 is newer
> 
> I don't think that playing games with version numbers is a good thing to do.
> Version numbers should match the upstream source release, and the binary
> packages should not change that version.  Of course openjdk has a split
> personality to give even another version when called with java --version
> 
> The final 11.0.3 release:
> https://mail.openjdk.java.net/pipermail/jdk-updates-dev/2019-April/000951.html
> 
> does *not* contain the ea specifier.

Hi Matthias,

Thank you for weighing in on the thread.  I have been building openjdk
packages all weekend and now understand that the version number is
required to be numeric as per the upstream build system - i.e.,
VERSION_BUILD won't pass the test here [1] if it is arbitrarily changed
from from 7 to ga.  So 11.0.3+7 it is.  My bad for proposing otherwise
in this thread, before I got more familiar with the build system...

For the update to buster via testing-proposed-updates, I have prepared
11.0.3+7-4+deb10u1, which is simply your 11.0.3+7-4 package [2] targeted
at buster via t-p-u and with the changelog updated to note that 11.0.3+7
is the GA release from OpenJDK.  This will address the CVEs currently
open against the version in buster.

Does that sound acceptable for upload to Debian?  Would you prefer a
different approach?

Thank you,
tony

[1] http://hg.openjdk.java.net/jdk-updates/jdk11u/file/175eb80c253a/make/autoconf/jdk-version.m4#l40 
[2] https://tracker.debian.org/news/1038802/accepted-openjdk-11-11037-4-source-into-unstable/

Back to linux.debian.maint.java | Previous | NextPrevious in thread | Next in thread | Find similar | Unroll thread

Thread

Re: Debian distributions of stable OpenJDK updates Emmanuel Bourg <ebourg@apache.org> - 2019-05-20 12:20 +0200
  Re: Debian distributions of stable OpenJDK updates Emmanuel Bourg <ebourg@apache.org> - 2019-05-20 14:40 +0200
    Re: Debian distributions of stable OpenJDK updates Emmanuel Bourg <ebourg@apache.org> - 2019-05-20 15:10 +0200
      Re: Debian distributions of stable OpenJDK updates tony mancill <tmancill@debian.org> - 2019-05-22 06:20 +0200
        Re: Debian distributions of stable OpenJDK updates Emmanuel Bourg <ebourg@apache.org> - 2019-05-22 12:30 +0200
          Re: Debian distributions of stable OpenJDK updates tony mancill <tmancill@debian.org> - 2019-05-22 16:40 +0200
          Re: Debian distributions of stable OpenJDK updates Matthias Klose <doko@debian.org> - 2019-05-26 22:00 +0200
            Re: Debian distributions of stable OpenJDK updates Emmanuel Bourg <ebourg@apache.org> - 2019-05-27 00:00 +0200
              Re: Debian distributions of stable OpenJDK updates Matthias Klose <doko@debian.org> - 2019-05-27 16:00 +0200
            Re: Debian distributions of stable OpenJDK updates Thorsten Glaser <t.glaser@tarent.de> - 2019-05-27 18:50 +0200
    Re: Debian distributions of stable OpenJDK updates Emmanuel Bourg <ebourg@apache.org> - 2019-05-23 18:00 +0200
      Re: Debian distributions of stable OpenJDK updates Martijn Verburg <martijnverburg@gmail.com> - 2019-05-23 19:10 +0200
        Re: Debian distributions of stable OpenJDK updates Emmanuel Bourg <ebourg@apache.org> - 2019-05-24 00:00 +0200
          Re: Debian distributions of stable OpenJDK updates Thorsten Glaser <t.glaser@tarent.de> - 2019-05-24 00:50 +0200
            Re: Debian distributions of stable OpenJDK updates tony mancill <tmancill@debian.org> - 2019-05-25 18:10 +0200
              Re: Debian distributions of stable OpenJDK updates Emmanuel Bourg <ebourg@apache.org> - 2019-05-27 17:10 +0200
              Re: Debian distributions of stable OpenJDK updates Thorsten Glaser <t.glaser@tarent.de> - 2019-05-27 18:40 +0200
                Re: Debian distributions of stable OpenJDK updates Emmanuel Bourg <ebourg@apache.org> - 2019-05-28 10:40 +0200
                Re: Debian distributions of stable OpenJDK updates Thorsten Glaser <t.glaser@tarent.de> - 2019-05-29 14:20 +0200
                Re: Debian distributions of stable OpenJDK updates Emmanuel Bourg <ebourg@apache.org> - 2019-05-30 00:10 +0200
          Re: Debian distributions of stable OpenJDK updates tony mancill <tmancill@debian.org> - 2019-05-24 15:50 +0200
            Re: Debian distributions of stable OpenJDK updates Martijn Verburg <martijnverburg@gmail.com> - 2019-05-24 20:30 +0200
              Re: Debian distributions of stable OpenJDK updates Matthias Klose <doko@debian.org> - 2019-05-26 21:50 +0200
                Re: Debian distributions of stable OpenJDK updates tony mancill <tmancill@debian.org> - 2019-05-27 00:00 +0200
                Re: Debian distributions of stable OpenJDK updates Matthias Klose <doko@debian.org> - 2019-05-27 16:10 +0200
                Re: Debian distributions of stable OpenJDK updates Thorsten Glaser <t.glaser@tarent.de> - 2019-05-27 18:40 +0200
                debian/watch file for OpenJDK (was Re: Debian distributions of stable  OpenJDK updates) Emmanuel Bourg <ebourg@apache.org> - 2019-05-28 10:30 +0200
                Re: debian/watch file for OpenJDK (was Re: Debian distributions of  stable OpenJDK updates) Paul Wise <pabs@debian.org> - 2019-05-28 11:20 +0200
                Re: debian/watch file for OpenJDK (was Re: Debian distributions of  stable OpenJDK updates) Emmanuel Bourg <ebourg@apache.org> - 2019-05-28 11:30 +0200
                Re: debian/watch file for OpenJDK (was Re: Debian distributions of  stable OpenJDK updates) Tiago Daitx <tiago.daitx@canonical.com> - 2019-05-29 04:10 +0200
                Re: debian/watch file for OpenJDK (was Re: Debian distributions of  stable OpenJDK updates) Tiago Daitx <tiago.daitx@canonical.com> - 2019-05-29 04:20 +0200
                Re: debian/watch file for OpenJDK (was Re: Debian distributions of  stable OpenJDK updates) Thorsten Glaser <t.glaser@tarent.de> - 2019-05-29 14:20 +0200
                Re: debian/watch file for OpenJDK (was Re: Debian distributions of  stable OpenJDK updates) Dalibor Topic <dalibor.topic@oracle.com> - 2019-05-29 16:00 +0200
                Re: Debian distributions of stable OpenJDK updates Emmanuel Bourg <ebourg@apache.org> - 2019-05-30 00:00 +0200
                Re: Debian distributions of stable OpenJDK updates Thorsten Glaser <t.glaser@tarent.de> - 2019-05-30 00:30 +0200
                Re: Debian distributions of stable OpenJDK updates Matthias Klose <doko@debian.org> - 2019-06-10 11:40 +0200
                Re: Debian distributions of stable OpenJDK updates Martijn Verburg <martijnverburg@gmail.com> - 2019-05-27 12:30 +0200

csiph-web