openjdk team mailing list archive
Message #08931
Bug#675495: downgrading the severity of #675495 (openjdk-6 in wheezy)
> OpenJDK Security support has always been a nightmare for the security
> team because there was no support from the maintainers. Security support
> is primarily the responsibility of the maintainer.
So what kind of responsibility does the security team take at all?
- In the past, the security team was fine to promote the
proprietary sun-java5 and sun-java6 packages for stable
releases, but did deny this for the corresponding
openjdk packages. Now, these are gone fortunately.
- The security team happily copies security information for
Oracle's binary releases, without checking and tracking.
This is counterproductive from my point of view; blindly opening
issues for Oracle's web plugin and javaws implementation is
wrong. If you do open these issues on the base of the binary releases,
then please track them on your own as well.
- At Debconf 10 Torsten and I had a chat with either you or Florian,
about how to improve the situation. Afaicr we had the proposal
to follow the update releases (bxx), exactly because backporting
was not an option. I think you did experience this yourself in
at least oldstable.
Never did hear back about this ...
Sure, it could be an option to have the bxx package in stable
updates, or in backports.
- To the best of my knowledge the security team, or single members
of the team are not subscribed to Oracle's OpenJDK security advisories.
Why not? Is somebody from the team willing to do so?
Security updates were formerly handled by the security team; maybe I missed the
announcement when the security team became a management-only team. Apologies for
this.
> If you dump two packages in the archive without taking any precautions
> to get a clean solution this only makes things worse.
Sure, an option would be to default back to gcj for the build process, disable
the tests for java packages, and recommend users to download the Oracle
binaries. Or to support the bxx updates in security updates, however your
wording of "dumping two packages" doesn't really suggest this.
Just to clarify, 6 is "dumped" by myself, while 7 is mostly "dumped" by Damien.
> In any case we
> cannot hide the issue under the carpet. We have three options:
>
> - Drop openjdk6 from Wheezy (and proceed with the needed changes to allow
> that)
If you do want to drop openjdk7 too, fine. You don't seem to make a difference
between 6 and 7 regarding the maintenance in Debian.
> - The Java maintainers take up the responsibility and step up to support
> openjdk6 in stable- and oldstable-security for Wheezy
I'm not sure how this would help. If somebody wants to help with OpenJDK
maintenance, that should happen within the OpenJDK team. I'm more than happy to
add people, if they did show some involvement with OpenJDK, in Debian, upstream,
or in IcedTea.
> - A note is being added to the release notes that openjdk6 is unmaintained
> security-wise in Wheezy and should not generally be used
Again, why make a difference for 6 and 7?
There are two things here to differentiate:
- the security team's implications about Oracle's binary releases, and
OpenJDK, which are just wrong.
Andrew Haley made this clear in
https://lists.debian.org/debian-java/2013/02/msg00005.html
- whether Debian should backport single patches or update to the bxx
releases. I won't do the former, as I did see it fail already in
Debian. However I can't speak for Damien and Torsten.
Matthias