openjdk team mailing list archive

[Matthias Klose <doko@xxxxxxxxxx>]

> OpenJDK Security support has always been a nightmare for the security
> team because there was no support from the maintainers. Security support
> is primarily the responsibility of the maintainer.

So what kind of responsibility does the security team take at all?

 - In the past, the security team was fine to promote the
   proprietary sun-java5 and sun-java6 packages for stable
   releases, but did deny this for the corresponding
   openjdk packages. Now, these are gone fortunately.

 - The security team happily copies security informations for
   Oracle's binary releases, without checking and tracking.
   This is counter productive from my point of view; blindly opening
   issues for Oracle's web plugin and javaws implementation is
   wrong. If you do open these issues on the base of the binary releases,
   then please track them on your own as well.

 - At Debconf 10 Torsten and I had a chat with either you or Florian,
   about how to improve the situation. Afaicr we had the proposal
   to follow the update releases (bxx), exactly because backporting
   was not an option. I think you did experience this yourself in
   at least oldstable.

   Never did hear back about this ...

   Sure, it could be an option to have the bxx package in stable
   updates, or in backports.

 - To the best of my knowledge the security team, or single members
   of the team are not subscribed to Oracle's OpenJDK security advisories.
   Why not?  Is somebody from the team willing to do so?

Security updates were formerly handled by the security, maybe I did miss any
announcement when the security team became a management-only team. Apologies for
this.

> If you dump two packages in the archive without taking any precautions
> to get a clean solution this only makes things worse.

Sure, an option would be to default back to gcj for the build process, disable
the tests for java packages, and recommend users to download the Oracle
binaries.  Or to support the bxx updates in security updates, however your
wording of "dumping two packages" doesn't really suggest this.

Just to clarify, 6 is "dumped" by myself, while 7 is mostly "dumped" by Damien.

> In any case we
> cannot hide the issue under the carpet. We have three options:
>
> - Drop openjdk6 from Wheezy (and proceed with the needed changes to allow
>   that)

If you do want to drop openjdk7 too, fine. You don't seem to make a difference
between 6 and 7 regarding the maintenance in Debian.

> - The Java maintainers take up the responsibility and step up to support
>   openjdk6 in stable- and oldstable-security for Wheezy

I'm not sure how this would help.  If somebody wants to help with OpenJDK
maintenance, that should happen within the OpenJDK team.  I'm more than happy to
add people, if they did show some involvement with OpenJDK, in Debian, upstream,
or in IcedTea.

> - A note is being added to the release notes that openjdk6 is unmaintained
>   security-wise in Wheezy and should not generally be used

Again, why make a difference for 6 and 7?

There are two things here to differentiate:

 - the security team's implications about Oracle's binary releases, and
   OpenJDK, which are just wrong.

   Andrew Haley made this clear in
   https://lists.debian.org/debian-java/2013/02/msg00005.html

 - whether Debian should backport single patches or update to the bxx
   releases. I won't do the former, as I did see it fail already in
   Debian. However I can't speak for Damien and Torsten.

Matthias