On 01/14/2013 11:48 PM, Niels Thykier wrote:
> On 2013-01-15 00:57, David Prévot wrote:
>> tags 698108 + patch
>> thanks
>>
>> Dear maintainer,
>>
>> I've prepared an NMU for java-package (versioned as 0.50+nmu2) and
>> uploaded it to DELAYED/2. Please feel free to tell me if I
>> should delay it longer (or even if I should dcut it to 0-day, given the
>> security matter).
>>
>> If you prefer to fix it in another not intrusive way (not c1fb4d0), I'm
>> happy to (quickly) sponsor your package too.
>>
>> Regards.
>>
>> David
>>
>> [...]
>
> Seems to me your patch will prevent anyone from using java-package on
> the older Java7 binaries. If we do remove this support because they are
> infested with security issues making them unsuitable for anything at
> all[1], I think it should have a nice little error message saying "Nope,
> won't do this - That version is vulnerable/unsupported/$whatever".
> Just so people are aware it is a deliberate choice from "our" side and
> not a buggy script crashing. (Particularly people have been using it
> with older versions before. They might be surprised to see that
> non-descriptive error message the reporter included in the original mail).

I had the same thought - there may be a valid reason for someone to want
to run jdk-7u9.

This issue already appears to be addressed in the 0.51 package (but with
a different patch). I'm assuming we want to keep the patch minimal - can
we use these patterns instead?

    jdk-7u+([0-9])-linux-i586.tar.gz
    jdk-7u+([0-9])-linux-x64.tar.gz

David, if you'd prefer not to upload again, could you remove the upload
and I'll prepare the update. (But thank you for taking the initiative in
the first place!)

Thank you,
tony
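
The two points raised in this thread, a pattern that accepts any Java 7 update number and an explicit message when a version is refused on purpose, sketched as an added example (not java-package's code and not written by any of the posters). `+([0-9])` is extended-glob syntax (in bash it needs `shopt -s extglob`), so the sketch uses an equivalent POSIX check; the function name `check_jdk7_tarball`, the `MIN_UPDATE` policy variable and the exit codes are assumptions.

```shell
#!/bin/sh
# Added example: all names here are hypothetical, not java-package's own.
# Accepts the same names as jdk-7u+([0-9])-linux-{i586,x64}.tar.gz.
# MIN_UPDATE (assumed policy knob): if set, older updates are refused with
# a message that makes the refusal visibly deliberate.

check_jdk7_tarball() {
    name=${1##*/}                       # match on the file name only
    case $name in
        jdk-7u*-linux-i586.tar.gz) arch=i586 ;;
        jdk-7u*-linux-x64.tar.gz)  arch=x64 ;;
        *) echo "unrecognised archive name: $name" >&2; return 2 ;;
    esac

    # Isolate what sits between "jdk-7u" and "-linux-<arch>.tar.gz".
    update=${name#jdk-7u}
    update=${update%-linux-$arch.tar.gz}

    # +([0-9]) means "one or more digits": reject empty or non-digit text.
    case $update in
        ''|*[!0-9]*) echo "unrecognised archive name: $name" >&2; return 2 ;;
    esac

    # Deliberate refusal gets its own message and status, so it cannot be
    # mistaken for the script failing to recognise the file.
    if [ -n "${MIN_UPDATE:-}" ] && [ "$update" -lt "$MIN_UPDATE" ]; then
        echo "refusing $name: update $update is below $MIN_UPDATE and is" \
             "deliberately unsupported" >&2
        return 3
    fi

    echo "$arch $update"
}

# Constructed sample names for a stand-alone run.
for f in jdk-7u9-linux-i586.tar.gz jdk-7u11-linux-x64.tar.gz \
         jdk-7u-linux-x64.tar.gz; do
    check_jdk7_tarball "$f" || echo "  -> rejected with status $?"
done
```
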