On Mon, Sep 28, 2020 at 12:24 PM tony mancill <tmanc...@debian.org> wrote: > > On Mon, Sep 28, 2020 at 02:05:24PM +0200, Matthias Klose wrote: > > On 9/24/20 7:47 PM, tony mancill wrote: > > > Control: tags 944738 + pending > > > > > > Hello Matthias, > > > > > > I've prepared an NMU for openjdk-11 (versioned as 11.0.8+10-1.1) and > > > uploaded it to DELAYED/15. Please feel free to tell me if I should delay > > > it longer or remove the upload from the queue. > > > > please could you stop doing these NMUs? There's no reason to fast-track > > those > > before the next regular updates. Disappointed about that communication > > style, > > after your words at FOSDEM, nothing happened and then suddenly you start > > NMUing. > > Hi Matthias, > > Yes, I will both cease and also remove these NMUs from the upload queue > if you would prefer that. Regarding communication, we have been > discussing the bug in the BTS since September 18th and I announced my > intention to NMU on September 20th: > > > Once the upload is ready (see below), I will upload it as an NMU to > > the delayed queue if we haven't heard back from Matthias. > > (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=944738#79) > > I assumed that you saw the traffic - after all, you did see the nmudiff > email - but would you prefer a direct cc: in the future? > > Regarding the sudden activity - in my opinion, the jlink bug is serious. > Part of the functionality of the JDK was broken in order to support > reproducible builds - and so I was trying to help address that. I'm > grateful that Julian discovered the root cause.
Disclaimer: I am not involved in Debian and not very familiar with how NMUs are done and how they affect the package/distro, I'm just stating my opinion as an Ubuntu maintainer for the OpenJDK security releases regarding the patch itself. I agree with Tony's statement that this is a serious issue - and I'm also very glad that Julian found the root cause. The next security update comes out on Oct 20th and we should have it packaged in the same week, so while waiting until then seems ok, I believe it could be very useful to have the jlink patch out now so users can report back if they see any issues on the current fix. cheers! -- Tiago Stürmer Daitx Software Engineer tiago.da...@canonical.com PGP Key: 4096R/F5B213BE (hkp://keyserver.ubuntu.com) Fingerprint = 45D0 FE5A 8109 1E91 866E 8CA4 1931 8D5E F5B2 13BE
