Source: jtreg7 Version: 7.3.1+1-1 Severity: wishlist Dear Maintainer,
jtreg7 depends on newer versions of the Java packages such as junit4, junit5, hamcrest, etc. Updating them in the stable releases will require significant effort. Vendoring the dependencies introduces a pattern of packaging that is not sanctioned or otherwise frowned upon by other teams within Debian. Vendored dependencies might introduce security vulnerabilities if not updated promptly. jtreg7 only purpose is to run the openjdk tests, and the package is not security-sensitive, so embedding the package might not be a concern. OpenJDK receives regular updates in stable releases and often requires an updated jtreg package to run tests. Vendoring dependencies can be an acceptable compromise to avoid introducing additional complexity into the openjdk updates release process. -- System Information: Debian Release: trixie/sid APT prefers mantic-updates APT policy: (500, 'mantic-updates'), (500, 'mantic-security'), (500, 'mantic'), (100, 'mantic-backports') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 6.5.0-26-generic (SMP w/32 CPU threads; PREEMPT) Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled