> OpenJDK Security support has always been a nightmare for the security
> team because there was no support from the maintainers. Security support
> is primarily the responsibility of the maintainer.
So what kind of responsibility does the security team take at all?

- In the past, the security team was fine to promote the proprietary sun-java5 and sun-java6 packages for stable releases, but did deny this for the corresponding openjdk packages. Now, these are gone fortunately.

- The security team happily copies security information for Oracle's binary releases, without checking and tracking. This is counterproductive from my point of view; blindly opening issues for Oracle's web plugin and javaws implementation is wrong. If you do open these issues on the basis of the binary releases, then please track them on your own as well.

- At Debconf 10 Torsten and I had a chat with either you or Florian about how to improve the situation. AFAICR we had the proposal to follow the update releases (bxx), exactly because backporting was not an option. I think you did experience this yourself in at least oldstable. Never did hear back about this ... Sure, it could be an option to have the bxx package in stable updates, or in backports.

- To the best of my knowledge the security team, or single members of the team, are not subscribed to Oracle's OpenJDK security advisories. Why not? Is somebody from the team willing to do so?

Security updates were formerly handled by the security team; maybe I did miss an announcement when the security team became a management-only team. Apologies for this.

> If you dump two packages in the archive without taking any precautions
> to get a clean solution this only makes things worse.

Sure, an option would be to default back to gcj for the build process, disable the tests for java packages, and recommend users to download the Oracle binaries. Or to support the bxx updates in security updates, however your wording of "dumping two packages" doesn't really suggest this. Just to clarify, 6 is "dumped" by myself, while 7 is mostly "dumped" by Damien.

> In any case we
> cannot hide the issue under the carpet.
> We have three options:
>
> - Drop openjdk6 from Wheezy (and proceed with the needed changes to allow
>   that)

If you do want to drop openjdk7 too, fine. You don't seem to make a difference between 6 and 7 regarding the maintenance in Debian.

> - The Java maintainers take up the responsibility and step up to support
>   openjdk6 in stable- and oldstable-security for Wheezy

I'm not sure how this would help. If somebody wants to help with OpenJDK maintenance, that should happen within the OpenJDK team. I'm more than happy to add people, if they did show some involvement with OpenJDK, in Debian, upstream, or in IcedTea.

> - A note is being added to the release notes that openjdk6 is unmaintained
>   security-wise in Wheezy and should not generally be used

Again, why make a difference for 6 and 7? There are two things here to differentiate:

- the security team's implications about Oracle's binary releases and OpenJDK, which are just wrong. Andrew Haley made this clear in https://lists.debian.org/debian-java/2013/02/msg00005.html

- whether Debian should backport single patches or update to the bxx releases. I won't do the former, as I did see it fail already in Debian. However I can't speak for Damien and Torsten.

Matthias

_______________________________________________
Mailing list: https://launchpad.net/~openjdk

