Re: Bug#645881: critical update 29 available
Hi all,

On Sunday, 11 December 2011 17:25:41, Holger Levsen wrote:
> On Sunday, 11 December 2011, Matthias Klose wrote:
>> the DLJ bundles were created because you are not allowed to re-distribute the jdk packages from oracle. Did that change recently?
>
> I believe inside an organisation I can rebundle their bundles to my preferred kind of bundle, that is, form of distribution (inside the organisation); anything else would be ridiculous, or? All I suggest is to document how to enhance their bundles to proper Debian packages :-)

You should have a look at the old make-jpkg tool which used to be provided by java-package: http://packages.qa.debian.org/j/java-package.html

The purpose of this tool is to repackage binaries provided by Oracle and integrate them inside Debian: alternatives, FHS directories, plugin registration, etc. Maybe we can provide some support to integrate the non-free Oracle JDK with this tool (but someone has to do the work to support newer JDKs in this tool).

Cheers,
-- 
Damien - Debian Developer
http://wiki.debian.org/DamienRaudeMorvan
Re: Bug#645881: critical update 29 available
Hi Moritz, hi all,

On Thu, Dec 08, 2011 at 08:43:06PM +0100, Moritz Mühlenhoff wrote:
> Since openjdk-6 is fixed now, now would be a good time to remove sun-java6 from stable in the next point update?

sorry, but I'd rather like to have an announcement that it has a bug, describing its impact to the users, which is not going to be fixed, than for it to be removed. I know it's not your fault, but it even took ages to get openjdk-6 fixed, for something which you claim to be a high profile bug, so I'm not sure it's really that critical. non-free doesn't get security support and there are people relying on it anyway because they have no choice in squeeze. I'd be ok with a debconf note upon install, for example.

But squeeze is supposed to be frozen except for packages which are so broken that they don't work anymore and where fixing them is either impossible because the patches would be way too intrusive or because the (possibly former) maintainer dropped the ball.

sun-java6 is sadly still a very high profile package. I won't go and break all those installations which force sun-java6 over openjdk-6 locally, either in unattended installations or through other means. openjdk-6 might well be a viable replacement in wheezy, but there are no efforts to backport those compatibility patches that might be in newer versions.

Kind regards
Philipp Kern
Re: Bug#645881: critical update 29 available
Hi,

On Sunday, 11 December 2011, Philipp Kern wrote:
> sorry, but I'd rather like to have an announcement that it has a bug,

me too, for all the reasons Philipp noted. It's also trivial to download the fixed jdk from oracle and build a fixed package, so IMHO an announcement containing this information plus no removal would be best:

diff -Nru sun-java6-6.26/debian/changelog sun-java6-6.29/debian/changelog --- sun-java6-6.26/debian/changelog 2011-08-26 11:58:59.0 +0200 +++ sun-java6-6.29/debian/changelog 2011-11-23 18:49:33.0 +0100 @@ -1,3 +1,11 @@ +sun-java6 (6.29-1) unstable; urgency=low + + * Non-maintainer upload. + * New upstream version to fix + http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html#AppendixJAVA + + -- Holger Levsen hol...@debian.org Wed, 23 Nov 2011 18:49:02 +0100 + sun-java6 (6.26-3) unstable; urgency=low * ia32-sun-java6-bin has improperly equal alternatives priority on amd64 diff -Nru sun-java6-6.26/debian/rules sun-java6-6.29/debian/rules --- sun-java6-6.26/debian/rules 2011-08-26 11:58:59.0 +0200 +++ sun-java6-6.29/debian/rules 2011-11-23 20:04:38.0 +0100 @@ -43,7 +43,7 @@ jdirname := $(ia32_prefix)java-$(version)-$(VENDOR)-$(jdkversion).$(releng_ver) jdiralias := $(ia32_prefix)java-$(version)-$(VENDOR) srcdir := $(arch)-jdk -bin_pattern= jdk-$(version)u$(releng_ver)-dlj-linux-%.bin +bin_pattern= jdk-$(version)u$(releng_ver)-linux-%.bin all_archs = $(filter $(subst =, , $(arch_map)), \ $(subst -, , $(patsubst %.bin, %, $(wildcard *.bin priority := 63
@@ -316,8 +316,8 @@ exit 1; \ fi -diff_ignore = -I 'Wednesday, May 4' \ - -I 'Wed May 04' -I '^ *// java GenerateCharacter' +diff_ignore = -I 'Monday, October 3' \ + -I 'Mon Oct 03' -I '^ *// java GenerateCharacter' with_check = yes

$ debdiff sun-java6_6.26-3.dsc sun-java6_6.29-1.dsc|diffstat
 debian/changelog             |      8
 debian/rules                 |      6
 jdk-6u26-dlj-linux-amd64.bin | 327520 --
 jdk-6u26-dlj-linux-i586.bin  | 327113 --
 jdk-6u29-linux-amd64.bin     | 327526 +++
 jdk-6u29-linux-i586.bin      | 325585 ++
 6 files changed, 653122 insertions(+), 654636 deletions(-)

cheers,
Holger
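Review bot: the new changelog entry (`+sun-java6 (6.29-1) unstable; urgency=low`, `+ * New upstream version to fix` followed only by the Oracle CPU URL) neither closes the bug this thread is about nor names the security issues it fixes, so the security tracker and anyone reading the changelog get no usable reference; add `Closes: #645881` and the CVE identifiers listed in the linked October 2011 CPU, and since the upload exists only to pull in security fixes, `urgency=low` should become `urgency=high`, with the target suite adjusted if the package is meant for squeeze rather than unstable as the surrounding discussion suggests.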
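Review bot: dropping `-dlj` from `bin_pattern` (`-bin_pattern= jdk-$(version)u$(releng_ver)-dlj-linux-%.bin` to `+bin_pattern= jdk-$(version)u$(releng_ver)-linux-%.bin`) swaps the build input from the DLJ bundle to Oracle's stock `jdk-6u29-linux-*.bin`, which is distributed under a different license, yet debian/copyright is not part of this diff; it needs to be updated to the license that actually governs the new bundle, and the redistribution question raised elsewhere in the thread needs an answer before this is uploaded anywhere. The diffstat also shows the two `.bin` blobs being replaced wholesale inside the source package; record where they were downloaded from and the checksums Oracle publishes for them (in the changelog or a README.source) so a reviewer can confirm the blobs in the upload match upstream instead of trusting the uploader's own `sha1sum` output.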
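Review bot: the `diff_ignore` hunk replaces one hard-coded upstream build date (`'Wednesday, May 4'` / `'Wed May 04'`) with another (`'Monday, October 3'` / `'Mon Oct 03'`), so the `-I` regexps handed to diff have to be edited by hand for every update, and forgetting them makes the `with_check = yes` comparison fail on a timestamp instead of a real difference; a pair of patterns that match any weekday and date (for example `-I '[A-Z][a-z]*day, [A-Z][a-z]* [0-9]*'` and `-I '[A-Z][a-z][a-z] [A-Z][a-z][a-z] [0-9][0-9]'`) would remove the per-release churn, at the cost of ignoring a slightly broader class of lines.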
Re: Bug#645881: critical update 29 available
* Philipp Kern:

> sun-java6 is sadly still a very high profile package. I won't go and break all those installations which force sun-java6 over openjdk-6 locally, either in unattended installations or through other means.

It's really unfortunate that most of those installations seem to need sun-java6-plugin, which is the package which is actually dangerous to install. (Presumably, only the first stage payload is pure Java, and the dropped malware won't run, but it's a bit unsettling.) At least this package doesn't seem to be installed without explicit request, so it's not extremely bad.

> openjdk-6 might well be a viable replacement in wheezy, but there are no efforts to backport those compatibility patches that might be in newer versions.

We will have to switch to a different IcedTea version in squeeze because the 1.8 branch we currently use will cease to receive security fixes soonish, probably after the next round of updates. If we switch to a branch where the plugin is separate (1.10 and later, IIRC), we could start fixing compatibility issues more aggressively if we wanted to.

> openjdk-6 might well be a viable replacement in wheezy, but there are no efforts to backport those compatibility patches that might be in newer versions.

I doubt it. The incompatibilities do not vanish, unless there is a critical mass of users who also contribute bug fixes. We just don't seem to be there yet.

(I also doubt that Oracle can drop security support for the Java 6 plugin in mid-2012, for mostly the same reason, at least if they don't want to be entirely reckless. They haven't even started pushing Java 7 to end users yet.)

-- 
To UNSUBSCRIBE, email to debian-security-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/87wra3i6q4@mid.deneb.enyo.de
Re: Bug#645881: critical update 29 available
Hi,

I forgot:

On Sunday, 11 December 2011, Holger Levsen wrote:
> $ debdiff sun-java6_6.26-3.dsc sun-java6_6.29-1.dsc|diffstat
>  debian/changelog             |      8
>  debian/rules                 |      6
>  jdk-6u26-dlj-linux-amd64.bin | 327520 --
>  jdk-6u26-dlj-linux-i586.bin  | 327113 --
>  jdk-6u29-linux-amd64.bin     | 327526 +++
>  jdk-6u29-linux-i586.bin      | 325585 ++
>  6 files changed, 653122 insertions(+), 654636 deletions(-)

$ sha1sum *bin
a73580ed8ac42040f1bbcab62617719a31c6f487  jdk-6u29-linux-i586.bin
45286e11864285c0d9d5cafd0355dbe04d272951  jdk-6u29-linux-amd64.bin

And I had to rename the second one...

cheers,
Holger
Re: Bug#645881: critical update 29 available
On 12/11/2011 01:07 PM, Holger Levsen wrote:
> Hi,
>
> On Sunday, 11 December 2011, Philipp Kern wrote:
>> sorry, but I'd rather like to have an announcement that it has a bug,
>
> me too, for all the reasons Philipp noted. It's also trivial to download the fixed jdk from oracle and build a fixed package, so IMHO an announcement containing this information plus no removal would be best:

the DLJ bundles were created because you are not allowed to re-distribute the jdk packages from oracle. Did that change recently?

Archive: http://lists.debian.org/4ee4d0ad.4080...@ubuntu.com
Re: Bug#645881: critical update 29 available
On Sunday, 11 December 2011, Matthias Klose wrote:
> the DLJ bundles were created because you are not allowed to re-distribute the jdk packages from oracle. Did that change recently?

I believe inside an organisation I can rebundle their bundles to my preferred kind of bundle, that is, form of distribution (inside the organisation); anything else would be ridiculous, or? All I suggest is to document how to enhance their bundles to proper Debian packages :-)

Archive: http://lists.debian.org/201112111725.44749.hol...@layer-acht.org
Re: Bug#645881: critical update 29 available
Florian Weimer f...@deneb.enyo.de writes:
> * Philipp Kern:
>> sun-java6 is sadly still a very high profile package. I won't go and break all those installations which force sun-java6 over openjdk-6 locally, either in unattended installations or through other means.
>
> It's really unfortunate that most of those installations seem to need sun-java6-plugin, which is the package which is actually dangerous to install.

I'm not sure that we actually know that. popcon tends to overweight desktop systems, since servers more often have security policies that don't allow use of popcon for one reason or another. I know we (Stanford) have a whole ton of server systems that are using sun-java6 with Tomcat or similar application architectures. We're working on migrating them all to OpenJDK, of course, but we don't expect to finish that until the wheezy release unless something that seriously affects server use of the Sun JDK crops up. (And we have some vendor apps that unfortunately so far have refused to even consider or test OpenJDK. Sigh.)

We know that OpenJDK doesn't work with some of our applications currently, mostly for stupid reasons, like a web service that doesn't support any remotely modern SSL implementation.

-- 
Russ Allbery (r...@debian.org) http://www.eyrie.org/~eagle/

Archive: http://lists.debian.org/87pqfuaon1@windlord.stanford.edu
Re: Bug#645881: critical update 29 available
* Matthias Klose:

> On 12/11/2011 01:07 PM, Holger Levsen wrote:
>> Hi,
>>
>> On Sunday, 11 December 2011, Philipp Kern wrote:
>>> sorry, but I'd rather like to have an announcement that it has a bug,
>>
>> me too, for all the reasons Philipp noted. It's also trivial to download the fixed jdk from oracle and build a fixed package, so IMHO an announcement containing this information plus no removal would be best:
>
> the DLJ bundles were created because you are not allowed to re-distribute the jdk packages from oracle. Did that change recently?

The main difference seems to be this (DLJ first):

| [...] Sun also grants you a non-exclusive, non-transferable, royalty-free limited license to reproduce and distribute the Software [...] provided that: (b) the Software is distributed with your Operating System, and such distribution is solely for the purposes of running Programs under the control of your Operating System and designing, developing and testing Programs to be run under the control of your Operating System; [...]

| [...] Oracle grants you a non-exclusive, non-transferable, limited license without fees to reproduce and distribute the Software, provided that (i) you distribute the Software complete and unmodified and only bundled as part of, and for the sole purpose of running, your Programs, [...]

Other problematic clauses (indemnification, no bundling with reimplementations of java.* classes and so on) are also part of the DLJ. (I still don't understand why the DLJ was suitable for non-free, so I'm clearly not qualified to judge these license matters for Debian.)

Archive: http://lists.debian.org/87zkeylvww@mid.deneb.enyo.de
Re: Bug#645881: critical update 29 available
On Thu, Dec 01, 2011 at 09:47:53PM +0100, Florian Weimer wrote:
> * Moritz Mühlenhoff:
>> Florian, what's the status of openjdk6 for stable/oldstable?
>
> I've released the pending update for squeeze. lenny will eventually follow, and so will the pending updates for squeeze, but judging by my past performance, it will take a while. If someone else wants to work on these updates, I'll gladly share what I've learnt about the packaging.

OpenJDK maintainers, can you take care of preparing security updates in the future? We need maintainer support, especially for such intricate packages with frequent security issues.

Since openjdk-6 is fixed now, now would be a good time to remove sun-java6 from stable in the next point update?

Cheers,
Moritz

Archive: http://lists.debian.org/20111208194306.GA4317@pisco.westfalen.local
Re: Bug#645881: critical update 29 available
On 01/12/2011 21:47, Florian Weimer wrote:
> * Moritz Mühlenhoff:
>> Florian, what's the status of openjdk6 for stable/oldstable?
>
> I've released the pending update for squeeze. lenny will eventually follow, and so will the pending updates for squeeze, but judging by my past performance, it will take a while. If someone else wants to work on these updates, I'll gladly share what I've learnt about the packaging.

I would also be very happy to help, if possible. I'm not a Debian expert, but I'm quite smart with linux (I've used Slackware and Gentoo until this year) and since I feel sooo comfortable with Debian I really would like to delve into the distribution internals and, why not, help the security team! :-)

So, if you think I can help you, just let me know how.

Andrea

-- 
Andrea Zwirner
email: and...@linkspirit.org
cell: +39 366 1872016
Linkspirit Sistemi Informatici
Refined applications of computer science
Via Delle Industrie 5 - 33050 Ronchis UD
tel: +39 0432 1845030 - fax: +39 0432 309903
web: www.linkspirit.it - email: i...@linkspirit.it
Please consider the environment before printing this email
Re: Bug#645881: critical update 29 available
* Moritz Mühlenhoff:

> Florian, what's the status of openjdk6 for stable/oldstable?

I've released the pending update for squeeze. lenny will eventually follow, and so will the pending updates for squeeze, but judging by my past performance, it will take a while. If someone else wants to work on these updates, I'll gladly share what I've learnt about the packaging.

Archive: http://lists.debian.org/87sjl4vx1i@mid.deneb.enyo.de
Re: Bug#645881: critical update 29 available
On Thu, Dec 01, 2011 at 09:47:53PM +0100, Florian Weimer wrote:
> * Moritz Mühlenhoff:
>> Florian, what's the status of openjdk6 for stable/oldstable?
>
> I've released the pending update for squeeze. lenny will eventually follow, and so will the pending updates for squeeze, but judging by my past performance, it will take a while. If someone else wants to work on these updates, I'll gladly share what I've learnt about the packaging.

I am happy to help in any way I can, but I have no Debian-hat nor status. Is there something I could help with?

- Henri Salo

Archive: http://lists.debian.org/20111201215307.gd29...@foo.fgeek.fi
Re: Bug#645881: critical update 29 available
On Friday, 21 October 2011 at 08:41 +0200, Moritz Muehlenhoff wrote:
> On Wed, Oct 19, 2011 at 06:20:12PM +0200, Torsten Werner wrote:
>> Hi Philipp,
>>
>> On 19.10.2011 16:33, Philipp Kern wrote:
>>> Or it's the removal of the package.
>>
>> we should remove sun-java5 from oldstable, too, if we are going to remove sun-java6 from (old)stable. But I do not have a strong opinion on that.
>
> In any case we should go ahead with the removal from unstable ASAP. OK. I will file a request tonight.
>
> As for stable/oldstable: I noticed that Red Hat provided packages for update 29 for RHEL 4 (RHEL 5 onwards use OpenJDK): http://lwn.net/Articles/463919/

Well, I wonder how (if ?) they can do that...

Sylvestre

Archive: http://lists.debian.org/1319189695.2676.3.ca...@pomegues.inria.fr
Re: Bug#645881: critical update 29 available
Hi

From: Sylvestre Ledru [sylves...@debian.org]
Sent: Friday, 21 October 2011 11:34
>> As for stable/oldstable: I noticed that Red Hat provided packages for update 29 for RHEL 4 (RHEL 5 onwards use OpenJDK): http://lwn.net/Articles/463919/
>
> Well, I wonder how (if ?) they can do that...

I'd expect Red Hat has an agreement with Oracle that allows them to do so (including financial agreement) ;)

- Mathieu

Archive: http://lists.debian.org/6A26EF6B7A56E04EBBE1839FF122B456780AFBE6E9@poschta2.gymnasium.koeniz
Re: Bug#645881: critical update 29 available
On Wed, Oct 19, 2011 at 06:20:12PM +0200, Torsten Werner wrote:
> Hi Philipp,
>
> On 19.10.2011 16:33, Philipp Kern wrote:
>> Or it's the removal of the package.
>
> we should remove sun-java5 from oldstable, too, if we are going to remove sun-java6 from (old)stable. But I do not have a strong opinion on that.

In any case we should go ahead with the removal from unstable ASAP.

As for stable/oldstable: I noticed that Red Hat provided packages for update 29 for RHEL 4 (RHEL 5 onwards use OpenJDK): http://lwn.net/Articles/463919/

Cheers,
Moritz

Archive: http://lists.debian.org/20111021064138.ga22...@inutil.org
Re: Bug#645881: critical update 29 available
* Moritz Muehlenhoff:

> As for stable/oldstable: I noticed that Red Hat provided packages for update 29 for RHEL 4 (RHEL 5 onwards use OpenJDK): http://lwn.net/Articles/463919/

If anyone remembers the rationale behind the DLJ, perhaps they can check if the current BCL matches our needs, too? The licensing conditions for the stock JDK distribution probably have changed since the Oracle acquisition, and perhaps these changes are sufficient to permit redistribution by Debian.

I have also uploaded the fixes for openjdk-6 to security-master (for squeeze). It's currently stuck in the unchecked queue, along with the still-missing previous update for lenny.

Archive: http://lists.debian.org/87lisebtm5@mid.deneb.enyo.de
Re: Bug#645881: critical update 29 available
CC debian release security

On Wednesday, 19 October 2011 at 12:21 +0200, Thijs Kinkhorst wrote:
> Upstream has released Java SE 6 update 29 yesterday: http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html with security fixes.

Well, that especially means that it is now time to consider the removal of sun-java6 from Debian. We, the distros, are no longer allowed by Oracle to redistribute this version [1] [2]. The OpenJDK (6 or 7) is now the way to go.

About stable, I don't know what the security team would recommend here ?!

Thanks,
Sylvestre

[1] http://sylvestre.ledru.info/blog/sylvestre/2011/08/26/sun_java6_packages_removed_from_debian_u
[2] http://jdk-distros.java.net/ "The DLJ has finally been retired, and so has been this project."

Archive: http://lists.debian.org/1319021415.28383.181.ca...@korcula.inria.fr
Re: Bug#645881: critical update 29 available
On Wed, Oct 19, 2011 at 6:50 AM, Sylvestre Ledru sylves...@debian.org wrote:
> CC debian release security
>
> On Wednesday, 19 October 2011 at 12:21 +0200, Thijs Kinkhorst wrote:
>> Upstream has released Java SE 6 update 29 yesterday: http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html with security fixes.
>
> Well, that especially means that it is now time to consider the removal of sun-java6 from Debian. We, the distros, are no longer allowed by Oracle to redistribute this version [1] [2]. The OpenJDK (6 or 7) is now the way to go.
>
> About stable, I don't know what the security team would recommend here ?!

I can personally recommend the openjdk from other work I'm doing. The improvement in the packaging alone justifies the switch for software maintainers, but it's also worked well under load for me with Ant and JBoss tests I've done recently.

Archive: http://lists.debian.org/caocn9ryvzm-gmnqirani3_6gqpazyp8opvmiqktpyh+zivc...@mail.gmail.com
Re: Bug#645881: critical update 29 available
On Wed, October 19, 2011 12:50, Sylvestre Ledru wrote:
> CC debian release security
>
> On Wednesday, 19 October 2011 at 12:21 +0200, Thijs Kinkhorst wrote:
>> Upstream has released Java SE 6 update 29 yesterday: http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html with security fixes.
>
> Well, that especially means that it is now time to consider the removal of sun-java6 from Debian. We, the distros, are no longer allowed by Oracle to redistribute this version [1] [2]. The OpenJDK (6 or 7) is now the way to go.
>
> About stable, I don't know what the security team would recommend here ?!

Well, stable is supposed to be stable. I'm all for removal of sun-java6 from unstable and hence not including it in wheezy, but we've released stable with the expectations for users that they can run it for its lifetime without large disruptions. While software has been removed from stable as a last resort, it really should be the last resort.

Have we been in contact with Oracle upstream and explained that we are eager to comply with their wish to move entirely to openjdk for our next release, but have the problem that we have a stable release out in the field that people rely on? Are there possibilities to extend the offer for the lifetime of stable, or at least until it becomes oldstable?

cheers,
Thijs

Archive: http://lists.debian.org/a99694a8206b782c0176d9df732e4a3a.squir...@wm.kinkhorst.nl
Re: Bug#645881: critical update 29 available
On 10/19/2011 02:09 PM, Thijs Kinkhorst wrote:
> Have we been in contact with Oracle upstream and explained that we are eager to comply with their wish to move entirely to openjdk for our next release, but have the problem that we have a stable release out in the field that people rely on? Are there possibilities to extend the offer for the lifetime of stable, or at least until it becomes oldstable?

there's nothing which hinders you from still having the current version in stable. The license isn't changed for the existing package. It's up to the security/release teams to decide if they want to have a version with known security issues in the stable release (in the past the security team didn't care about this at all for the current oldstable).

Matthias

Archive: http://lists.debian.org/4e9ebf7c.7020...@ubuntu.com
Re: Bug#645881: critical update 29 available
On Wed, October 19, 2011 14:15, Matthias Klose wrote:
> On 10/19/2011 02:09 PM, Thijs Kinkhorst wrote:
>> Have we been in contact with Oracle upstream and explained that we are eager to comply with their wish to move entirely to openjdk for our next release, but have the problem that we have a stable release out in the field that people rely on? Are there possibilities to extend the offer for the lifetime of stable, or at least until it becomes oldstable?
>
> there's nothing which hinders you to still have the current version in stable. The license isn't changed for the existing package. It's up to the security/release teams to decide if they want to have a version with known security issues in the stable release

I understand that, and I think the situation where we keep something in unstable while refraining from publishing security updates is undesirable. What I'm wondering is if we tried to ask upstream whether they would be willing to extend the DLJ offer so we can keep security fixes for the sun-java6 version in stable coming in for the lifetime of this release, notwithstanding the fact that we're removing it from the next release.

> (in the past the security team didn't care about this at all for the current oldstable).

I don't know what this refers to, but it doesn't seem relevant because we're talking about the present.

Thijs

Archive: http://lists.debian.org/a022548bb2db4ab2477511adccb72c57.squir...@wm.kinkhorst.nl
Re: Bug#645881: critical update 29 available
On Wed, 2011-10-19 at 15:28 +0200, Thijs Kinkhorst wrote:
> What I'm wondering is if we tried to ask upstream whether they would be willing to extend the DLJ offer so we can keep security fixes for the sun-java6 version in stable coming in for the lifetime of this release, notwithstanding the fact that we're removing it from the next release.

Do we know the situation for other distributions (Red Hat, Ubuntu, Suse, ...) which might ship sun-java6 in stable / long term support releases? Could this be discussed on the cross-distro list?

Regards,
-- 
Yves-Alexis
Re: Bug#645881: critical update 29 available
On Wed, Oct 19, 2011 at 03:28:02PM +0200, Thijs Kinkhorst wrote:
> What I'm wondering is if we tried to ask upstream whether they would be willing to extend the DLJ offer so we can keep security fixes for the sun-java6 version in stable coming in for the lifetime of this release, notwithstanding the fact that we're removing it from the next release.

They won't.

| I'm not familiar with the Debian Project's practices around security issues in non-free packages to be able to make a specific recommendation other than to recommend using the open source OpenJDK code base for Debian's packaging needs.
|
| Like I said on my blog, there won't be further Oracle JDK 6 releases published under the DLJ license. Oracle's schedule for Critical Patch Updates (CPUs) is public, and available at http://www.oracle.com/technetwork/topics/security/alerts-086861.html

>> (in the past the security team didn't care about this at all for the current oldstable).
>
> I don't know what this refers to, but it doesn't seem relevant because we're talking about the present.

Well, non-free used to be unsupported security-wise AFAIK. doko is right that the security team still didn't care in the present, though, as the updates were through p-u and not the security archive. That said I'm glad that somebody stepped up and did the updates that were possible.

There might be one other option, but one I probably wouldn't be happy with due to it probably being impossible to review: improve openjdk in stable enough to replace sun-java6.

Apart from this it's either a DSA telling people that it contains known flaws (if they're critical enough) and that there will be no further security updates. OTOH the updates didn't pass security anyway because there's no non-free there. Or it's the removal of the package. Or we simply don't care because it's freaking non-free and people are supposed to use it in secure environments with a grain of salt.

Kind regards,
Philipp Kern

-- 
 .''`.  Philipp Kern                        Debian Developer
: :' :  http://philkern.de                 Stable Release Manager
`. `'   xmpp:p...@0x539.de                  Wanna-Build Admin
  `-    finger pkern/k...@db.debian.org
Re: Bug#645881: critical update 29 available
Hi Philipp,

On 19.10.2011 16:33, Philipp Kern wrote:
> Or it's the removal of the package.

we should remove sun-java5 from oldstable, too, if we are going to remove sun-java6 from (old)stable. But I do not have a strong opinion on that.

Cheers,
Torsten

Archive: http://lists.debian.org/4e9ef8bc.9080...@debian.org