Re: [Mageia-dev] Removal of sun java

2012-04-02 Thread Colin Guthrie
'Twas brillig, and Sander Lepik at 30/03/12 18:34 did gyre and gimble:
> 30.03.2012 17:04, Thierry Vignaud wrote:
>> On 30 March 2012 16:00, nicolas vigier  wrote:
>>>> Assuming we do not want to abandon them, what do we do? I'd suggest
>>>> shipping a new empty package that replaces it with a README.urpmi
>>>> telling them to go to Sun directly is the most responsible thing for us
>>>> to do. If they do not have a JRE installed, and they have packages that
>>>> require one, then they should be prompted to install e.g. openjdk to
>>>> satisfy package deps. That should work OK right?
>>> I think an empty package is not a good idea, it would be better to
>>> obsolete it in task-obsolete :
>>>  - it's more clear that the package is obsoleted and is not a regular
>>>    update. Users installing an empty package as update would only see that
>>>    it is removed but not updated when it's already removed.
>>>  - package is really removed and no longer listed as installed in rpm
>>>    database
>>>  - it's easy to add task-obsolete in urpmi skip.list for people who
>>>    don't want unmaintained packages to be automatically removed
>>>
>> In that case, I don't think so.
>> We can thus popup a README.urpmi explaining what happened.
>> Also user can find out this when running rpm -ql java-sun-foobar
> We can obsolete it in mga2 and create an empty package for mga 1,
> explaining what's happening. So in mga2 we get rid of it and in mga1
> people are warned that it's now removed because of its security issues.

That won't work unless people have a fully up-to-date mga1 before they
upgrade to mga2. Maybe this is "not supported", but I'm pretty confident
it will actually happen!



Col


-- 

Colin Guthrie
colin(at)mageia.org
http://colin.guthr.ie/

Day Job:
  Tribalogic Limited http://www.tribalogic.net/
Open Source:
  Mageia Contributor http://www.mageia.org/
  PulseAudio Hacker http://www.pulseaudio.org/
  Trac Hacker http://trac.edgewall.org/


Re: [Mageia-dev] Removal of sun java

2012-03-30 Thread zezinho

On 30-03-2012 13:50, Jerome Quelin wrote:

> On 12/03/30 13:19 +0200, D.Morgan wrote:
>
>> is sun java of any use ?
>
> in france, to declare our salaries before taxes are applied, the web app
> used to require a "trusted" version of java - that is, sun jdk. i don't
> know if openjdk works nowadays.

This has not been true for 3 years: the overkill java applet to sign is
gone.


Re: [Mageia-dev] Removal of sun java

2012-03-30 Thread Sander Lepik

30.03.2012 17:04, Thierry Vignaud wrote:

> On 30 March 2012 16:00, nicolas vigier wrote:
>
>>> Assuming we do not want to abandon them, what do we do? I'd suggest
>>> shipping a new empty package that replaces it with a README.urpmi
>>> telling them to go to Sun directly is the most responsible thing for us
>>> to do. If they do not have a JRE installed, and they have packages that
>>> require one, then they should be prompted to install e.g. openjdk to
>>> satisfy package deps. That should work OK right?
>>
>> I think an empty package is not a good idea, it would be better to
>> obsolete it in task-obsolete :
>>  - it's more clear that the package is obsoleted and is not a regular
>>    update. Users installing an empty package as update would only see that
>>    it is removed but not updated when it's already removed.
>>  - package is really removed and no longer listed as installed in rpm
>>    database
>>  - it's easy to add task-obsolete in urpmi skip.list for people who
>>    don't want unmaintained packages to be automatically removed
>
> In that case, I don't think so.
> We can thus popup a README.urpmi explaining what happened.
> Also user can find out this when running rpm -ql java-sun-foobar

We can obsolete it in mga2 and create an empty package for mga 1, explaining
what's happening. So in mga2 we get rid of it and in mga1 people are warned
that it's now removed because of its security issues.


--
Sander



Re: [Mageia-dev] Removal of sun java

2012-03-30 Thread Oliver Burger

On 30.03.2012 17:39, Maarten Vanraes wrote:

> On Friday 30 March 2012 16:00:22, nicolas vigier wrote:
> [...]
>> I think an empty package is not a good idea, it would be better to
>> obsolete it in task-obsolete :
>>  - it's more clear that the package is obsoleted and is not a regular
>>    update. Users installing an empty package as update would only see that
>>    it is removed but not updated when it's already removed.
>>  - package is really removed and no longer listed as installed in rpm
>>    database
>>  - it's easy to add task-obsolete in urpmi skip.list for people who
>>    don't want unmaintained packages to be automatically removed
>
> wrt to task-obsolete, do the users get notified?
>
> maybe a README.urpmi listing all the packages and reasons would be an option
> to get notified?

And how do you decide when to put which warning in it?
If you leave a warning in it for too long, the user will get notified
again and again and again on each update of task-obsolete.
If you change the warnings every release of task-obsolete, a user not
updating frequently will miss some.

But in this case, why not replace the java sun packages by an empty
package obsoleting the whole java sun stack <= our last package and
showing the information via README.urpmi file, and obsoleting that
package in say two months so it will be completely gone?


Oliver
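The empty transitional package Oliver describes, written out as an RPM spec. This is an added example, not a package from the thread or from Mageia; java-sun-foobar and java-sun-plugin are the thread's own placeholder names, LAST_SHIPPED_EVR stands in for the last version Mageia actually shipped, and %mkrel is assumed to be Mageia's usual release macro.

```spec
# Added example, not a real Mageia package: a transitional "empty" package
# that removes the shipped Sun Java stack on update and leaves only a notice.
# Package names are the thread's placeholders; LAST_SHIPPED_EVR is a
# placeholder for the last version Mageia shipped.
Name:           java-sun-removal
Version:        1.0
Release:        %mkrel 1
Summary:        Notice that the Sun Java packages were removed from Mageia
License:        Public Domain
Group:          Development/Java
URL:            https://www.mageia.org/
BuildArch:      noarch

# Obsolete every shipped Sun package, but only up to the last version we
# shipped: the "<=" bound keeps a newer build the user installed from
# Sun/Oracle themselves from being pulled out.
Obsoletes:      java-sun-foobar <= LAST_SHIPPED_EVR
Obsoletes:      java-sun-plugin <= LAST_SHIPPED_EVR
# Deliberately no "Provides: java" or "Provides: jre": packages that need a
# JRE must then pull in openjdk instead of being satisfied by an empty package.

# Follow-up (Oliver's "two months"): add this package itself to
# task-obsolete once the notice has had time to reach updating systems,
# so nothing from the Sun stack remains in the rpm database.

%description
The Sun Java packages can no longer be redistributed by Mageia and have
been removed. This package only carries a notice explaining what to do.

%prep
# No sources: create an empty build directory and write the notice there.
# urpmi displays a file named README.urpmi once the package is installed,
# which is the notification mechanism discussed in the thread.
%setup -q -c -T
cat > README.urpmi <<'EOF'
The Sun Java packages shipped by Mageia have been removed: Mageia is no
longer allowed to redistribute them and therefore cannot provide security
updates for them.

If you still need the proprietary JRE/JDK, install and update it yourself
from Sun/Oracle. Otherwise install the openjdk packages, which are
maintained and receive security updates in the Mageia repositories.
EOF

%build
# Nothing to build.

%install
# Nothing to install; the notice is shipped as documentation below.

%files
%doc README.urpmi
```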


Re: [Mageia-dev] Removal of sun java

2012-03-30 Thread Maarten Vanraes
On Friday 30 March 2012 16:03:14, Guillaume Rousse wrote:
[...]
> Issuing a specific sun jdk security update package, containing only a
> README.urpmi file and a shell script inciting the user to read this file
> eventually, would be a fair compromise for me. And can be considered as
> a standard practice for semi-automatically removing
> very-dangerous-packages-we-cannot-afford-to-let-installed-anywhere-otherwise-the-apocalypse-will-happen.

if at all possible, i'd like a similar solution, but with task-obsolete 
somehow, since it ties in nicely with all the related stuff (iiuc above)

but i think it is nice to have such a notification with such kind of 
packages...

ie: if we're proposing to delete something, i'd rather know why...


Re: [Mageia-dev] Removal of sun java

2012-03-30 Thread Maarten Vanraes
On Friday 30 March 2012 16:00:22, nicolas vigier wrote:
[...]
> I think an empty package is not a good idea, it would be better to
> obsolete it in task-obsolete :
>  - it's more clear that the package is obsoleted and is not a regular
>    update. Users installing an empty package as update would only see that
>    it is removed but not updated when it's already removed.
>  - package is really removed and no longer listed as installed in rpm
>    database
>  - it's easy to add task-obsolete in urpmi skip.list for people who
>    don't want unmaintained packages to be automatically removed

wrt to task-obsolete, do the users get notified?

maybe a README.urpmi listing all the packages and reasons would be an option 
to get notified?


Re: [Mageia-dev] Removal of sun java

2012-03-30 Thread Thierry Vignaud
On 30 March 2012 16:00, nicolas vigier  wrote:
>> Assuming we do not want to abandon them, what do we do? I'd suggest
>> shipping a new empty package that replaces it with a README.urpmi
>> telling them to go to Sun directly is the most responsible thing for us
>> to do. If they do not have a JRE installed, and they have packages that
>> require one, then they should be prompted to install e.g. openjdk to
>> satisfy package deps. That should work OK right?
>
> I think an empty package is not a good idea, it would be better to
> obsolete it in task-obsolete :
>  - it's more clear that the package is obsoleted and is not a regular
>   update. Users installing an empty package as update would only see that
>   it is removed but not updated when it's already removed.
>  - package is really removed and no longer listed as installed in rpm
>   database
>  - it's easy to add task-obsolete in urpmi skip.list for people who
>   don't want unmaintained packages to be automatically removed
>

In that case, I don't think so.
We can thus popup a README.urpmi explaining what happened.
Also user can find out this when running rpm -ql java-sun-foobar


Re: [Mageia-dev] Removal of sun java

2012-03-30 Thread Guillaume Rousse

On 30/03/2012 15:25, Christian Lohmaier wrote:

> If that is not reading: Don't push the security updates to the users,
> let the user take care of that manually, then what else?

That just means 'give the end user everything he needs to take a
decision (advice, notification, packages, popup, whatever) but let him
take this decision about this specific issue himself'.


Let's try to move toward a consensus...

Mixing removing of sun jdk with updating another jdk for security seems 
an unfair bundle, as you can't have one without another.


Issuing a specific sun jdk security update package, containing only a 
README.urpmi file and a shell script inciting the user to read this file 
eventually, would be a fair compromise for me. And can be considered as 
a standard practice for semi-automatically removing 
very-dangerous-packages-we-cannot-afford-to-let-installed-anywhere-otherwise-the-apocalypse-will-happen.


--
BOFH excuse #8:

static buildup


Re: [Mageia-dev] Removal of sun java

2012-03-30 Thread nicolas vigier
On Fri, 30 Mar 2012, Colin Guthrie wrote:

> 'Twas brillig, and Guillaume Rousse at 30/03/12 10:17 did gyre and gimble:
> > Using task-obsolete is fine:
> > - its purpose is crystal-clear
> > - if I don't want it, I don't install it
> > 
> > Adding an obsolete tag in openjdk to remove sun jdk now, for security
> > concerns, whereas we had suffered a useless mess of at least four
> > available java environments at once for years uselessly (excepted for
> > blindly applying jpackage project practices), doesn't seem quite similar.
> 
> Well think of it this way (assuming I have the facts vaguely straight):
> 
> Forget about Cauldron and mga2
> 
> We're providing a known insecure version to mga1 users.
> 
> We need to find a way to update mga1 somehow right? Or do we want to
> just abandon them?
> 
> Assuming we do not want to abandon them, what do we do? I'd suggest
> shipping a new empty package that replaces it with a README.urpmi
> telling them to go to Sun directly is the most responsible thing for us
> to do. If they do not have a JRE installed, and they have packages that
> require one, then they should be prompted to install e.g. openjdk to
> satisfy package deps. That should work OK right?

I think an empty package is not a good idea, it would be better to
obsolete it in task-obsolete :
 - it's more clear that the package is obsoleted and is not a regular
   update. Users installing an empty package as update would only see that
   it is removed but not updated when it's already removed.
 - package is really removed and no longer listed as installed in rpm
   database
 - it's easy to add task-obsolete in urpmi skip.list for people who
   don't want unmaintained packages to be automatically removed



Re: [Mageia-dev] Removal of sun java

2012-03-30 Thread Christian Lohmaier
Hi Guillaume,

On Fri, Mar 30, 2012 at 3:11 PM, Guillaume Rousse
 wrote:
> Le 30/03/2012 15:04, Christian Lohmaier a écrit :
>> On Fri, Mar 30, 2012 at 2:52 PM, Dimitrios Glentadakis
>>  wrote:
>>
>> Well - that is what he said:
>> "Don't push security updates to users by replacing package A by package
>> B."
>> Or: "I don't care that other people will continue using software with
>> security flaws, since I know what I am doing."
>
> That is pure over-interpretation of my argumentation. I could be as well
> irrespective of your point of view by replying "you lie".

I think that paraphrasing matched what you were writing pretty closely.

But let's use a few quotes then:
"[...] don't treat users as blatant idiots.
If I want to keep a proprietary JRE [...] that is my choice, not yours."

"I think I'm best placed than anyone else to evaluate the exact risk
I'm facing on the machines I'm running [...]. The decision [...]
belongs to me. You [Mageia] are not a system administrator [...], you
are a technical solution provider. You're clearly confusing the roles
here."

If that is not reading: Don't push the security updates to the users,
let the user take care of that manually, then what else?

Sure, call me lying, but then I call you schizophrenic.

ciao
Christian


Re: [Mageia-dev] Removal of sun java

2012-03-30 Thread Guillaume Rousse

On 30/03/2012 15:04, Christian Lohmaier wrote:

> Hi Dimitrios, *,
>
> On Fri, Mar 30, 2012 at 2:52 PM, Dimitrios Glentadakis wrote:
>
>> [...]
>> I interpreted Guillaume's approach as about the impact that can have Mageia's
>> decisions in a system and the respect of the user and his system as a
>> priority, but it was finally interpreted as he wants something for his
>> personal use or he doesn't care about a security issue, for the same
>> reason.  At least, that is what I got.
>
> Well - that is what he said:
> "Don't push security updates to users by replacing package A by package B."
> Or: "I don't care that other people will continue using software with
> security flaws, since I know what I am doing."

That is pure over-interpretation of my argumentation. I could be as well
irrespective of your point of view by replying "you lie".


--
BOFH excuse #49:

Bogon emissions


Re: [Mageia-dev] Removal of sun java

2012-03-30 Thread Christian Lohmaier
Hi Dimitrios, *,

On Fri, Mar 30, 2012 at 2:52 PM, Dimitrios Glentadakis  wrote:
> [...]
> I interpreted Guillaume's approach as about the impact that can have Mageia's
> decisions in a system and the respect of the user and his system as a
> priority, but it was finally interpreted as he wants something for his
> personal use or he doesn't care about a security issue, for the same
> reason.  At least, that is what I got.

Well - that is what he said:
"Don't push security updates to users by replacing package A by package B."
Or: "I don't care that other people will continue using software with
security flaws, since I know what I am doing."

And I strongly oppose to this attitude/point of view. Not limited to
Java, but in general. When a package *cannot* be updated and thus
there will never be a security fix (and not just a delay of a couple
of days/weeks), then the only sane thing for a distro is to replace
the package by something equivalent. In the case of Java it is just so
much easier, as there already exists a package that virtually does the
very same thing.

He wants to keep java for a special need, so that "I don't want this
package A to be removed" is his own personal use. I'm sure that >98%
of the users will not be amused when you tell them after a year or two
that they have been running a version of java that has a big security
flaw for all that time, just because one didn't want to obsolete the
package.

Of course "obsoletes" shall not be taken lightly. But in the case of
Java, the rationale that oracle gives for no longer having the
distributor's license is that OpenJDK and Oracle's java are now very
close, that they are no longer separate things, but that Oracle's Java
just builds on top of OpenJDK.

For people just in need for "java" there will hardly be any
difference. People with a special need for specific versions of java
can still download and install java from Oracle's site.

It is not a case where installing OpenJDK would make using Oracle's
java impossible/that you have to install OpenJDK in the first place.

ciao
Christian


Re: [Mageia-dev] Removal of sun java

2012-03-30 Thread Dimitrios Glentadakis
On 30/03/2012 13:34:23, Christian Lohmaier wrote:
> But don't argue that the rest of the userbase should continue running
> a flawed version just because you have a special need. Users have a
> choice to unselect updates. If they don't read the update's
> description, it is their fault, not mageias.


I interpreted Guillaume's approach as about the impact that can have Mageia's
decisions in a system and the respect of the user and his system as a priority,
but it was finally interpreted as he wants something for his personal use or he
doesn't care about a security issue, for the same reason.  At least, that is
what I got.



 

-- 
Dimitrios Glentadakis


Re: [Mageia-dev] Removal of sun java

2012-03-30 Thread Jerome Quelin
On 12/03/30 13:19 +0200, D.Morgan wrote:
> is sun java of any use ?

in france, to declare our salaries before taxes are applied, the web app
used to require a "trusted" version of java - that is, sun jdk. i don't
know if openjdk works nowadays.

> btw sun java is provided upstream as a rpm that needs user "input" to
> validate the licence so i don't think we can do something.

the advantage of having it in the dist is that a maintainer is following
the version and updates them. user doesn't have to check a website for
new versions.

jérôme 


Re: [Mageia-dev] Removal of sun java

2012-03-30 Thread Christian Lohmaier
Hi *,

On Fri, Mar 30, 2012 at 9:52 AM, Guillaume Rousse
 wrote:
> [...]
> You're not a system administrator, whose duty is to take this kind of
> decision, you are a technical solution provider. You're clearly confusing
> the roles here.

I don't get your problem really. Of course Mageia will only replace
the mageia packaged version of Sun's java, not a version you obtained
from Oracle.

So while the user who has a security-flawed version of mageia's
sun-java installed will have it scheduled for an update and replaced
by OpenJDK, that user
a) is not forced to do the update
b) can just install a fixed version of Java from Oracle instead
c) update and not care that much (>90% of the user base)

> But automatically removing software
> for security concerns, without asking for user consent,

You are asked for confirmation when installing updates - you get
notification that there are updates, and then have the choice to
accept them or decline them.

And there is a possibility to flag packages as "don't update those"
via configuration files.

> would be a first
> step into transferring decision power from user to operating system vendor.
> Trusted computing approach, in other terms.

This is a weak argument really, as there were always security updates.
Those as well were telling the user to update, and not wait until
$system-admin decided it is time to check for vulnerabilities.
There have been obsolete packages in the past as well, replacing
unmaintained/outdated packages by better (for most) alternatives.

This time it is just both at the same time.

So if you want your outdated mageia-version of java, just tell urpmi
to not touch it.

But don't argue that the rest of the userbase should continue running
a flawed version just because you have a special need. Users have a
choice to unselect updates. If they don't read the update's
description, it is their fault, not Mageia's.
Users have the choice to specify packages that must never be removed
in configuration files.

ciao
Christian


Re: [Mageia-dev] Removal of sun java

2012-03-30 Thread D.Morgan
On Fri, Mar 30, 2012 at 12:29 PM, Jerome Quelin  wrote:
> On 12/03/30 08:29 +0200, D.Morgan wrote:
>> > Can't it be put into the tainted/PLF sort of repository?
>> tainted is not for nonfree packages and sun doesn't allow to
>> redistribute it anymore
>
> can a get-sunjdk package be created that actually downloads it, same as
> what is done for get-skype?
>
> jérôme

is sun java of any use ?

btw sun java is provided upstream as a rpm that needs user "input" to
validate the licence so i don't think we can do something.


Re: [Mageia-dev] Removal of sun java

2012-03-30 Thread Jerome Quelin
On 12/03/30 08:29 +0200, D.Morgan wrote:
> > Can't it be put into the tainted/PLF sort of repository?
> tainted is not for nonfree packages and sun doesn't allow to
> redistribute it anymore

can a get-sunjdk package be created that actually downloads it, same as
what is done for get-skype?

jérôme 


Re: [Mageia-dev] Removal of sun java

2012-03-30 Thread Colin Guthrie
'Twas brillig, and Guillaume Rousse at 30/03/12 10:17 did gyre and gimble:
> Using task-obsolete is fine:
> - its purpose is crystal-clear
> - if I don't want it, I don't install it
> 
> Adding an obsolete tag in openjdk to remove sun jdk now, for security
> concerns, whereas we had suffered a useless mess of at least four
> available java environments at once for years uselessly (excepted for
> blindly applying jpackage project practices), doesn't seem quite similar.

Well think of it this way (assuming I have the facts vaguely straight):

Forget about Cauldron and mga2

We're providing a known insecure version to mga1 users.

We need to find a way to update mga1 somehow right? Or do we want to
just abandon them?

Assuming we do not want to abandon them, what do we do? I'd suggest
shipping a new empty package that replaces it with a README.urpmi
telling them to go to Sun directly is the most responsible thing for us
to do. If they do not have a JRE installed, and they have packages that
require one, then they should be prompted to install e.g. openjdk to
satisfy package deps. That should work OK right?


Otherwise we're basically washing our hands of our users' security. This
isn't hand holding or taking away choice. It's about informing them and
being a socially responsible distributor.

I don't see why this is even a problem point for discussion.

Whatever is decided, the position on mga1 then just flows through
into mga2.

Col


Re: [Mageia-dev] Removal of sun java

2012-03-30 Thread Guillaume Rousse

On 30/03/2012 10:10, Thierry Vignaud wrote:

> On 30 March 2012 10:06, Guillaume Rousse wrote:
>
>>> We can do like RH & Ubuntu, provides an empty package that explain sun
>>> doesn't enable us anymore to distribute it and that they've to install (&
>>> update) it manually from sun.com
>>
>> Why should we manage this case differently from other similar situations ?
>> That's not the first time we remove something from the distribution, because
>> it is not supported anymore usually, and has known available
>> vulnerabilities.
>
> Actually, _YOU_ want us to "manage this case differently from other similar
> situations".
> In case you didn't see, other packages are obsoleted by task-obsolete (if
> no better package)

Using task-obsolete is fine:
- its purpose is crystal-clear
- if I don't want it, I don't install it

Adding an obsolete tag in openjdk to remove sun jdk now, for security
concerns, whereas we had suffered a useless mess of at least four
available java environments at once for years uselessly (excepted for
blindly applying jpackage project practices), doesn't seem quite similar.

> In this case, we even have strong decisions to do so:
> 1) users don't report bugs in our bugzilla
> 2) users get aware it's no longer supported by us
> 3) users get aware they won't get any security update anymore
> 4) users get aware they have to look at sun.com for updates
> 5) ...

'user get aware' is a perfectly fine objective. 'users get managed
automatically' is not.

> So please don't invent special exceptions to our policies for
> your own comfort.

Get me a simple example of a similar situation, when a package A, after
peacefully coexisting with package B for years, suddenly obsoleted it as
B was removed from the distribution, for any kind of reason.

And that's not really my own comfort, as I don't have any java usage
anymore. I really don't care about this specific package, I care about
the limit between end user and packager for this kind of decision. If
the global consensus here is toward enforcing operating system vendor
choices, I'd rather not volunteer for a role in the project...


--
BOFH excuse #337:

the butane lighter causes the pincushioning


Re: [Mageia-dev] Removal of sun java

2012-03-30 Thread Wolfgang Bornath
2012/3/30 Thierry Vignaud :
> On 30 March 2012 10:40, Wolfgang Bornath  wrote:
>>>> Actually, _YOU_ want us to "manage this case differently from other similar
>>>> situations".
>>>> In case you didn't see, other packages are obsoleted by task-obsolete (if
>>>> no better package)
>>>
>>> So I think we should obsolete sun-java in task-obsolete, and add it to
>>> release notes. Then people who want to remove unsupported packages can
>>> install task-obsolete.
>>
>> Do all average users know about task-obsolete (I did not, never needed
>> it) ? You can't use what you don't know about and what has not been
>> documented in userland. Except you want to narrow down the target
>> group for Mageia to people with technical knowledge and interest.
>
> Actually, if it's obsoleted by task-obsolete, task-obsolete will be
> automatically installed.
> Providing it's on the media (eg: in the DVD case)

Ok, thx for the explanation.

But thinking further task-obsolete will not be needed in this case:

People who install a new system can not install it because it is removed anyway.
People who update will get an update of java-sun-plugin telling them
about the removal of the package and the reason

Or do I misunderstand?

-- 
wobo


Re: [Mageia-dev] Removal of sun java

2012-03-30 Thread Thierry Vignaud
On 30 March 2012 10:52, Anne nicolas  wrote:
>>>>> Actually, _YOU_ want us to "manage this case differently from other similar
>>>>> situations".
>>>>> In case you didn't see, other packages are obsoleted by task-obsolete (if
>>>>> no better package)
>>>>
>>>> So I think we should obsolete sun-java in task-obsolete, and add it to
>>>> release notes. Then people who want to remove unsupported packages can
>>>> install task-obsolete.
>>>
>>> Do all average users know about task-obsolete (I did not, never needed
>>> it) ? You can't use what you don't know about and what has not been
>>> documented in userland. Except you want to narrow down the target
>>> group for Mageia to people with technical knowledge and interest.
>>
>> Actually, if it's obsoleted by task-obsolete, task-obsolete will be
>> automatically installed.
>> Providing it's on the media (eg: in the DVD case)
>
> It isn't at the moment. Where should we add it ? rpmsrate ?

yes in the INSTALL section


Re: [Mageia-dev] Removal of sun java

2012-03-30 Thread Anne nicolas
2012/3/30 Thierry Vignaud :
> On 30 March 2012 10:40, Wolfgang Bornath  wrote:
>>>> Actually, _YOU_ want us to "manage this case differently from other similar
>>>> situations".
>>>> In case you didn't see, other packages are obsoleted by task-obsolete (if
>>>> no better package)
>>>
>>> So I think we should obsolete sun-java in task-obsolete, and add it to
>>> release notes. Then people who want to remove unsupported packages can
>>> install task-obsolete.
>>
>> Do all average users know about task-obsolete (I did not, never needed
>> it) ? You can't use what you don't know about and what has not been
>> documented in userland. Except you want to narrow down the target
>> group for Mageia to people with technical knowledge and interest.
>
> Actually, if it's obsoleted by task-obsolete, task-obsolete will be
> automatically installed.
> Providing it's on the media (eg: in the DVD case)

It isn't at the moment. Where should we add it ? rpmsrate ?

-- 
Anne
http://www.mageia.org


Re: [Mageia-dev] Removal of sun java

2012-03-30 Thread nicolas vigier
On Fri, 30 Mar 2012, Wolfgang Bornath wrote:

> 2012/3/30 nicolas vigier :
> > On Fri, 30 Mar 2012, Thierry Vignaud wrote:
> >
> >> On 30 March 2012 10:06, Guillaume Rousse  wrote:
> >> >> We can do like RH & Ubuntu, provides an empty package that explain sun
> >> >> doesn't enable us anymore to distribute it and that they've to install (& update)
> >> >> it manually from sun.com
> >> >
> >> > Why should we manage this case differently from other similar situations ?
> >> > That's not the first time we remove something from the distribution, because
> >> > it is not supported anymore usually, and has known available
> >> > vulnerabilities.
> >>
> >> Actually, _YOU_ want us to "manage this case differently from other similar
> >> situations".
> >> In case you didn't see, other packages are obsoleted by task-obsolete (if
> >> no better package)
> >
> > So I think we should obsolete sun-java in task-obsolete, and add it to
> > release notes. Then people who want to remove unsupported packages can
> > install task-obsolete.
> 
> Do all average users know about task-obsolete (I did not, never needed
> it) ? You can't use what you don't know about and what has not been
> documented in userland. Except you want to narrow down the target
> group for Mageia to people with technical knowledge and interest.

It can be added to the release notes.



Re: [Mageia-dev] Removal of sun java

2012-03-30 Thread Thierry Vignaud
On 30 March 2012 10:40, Wolfgang Bornath  wrote:
>>> Actually, _YOU_ want us to "manage this case differently from other similar
>>> situations".
>>> In case you didn't see, other packages are obsoleted by task-obsolete (if
>>> no better package)
>>
>> So I think we should obsolete sun-java in task-obsolete, and add it to
>> release notes. Then people who want to remove unsupported packages can
>> install task-obsolete.
>
> Do all average users know about task-obsolete (I did not, never needed
> it) ? You can't use what you don't know about and what has not been
> documented in userland. Except you want to narrow down the target
> group for Mageia to people with technical knowledge and interest.

Actually, if it's obsoleted by task-obsolete, task-obsolete will be
automatically installed.
Providing it's on the media (eg: in the DVD case)


Re: [Mageia-dev] Removal of sun java

2012-03-30 Thread Wolfgang Bornath
2012/3/30 nicolas vigier :
> On Fri, 30 Mar 2012, Thierry Vignaud wrote:
>
>> On 30 March 2012 10:06, Guillaume Rousse  wrote:
>> >> We can do like RH & Ubuntu, provides an empty package that explain sun
>> >> doesn't enable us anymore to distribute it and that they've to install (& update)
>> >> it manually from sun.com
>> >
>> > Why should we manage this case differently from other similar situations ?
>> > That's not the first time we remove something from the distribution, because
>> > it is not supported anymore usually, and has known available
>> > vulnerabilities.
>>
>> Actually, _YOU_ want us to "manage this case differently from other similar
>> situations".
>> In case you didn't see, other packages are obsoleted by task-obsolete (if
>> no better package)
>
> So I think we should obsolete sun-java in task-obsolete, and add it to
> release notes. Then people who want to remove unsupported packages can
> install task-obsolete.

Do all average users know about task-obsolete (I did not, never needed
it) ? You can't use what you don't know about and what has not been
documented in userland. Except you want to narrow down the target
group for Mageia to people with technical knowledge and interest.

-- 
wobo


Re: [Mageia-dev] Removal of sun java

2012-03-30 Thread Wolfgang Bornath
2012/3/30 Thierry Vignaud :
> On 29 March 2012 22:59, Pascal Terjan  wrote:
>>> perhaps we can obsolete it with one of those nonfree getters? (if security
>>> bug)
>>>
>>> or, maybe a package that gives an README.urpmi ...
>>>
>>> IMHO: i think obsoleting it is fine, but with a README.urpmi that says
>>> notifies
>>> that it's been obsoleted.
>>
>>
>> Yes that seems the best solution to me
>
> We can do like RH & Ubuntu, provides an empty package that explain sun doesn't
> enable us anymore to distribute it and that they've to install (& update) it
> manually from sun.com

That's what others and I suggested in the bug report.

We are not sysadmins of users' systems. But that's only the academic
point of view. Reality is that the main target of Mageia is the
average user, who will likely not read technical papers or security
alerts and will probably not know about the security issue at all. Even
if he reads something about it in a newspaper he will usually trust
Mageia's repos, more so since we keep telling the users that we do QA
for all software in the "official" repos.

Telling that all over the place implies a responsibility which we
cannot simply put aside by saying that we are not sysadmins of the
user's systems. Supplying software in our repos does not allow us, in
cases like this one, to simply point at the user and tell him that it
is his own fault if he installs the software. We can do that if he
installs software from a 3rd party source, but not from our own repos.

So, just removing the package and leaving the users who already
installed it out in the rain is wrong and could even mean bad
reputation. That's why I strongly suggest to think beyond the rim of a
developer's bowl.

-- 
wobo


Re: [Mageia-dev] Removal of sun java

2012-03-30 Thread nicolas vigier
On Fri, 30 Mar 2012, Thierry Vignaud wrote:

> On 30 March 2012 10:06, Guillaume Rousse  wrote:
> >> We can do like RH & Ubuntu: provide an empty package that explains that Sun
> >> no longer allows us to distribute it and that they have to install (& update)
> >> it manually from sun.com
> >
> > Why should we manage this case differently from other similar situations?
> > That's not the first time we remove something from the distribution,
> > usually because it is not supported anymore and has known
> > vulnerabilities.
> 
> Actually, _YOU_ want us to "manage this case differently from other similar
> situations".
> In case you didn't see, other packages are obsoleted by task-obsolete (if
> there is no better package).

So I think we should obsolete sun-java in task-obsolete, and add it to
release notes. Then people who want to remove unsupported packages can
install task-obsolete.



Re: [Mageia-dev] Removal of sun java

2012-03-30 Thread Thierry Vignaud
On 30 March 2012 10:06, Guillaume Rousse  wrote:
>> We can do like RH & Ubuntu: provide an empty package that explains that Sun
>> no longer allows us to distribute it and that they have to install (& update)
>> it manually from sun.com
>
> Why should we manage this case differently from other similar situations?
> That's not the first time we remove something from the distribution,
> usually because it is not supported anymore and has known
> vulnerabilities.

Actually, _YOU_ want us to "manage this case differently from other similar
situations".
In case you didn't see, other packages are obsoleted by task-obsolete (if
there is no better package).

In this case, we even have strong reasons to do so:
1) users don't report bugs in our bugzilla
2) users become aware it's no longer supported by us
3) users become aware they won't get any security update anymore
4) users become aware they have to look at sun.com for updates
5) ...

So please don't invent special exceptions to our policies for
your own comfort.
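The two mechanisms argued over in this thread (obsoleting the removed package from task-obsolete, as nicolas proposes, versus pushing an empty replacement package that carries a README.urpmi, as Thierry proposes) differ in what actually happens on a user's machine, and that is easiest to see in RPM spec terms. The fragments below are an added illustration, not the spec of Mageia's real task-obsolete package or of any real java-sun package; the package name `java-sun` and the version bound are placeholders, since the thread never gives the exact subpackage names or versions.

```spec
# Added illustration only: not Mageia's task-obsolete spec, not a real
# java-sun spec.  "java-sun" and the version numbers are placeholders.

# --- Option A: remove it from task-obsolete (nicolas's proposal) ---------
# Only users who install task-obsolete get the removal.  Once rpm has
# processed the Obsoletes, the old package is gone from the rpm database,
# so nothing is left listed as "installed".
#
# Bound the Obsoletes with a version: an unbounded "Obsoletes: java-sun"
# would also pull out a newer build the user installed by hand from
# sun.com if that build happens to carry the same package name.
Name:           task-obsolete
Obsoletes:      java-sun < 1.6.0.99        # placeholder upper bound

# --- Option B: empty replacement package (Thierry's proposal) -----------
# Shipped as an ordinary update, so every user who still has the old
# package sees the notice on their next update run, without knowing about
# task-obsolete.  The trade-off raised in the thread: an (empty) java-sun
# package stays listed in the rpm database afterwards.
Name:           java-sun
Version:        1.6.0.99        # placeholder: must sort above the removed build
Release:        1
Summary:        Placeholder for the Sun JRE, which Mageia can no longer distribute
License:        Public Domain
BuildArch:      noarch

%description
Sun no longer allows redistribution of its JRE.  This package carries no
software, only a notice: use OpenJDK or fetch and update Java yourself
from sun.com.

%install
# urpmi displays README.urpmi files shipped in a package during install
# and update; the %{_docdir}/%{name} location is the usual convention
# and is an assumption here.
mkdir -p %{buildroot}%{_docdir}/%{name}
cat > %{buildroot}%{_docdir}/%{name}/README.urpmi <<'EOF'
The Sun JRE was removed from the Mageia repositories because newer
versions are no longer redistributable.  You will get no further
security updates for it from Mageia.  Either install OpenJDK from the
repositories, or download and keep Java updated yourself from sun.com.
EOF

%files
%doc %{_docdir}/%{name}/README.urpmi
```

Before pushing either variant, check what a built package would actually remove with `rpm -qp --obsoletes file.rpm`, and make sure the version bound in Option A does not match a package the user could have installed from Sun's own installer.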


Re: [Mageia-dev] Removal of sun java

2012-03-30 Thread Guillaume Rousse

Le 30/03/2012 09:58, Thierry Vignaud a écrit :
> On 29 March 2012 22:59, Pascal Terjan  wrote:
>>> Perhaps we can obsolete it with one of those nonfree getters? (if security
>>> bug)
>>>
>>> Or, maybe a package that gives a README.urpmi ...
>>>
>>> IMHO: I think obsoleting it is fine, but with a README.urpmi that
>>> notifies the user that it's been obsoleted.
>>
>> Yes that seems the best solution to me
>
> We can do like RH & Ubuntu: provide an empty package that explains that Sun
> no longer allows us to distribute it and that they have to install (& update)
> it manually from sun.com
Why should we manage this case differently from other similar situations?
That's not the first time we remove something from the distribution,
usually because it is not supported anymore and has known
vulnerabilities.


--
Old and precious carpets weaken bowels and bladders.
-- Jenning's Corollary Concerning Oriental Carpets and Pets


Re: [Mageia-dev] Removal of sun java

2012-03-30 Thread Thierry Vignaud
On 29 March 2012 22:59, Pascal Terjan  wrote:
>> Perhaps we can obsolete it with one of those nonfree getters? (if security
>> bug)
>>
>> Or, maybe a package that gives a README.urpmi ...
>>
>> IMHO: I think obsoleting it is fine, but with a README.urpmi that
>> notifies the user that it's been obsoleted.
>
>
> Yes that seems the best solution to me

We can do like RH & Ubuntu: provide an empty package that explains that Sun
no longer allows us to distribute it and that they have to install (& update)
it manually from sun.com


Re: [Mageia-dev] Removal of sun java

2012-03-30 Thread Guillaume Rousse

Le 29/03/2012 23:06, Florian Hubold a écrit :
> Am 29.03.2012 22:23, schrieb Maarten Vanraes:
>> Op donderdag 29 maart 2012 21:08:22 schreef David Walser:
>>> Guillaume Rousse  writes:
>>>> If I want to keep a proprietary JRE on my computers, because I trust it
>>>> more to run crap proprietary applications (also called
>>>> corporate-compliants), than marvelous free-licensed environment they
>>>> have never been tested with, that is my choice, not yours.
> So you say that you really want to keep an outdated
> package with many security holes, which even the
> infamous Zeus bot is said to exploit?
I think I'm better placed than anyone else to evaluate the exact risk I'm 
facing on the machines I'm running, because I know what they are used 
for, how they are managed, and how exactly they are protected from 
external threats such as Zeus. The decision of how to manage this problem 
belongs to me.

> Sure, that's your choice and you're free to do this,
> but we can't keep our users susceptible to such
> problems.
You're not a system administrator, whose duty is to take this kind of 
decision, you are a technical solution provider. You're clearly 
confusing the roles here.

Removing the sun java package from the distribution is perfectly fine 
(and anyway, there is no real choice). Explaining it in release notes, 
with suggestions for alternative solutions, also. But automatically removing 
software for security concerns, without asking for user consent, would 
be a first step into transferring decision power from user to operating 
system vendor. A trusted computing approach, in other words.

--
BOFH excuse #301:

appears to be a Slow/Narrow SCSI-0 Interface problem


Re: [Mageia-dev] Removal of sun java

2012-03-29 Thread D.Morgan
On Fri, Mar 30, 2012 at 3:03 AM, Eugeni Dodonov  wrote:
> On Thu, Mar 29, 2012 at 12:32, D.Morgan  wrote:
>>
>> Hi,
>>
>> I removed Sun Java from the nonfree repository, as we are no longer able
>> to provide it.
>
>
> Can't it be put into the tainted/PLF sort of repository?
>
> --
> Eugeni Dodonov
>

tainted is not for nonfree packages, and Sun doesn't allow
redistributing it anymore.


Re: [Mageia-dev] Removal of sun java

2012-03-29 Thread Eugeni Dodonov
On Thu, Mar 29, 2012 at 12:32, D.Morgan  wrote:

> Hi,
>
> I removed Sun Java from the nonfree repository, as we are no longer able
> to provide it.
>

Can't it be put into the tainted/PLF sort of repository?

-- 
Eugeni Dodonov
 


Re: [Mageia-dev] Removal of sun java

2012-03-29 Thread Florian Hubold
Am 29.03.2012 22:23, schrieb Maarten Vanraes:
> Op donderdag 29 maart 2012 21:08:22 schreef David Walser:
>> Guillaume Rousse  writes:
>>> If I want to keep a proprietary JRE on my computers, because I trust it
>>> more to run crap proprietary applications (also called
>>> corporate-compliants), than marvelous free-licensed environment they
>>> have never been tested with, that is my choice, not yours.
So you say that you really want to keep an outdated
package with many security holes, which even the
infamous Zeus bot is said to exploit?

Sure, that's your choice and you're free to do this,
but we can't keep our users susceptible to such
problems.
>> If they really want to keep Sun Java, shouldn't they just download the
>> installer from Sun and install it themselves, rather than using some
>> obsolete Mageia 1 package of it?
>
> Well, iinm the version that the people have will still have the correct 
> license and we are able to distribute it fine.
>
> I would argue that if there are security bugs we could remove it, but I'm not too sure 
> on this point... I mean, can we really remove it from them? OTOH, people 
> wanting to have the proprietary ones likely know what they are doing...
>
> Perhaps we can obsolete it with one of those nonfree getters? (if security 
> bug)
>
> Or, maybe a package that gives a README.urpmi ...
>
> IMHO: I think obsoleting it is fine, but with a README.urpmi that 
> notifies the user 
> that it's been obsoleted.
That was the proposal, and that's what Ubuntu has done,
IIRC: they blanked the existing packages and notified
people that they should either use OpenJDK or manually
get Java from Oracle.
>
> (unless someone wants to have and maintain a nonfree getter application that 
> fetches the upstream releases)
>
> We really shouldn't keep stuff we can't maintain...
>
>



Re: [Mageia-dev] Removal of sun java

2012-03-29 Thread Pascal Terjan
On Thu, Mar 29, 2012 at 21:23, Maarten Vanraes  wrote:

> Op donderdag 29 maart 2012 21:08:22 schreef David Walser:
> > Guillaume Rousse  writes:
> > > If I want to keep a proprietary JRE on my computers, because I trust it
> > > more to run crap proprietary applications (also called
> > > corporate-compliants), than marvelous free-licensed environment they
> > > have never been tested with, that is my choice, not yours.
> >
> > If they really want to keep Sun Java, shouldn't they just download the
> > installer from Sun and install it themselves, rather than using some
> > obsolete Mageia 1 package of it?
>
>
> Well, iinm the version that the people have will still have the correct
> license and we are able to distribute it fine.
>
> I would argue that if there are security bugs we could remove it, but I'm not too
> sure
> on this point... I mean, can we really remove it from them? OTOH, people
> wanting to have the proprietary ones likely know what they are doing...
>

http://www.h-online.com/open/news/item/Critical-Java-hole-being-exploited-on-a-large-scale-Update-1485681.html

If people want it, they should install the fixed version that we are not
allowed to distribute.

> Perhaps we can obsolete it with one of those nonfree getters? (if security
> bug)
>
> Or, maybe a package that gives a README.urpmi ...
>
> IMHO: I think obsoleting it is fine, but with a README.urpmi that
> notifies the user
> that it's been obsoleted.
>

Yes that seems the best solution to me


> (unless someone wants to have and maintain a nonfree getter application
> that
> fetches the upstream releases)
>
> We really shouldn't keep stuff we can't maintain...
>
>


Re: [Mageia-dev] Removal of sun java

2012-03-29 Thread Maarten Vanraes
Op donderdag 29 maart 2012 21:08:22 schreef David Walser:
> Guillaume Rousse  writes:
> > If I want to keep a proprietary JRE on my computers, because I trust it
> > more to run crap proprietary applications (also called
> > corporate-compliants), than marvelous free-licensed environment they
> > have never been tested with, that is my choice, not yours.
> 
> If they really want to keep Sun Java, shouldn't they just download the
> installer from Sun and install it themselves, rather than using some
> obsolete Mageia 1 package of it?


Well, iinm the version that the people have will still have the correct 
license and we are able to distribute it fine.

I would argue that if there are security bugs we could remove it, but I'm not too sure 
on this point... I mean, can we really remove it from them? OTOH, people 
wanting to have the proprietary ones likely know what they are doing...

Perhaps we can obsolete it with one of those nonfree getters? (if security 
bug)

Or, maybe a package that gives a README.urpmi ...

IMHO: I think obsoleting it is fine, but with a README.urpmi that notifies 
the user that it's been obsoleted.

(unless someone wants to have and maintain a nonfree getter application that 
fetches the upstream releases)

We really shouldn't keep stuff we can't maintain...


Re: [Mageia-dev] Removal of sun java

2012-03-29 Thread David Walser
Guillaume Rousse  writes:
> If I want to keep a proprietary JRE on my computers, because I trust it 
> more to run crap proprietary applications (also called 
> corporate-compliants), than marvelous free-licensed environment they 
> have never been tested with, that is my choice, not yours.

If they really want to keep Sun Java, shouldn't they just download the installer
from Sun and install it themselves, rather than using some obsolete Mageia 1
package of it?



Re: [Mageia-dev] Removal of sun java

2012-03-29 Thread Guillaume Rousse

Le 29/03/2012 20:26, Florian Hubold a écrit :
> Actually I thought https://bugs.mageia.org/show_bug.cgi?id=3101#c10
> to be a good idea. So we should now at least have it automatically removed
> from end-user machines, one way or another.
*automatically* is the contention point here.

> This is not about babysitting, but caring for security of our users.
Advise of the problem, then, but don't treat users as blatant idiots.

If I want to keep a proprietary JRE on my computers, because I trust it 
more to run crap proprietary applications (also called 
corporate-compliants), than marvelous free-licensed environment they 
have never been tested with, that is my choice, not yours.

--
BOFH excuse #150:

Arcserve crashed the server again.


Re: [Mageia-dev] Removal of sun java

2012-03-29 Thread Florian Hubold
Am 29.03.2012 19:35, schrieb David Walser:
> D.Morgan  writes:
>> Hi,
>>
>> I removed Sun Java from the nonfree repository, as we are no longer able
>> to provide it.
> Should we have openjdk obsolete it so this insecure thing gets removed from
> users systems who already have it installed?
>
>
Actually I thought https://bugs.mageia.org/show_bug.cgi?id=3101#c10
to be a good idea. So we should now at least have it automatically removed
from end-user machines, one way or another.

This is not about babysitting, but caring for security of our users.


Re: [Mageia-dev] Removal of sun java

2012-03-29 Thread Guillaume Rousse

Le 29/03/2012 19:35, David Walser a écrit :
> D.Morgan  writes:
>> Hi,
>>
>> I removed Sun Java from the nonfree repository, as we are no longer able
>> to provide it.
>
> Should we have openjdk obsolete it so this insecure thing gets removed from
> users' systems who already have it installed?
Don't babysit users too much... As a distribution, you're responsible to 
provide content, not to manage end-users' machines.


--
BOFH excuse #287:

Telecommunications is downshifting.


Re: [Mageia-dev] Removal of sun java

2012-03-29 Thread David Walser
D.Morgan  writes:
> Hi,
> 
> I removed Sun Java from the nonfree repository, as we are no longer able
> to provide it.

Should we have openjdk obsolete it so this insecure thing gets removed from
users systems who already have it installed?



Re: [Mageia-dev] Removal of sun java

2012-03-29 Thread Bertaux Xavier
Oh OK!

Thanks

Le 29/03/2012 18:44, nicolas vigier a écrit :
> On Thu, 29 Mar 2012, Bertaux Xavier wrote:
>
>> Why ?
> Because newer versions of Sun Java are no longer available under the
> same license as before:
> http://robilad.livejournal.com/90792.html
>


Re: [Mageia-dev] Removal of sun java

2012-03-29 Thread nicolas vigier
On Thu, 29 Mar 2012, Bertaux Xavier wrote:

> Why ?

Because newer versions of Sun Java are no longer available under the
same license as before:
http://robilad.livejournal.com/90792.html



Re: [Mageia-dev] Removal of sun java

2012-03-29 Thread Bertaux Xavier
Why ?

Xavier

Le 29/03/2012 17:32, D.Morgan a écrit :
> Hi,
>
> I removed Sun Java from the nonfree repository, as we are no longer able
> to provide it.


[Mageia-dev] Removal of sun java

2012-03-29 Thread D.Morgan
Hi,

I removed Sun Java from the nonfree repository, as we are no longer able
to provide it.

Regards.