Bug#960692: src:netbeans: Please add support to build against libjson-simple-java >= 3

2020-05-15 Thread Gilles Filippini
Package: src:netbeans
Version: 10.0-3
Severity: normal
Tags: patch

Hi,

I'd like to transition json-simple 3.1.1 to unstable, but netbeans is a blocker 
since it builds against libjson-simple-java << 3 only.

The json-simple classes used by netbeans were deprecated in version 2.0.0 [1].
They were removed in versions 3.x [2].

[1] https://github.com/cliftonlabs/json-simple/blob/json-simple-2.0.0/README.txt
[2] https://github.com/cliftonlabs/json-simple/blob/json-simple-3.0.1/CHANGELOG

Please find attached a patch proposal to use the current json-simple classes. 
I've tested that the package builds correctly against libjson-simple-java 
version 2.3.0-1 from unstable and version 3.1.1-1~exp2 currently in 
experimental. But I don't know how to test the package afterward.

Because this is a huge patch it may have errors, but they should be easy to fix 
once discovered. Please do not hesitate to ping me in case of broken tests.

Once this is cleared, this patch should be pushed upstream. They can't keep going
using this deprecated json-simple 1.x API.

Thanks in advance for considering.

_g.

-- System Information:
Debian Release: buster/sid
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.6.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), 
LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



netbean-json-simple.debdiff.gz
Description: application/gzip
__
This is the maintainer address of Debian's Java team.
Please use debian-j...@lists.debian.org for discussions and questions.

apache-log4j1.2_1.2.17-8+deb10u1_amd64.changes ACCEPTED into proposed-updates->stable-new

2020-05-15 Thread Debian FTP Masters
Mapping stable-security to proposed-updates.

Accepted:

Format: 1.8
Date: Sat, 02 May 2020 16:46:05 +0200
Source: apache-log4j1.2
Binary: liblog4j1.2-java liblog4j1.2-java-doc
Architecture: source all
Version: 1.2.17-8+deb10u1
Distribution: buster-security
Urgency: high
Maintainer: Debian Java Maintainers
Changed-By: Markus Koschany
Description:
 liblog4j1.2-java - Logging library for java
 liblog4j1.2-java-doc - Documentation for liblog4j1.2-java
Closes: 947124
Changes:
 apache-log4j1.2 (1.2.17-8+deb10u1) buster-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2019-17571. (Closes: #947124)
 Included in Log4j 1.2 is a SocketServer class that is vulnerable to
 deserialization of untrusted data which can be exploited to remotely
 execute arbitrary code when combined with a deserialization gadget when
 listening to untrusted network traffic for log data.


Thank you for your contribution to Debian.


apache-log4j1.2_1.2.17-7+deb9u1_amd64.changes ACCEPTED into oldstable-proposed-updates->oldstable-new

2020-05-15 Thread Debian FTP Masters
Mapping oldstable-security to oldstable-proposed-updates.

Accepted:

Format: 1.8
Date: Sat, 02 May 2020 16:38:32 +0200
Source: apache-log4j1.2
Binary: liblog4j1.2-java liblog4j1.2-java-doc
Architecture: source all
Version: 1.2.17-7+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Java Maintainers
Changed-By: Markus Koschany
Description:
 liblog4j1.2-java - Logging library for java
 liblog4j1.2-java-doc - Documentation for liblog4j1.2-java
Closes: 947124
Changes:
 apache-log4j1.2 (1.2.17-7+deb9u1) stretch-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2019-17571. (Closes: #947124)
 Included in Log4j 1.2 is a SocketServer class that is vulnerable to
 deserialization of untrusted data which can be exploited to remotely
 execute arbitrary code when combined with a deserialization gadget when
 listening to untrusted network traffic for log data.


Thank you for your contribution to Debian.


Bug#960692: src:netbeans: Please add support to build against libjson-simple-java >= 3

2020-05-15 Thread Markus Koschany
Hi Gilles,

On 15.05.20 at 15:43, Gilles Filippini wrote:
> Package: src:netbeans
> Version: 10.0-3
> Severity: normal
> Tags: patch
>
> Hi,
> 
> I'd like to transition json-simple 3.1.1 to unstable, but netbeans is a 
> blocker since it builds against libjson-simple-java << 3 only.

[...]

As I have previously announced on the debian-java mailing list, I
believe netbeans will be removed from Debian. It is already affected by
RC bugs, so I don't think it should be a blocker for json-simple. You
can just ignore it, if you don't want to be the maintainer of netbeans.

Regards,

Markus





jmock2: status change on tests.reproducible-builds.org/debian

2020-05-15 Thread Reproducible builds folks
2020-05-13 20:15 https://tests.reproducible-builds.org/debian/unstable/amd64/jmock2 changed from FTBFS -> reproducible


guava-libraries: status change on tests.reproducible-builds.org/debian

2020-05-15 Thread Reproducible builds folks
2020-05-10 04:16 https://tests.reproducible-builds.org/debian/unstable/amd64/guava-libraries changed from reproducible -> FTBR


libxalan2-java 2.7.2-4 MIGRATED to testing

2020-05-15 Thread Debian testing watch
FYI: The status of the libxalan2-java source package
in Debian's testing distribution has changed.

  Previous version: 2.7.2-3
  Current version:  2.7.2-4

-- 
This email is automatically generated once a day.  As the installation of
new packages into testing happens multiple times a day you will receive
later changes on the next day.
See https://release.debian.org/testing-watch/ for more information.


bouncycastle 1.65-1 MIGRATED to testing

2020-05-15 Thread Debian testing watch
FYI: The status of the bouncycastle source package
in Debian's testing distribution has changed.

  Previous version: 1.61-1
  Current version:  1.65-1

-- 
This email is automatically generated once a day.  As the installation of
new packages into testing happens multiple times a day you will receive
later changes on the next day.
See https://release.debian.org/testing-watch/ for more information.


xml-commons-external 1.4.01-5 MIGRATED to testing

2020-05-15 Thread Debian testing watch
FYI: The status of the xml-commons-external source package
in Debian's testing distribution has changed.

  Previous version: 1.4.01-4
  Current version:  1.4.01-5

-- 
This email is automatically generated once a day.  As the installation of
new packages into testing happens multiple times a day you will receive
later changes on the next day.
See https://release.debian.org/testing-watch/ for more information.


Processing of checker-framework_3.0.0+repack1-1~exp1_amd64.changes

2020-05-15 Thread Debian FTP Masters
checker-framework_3.0.0+repack1-1~exp1_amd64.changes uploaded successfully to localhost
along with the files:
  checker-framework_3.0.0+repack1-1~exp1.dsc
  checker-framework_3.0.0+repack1.orig.tar.xz
  checker-framework_3.0.0+repack1-1~exp1.debian.tar.xz
  checker-framework-java_3.0.0+repack1-1~exp1_all.deb
  checker-framework_3.0.0+repack1-1~exp1_amd64.buildinfo

Greetings,

Your Debian queue daemon (running on host usper.debian.org)


checker-framework_3.0.0+repack1-1~exp1_amd64.changes is NEW

2020-05-15 Thread Debian FTP Masters
binary:checker-framework-java is NEW.
binary:checker-framework-java is NEW.
source:checker-framework is NEW.

Your package has been put into the NEW queue, which requires manual action
from the ftpteam to process. The upload was otherwise valid (it had a good
OpenPGP signature and file hashes are valid), so please be patient.

Packages are routinely processed through to the archive, and do feel
free to browse the NEW queue[1].

If there is an issue with the upload, you will receive an email from a
member of the ftpteam.

If you have any questions, you may reply to this email.

[1]: https://ftp-master.debian.org/new.html
 or https://ftp-master.debian.org/backports-new.html for *-backports
