Bug#1006140: New version can't load old databases

2022-02-24 Thread Jochen Sprickerhof

Hi Markus,

now that Ubuntu Jammy is out of the way, I would like to plan for the 
future of h2. Sadly the upstream of jameica/hibiscus declined to upgrade 
it for now as it would involve multiple plugins and projects.


Currently we have these users of h2 in the repo:

$ apt rdepends libh2-java
libh2-java
Reverse Depends:
  Suggests: libh2-java-doc (same package)
  Depends: mediathekview (will move to SQLite)
  Depends: jameica

$ build-rdeps libh2-java
Reverse Build-depends in main:
--

commons-csv (only used in one unit test)
hibiscus (part of jameica)
jverein (part of jameica)
libhibernate3-java (only used in unit tests, I think)
mediathekview
undertow (seems to not use it and builds fine without)

So once mediathekview is updated the only relevant usage of h2 in Debian 
is jameica and plugins. Note that jameica does not use the console 
interface of h2 so it should not be affected by the security bugs.


I see two ways forward:

- Keep the current (old) version of h2 in Debian till jameica is 
  updated, given that jameica is the only user.


- Upload the old version of h2 as jameica-h2database and move the jar to 
  /usr/share/jameica. That would basically mark the package as jameica 
  only and would free up the h2database package to move to a newer 
  version.


What do you think?

Cheers Jochen


* Markus Koschany  [2022-02-19 23:39]:

On Saturday, 19.02.2022 at 23:13 +0100, Jochen Sprickerhof wrote:

* Markus Koschany  [2022-02-19 22:38]:
> Ok. Did you file an upstream bug report already?

I did not yet. Upstream bundles the old binary version so I don't think
I can convince them to do a quick migration.
But I will open a bug to get it fixed there.

> The old version of H2 is already present in Ubuntu or Debian stable. You could
> either ask users to execute all those commands manually (README.Debian,
> Debian.NEWS) or there could be some kind of pre/post hook script that does all
> that automatically.

Asking users to install packages from other releases does not sound
convincing. We can't use the pre/post maintainer scripts as the database
files could be stored anywhere on disk (default is in $HOME but could
even be on a thumb drive). So we can only hook into the jameica
executable. I don't think doing this before the Ubuntu jammy freeze is
feasible.


I believe there is a misunderstanding somewhere. We don't need to ask users to
install anything. They simply upgrade from an older version to a newer one.
There must be some sort of logic for the database storage. It is possible to
move a file to a different location but your program will always look in the
same place. If your database isn't there, then a good script would ask where it
is, you enter the new location and the program proceeds.


> For a quick solution you could upload 1.4.197 again based on the version in
> Bullseye

Thanks, I will do that, i.e. I will upload 2.1.210+really1.4.197-1 =
1.4.197-4+deb11u1 as proposed in my initial bug report.

> but this doesn't really solve the problem.

Can you explain what you mean here?



You only fix your single use case. You keep an unsupported and buggy version of
the H2 database in Debian and this is not how we usually solve problems in
Debian.



> As I said we don't need multiple H2 versions in Debian.

Can you give reasons why you think so? As I stated multiple times I
don't see a way not to have multiple versions available in one release
to support the migration.


You don't need multiple versions of H2 in Bookworm. We ship 1.4.197 in Bullseye
and 2.x in Bookworm, that's it. When users upgrade from Bullseye to Bookworm,
they either have to perform some manual migration steps, or the package takes
care of them automatically. That's how it works for every package in Debian. We
also don't ship multiple Tomcat or Jetty, MariaDB or PostgreSQL versions in
stable releases because we support only one of them for their life cycle. This
is because of security and maintenance reasons, otherwise we would have
multiple versions of every piece of Java software in Debian and we could stop
using system libraries and instead bundle everything together in fat jars. At
one point you have to upgrade to a newer H2 database, that's a fact and it
should happen before we freeze for Bookworm.


> You should only do that if you are willing to
> support an officially unsupported piece of software for the next Debian 12 LTS
> cycle until the year 2028. And that means taking care of all other libh2-java
> dependencies too, dealing with people who request an upgrade to 2.x because
> their use case depends on it, etc. And you and the rest of the users should be
> fine with the disabled H2 console and all the other bugs in that version.

That would be fine with me.


Ok, that's your choice but please add yourself to the list of Uploaders and
keep an eye on all H2 bug reports from now on because I won't. ;>



Bug#1006140: New version can't load old databases

2022-02-24 Thread Markus Koschany
Hi Jochen,

On Thursday, 24.02.2022 at 11:26 +0100, Jochen Sprickerhof wrote:
> 
> 
> - Keep the current (old) version of h2 in Debian till jameica is 
>    updated, given that jameica is the only user.
> 
> - Upload the old version of h2 as jameica-h2database and move the jar to 
>    /usr/share/jameica. That would basically mark the package as jameica 
>    only and would free up the h2database package to move to a newer 
>    version.
> 
> What do you think?

I would rather tend to option two in order to move forward and to provide the
latest version of h2 which is supported by upstream and easier to maintain in
the future. You could also try to import the h2 1.4.x source code into jameica
or hibiscus for the time being and then use it to build both packages. That
would allow us to simply upgrade the existing h2 source package and you could
do whatever you want with the old h2 version. We just have to keep track of
potential security vulnerabilities but the attack surface should be much
smaller. I leave the decision to you because your packages are the only real
consumers of h2 in Debian.

Cheers,

Markus


__
This is the maintainer address of Debian's Java team. Please use
debian-j...@lists.debian.org for discussions and questions.


Processing of libphonenumber_8.12.44-1_source.changes

2022-02-24 Thread Debian FTP Masters
libphonenumber_8.12.44-1_source.changes uploaded successfully to localhost
along with the files:
  libphonenumber_8.12.44-1.dsc
  libphonenumber_8.12.44.orig.tar.gz
  libphonenumber_8.12.44-1.debian.tar.xz
  libphonenumber_8.12.44-1_amd64.buildinfo

Greetings,

Your Debian queue daemon (running on host usper.debian.org)



libphonenumber_8.12.44-1_source.changes ACCEPTED into unstable

2022-02-24 Thread Debian FTP Masters



Accepted:

Format: 1.8
Date: Thu, 24 Feb 2022 06:56:52 -0800
Source: libphonenumber
Architecture: source
Version: 8.12.44-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers
Changed-By: tony mancill
Changes:
 libphonenumber (8.12.44-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream version 8.12.44
 Metadata changes:
  - Updated phone metadata for region code(s):
    AG, AI, AS, BB, BM, BS, CA, CV, DM, DO, GD, GU, JM, KN, KY, LC, MP, MS, PR,
    SC, SX, TC, TT, US, VC, VG, VI
  - Updated short number metadata for region code(s): BE, PT, SC, SE, US
  - Updated geocoding data for country calling code(s):
    61 (en), 238 (en), 1345 (en)
  - Updated carrier data for country calling code(s): 238 (en), 248 (en)


Thank you for your contribution to Debian.



h2database 2.1.210+really1.4.197-1 MIGRATED to testing

2022-02-24 Thread Debian testing watch
FYI: The status of the h2database source package
in Debian's testing distribution has changed.

  Previous version: 2.1.210-1
  Current version:  2.1.210+really1.4.197-1

-- 
This email is automatically generated once a day.  As the installation of
new packages into testing happens multiple times a day you will receive
later changes on the next day.
See https://release.debian.org/testing-watch/ for more information.
