On 2013-02-18 13:08, Steven Chamberlain wrote:
> [...]
>> OpenJDK6 therefore should be considered obsolete when Wheezy is released.
>
> I wouldn't use the word 'obsolete' so long as there are packages that
> *can* use it... I'd call it 'maintenance only'.
>
>
> Before deciding the post-wheezy fate of openjdk-6, why not wait, and see
> how well things work out over the next few months. Let's see what
> security issues affect openjdk-6 vs. openjdk-7. Let's see how Red Hat's
> security maintenance for openjdk-6 compares to Oracle's own Java 7 fixes
> being pulled into openjdk-7 (in terms of expediency, complexity of
> changes, regressions).
>

Well, that being a fair argument - however, are you volunteering to (co-)maintain OpenJDK-6 while we find out? And even if it turns out to be worse? I know I can't answer yes to either myself. That is why I support getting rid of OpenJDK-6 ASAP[0]; to ease the maintenance burden for the OpenJDK maintainers.

> For example, if I had some public-facing Java-based service, I would
> rather have been running it on openjdk-6 over the past months because it
> had fewer security issues and perhaps no regressions caused by fixes.
>

As far as I know, the recent "flood" of CVEs affects OpenJDK-6 as well. Compare [1] with [2] - the majority of the CVEs starting at "CVE-2012-1531" and "down" appear to be almost identical.

> OTOH some packages may switch to openjdk-7 post-wheezy or ship a new
> upstream version that has at least been fixed to be able to use it.
>
> Regards,

~Niels

[0] ASAP being post-wheezy AFAICT, see: <512162ec.9040...@thykier.net>

[1] https://security-tracker.debian.org/tracker/source-package/openjdk-6

[2] https://security-tracker.debian.org/tracker/source-package/openjdk-7