Florian Weimer wrote:
> * Matthias Klose:
>> So, we are late with OpenJDK for lenny. I still think lenny would
>> benefit from having OpenJDK. I'm proposing the following steps,
>> realizing that not all of them probably can be realized.
>
> Is there upstream security support for OpenJDK 6? I'm asking because
> the DLJ stuff used to lag quite a bit.

FWIW I've been working to make sure the DLJ bundles get published more
in line with the regular bundles. I took over DLJ in Jan/Feb when Tom
went off to greener pastures.

If you need to know details about the security fix releases I can get a
statement from one of the guys directly involved. The model we're
moving to (have moved to) is to synchronize security fix releases across
all the JDK release channels we have. We're still releasing JDKs back
to 1.3.1 (for some reason). Each synchronized security release
involves simultaneous release of all current binary JDK bundles as well
as OpenJDK 6/7 source releases of the same bug fixes. For OpenJDK there
is some kind of behind the scenes source handshaking as (I think) is
common among open source projects and if you want to know more either I
or Dalibor could get the information to you. We of course don't want to
release source for a security fix until the matching binary JDK build
has been released.

OpenJDK 6 b11 was the matching synchronized security release
http://blogs.sun.com/darcy/entry/openjdk_6_sources_for_b11

The matching DLJ bundles, 5.0u17 and 6u7, were published within a couple
hours of the normal (non-DLJ) bundles. This was much better than the
release lag for earlier DLJ bundle releases (heavy sigh).

- David Herron