There is a bug report open for openjdk-6 in wheezy (#675495) and squeeze didn't see any security updates for several months. To summarize, no party involved is capable or willing to provide security updates based on backports of single patches to the released openjdk-6 version in a stable release. So what to do about it?
- Remove openjdk-6 in wheezy. Probably would require falling back to gcj. Not recommended as a runtime environment, but should work fine for building packages, as ecj is used for byte-code compilation. Falling back to an easier-to-maintain jvm could be an option too, but I didn't check how well that would work. Not having a fall-back would require removing most of java in Debian.

- Updating to openjdk-7 in wheezy would not solve any issues from my point of view, and it would need some porting of packages to 7, and probably removing some packages which are not yet ported. Otoh removing openjdk-7 for wheezy could be an option if only one version should be supported for a stable release.

- Release openjdk-6 with wheezy, and provide security support by updating to new OpenJDK and IcedTea versions. Usually this does include some backports and other fixes. The potential for regressions could be higher, however even the single security fixes show regressions, as shown by the last security update on Feb 1. These builds could be provided as security updates, updates to the stable releases, or as backports. As a proof of concept, see [1].

- Release openjdk-7 with wheezy, and do the same as with openjdk-6. The issue here is that 7 sees more changes than 6, and that the current openjdk-7 release doesn't build anymore on mips or mipsel, as communicated to the Debian mips porters, so an update would require removal of the binary mips packages. Fine if somebody wants to fix it, but apparently there is no-one interested in that. So this looks more difficult than the openjdk-6 updates. Removing the openjdk mips binaries would require changes to source packages building arch any packages and build-depending on default-jdk or openjdk.

We should find a solution where the resources are available to handle this solution.

In the OpenJDK team, I think it's safe to assume that Torsten Werner isn't currently working on openjdk anymore, and recently I got an email from Damien Raude-Morvan that he can't work on OpenJDK-7 in the foreseeable future anymore. Apparently one of the security team members who did work on OpenJDK security updates left the team too. I think that moving maintainership to the Debian Java team would just make the maintainership issue less explicit.

While not that important an issue, the mips and kfreebsd issue could be improved as well:

- The mipsel porter box is again down for several months. Having a porter box to test backports would be appreciated (yes, openjdk-7 in experimental currently fails on mips, not mipsel).

- Afaik openjdk-7 for kfreebsd does build on kfreebsd (according to Damien) with the kfreebsd kernel from wheezy. So maybe some commitment could be found to upgrade and maintain the kernels before wheezy is released?

Matthias

[1] deb http://people.debian.org/~doko/tmp/openjdk-6-squeeze ./