On Sun, May 26, 2019 at 09:47:13PM +0200, Matthias Klose wrote: > On 24.05.19 20:29, Martijn Verburg wrote: > > On Fri, 24 May 2019 at 15:40, tony mancill <tmanc...@debian.org> wrote: > > > >> On Thu, May 23, 2019 at 11:58:14PM +0200, Emmanuel Bourg wrote: > >>> Le 23/05/2019 à 19:04, Martijn Verburg a écrit : > >>> > >>>> What was the difficulty in grabbing the 11.0.3+7 tag directly? > >>> > >>> The difficulty is the policy that applies to backported packages. A > >>> package that is backported from the Debian release n+1 to the release n > >>> has to remain upgradable when the system is upgraded. For this to happen > >>> the version backported must rank lower than the version in the next > >>> release. That's why there are weird suffixes appended to the versions of > >>> the backported packages (1.2.3-1~bpo9+1 is lower than 1.2.3-1). > >>> > >>> Currently Debian Buster has openjdk-11/11.0.3+1-1, so it isn't possible > >>> to upload the version 11.0.3+7-1~bpo9+1 to stretch-backports. The only > >>> solutions is to either upgrade openjdk-11 in testing to a version higher > >>> than 11.0.3+7, or patch the existing version. Since testing is currently > >>> frozen and difficult to update until the release of Buster, it leaves > >>> only the patch solution. > >> > >> Emmanuel, > >> > >> It seems like we need to bring this up with the Release and Security > >> teams. Releasing Buster with mulitple critical open CVEs in the JVM > >> isn't a good experience for our users. My proposal is that we do what > >> we need to get 11.0.3-ga-1 into Buster. > >> > >> From a versioning standpoint, this should work. Am I missing something? > >> > >> $ dpkg --compare-versions 11.0.3-ga-1 gt 11.0.3+7-1 && echo "11.0.3-ga-1 > >> is newer" > >> 11.0.3-ga-1 is newer > > I don't think that playing games with version numbers is a good thing to do. > Version numbers should match the upstream source release, and the binary > packages should not change that version. Of course openjdk has a split > personality to give even another version when called with java --version > > The final 11.0.3 release: > https://mail.openjdk.java.net/pipermail/jdk-updates-dev/2019-April/000951.html > > does *not* contain the ea specifier.
Hi Matthias, Thank you for weighing in on the thread. I have been building openjdk packages all weekend and now understand that the version number is required to be numeric as per the upstream build system - i.e., VERSION_BUILD won't pass the test here [1] if it is arbitrarily changed from from 7 to ga. So 11.0.3+7 it is. My bad for proposing otherwise in this thread, before I got more familiar with the build system... For the update to buster via testing-proposed-updates, I have prepared 11.0.3+7-4+deb10u1, which is simply your 11.0.3+7-4 package [2] targeted at buster via t-p-u and with the changelog updated to note that 11.0.3+7 is the GA release from OpenJDK. This will address the CVEs currently open against the version in buster. Does that sound acceptable for upload to Debian? Would you prefer a different approach? Thank you, tony [1] http://hg.openjdk.java.net/jdk-updates/jdk11u/file/175eb80c253a/make/autoconf/jdk-version.m4#l40 [2] https://tracker.debian.org/news/1038802/accepted-openjdk-11-11037-4-source-into-unstable/
signature.asc
Description: PGP signature
