On Tue, May 28, 2019 at 10:59 PM Tiago Daitx <tiago.da...@canonical.com> wrote:
>
> On Tue, May 28, 2019 at 6:21 AM Emmanuel Bourg <ebo...@apache.org> wrote:
> >
> > Le 28/05/2019 à 11:11, Paul Wise a écrit :
> >
> > > FTR, uscan is now flexible enough that it can apply arbitrary
> > > transformations to the HTML and download URL so it is easy enough to
> > > create a watch file that works:
> > >
> > > version=4
> > > opts="pagemangle=s{<a
> > > href=\"/jdk-updates/jdk11u/rev/[^\"]*\">\s*(jdk-11\.[^<\s]*)}{<a
> > > href=\"archive/$1.tar.gz">$1}g" \
> > > https://hg.openjdk.java.net/jdk-updates/jdk11u/tags \
> > > .*/jdk-(.*).tar.gz
> > >
> > > $ uscan --watchfile watch --package openjdk --upstream-version 0
> > > uscan: Newest version of openjdk on remote site is 11.0.4+4, local
> > > version is 0
> > > uscan: => Newer package available from
> > >
> > > https://hg.openjdk.java.net/jdk-updates/jdk11u/archive/jdk-11.0.4+4.tar.gz
> >
> > Thank you Paul. After I posted the previous message I dug into the uscan
> > documentation and found the new pagemangle option.
> >
> > Here is the watch file I wrote to match the OpenJDK 11 GA releases:
> >
> > version=4
> > opts="repack,compression=xz,pagemangle=s%(jdk-.*)%<a
> > href='http://hg.openjdk.java.net/jdk-updates/jdk11u/archive/$1.tar.gz'>$1</a>%g"
> > \
> > http://hg.openjdk.java.net/jdk-updates/jdk11u-dev/tags
> > .*/archive/jdk-(11\..*)-ga.tar.gz
> >
> > Emmanuel Bourg
> >
>
> Hi,
>
> Bellow is the watch file that I have been using for openjdk-11 in
> Ubuntu which was not copied to Debian. It tracks the upstream tarballs
> that RedHat has been generating since they got project leadership for
> OpenJDK 11. Kudos to RedHat for such tarballs!
>
> version=4
> opts=pgpmode=auto https://openjdk-sources.osci.io/openjdk11/
> openjdk@ANY_VERSION@@ARCHIVE_EXT@
>
> They only provide tarballs for official releases, so one would find
> only "GA" equivalent tags there. My aim is to use those tarballs to
> generate Ubuntu security updates for our openjdk-11 package. I would
> appreciate feedback on why this is better or worse than following the
> mercurial tags for the official releases. The advantage I see is that
> the tarballs are signed and do not need to be repacked, the downside
> being that such watch file cannot track "pre"-releases (as that helps
> testing the pre-releases) and won't work for openjdk-12 or openjdk-13
> as Oracle does no such tarballs releases.
>
> And compared to the "previous" way of updating openjdk-11 (ie. running
> "debian/rule get-orig") it won't clear up the tree from some system
> libraries - I don't find that to be a problem for builds, in all the
> tests I did the libraries don't get used due to the configure flags we
> (already) set. Matthias did mention something about the licenses from
> those libraries. I tested adding Files-Excluded rules to
> debian/copyright, which worked okay-ish: libjavajpeg required manually
> listing files as a couple need to be kept, so does not scale that well
> when new files get added (somebody will need to notice it and manually
> add them to the list).
>
>
> Emmanuel and Paul,
>
> Great work on getting a watch file that works with the mercurial tags!
> I know it is only meant to tracks ga, but with a few tweaks it can be
> used to track pre-releases which might help testing those.
>
> Regards,
> Tiago
Just to be clear: the above discussion was all about openjdk-11.
OpenJDK 8 is another beast and the openjdk-8 package has to track a
lot more repositories: the "root" openjdk repository, corba, 3 hotspot
repositories (1 for the oracle supported archs, 1 for armhf, another
one for arm64), jaxp, jaxws, jdk, langtools, hotspot, nashorn. And the
arm related hotspot repositories usually lag behind the official one
from a few days to a few months (specially aarch32 used for armhf), so
that can delay the release or require hotspot security patches to be
applied on top of the arm hotspot. That makes having a watch file for
it much harder since the OpenJDK 8 tarballs don't include the code for
the arm hotspots. Hopefully the arm repositories will be eventually
merged upstream now that RedHat is leading OpenJDK 8.
That said, sorry to side track the discussion, if anyone wants to
discuss openjdk-8 further I recommend doing that in a separated
thread. ;-)
--
Tiago Stürmer Daitx
Software Engineer
tiago.da...@canonical.com
PGP Key: 4096R/F5B213BE (hkp://keyserver.ubuntu.com)
Fingerprint = 45D0 FE5A 8109 1E91 866E 8CA4 1931 8D5E F5B2 13BE
