Am 19.11.2015 um 21:45 schrieb Moritz Mühlenhoff: [...] > Another package which needs to be sorted out is the support for > Java. wheezy has both openjdk-6 and openjdk-7 (jessie has only > -7 and stretch will also only have one version). > > Currently the maintenance heavily relies on the gruntwork done > by Matthias Klose (and recently indirectly Tiago St�rmer Daitx): > The unstable releases are backported. > > It needs to be sorted with them out how long these openjdk-6 > uploads will be available in experimental (and how long upstream > support in icedtea will happen). Otherwise it might make more > sense to only support openjdk-7 in Debian LTS. Some rdeps in > wheezy will not allow that, but I think most people use openjdk > to run external java apps and not the Java apps packaged in > Debian (with maybe Tomcat as the exception). >
Hi, I believe Debian Java is more than just OpenJDK and Tomcat and it is rather discouraging to read that "most people use openjdk to run external java apps and not the Java apps packaged in Debian". The Debian Java team alone maintains about 900 source packages and according to popcon there are several packages besides Tomcat with a significant user base. I suggest to keep the Java team involved when it comes to security support in LTS releases, so that we can help to identify important packages and sort things out. There are some Java packages which have no security implications at all (API packages) and others that deserve more attention and where we gladly accept help from the (LTS-) security team. I think I am not the only one who is interested in improving the security support for Java packages but we should really discuss this together. For what it's worth security support for OpenJDK 6 can be dropped at some time during Wheezy LTS. It is sensible to advise users to switch to OpenJDK 7 then. Most packages should continue to work because they were compiled against version 5 anyway. Regards, Markus
signature.asc
Description: OpenPGP digital signature
