Date:      Sat, 10 Aug 2019 11:39:01 -0700
From:      Greg Lewis <glewis@eyesbeyond.com>
To:        Michael Osipov <1983-01-06@gmx.net>
Cc:        java@freebsd.org
Subject:   Re: RFC: Future of java/openjdk6 and java/openjdk7
Message-ID:  <20190810183901.GA76800@misty.eyesbeyond.com>
In-Reply-To: <935ee70b-0f6e-1813-25c3-ced836143e32@gmx.net>
References:  <20190802014149.GA59118@misty.eyesbeyond.com> <935ee70b-0f6e-1813-25c3-ced836143e32@gmx.net>

On Fri, Aug 02, 2019 at 08:07:39AM +0200, Michael Osipov wrote:
> Am 2019-08-02 um 03:41 schrieb Greg Lewis:
> > Oracle ended official releases of JDK 7 in April of 2015, and JDK 6 even
> > earlier.  In the FreeBSD ports collection both java/openjdk6 and
> > java/openjdk7 have fallen out of maintenance and are considerably behind
> > in terms of updates (which likely include fixes for security
> > vulnerabilities).  In addition, openjdk6 will soon become unbuildable in
> > FreeBSD 12-STABLE based on
> >
> > https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=234792
> >
> > With OpenJDK 8 having been the default JDK for a number of years now,
> > OpenJDK 11 and 12 both being available (and soon 13) I would suggest
> > that both openjdk6 and openjdk7 be removed, along with any ports
> > depending explicitly on them(*) which are unable to be updated to use a
> > newer version.
> 
> Being an Apache Maven PMC member and a happy FreeBSD user, we guarantee
> that the entire Maven stack runs on top of Java 7+, so I run all
> integration tests for all components I change on a regular basis on
> several BSD boxes (home, work) to test compat outside of the monotonic
> Windows/Linux world.
> 
> Just because Oracle does not provide any binary packages for Java 7 it
> does not mean that it is not supported. There are a lot of vendors
> still providing Java 7 packages, e.g., Azul Systems, RHEL, HPE for HP-UX
> (Java SE 7 is supported till July 2022 and Java SE 8 is supported till
> March 2025) and likely others.

Given this is the only response so far, I assume all are comfortable with
removing openjdk6 and I'm going to go ahead with that once the ports that
need upgrading have done so.

With openjdk7, removing the port will not force you to remove the package
from your system.  I still have some older JDK ports on my desktop even
though they've been removed from the ports tree.  The problem with leaving
it in the tree is that it has security vulnerabilities with the current
version and no one has volunteered to update it to the latest version.

My question then is whether that would work.  You leave the port on your
machine and/or build a local package of it prior to removal.  That should
be sufficient to use it for the lifecycle of the current FreeBSD release
and further without leaving a vulnerable port in the ports tree.

-- Greg


