Date: Sat, 10 Aug 2019 20:52:26 +0200 From: Michael Osipov <1983-01-06@gmx.net> To: Greg Lewis <glewis@eyesbeyond.com> Cc: java@freebsd.org Subject: Re: RFC: Future of java/openjdk6 and java/openjdk7 Message-ID: <22887160-4c94-9907-84f3-23fff562c239@gmx.net> In-Reply-To: <20190810183901.GA76800@misty.eyesbeyond.com> References: <20190802014149.GA59118@misty.eyesbeyond.com> <935ee70b-0f6e-1813-25c3-ced836143e32@gmx.net> <20190810183901.GA76800@misty.eyesbeyond.com>
next in thread | previous in thread | raw e-mail | index | archive | help
Am 2019-08-10 um 20:39 schrieb Greg Lewis: > On Fri, Aug 02, 2019 at 08:07:39AM +0200, Michael Osipov wrote: >> Am 2019-08-02 um 03:41 schrieb Greg Lewis: >>> Oracle ended official releases of JDK 7 in April of 2015, and JDK 6 ev= en >>> earlier. In the FreeBSD ports collection both java/openjdk6 and >>> java/openjdk7 have fallen out of maintenance and are considerably behi= nd >>> in terms of updates (which likely include fixes for security >>> vulnerabilities). In addition, openjdk6 will soon become unbuildable = in >>> FreeBSD 12-STABLE based on >>> >>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D234792 >>> >>> With OpenJDK 8 having been the default JDK for a number of years now, >>> OpenJDK 11 and 12 both being available (and soon 13) I would suggest >>> that both openjdk6 and openjdk7 be removed, along with any ports >>> depending explicitly on them(*) which are unable to be updated to use = a >>> newer version. >> >> Being an Apache Maven PMC member and a happy FreeBSD user, we guarantee >> that the entire Maven stack runs on top of Java 7+, so I run all >> integration tests for all components I change on a regular basis on >> several BSD boxes (home, work) to test compat outside of the monotonic >> Windows/Linux world. >> >> Just because Oracle does not provide any binary packages for Java 7 it >> does not meean that it is not supported. There are a lot of vendors >> still providing Java 7 packages, e.g, Azul Systems, RHEL, HPE for HP-UX >> (Java SE 7 is supported till July 2022 and Java SE 8 is supported till >> March 2025) and likely others. > > Given this is the only response so far, I assume all are comfortable wit= h > removing openjdk6 and I'm going to go ahead with that once the ports tha= t > need upgrading have done so. > > With openjdk7, removing the port will not force you to remove the packag= e > from your system. I still have some older JDK ports on my desktop even > though they've been removed from the ports tree. The problem with leavi= ng > it in the tree is that it has security vulnerabilities with the current > version and no one has volunteered to update it to the latest version. > > My question then is whether that would work. You leave the port on your > machine and/or build a local package of it prior to removal. That shoul= d > be sufficient to use it for the lifecycle of the current FreeBSD release > and further without leaving a vulnerable port in the ports tree. Well, I am not a huge fan of this because I cannot reproduce the build at any time -- making an OSS component virtually useless. I don't want to be dependent on others to produce it. I have gone through this with the "HP-UX Porting and Archive Centre" and abandoned all packages from them because they never brought there changes upstream and I was not really able to reproduce their builds. To make a long story short, if you want to cut OpenJDK 7, perform a final update, announce the port as deprecated and remove it at some point. That would be fair deal. OpenJDK 6 is obsolete. Regards, Michael
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?22887160-4c94-9907-84f3-23fff562c239>