Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 10 Aug 2019 12:35:29 -0700
From:      Greg Lewis <glewis@eyesbeyond.com>
To:        Michael Osipov <1983-01-06@gmx.net>
Cc:        java@freebsd.org
Subject:   Re: RFC: Future of java/openjdk6 and java/openjdk7
Message-ID:  <20190810193529.GA38493@misty.eyesbeyond.com>
In-Reply-To: <22887160-4c94-9907-84f3-23fff562c239@gmx.net>
References:  <20190802014149.GA59118@misty.eyesbeyond.com> <935ee70b-0f6e-1813-25c3-ced836143e32@gmx.net> <20190810183901.GA76800@misty.eyesbeyond.com> <22887160-4c94-9907-84f3-23fff562c239@gmx.net>

next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, Aug 10, 2019 at 08:52:26PM +0200, Michael Osipov wrote:
> Am 2019-08-10 um 20:39 schrieb Greg Lewis:
> > On Fri, Aug 02, 2019 at 08:07:39AM +0200, Michael Osipov wrote:
> >> Am 2019-08-02 um 03:41 schrieb Greg Lewis:
> >>> Oracle ended official releases of JDK 7 in April of 2015, and JDK 6 even
> >>> earlier.  In the FreeBSD ports collection both java/openjdk6 and
> >>> java/openjdk7 have fallen out of maintenance and are considerably behind
> >>> in terms of updates (which likely include fixes for security
> >>> vulnerabilities).  In addition, openjdk6 will soon become unbuildable in
> >>> FreeBSD 12-STABLE based on
> >>>
> >>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=234792
> >>>
> >>> With OpenJDK 8 having been the default JDK for a number of years now,
> >>> OpenJDK 11 and 12 both being available (and soon 13) I would suggest
> >>> that both openjdk6 and openjdk7 be removed, along with any ports
> >>> depending explicitly on them(*) which are unable to be updated to use a
> >>> newer version.
> >>
> >> Being an Apache Maven PMC member and a happy FreeBSD user, we guarantee
> >> that the entire Maven stack runs on top of Java 7+, so I run all
> >> integration tests for all components I change on a regular basis on
> >> several BSD boxes (home, work) to test compat outside of the monotonic
> >> Windows/Linux world.
> >>
> >> Just because Oracle does not provide any binary packages for Java 7 it
> >> does not meean that it is not supported. There are a lot of vendors
> >> still providing Java 7 packages, e.g, Azul Systems, RHEL, HPE for HP-UX
> >> (Java SE 7 is supported till July 2022 and Java SE 8 is supported till
> >> March 2025) and likely others.
> >
> > Given this is the only response so far, I assume all are comfortable with
> > removing openjdk6 and I'm going to go ahead with that once the ports that
> > need upgrading have done so.
> >
> > With openjdk7, removing the port will not force you to remove the package
> > from your system.  I still have some older JDK ports on my desktop even
> > though they've been removed from the ports tree.  The problem with leaving
> > it in the tree is that it has security vulnerabilities with the current
> > version and no one has volunteered to update it to the latest version.
> >
> > My question then is whether that would work.  You leave the port on your
> > machine and/or build a local package of it prior to removal.  That should
> > be sufficient to use it for the lifecycle of the current FreeBSD release
> > and further without leaving a vulnerable port in the ports tree.
> 
> Well, I am not a huge fan of this because I cannot reproduce the build
> at any time -- making an OSS component virtually useless. I don't want
> to be dependent on others to produce it. I have gone through this with
> the "HP-UX Porting and Archive Centre" and abandoned all packages from
> them because they never brought there changes upstream and I was not
> really able to reproduce their builds.
> 
> To make a long story short, if you want to cut OpenJDK 7, perform a
> final update, announce the port as deprecated and remove it at some
> point. That would be fair deal. OpenJDK 6 is obsolete.

To reiterate, I am not planning on spending any time on openjdk7 since it
has been EoL for so long.  There are more important (IMO) uses of my time
in regards to newer versions.  I will however mark it as vulnerable and
to be removed within 3 months.  If someone with time and interest steps
up within that time span and produces an update then it can potentially
be kept for longer.

I'll do the same for openjdk6, but with a much shorter time span.  A
couple of weeks tops.

-- Greg



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20190810193529.GA38493>