RFC: Future of java/openjdk6 and java/openjdk7

Michael Osipov 1983-01-06 at gmx.net
Sat Aug 10 19:35:30 UTC 2019 

Am 2019-08-10 um 20:39 schrieb Greg Lewis:
> On Fri, Aug 02, 2019 at 08:07:39AM +0200, Michael Osipov wrote:
>> Am 2019-08-02 um 03:41 schrieb Greg Lewis:
>>> Oracle ended official releases of JDK 7 in April of 2015, and JDK 6 even
>>> earlier.  In the FreeBSD ports collection both java/openjdk6 and
>>> java/openjdk7 have fallen out of maintenance and are considerably behind
>>> in terms of updates (which likely include fixes for security
>>> vulnerabilities).  In addition, openjdk6 will soon become unbuildable in
>>> FreeBSD 12-STABLE based on
>>>
>>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=234792
>>>
>>> With OpenJDK 8 having been the default JDK for a number of years now,
>>> OpenJDK 11 and 12 both being available (and soon 13) I would suggest
>>> that both openjdk6 and openjdk7 be removed, along with any ports
>>> depending explicitly on them(*) which are unable to be updated to use a
>>> newer version.
>>
>> Being an Apache Maven PMC member and a happy FreeBSD user, we guarantee
>> that the entire Maven stack runs on top of Java 7+, so I run all
>> integration tests for all components I change on a regular basis on
>> several BSD boxes (home, work) to test compat outside of the monotonic
>> Windows/Linux world.
>>
>> Just because Oracle does not provide any binary packages for Java 7 it
>> does not meean that it is not supported. There are a lot of vendors
>> still providing Java 7 packages, e.g, Azul Systems, RHEL, HPE for HP-UX
>> (Java SE 7 is supported till July 2022 and Java SE 8 is supported till
>> March 2025) and likely others.
>
> Given this is the only response so far, I assume all are comfortable with
> removing openjdk6 and I'm going to go ahead with that once the ports that
> need upgrading have done so.
>
> With openjdk7, removing the port will not force you to remove the package
> from your system.  I still have some older JDK ports on my desktop even
> though they've been removed from the ports tree.  The problem with leaving
> it in the tree is that it has security vulnerabilities with the current
> version and no one has volunteered to update it to the latest version.
>
> My question then is whether that would work.  You leave the port on your
> machine and/or build a local package of it prior to removal.  That should
> be sufficient to use it for the lifecycle of the current FreeBSD release
> and further without leaving a vulnerable port in the ports tree.

Well, I am not a huge fan of this because I cannot reproduce the build
at any time -- making an OSS component virtually useless. I don't want
to be dependent on others to produce it. I have gone through this with
the "HP-UX Porting and Archive Centre" and abandoned all packages from
them because they never brought there changes upstream and I was not
really able to reproduce their builds.

To make a long story short, if you want to cut OpenJDK 7, perform a
final update, announce the port as deprecated and remove it at some
point. That would be fair deal. OpenJDK 6 is obsolete.

Regards,

Michael

More information about the freebsd-java mailing list