RFC: Future of java/openjdk6 and java/openjdk7

Sat Aug 10 19:48:18 UTC 2019

Am 2019-08-10 um 21:35 schrieb Greg Lewis:
> On Sat, Aug 10, 2019 at 08:52:26PM +0200, Michael Osipov wrote:
>> Am 2019-08-10 um 20:39 schrieb Greg Lewis:
>>> On Fri, Aug 02, 2019 at 08:07:39AM +0200, Michael Osipov wrote:
>>>> Am 2019-08-02 um 03:41 schrieb Greg Lewis:
>>>>> Oracle ended official releases of JDK 7 in April of 2015, and JDK 6 even
>>>>> earlier.  In the FreeBSD ports collection both java/openjdk6 and
>>>>> java/openjdk7 have fallen out of maintenance and are considerably behind
>>>>> in terms of updates (which likely include fixes for security
>>>>> vulnerabilities).  In addition, openjdk6 will soon become unbuildable in
>>>>> FreeBSD 12-STABLE based on
>>>>>
>>>>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=234792
>>>>>
>>>>> With OpenJDK 8 having been the default JDK for a number of years now,
>>>>> OpenJDK 11 and 12 both being available (and soon 13) I would suggest
>>>>> that both openjdk6 and openjdk7 be removed, along with any ports
>>>>> depending explicitly on them(*) which are unable to be updated to use a
>>>>> newer version.
>>>>
>>>> Being an Apache Maven PMC member and a happy FreeBSD user, we guarantee
>>>> that the entire Maven stack runs on top of Java 7+, so I run all
>>>> integration tests for all components I change on a regular basis on
>>>> several BSD boxes (home, work) to test compat outside of the monotonic
>>>> Windows/Linux world.
>>>>
>>>> Just because Oracle does not provide any binary packages for Java 7 it
>>>> does not meean that it is not supported. There are a lot of vendors
>>>> still providing Java 7 packages, e.g, Azul Systems, RHEL, HPE for HP-UX
>>>> (Java SE 7 is supported till July 2022 and Java SE 8 is supported till
>>>> March 2025) and likely others.
>>>
>>> Given this is the only response so far, I assume all are comfortable with
>>> removing openjdk6 and I'm going to go ahead with that once the ports that
>>> need upgrading have done so.
>>>
>>> With openjdk7, removing the port will not force you to remove the package
>>> from your system.  I still have some older JDK ports on my desktop even
>>> though they've been removed from the ports tree.  The problem with leaving
>>> it in the tree is that it has security vulnerabilities with the current
>>> version and no one has volunteered to update it to the latest version.
>>>
>>> My question then is whether that would work.  You leave the port on your
>>> machine and/or build a local package of it prior to removal.  That should
>>> be sufficient to use it for the lifecycle of the current FreeBSD release
>>> and further without leaving a vulnerable port in the ports tree.
>>
>> Well, I am not a huge fan of this because I cannot reproduce the build
>> at any time -- making an OSS component virtually useless. I don't want
>> to be dependent on others to produce it. I have gone through this with
>> the "HP-UX Porting and Archive Centre" and abandoned all packages from
>> them because they never brought there changes upstream and I was not
>> really able to reproduce their builds.
>>
>> To make a long story short, if you want to cut OpenJDK 7, perform a
>> final update, announce the port as deprecated and remove it at some
>> point. That would be fair deal. OpenJDK 6 is obsolete.
>
> To reiterate, I am not planning on spending any time on openjdk7 since it
> has been EoL for so long.

Where is this EOL? I see regular changes here:
http://hg.openjdk.java.net/jdk7u/jdk7u/