F22 System Wide Change: Legacy implementations of the Java platform in Fedora

Mikolaj Izdebski mizdebsk at redhat.com
Tue Feb 24 17:22:03 UTC 2015 

On 02/24/2015 05:21 PM, Mario Torre wrote:
> On Tue, 2015-02-24 at 15:37 +0100, Mikolaj Izdebski wrote:
>> On 02/24/2015 02:15 PM, Jiri Vanek wrote:
>>> On 02/24/2015 12:43 PM, Mikolaj Izdebski wrote:
>>>> I am against official guidelines or policy for legacy JDK packages. I
>>>> don't think that any such policy is needed and it would only encourage
>>>> adoption of old packages for which there might be no security updates.
>>>
>>> Well thats the point - people are calling for them. And wont to maintain
>>> them with this risk.
>>
>> I thought that the point of this change proposal was "enabling community
>> to maintain legacy JDKs", not encouraging people to package them without
>> good reason or without involvement to truly maintaining them. Packaging
>> older JDKs is *already* possible, so IMHO this change accomplishes
>> nothing but showing people how they can dump old, unmaintained software
>> into Fedora.
> 
> Well, in this case it would not be un-maintained, the Fedora package
> would *not* be maintained *by us* (the Red Hat Java Team) indeed, but we
> are still actively contributing to the upstream software in its various
> versions. While you as a packager cannot specifically count on that,
> there's still a level of confidence that the base software won't be
> abandoned any time soon. And even when we will stop supporting those
> older versions, the community will take over if there is a need for
> that, exactly like we have done ourselves before.
> 
> Indeed, there's an overhead for the downstream maintainers, we may need
> to drop specific version of OpenJDK, or skip a release, or do other
> funny things and the Fedora maintainers will have to adapt, but this is
> no different than usual I believe. Realistically, we are so conservative
> with older JDKs that I doubt this will ever really be an issue.

Correct me if I am wrong, but in my understanding maintaining JDK
package requires a lot of ongoing work (including obtaining and applying
patches, running TCK, pushing updates in timely manner and so on). JDK
maintainers should know this and I'm assuming that the amount of
required work is the main reason for them not wanting to maintain older
JDKs.

The work required to add old JDK package to Fedora is relatively small
compared to ongoing maintenance work. Someone willing to truly maintain
JDK in Fedora should have knowledge about JDK packaging and they
shouldn't have problem finding time to come up with a working solution,
proposing and discussing it.

If you make the process of adding legacy JDKs to Fedora too easy then
someone without enough time and required knowledge will surely do that
and we may easily end with unmaintained package. I'd rather not have old
JDK than have unmaintained JDK with security holes.

>> Package that doesn't pass review shouldn't be part of Fedora.
> 
> Well, if your goal is to reduce the user base of Fedora, I'm sure we can
> talk about removing the JDK :)

We can't sacrifice our basic principles (such as passing review) for the
sake of increasing user base.

-- 
Mikolaj Izdebski
Software Engineer, Red Hat
IRC: mizdebsk

More information about the devel mailing list