F22 System Wide Change: Legacy implementations of the Java platform in Fedora

Jiri Vanek jvanek at redhat.com
Thu Feb 26 08:06:06 UTC 2015


On 02/24/2015 06:22 PM, Mikolaj Izdebski wrote:
> On 02/24/2015 05:21 PM, Mario Torre wrote:
>> On Tue, 2015-02-24 at 15:37 +0100, Mikolaj Izdebski wrote:
>>> On 02/24/2015 02:15 PM, Jiri Vanek wrote:
>>>> On 02/24/2015 12:43 PM, Mikolaj Izdebski wrote:
>>>>> I am against official guidelines or policy for legacy JDK packages. I
>>>>> don't think that any such policy is needed and it would only encourage
>>>>> adoption of old packages for which there might be no security updates.
>>>>
>>>> Well thats the point - people are calling for them. And wont to maintain
>>>> them with this risk.
>>>
>>> I thought that the point of this change proposal was "enabling community
>>> to maintain legacy JDKs", not encouraging people to package them without
>>> good reason or without involvement to truly maintaining them. Packaging
>>> older JDKs is *already* possible, so IMHO this change accomplishes
>>> nothing but showing people how they can dump old, unmaintained software
>>> into Fedora.
>>
>> Well, in this case it would not be un-maintained, the Fedora package
>> would *not* be maintained *by us* (the Red Hat Java Team) indeed, but we
>> are still actively contributing to the upstream software in its various
>> versions. While you as a packager cannot specifically count on that,
>> there's still a level of confidence that the base software won't be
>> abandoned any time soon. And even when we will stop supporting those
>> older versions, the community will take over if there is a need for
>> that, exactly like we have done ourselves before.
>>
>> Indeed, there's an overhead for the downstream maintainers, we may need
>> to drop specific version of OpenJDK, or skip a release, or do other
>> funny things and the Fedora maintainers will have to adapt, but this is
>> no different than usual I believe. Realistically, we are so conservative
>> with older JDKs that I doubt this will ever really be an issue.
>
> Correct me if I am wrong, but in my understanding maintaining JDK
> package requires a lot of ongoing work (including obtaining and applying

Here you are right,

> patches, running TCK, pushing updates in timely manner and so on). JDK
> maintainers should know this and I'm assuming that the amount of
> required work is the main reason for them not wanting to maintain older
> JDKs.


I would say here you are not. No one will force the legacy jdks to be uodated. And afaik there will 
be no need to do it somehow furiously.

Keeping package of EOLed programis actually most simple thing... (unles it FBfS and die by naturalk 
death)

>
> The work required to add old JDK package to Fedora is relatively small
> compared to ongoing maintenance work. Someone willing to truly maintain
> JDK in Fedora should have knowledge about JDK packaging and they
> shouldn't have problem finding time to come up with a working solution,
> proposing and discussing it.
>
> If you make the process of adding legacy JDKs to Fedora too easy then
> someone without enough time and required knowledge will surely do that

Thats not an intention of the proposal.
But the need to highlight that regular review can not appy to java packages was necessary.

> and we may easily end with unmaintained package. I'd rather not have old
> JDK than have unmaintained JDK with security holes.

There is no workaround for human factor.
>
>>> Package that doesn't pass review shouldn't be part of Fedora.
>>
>> Well, if your goal is to reduce the user base of Fedora, I'm sure we can
>> talk about removing the JDK :)
>
> We can't sacrifice our basic principles (such as passing review) for the
> sake of increasing user base.
>

As told, it is not it. But java packages will not never ever pass regular review. And in adition the 
legacy ones will probably need to follow even more rules (aka this proposal...)

J.



More information about the devel mailing list