Bug#698108: java-package: diff for NMU version 0.50+nmu2

Niels Thykier niels at thykier.net
Tue Jan 15 07:48:59 UTC 2013


On 2013-01-15 00:57, David Prévot wrote:
> tags 698108 + patch
> thanks
> 
> Dear maintainer,
> 
> I've prepared an NMU for java-package (versioned as 0.50+nmu2) and
> uploaded it to DELAYED/2. Please feel free to tell me if I
> should delay it longer (or even if I should dcut it to 0-day, given the
> security matter).
> 
> If you prefer to fix it in another not intrusive way (not c1fb4d0), I'm
> happy to (quickly) sponsor your package too.
> 
> Regards.
> 
> David
> 
> [...]

Seems to me your patch will prevent anyone from using java-package on
the older Java7 binaries.  If we do remove this support because they are
infested with security issues making them unsuitable for anything at
all[1], I think it should have a nice little error message saying "Nope,
won't do this - That version is vulnerable/unsupported/$whatever".
  Just so people are aware it is a deliberate choice from "our" side and
not a buggy script crashing.  (Particularly people have been using it
with older versions before.  They might be surprised to see that
non-descriptive error message the reporter included in the original mail).

~Niels

[1] Something I would find entirely plausible at this point.



More information about the pkg-java-maintainers mailing list