[Mageia-dev] Removal of sun java

Colin Guthrie mageia at colin.guthr.ie
Fri Mar 30 11:43:17 CEST 2012


'Twas brillig, and Guillaume Rousse at 30/03/12 10:17 did gyre and gimble:
> Using task-obsolete is fine:
> - its purpose is crystal-clear
> - if I don't want it, I don't install it
> 
> Adding an obsolete tag in openjdk to remove sun jdk now, for security
> concerns, whereas we had suffered a useless mess of at least four
> available java environments at once for years uselessly (except for
> blindly applying jpackage project practices), doesn't seem quite similar.

Well think of it this way (assuming I have the facts vaguely straight):

Forget about Cauldron and mga2

We're providing a known insecure version to mga1 users.

We need to find a way to update mga1 somehow right? Or do we want to
just abandon them?

Assuming we do not want to abandon them, what do we do? I'd suggest
shipping a new empty package that replaces it with a README.urpmi
telling them to go to Sun directly is the most responsible thing for us
to do. If they do not have a JRE installed, and they have packages that
require one, then they should be prompted to install e.g. openjdk to
satisfy package deps. That should work OK right?


Otherwise we're basically washing our hands of our users' security. This
isn't hand holding or taking away choice. It's about informing them and
being a socially responsible distributor.

I don't know why this is even a problem point for discussion.



Whatever is decided, the position on mga1 then just flows through
into mga2.

Col








-- 

Colin Guthrie
colin(at)mageia.org
http://colin.guthr.ie/

Day Job:
  Tribalogic Limited http://www.tribalogic.net/
Open Source:
  Mageia Contributor http://www.mageia.org/
  PulseAudio Hacker http://www.pulseaudio.org/
  Trac Hacker http://trac.edgewall.org/

