2 Nov 2024 |
| * emily requests changes – the convention is one CVE per entry | 00:51:08 |
Tomodachi94 (they/them) | Done at https://github.com/NixOS/nixpkgs/pull/353034 | 00:58:45 |
emily | hm, I'm pretty sure 8 and 11 are supported: https://endoflife.date/oracle-jdk | 00:59:55 |
emily | it's just that nobody has been updating ours | 01:00:17 |
emily | (and there is no reason to, because… it's just an OpenJDK build with a bad licence) | 01:00:36 |
emily | or maybe not for the free ones?? | 01:01:57 |
emily | it's Oracle so it's of course incomprehensible | 01:02:07 |
emily | https://www.oracle.com/uk/java/technologies/javase/javase8u211-later-archive-downloads.html 8u421 is available at least. | 01:03:19 |
emily | (just a message nit, not a proposal to handle the situation differently) | 01:03:42 |
Tomodachi94 (they/them) | Hmm maybe we just drop it right away and leave 24.05 alone? | 01:11:26 |
Tomodachi94 (they/them) | I'll see if anyone on the Fediverse knows what's up with Oracle JDK | 01:13:18 |
emily | sorry, I'm a bit confused | 01:13:46 |
emily | there's nothing up with Oracle JDK except that it has a weird licence and is pointless to use since you can get OpenJDKs with normal licences | 01:13:59 |
emily | the problem with our package is that nobody has updated it with 2021, and clearly nobody will, and even if they would there's no reason for us to carry it since it's just a footgun to use it | 01:14:19 |
emily | * the problem with our package is that nobody has updated it since 2021, and clearly nobody will, and even if they would there's no reason for us to carry it since it's just a footgun to use it | 01:14:24 |
Tomodachi94 (they/them) | Oh, so it's OpenJDK with the Oracle nametag | 01:14:32 |
emily | it should definitely get knownVulnerabilities on 24.05, since it's unsafe to use | 01:14:33 |
emily | yeah | 01:14:36 |
emily | and a really onerous licence | 01:14:40 |
emily | there's basically no reason for it to exist beyond Oracle's business model of entrapping people into having to pay them money | 01:15:07 |
emily | in the past, we carried it for AArch64, apparently | 01:15:44 |
emily | per doc/languages-frameworks/java.section.md | 01:15:54 |
emily | which needs updating to reflect reality | 01:15:57 |
Tomodachi94 (they/them) | In reply to@emilazy:matrix.org it should definitely get knownVulnerabilities on 24.05, since it's unsafe to use So a message like "Oracle JDKs are unsafe to use and are unmaintained in Nixpkgs. OpenJDK provides a comparable implementation." ? | 01:18:19 |
emily | In reply to @emilazy:matrix.org would you mind knownVulnerabilities ing the Oracle JDKs on 24.05 too? no need to go CVE-hunting, can just say e.g. "Not updated for 4 years, many disclosed vulnerabilities" I would just go for something like this ^ with the URL | 01:19:46 |
emily | fine to say "use openjdk " too if you'd like | 01:19:53 |
emily | and then on master we can e.g. oraclejdk = throw "Oracle JDKs were removed as they had been unmaintained in Nixpkgs since 2021 and contained many known vulnerabilities; use `openjdk` instead"; | 01:20:37 |
emily | and we should update the docs too, but that's less pressing | 01:21:10 |
Tomodachi94 (they/them) | Tweaked wording as you suggested | 01:24:16 |
emily | LGTM :) | 01:25:48 |