1 Nov 2024 |
emily | time flies. | 18:32:22 |
emily | actually no I played classic for like 5 minutes once before that. | 18:32:32 |
emily | the real old heads are the ones who played with the neon green leaves | 18:33:22 |
Tomodachi94 (they/them) | Looks like the only in-tree consumer of OracleJDK is javacard-devkit | 20:51:29 |
emily | which is some other proprietary Oracle stuff that hasn't been updated since it was added in 2019 | 21:02:04 |
emily | "Oracle has already released 3.0.5, but versions after 2.2.2 appear to be Windows-only." and was, um, a major version behind at that point? | 21:02:20 |
emily | I think we can kill it, but I'd assume it would work with OpenJDK too since I'm pretty sure our Oracle JDK is just an OpenJDK build without anything too fancy? | 21:02:49 |
Tomodachi94 (they/them) | I'll go ahead and PR a fix that makes it use the jre attribute, then another that drops the OracleJDKs | 23:53:54 |
Tomodachi94 (they/them) | I'll also try to find out whether java-devkit is even maintained, and drop it after the feature freeze | 23:54:45 |
Tomodachi94 (they/them) | * I'll also try to find out whether javacard-devkit is even maintained, and drop it after the feature freeze | 23:54:53 |
emily | fwiw the author has not contributed to NixOS all year | 23:54:54 |
emily | [In reply to @emilazy:matrix.org: "Oracle has already released 3.0.5, but versions after 2.2.2 appear to be Windows-only." and was, um, a major version behind at that point?] it's sort of definitionally unmaintained though given ^ | 23:55:06 |
Tomodachi94 (they/them) | Oh missed that, my bad | 23:55:23 |
emily | I just checked: looks like it's from 2006? | 23:56:04 |
emily | [In reply to @tomodachi94:matrix.org: I'll go ahead and PR a fix that makes it use the jre attribute, then another that drops the OracleJDKs] would you mind knownVulnerabilities-ing the Oracle JDKs on 24.05 too? no need to go CVE-hunting, can just say e.g. "Not updated for 4 years, many disclosed vulnerabilities" | 23:57:15 |
2 Nov 2024 |
Tomodachi94 (they/them) | [In reply to @emilazy:matrix.org: would you mind knownVulnerabilities-ing the Oracle JDKs on 24.05 too? no need to go CVE-hunting, can just say e.g. "Not updated for 4 years, many disclosed vulnerabilities"] Sure :) I'll do that first, then drop on master once it's merged | 00:13:28 |
Tomodachi94 (they/them) | Hmm, does anyone have a good link for the oraclejdk knownVulns entry? | 00:41:02 |
emily | https://openjdk.org/groups/vulnerability/advisories/ | 00:44:04 |
emily | I don't suggest trying to list every single applicable CVE, because there are so many | 00:44:22 |
Tomodachi94 (they/them) | Yes definitely, this should have been dropped a while ago afaict | 00:50:08 |
Tomodachi94 (they/them) | casually writes knownVulns entry with 50+ CVEs listed /joking | 00:50:52 |
| * emily requests changes – the convention is one CVE per entry | 00:51:08 |
Tomodachi94 (they/them) | Done at https://github.com/NixOS/nixpkgs/pull/353034 | 00:58:45 |
emily | hm, I'm pretty sure 8 and 11 are supported: https://endoflife.date/oracle-jdk | 00:59:55 |
emily | it's just that nobody has been updating ours | 01:00:17 |
emily | (and there is no reason to, because… it's just an OpenJDK build with a bad licence) | 01:00:36 |
emily | or maybe not for the free ones?? | 01:01:57 |
emily | it's Oracle so it's of course incomprehensible | 01:02:07 |
emily | https://www.oracle.com/uk/java/technologies/javase/javase8u211-later-archive-downloads.html 8u421 is available at least. | 01:03:19 |