| 2 Nov 2024 |
 Tomodachi94 (they/them) | Hmm maybe we just drop it right away and leave 24.05 alone? | 01:11:26 |
| Tomodachi94 (they/them) | I'll see if anyone on the Fediverse knows what's up with Oracle JDK | 01:13:18 |
 emily | sorry, I'm a bit confused | 01:13:46 |
| emily | there's nothing up with Oracle JDK except that it has a weird licence and is pointless to use since you can get OpenJDKs with normal licences | 01:13:59 |
| emily | the problem with our package is that nobody has updated it with 2021, and clearly nobody will, and even if they would there's no reason for us to carry it since it's just a footgun to use it | 01:14:19 |
| emily | * the problem with our package is that nobody has updated it since 2021, and clearly nobody will, and even if they would there's no reason for us to carry it since it's just a footgun to use it | 01:14:24 |
| Tomodachi94 (they/them) | Oh, so it's OpenJDK with the Oracle nametag | 01:14:32 |
| emily | it should definitely get knownVulnerabilities on 24.05, since it's unsafe to use | 01:14:33 |
| emily | yeah | 01:14:36 |
| emily | and a really onerous licence | 01:14:40 |
| emily | there's basically no reason for it to exist beyond Oracle's business model of entrapping people into having to pay them money | 01:15:07 |
| emily | in the past, we carried it for AArch64, apparently | 01:15:44 |
| emily | per doc/languages-frameworks/java.section.md | 01:15:54 |
| emily | which needs updating to reflect reality | 01:15:57 |
| Tomodachi94 (they/them) | In reply to@emilazy:matrix.org
it should definitely get knownVulnerabilities on 24.05, since it's unsafe to use So a message like "Oracle JDKs are unsafe to use and are unmaintained in Nixpkgs. OpenJDK provides a comparable implementation." ? | 01:18:19 |
| emily | In reply to @emilazy:matrix.org
would you mind knownVulnerabilitiesing the Oracle JDKs on 24.05 too? no need to go CVE-hunting, can just say e.g. "Not updated for 4 years, many disclosed vulnerabilities" I would just go for something like this ^ with the URL | 01:19:46 |
| emily | fine to say "use openjdk" too if you'd like | 01:19:53 |
| emily | and then on master we can e.g. oraclejdk = throw "Oracle JDKs were removed as they had been unmaintained in Nixpkgs since 2021 and contained many known vulnerabilities; use `openjdk` instead"; | 01:20:37 |
| emily | and we should update the docs too, but that's less pressing | 01:21:10 |
| Tomodachi94 (they/them) | Tweaked wording as you suggested | 01:24:16 |
| emily | LGTM :) | 01:25:48 |
| emily | will merge once nixpkgs-vet passes | 01:26:28 |
| emily | uh wow, javacard-devkit is i686-linux | 01:27:28 |
| Tomodachi94 (they/them) | Wtf | 01:27:42 |
| emily | does it like, actually run? | 01:27:42 |
| Tomodachi94 (they/them) | Only one way to find out 😉 does anyone have an i686 machine running Nix? | 01:28:17 |
| emily | you don't need it, the package will work on x86-64 | 01:28:38 |
| Tomodachi94 (they/them) | Oh oops | 01:28:46 |
| emily | (we don't support hosting a full NixOS on i686-linux) | 01:28:54 |
| Tomodachi94 (they/them) | Is it even technically restricted to i686 if it's a JAR? 😉 | 01:30:32 |
