| 1 Nov 2024 |
emily | In reply to @tomodachi94:matrix.org "I'll go ahead and PR a fix that makes it use the jre attribute, then another that drops the OracleJDKs" — would you mind knownVulnerabilitiesing the Oracle JDKs on 24.05 too? no need to go CVE-hunting, can just say e.g. "Not updated for 4 years, many disclosed vulnerabilities" | 23:57:15 |
| 2 Nov 2024 |
Tomodachi94 (they/them) | In reply to @emilazy:matrix.org "would you mind knownVulnerabilitiesing the Oracle JDKs on 24.05 too? no need to go CVE-hunting, can just say e.g. "Not updated for 4 years, many disclosed vulnerabilities"" — Sure :) I'll do that first, then drop on master once it's merged | 00:13:28 |
| Toma joined the room. | 00:34:39 |
Tomodachi94 (they/them) | Hmm, does anyone have a good link for the oraclejdk knownVulns entry? | 00:41:02 |
emily | https://openjdk.org/groups/vulnerability/advisories/ | 00:44:04 |
emily | I don't suggest trying to list every single applicable CVE, because there are so many | 00:44:22 |
Tomodachi94 (they/them) | Yes definitely, this should have been dropped a while ago afaict | 00:50:08 |
Tomodachi94 (they/them) | casually writes knownVulns entry with 50+ CVEs listed /joking | 00:50:52 |
| * emily requests changes – the convention is one CVE per entry | 00:51:08 |
Tomodachi94 (they/them) | Done at https://github.com/NixOS/nixpkgs/pull/353034 | 00:58:45 |
emily | hm, I'm pretty sure 8 and 11 are supported: https://endoflife.date/oracle-jdk | 00:59:55 |
emily | it's just that nobody has been updating ours | 01:00:17 |
emily | (and there is no reason to, because… it's just an OpenJDK build with a bad licence) | 01:00:36 |
emily | or maybe not for the free ones?? | 01:01:57 |
emily | it's Oracle so it's of course incomprehensible | 01:02:07 |
emily | https://www.oracle.com/uk/java/technologies/javase/javase8u211-later-archive-downloads.html 8u421 is available at least. | 01:03:19 |
emily | (just a message nit, not a proposal to handle the situation differently) | 01:03:42 |
Tomodachi94 (they/them) | Hmm maybe we just drop it right away and leave 24.05 alone? | 01:11:26 |
Tomodachi94 (they/them) | I'll see if anyone on the Fediverse knows what's up with Oracle JDK | 01:13:18 |
emily | sorry, I'm a bit confused | 01:13:46 |
emily | there's nothing up with Oracle JDK except that it has a weird licence and is pointless to use since you can get OpenJDKs with normal licences | 01:13:59 |
emily | the problem with our package is that nobody has updated it with 2021, and clearly nobody will, and even if they would there's no reason for us to carry it since it's just a footgun to use it | 01:14:19 |
emily | * the problem with our package is that nobody has updated it since 2021, and clearly nobody will, and even if they would there's no reason for us to carry it since it's just a footgun to use it | 01:14:24 |
Tomodachi94 (they/them) | Oh, so it's OpenJDK with the Oracle nametag | 01:14:32 |
emily | it should definitely get knownVulnerabilities on 24.05, since it's unsafe to use | 01:14:33 |
emily | yeah | 01:14:36 |
emily | and a really onerous licence | 01:14:40 |
emily | there's basically no reason for it to exist beyond Oracle's business model of entrapping people into having to pay them money | 01:15:07 |
emily | in the past, we carried it for AArch64, apparently | 01:15:44 |
emily | per doc/languages-frameworks/java.section.md | 01:15:54 |