Changing the IcedTea Release Policy

Andrew Hughes gnu.andrew at redhat.com
Wed Apr 9 22:03:26 UTC 2014 

At present, the IcedTea policy is to maintain two releases per OpenJDK
version.  Currently, this means maintaining the 1.12.x & 1.13.x series
for OpenJDK 6 and the 2.3.x & 2.4.x series for OpenJDK 7.
 
This is already proving to be a significant workload, especially as the
frequency and quantity of security patches has seen a notable increase
over the last year and there are still no upstream security source
releases.  With OpenJDK 8 now entering into the equation, it
seems unlikely we can continue to maintain so many versions, which will
increase to six, and even more when we are transitioning from one to another.
 
There's also the issue that it's not always possible to backport all
patches, particularly with regard to those applying to HotSpot.  Our
recent 2.3 releases [0] has already run into problems due to the
differences between HotSpot 23 and 24, and we've been lucky to
maintain HotSpot 20 in OpenJDK 6 as long as we have.
 
In light of this, we will be switching to maintaining just one release
per OpenJDK version, reducing the load from 4 (soon to be 6) to just
2 (soon to be 3).  There will continue to be a brief transition phase,
as has just occurred with 1.11.x, meaning that there would be one further
security update for the previous release, following a new major release.
 
For example, the current plan is as follows:
 
* April 2014: Security updates released for 1.13.x and 2.4.x
* May 2014: 2.5.0 released as u60 reaches general availability
* July 2014: Security updates released for 1.13.x, 2.4.x and 2.5.x
* October 2014: Security updates released for 1.13.x and 2.5.x.

1.11.x, 1.12.x and 2.3.x have all been updated for the last security
update (January 2014). There will now be no further updates to these and
they will become obsolete with the next security release, scheduled for
the 15th of April, 2014. [1]
 
Of course, if anyone wishes to continue to maintain additional releases, they
are more than welcome to do so.
 
[0] http://bitly.com/1fZgDGL
[1] http://www.oracle.com/technetwork/topics/security/alerts-086861.html
 
Thanks,
--
Andrew :)
 
Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

PGP Key: 248BDC07 (https://keys.indymedia.org/)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F  8F91 3B96 A578 248B DC07

More information about the distro-pkg-dev mailing list