Welcome to gambaru.de. Here is my monthly report that covers what I have been doing for Debian. If you're interested in Java, Games and LTS topics, this might be interesting for you.
- I could close a KDE specific startup bug in ace-of-penguins (#883707) thanks to the help of Esa Peuha.
- New upstream releases this month: springlobby, trackballs and freeciv.
- Bug fixes and package updates: foobillardplus (#892338, #889523), tuxpuck (#892349), micropolis-activity (RC #891338, #870761), beneath-a-steel-sky.
- I sponsored an NMU for Innocent de Marchi, xjig 2.4-14.1 and reviewed jpeces, a puzzle game written in Java for him.
- This was a rather quiet month for Debian Games. We still have a couple of open RC bugs due to the removal of obsolete Gnome 2 libraries. No progress in regard to last month.
- I spent most of my free time on Java packages because...OpenJDK 9 is now the default Java runtime environment in Debian! As of today I count 319 RC bugs (bugs with severity normal would be serious today as well) of which 227 are already resolved. That means one third of the Java team's packages have to be adjusted for the new OpenJDK version. Java 9 comes with a new module system called Jigsaw. Undoubtedly it represents a lot of new interesting ideas but it is also a major paradigm shift. For us mere packagers it means more work than any other version upgrade in the past. Let's say we are a handful of regular contributors (I'm generous) and we spend most of our time to stabilize the Java ecosystem in Debian to the point that we can build all of our packages again. Repeat for every new Debian release. Unfortunately not much time is actually spent on packaging new and cool applications or libraries unless they are strictly required to fix a specific Java 9 issue. It just doesn't feel right at the moment. Most upstreams are rather indifferent or relaxed when it comes to porting their applications to Java 9 because they still can use Java 8, so why can't we? They don't have to provide security support for five years and can make the switch to Java 9 much later. They can also cherry-pick certain versions of libraries whereas we have to ensure that everything works with one specific version of a library. But that's not all: Java 9 will not be shipped with Buster and we even aim for OpenJDK 11! Releases of OpenJDK will be more frequent from now on, expect a new release every six months, and there are certain versions which will receive extended security support like OpenJDK 11. One thing we can look forward to: Apparently more commercial features of Oracle JDK will be merged into OpenJDK and it appears the longterm goal is to make Oracle JDK and OpenJDK builds completely interchangeable. So maybe one day only one free software JDK for everything and everyone? I hope so.
- I worked on the following packages to address Java 9 or other bugs: activemq, snakeyaml, libjchart2d-java, jackson-dataformat-yaml, jboss-threads, jboss-logmanager, jboss-logging-tools, qdox2, wildfly-common, activemq-activeio, jackson-datatype-joda, antlr, axis, libitext5-java, libitext1-java, libitext-java, jedit, conversant-disruptor, beansbinding, cglib, undertow, entagged, jackson-databind, libslf4j-java, proguard, libhtmlparser-java, libjackson-json-java and sweethome3d (patch by Emmanuel Bourg)
- New upstream versions: jboss-threads, okio, libokhttp-java, snakeyaml, robocode.
- I NMUed jtb and applied a patch from Tiago Stürmer Daitx.
- From 19.03.2018 until 25.03.2018 I was in charge of our LTS frontdesk. I investigated and triaged CVE in imagemagick, libvirt, freeplane, exempi, calibre, gpac, ipython, binutils, libraw, memcached, mosquitto, sdl-image1.2, slurm-llnl, graphicsmagick, libslf4j-java, radare2, sam2p, net-snmp, apache2, ldap-account-manager, librelp, ruby-rack-protection, libvncserver, zsh and xerces-c.
- DLA-1310-1. Issued a security update for exempi fixing 6 CVE.
- DLA-1315-1. Issued a security update for libvirt fixing 2 CVE.
- DLA-1316-1. Issued a security update for freeplane fixing 1 CVE.
- DLA-1322-1. Issued a security update for graphicsmagick fixing 6 CVE.
- DLA-1325-1. Issued a security update for drupal7 fixing 1 CVE.
- DLA-1326-1. Issued a security update for php5 fixing 1 CVE.
- DLA-1328-1. Issued a security update for xerces-c fixing 1 CVE.
- DLA-1335-1. Issued a security update for zsh fixing 2 CVE.
- DLA-1340-1. Issued a security update for sam2p fixing 5 CVE. I also prepared a security update for Jessie. (#895144)
- DLA-1341-1. Issued a security update for sdl-image1.2 fixing 6 CVE.
- I triaged all open bugs in imlib2 and forwarded the issues upstream. The current developer of imlib2 was very responsive and helpful. Thanks to Kim Woelders several longstanding bugs could be fixed.
- There was also a new upstream release for xarchiver. Check it out!
Thanks for reading and see you next time.