Backport of #43811 jdk updates (help needed) #43842
We can keep it, but mark it as insecure.
oraclejdk: 10.0.1 -> 10.0.2 [Critical security fixes] (cherry picked from commit defa760)
I've constrained this to 10.0.1 -> 10.0.2 since I'm not sure how to deal with the insecure mark.
I'm referring to
Right, I know about the option, but the way the oraclejdks are set up, this would require duplicating the content of the general package since it has no meta parameterization or passthrough.
@andir any opinions here? I think it's still important to get this into 18.03 before it's EOL'd completely.
@samueldr thanks for the ping. We should definitely get the fixes in to 18.03. @srhb How about just changing the PSU release to something like shown below? It is probably not the prettiest we could come up with but that should get the job done.

```nix
{ callPackage, ... }@_args:

let
  # Import the shared JDK expression with this release's version and hashes
  drv = import ./jdk-linux-base.nix {
    productVersion = "8";
    patchVersion = "172";
    downloadUrl = http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html;
    sha256.i686-linux = "0csskx8xis0dr1948j76fgrwwsj4gzdbjqfi7if4v4j62b9i0hqa";
    sha256.x86_64-linux = "0inkx73rwv7cvn9lqcr3hmnm0sr89h1fh29yamikb4dn02a0p818";
    sha256.armv7l-linux = "1576cb0rlc42dsnmh388gy1wjas7ac6g135s8h74x8sm4b56qpln";
    sha256.aarch64-linux = "0zpkmq8zxmpifawj611fg67srki63haz02rm6xwfc5qm2lxx5g6s";
    jceName = "jce_policy-8.zip";
    jceDownloadUrl = http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html;
    sha256JCE = "0n8b6b8qmwb14lllk2lk1q1ahd3za9fnjigz5xn65mpg48whl0pk";
  };
  # Drop callPackage so only the remaining arguments are passed on
  args = removeAttrs _args ["callPackage"];
in
  # Override meta so the package is flagged as insecure (placeholder CVE id)
  (callPackage drv args).overrideAttrs (attrs: {
    meta = attrs.meta // {
      knownVulnerabilities = [ "CVE-XXX-YYYYY" ];
    };
  })
```
Thanks @andir, I had something similar but was unable to test it since Oracle's website apparently has some draconic requirements before you can even get at the archived versions. I propose clicking the button and getting the 10.0.1 -> 10.0.2 bump done and raising a separate issue for marking the psu release insecure. I'll leave oracle backports to others in the future to avoid similar hold-ups. Apologies. :)
Backport of parts of #43811
oraclejdk: 10.0.1 -> 10.0.2 [Critical security fixes]
(cherry picked from commit defa760)
Motivation for this change
I am unsure what the correct approach is here. From the release notes, it seems like we should drop the oraclejdk8psu_distro entirely, but is that a sensible thing to do on our stable branch?
Opinions wanted. :-)