Well, Manjaro adds 2 extra layers on top of Arch. So Arch reports security issues, fixes some of them, and depending on the risk Manjaro is recompiling them as needed / if possible to other branches like testing and stable.
Pulling them only from Arch into our unstable branch only fixes the issues there.
If there is any fix it needs to be verified by someone. So security experts are needed. Canonical employs those in a team. Arch has only a team of volunteers, which may delay things. Arch is also a do-it-yourself distribution. So in the end you're the admin of your system.
no offence, your problem is expecting everything from once-prime projects that now sport the open* moniker, abandoned after mergers by those who were least bothered to keep the open part of it. the paid closed-source oracle version is the only one with proper housekeeping.
and before saying this and that distro should be like, please do your research to find where it is at now with the others. from the rolling distros i know, only alpine, gentoo and solus have managed to update to something at least close to the supposedly latest, with most of them beta.
It's hard to keep manual updates for many machines, especially hot security updates that fix high risk bugs, while the distro is keeping an old version of it.
Removing a package because the distro doesn't provide the suitable hot updates is not the solution; that package is still used by many heavy business apps that require it for running.
That can be true, but a regular user might not need JDK8 preinstalled, which is just true for our XFCE install. So removing or changing it to JDK17 is recommended.
Some apps like Steam may need openssl-1.0, which is out of support for years. This task shows again that the wider community made the extra effort to provide the needed PKGBUILD changes based on the work of Canonical and others to backport fixes as needed, even when those are only available for premium users. To me it seems that the maintainer of the package might either update or not.
Seems people who still use those libs are at least able to fix it, if they apply the patches themselves …
i'm sorry, what sort of environment with multiple boxes are you talking about?
in case yours is alike, you've made wrong choices all over. anyone with a remote possibility of running a semi or production level environment will not choose:
manjaro unstable (or even stable) updated by a user to get the latest security patches; this applies not just to open-jdk but to any package, for stability's sake.
expecting the latest hot fixes from OSS teams that are overburdened/underfunded is a big security lapse by whoever is making security decisions at your place. don't get me wrong, there are those orgs like the apache foundation which are reasonably funded by IBM, but manjaro/arch/openJDK are not.
i'm no security expert but i wouldn't expect anything short of an enterprise grade host solution with support with oracle jdk to meet your expectations.
It's just a small number of machines where a JavaFX app using JRE8 needs to be installed. It's impossible to run it on JRE11 or 17 because it uses many libraries that rely on JRE8. I was using Ubuntu for that, so I'm trying to test the possibility with Manjaro because I'm using it for over two years on my personal laptop, so I thought it would work and pull the latest upgrades without any problem, and I anticipated it to work better than Ubuntu in that matter. But I'm blocked now because all machines are connected to the internet and the risk of running unpatched JRE8 is high. There is no need for paid support because now even Oracle JDK is provided free to all users, and OpenJDK is leading Java development and funded by many big companies.
Another one might be: It took almost 5 months since it was flagged out of date even though there were open security issues with the packaged older version.
Well, for those having an issue open already, a comment might help to get some notice out. Openssl-1.0 is such a package with low interest, but patches are provided.
I meant he opened his issue on Arch, it got noticed, and updated, less than 10 hours later.
I will even give you one more: there now is a package with new vulnerabilities already known.
Maybe the package was flagged out of date for a long time, but I guess there are limited resources, limited time, limited people to manage all of Arch, and things need to be prioritized, and probably this old package didn't get a lot of attention because it is an old version of a package not widely used in the system. Probably the issue opened today, and specifically the list of CVEs, was the thing that made people look at it and update the package.
Well, I for one was happily surprised when I discovered that JDK8 was pre-installed in my Manjaro Xfce. It's not that I necessarily need JDK8, but I like to use LibreOffice Writer in combination with the LanguageTool add-on, and this add-on needs Java 8 or later. Under Ubuntu and Ubuntu Budgie I always had to install Java myself. Under Manjaro this was not necessary, and therefore a fine thing for me.
However, a general question: Is it generally recommended for simple end users like me to replace jdk8-openjdk with jdk-openjdk?
Something like that went through my head as well, but as Yochanan quoted: Arch rules say one shouldn't open bug reports for outdated packages.
I guess OP (and all jdk8 users) got lucky this time and I'm happy for them.
Time will tell, if this works in other similar situations as well.