Can't Manjaro outperform Arch and provide updates for high-risk packages?

No offence, but your problem is expecting everything from once-prime projects that now sport the open* moniker, abandoned after mergers that were least bothered to keep the open part of it. The paid, closed-source Oracle version is the only one with proper housekeeping.

And before saying what this or that distro should be like, please do your research to find where it is at now compared with the others. Of the rolling distros I know, only Alpine, Gentoo and Solus have managed to update to something at least close to the supposedly latest, with most of them beta.

https://repology.org/project/openjdk/versions

1 Like

There is no specific Java release for a specific Linux distro; each update is released for any 64-bit Linux distro.

I fail to see your problem. If you have your desired binaries for any distro, what's keeping you from using them, rather than expecting the distro to deliver it?

It's hard to keep manual updates for many machines, especially hot security updates that fix high-risk bugs, while the distro is keeping an old version of it.

Java is more or less an optional dependency and can be removed from your system. On my end it would look like this:

[phil@development community]$ export LANG=C
[phil@development community]$ pacman -Qi jdk8-openjdk
Name            : jdk8-openjdk
Version         : 8.u292-1
Description     : OpenJDK Java 8 development kit
Architecture    : x86_64
URL             : https://openjdk.java.net/
Licenses        : custom
Groups          : None
Provides        : java-environment=8  java-environment-openjdk=8
Depends On      : java-environment-common  jre8-openjdk=8.u292-1
Optional Deps   : None
Required By     : None
Optional For    : libreoffice-fresh  subversion
Conflicts With  : None
Replaces        : jdk8-openjdk-wm
Installed Size  : 38,32 MiB
Packager        : Allan McRae <allan@archlinux.org>
Build Date      : Sa 24 Apr 2021 03:44:11 CEST
Install Date    : Sa 24 Apr 2021 09:21:01 CEST
Install Reason  : Explicitly installed
Install Script  : Yes
Validated By    : Signature

Since it was explicitly installed, we have to check why …

2 Likes

Removing a package because the distro doesn't provide the suitable hot updates is not the solution; that package is still used by many heavy business apps that require it to run.

That can be true, but a regular user might not need JDK8 preinstalled, which is just true for our XFCE install. So removing or changing it to JDK17 is recommended.

Some apps like Steam may need openssl-1.0, which has been out of support for years. This task shows again that the wider community made the extra effort to provide the needed PKGBUILD changes, based on the work of Canonical and others, to backport fixes as needed, even when those are only available for premium users. To me it seems that the maintainer of the package might either update or not.

Seems people who still use those libs are at least able to fix it, if they apply the patches themselves …

2 Likes

I'm sorry, what sort of environment with multiple boxes are you talking about?

In case yours is alike, you've made wrong choices all over. Anyone with the remotest possibility of running a semi- or production-level environment will not choose:

  • Manjaro unstable (or even stable) updated by a user to get the latest security patches; this applies not just to OpenJDK but to any package, for stability's sake.
  • Expecting the latest hot fixes from overburdened/underfunded OSS teams is a big security lapse by whoever is making security decisions at your place. Don't get me wrong, there are orgs like the Apache Foundation which are reasonably funded by IBM, but Manjaro/Arch/OpenJDK are not.

I'm no security expert, but I wouldn't expect anything short of an enterprise-grade host solution with support, with Oracle JDK, to meet your expectations.

over and out

PSSST: B.T.W.: There's no such thing. It's just "out."

It's just a small number of machines where a JavaFX app using JRE8 needs to be installed. It's impossible to run it on JRE11 or 17 because it uses many libraries that rely on JRE8. I was using Ubuntu for that, so I'm trying to test the possibility with Manjaro because I have been using it for over two years on my personal laptop, so I thought it would work and pull the latest upgrades without any problem, and I anticipated it to work better than Ubuntu in that matter. But I'm blocked now because all machines are connected to the internet and the risk of running an unpatched JRE8 is high. There is no need for paid support because now even Oracle JDK is provided free to all users, and OpenJDK is leading Java development and is funded by many big companies.

@medmedin Apparently you didn't follow the instructions before filing your Arch bug report:

Please read this before reporting a bug:
Bug reporting guidelines - ArchWiki

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!

I'm sure the maintainer is already aware, but you did not provide any details about the security risks. The report will most likely be closed.

3 Likes

I don't have the full list of all security risks that were patched in u302 and u312; I updated the bug report with some of them:

CVE-2021-2341 (Low)
CVE-2021-2369 (Medium)
CVE-2021-2388 (High)
CVE-2021-35550 (Medium)
CVE-2021-35556 (Medium)
CVE-2021-35559 (Medium)
CVE-2021-35561 (Medium)
CVE-2021-35564 (Medium)
CVE-2021-35565 (Medium)
CVE-2021-35567 (Medium)
CVE-2021-35578 (Medium)
CVE-2021-35586 (Medium)
CVE-2021-35588 (Low)
CVE-2021-35603 (Low)

And it is now updated in Arch.

https://archlinux.org/packages/?q=jdk8-openjdk

It took less time for the new version to be updated than all the previous replies here in this thread.

3 Likes
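The two checks made in this thread by hand, reading `pacman -Qi` to see whether anything still requires the package before removing it, and comparing the installed version against the release that carries the listed fixes, can be scripted. The following is an added example by the editor, not code from the thread, from Arch or from Manjaro. It assumes: the sample output is a constructed copy of the `pacman -Qi jdk8-openjdk` block quoted earlier; the threshold `8.u312-1` is an assumption taken from the poster's statement that the fixes landed in u302 and u312; and `vercmp` here is a simplified approximation of pacman's own `vercmp`, not the real implementation.

```python
# Added example (editor's, not from the thread): parse `pacman -Qi` output and
# flag an installed OpenJDK that is (a) older than a known-fixed version and
# (b) removable because nothing hard-depends on it.
import re

# Constructed sample: a copy of the `pacman -Qi jdk8-openjdk` block quoted above.
SAMPLE_QI = """\
Name            : jdk8-openjdk
Version         : 8.u292-1
Description     : OpenJDK Java 8 development kit
Architecture    : x86_64
URL             : https://openjdk.java.net/
Provides        : java-environment=8  java-environment-openjdk=8
Depends On      : java-environment-common  jre8-openjdk=8.u292-1
Optional Deps   : None
Required By     : None
Optional For    : libreoffice-fresh  subversion
Install Reason  : Explicitly installed
Validated By    : Signature
"""

# Assumption: first Arch release carrying the fixes the thread lists
# (8u302 and 8u312); adjust for the package you audit.
MIN_FIXED = "8.u312-1"

FIELD = re.compile(r"^(\S[^:]*?)\s*:\s(.*)$")

def parse_qi(text):
    """Return {field: value} from one `pacman -Qi` block.
    Indented continuation lines (long Description/Depends lists) are joined."""
    info, key = {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            key = m.group(1)
            info[key] = m.group(2).strip()
        elif key and line.startswith(" "):
            info[key] += " " + line.strip()
    return info

def _tokens(s):
    """'8.u292' -> [8, 'u', 292]: numeric runs compare as numbers, alpha runs as text."""
    return [int(t) if t.isdigit() else t for t in re.findall(r"\d+|[A-Za-z]+", s)]

def _cmp_tokens(x, y):
    for p, q in zip(x, y):
        if type(p) is not type(q):
            return 1 if isinstance(p, int) else -1   # a number beats a letter
        if p != q:
            return -1 if p < q else 1
    if len(x) == len(y):
        return 0
    longer, sign = (x, 1) if len(x) > len(y) else (y, -1)
    # A trailing numeric component ("8.u292.1" > "8.u292") is newer; a trailing
    # alpha component ("8.u292rc" < "8.u292") is older.
    return sign if isinstance(longer[min(len(x), len(y))], int) else -sign

def vercmp(a, b):
    """Simplified pacman-style compare of [epoch:]pkgver-pkgrel -> -1, 0, 1.
    Assumption: approximates pacman's `vercmp` for versions like 8.u292-1;
    it does not reproduce every corner case of the real implementation."""
    def split(v):
        epoch, _, rest = v.rpartition(":")
        ver, _, rel = rest.partition("-")
        return int(epoch or 0), _tokens(ver), _tokens(rel or "0")
    ea, va, ra = split(a)
    eb, vb, rb = split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_tokens(va, vb) or _cmp_tokens(ra, rb)

def split_list(value):
    """pacman prints 'None' for empty lists and separates entries by two spaces."""
    return [] if value in ("None", "") else value.split()

def assess(qi_text, min_fixed=MIN_FIXED):
    """Summarise one package: below the fixed version? safe to remove?"""
    info = parse_qi(qi_text)
    required_by = split_list(info.get("Required By", "None"))
    return {
        "name": info["Name"],
        "version": info["Version"],
        "below_fixed": vercmp(info["Version"], min_fixed) < 0,
        # Nothing hard-depends on it; 'Optional For' entries keep working without it.
        "removable": not required_by,
        "required_by": required_by,
        "optional_for": split_list(info.get("Optional For", "None")),
    }

if __name__ == "__main__":
    # On a real host, feed it the stdout of `pacman -Qi jdk8-openjdk` instead.
    print(assess(SAMPLE_QI))
```

For the quoted output the script reports the package as below the fixed version and removable: `Required By` is empty, and the two `Optional For` entries (libreoffice-fresh, subversion) only use Java when it is present. On a real Arch or Manjaro host, prefer the distro's own `vercmp` binary for the comparison; the Python version above exists only so the example runs offline.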

That is one way to look at it, I guess.

Another one might be: It took almost 5 months since it was flagged out of date even though there were open security issues with the packaged older version.

2 Likes

Well, for those having an issue open already, a comment might help to get some notice out. openssl-1.0 is such a package with low interest, but patches are provided.

If there is constructive noise why not.

1 Like

I meant he opened his issue on Arch, and it got noticed and updated less than 10 hours later.

I will even give you one more: there now is a package with new vulnerabilities already known :wink:

Maybe the package was flagged out of date for a long time, but I guess there are limited resources, limited time and limited people to manage all of Arch, and things need to be prioritized. Probably this old package didn't get a lot of attention because it is an old version of a package not widely used in the system. Probably the issue opened today, and specifically the list of CVEs, was the thing that made people look at it and update the package.

1 Like

Well, I for one was happily surprised when I discovered that JDK8 was pre-installed in my Manjaro Xfce. It's not that I necessarily need JDK8, but I like to use LibreOffice Writer in combination with the LanguageTool add-on, and this add-on needs Java 8 or later. Under Ubuntu and Ubuntu Budgie I always had to install Java myself. Under Manjaro this was not necessary, and therefore a fine thing for me. :slight_smile:

However, a general question: Is it generally recommended for simple end users like me to replace jdk8-openjdk with jdk-openjdk?

Something like that went through my head as well, but as Yochanan quoted: Arch rules say one shouldn't open bug reports for outdated packages.
I guess OP (and all jdk8 users) got lucky this time, and I'm happy for them.
Time will tell if this works in other similar situations as well.

If jdk-openjdk works well with libreoffice, you can replace jdk8-openjdk with jdk-openjdk.

1 Like