Reintroducing openjdk-8 for Bullseye?

Moritz Mühlenhoff jmm at inutil.org
Wed May 6 22:19:42 BST 2020 

On Fri, Apr 24, 2020 at 03:05:33PM +0200, Graham Inggs wrote:
> Resending to team at security.debian.org
> 
> Note, there are already some replies at:
> https://lists.debian.org/debian-security/2020/04/msg00016.html
> 
> 
> On Thu, 9 Apr 2020 at 20:57, Graham Inggs <ginggs at debian.org> wrote:
> >
> > Dear Security Team
> >
> > The package nvidia-cuda-toolkit (non-free) ships some Java-based
> > visual tools; Nvidia Visual Profiler and Nsight Eclipse Edition, which
> > require the OpenJDK 8 JRE.
> >
> > When Debian switched default-jre, we started to ship Nvidia's bundled
> > JRE as nvidia-openjdk-8-jre (see #900300).
> >
> > As of nvidia-cuda-toolkit 10.1.243, upstream stopped shipping the
> > bundle JRE, and expect users to download it directly from Oracle.  We
> > are considering our options, and one which is very attractive for us
> > is for openjdk-8 to be reintroduced for Bullseye, but the question is
> > who gets to maintain it?

Sorry for the late response.

It's surprising to hear that nvidia-cuda-toolkit shipped a bundled JRE,
I was totally unaware of that until your mail.

In any case reintroducing openjdk-8 as a generic package is not an
option; that causes significant additional overhead to keep it updated
in stable. We can only reasonably have one OpenJDK per stable release.

What is the JRE used for? I suppose it provides Java language bindings
to access the CUDA libs?

Possible options which come to my mind:

- If only some users need the JRE, simply document where users can download
it from adoptopenjdk.net (or even Oracle, after all CUDA is already non-free
anyway). After all, that's what upstream chose to support as well.

- Switch CUDA to multi tarball source package which includes the CUDA
tarball plus the last version of OpenJDK 8. non-free isn't covered by
security support anyway and for language bindings it shouldn't even
ne strictly needed to follow the upstream releases (I guess Nvidia
didn't either when they still bundled it?)

Cheers,
        Moritz

More information about the pkg-nvidia-devel mailing list