Hello,

The packages glassfish-* shipped in all the version of Debian are version 2.1.1.
The glassfish v2 open souce code hasn't received any updates since 2010, not even critical security updates.
( https://svn.java.net/svn/glassfish~svn/trunk/v2/ )



Only the Oracle Enterprise version is still maintained.
Even if those are not the full server stack ( http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=653964 ), they may contains security flaws.


We just don't know, right?

The v3 version is very stable and actively maintained. I would consider shipping it instead of v2.

Thanks,
Benjamin Jaton

Let me clarify:
What I am saying is that upstream is no longer maintaining it.
The Glassfish open source team has made a commit in v2 since 2010.

On Wed, Jul 18, 2012 at 10:39 AM, Benjamin Jaton <benjamin.jaton@gmail.com> wrote:

Hello,

The packages glassfish-* shipped in all the version of Debian are version 2.1.1.
The glassfish v2 open souce code hasn't received any updates since 2010, not even critical security updates.

( https://svn.java.net/svn/glassfish~svn/trunk/v2/ )



Only the Oracle Enterprise version is still maintained.
Even if those are not the full server stack ( http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=653964 ), they may contains security flaws.



We just don't know, right?

The v3 version is very stable and actively maintained. I would consider shipping it instead of v2.

Thanks,
Benjamin Jaton

Le 18/07/2012 19:39, Benjamin Jaton a écrit*:
Hello,



The packages glassfish-* shipped in all the version of Debian are
version 2.1.1.

The glassfish v2 open souce code hasn't received any updates since
2010, not even critical security updates.

( https://svn.java.net/svn/glassfish~svn/trunk/v2/
)

Only the Oracle Enterprise version is still maintained.

Even if those are not the full server stack ( http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=653964
), they may contains security flaws.

We just don't know, right?



The v3 version is very stable and actively maintained. I would
consider shipping it instead of v2.




Thanks for the information.

Do you think we should ask for a removal in Wheezy ?

Are you volunteer to package the v3 ?



ThanksS

>From there I don't know, I feel like it should be removed for safety but other packages rely on them.
Unfortunately I won't be a volunteer to package the v3.

Ben

On Wed, Jul 18, 2012 at 3:14 PM, Sylvestre Ledru <sylvestre@debian.org> wrote:






Le 18/07/2012 19:39, Benjamin Jaton a écrit*:
Hello,



The packages glassfish-* shipped in all the version of Debian are
version 2.1.1.

The glassfish v2 open souce code hasn't received any updates since
2010, not even critical security updates.

( https://svn.java.net/svn/glassfish~svn/trunk/v2/
)

Only the Oracle Enterprise version is still maintained.

Even if those are not the full server stack ( http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=653964
), they may contains security flaws.

We just don't know, right?



The v3 version is very stable and actively maintained. I would
consider shipping it instead of v2.




Thanks for the information.

Do you think we should ask for a removal in Wheezy ?

Are you volunteer to package the v3 ?



ThanksS