Bug 25253

Summary: datanucleus packages use unsupported version
Product: Mageia Reporter: Andy Jefferson <andy_jefferson>
Component: RPM Packages Assignee: Guillaume Rousse <guillomovitch>
Status: RESOLVED WONTFIX QA Contact:
Severity: enhancement    
Priority: Normal    
Version: 7   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: CVE:
Status comment:

Description Andy Jefferson 2019-08-10 08:50:58 CEST
Description of problem:
Mageia 7 provides the following RPMs
datanucleus-api-jdo
datanucleus-api-jdo-javadoc
datanucleus-core
datanucleus-core-javadoc
datanucleus-rdbms
datanucleus-rdbms-javadoc
datanucleus-maven-parent


Version-Release number of selected component (if applicable):
3.x


The problem is that none of these versions of datanucleus software are supported. They are from back in 2013. I know, because I write DataNucleus software and am the main developer for it. 

The currently supported versions are v5.1 and v5.2, see http://www.datanucleus.org/documentation/products.html
Comment 1 Lewis Smith 2019-08-10 22:05:58 CEST
Thank you Andy for this edification...
> The problem is that none of these versions of datanucleus software are
> supported. They are from back in 2013. I know, because I write DataNucleus
> software and am the main developer for it.
It is not often a bug is so authoritative, and raises a smile!

Assigning to guillomovitch as the registered maintainer.

Assignee: bugsquad => guillomovitch

Comment 2 David Walser 2019-08-11 18:17:58 CEST
I have no idea why Guillaume imported these packages, but packaging Java stuff like this is very problematic, and none of it is up to date. The Java stack is a house of cards with so many interdependencies and it's almost impossible to update anything, as updating one thing usually breaks several other things. Also, we certainly don't have the manpower to maintain these packages ourselves. We just sync them with Fedora. You really should report this to Fedora, as that's where it needs to be fixed. They have more manpower, but even they don't do a good job of maintaining their Java stack, as they don't have enough resources for it either. Not only is stuff out of date, but there are dozens of known security vulnerabilities that have been fixed in upstreams, that Fedora never gets around to addressing.

Resolution: (none) => WONTFIX
Status: NEW => RESOLVED

Comment 3 Guillaume Rousse 2019-08-11 19:19:01 CEST
I have no clue what this software is exactly, I only imported it in order to satisfy the dependencies of yet another Java package (I can't remember which one exactly), in order to try to fix issue #24018. As David said, unless someone who understands Java volunteers in order to clean up the current mess, we're doomed to lazily sync with Fedora from time to time.