25253 – datanucleus packages use unsupported version

Bug 25253 - datanucleus packages use unsupported version

Summary: datanucleus packages use unsupported version

Status:	RESOLVED WONTFIX

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	RPM Packages (show other bugs)
Version:	7
Hardware:	All Linux

Priority:	Normal Severity: enhancement
Target Milestone:	---
Assignee:	Guillaume Rousse
QA Contact:

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Reported:	2019-08-10 08:50 CEST by Andy Jefferson
Modified:	2019-08-11 19:19 CEST (History)
CC List:	0 users

See Also:
Source RPM:
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Andy Jefferson 2019-08-10 08:50:58 CEST

Description of problem:
Mageia 7 provides the following RPMs
datanucleus-api-jdo
datanucleus-api-jdo-javadoc
datanucleus-core
datanucleus-core-javadoc
datanucleus-rdbms
datanucleus-rdbms-javadoc
datanucleus-maven-parent


Version-Release number of selected component (if applicable):
3.x


The problem is that none of these versions of datanucleus software are supported. They are from back in 2013. I know, because I write DataNucleus software and am the main developer for it. 

The currently supported versions are v5.1 and v5.2, see http://www.datanucleus.org/documentation/products.html

Comment 1 Lewis Smith 2019-08-10 22:05:58 CEST

Thank you Andy for this edification...
> The problem is that none of these versions of datanucleus software are
> supported. They are from back in 2013. I know, because I write DataNucleus
> software and am the main developer for it.
It is not often a bug is so authoratitive, and raises a smile!

Assigning to guillomovitch as the registered maintainer.

Assignee: bugsquad => guillomovitch

Comment 2 David Walser 2019-08-11 18:17:58 CEST

I have no idea why Guillaume imported these packages, but packaging Java stuff like this is very problematic, and none of it is up to date.  The Java stack is a house of cards with so many interdependencies and it's almost impossible to update anything, as updating one thing usually breaks several other things.  Also, we certainly don't have the manpower to maintain these packages ourselves.  We just sync them with Fedora.  You really should report this to Fedora, as that's where it needs to be fixed.  They have more manpower, but even they don't do a good job of maintaining their Java stack, as they don't have enough resources for it either.  Not only is stuff out of date, but there's dozens of known security vulnerabilities that have been fixed in upstreams, that Fedora never gets around to addressing.

Resolution: (none) => WONTFIX
Status: NEW => RESOLVED

Comment 3 Guillaume Rousse 2019-08-11 19:19:01 CEST

I have no clue what this software is exactly, I only imported it in order to satisfy the dependencies of yet another Java package (I can't remember which one exactly), in order to try to fix issue #24018. As David said, unless someone who understand Java volonteer in order to cleanup the current mess, we're doomed to lazily sync with Fedora from times to times.

Note You need to log in before you can comment on or make changes to this bug.