monsieurp@epsilon ~/gentoo-x86/dev-java/jython $ ls *.ebuild
jython-2.1-r11.ebuild jython-2.2.1-r1.ebuild jython-2.2.1-r2.ebuild jython-2.5.3-r3.ebuild jython-2.7.0.ebuild

Can we do away with versions < 2.7?

monsieurp@epsilon ~/gentoo-x86/dev-java/jython $ equery d -a dev-java/jython
 * These packages depend on dev-java/jython:
app-editors/jext-5.0 (dev-java/jython:0)
app-editors/jext-5.0-r1 (dev-java/jython:0)
dev-java/batik-1.7-r3 (python ? dev-java/jython:0)
dev-java/batik-1.8 (python ? dev-java/jython:0)
dev-java/bsf-2.4.0-r1 (python ? >=dev-java/jython-2.1-r5:0)
dev-java/freemarker-2.3.13 (>=dev-java/jython-2.2:0)
dev-java/freemarker-2.3.13-r1 (>=dev-java/jython-2.2:0)
dev-java/mx4j-3.0.1-r4 (examples ? =dev-java/jython-2.2*)
dev-java/mx4j-3.0.2 (examples ? dev-java/jython:2.5)
dev-java/mx4j-3.0.2-r1 (examples ? dev-java/jython:2.7)
dev-java/mx4j-tools-3.0.1-r2 (dev-java/jython:0)
dev-java/mx4j-tools-3.0.2 (dev-java/jython:2.5)
dev-java/mx4j-tools-3.0.2-r1 (dev-java/jython:2.7)
net-p2p/frostwire-4.20.9 (dev-java/jython:0)

If I search jython-2.1 for instance in Google, it takes me to this web page http://www.jython.org/archive/21/download.html which takes me back to a time where the latest version of the JVM available was 1.1 (!).

Let's clean this up, shall we?

Reproducible: Always
Are you guys OK with this bug report?
CC'ing in the python herd too.
Sounds good to me. Progress was mostly stalled on jython-2.7 final taking a few years longer than expected :)
CVE-2013-2027 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-2027): Jython 2.2.1 uses the current umask to set the privileges of the class cache files, which allows local users to bypass intended access restrictions via unspecified vectors.
If you are aware of vulnerabilities in a package, please make sure you notify security@. Are there any plans to keyword ppc to bring a new stable version to them?
Hi Sean,

Thanks for picking up on this bug. I wasn't aware of serious and/or major security bugs with jython versions < 2.7 but thanks for clearing this up and letting us know we have to remove them from the main tree. We'll get this bug out of the way ASAP.
I have gained access to timberdoodle and set up ppc/ppc64 chroots *just* for this task. I will start to keyword python forward dependencies on both platforms to get rid of the junk and make way for the new. Watch this space.
After a bit of hacking and keywording (I basically lowered the required jre/jdk), I eventually ran into the following error:

[javac] (use -source 7 or higher to enable try-with-resources)
[javac] /var/tmp/portage/dev-java/jython-2.7.0/work/src/org/python/modules/sre/PatternObject.java:376: error: try-with-resources is not supported in -source 1.6
[javac] try (PyBuffer buf = ((BufferProtocol)obj).getBuffer(PyBUF.FULL_RO)){

It's a bit of a bummer. Talked to Chewi about it and as suggested by him, the "easy" way out of this situation for the time being is to wait for ppc platforms to support Java 8.
I created PR https://github.com/gentoo/gentoo/pull/813 to address this bug report. QA tests are all green so I'm going to merge it.
commit a3539bf (HEAD, origin/master, origin/HEAD, master)
Merge: 0302844 6f65d65
Author: Patrice Clement <monsieurp@gentoo.org>
Date: Tue Feb 9 18:42:56 2016 +0000

    Merge remote-tracking branch 'github/pr/813'.

    Gentoo-Bug: 552452
    Pull-Request: https://github.com/gentoo/gentoo/pull/813

dev-java/jython-2.7 stabilisation was done in bug 553374.

Security team, please vote.
GLSA Vote: No
Vote No
Closing noglsa