[tbb-bugs] #31130 [Applications/Tor Browser]: Use Debian 10 for our Android container images
Tor Bug Tracker & Wiki
blackhole at torproject.org
Thu Nov 28 10:41:01 UTC 2019
#31130: Use Debian 10 for our Android container images
-------------------------------------------+-------------------------------
Reporter: gk | Owner: sisbell
Type: defect | Status:
| needs_revision
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-rbm, TorBrowserTeam201911 | Actual Points:
Parent ID: #31127 | Points: 0.5
Reviewer: | Sponsor:
-------------------------------------------+-------------------------------
Comment (by boklm):
Replying to [comment:52 gk]:
> Replying to [comment:51 boklm]:
> > Replying to [comment:50 gk]:
> > > Replying to [comment:48 sisbell]:
> > > > Looks like we just need one additional dependency installed for
the JDK headless installation. I verified a full build.
> > > >
> > > > https://github.com/sisbell/tor-browser-
build/commit/005b6651ba42737c7e1bd177f01286294355c02f
> > >
> > > Okay, we are close. Looking over the patch again I see you are
pointing to `https://deb.debian.org/debian/pool/main/o/openjdk-8` for the
openjdk packages. However, that seems to be brittle to me as it's easily
conceivable that our version is getting superseded by newer updates in the
couple of weeks, essentially getting unavailable. Better is using
`snapshot.debian.org` (e.g.
https://snapshot.debian.org/archive/debian/20191031T212011Z/pool/main/o/openjdk-8/).
> >
> > As it's an update for a stable distribution, I think previous versions
of the packages are not removed from mirrors (until the whole suite is
removed, which I think will not be before 2022 for stretch). So I think
using `https://deb.debian.org/` is fine (but using snapshot.debian.org is
fine too).
>
> I think you are wrong here. Have a look at
>
>
https://snapshot.debian.org/archive/debian/20191001T024204Z/pool/main/o/openjdk-8/
and
>
https://snapshot.debian.org/archive/debian/20191031T212011Z/pool/main/o/openjdk-8/
>
> in the former you still find `8u232-b04` binaries but not the latter
right now there are `8u232-b09-1~deb9u1` ones *instead* of the former
which the stable archive mirrors but it seems that's not guaranteed to
hold. That is there seems to be no reason to assume that
`8u232-b09-1~deb9u1` could not get replaced in the future by a successor,
which is why I think we should go the snapshot route to be on the safe
side.
I think `8u232-b04` was removed because it never was in the
stable/oldstable suite, but only in experimental:
https://tracker.debian.org/news/1062184/accepted-openjdk-8-8u232-b04-1
-source-into-experimental/
Packages from unstable, experimental and testing are removed from mirrors
when a new version of the package is available, however it seemed to me
this was not the case for stable or oldstable, but after looking at it
more closely it seems it is not always the case. So using snapshot sounds
good.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/31130#comment:53>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tbb-bugs
mailing list