Hi, Am Samstag, dem 19.02.2022 um 18:52 +0100 schrieb Jochen Sprickerhof: > Package: libh2-java > Version: 2.1.210-1 > Severity: important > X-Debbugs-Cc: jspri...@debian.org, Markus Koschany <a...@debian.org> > Control: -1 affects mediathekview jameica hibiscus > > Hi, > > the new version of libh2-java uses a new SQL syntax and file format and > is not able to read old data or work with the old syntax: > > https://h2database.com/html/migration-to-v2.html > > This renders all it's users, i.e. mediathekview and jameica/hibiscus, > unusable.
I had rebuilt all reverse-dependencies of libh2-java and they still can be built from source. Unfortunately there are runtime problems as you have rightly pointed out. Actually only mediathekview and jamaica/hibiscus are really affected. Mediathekview downloads a large json file from the internet (the filmlist) and then it is converted into a h2 database. Normally it should be fine to remove the old database and then mediathekview would create a new database again. Persistent settings are saved in xml files anyway. However I just noticed at least one SQLException when this happens and the conversion appears to take forever. Probably solvable but... the latest version of Mediathekview uses a SQLite database now, because upstream likes changing dependencies, thus upgrading to the lastest upstream release would solve the problem. That means only hibiscus/jameica require our attention. I would try to remove the obsolete connection setting mentioned in #1005838. You could also try to dump the SQL database with the current version in stable and then try to re- import the SQL tables with H2 in unstable. That should actually work because the SQL syntax will not have changed. (See also the Upgrading paragraph here https://h2database.com/html/migration-to-v2.html) > > Given that there is no online conversion available, the H2MigrationTool > actually contains jars of the different version, I would propose to > upload the v2 version with a new source and binary package name and > upload the v1 version to unstable again with a +really version number: > > 2.1.210+really1.4.197-1 > > based on the git tag debian/1.4.197-4+deb11u1. > > Given that this affects all linked programs and that v2 already > transitioned to testing as well as the next Ubuntu version (which will > stop importing from Debian soon) I would like to get this fixed fast. > > I'm planning to upload the +really version tomorrow unless someone > disagrees. I would advise against that plan because a) jameica/hibiscus is the only affected package b) the grave security issues would be present again #1003894. I have fixed the most severe ones in stable releases by disabling the H2 console and JNDI lookups. There are probably more issues mentioned by upstream here: https://github.com/h2database/h2database/issues/3360#issuecomment-1018351050 However users would want an up-to-date version of H2 in the future. At some point an upgrade is inevitable. c) two source packages make only sense if we talk about an (important) library that is incompatible and breaks many reverse-dependencies. H2 is a database and affects only 2 packages. d) versions 1.4.xxx are no longer supported. 1.4.197 is already four years old. That makes security support or any support in general not feasible if we want to release this version again for Bookworm. I would contact jameica/hibiscus upstream and report this issue as a bug. A database dump and re-import should be possible in any case and depending on a supported version of H2 is surely desirable for all parties. Regards, Markus
signature.asc
Description: This is a digitally signed message part
