OpenRefine in Debian 2025

Hi folks,

I wanted to give you a brief status update for the OpenRefine package in Debian and tell you what happened in the past 18 months. In short: OpenRefine 3.8.7 is currently available in Debian stable aka “trixie” and 3.9.5 is the latest available version in Debian experimental. I will upload this version to unstable shortly.

I aimed for the inclusion of 3.8.7 into Debian stable because it was the latest available version at that time in January this year. The upcoming Debian freeze policy dictated that only minor changes could be made in the following months until the final release of Debian 13 “trixie” in August 2025. This explains why I could only upload 3.9.3 to experimental at that time and why this one is not part of the stable release. 2024 started without notable changes. Up to version 3.7.8, packaging new releases was straightforward. Then followed a period when several CVEs were reported for OpenRefine.

Security updates

After careful consideration I decided against backporting CVE patches at that time and to wait for new releases of OpenRefine to fix those problems. I don’t think these issues warranted a security announcement because the exploit conditions were rather unrealistic and the use case of OpenRefine makes most of them unlikely in my opinion. All CVEs have been addressed in Debian stable and all except CVE-2024-47879 are also fixed in Debian 12 “bookworm”. The update will be part of the next official point update. I suggest continuing to fix CVEs but only in Debian stable and testing versions and encouraging users of older Debian releases to use the latest stable version instead. What is your take on that?

Packaging frequency and point of contact

Sometimes I wait for a bigger change before I package a new version. So if we are at version 3.8.0, I may skip 3.8.1 and 3.8.2 and move on to 3.8.3, for example. The goal is always to get the latest version into Debian stable though. Feel free to contact me if you feel that a specific version needs special attention or you just want to see it packaged. I believe I missed a message from Antonin to the Debian Java mailing list. The best way to report a bug is to file a Debian bug report with reportbug or with your favorite email client. Debian -- Debian BTS - reporting bugs

The second best way is to send me a PM via this forum.

Bugs

There are currently 4 open bugs for OpenRefine in Debian. Three of them are Debian specific. I believe I fixed Number 4 in version 3.8.7-2. Apparently I missed a link to the localizer.jar file which caused some problems with non-English language settings. I’m not 100% sure though, because the bug submitter never replied back. If you can reproduce the problem or confirm that it is solved in 3.8.7-2, that would be great.

Outlook

I believe next is OpenRefine 3.10. I’m also looking forward to OpenRefine 4. Do you have any estimates when it will replace the 3.x series? I have also been working on Jetty 12 in Debian but there were a couple of problems that prevented the complete switch from Jetty9 to 12, so this is still ongoing work and I will keep you informed because it affects OpenRefine too of course.

I’m happy to answer any questions.

Best,

Markus


Thanks for reaching out @apo! This is a really interesting update and I'm sorry for letting this sit for so long. In addition to this information, I was wondering if you're able to provide insight into how this package is used. Do you have information like download counts/rates, or in what kind of environment(s) people use our Debian package?

Sadly no, I don't think we have an estimate of when 4.0 will be released. Thank you for your work on Jetty12! I imagine that's something we'll want to cover in OpenRefine 4.

Hi Rory,

as soon as you install a new Debian release, users will be asked if they would like to participate in Debian’s popularity-contest (popcon). By default this option is set to no because of privacy reasons. The current popcon values for openrefine are available here. As you can see there are currently 36 reported installations of openrefine. So what does it mean? Compared to coreutils, an essential Debian package, the number is small because coreutils is installed on every Debian system while openrefine is only optional. In comparison to tomcat11, a popular Java package, the number is reasonable. Since the release of Debian 13 both packages appeared to attract roughly the same number of new users. There are several drawbacks to popcon though. First of all I compare two completely different packages, one targeted for headless servers, the other one for single-user desktop environments. It is unlikely both are installed on the same system but we don’t have any data to confirm or deny that. Popcon also doesn’t include installations from all of Debian’s 100+ derivatives, only a few smaller ones. The larger ones like Ubuntu or Mint are not included but many desktop users use them. So in short you have to take this information with a grain of salt. Usually the numbers ramp up after a package was included in several stable releases because most Debian users prefer stable and you can see an uptrend since the release of Debian 13 last year.

I should also note that the introduction of openrefine required new Java libraries or tools for Debian which may also have a distinct user base or will be used by other people for different software projects now or in the future. I don’t have any exact numbers though.

Maybe you could promote the Debian package a little if you put a notice or link on the download page?
