Hi folks,
I wanted to give you a brief status update for the OpenRefine package in Debian and tell you what happened in the past 18 months. In short: OpenRefine 3.8.7 is currently available in Debian stable aka “trixie” and 3.9.5 is the latest available version in Debian experimental. I will upload this version to unstable shortly.
I aimed for the inclusion of 3.8.7 into Debian stable because it was the latest available version at that time in January this year. The upcoming Debian freeze policy dictated that only minor changes could be made in the following months until the final release of Debian 13 “trixie” in August 2025. This explains why I could only upload 3.9.3 to experimental at that time and why this one is not part of the stable release. 2024 started without notable changes. Up to version 3.7.8, packaging new releases was straightforward. Then followed a period when several CVEs were reported for OpenRefine.
Security updates
After careful consideration I decided against backporting CVE patches at that time and to wait for new releases of OpenRefine to fix those problems. I don’t think these issues warranted a security announcement because the exploit conditions were rather unrealistic and the use case of OpenRefine makes most of them unlikely in my opinion. All CVEs have been addressed in Debian stable and all except CVE-2024-47879 are also fixed in Debian 12 “bookworm”. The update will be part of the next official point update. I suggest continuing to fix CVEs but only in Debian stable and testing versions and encouraging users of older Debian releases to use the latest stable version instead. What is your take on that?
Packaging frequency and point of contact
Sometimes I wait for a bigger change before I package a new version. So if we are at version 3.8.0, I may skip 3.8.1 and 3.8.2 and move on to 3.8.3, for example. The goal is always to get the latest version into Debian stable though. Feel free to contact me if you feel that a specific version needs special attention or you just want to see it packaged. I believe I missed a message from Antonin to the Debian Java mailing list. The best way to report a bug is to file a Debian bug report with reportbug or with your favorite email client.
The second best way is to send me a PM via this forum.
Bugs
There are currently 4 open bugs for OpenRefine in Debian. Three of them are Debian specific. I believe I fixed Number 4 in version 3.8.7-2. Apparently I missed a link to the localizer.jar file which caused some problems with non-English language settings. I’m not 100% sure though, because the bug submitter never replied back. If you can reproduce the problem or confirm that it is solved in 3.8.7-2, that would be great.
Outlook
I believe next is OpenRefine 3.10. I’m also looking forward to OpenRefine 4. Do you have any estimates when it will replace the 3.x series? I have also been working on Jetty 12 in Debian but there were a couple of problems that prevented the complete switch from Jetty9 to 12, so this is still ongoing work and I will keep you informed because it affects OpenRefine too of course.
I’m happy to answer any questions.
Best,
Markus