openjdk: mark major version 12 through 16 as EOL

[mweinelt]

Mark EOL versions with knownVulnerabilities.

https://endoflife.date/java

Related: #170825

I don't consider #178025 fixed until these packages are removed.

Description of changes

Things done

• Built on platform(s)
  • x86_64-linux
  • aarch64-linux
  • x86_64-darwin
  • aarch64-darwin
• For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
• Tested, as applicable:
  • NixOS test(s) (look inside nixos/tests)
  • and/or package tests
  • or, for functions and "core" functionality, tests in lib/tests or pkgs/test
  • made sure NixOS tests are linked to the relevant packages
• Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
• Tested basic functionality of all binary files (usually in ./result/bin/)
• 22.05 Release Notes (or backporting 21.11 Release notes)
  • (Package updates) Added a release notes entry if the change is major or breaking
  • (Module updates) Added a release notes entry if the change is significant
  • (Module addition) Added a release notes entry if adding a new NixOS module
  • (Release notes changes) Ran nixos/doc/manual/md-to-db.sh to update generated release notes
• Fits CONTRIBUTING.md.

[mweinelt]

1 package removed:
minecraft-server (†1.17.1) @thoughtpolice @tomberek @costrouc @jyooru

[dotlambda]

Ofborg fails because the Darwin variants of openjdk don't pass version.
I wonder whether https://www.azul.com/products/azul-support-roadmap/ always coincides with https://endoflife.date/java. If not, would it make more sense to extend meta by knownVulnerabilities for each of the EOL versions separately?
cc @tricktron @marsam

[jyooru]

1 package removed: minecraft-server (†1.17.1)

I can't find the commit/PR where you've removed this.

If you're removing 1.17.1 due to this, you/I will also need to remove more under minecraftServers.

[mweinelt]

In versions.json 1.17 uses javaVersion 16, that's why it get's "removed" in a sense.

[jyooru]

Versions below 1.17 use Java 8 - why aren't they removed?

When you say removed, is it just marked as insecure or has it actually been removed?

[mweinelt]

The build job gets removed, because it has been transitively marked insecure.

[jyooru]

Oh, that makes sense.

[ajs124]

Versions below 1.17 use Java 8 - why aren't they removed?

see https://endoflife.date/java, 8 still has security support, because it's an LTS release

[wamserma]

Result of nixpkgs-review pr 170827 run on aarch64-linux 1