[announce] 10.0.2-1 ojdkbuild release

Alex Kashchenko

Jul 28, 2018, 11:42:34 AM
to ojdkbuild
10.0.2-1 release page:
https://github.com/ojdkbuild/ojdkbuild/releases/tag/10.0.2-1

jdk10 is a short-term release that is discontinued after this version.

This release contains changes from July 2018 CPU (http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html#AppendixJAVA).

--
-Alex

Gayithri Rachepalli

Oct 16, 2018, 6:45:18 AM
to ojdkbuild
Hi,


So, as of now we are using this OpenJDK 1.10.0 version. As you said, do we go with the OpenJDK 12 version if this OpenJDK 1.10.02 version is discontinued?

Alex Kashchenko

Oct 16, 2018, 6:56:47 AM
to Gayithri Rachepalli, ojdkbuild
Hi,

On 10/16/2018 11:45 AM, Gayithri Rachepalli wrote:
> Hi,
>
>
> So, as of now we are using this OpenJDK 1.10.0 version. As you said, do we
> go with the OpenJDK 12 version if this OpenJDK 1.10.02 version is discontinued?

I can suggest using long-term support releases of OpenJDK. With a
"faster release cadence" that was started with jdk9 [1], short-term
releases are supported only for 6 months each. jdk9, 10 and 12 are
short-term releases.

jdk8 is a long-term release and is going to be supported until June 2023.

jdk11, which is going to be released in this github project in about 2
weeks, is also a long-term release.


>
> [...]
>

[1] http://mail.openjdk.java.net/pipermail/discuss/2017-September/004281.html

--
-Alex

Gayithri Rachepalli

Oct 16, 2018, 8:19:47 AM
to ojdkbuild

Hi,

Thanks for the reply. We will go with the OpenJDK 11 version.

But can you please let us know what the difference between Oracle JDK 11 and OpenJDK 11 could be?

Because we are implementing once scratch project. We want to know the feature differences between the above-mentioned JDKs.

Regards,
Gayithri R

Alex Kashchenko

Oct 16, 2018, 9:00:05 AM
to Gayithri Rachepalli, ojdkbuild
On 10/16/2018 01:19 PM, Gayithri Rachepalli wrote:
>
> Hi,
>
> Thanks for the reply. We will go with the OpenJDK 11 version.
>
> But can you please let us know what the difference between Oracle
> JDK 11 and OpenJDK 11 could be?

Generally OpenJDK 11 should be very close to Oracle JDK 11.

Builds in this github project have minor differences from upstream
OpenJDK to stay closer to the version of OpenJDK that is shipped with
RHEL/CentOS. Generally these differences are not visible to end users.
One case when it can be visible is that these builds include a more
narrow set of Elliptic Curves used in SunEC crypto provider [1] (some
details are in this issue [2]).


> Because we are implementing once scratch project. We want to know the
> feature differences between the above-mentioned JDKs.
>
> [...]
>

[1] https://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#SunEC
[2] https://github.com/ojdkbuild/ojdkbuild/issues/11

--
-Alex
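
Added example, not part of the original thread or of ojdkbuild: since the reply above notes that these builds ship a narrower set of SunEC curves, this probe reports which named curves the running JDK accepts, so the same class can be run on two builds and the output compared. The class name `EcCurveProbe` and the candidate curve list are choices made for this example.

```java
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.spec.ECGenParameterSpec;
import java.util.LinkedHashMap;
import java.util.Map;

public class EcCurveProbe {
    // Candidate curve names picked for this example (an assumption, not a
    // list taken from the thread); extend it with the curves your
    // application, certificates or TLS peers actually depend on.
    static final String[] CANDIDATES = {
        "secp256r1", "secp384r1", "secp521r1",
        "secp256k1", "brainpoolP256r1", "brainpoolP384r1", "sect283k1"
    };

    // Returns curve name -> true if the default EC provider can generate a key on it.
    static Map<String, Boolean> probe(String[] names) throws NoSuchAlgorithmException {
        Map<String, Boolean> result = new LinkedHashMap<>();
        for (String name : names) {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("EC");
            try {
                kpg.initialize(new ECGenParameterSpec(name));
                // Generate a key as well: a curve may be known by name but
                // still be rejected by the native implementation.
                kpg.generateKeyPair();
                result.put(name, true);
            } catch (InvalidAlgorithmParameterException | RuntimeException e) {
                result.put(name, false);
            }
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        System.out.println(System.getProperty("java.vendor") + " "
                + System.getProperty("java.version"));
        System.out.println("EC provider: "
                + KeyPairGenerator.getInstance("EC").getProvider().getName());
        probe(CANDIDATES).forEach((name, ok) ->
                System.out.printf("%-16s %s%n", name, ok ? "available" : "NOT available"));
    }
}
```

Running it against each JDK under consideration before migrating shows whether keys or certificates already in use rely on a curve that one of the builds does not provide.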

Bernd Eckenfels

Oct 16, 2018, 5:49:41 PM
to ojdkbuild

Hello,

just a comment, it looks like the IcedTea project also made this removal optional:

https://icedtea.classpath.org/bugzilla/show_bug.cgi?id=2392

I think that's a really bad solution in case it is for PKCS11 compatibility ("align with NSS"). If it is for some kind of conformance, it should be clearly documented especially as it narrows down the selection to specifically mistrusted NIST curves.

Is that really the version shipped with RHEL7? For 8 as well? (will check and report later on)

Gruss
Bernd

--
http://bernd.eckenfels.net


Alex Kashchenko

Oct 16, 2018, 6:29:46 PM
to Bernd Eckenfels, ojdkbuild
On 10/16/2018 10:49 PM, Bernd Eckenfels wrote:
> Hello,
>
> just a comment, it looks like the IcedTea project also made this removal optional:
>
> https://icedtea.classpath.org/bugzilla/show_bug.cgi?id=2392
>
> I think that's a really bad solution in case it is for PKCS11 compatibility ("align with NSS"). If it is for some kind of conformance, it should be clearly documented especially as it narrows down the selection to specifically mistrusted NIST curves.

Sorry, I really don't have any more information about this decision
except the bits added to issue 11 [1]. I don't think that it is
documented or explained anywhere.

In ojdkbuild NSS is used for SunEC provider the same way it is used on
RHEL and the set of available elliptic curves is the same as on RHEL.


> Is that really the version shipped with RHEL7?

Yes, this is the set of related patches on RHEL/CentOS7 [2].

Script that removes the elliptic curves is not in RPM spec (they are
removed during the source tarball bundling) and this script is not
included with SRPM. Its variation can be seen in Fedora package [3].


> For 8 as well? (will check and report later on)

I cannot comment on RHEL 8 before its release, but can confirm that the
same logic is used in jdk11 on Fedora [4][5][6].


>
> Gruss
> Bernd
>

[1] https://github.com/ojdkbuild/ojdkbuild/issues/11
[2] https://git.centos.org/blob/rpms!java-1.8.0-openjdk.git/95d8095737ad044d3508c26a50214ca0661eb599/SPECS!java-1.8.0-openjdk.spec#L892
[3] https://src.fedoraproject.org/rpms/java-1.8.0-openjdk/blob/ba397c7d37c7542579f116383e297cfed348e217/f/generate_singlerepo_source_tarball.sh#_116
[4] https://src.fedoraproject.org/rpms/java-11-openjdk/blob/075824caed7dbc3d4a46497253065e21ec162a8b/f/generate_source_tarball.sh#_116
[5] https://src.fedoraproject.org/rpms/java-11-openjdk/blob/075824caed7dbc3d4a46497253065e21ec162a8b/f/pr2126-11.patch
[6] https://src.fedoraproject.org/rpms/java-11-openjdk/blob/075824caed7dbc3d4a46497253065e21ec162a8b/f/java-11-openjdk.spec#_911


--
-Alex

Bernd Eckenfels

Oct 16, 2018, 6:49:35 PM
to ojdkbuild

Hello Alex,

Thanks for responding (and in case it was not clear, was not meant to criticize you). 😊

> In ojdkbuild NSS is used for SunEC provider the same way it is used on
> RHEL and the set of available elliptic curves is the same as on RHEL.

Hm… ok, I understood it differently (i.e. NSS used as an external provider), but yes there might be a good reason to use NSS lib in the implementation in order to actually harmonize the native crypto providers in RHEL – in that case the curves need to reflect the NSS ones. (This is however a major difference to OpenJDK in itself.)

>> For 8 as well? (will check and report later on)

> I cannot comment on RHEL 8 before its release, but can confirm, that the
> same logic is used in jdk11 on Fedora [4][5][6].

Actually I meant if it is used in Java 8 and 11 for RHEL 7. Thanks for the clarification.

I wonder (especially on Windows) if this is a good thing for ojdkbuild? I have the impression most users use it as a compatible build for OpenJDK not Fedora (even when you clearly state otherwise).

Gruss
Bernd

Alex Kashchenko

Oct 17, 2018, 6:46:28 AM
to Bernd Eckenfels, ojdkbuild
On 10/16/2018 11:49 PM, Bernd Eckenfels wrote:
>
> [...]
>
>
>> In ojdkbuild NSS is used for SunEC provider the same way it is used on
>> RHEL and the set of available elliptic curves is the same as on RHEL.
>
> Hm… ok, I understood it differently (i.e. NSS used as an external provider), but yes there might be a good reason to use NSS lib in the implementation in order to actually harmonize the native crypto providers in RHEL – in that case the curves need to reflect the NSS ones. (This is however a major difference to OpenJDK in itself.)

Unfortunately using NSS as a PKCS11 provider doesn't work - there is a
memory leak in jdk PKCS11 code [1]. Thus SunEC provider was modified to
use NSS directly instead of the upstream EC impl [2], that is very close
to NSS EC impl, but not the same.


>>> For 8 as well? (will check and report later on)
>
>> I cannot comment on RHEL 8 before its release, but can confirm, that the
>> same logic is used in jdk11 on Fedora [4][5][6].
>
> Actually I meant if it is used in Java 8 and 11 for RHEL 7. Thanks for the clarification.
>
> I wonder (especially on Windows) if this is a good thing for ojdkbuild?

As ojdkbuild uses sources from CentOS 7, some kind of build-time config
to include all EC curves is not possible, because the curves definitions
are not included with RHEL/CentOS source tarball (removed during tarball
bundling, not patched out by usual build-time RPM patch).


> I have the impression most users use it as a compatible build for OpenJDK not Fedora (even when you clearly state otherwise).

Yes, that seems to be correct. The goal of ojdkbuild is a
"RHEL-compatible" jdk-windows. But most users obviously just look for
Oracle JDK replacement.

For those users who care about the differences, I'll add some notes to
README about other OpenJDK windows builds (this article looks like a
good overview [3]) and about the differences (for jdk8 - this SO answer
[4]).


[1] https://bugzilla.redhat.com/show_bug.cgi?id=1028966#c26
[2] https://hg.openjdk.java.net/jdk8u/jdk8u/jdk/file/9da3ff5cd435/src/share/native/sun/security/ec/impl
[3] https://blog.joda.org/2018/09/time-to-look-beyond-oracles-jdk.html
[4] https://stackoverflow.com/a/52218632/314015

--
-Alex