Ubuntu 11.10 VM including OpenJDK Build Image

Wade Chandler hwadechandler-openjdk at yahoo.com
Thu Feb 23 04:09:48 UTC 2012


Thanks for all the communication Andrew.

On 02/22/2012 01:38 PM, Andrew Haley wrote:
> On 02/22/2012 05:18 PM, Wade Chandler wrote:
>> Depends. That doesn't have to be the case; enterprise-scale build
>> and dist networks. For any given platform and any given installer a
>> packaged prebuilt binary can be included easily enough. Getting all
>> the sub-components and building one's own JVM isn't exactly something
>> someone writing business logic to use a JVM should be worried about
>> doing unless they specifically want or need to.
> Absolutely not, no.  And grabbing binaries that are not fully
> supported from a web site isn't something that they should be doing
> either.
>
> IMO this can work if the site that hosts the builds (or its
> volunteers) does full testing and update support on the binaries they
> host.  Otherwise, people shouldn't use those binaries.  Sure, it'll be
> fine for experimentation.
Isn't this what we do with Netty, Spring, Tomcat, JBoss, GlassFish, 
Eclipse, NetBeans, and many other open source projects? Not trying to be 
smart; I'm really wondering what the difference is. Perhaps it is just 
related to the TCK and whether it is considered Java. Is that the deal? 
I talk about that below.
>> I feel we are approaching this discussion from two different angles:
>> large scale enterprise versus small business and individual users;
>> commercial enterprise versus commercial consumer software. I'm
>> arguing the large scale enterprise approach excludes a lot of
>> developers in various ways.
> If there were a proposal on the table for a site that hosted fully
> tested, TCKd and supported binaries built from OpenJDK, and had the
> infrastructure to do updates where needed, that might make some sense.
> Otherwise, you're just adding risk.
>
> Consider, for example, the situation where a security flaw was found
> that affected the last N OpenJDK releases.  This site supports
> versions of OpenJDK going back M releases, so you now have to do
> max(N,M) patching and rebuild cycles.  Either that, or you leave
> binaries with a known security hole on the site, which would be
> criminal.  So what would you do?
>

I think this part tells me a lot that I haven't understood about 
OpenJDK, or at least I think I understand it, and you can correct me if not.

Essentially OpenJDK generally has an expectation of casual use and not 
production use, depending on who one gets a build from, even from 
the OpenJDK project itself. It being a component in free OSs means it 
depends on the free OS, or commercial ones for that matter, as to 
whether some "licensed" TCK has been run on it or not. So, there is no 
guarantee, unless directly from say Canonical, Novell, Red Hat, etc., that 
the version of OpenJDK one is using in a Linux distro is actually 
production quality. It may very well be that a Linux distro is distributing a 
completely untested OpenJDK which just happens to pass the build, which 
has some minimal guarantee it works, but will fail in many cases one 
wishes to run a Java application.

Perhaps this is being done for Fedora. I was under the impression from 
the recent push, or at least perceived push, from Oracle to get folks 
using the OpenJDK and not their builds distributed within an operating 
system that OpenJDK was going to become the new de facto standard and it 
would (and I really thought it was) have the TCK run on that code. That doesn't 
mean something someone has modified for their distribution per se, but 
that any OpenJDK hosted and sanctioned build was actually being 
thoroughly tested, as it relates to the Java standard, that is.

Being open source, and outside of the TCK, I kind of just expect unit 
and integration tests along with community testing much like other 
projects. Perhaps I'm missing some things here though, and I imagine I 
certainly am.

As it relates to keeping old binaries, I think older versions would be 
kept. It is exactly what Oracle does with the JRE/JDK. I don't think it 
is criminal. I think if you don't have information about what each 
release addresses then it is bad; again, I think a security bug's severity 
is determined by whether the code is used and by whom it is used; some bugs 
only affect shared containers, others remote code, some native items, 
and others images ... They have a disclaimer that all those builds 
should not be used in production environments, of course. However, I'm 
not thinking that a company, once it has its binary artifacts for its 
builds, would be coming back to OpenJDK and getting those time and time 
again.

More like, those binaries would be available on OpenJDK for a window in 
time, and even if not the exact version at product release time as 
inception, close enough for their development window, i.e. it wouldn't 
necessarily be a significant change, and after they have gotten a 
version they are going to distribute with, they will distribute it until 
they upgrade their own distributed copy based on their own tests, 
functional and security, per their domain.

Thanks again,

Wade

-- 

=================
Wade Chandler

Software Engineer and Consultant
NetBeans Contributor
NetBeans Dream Team Member

wadechandler.com
netbeans.org
