Ubuntu 11.10 VM including OpenJDK Build Image
Lussier, Denis
denisl at openscg.com
Thu Feb 23 04:35:45 UTC 2012
On Wed, Feb 22, 2012 at 8:09 PM, Wade Chandler <
hwadechandler-openjdk at yahoo.com> wrote:
> As it relates to keeping old binaries, I think older versions would be
> kept. It is exactly what Oracle does with the JRE/JDK. I don't think it is
> criminal. I think if you don't have information about what each release
> address then it is bad; again, I think a security bug severity is
> determined whether the code is used and too who it is used; some bugs only
> affect shared containers, others remote code, some native items, and others
> images ... They have a disclaimer that all those builds should not be used
> in production environments of course. However, I'm not thinking that a
> company, once it has its binary artifacts for its builds, would be coming
> back to OpenJDK and getting those time and time again.
>
> More like, those binaries would be available on OpenJDK for a window in
> time, and even if not the exact version at product release time as
> inception, close enough for their development window, i.e. it wouldn't be a
> significant change necessarily, and after they have gotten a version they
> are going to distribute with, they will distribute it until they upgrade
> their own distributed copy based on their own tests functional and security
> per their domain.
>
>
I agree with Wade. This is why for the last two plus years OpenSCG.org
has been creating and distributing OpenJDK 6 Linux Binaries that work
across all flavors of Linux without requiring root to install or messing in
any way with the operating system. Just set $JAVA_HOME and away you
go.... Same way as the BIN packaging for Oracle's commercial JDK. One
size does NOT fit all. Do not get me wrong, I think making OpenJDK/IcedTea
a hardened part of Enterprise Linux Distro's is a great thing also.
I don't consider it a crime if users don't upgrade to the latest version, I
consider it their choice and their decision. OpenSCG doesn't run the TCK
tests, but, our binaries have been used by many folks for several years and
I've never had a problem reported in Linux (after my first few builds).
Note that OpenSCG's OpenJDK6 Windoze Binaries are sometimes problematic
when used with older version of Eclipse.
More information about the discuss
mailing list