Ubuntu 11.10 VM including OpenJDK Build Image

Thu Feb 23 10:09:53 UTC 2012

On 02/23/2012 04:09 AM, Wade Chandler wrote:
> Thanks for all the communication Andrew.
> 
> On 02/22/2012 01:38 PM, Andrew Haley wrote:
>> On 02/22/2012 05:18 PM, Wade Chandler wrote:
>> Depends. That doesn't have to be the case; enterprise-scale build
>> and dist networks. For any given platform and any given installer a
>> packaged prebuilt binary can be included easily enough. Getting all
>> the sub-components and building ones own JVM isn't exactly something
>> someone writing business logic to use a JVM should be worried about
>> doing unless they specifically want or need to.
>> Absolutely not, no.  And grabbing binaries that are not fully
>> supported from a web site isn't something that they should be doing
>> either.
>>
>> IMO this can work if the site that hosts the builds (or its
>> volunteers) does full testing and update support on the binaries they
>> host.  Otherwise, people shouldn't use those binaries.  Sure, it'll be
>> fine for experimentation.
> Isn't this what we do with Netty, Spring, Tomcat, JBoss, GlassFish, 
> Eclipse, NetBeans, and many other open source projects? Not trying to be 
> smart, really wondering what the difference is. Perhaps it is just 
> related to the TCK and whether it is considered Java. Is that the deal? 
> I talk about that below.

I think that Java is much more important and much more critical than
any of these things,  Also, a build of OpenJDK depends on a lot of
components.  A problem in any of these build-time dependencies can
break OpenJDK.  I don't think that's as likely in a pure Java project.

>> Consider, for example, the situation where a security flaw was found
>> that affected the last N OpenJDK releases.  This site supports
>> versions of OpenJDK going back M releases, so you now have to do
>> max(N,M) patching and rebuild cycles.  Either that, or you leave
>> binaries with a known security hole on the site, which would be
>> criminal.  So what would you do?
>>
> 
> I think this part tells me a lot that I haven't understood about 
> OpenJDK, or at least I think I understand it, and you can correct me if not.
> 
> Essentially OpenJDK generally has an expectation of casual use and not 
> production use depending on who one gets a build from per se; even from 
> the OpenJDK project itself.

Well, not exactly, but that depends on how well-tested it has been.

> It being a component in free OSs means it depends on the free OS, or
> commercial ones for that matter, as to whether some "licensed" TCK,
> has been run on it or not. So, there is no guarantee unless directly
> from say Canonical, Novell, Red Hat, etc that the version of OpenJDK
> one is using in a Linux distro is actually production quality.

Correct.  Unless extensive testing has been done, it's not production
quality.

> It may very well be a Linux distro is distributing a completely
> untested OpenJDK which just happens to pass the build which has some
> minimal guarantee it works, but will fail in many cases one wishes
> to run a Java application.

I hope not, but it's possible.  We still sometimes see failures with
real applications on fully tested builds.  It's unusual, but it
happens.

> Perhaps this is being done for Fedora. I was under the impression
> from the recent push, or at least perceived push, from Oracle to get
> folks using the OpenJDK and not their builds distributed within an
> operating system

I don't understand.  OpenJDK is distributed within an OS.  Where did
they say this?

> that OpenJDK was going to become the new defacto standard and it
> would (and really thought was) having TCK run on that code.

The TCK is run on a build.  It's up to whoever provided the build to
do that.  Unfortunately, it's possible to break Java if there's
something wrong (or different) with the environment in which it's run
from the one in which it was tested.  A Java that's built and tested
with the distro makes this much easier to control.

> That doesn't mean something someone has modified for their
> distribution per se, but that any OpenJDK hosted and sanctioned
> build was actually being thoroughly tested; as it relates to the
> Java standard that is.
> 
> Being open source, and outside of the TCK, I kind of just expect unit 
> and integration tests along with community testing much like other 
> projects. Perhaps I'm missing some things here though, and I imagine I 
> certainly am.

It'd be nice.  I don't know what the non-Fedora distros do.

Andrew.