From dl at cs.oswego.edu Thu Mar 1 11:59:20 2018 From: dl at cs.oswego.edu (Doug Lea) Date: Thu, 1 Mar 2018 06:59:20 -0500 Subject: OpenJDK Governing Board CFV: Vulnerability Group In-Reply-To: <20180228161326.D15F2179947@eggemoggin.niobe.net> References: <20180228161326.D15F2179947@eggemoggin.niobe.net> Message-ID: Vote: yes. Aside: Thanks for assembling a good list of initial members. -Doug On 02/28/2018 11:13 AM, mark.reinhold at oracle.com wrote: > (This is a call for votes, but only from members of the Governing Board.) > > I hereby propose the creation of the Vulnerability Group, with Andrew > Gross as the initial Lead. > > This Group will be a secure, private forum in which trusted members of > the OpenJDK Community can receive reports of vulnerabilities in OpenJDK > code bases, review them, collaborate on fixing them, and coordinate the > release of such fixes. > > This Group will be unusual in several respects, due to the sensitive > nature of its work: Membership will be more selective, there will be a > strict communication policy, and members (or their employers) will need > to sign a non-disclosure and license agreement. These requirements do, > strictly speaking, violate the OpenJDK Bylaws. Per our past discussions, > however, I trust that Governing Board members will approve the creation > of the Group with these exceptional requirements. > > The detailed proposal for the Group is here: > > http://cr.openjdk.java.net/~mr/ojvg/ > > The non-disclosure and license agreement (NDLA) is here: > > http://cr.openjdk.java.net/~mr/ojvg/ojvg-ndla-2018-01-30.pdf > > The proposed initial Lead of the Vulnerability Group is Andrew Gross, > who leads Oracle's internal Java Vulnerability Team. Andrew has over 25 > years experience in computer security including discovering and fixing > vulnerabilities, performing forensic analyses, tracking intruders, and > assisting government and law enforcement. He holds a Ph.D. in electrical > engineering from the University of California at San Diego. > > The suggested list of initial Group Members is: > > Martin Balao (Red Hat) > Aaron Bedra > Tasha Carl > Paul Cheeseman (IBM) > John Coomes (Twitter) > Andrew Gross (Oracle) > Andrew Haley (Red Hat) > Frances Ho (Oracle) > Paul Hohensee (Amazon) > Andrew Hughes (Red Hat) > Bernd Mathiske (Amazon) > Ramki Ramakrishna (Twitter) > Mark Reinhold (Oracle) > Simon Ritter (Azul) > Volker Simonis (SAP) > Gil Tene (Azul) > Dalibor Topic (Oracle) > Jesper Wilhelmsson (Oracle) > > (Organizational affiliations are not normally relevant when proposing a > new Group; they are shown here to demonstrate that a broad cross-section > of downstream maintainers will be represented.) > > Only current Governing Board Members [1] are eligible to vote on this > motion. Votes must be cast in the open by replying to this mailing list. > > Votes are due in two weeks, by 23:00 UTC on Wednesday, 14 March [2]. > > For Simple Majority voting instructions, see [3]. > > - Mark > > > [1] http://openjdk.java.net/census#gb > [2] https://time.is/2300_14_Mar_2018_in_UTC/GMT/EST/PST?OJVG_votes_due > [3] http://openjdk.java.net/groups/#new-group-vote > From John_Duimovich at ca.ibm.com Thu Mar 1 15:39:11 2018 From: John_Duimovich at ca.ibm.com (John Duimovich) Date: Thu, 1 Mar 2018 10:39:11 -0500 Subject: OpenJDK Governing Board CFV: Vulnerability Group In-Reply-To: <20180228161326.D15F2179947@eggemoggin.niobe.net> References: <20180228161326.D15F2179947@eggemoggin.niobe.net> Message-ID: Vote: yes From: mark.reinhold at oracle.com To: gb-discuss at openjdk.java.net Date: 2018/02/28 11:13 AM Subject: OpenJDK Governing Board CFV: Vulnerability Group Sent by: "gb-discuss" (This is a call for votes, but only from members of the Governing Board.) I hereby propose the creation of the Vulnerability Group, with Andrew Gross as the initial Lead. This Group will be a secure, private forum in which trusted members of the OpenJDK Community can receive reports of vulnerabilities in OpenJDK code bases, review them, collaborate on fixing them, and coordinate the release of such fixes. This Group will be unusual in several respects, due to the sensitive nature of its work: Membership will be more selective, there will be a strict communication policy, and members (or their employers) will need to sign a non-disclosure and license agreement. These requirements do, strictly speaking, violate the OpenJDK Bylaws. Per our past discussions, however, I trust that Governing Board members will approve the creation of the Group with these exceptional requirements. The detailed proposal for the Group is here: https://urldefense.proofpoint.com/v2/url?u=http-3A__cr.openjdk.java.net_-7Emr_ojvg_&d=DwIBAg&c=jf_iaSHvJObTbx-siA1ZOg&r=C7RCUJQXBA0i7fnSu7P6kvzM1tE2SAFp_ZUckIpe1zQ&m=WR6pr9ezBHK0c8QEPzZIGZyQaiC0uZVAwgbdsiMZ-NI&s=VmLg2Zii54jcX7N9Jp3gvqrZgaJpTDhkiQG8bgrENdc&e= The non-disclosure and license agreement (NDLA) is here: https://urldefense.proofpoint.com/v2/url?u=http-3A__cr.openjdk.java.net_-7Emr_ojvg_ojvg-2Dndla-2D2018-2D01-2D30.pdf&d=DwIBAg&c=jf_iaSHvJObTbx-siA1ZOg&r=C7RCUJQXBA0i7fnSu7P6kvzM1tE2SAFp_ZUckIpe1zQ&m=WR6pr9ezBHK0c8QEPzZIGZyQaiC0uZVAwgbdsiMZ-NI&s=OyNEXsysobJCNbdtuBl6e9Rvv3x305FTLzoJZsCASn8&e= The proposed initial Lead of the Vulnerability Group is Andrew Gross, who leads Oracle's internal Java Vulnerability Team. Andrew has over 25 years experience in computer security including discovering and fixing vulnerabilities, performing forensic analyses, tracking intruders, and assisting government and law enforcement. He holds a Ph.D. in electrical engineering from the University of California at San Diego. The suggested list of initial Group Members is: Martin Balao (Red Hat) Aaron Bedra Tasha Carl Paul Cheeseman (IBM) John Coomes (Twitter) Andrew Gross (Oracle) Andrew Haley (Red Hat) Frances Ho (Oracle) Paul Hohensee (Amazon) Andrew Hughes (Red Hat) Bernd Mathiske (Amazon) Ramki Ramakrishna (Twitter) Mark Reinhold (Oracle) Simon Ritter (Azul) Volker Simonis (SAP) Gil Tene (Azul) Dalibor Topic (Oracle) Jesper Wilhelmsson (Oracle) (Organizational affiliations are not normally relevant when proposing a new Group; they are shown here to demonstrate that a broad cross-section of downstream maintainers will be represented.) Only current Governing Board Members [1] are eligible to vote on this motion. Votes must be cast in the open by replying to this mailing list. Votes are due in two weeks, by 23:00 UTC on Wednesday, 14 March [2]. For Simple Majority voting instructions, see [3]. - Mark [1] https://urldefense.proofpoint.com/v2/url?u=http-3A__openjdk.java.net_census-23gb&d=DwIBAg&c=jf_iaSHvJObTbx-siA1ZOg&r=C7RCUJQXBA0i7fnSu7P6kvzM1tE2SAFp_ZUckIpe1zQ&m=WR6pr9ezBHK0c8QEPzZIGZyQaiC0uZVAwgbdsiMZ-NI&s=WCZqQw1FZqFCUZmBdfQjfCLDYAkGNbewJbl5kvVv9bQ&e= [2] https://urldefense.proofpoint.com/v2/url?u=https-3A__time.is_2300-5F14-5FMar-5F2018-5Fin-5FUTC_GMT_EST_PST-3FOJVG-5Fvotes-5Fdue&d=DwIBAg&c=jf_iaSHvJObTbx-siA1ZOg&r=C7RCUJQXBA0i7fnSu7P6kvzM1tE2SAFp_ZUckIpe1zQ&m=WR6pr9ezBHK0c8QEPzZIGZyQaiC0uZVAwgbdsiMZ-NI&s=Lj7_EWMF8OPHDQIbUuOZtuNaT9vTxC_1psuqtA3Agjo&e= [3] https://urldefense.proofpoint.com/v2/url?u=http-3A__openjdk.java.net_groups_-23new-2Dgroup-2Dvote&d=DwIBAg&c=jf_iaSHvJObTbx-siA1ZOg&r=C7RCUJQXBA0i7fnSu7P6kvzM1tE2SAFp_ZUckIpe1zQ&m=WR6pr9ezBHK0c8QEPzZIGZyQaiC0uZVAwgbdsiMZ-NI&s=V30QJzepY5_NDJOF_FDxZX3E_pN0y9uclvTfrjBmgOo&e= From georges.saab at oracle.com Thu Mar 1 16:47:49 2018 From: georges.saab at oracle.com (Georges Saab) Date: Thu, 1 Mar 2018 08:47:49 -0800 Subject: OpenJDK Governing Board CFV: Vulnerability Group In-Reply-To: <20180228161326.D15F2179947@eggemoggin.niobe.net> References: <20180228161326.D15F2179947@eggemoggin.niobe.net> Message-ID: Vote: yes > On Feb 28, 2018, at 8:13 AM, mark.reinhold at oracle.com wrote: > > (This is a call for votes, but only from members of the Governing Board.) > > I hereby propose the creation of the Vulnerability Group, with Andrew > Gross as the initial Lead. > > This Group will be a secure, private forum in which trusted members of > the OpenJDK Community can receive reports of vulnerabilities in OpenJDK > code bases, review them, collaborate on fixing them, and coordinate the > release of such fixes. > > This Group will be unusual in several respects, due to the sensitive > nature of its work: Membership will be more selective, there will be a > strict communication policy, and members (or their employers) will need > to sign a non-disclosure and license agreement. These requirements do, > strictly speaking, violate the OpenJDK Bylaws. Per our past discussions, > however, I trust that Governing Board members will approve the creation > of the Group with these exceptional requirements. > > The detailed proposal for the Group is here: > > http://cr.openjdk.java.net/~mr/ojvg/ > > The non-disclosure and license agreement (NDLA) is here: > > http://cr.openjdk.java.net/~mr/ojvg/ojvg-ndla-2018-01-30.pdf > > The proposed initial Lead of the Vulnerability Group is Andrew Gross, > who leads Oracle's internal Java Vulnerability Team. Andrew has over 25 > years experience in computer security including discovering and fixing > vulnerabilities, performing forensic analyses, tracking intruders, and > assisting government and law enforcement. He holds a Ph.D. in electrical > engineering from the University of California at San Diego. > > The suggested list of initial Group Members is: > > Martin Balao (Red Hat) > Aaron Bedra > Tasha Carl > Paul Cheeseman (IBM) > John Coomes (Twitter) > Andrew Gross (Oracle) > Andrew Haley (Red Hat) > Frances Ho (Oracle) > Paul Hohensee (Amazon) > Andrew Hughes (Red Hat) > Bernd Mathiske (Amazon) > Ramki Ramakrishna (Twitter) > Mark Reinhold (Oracle) > Simon Ritter (Azul) > Volker Simonis (SAP) > Gil Tene (Azul) > Dalibor Topic (Oracle) > Jesper Wilhelmsson (Oracle) > > (Organizational affiliations are not normally relevant when proposing a > new Group; they are shown here to demonstrate that a broad cross-section > of downstream maintainers will be represented.) > > Only current Governing Board Members [1] are eligible to vote on this > motion. Votes must be cast in the open by replying to this mailing list. > > Votes are due in two weeks, by 23:00 UTC on Wednesday, 14 March [2]. > > For Simple Majority voting instructions, see [3]. > > - Mark > > > [1] http://openjdk.java.net/census#gb > [2] https://time.is/2300_14_Mar_2018_in_UTC/GMT/EST/PST?OJVG_votes_due > [3] http://openjdk.java.net/groups/#new-group-vote From aph at redhat.com Thu Mar 1 17:06:04 2018 From: aph at redhat.com (Andrew Haley) Date: Thu, 1 Mar 2018 17:06:04 +0000 Subject: OpenJDK Governing Board CFV: Vulnerability Group In-Reply-To: <20180228161326.D15F2179947@eggemoggin.niobe.net> References: <20180228161326.D15F2179947@eggemoggin.niobe.net> Message-ID: <1fd08e38-c3b9-7136-1102-1498d9a8fe6a@redhat.com> Vote: yes On 28/02/18 16:13, mark.reinhold at oracle.com wrote: > (This is a call for votes, but only from members of the Governing Board.) > > I hereby propose the creation of the Vulnerability Group, with Andrew > Gross as the initial Lead. > > This Group will be a secure, private forum in which trusted members of > the OpenJDK Community can receive reports of vulnerabilities in OpenJDK > code bases, review them, collaborate on fixing them, and coordinate the > release of such fixes. > > This Group will be unusual in several respects, due to the sensitive > nature of its work: Membership will be more selective, there will be a > strict communication policy, and members (or their employers) will need > to sign a non-disclosure and license agreement. These requirements do, > strictly speaking, violate the OpenJDK Bylaws. Per our past discussions, > however, I trust that Governing Board members will approve the creation > of the Group with these exceptional requirements. > > The detailed proposal for the Group is here: > > http://cr.openjdk.java.net/~mr/ojvg/ > > The non-disclosure and license agreement (NDLA) is here: > > http://cr.openjdk.java.net/~mr/ojvg/ojvg-ndla-2018-01-30.pdf > > The proposed initial Lead of the Vulnerability Group is Andrew Gross, > who leads Oracle's internal Java Vulnerability Team. Andrew has over 25 > years experience in computer security including discovering and fixing > vulnerabilities, performing forensic analyses, tracking intruders, and > assisting government and law enforcement. He holds a Ph.D. in electrical > engineering from the University of California at San Diego. > > The suggested list of initial Group Members is: > > Martin Balao (Red Hat) > Aaron Bedra > Tasha Carl > Paul Cheeseman (IBM) > John Coomes (Twitter) > Andrew Gross (Oracle) > Andrew Haley (Red Hat) > Frances Ho (Oracle) > Paul Hohensee (Amazon) > Andrew Hughes (Red Hat) > Bernd Mathiske (Amazon) > Ramki Ramakrishna (Twitter) > Mark Reinhold (Oracle) > Simon Ritter (Azul) > Volker Simonis (SAP) > Gil Tene (Azul) > Dalibor Topic (Oracle) > Jesper Wilhelmsson (Oracle) > > (Organizational affiliations are not normally relevant when proposing a > new Group; they are shown here to demonstrate that a broad cross-section > of downstream maintainers will be represented.) > > Only current Governing Board Members [1] are eligible to vote on this > motion. Votes must be cast in the open by replying to this mailing list. > > Votes are due in two weeks, by 23:00 UTC on Wednesday, 14 March [2]. > > For Simple Majority voting instructions, see [3]. > > - Mark > > > [1] http://openjdk.java.net/census#gb > [2] https://time.is/2300_14_Mar_2018_in_UTC/GMT/EST/PST?OJVG_votes_due > [3] http://openjdk.java.net/groups/#new-group-vote > -- Andrew Haley Java Platform Lead Engineer Red Hat UK Ltd. EAC8 43EB D3EF DB98 CC77 2FAD A5CD 6035 332F A671 From mark.reinhold at oracle.com Thu Mar 1 17:06:16 2018 From: mark.reinhold at oracle.com (mark.reinhold at oracle.com) Date: Thu, 01 Mar 2018 09:06:16 -0800 Subject: OpenJDK Governing Board CFV: Vulnerability Group In-Reply-To: <20180228161326.D15F2179947@eggemoggin.niobe.net> References: <20180228161326.D15F2179947@eggemoggin.niobe.net> Message-ID: <20180301090616.884079800@eggemoggin.niobe.net> 2018/2/28 8:13:26 -0800, mark.reinhold at oracle.com: > ... > > The suggested list of initial Group Members is: > > Martin Balao (Red Hat) > Aaron Bedra > Tasha Carl Correction, for the record: Tasha Carl will represent the London Java Community. - Mark From volker.simonis at gmail.com Thu Mar 8 17:57:44 2018 From: volker.simonis at gmail.com (Volker Simonis) Date: Thu, 8 Mar 2018 18:57:44 +0100 Subject: JDK submit repo In-Reply-To: References: Message-ID: On Tue, Mar 6, 2018 at 7:05 PM, Vladimir Kozlov wrote: > My understanding is currently it is not enough for *HotSpot* changes. You > still need to ask for sponsor to run additional Hotspot tests. > At FOSDEM 2018, the OpenJDK Lead Mark Reinhold answered my comment that it is still not possible for external committers to push HotSpot changes with the words: "Actually it is possible!" (see 7:51min of [1]) He further detailed: "If you are working on shared code and you run it trough the submission repo ... and all test pass you should be clear to push it." (see 8:16 min of [1]) So if that's not true it is, to put it mildly, at least disappointing. It then seems like Oracle now creates a "fake" submission forest before every FOSDEM (you may remember that we already had a different one before FOSDEM 2017 which could also not be used for submitting, i.e. pushing, real change) just to shine at the "OpenJDK Governing Board Q&A" [2] session. If the submission repo can neither be used for pushing changes directly nor for pushing them manually after the tests executed by the repo have passed, please remove it completely or rename to something like "run_some_random_tests_if_youd_like_to_burn_some_cpu_power_in_the_oracle_cloud-repo". There's really no reason why any developer should use it in that case! 1. If all the tests pass, I have to ask an Oracle developer anyway to run "some other" tests and push my change. So why should I use the submission forest in the first place? 2. If the tests don't pass, I get a cryptic, completely meaningless error mail. Again, I have to ask an Oracle developer to tell me what went wrong. I could have much more easily come to the same result by just asking an Oracle developer to push my change right from the start. He would have run it through "some internal tests" and told me right away what's wrong. In both cases neither I nor the Oracle sponsor gets any benefit from the current submission forest. So Mark, you in your role as OpenJDK Lead, could you please give an authoritative to the question what the submission forest is good for and remove it in the case it turns out to be useless? Thank you and best regards, Volker [1] https://video.fosdem.org/2018/UD2.208/gb_qa.mp4 [2] https://fosdem.org/2018/schedule/event/gb_qa/ > Regards, > Vladimir > > > On 3/6/18 6:51 AM, Lindenmaier, Goetz wrote: >> >> Hi, >> >> What is the status of the tests executed on the JDK submit repo? >> >> Can I push my change if it passes these tests? Or are there still >> tests missing that would be executed by Oracle engineers if they >> sponsor? Are these relevant? >> >> Best regards, >> Goetz. >> >> > From mark.reinhold at oracle.com Fri Mar 9 15:57:21 2018 From: mark.reinhold at oracle.com (mark.reinhold at oracle.com) Date: Fri, 9 Mar 2018 07:57:21 -0800 (PST) Subject: JDK submit repo In-Reply-To: References: Message-ID: <20180309155721.86FEB17B2B5@eggemoggin.niobe.net> 2018/3/8 9:57:44 -0800, volker.simonis at gmail.com: > On Tue, Mar 6, 2018 at 7:05 PM, vladimir.kozlov at oracle.com wrote: >> My understanding is currently it is not enough for *HotSpot* changes. You >> still need to ask for sponsor to run additional Hotspot tests. > > At FOSDEM 2018, the OpenJDK Lead Mark Reinhold answered my comment > that it is still not possible for external committers to push HotSpot > changes with the words: > > "Actually it is possible!" (see 7:51min of [1]) > > He further detailed: > > "If you are working on shared code and you run it trough the > submission repo ... and all test pass you should be clear to push it." > (see 8:16 min of [1]) The full context, for those who weren't there or who didn't watch the video, includes two other statements by me: (8:08) "Consult with your local HotSpot gatekeeper, Jesper or whomever" (8:23) "Jesper and I were chatting about this a couple of weeks ago; he plans to communicate this so that people understand." In other words, in real time I clarified my initial response ("actually, it is possible") to say that Jesper (or someone) would propose some concrete guidelines for how the submit repo is intended to be used. Jesper had in fact already addressed this issue prior to FOSDEM [1], noting that: 2018/1/24 5:21:40 -0800, jesper.wilhelmsson at oracle.com: > This is not a complete answer, but I'm working on it. > > Currently the set of tests run in JDK submit does not include all the > HotSpot tests that we run on all pushes in jdk/hs. My hope is that we > will be able to sync that going forward to make the JDK submit more > useful for HotSpot developers. > > Internally we do no longer use the JPRT pre-commit test system that > some may have heard of in the past. Instead we use post-commit > continuous integration (CI) that is running several tiers of > tests. This is one step closer to allowing non-Oracle Contributors to > push HotSpot code directly. Once the JDK submit runs all required > HotSpot CI tiers we will be almost there. > > 2018/1/24 0:24:19 -0800, volker.simonis at gmail.com: >> If the answer is "yes", there's still the problem that hotspot changes >> should go into jdk/hs but the submit repo mirrors jdk/jdk so what I've >> tested in the submit repo might be slightly different from what I will >> actually push. > > This is another problem. I'm trying to enable more frequent > integrations between jdk/jdk and jdk/hs, but currently there is up to a > week delay in getting changes from hs to jdk. Again it is a question of > when and where we run different HotSpot tiers. These weren't full guidelines, of course, but his message hopefully made it clear that further work was needed to get everything aligned -- more than you might assume given the very simple interface of the submit repo. Since FOSDEM we've made some additional internal changes that ensure that changes pushed to the submit repo will receive adequate testing, even if those changes affect shared HotSpot code. There remains the problem of the submit repo being a child of jdk/jdk rather than jdk/hs. To address that we'll shortly set up a second submit repo that's a child of jdk/hs. Once that's up and working then any HotSpot change, from any contributor, that passes the tests run against the submit-hs repo will be clear to go directly into jdk/hs (modulo any temporary gatekeeping restrictions, which will apply to everyone and be announced in advance). - Mark [1] http://mail.openjdk.java.net/pipermail/jdk-dev/2018-January/000579.html From volker.simonis at gmail.com Fri Mar 9 16:41:32 2018 From: volker.simonis at gmail.com (Volker Simonis) Date: Fri, 9 Mar 2018 17:41:32 +0100 Subject: JDK submit repo In-Reply-To: <20180309155721.86FEB17B2B5@eggemoggin.niobe.net> References: <20180309155721.86FEB17B2B5@eggemoggin.niobe.net> Message-ID: On Fri, Mar 9, 2018 at 4:57 PM, wrote: > 2018/3/8 9:57:44 -0800, volker.simonis at gmail.com: >> On Tue, Mar 6, 2018 at 7:05 PM, vladimir.kozlov at oracle.com wrote: >>> My understanding is currently it is not enough for *HotSpot* changes. You >>> still need to ask for sponsor to run additional Hotspot tests. >> >> At FOSDEM 2018, the OpenJDK Lead Mark Reinhold answered my comment >> that it is still not possible for external committers to push HotSpot >> changes with the words: >> >> "Actually it is possible!" (see 7:51min of [1]) >> >> He further detailed: >> >> "If you are working on shared code and you run it trough the >> submission repo ... and all test pass you should be clear to push it." >> (see 8:16 min of [1]) > > The full context, for those who weren't there or who didn't watch the > video, includes two other statements by me: > > (8:08) "Consult with your local HotSpot gatekeeper, Jesper or whomever" > > (8:23) "Jesper and I were chatting about this a couple of weeks ago; > he plans to communicate this so that people understand." > > In other words, in real time I clarified my initial response ("actually, > it is possible") to say that Jesper (or someone) would propose some > concrete guidelines for how the submit repo is intended to be used. > > Jesper had in fact already addressed this issue prior to FOSDEM [1], > noting that: > > 2018/1/24 5:21:40 -0800, jesper.wilhelmsson at oracle.com: >> This is not a complete answer, but I'm working on it. >> >> Currently the set of tests run in JDK submit does not include all the >> HotSpot tests that we run on all pushes in jdk/hs. My hope is that we >> will be able to sync that going forward to make the JDK submit more >> useful for HotSpot developers. >> >> Internally we do no longer use the JPRT pre-commit test system that >> some may have heard of in the past. Instead we use post-commit >> continuous integration (CI) that is running several tiers of >> tests. This is one step closer to allowing non-Oracle Contributors to >> push HotSpot code directly. Once the JDK submit runs all required >> HotSpot CI tiers we will be almost there. >> >> 2018/1/24 0:24:19 -0800, volker.simonis at gmail.com: >>> If the answer is "yes", there's still the problem that hotspot changes >>> should go into jdk/hs but the submit repo mirrors jdk/jdk so what I've >>> tested in the submit repo might be slightly different from what I will >>> actually push. >> >> This is another problem. I'm trying to enable more frequent >> integrations between jdk/jdk and jdk/hs, but currently there is up to a >> week delay in getting changes from hs to jdk. Again it is a question of >> when and where we run different HotSpot tiers. > > These weren't full guidelines, of course, but his message hopefully made > it clear that further work was needed to get everything aligned -- more > than you might assume given the very simple interface of the submit repo. > > Since FOSDEM we've made some additional internal changes that ensure that > changes pushed to the submit repo will receive adequate testing, even if > those changes affect shared HotSpot code. > > There remains the problem of the submit repo being a child of jdk/jdk > rather than jdk/hs. To address that we'll shortly set up a second submit > repo that's a child of jdk/hs. Once that's up and working then any > HotSpot change, from any contributor, that passes the tests run against > the submit-hs repo will be clear to go directly into jdk/hs (modulo any > temporary gatekeeping restrictions, which will apply to everyone and be > announced in advance). Depending of what "shortly" means this sounds very promising. I only hope it will be considerably before FOSDEM 2019 :) > > - Mark > > > [1] http://mail.openjdk.java.net/pipermail/jdk-dev/2018-January/000579.html From mark.reinhold at oracle.com Tue Mar 13 21:02:59 2018 From: mark.reinhold at oracle.com (mark.reinhold at oracle.com) Date: Tue, 13 Mar 2018 14:02:59 -0700 Subject: OpenJDK Governing Board CFV: Vulnerability Group In-Reply-To: <20180228161326.D15F2179947@eggemoggin.niobe.net> References: <20180228161326.D15F2179947@eggemoggin.niobe.net> Message-ID: <20180313140259.122763876@eggemoggin.niobe.net> Vote: yes - Mark