JDK 11.0.3 Update process
Andrew Haley
aph at redhat.com
Wed Feb 13 18:38:19 UTC 2019
On 2/13/19 6:30 PM, Volker Simonis wrote:
>> There are potentially some issues here. We may have to integrate
>> non-security fixes into the hidden CPU tree, and we may have to do
>> that in a way that people outside the VG cannot see. So yes, that's
>> highly desirable, but no promises.
>>
> Yes, but this should be only for the fairly rare cases, where a
> security fix has some dependency on a non-security change and pulling
> that non-security change in via jdk-updates/jdk11u would disclose
> something about the upcoming security change. Otherwise, I still think
> it would be advisable to do such changes in jdk-updates/jdk11u and
> regularly merge them into jdk-updates/jdk11u-sec.
Well, yes, but not if doing so impacts our ability to deliver the CPU in
a timely way. We'll try.
> Sorry if my insistence in doing as much as possible of the
> non-security work in in jdk-updates/jdk11u (and pulling it from there
> into jdk-updates/jdk11u-sec) seems stubborn. I understand that it may
> produce a little extra-overhead on the side of the
> jdk-updates/jdk11u-sec maintainers. On the other side, it makes the
> live for all the other down-stream consumers easier, leads to better
> test coverage for the update release and keeps the VG mailing list
> focused on vulnerability issues. Otherwise, it would be necessary to
> also communicate and discuss the non-security fixes done in the
> "closed" jdk-updates/jdk11u-sec over the VG mailing list.
Yes, I get that. But I will not tie the hands of the developers in the
critical path.
--
Andrew Haley
Java Platform Lead Engineer
Red Hat UK Ltd. <https://www.redhat.com>
EAC8 43EB D3EF DB98 CC77 2FAD A5CD 6035 332F A671
More information about the jdk-updates-dev
mailing list