JDK 11.0.3 Update process

Lindenmaier, Goetz goetz.lindenmaier at sap.com
Wed Feb 20 07:40:35 UTC 2019 

Hi Andrew, 
 
> Ok, let's put it another way; the next security update is on 2019-04-16.
> I need to know about a month before then whether I'm following the
> same process as for 7 (snapshot the tree, apply security patches,
> push them after unembargo and follow up with a release), or if we're
> doing something different, or if someone else is doing this.
For getting the security changes into the open repo after unembargo
this sounds good.  
To assure you can snapshot the tree 4 weeks in advance, it needs to
be stable at that point. I.e., we should stop pushing new changes 
even before that, say 8 weeks.  And it should be complete wrt. the
11.0.3-oracle changes at that point.

The security changes give an additional dimension to this, as they 
can not be handled in the open.  We would like to have a stable repo, 
and the same repo as you, for testing the security changes. We also 
need to release our OpenJDK deliverable, SapMachine, close to 
the Oracle release date.  And we would like to have the same changes
as you and as are tagged in the open with -ga when we release.
So we need to know in advance which non-security changes this are.
Having a stable version in jdk11u rather early should help with this.
Obviously, the security changes need to be communicated on the 
vulnerability list separately.
Thus, you can still snapshot the repo 4 weeks before the release date.
But it can be closed for new features ("new" in the meaning applicable for
a maintenance release) before that.

Actually, we would appreciate a lot if you could push your tree to the 
open right on the unembargo date - we could compare it to our internal 
SapMachine repo we use for testing the security changes - and if the two
agree build our release on the version you pushed.  If they don't agree, 
there might be a fix that was somehow lost and we could timely publish 
it to OpenJDK.  It would be bad though, if they would not agree on some
changes available in the open.

But actually, for 11.0.3, I think we should agree on how to handle the 
changes that can be done in the open, first.  For 11.0.4, we should look
at the security changes and how we, SAP, can help best with the security
patches.   

Best regards,
  Goetz.

PS: 
> (snapshot the tree, apply security patches,
> push them after unembargo and follow up with a release)
Didn't you only push them this week?

More information about the jdk-updates-dev mailing list