Mystery meat OpenJDK builds strike again

Sun May 26 22:25:05 UTC 2019

I am disappointed to see such trolling, bashing and telling fake news on a
technical mailing list.  Is this Azul's business model to promote their own
binary builds?

Such behavior propagates e.g. via twitter
https://twitter.com/jroper/status/1130678379403857920

I'm starting the discussion about version numbers and release information in a
new thread.

I am neither involved with any Docker image nor with any Debian backport.

Debian provides security support for its stable release (stretch, 9.x).
openjdk-11 isn't part of any released Debian version.

Ubuntu ships openjdk-8 as a supported package in Ubuntu 16.04 LTS and is
committed to provide security support for openjdk-8 in Ubuntu 18.04 LTS until
the EOL of Ubuntu 16.04 LTS (around April 2021).

Ubuntu 18.04 LTS initially shipped with OpenJDK 10 with the commitment to update
to OpenJDK 11 which now is available in the Ubuntu 18.04 LTS release (in the
security pocket).

There is no mystery meat, just security supported uploads for both Debian and
Ubuntu.

On 15.05.19 20:49, Gil Tene wrote:
> Umm…
> 
> Lumpy.local-43% docker run -it --rm openjdk:8 java -version
> openjdk version "1.8.0_212"
> OpenJDK Runtime Environment (build 1.8.0_212-8u212-b01-1~deb9u1-b01)
> OpenJDK 64-Bit Server VM (build 25.212-b01, mixed mode)
> Lumpy.local-44% date
> Wed May 15 11:41:12 PDT 2019
> 
> Look at the build number carefully… This was populated no later
> than March 27, 2019. 3 weeks before the actual 8u212 was released
> on April 16, 2019.

The Debian openjdk-8 source package is put together from the jdk8u,
aarch64-port/jdk8u-shenandoah and aarch32-port/jdk8u projects.  Certainly not
ideal, however these packages can only be made if all the sources are available,
or tagged.

I am happy to see that the aarch64-port tries to keep up with the jdk8u project
however this is a different story with the aarch32-port project:  The project
doesn't have *any* prerelease tags, plus the project updates it's release tags
only months after the jdk8u releases.  So blaming Debian for shipping what they
are able to ship and Azul holding back source releases yourself?   Ein Schelm
wer Böses dabei denkt ...

> Similarly:
> 
> Lumpy.local-46% docker run -it --rm openjdk:11 java -version
> openjdk version "11.0.3" 2019-04-16
> OpenJDK Runtime Environment (build 11.0.3+1-Debian-1bpo91)
> OpenJDK 64-Bit Server VM (build 11.0.3+1-Debian-1bpo91, mixed mode, sharing)
> Lumpy.local-47% date
> Wed May 15 11:43:12 PDT 2019
> 
> This one was populate dno later than April 3, 2 weeks before
> the actual 11.0.3 was released on April 16, 2019
> 
> If anyone was wondering about the importance of having version strings say
> "EA" (or some other "THIS IS NOT a RELEASED VERSION" warning) on any
> and all OpenJDK builds that are not an actual release build, the above shows
> you how bad things get when that practice is not followed.

Don't trust the label, just the content.  I agree that the java community is
much more label/version driven, however this is not a reason to discredit other
sane builds.

> Why Debian populated their repos with these builds is their business, and
> why docker chose to use those specific debian builds can be speculated
> about all we want. the details don't matter. The end result of these
> cumulative "reasonable" (according to some people) choices is that the
> default openjdk runs done by millions of people on docker right now are
> using "mystery meat", incomplete, and exposed builds while seeming to
> report (to the lay person) a Java version that would suggest a real 8u212
> or 11.0.3 (which one would expect has the security vulnerabilities in the
> April update addressed, the bug fixes included, etc.).

Again, I see this as an advertising or promotion email for the Azul binary
builds.  Fine, do so.  Both please use marketing lists and not the OpenJDK
technical lists.

Matthias