Mystery meat OpenJDK builds strike again

Gil Tene gil at azul.com
Mon May 27 16:23:00 UTC 2019



Sent from my iPad

On May 27, 2019, at 7:59 AM, Thomas Stüfe <thomas.stuefe at gmail.com> wrote:

Hi Gil,

On Mon, May 27, 2019 at 1:41 AM Gil Tene <gil at azul.com> wrote:
Seriously?

You see factual reporting (directly documented and dated in the original posting) of the actual version numbers being used by official docker images, along with irrefutable proof that the packages used in those were built weeks before the respective OpenJDK 8u and 11u releases were complete, as “fake news”?

You think that alerting millions of unsuspecting people using exposed, insecure builds that falsely report their OpenJDK version (as one that includes e.g. critical security fixes) to the fact as “marketing”?


Did you try to contact Debian folks to give them an opportunity to fix those security concerns before going public with them? Or did they not react in time?

Multiple times over ~4.5 years, and through multiple channels. The
“we don’t care”, “go away, vendor”, and “java and openjdk do versioning
wrong” reactions are the most common. Many were less polite than that.
The defensive tone of the email you see on this thread is about average.
The denial and deflection attempts you see there are also common.
Some people just don’t want help, at least not from some. And that’s fine.

There is an established way to coordinate activity around security issues in the
java community, with plenty of time to deal with them before publication, and a
coordinated embargo date before which they do not get discussed publicly.
Each java distribution is then free to include fixes to those issues after that date.
And since the binaries for fixed versions become widely available, CVE information
published, and source code for the fixes shows up in at least some cases (e.g.
OpenJDK), the cats are out of their bags at that point.

As has happened many, many times in the past, OpenJDK 8u chose the 8u212
release, and OpenJDK 11u the 11.0.3 release, as the ones that would include the
8u and 11u updates for issues revealed on April 16, 2019 (the coordinated
quarterly update date). All tagged builds with 8u212 mentioned prior to that date
were not releases, but things preparing to eventually become the 8u212 release.
By necessity, none of the non-release builds included any security fixes, as those
were all developed and integrated “in the dark”. Same goes for 11.0.3.

OpenJDK code is open source, and the process of developing an upcoming
quarterly update release is done mostly in the open (with exceptions, like
the security part, which is done in the dark but still with community
coordination). These are good things.

But these good things also mean that anyone, anywhere, can pick up source
code at any point, and are perfectly within their rights to build that code, call
it whatever version they want, give it to people, and even advertise and market
it as “stable” and attack anyone who dares to suggest anything is wrong with
their choices.

Does that mean that making a JDK from unreleased code and calling it 8u212
(with no “not really” disqualifier) is a good idea? Probably not according to most
people. Certainly not IMO. But as noted before, I gave up on holding my
breath a long time ago.


Cheers, Thomas