Heads up: planned Harfbuzz update in jdk11u-dev
Severin Gehwolf
sgehwolf at redhat.com
Fri Feb 4 14:54:46 UTC 2022
On Tue, 2022-01-25 at 14:02 +0000, Lindenmaier, Goetz wrote:
> Hi Andrew Haley, Andrew Hughes, Matthias, Christoph, others...
>
> > While I take your point, I'll note that a Harfbuzz update doesn't seem
> > to meet any of the criteria required for backports
>
> I think updates to libraries that are not developed in OpenJDK are
> special. We are OpenJDK experts, not harfbuzz / siphash / jline etc.
> Tracking all changes to such components to identify needed
> ones would be a considerable additional effort. Andrew Hughes, thanks
> for fixing 8279541! We missed those fixes because we left out [2]
> in 11.0.11. It was the first time we left out such an update that
> was done by Oracle. We did it because of the C++11 issue.
>
> Other points why I think we should try to update harfbuzz
> * Updates fix errors
> * Oracle did it, openJDK should not stay behind
> * The default of the VM should be secure.
> > If people want a newer HarfBuzz, they can use --with-harfbuzz=system
> If someone needs something special the someone should
> go the hard way (use the system lib)
> * Severe CVEs might appear in harfbuzz in the future.
> If we need to make an update on short notice, or coming
> with the embargoed changes, others do not have the necessary
> time to upgrade their compilers. So better do it now with
> enough time.
>
> And yes, increasing the C++ version is a bad thing. But because of
> the points above I think we should try to resolve all downstream
> issues with C++11 and then update harfbuzz.
>
> > I have been wondering for some time about building
> > Vanillas with a more recent
> > version of GCC but still using the old libc for compatibility
> > and maybe this is the time to put that idea into effect.
> Andrew Haley, I appreciate this plan!
FYI: We are able to use GCC 8 for the Vanilla JDK 11 builds. GCC 8
supports C++11. Builds are still RHEL 6/7 based as before.
No objection for this harfbuzz update from our end.
Thanks,
Severin
More information about the jdk-updates-dev
mailing list