Heads up: planned Harfbuzz update in jdk11u-dev
Lindenmaier, Goetz
goetz.lindenmaier at sap.com
Tue Jan 25 14:02:58 UTC 2022
Hi Andrew Haley, Andrew Hughes, Matthias, Christoph, others...
> While I take your point, I'll note that a Harfbuzz update doesn't seem
> to meet any of the criteria required for backports
I think updates to libraries that are not developed in OpenJDK are
special. We are OpenJDK experts, not harfbuzz / siphash / jline etc.
Tracking all changes to such components to identify needed
ones would be a considerable additional effort. Andrew Hughes, thanks
for fixing 8279541! We missed those fixes because we left out [2]
in 11.0.11. It was the first time we left out such an update that
was done by Oracle. We did it because of the C++11 issue.
Other points why I think we should try to update harfbuzz:
* Updates fix errors
* Oracle did it, OpenJDK should not stay behind
* The default of the VM should be secure.
> If people want a newer HarfBuzz, they can use --with-harfbuzz=system
If someone needs something special then someone should
go the hard way (use the system lib)
* Severe CVEs might appear in harfbuzz in the future.
If we need to make an update on short notice, or coming
with the embargoed changes, others do not have the necessary
time to upgrade their compilers. So better do it now with
enough time.
And yes, increasing the C++ version is a bad thing. But because of
the points above I think we should try to resolve all downstream
issues with C++11 and then update harfbuzz.
> I have been wondering for some time about building
> Vanillas with a more recent
> version of GCC but still using the old libc for compatibility
> and maybe this is the time to put that idea into effect.
Andrew Haley, I appreciate this plan!
Best regards,
Goetz.
[1] 8279541: Improve HarfBuzz
[2] https://bugs.openjdk.java.net/browse/JDK-8210782 Upgrade HarfBuzz to the latest 2.3.1
[3] https://openjdk.java.net/browse/JDK-8247872 Upgrade HarfBuzz to the latest 2.7.2
[4] https://bugs.openjdk.java.net/browse/JDK-8261169 Upgrade HarfBuzz to the latest 2.8.0
I cited from
http://mail.openjdk.java.net/pipermail/jdk-updates-dev/2022-January/011454.html
http://mail.openjdk.java.net/pipermail/jdk-updates-dev/2022-January/011498.html
> -----Original Message-----
> From: jdk-updates-dev <jdk-updates-dev-retn at openjdk.java.net> On
> Behalf Of Andrew Haley
> Sent: Tuesday, January 18, 2022 10:27 AM
> To: jdk-updates-dev at openjdk.java.net
> Subject: Re: Heads up: planned Harfbuzz update in jdk11u-dev
>
> On 1/17/22 22:34, Langer, Christoph wrote:
>
> > Andrew, I principally agree with your point. We obviously should try
> > to avoid changes that break existing build setups. However, OTOH, it
> > would be very helpful if OpenJDK 11u can be updated to current
> > harfbuzz versions. One of the main reasons is to be able to keep up
> > with security fixes. I think we should really try to be creative to
> > find a way how harfbuzz could be upgraded.
>
> While I take your point, I'll note that a Harfbuzz update doesn't seem
> to meet any of the criteria required for backports: it is more of a
> convenience for maintainers. We could take the view that because
> Harfbuzz is not part of the core OpenJDK but is a separate library we
> don't have to be so strict, I suppose. But such a change must be
> reviewed and discussed in the usual way.
>
> Let's investigate which targets will be adversely affected by this
> change, and make a decision based on what we find. I have been
> wondering for some time about building Vanillas with a more recent
> version of GCC but still using the old libc for compatibility (as
> Oracle do AFAIAA) and maybe this is the time to put that idea into
> effect.
>
> --
> Andrew Haley (he/him)
> Java Platform Lead Engineer
> Red Hat UK Ltd.
> <https://www.redhat.com/>
> https://keybase.io/andrewhaley
> EAC8 43EB D3EF DB98 CC77 2FAD A5CD 6035 332F A671