[8u] TLS 1.3: fallback scheme for the new SunJSSE engine
Andrew Hughes
gnu.andrew at redhat.com
Sun Jun 7 17:21:32 UTC 2020
On 05/06/2020 16:03, Martin Balao wrote:
snip...
>
> One thing that came to my mind to address this problem was having an
> 'emergency 8u272 build' with all the security patches applied but
> without the TLS 1.3 engine. In case things go horribly wrong, we can ask
> our users to use that build until 8u282.
>
I don't think this is feasible. It seems to assume that the only change
in 8u272 will be the TLS 1.3 engine. The reality is that the period from
now until rampdown will be a mix of TLS 1.3 patches interleaved with
other backports, so one would have to cherry-pick out all the non-TLS
work and reapply it somewhere else.

My suggestion would be to follow the JFR route:

1. Now: Set up a TLS incubator tree and apply the patches there.
2. Monday, August 24th, 2020: Decide whether to merge the incubator tree
into 8u-dev before rampdown on Friday, 28th.
3. Assuming it is integrated, test TLS 1.3 in 8u272 during September.

The benefits of this are:

1. You can handle the commit policy for the incubator (just reviews, no
need for individual approvals)
2. One single approval can be used to merge TLS 1.3 in rampdown week.
3. Merging just before rampdown makes your proposal feasible, assuming
low traffic during rampdown.

Thanks,
--
Andrew :)
Senior Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)
PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222