Version and Security

Paul Benedict pbenedict at apache.org
Mon Jan 11 20:47:55 UTC 2016


I'd like to offer a suggestion. I am late to the game with this idea, but I
think it's worth mentioning. Right now I think the proposed encoding is too
complex and would like an alternative.

I don't think the JDK version string should include any special encoding
for security. I believe product versioning and security patch versioning
should be made clear by 2 different system properties. There should be an
additional "security patch level" property that corresponds to the version
(or date) of either OpenJDK and/or Oracle for whatever their statuses are.

Example strings:
java.version=9.0.1
openjdk.java.security.level=2016-01-02
oracle.java.security.level=2016-01-11

How to interpret this example:
Java 9.0.1 has all security patches from OpenJDK since 2016-01-02 and,
because my example is using an Oracle JDK, it includes their own
proprietary security patches up to 2016-01-11.

Cheers,
Paul
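
An added example, not part of the original message and not JDK code: a patch-level policy check a consumer could run if the two proposed properties existed. The property names come from the message; the date form of the value, the `SecurityLevelCheck` class, its `check` method and the baseline dates are assumptions made for illustration.

```java
import java.time.LocalDate;
import java.time.format.DateTimeParseException;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Properties;

public class SecurityLevelCheck {

    // Outcome per vendor: OK, STALE (older than baseline), MISSING, or MALFORMED.
    enum Status { OK, STALE, MISSING, MALFORMED }

    // Compare each "<vendor>.java.security.level" property against a minimum date.
    // A missing or unparseable value is reported explicitly, never treated as OK.
    static Map<String, Status> check(Properties props, Map<String, LocalDate> baselines) {
        Map<String, Status> result = new LinkedHashMap<>();
        for (Map.Entry<String, LocalDate> e : baselines.entrySet()) {
            String key = e.getKey() + ".java.security.level";
            String raw = props.getProperty(key);
            Status s;
            if (raw == null) {
                s = Status.MISSING;
            } else {
                try {
                    LocalDate level = LocalDate.parse(raw.trim()); // ISO date, as in the message
                    s = level.isBefore(e.getValue()) ? Status.STALE : Status.OK;
                } catch (DateTimeParseException ex) {
                    s = Status.MALFORMED;
                }
            }
            result.put(key, s);
        }
        return result;
    }

    public static void main(String[] args) {
        // Constructed sample: the three example strings from the message.
        Properties props = new Properties();
        props.setProperty("java.version", "9.0.1");
        props.setProperty("openjdk.java.security.level", "2016-01-02");
        props.setProperty("oracle.java.security.level", "2016-01-11");

        // Hypothetical policy baselines, chosen for illustration only.
        Map<String, LocalDate> baselines = new LinkedHashMap<>();
        baselines.put("openjdk", LocalDate.of(2016, 1, 1));
        baselines.put("oracle", LocalDate.of(2016, 1, 20));

        check(props, baselines).forEach((k, v) -> System.out.println(k + " -> " + v));
    }
}
```

The check never reads `java.version`, which is the separation the message argues for: the patch level can be evaluated without decoding anything from the product version string.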

