Version and Security

Remi Forax forax at univ-mlv.fr
Tue Jan 12 12:15:30 UTC 2016


Hi Paul,
while using dates to indicate the last security patch is interesting,
you want the version of the produced artifact to reflect the security patch level to ease the work of the ops.

Rémi 

----- Original Message -----
> From: "Paul Benedict" <pbenedict at apache.org>
> To: verona-dev at openjdk.java.net
> Sent: Monday, 11 January 2016 21:47:55
> Subject: Version and Security
> 
> I'd like to offer a suggestion. I am late to the game with this idea, but I
> think it's worth mentioning. Right now I think the proposed encoding is too
> complex and would like an alternative.
> 
> I don't think the JDK version string should include any special encoding
> for security. I believe product versioning and security patch versioning
> should be made clear by 2 different system properties. There should be an
> additional "security patch level" property that corresponds to the version
> (or date) of either OpenJDK and/or Oracle for whatever their statuses are.
> 
> Example strings:
> java.version=9.0.1
> openjdk.java.security.level=2016-01-02
> oracle.java.security.level=2016-01-11
> 
> How to interpret this example:
> Java 9.0.1 has all security patches from OpenJDK since 2016-01-02 and,
> because my example is using an Oracle JDK, it includes their own
> proprietary security patches up to 2016-01-11.
> 
> Cheers,
> Paul
> 

