From mark.reinhold at oracle.com Mon Nov 12 11:32:11 2018 From: mark.reinhold at oracle.com (mark.reinhold at oracle.com) Date: Mon, 12 Nov 2018 03:32:11 -0800 (PST) Subject: =?utf-8?q?OpenJDK_Committers=E2=80=99_Workshop=2C_4_February_2019?= Message-ID: <20181112113211.BCB3222F293@eggemoggin.niobe.net> OpenJDK Committers and other regular contributors traditionally meet each February, in the Free Java dev room at FOSDEM in Brussels. The Free Java room runs for just one day, however, so there?s not a lot of time for the focused discussions amongst OpenJDK contributors that many of us enjoyed at the first Workshop in Santa Clara, California last August. We therefore plan to hold a one-day OpenJDK Committers? Workshop on Monday, 4 February, the day after FOSDEM. This time there won?t be any prepared presentations, since presumably those will have been presented during FOSDEM. We?ll instead run the entire day as an unconference, with plenty of time to discuss both technical and community issues. The precise location is yet to be determined but it will be in Brussels, Belgium so as to be convenient for those attending FOSDEM. There will likely be a modest attendance fee to cover costs. Space may be limited, depending upon the venue. If that turns out to be the case then preference will be given to Committers with a strong record of past contributions, though some space will be made for new Committers who have a strong potential for ongoing future contributions. The Workshop is organized by: Andrew Haley (Red Hat) Doug Lea (SUNY Oswego) Liam Miller-Cushon (Google) Mark Reinhold (Oracle) Dalibor Topic (Oracle) Johan Vos (Gluon) For further information: http://openjdk.java.net/workshop - Mark From martijnverburg at gmail.com Mon Nov 12 14:09:11 2018 From: martijnverburg at gmail.com (Martijn Verburg) Date: Mon, 12 Nov 2018 14:09:11 +0000 Subject: Workshop Proposal: Increasing the public quality bar at OpenJDK Message-ID: Hi all, Workshop proposal: Increasing the quality bar for OpenJDK OpenJDK today has a Jtreg based regression test suite which is very useful but could be greatly enhanced by further tests and other test suites. Greater test coverage of varying types could reduce the amount of custom in-house testing (that all OpenJDK vendors currently have to go through) as well as raise the 'minimum' quality bar for all OpenJDK builds. It would be great to have a discussion on where the gaps are currently and how we could best fill those as a community. Length: short/long - not sure brief biography (or link to same): AdoptOpenJDK has explored several ideas including 3rd party containerized tests, performance tests, system tests and more. We can share our experiences and see if any of them could be applied to OpenJDK. Blog and microblog links: https://blog.adoptopenjdk.net/2018/02/adding-third-party-application-tests-adoptopenjdk : Cheers, Martijn From martijnverburg at gmail.com Mon Nov 12 14:15:32 2018 From: martijnverburg at gmail.com (Martijn Verburg) Date: Mon, 12 Nov 2018 14:15:32 +0000 Subject: Workshop topic: Timing of update project handovers Message-ID: Hi all, Workshop topic: Timing of update project handovers Now that the leadership of update projects can occur every 6 months (3 years for LTS's) there is a lot more external scrutiny (about the perceived stability) and decision making (including how many resources to commit to OpenJDK) that the ecosystem makes. One of the strong pieces of feedback that we've seen is that folks would like to understand which organization(s) are taking over an update project *before* the actual handover date. Would be great to have this discussed. Sample Qs: Q: Would it be possible to name the next update leader in advance? Q: If so, how early in advance could that be? Cheers, Martijn From martijnverburg at gmail.com Mon Nov 12 14:18:49 2018 From: martijnverburg at gmail.com (Martijn Verburg) Date: Mon, 12 Nov 2018 14:18:49 +0000 Subject: Workshop Topic: Logistics of update projects Message-ID: Hi all, Workshop topic: Logistics of update projects Now that the leadership of update projects can occur every 6 months (3 years for LTS's) there is some existing infrastructure at Oracle which may or may not be able to be used for the updates project once they transition leadership. Sample Qs: Q: Where will OpenJDK downloads of update projects be hosted? Q: Is there the possibility of shared build and test infrastructure for the update projects? Cheers, Martijn From volker.simonis at gmail.com Mon Nov 12 15:54:41 2018 From: volker.simonis at gmail.com (Volker Simonis) Date: Mon, 12 Nov 2018 16:54:41 +0100 Subject: Workshop topic: Timing of update project handovers In-Reply-To: References: Message-ID: Excellent topic! And there are plenty of other related questions. E.g. The handover between Oracle being the project lead and a potential future project lead is targeted to happen AFTER the final Oracle-led JDK Update release has been published (see [1] for the "OpenJDK 10 updates announcement"). The problem with this approach is that the "final update" is being cloned from jdk-updates/jdkXXu about 12 weeks BEFORE the "final update" gets integrated (e.g. the RDP2 and cutoff date for 11.0.2 was at October 28th but the release of 11.0.2 and its integration into jdk-updates/jdk11u will be mid January 2019 only). In this 12 weeks time frame, Oracle still serves as "gate-keeper" for jdkXXu although it will not be responsible for the release which the accumulated changes will be part of (e.g. Oracle said that "fixes pushed after the cutoff date (for 11.0.2) will be targeted to 11.0.3" [2]). This is kind of weird, because it means that after the cutoff-date of the second security update, which usually happens already about 4-6 weeks after the first GA release of the respective major Java version, Oracle will still keep the responsibility for that update project, although in fact all the changes collected there are intended for the next, third update, for which Oracle won't be responsible any more. I therefor think it would be reasonable, if the hand-over between Oracle and a potential future project lead will happen right after the cutoff date of the second security release (for jdk11u this would have meant end of October 2018). Of course the discussion for such a transition would have to start at least some weeks earlier (in practice this would probably be right after the first GA release of the corresponding LTS version). Notice, that Oracle could still commit the security fixes of its "final update" like any other "external" committer, even if another party runs the corresponding updates project by then. Regards, Volker [1] http://mail.openjdk.java.net/pipermail/jdk-updates-dev/2018-May/000128.html [2] http://mail.openjdk.java.net/pipermail/jdk-updates-dev/2018-October/000263.html On Mon, Nov 12, 2018 at 3:17 PM Martijn Verburg wrote: > > Hi all, > > Workshop topic: Timing of update project handovers > > Now that the leadership of update projects can occur every 6 months (3 > years for LTS's) there is a lot more external scrutiny (about the perceived > stability) and decision making (including how many resources to commit to > OpenJDK) that the ecosystem makes. > > One of the strong pieces of feedback that we've seen is that folks would > like to understand which organization(s) are taking over an update project > *before* the actual handover date. Would be great to have this discussed. > > Sample Qs: > > Q: Would it be possible to name the next update leader in advance? > Q: If so, how early in advance could that be? > > Cheers, > Martijn From bourges.laurent at gmail.com Mon Nov 12 18:27:07 2018 From: bourges.laurent at gmail.com (=?UTF-8?Q?Laurent_Bourg=C3=A8s?=) Date: Mon, 12 Nov 2018 19:27:07 +0100 Subject: Workshop attendees Message-ID: Hi, I am Laurent Bourges, openjdk commiter as bourgesl. I will attend to FOSDEM19 and the openjdk workshop. Laurent From openjdk at carl.pro Tue Nov 13 11:37:33 2018 From: openjdk at carl.pro (Tasha CARL) Date: Tue, 13 Nov 2018 12:37:33 +0100 Subject: Workshop topic: Managing Security Vulnerabilities in updates projects post-Oracle leadership Message-ID: <1542109053.2537261.1575180328.29B629E1@webmail.messagingengine.com> Dear list, Workshop proposal: "Managing Security Vulnerabilities in updates projects post-Oracle leadership" This session may need to be restricted (partly) to folks who are part of the vulnerability group. It would be good to discuss how some concrete workflows might work as of 2019: 1. How a vulnerability gets reported to the vulnerability group (e.g. through public email address, by a vulnerability group member, a public 0-day breach or something else). 2. Who takes responsibility/lead for providing the OpenJDK updates stream patch and any back porting. 3. How and where vulnerability group members can collaborate (concretely) on a fix. 4. How the vulnerability group members should communicate with their internal organisations and finally (at the right time) with the public. Best regards, Natasha CARL From openjdk at carl.pro Tue Nov 13 11:38:07 2018 From: openjdk at carl.pro (Tasha CARL) Date: Tue, 13 Nov 2018 12:38:07 +0100 Subject: Workshop attendees Message-ID: <1542109087.2537397.1575180872.56EE604B@webmail.messagingengine.com> Hi all, I would like to attend the workshop(s). Best regards, Natasha CARL (OJVG)