From gnu.andrew at redhat.com Wed Aug 1 15:41:36 2018 From: gnu.andrew at redhat.com (Andrew Hughes) Date: Wed, 1 Aug 2018 16:41:36 +0100 Subject: Question on the "Updates Project" processes In-Reply-To: <20180718230308.GB2306@vimes> References: <20180718230308.GB2306@vimes> Message-ID: On 19 July 2018 at 00:03, Rob McKenna wrote: > Hi Volker: > > On 18/07/18 15:50, Volker Simonis wrote: >> Hi Rob, >> >> yesterday you've pushed the security fixes for JDK 10.0.2 into the >> jdk10u repository [2] but I haven't seen a "Request for approval" for >> these changes as this has been requested for the corresponding >> security updates in the jdk8u project [3]. Aren't such approvals >> required any more for the new updates project? >> > > I'm in two minds about this. We've moved away from mailing list > approvals for the jdk-updates project and it seems redundant to add the > labels to these issues when they've already been through the critical > request process, but perhaps I need to rethink that. Leave that with me. > It also wouldn't be visible to many of us anyway, because the security issues are private. I've always found the actual review element rather redundant (and, given the time between review and approval, I expect it's often rubber-stamping work done privately). The main benefit has been to know that the patches are in the repository, so I'd be quite happy with a notification on this instead. -- Andrew :) Senior Free Java Software Engineer Red Hat, Inc. (http://www.redhat.com) Web Site: http://fuseyism.com Twitter: https://twitter.com/gnu_andrew_java PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net) Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222 From Ken.Heatherly at csgi.com Thu Aug 23 13:31:15 2018 From: Ken.Heatherly at csgi.com (Ken Heatherly) Date: Thu, 23 Aug 2018 13:31:15 -0000 Subject: OpenJDK Patching Process Message-ID: All - Trying to get a handle on the OpenJDK patching process with recent changes to release methodology and cadence. With 6 month OpenJDK releases now happening, for what duration will the n-1 version of OpenJDK be patched once the n version is released for GA? For example, OpenJDK 11 is GA September 25, 2018. If a security issue is recognized on OpenJDK 10 in October 2018, will a critical patch be created for OpenJDK 10 to address, or will upgrade to Open JDK 11 be required in order to receive the critical update. Any guidance/direction is appreciated. Regards, Ken Heatherly All emails in this message string and any attachments are the confidential information of CSG Systems International, Inc. (CSG), or its affiliates and subsidiaries, and may contain privileged and/or confidential material. If you are not an intended recipient, please delete it immediately and notify the sender; unintended recipients are not authorized to read or otherwise use the information contained herein.