OpenJDK 8u272 Released

Andrew Hughes gnu.andrew at redhat.com
Wed Oct 21 16:00:10 UTC 2020


On 16:52 Wed 21 Oct, Volker Simonis wrote:
> Hi Andrew,
> 
> thanks for your great work. It's really much appreciated!
>

Why are comments like that always followed by a 'but...' ? :-)

> I have some process related questions though:
> 
>  - why are you posting the source code of an OpenJDK update release to
> a non-OpenJDK website before the original OpenJDK repositories have
> been updated with the corresponding changes? My feeling is that
> OpenJDK updates repositories should always be the main reference from
> where all other artifacts are derived from. And the OpenJDK
> infrastructure should be the primary and main source for artifacts
> produced by the OpenJDK project.
>

We have been publishing source bundles there since we took over
OpenJDK 6. If there is a location for source bundles on the OpenJDK
infrastructure we can use instead, I'd be happy to do so, but I'm not
currently aware of one.

> - I saw that you've posted a RFR for the 8u security changes early
> this morning and I wonder why this is necessary? First of all, these
> changes have already all been reviewed on the VG list. Second, you've
> already posted this code anyway (to https://openjdk-sources.osci.io)
> and downstream distros will probably pick it from there and build it.
> So any changes made during review might only lead to confusion.
>

Oracle always had this RFR process for their updates and I guess we've
continued it. If people are happy for the 8u & 11u changes to be
pushed directly, I can do so. But that needs agreement first that this
is ok.

There is certainly no possibility of revising the patch set, as it
will already be used in builds by this point and the Mercurial tooling
we're using makes such changes to a set of changesets painful. Any
review comments would have to be in further patches on top. I do think
it is worthwhile having someone look over the whole set with fresh
eyes in case anything was missed.

I'm not going to discuss vulnerability group work here as it's not
appropriate.

I don't regard the source bundle release and the push to the
repositories as related. They are for different target audiences. The
master copy should be in the repositories once reviewed, but that is
primarily for developers to do further work on top of. The source
bundles are for distributors outside the vulnerability group that need
to build from them and should be available as soon as possible rather
than waiting for the RFR process to complete.

> From my point of view, the ideal workflow would be to push the changes
> to the OpenJDK update repos right after the embargo was lifted. After
> that anybody can use these repos as "golden master" and create source
> bundles, binaries, etc from them. Or am I missing something?
>

That might be better, but it would be a change for how we have done
things for the last decade. As I say, the repos, source bundles and
binary bundles all have different target audiences. I don't think it's
correct to assume everyone who wants the new release is able to build
their own from a repository.

Note that you may not have noticed this with previous releases because
Aleksey has been doing an excellent job of reviewing them almost
immediately.  I'm sure he'd appreciate the extra sleep if he's no
longer on the hook to do that late on unembargo days.

> Thank you and best regards,
> Volker
> 

Thanks,
-- 
Andrew :)

Senior Free Java Software Engineer
OpenJDK Package Owner
Red Hat, Inc. (http://www.redhat.com)

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222

