Ubuntu 11.10 VM including OpenJDK Build Image
hwadechandler-openjdk at yahoo.com
Wed Feb 22 20:09:48 PST 2012
Thanks for all the communication, Andrew.
On 02/22/2012 01:38 PM, Andrew Haley wrote:
> On 02/22/2012 05:18 PM, Wade Chandler wrote:
>> Depends. That doesn't have to be the case; enterprise-scale build
>> and dist networks. For any given platform and any given installer a
>> packaged prebuilt binary can be included easily enough. Getting all
>> the sub-components and building ones own JVM isn't exactly something
>> someone writing business logic to use a JVM should be worried about
>> doing unless they specifically want or need to.
> Absolutely not, no. And grabbing binaries that are not fully
> supported from a web site isn't something that they should be doing,
> IMO. This can work if the site that hosts the builds (or its
> volunteers) does full testing and update support on the binaries they
> host. Otherwise, people shouldn't use those binaries. Sure, it'll be
> fine for experimentation.
Isn't this what we do with Netty, Spring, Tomcat, JBoss, GlassFish,
Eclipse, NetBeans, and many other open source projects? Not trying to be
smart, really wondering what the difference is. Perhaps it is just
related to the TCK and whether it is considered Java. Is that the deal?
I talk about that below.
>> I feel we are approaching this discussion from two different angles:
>> large scale enterprise versus small business and individual users;
>> commercial enterprise versus commercial consumer software. I'm
>> arguing the large scale enterprise approach excludes a lot of
>> developers in various ways.
> If there were a proposal on the table for a site that hosted fully
> tested, TCKd and supported binaries built from OpenJDK, and had the
> infrastructure to do updates where needed, that might make some sense.
> Otherwise, you're just adding risk.
> Consider, for example, the situation where a security flaw was found
> that affected the last N OpenJDK releases. This site supports
> versions of OpenJDK going back M releases, so you now have to do
> max(N,M) patching and rebuild cycles. Either that, or you leave
> binaries with a known security hole on the site, which would be
> criminal. So what would you do?
I think this part tells me a lot that I haven't understood about
OpenJDK, or at least I think I understand it, and you can correct me if not.
Essentially OpenJDK generally has an expectation of casual use and not
production use depending on who one gets a build from per se; even from
the OpenJDK project itself. It being a component in free OSs means it
depends on the free OS, or commercial ones for that matter, as to
whether some "licensed" TCK has been run on it or not. So, there is no
guarantee unless directly from say Canonical, Novell, Red Hat, etc that
the version of OpenJDK one is using in a Linux distro is actually
production quality. It may very well be a Linux distro is distributing a
completely untested OpenJDK which just happens to pass the build which
has some minimal guarantee it works, but will fail in many cases one
wishes to run a Java application.
Perhaps this is being done for Fedora. I was under the impression from
the recent push, or at least perceived push, from Oracle to get folks
using the OpenJDK and not their builds distributed within an operating
system that OpenJDK was going to become the new de facto standard and it
would have (and I really thought it was having) the TCK run on that code. That doesn't
mean something someone has modified for their distribution per se, but
that any OpenJDK hosted and sanctioned build was actually being
thoroughly tested; as it relates to the Java standard that is.
Being open source, and outside of the TCK, I kind of just expect unit
and integration tests along with community testing much like other
projects. Perhaps I'm missing some things here though, and I imagine I
As it relates to keeping old binaries, I think older versions would be
kept. It is exactly what Oracle does with the JRE/JDK. I don't think it
is criminal. I think if you don't have information about what each
release addresses then it is bad; again, I think a security bug severity
is determined by whether the code is used and by whom it is used; some bugs
only affect shared containers, others remote code, some native items,
and others images ... They have a disclaimer that all those builds
should not be used in production environments of course. However, I'm
not thinking that a company, once it has its binary artifacts for its
builds, would be coming back to OpenJDK and getting those time and time
More like, those binaries would be available on OpenJDK for a window in
time, and even if not the exact version at product release time as
inception, close enough for their development window, i.e. it wouldn't
be a significant change necessarily, and after they have gotten a
version they are going to distribute with, they will distribute it until
they upgrade their own distributed copy based on their own tests
functional and security per their domain.
Software Engineer and Consultant
NetBeans Dream Team Member