Ubuntu 11.10 VM including OpenJDK Build Image
denisl at openscg.com
Thu Feb 23 04:35:45 UTC 2012
On Wed, Feb 22, 2012 at 8:09 PM, Wade Chandler <
hwadechandler-openjdk at yahoo.com> wrote:
> As it relates to keeping old binaries, I think older versions would be
> kept. It is exactly what Oracle does with the JRE/JDK. I don't think it is
> criminal. I think if you don't have information about what each release
> address then it is bad; again, I think a security bug severity is
> determined whether the code is used and too who it is used; some bugs only
> affect shared containers, others remote code, some native items, and others
> images ... They have a disclaimer that all those builds should not be used
> in production environments of course. However, I'm not thinking that a
> company, once it has its binary artifacts for its builds, would be coming
> back to OpenJDK and getting those time and time again.
> More like, those binaries would be available on OpenJDK for a window in
> time, and even if not the exact version at product release time as
> inception, close enough for their development window, i.e. it wouldn't be a
> significant change necessarily, and after they have gotten a version they
> are going to distribute with, they will distribute it until they upgrade
> their own distributed copy based on their own tests functional and security
> per their domain.
I agree with Wade. This is why for the last two plus years OpenSCG.org
has been creating and distributing OpenJDK 6 Linux Binaries that work
across all flavors of Linux without requiring root to install or messing in
any way with the operating system. Just set $JAVA_HOME and away you
go.... Same way as the BIN packaging for Oracle's commercial JDK. One
size does NOT fit all. Do not get me wrong, I think making OpenJDK/IcedTea
a hardened part of Enterprise Linux Distro's is a great thing also.
I don't consider it a crime if users don't upgrade to the latest version, I
consider it their choice and their decision. OpenSCG doesn't run the TCK
tests, but, our binaries have been used by many folks for several years and
I've never had a problem reported in Linux (after my first few builds).
Note that OpenSCG's OpenJDK6 Windoze Binaries are sometimes problematic
when used with older version of Eclipse.
More information about the discuss