Version and Security

Remi Forax forax at
Tue Jan 12 12:15:30 UTC 2016

Hi Paul,
while using dates to indicate the last security patch is interesting,
you want the version of the produced artifact to reflect the security patch level to ease the work of the ops.


----- Mail original -----
> De: "Paul Benedict" <pbenedict at>
> À: verona-dev at
> Envoyé: Lundi 11 Janvier 2016 21:47:55
> Objet: Version and Security
> I'd like to offer a suggestion. I am late to the game with this idea, but I
> think it's worth mentioning. Right now I think the proposed encoding is too
> complex and would like an alternative.
> I don't think the JDK version string should include any special encoding
> for security. I believe product versioning and security patch versioning
> should be made clear by 2 different system properties. There should be an
> additional "security patch level" property that corresponds to the version
> (or date) of either OpenJDK and/or Oracle for whatever their statuses are.
> Example strings:
> java.version=9.0.1
> How to interpret this example:
> Java 9.0.1 has all security patches from OpenJDK since 2016-01-02 and,
> because my example is using an Oracle JDK, it includes their own
> proprietary security patches up to 2016-01-11.
> Cheers,
> Paul

More information about the verona-dev mailing list