
Re: Mystery meat OpenJDK builds strike again


You see factual reporting (directly documented and dated in the original posting) of the actual version numbers being used by official docker images, along with irrefutable proof that the packages used in those were built weeks before the respective OpenJDK 8u and 11u releases were complete, as “fake news”?

You think that alerting millions of unsuspecting people using exposed, insecure builds that falsely report their OpenJDK version (as one that includes e.g. critical security fixes) to the fact is “marketing”?

And you consider pleas to use responsibly built and tested OpenJDK builds, with no mention of any vendor name at all, “trolling”?

This (the specific things documented at the start of this thread) was absolutely Mystery Meat masquerading as an actual release OpenJDK.  Facts are facts.

Blaming the messenger and trying to attribute commercial motives to the calling out of inconvenient truths is a way of dealing with reality.

Sent from Gil's iPhone

> On May 26, 2019, at 3:25 PM, Matthias Klose <doko@ubuntu.com> wrote:
> I am disappointed to see such trolling, bashing and telling fake news on a
> technical mailing list.  Is this Azul's business model to promote their own
> binary builds?
> Such behavior propagates e.g. via twitter
> https://twitter.com/jroper/status/1130678379403857920
> I'm starting the discussion about version numbers and release information in a
> new thread.
> I am neither involved with any Docker image nor with any Debian backport.
> Debian provides security support for its stable release (stretch, 9.x).
> openjdk-11 isn't part of any released Debian version.
> Ubuntu ships openjdk-8 as a supported package in Ubuntu 16.04 LTS and is
> committed to provide security support for openjdk-8 in Ubuntu 18.04 LTS until
> the EOL of Ubuntu 16.04 LTS (around April 2021).
> Ubuntu 18.04 LTS initially shipped with OpenJDK 10 with the commitment to update
> to OpenJDK 11 which now is available in the Ubuntu 18.04 LTS release (in the
> security pocket).
> There is no mystery meat, just security supported uploads for both Debian and
> Ubuntu.
>> On 15.05.19 20:49, Gil Tene wrote:
>> Umm…
>> Lumpy.local-43% docker run -it --rm openjdk:8 java -version
>> openjdk version "1.8.0_212"
>> OpenJDK Runtime Environment (build 1.8.0_212-8u212-b01-1~deb9u1-b01)
>> OpenJDK 64-Bit Server VM (build 25.212-b01, mixed mode)
>> Lumpy.local-44% date
>> Wed May 15 11:41:12 PDT 2019
>> Look at the build number carefully… This was populated no later
>> than March 27, 2019. 3 weeks before the actual 8u212 was released
>> on April 16, 2019.
> The Debian openjdk-8 source package is put together from the jdk8u,
> aarch64-port/jdk8u-shenandoah and aarch32-port/jdk8u projects.  Certainly not
> ideal, however these packages can only be made if all the sources are available,
> or tagged.
> I am happy to see that the aarch64-port tries to keep up with the jdk8u project,
> however this is a different story with the aarch32-port project:  The project
> doesn't have *any* prerelease tags, plus the project updates its release tags
> only months after the jdk8u releases.  So blaming Debian for shipping what they
> are able to ship, while Azul itself holds back source releases?   Shame on
> anyone who thinks ill of it ...
>> Similarly:
>> Lumpy.local-46% docker run -it --rm openjdk:11 java -version
>> openjdk version "11.0.3" 2019-04-16
>> OpenJDK Runtime Environment (build 11.0.3+1-Debian-1bpo91)
>> OpenJDK 64-Bit Server VM (build 11.0.3+1-Debian-1bpo91, mixed mode, sharing)
>> Lumpy.local-47% date
>> Wed May 15 11:43:12 PDT 2019
>> This one was populated no later than April 3, 2 weeks before
>> the actual 11.0.3 was released on April 16, 2019
>> If anyone was wondering about the importance of having version strings say
>> "EA" (or some other "THIS IS NOT a RELEASED VERSION" warning) on any
>> and all OpenJDK builds that are not an actual release build, the above shows
>> you how bad things get when that practice is not followed.
> Don't trust the label, just the content.  I agree that the java community is
> much more label/version driven, however this is not a reason to discredit other
> sane builds.
>> Why Debian populated their repos with these builds is their business, and
>> why docker chose to use those specific debian builds can be speculated
>> about all we want. the details don't matter. The end result of these
>> cumulative "reasonable" (according to some people) choices is that the
>> default openjdk runs done by millions of people on docker right now are
>> using "mystery meat", incomplete, and exposed builds while seeming to
>> report (to the lay person) a Java version that would suggest a real 8u212
>> or 11.0.3 (which one would expect has the security vulnerabilities in the
>> April update addressed, the bug fixes included, etc.).
> Again, I see this as an advertising or promotion email for the Azul binary
> builds.  Fine, do so.  But please use marketing lists and not the OpenJDK
> technical lists.
> Matthias
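The check Gil applies by eye above (read the build number out of the `java -version` output and ask whether it is at or beyond the build that was actually tagged GA) can be scripted. The following is an added example, not code from either poster or from the OpenJDK project. It parses the two build strings quoted in the thread, both the pre-JEP 223 `1.8.0_212-8u212-b01-...` form and the JEP 223 `11.0.3+1-...` form, and flags a build as `pre-ga` when it carries no EA marker yet its build number is below the GA build. The GA build numbers in `ASSUMED_GA_BUILDS` are an assumption made for the example; the thread does not state them, so take the real values from the jdk8u / jdk-updates release tags before relying on the result.

```python
import re
from dataclasses import dataclass
from typing import Dict

# Constructed sample input: the two `java -version` outputs quoted in the
# thread, with the shell prompts removed.
OPENJDK_8_OUTPUT = """openjdk version "1.8.0_212"
OpenJDK Runtime Environment (build 1.8.0_212-8u212-b01-1~deb9u1-b01)
OpenJDK 64-Bit Server VM (build 25.212-b01, mixed mode)
"""

OPENJDK_11_OUTPUT = """openjdk version "11.0.3" 2019-04-16
OpenJDK Runtime Environment (build 11.0.3+1-Debian-1bpo91)
OpenJDK 64-Bit Server VM (build 11.0.3+1-Debian-1bpo91, mixed mode, sharing)
"""

# ASSUMPTION for this example: the build number of the GA tag of each update.
# The thread does not state these; take the real values from the release tags.
ASSUMED_GA_BUILDS: Dict[str, int] = {"8u212": 3, "11.0.3": 7}


@dataclass
class BuildInfo:
    version: str   # update identifier: "8u212" or "11.0.3"
    build: int     # upstream build number: bNN (8u) or +NN (JEP 223)
    opt: str       # vendor/distro suffix, e.g. "1~deb9u1-b01"
    ea: bool       # True only if the string carries an EA / pre-release marker


_RUNTIME_LINE = re.compile(r"Runtime Environment \(build ([^)]+)\)")
# Pre-JEP 223 (8u): 1.8.0_212-b03, 1.8.0_212-ea-b01, or Debian's
# 1.8.0_212-8u212-b01-1~deb9u1-b01 (the "-8u212" infix is Debian's addition).
_JDK8_BUILD = re.compile(r"^1\.8\.0_(\d+)(?:-(ea))?(?:-8u\d+)?-b(\d+)(?:-(.*))?$")
# JEP 223 $VNUM(-$PRE)?+$BUILD(-$OPT)?: 11.0.3+7, 11.0.3-ea+5, 11.0.3+1-Debian-1bpo91.
_JEP223_BUILD = re.compile(r"^(\d+(?:\.\d+)*)(?:-([^+]+))?\+(\d+)(?:-(.*))?$")


def parse_build_string(build: str) -> BuildInfo:
    """Parse the text inside 'Runtime Environment (build ...)'."""
    m = _JDK8_BUILD.match(build)
    if m:
        update, pre, num, opt = m.groups()
        return BuildInfo(f"8u{int(update)}", int(num), opt or "", pre == "ea")
    m = _JEP223_BUILD.match(build)
    if m:
        vnum, pre, num, opt = m.groups()
        ea = bool(pre) and pre.lower().startswith("ea")
        return BuildInfo(vnum, int(num), opt or "", ea)
    # JEP 223 also permits strings with no +BUILD at all; refuse to guess a
    # build number for those rather than silently classifying them.
    raise ValueError(f"unrecognised build string: {build!r}")


def parse_java_version(output: str) -> BuildInfo:
    """Locate the Runtime Environment line in `java -version` output and parse it."""
    m = _RUNTIME_LINE.search(output)
    if not m:
        raise ValueError("no 'Runtime Environment (build ...)' line found")
    return parse_build_string(m.group(1))


def classify(info: BuildInfo, ga_builds: Dict[str, int] = ASSUMED_GA_BUILDS) -> str:
    """'ea' if labelled as such; 'pre-ga' if unlabelled but below the GA build
    number; 'ga' if at or above it; 'unknown' if the table has no entry."""
    if info.ea:
        return "ea"
    ga = ga_builds.get(info.version)
    if ga is None:
        return "unknown"
    return "pre-ga" if info.build < ga else "ga"


if __name__ == "__main__":
    for out in (OPENJDK_8_OUTPUT, OPENJDK_11_OUTPUT):
        info = parse_java_version(out)
        print(f"{info.version} build {info.build} opt={info.opt!r}: {classify(info)}")
```

Run against a live image with `docker run --rm openjdk:8 java -version 2>&1 | python3 check.py` (after swapping the constructed samples for `sys.stdin.read()`), and treat `pre-ga` and `unknown` the same way: as builds you cannot assume contain the fixes the version number implies. Note that the Debian suffix re-uses `-b01` inside `$OPT`, which is why the parser anchors on the build number that precedes the suffix rather than the last `bNN` in the string.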
