Date: Sat, 4 Jan 2014 20:19:19 -0800
From: Greg Lewis
To: Matthew Seaman
Cc: freebsd-java@freebsd.org
Subject: Re: open jdk7 marked "FORBIDDEN"
Message-ID: <20140105041919.GA57795@misty.eyesbeyond.com>
In-Reply-To: <52C7E24A.6010902@FreeBSD.org>
List-Id: Porting Java to FreeBSD

On Sat, Jan 04, 2014 at 10:28:26AM +0000, Matthew Seaman wrote:
> On 04/01/2014 01:23, ari wrote:
> >> The 'nasty FreeBSD bug' is that running the latest OpenJDK 6 or 7 will
> >> cause pretty much all versions of FreeBSD back to 8.0 to instantly
> >> reboot. This is actually a FreeBSD kernel bug.
> >
> >> Watch the freebsd-announce@... list -- there will be at least an Errata
> >> notice for all supported releases.
> >
> >
> > I understand the desire to protect people from bad effects, but this lockout
> > of every Java port (since everything pretty much depends on openjdk) is
> > quite extreme. Can we please have some more information about:
> >
> > * the nature of the bug
> > * how far back do we have to revert openjdk7 to avoid the problem
> >
> > I've got a huge reliance on Java on production servers and this makes me
> > very nervous. I also had planned an upgrade from FreeBSD 9.0 to 9.2 on a
> > server today and this can't go ahead since I cannot install an updated
> > openjdk.
> >
> > If this is an obscure bug which is in all versions of the openjdk against
> > all versions of freebsd, could someone please revert the FORBIDDEN flag on
> > these ports, since its only effect is to:
> >
> > * make users believe that FreeBSD is not a good platform for Java
> > * stop users from upgrading from any previous versions of Java, or otherwise
> > update systems
> >
> > If this is a serious problem only in the latest version of Java (e.g.
> > 1.7.0_45) then can we revert the port to a known working version?
> >
> >
> > At any rate, more information would be great since I've already got 1.7.0_45
> > in production on a couple of machines and I need to know what to look out
> > for.
>
> Yes, certainly. The important point here is that the bug is in certain
> FreeBSD versions, not in Java.
>
> If you've got a java package that runs without causing the system to
> panic then there's no reason not to carry on using it.
>
> The symptoms of the bug are that the OS will panic whenever one of the
> latest versions of OpenJDK is run on a susceptible version of the OS.
> If your machine can /build/ the latest OpenJDK without panicking (which
> involves extensive use of Java to compile itself) then you're OK to
> deploy that version to run your web applications or whatever (subject to
> the usual sorts of testing you'd do around updating any core component
> of the business that provides your paychecks, of course).
>
> OpenJDK 7.45.18 or 7.45.18_1 would trigger the bug in susceptible
> FreeBSD systems. 7.25.15_2 or earlier should be safe.

"Safe" being a relative term since typically the updated Java version
will contain security fixes as well. I didn't enumerate all the security
fixes between 7u25 and 7u45 when doing the update, but I'm pretty certain
it was not a list of zero length.

I realise this potentially puts people in a poor situation. I'd
definitely recommend running 7u45 if you can, and in particular please
run 7.45.18_1, since the initial 7.45.18 update didn't pick up changes
to how the unlimited strength security policies were installed.

> FreeBSD 11-CURRENT (r259951), 10-STABLE (r260081), 10.0-RELEASE-rc4
> (r260122) and 9-STABLE (r260082) have been patched. Neither 8-STABLE
> nor any of the supported 9.x- or 8.x-RELEASE branches have been patched
> yet. As I said, the -RELEASE branches would be listed in an errata
> notice or security advisory when a patch was applied.
>
> Disclaimer: this is just based on what I have been able to gather from
> public mailing lists, my own experiences trying to build package sets
> including OpenJDK and by spelunking through the SVN repository via
> http://svnweb.freebsd.org/base/ It does not represent the official
> position of the FreeBSD project.
>
> Cheers,
>
> Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.
> PGP: http://www.infracaninophile.co.uk/pgpkey

-- 
Greg Lewis                          Email   : glewis@eyesbeyond.com
Eyes Beyond                         Web     : http://www.eyesbeyond.com
Information Technology              FreeBSD : glewis@FreeBSD.org