From owner-freebsd-java@freebsd.org Sun Jul 12 19:31:39 2015
From: Mark Felder
To: Xin Li, ports-secteam@FreeBSD.org
Cc: java@freebsd.org
Subject: Re: Eradication of old java
Date: Sun, 12 Jul 2015 14:31:37 -0500

On Sun, Jul 12, 2015, at 14:09, Xin Li wrote:
>
> On 7/12/15 10:38, Mark Felder wrote:
> > How long before we start to eradicate old java from the ports tree?
> > I'm actually in the process of updating a couple ports of mine to
> > require Java 1.8 now that it is supported, vs 1.6 as users
> > currently are being required to use.
> >
> > Java 6 was EoL last year, Java 7 in April this year.
> >
> > I'm considering doing a search of the ports tree to gather some
> > info and see how many can just have the java requirement bumped.
>
> I think we should move this discussion to -java@ and/or maintainers --
> there is no known security issues and it's better to give it more
> public exposure.
>
> My suggestion would be to deprecate both Java 6 and 7 now and remove
> them after a few (3?) months if there is nobody volunteering to
> maintain them.
>
> (IIRC Java 6 have some security settings that e.g. IPMI console
> applications require, but I doubt if FreeBSD users actually use these
> because such applications usually ships with some native binary blobs)
>

Is Java 6 and 7 still receiving updates through OpenJDK upstream? As far
as I'm aware they are not, so the next batch of CVEs that come out put
those users in a bad position.

Can java@ team provide any details?

From owner-freebsd-java@freebsd.org Mon Jul 13 05:16:33 2015
Date: Mon, 13 Jul 2015 07:08:20 +0200
From: Matthias Petermann
To: freebsd-java@freebsd.org
Subject: Re: Eradication of old java

Hello,

On 12.07.2015 21:31, Mark Felder wrote:
>
> On Sun, Jul 12, 2015, at 14:09, Xin Li wrote:
>> On 7/12/15 10:38, Mark Felder wrote:
>>> How long before we start to eradicate old java from the ports tree?
>>> I'm actually in the process of updating a couple ports of mine to
>>> require Java 1.8 now that it is supported, vs 1.6 as users
>>> currently are being required to use.
>>>
>>> Java 6 was EoL last year, Java 7 in April this year.
>>>
>>> I'm considering doing a search of the ports tree to gather some
>>> info and see how many can just have the java requirement bumped.
>> I think we should move this discussion to -java@ and/or maintainers --
>> there is no known security issues and it's better to give it more
>> public exposure.
>>
>> My suggestion would be to deprecate both Java 6 and 7 now and remove
>> them after a few (3?) months if there is nobody volunteering to
>> maintain them.
>>
>> (IIRC Java 6 have some security settings that e.g. IPMI console
>> applications require, but I doubt if FreeBSD users actually use these
>> because such applications usually ships with some native binary blobs)
>>
> Is Java 6 and 7 still receiving updates through OpenJDK upstream? As far
> as I'm aware they are not, so the next batch of CVEs that come out put
> those users in a bad position.
>
> Can java@ team provide any details?

It looks like RedHat had taken over stewardship for OpenJDK 6 [1] and
OpenJDK 7 [2]. I did not find a road map there but it can be assumed that
they support it until EOL of their enterprise Linux distributions RHEL 5
(OpenJDK is the default Java there) and RHEL 6. Would be interesting to
find out where updated sources are available (and if they maintain the
original sources or provide source code patches or binary patches only?).

Best regards,
Matthias

[1] http://www.redhat.com/en/about/press-releases/red-hat-reinforces-java-commitment-and-assumes-leadership-openjdk-6-community
[2] http://www.redhat.com/en/about/press-releases/stewardship-openjdk-7-project-shifts-red-hat

From owner-freebsd-java@freebsd.org Mon Jul 13 15:52:48 2015
Date: Mon, 13 Jul 2015 11:52:31 -0400
From: Jung-uk Kim
To: Mark Felder, Xin Li, ports-secteam@FreeBSD.org
CC: java@freebsd.org
Subject: Re: Eradication of old java

On 07/12/2015 15:31, Mark Felder wrote:
>
>
> On Sun, Jul 12, 2015, at 14:09, Xin Li wrote:
>>
>> On 7/12/15 10:38, Mark Felder wrote:
>>> How long before we start to eradicate old java from the ports
>>> tree? I'm actually in the process of updating a couple ports of
>>> mine to require Java 1.8 now that it is supported, vs 1.6 as
>>> users currently are being required to use.
>>>
>>> Java 6 was EoL last year, Java 7 in April this year.
>>>
>>> I'm considering doing a search of the ports tree to gather
>>> some info and see how many can just have the java requirement
>>> bumped.
>>
>> I think we should move this discussion to -java@ and/or
>> maintainers -- there is no known security issues and it's better
>> to give it more public exposure.
>>
>> My suggestion would be to deprecate both Java 6 and 7 now and
>> remove them after a few (3?) months if there is nobody
>> volunteering to maintain them.
>>
>> (IIRC Java 6 have some security settings that e.g. IPMI console
>> applications require, but I doubt if FreeBSD users actually use
>> these because such applications usually ships with some native
>> binary blobs)
>>
>
> Is Java 6 and 7 still receiving updates through OpenJDK upstream?
> As far as I'm aware they are not, so the next batch of CVEs that
> come out put those users in a bad position.
>
> Can java@ team provide any details?

Both OpenJDK6 and OpenJDK7 are actively maintained. For example,
there will be OpenJDK6 b36 soon:

https://java.net/jira/browse/OPENJDK6-60

Jung-uk Kim

From owner-freebsd-java@freebsd.org Mon Jul 13 15:54:09 2015
From: Mark Felder
To: "Jung-uk Kim", Xin Li, ports-secteam@FreeBSD.org
Cc: java@freebsd.org
Subject: Re: Eradication of old java
Date: Mon, 13 Jul 2015 10:54:06 -0500

On Mon, Jul 13, 2015, at 10:52, Jung-uk Kim wrote:
> On 07/12/2015 15:31, Mark Felder wrote:
> >
> >
> > On Sun, Jul 12, 2015, at 14:09, Xin Li wrote:
> >>
> >> On 7/12/15 10:38, Mark Felder wrote:
> >>> How long before we start to eradicate old java from the ports
> >>> tree? I'm actually in the process of updating a couple ports of
> >>> mine to require Java 1.8 now that it is supported, vs 1.6 as
> >>> users currently are being required to use.
> >>>
> >>> Java 6 was EoL last year, Java 7 in April this year.
> >>>
> >>> I'm considering doing a search of the ports tree to gather
> >>> some info and see how many can just have the java requirement
> >>> bumped.
> >>
> >> I think we should move this discussion to -java@ and/or
> >> maintainers -- there is no known security issues and it's better
> >> to give it more public exposure.
> >>
> >> My suggestion would be to deprecate both Java 6 and 7 now and
> >> remove them after a few (3?) months if there is nobody
> >> volunteering to maintain them.
> >>
> >> (IIRC Java 6 have some security settings that e.g. IPMI console
> >> applications require, but I doubt if FreeBSD users actually use
> >> these because such applications usually ships with some native
> >> binary blobs)
> >>
> >
> > Is Java 6 and 7 still receiving updates through OpenJDK upstream?
> > As far as I'm aware they are not, so the next batch of CVEs that
> > come out put those users in a bad position.
> >
> > Can java@ team provide any details?
>
> Both OpenJDK6 and OpenJDK7 are actively maintained. For example,
> there will be OpenJDK6 b36 soon:
>
> https://java.net/jira/browse/OPENJDK6-60
>
> Jung-uk Kim
>

So it is only Oracle's non-OpenJDK distribution of Java 6 and Java 7
that is ceasing public updates?

From owner-freebsd-java@freebsd.org Mon Jul 13 15:59:59 2015
Date: Mon, 13 Jul 2015 11:59:58 -0400
From: Jung-uk Kim
To: Mark Felder, Xin Li, ports-secteam@FreeBSD.org
CC: java@freebsd.org
Subject: Re: Eradication of old java

On 07/13/2015 11:54, Mark Felder wrote:
>
>
> On Mon, Jul 13, 2015, at 10:52, Jung-uk Kim wrote:
>> On 07/12/2015 15:31, Mark Felder wrote:
>>>
>>>
>>> On Sun, Jul 12, 2015, at 14:09, Xin Li wrote:
>>>>
>>>> On 7/12/15 10:38, Mark Felder wrote:
>>>>> How long before we start to eradicate old java from the
>>>>> ports tree? I'm actually in the process of updating a
>>>>> couple ports of mine to require Java 1.8 now that it is
>>>>> supported, vs 1.6 as users currently are being required to
>>>>> use.
>>>>>
>>>>> Java 6 was EoL last year, Java 7 in April this year.
>>>>>
>>>>> I'm considering doing a search of the ports tree to gather
>>>>> some info and see how many can just have the java
>>>>> requirement bumped.
>>>>
>>>> I think we should move this discussion to -java@ and/or
>>>> maintainers -- there is no known security issues and it's
>>>> better to give it more public exposure.
>>>>
>>>> My suggestion would be to deprecate both Java 6 and 7 now
>>>> and remove them after a few (3?) months if there is nobody
>>>> volunteering to maintain them.
>>>>
>>>> (IIRC Java 6 have some security settings that e.g. IPMI
>>>> console applications require, but I doubt if FreeBSD users
>>>> actually use these because such applications usually ships
>>>> with some native binary blobs)
>>>>
>>>
>>> Is Java 6 and 7 still receiving updates through OpenJDK
>>> upstream? As far as I'm aware they are not, so the next batch
>>> of CVEs that come out put those users in a bad position.
>>>
>>> Can java@ team provide any details?
>>
>> Both OpenJDK6 and OpenJDK7 are actively maintained. For
>> example, there will be OpenJDK6 b36 soon:
>>
>> https://java.net/jira/browse/OPENJDK6-60
>>
>> Jung-uk Kim
>>
>
> So it is only Oracle's non-OpenJDK distribution of Java 6 and Java
> 7 that is ceasing public updates?

Correct.

Jung-uk Kim

From owner-freebsd-java@freebsd.org Mon Jul 13 16:08:29 2015
Date: Mon, 13 Jul 2015 12:08:28 -0400
From: Jung-uk Kim
To: Matthias Petermann, freebsd-java@freebsd.org
Subject: Re: Eradication of old java

On 07/13/2015 01:08, Matthias Petermann wrote:
> Hello,
>
> On 12.07.2015 21:31, Mark Felder wrote:
>>
>> On Sun, Jul 12, 2015, at 14:09, Xin Li wrote:
>>> On 7/12/15 10:38, Mark Felder wrote:
>>>> How long before we start to eradicate old java from the ports
>>>> tree? I'm actually in the process of updating a couple ports
>>>> of mine to require Java 1.8 now that it is supported, vs 1.6
>>>> as users currently are being required to use.
>>>>
>>>> Java 6 was EoL last year, Java 7 in April this year.
>>>>
>>>> I'm considering doing a search of the ports tree to gather
>>>> some info and see how many can just have the java requirement
>>>> bumped.
>>> I think we should move this discussion to -java@ and/or
>>> maintainers -- there is no known security issues and it's
>>> better to give it more public exposure.
>>>
>>> My suggestion would be to deprecate both Java 6 and 7 now and
>>> remove them after a few (3?) months if there is nobody
>>> volunteering to maintain them.
>>>
>>> (IIRC Java 6 have some security settings that e.g. IPMI
>>> console applications require, but I doubt if FreeBSD users
>>> actually use these because such applications usually ships with
>>> some native binary blobs)
>>>
>> Is Java 6 and 7 still receiving updates through OpenJDK upstream?
>> As far as I'm aware they are not, so the next batch of CVEs that
>> come out put those users in a bad position.
>>
>> Can java@ team provide any details?
>
> It looks like RedHat had taken over stewardship for OpenJDK 6
> [1] and OpenJDK 7 [2]. I did not find a road map there but it can be
> assumed that they support it until EOL of their enterprise Linux
> distributions RHEL 5 (OpenJDK is the default Java there) and RHEL
> 6. Would be interesting to find out where updated sources are
> available (and if they maintain the original sources or provide
> source code patches or binary patches only?).

OpenJDK6 sources are available from here:

https://java.net/downloads/openjdk6/

AFAIK, OpenJDK7 does not release source tarballs yet but you can check
out from the Mercurial repository.

http://hg.openjdk.java.net/jdk7u

Jung-uk Kim

From owner-freebsd-java@freebsd.org Tue Jul 14 13:24:03 2015
Date: Tue, 14 Jul 2015 06:23:55 -0700 (PDT)
From: Roger Marquis
To: glewis@FreeBSD.org, jkim@FreeBSD.org, java@FreeBSD.org
Subject: JDK/JRE security question

Esteemed JDK maintainers,

Given all of the recent Java security news (not just javaws- or
windows-related) it's surprising that the database does not show a
FreeBSD jdk vulnerability for over 30 months. Is this accurate? If so
thank you for the excellent work (and thank you even if not for the
excellent work). If it's not necessarily accurate and considering
Oracle's EOL of Java 6 and 7, do you have any recommendations for
updating vuln.xml?

Best,
Roger Marquis

From owner-freebsd-java@freebsd.org Sat Jul 18 02:44:23 2015
Date: Fri, 17 Jul 2015 19:44:21 -0700
From: Greg Lewis
To: Roger Marquis
Cc: glewis@FreeBSD.org, jkim@FreeBSD.org, java@FreeBSD.org
Subject: Re: JDK/JRE security question

On Tue, Jul 14, 2015 at 06:23:55AM -0700, Roger Marquis wrote:
> Esteemed JDK maintainers,
>
> Given all of the recent Java security news (not just javaws- or
> windows-related) it's surprising that the database does not show a
> FreeBSD jdk vulnerability for over 30 months. Is this accurate? If so
> thank you for the excellent work (and thank you even if not for the
> excellent work). If it's not necessarily accurate and considering
> Oracle's EOL of Java 6 and 7, do you have any recommendations for
> updating vuln.xml?

It is likely that there are vulnerabilities in the JDK that should be
listed there. The Linux JDK as well one suspects. However, less than
one might expect due to many of these occurring in the browser plugin
which isn't included in OpenJDK.

I'm not precisely sure where to start on such a list though. Perhaps
something like this:

http://www.cvedetails.com/vulnerability-list/vendor_id-93/product_id-19117/Oracle-JRE.html

Although the internal build numbers there for OpenJDK6 don't correspond
to the public release build numbers that have been used since Oracle
stopped doing public releases and RedHat took over source code
maintenance. So getting the correct version for that may be tricky.

-- 
Greg Lewis                          Email   : glewis@eyesbeyond.com
Eyes Beyond                         Web     : http://www.eyesbeyond.com
Information Technology              FreeBSD : glewis@FreeBSD.org