Date:      Sat, 4 Jan 2014 20:19:19 -0800
From:      Greg Lewis <glewis@eyesbeyond.com>
To:        Matthew Seaman <matthew@freebsd.org>
Cc:        freebsd-java@freebsd.org
Subject:   Re: open jdk7 marked "FORBIDDEN"
Message-ID:  <20140105041919.GA57795@misty.eyesbeyond.com>
In-Reply-To: <52C7E24A.6010902@FreeBSD.org>
References:  <21189.33585.949509.38005@jerusalem.litteratus.org> <52C58E85.8030501@freebsd.org> <1388798626990-5873612.post@n5.nabble.com> <52C7E24A.6010902@FreeBSD.org>

On Sat, Jan 04, 2014 at 10:28:26AM +0000, Matthew Seaman wrote:
> On 04/01/2014 01:23, ari wrote:
> >> The 'nasty FreeBSD bug' is that running the latest OpenJDK 6 or 7 will
> >> cause pretty much all versions of FreeBSD back to 8.0 to instantly
> >> reboot.  This is actually a FreeBSD kernel bug.
> > 
> >> Watch the freebsd-announce@... list -- there will be at least an Errata
> >> notice for all supported releases.
> > 
> > 
> > I understand the desire to protect people from bad effects, but this lockout
> > of every Java port (since everything pretty much depends on openjdk) is
> > quite extreme. Can we please have some more information about:
> > 
> > * the nature of the bug
> > * how far back do we have to revert openjdk7 to avoid the problem
> > 
> > I've got a huge reliance on Java on production servers and this makes me
> > very nervous. I also had planned an upgrade from FreeBSD 9.0 to 9.2 on a
> > server today and this can't go ahead since I cannot install an updated
> > openjdk.
> > 
> > If this is an obscure bug which is in all versions of the openjdk against
> > all versions of freebsd, could someone please revert the FORBIDDEN flag on
> > these ports, since its only effect is to:
> > 
> > * make users believe that FreeBSD is not a good platform for Java
> > * stop users from upgrading from any previous versions of Java, or otherwise
> > update systems
> > 
> > If this is a serious problem only in the latest version of Java (eg.
> > 1.7.0_45) then can we revert the port to a known working version?
> > 
> > 
> > At any rate, more information would be great since I've already got 1.7.0_45
> > in production on a couple of machines and I need to know what to look out
> > for.
> 
> Yes, certainly.  The important point here is that the bug is in certain
> FreeBSD versions, not in Java.
> 
> If you've got a java package that runs without causing the system to
> panic then there's no reason not to carry on using it.
> 
> The symptoms of the bug are that the OS will panic whenever one of the
> latest versions of OpenJDK is run on a susceptible version of the OS.
> If your machine can /build/ the latest OpenJDK without panicking (which
> involves extensive use of Java to compile itself) then you're OK to
> deploy that version to run your web applications or whatever (subject to
> the usual sorts of testing you'd do around updating any core component
> of the business that provides your paychecks, of course).
> 
> OpenJDK 7.45.18 or 7.45.18_1 would trigger the bug in susceptible
> FreeBSD systems.  7.25.15_2 or earlier should be safe.

"Safe" being a relative term since typically the updated Java version will
contain security fixes as well.  I didn't enumerate all the security fixes
between 7u25 and 7u45 when doing the update, but I'm pretty certain it was
not a list of zero length.

I realise this potentially puts people in a poor situation.  I'd definitely
recommend running 7u45 if you can, and in particular please run 7.45.18_1,
since the initial 7.45.18 update didn't pick up changes to how the unlimited
strength security policies were installed.

> FreeBSD 11-CURRENT (r259951), 10-STABLE (r260081), 10.0-RELEASE-rc4
> (r260122) and 9-STABLE (r260082) have been patched.  Neither 8-STABLE
> nor any of the supported 9.x- or 8.x-RELEASE branches have been patched
> yet. As I said, the -RELEASE branches would be listed in an errata
> notice or security advisory when a patch was applied.
> 
> Disclaimer: this is just based on what I have been able to gather from
> public mailing lists, my own experiences trying to build package sets
> including OpenJDK and by spelunking through the SVN repository via
> http://svnweb.freebsd.org/base/  It does not represent the official
> position of the FreeBSD project.
> 
> 	Cheers,
> 
> 	Matthew
> 
> -- 
> Dr Matthew J Seaman MA, D.Phil.
> PGP: http://www.infracaninophile.co.uk/pgpkey

-- 
Greg Lewis                          Email   : glewis@eyesbeyond.com
Eyes Beyond                         Web     : http://www.eyesbeyond.com
Information Technology              FreeBSD : glewis@FreeBSD.org


