Closed smlambert closed 2 months ago
"becoming more deeply reproducible" - For April, Temurin Linux releases built with Adoptium Devkit that the project has started building and publishing
Related: https://github.com/adoptium/github-release-scripts/pull/152, https://github.com/adoptium/temurin-build/issues/3468
https://github.com/adoptium/temurin-build/issues/3468#issuecomment-1706753618
This will thus enable other users/3rd parties to exactly reproduce Temurin binaries "identically", and thus perform a "trusted validation" reproducible build in their own environment.
JDK21 and above on Linux for x64, aarch64, ppc64le and s390x have been built using an openjdk devkit.
JDK22 s390x patch (built from jdk-22.0.1.1+1_adopt tag)
For these posts, we use PMC as the author.
CAcerts was updated on March 13th, details in https://github.com/adoptium/temurin-build/pull/3697#issuecomment-1994007189 - therefore this is the first CPU with this update since January.
@tellison Would you prefer me to inline your summary of changes into the blog post or just link to that comment?
@andrew-m-leonard Are there any updates to the SBoM since January that are worth calling out here since the last CPU/PSU release?
EDIT: Noting that `make_command_args` now has a bit of a prefix on it:

* **21.0.2+13:** `make product-images legacy-jre-image test-image static-libs-image`
* **21.0.3+9:** `mkdir /home/jenkins/workspace/build-scripts/jobs/release/jobs/jdk21u/jdk21u-release-linux-x64-temurin/workspace/./build//straceOutput && strace -o /home/jenkins/workspace/build-scripts/jobs/release/jobs/jdk21u/jdk21u-release-linux-x64-temurin/workspace/./build//straceOutput/outputFile -ff -e trace=open,openat,execve make product-images legacy-jre-image test-image static-libs-image"`

There's the new `components` section with the data presumably from the strace output, although it seems to have the final character of the package names truncated, so I'm a little reluctant to call that out in the post at the moment (I'll raise an issue), e.g.

```json
    "name" : "glibc-common-2.17-326.el7_9.x86_6",
    "value" : "glibc-common-2.17-326.el7_9.x86_6"
  },
  {
    "name" : "pyparsing-1.5.6-9.el7.noarc",
    "value" : "pyparsing-1.5.6-9.el7.noarc"
  },
```
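The `strace -ff -e trace=open,openat,execve` prefix above records every file a build process (and each of its children, one `outputFile.PID` per process) opened or executed; the SBOM `components` data is presumably derived from that. The script below is an added example, not part of this issue or of temurin-build, showing how such per-process trace files can be reduced to the set of paths actually consumed by the build. It assumes standard strace output formatting (call, quoted path argument, `= return` value) and uses a constructed sample; it skips failed calls, which are mostly the dynamic loader probing directories that do not exist.

```python
import glob
import os
import re
from typing import Dict, Iterable, Optional, Set, Tuple

# strace line shape (optionally prefixed by "[pid N]" when -f is used without -ff):
#   openat(AT_FDCWD, "/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
#   execve("/usr/bin/make", ["make", "product-images"], 0x7ffc... /* 40 vars */) = 0
_CALL_RE = re.compile(r'^(?:\[pid\s+\d+\]\s+)?(open|openat|execve)\((.*)\)\s*=\s*(-?\d+)')
# First double-quoted argument; strace escapes embedded quotes as \".
_PATH_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

SYSCALLS = ("open", "openat", "execve")


def parse_strace_line(line: str) -> Optional[Tuple[str, str, bool]]:
    """Return (syscall, path, succeeded) for open/openat/execve lines, else None.

    For openat the first quoted argument is the path (AT_FDCWD is unquoted);
    for execve it is the program being executed.
    """
    m = _CALL_RE.match(line.strip())
    if not m:
        return None
    syscall, args, ret = m.groups()
    p = _PATH_RE.search(args)
    if not p:
        return None
    return syscall, p.group(1), int(ret) >= 0


def accessed_paths(lines: Iterable[str], include_failed: bool = False) -> Dict[str, Set[str]]:
    """Collect the unique paths per syscall across all trace lines.

    Failed calls (ENOENT probes of library search directories, missing optional
    config files) are dropped unless include_failed is set, so the result reflects
    files the build really read or ran.
    """
    out: Dict[str, Set[str]] = {name: set() for name in SYSCALLS}
    for line in lines:
        parsed = parse_strace_line(line)
        if parsed is None:
            continue
        syscall, path, ok = parsed
        if ok or include_failed:
            out[syscall].add(path)
    return out


def read_trace_dir(directory: str, prefix: str = "outputFile") -> Dict[str, Set[str]]:
    """Merge every per-process file written by `strace -ff -o <directory>/<prefix>`."""
    def all_lines():
        for name in sorted(glob.glob(os.path.join(directory, prefix + ".*"))):
            with open(name, encoding="utf-8", errors="replace") as fh:
                yield from fh
    return accessed_paths(all_lines())


# Constructed sample trace (not captured from a real Temurin build).
SAMPLE_STRACE = """\
execve("/usr/bin/make", ["make", "product-images"], 0x7ffc3a2b1c40 /* 40 vars */) = 0
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/home/jenkins/workspace/build/Makefile", O_RDONLY) = 4
openat(AT_FDCWD, "/usr/local/lib/libfoo.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/share/zoneinfo/UTC", O_RDONLY|O_CLOEXEC) = 5
--- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=4242, si_status=0} ---
+++ exited with 0 +++
"""

if __name__ == "__main__":
    result = accessed_paths(SAMPLE_STRACE.splitlines())
    for syscall in SYSCALLS:
        for path in sorted(result[syscall]):
            print(f"{syscall:7s} {path}")
```

The successful `openat`/`open` paths are what you would then map back to the owning package (for example via `rpm -qf`) to build a components list; checking that mapping against the original path is also an easy way to catch the kind of last-character truncation noted above.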
@tellison Would you prefer me to inline your summary of changes into the blog post or just link to that comment?
Inline please. There are previous examples of the cacerts update section in earlier release blogs to follow.
Thanks - looks like the last one might have been January 2023 so I'll follow that format
Note: Release notes pages do not seem to be loading properly at the moment
The strace stuff is new, but there are some fixes and updates to that before we talk about it, and I hadn't noticed the missing last character, thanks!
Do you want it in the blog post? I've done a draft with it in that I'm about to put up, but can remove it if desired. Feel free to let me know in a comment when I put the PR in (next couple of minutes)
The following table summarizes security vulnerabilities fixed in this release cycle. The affected Temurin version streams are noted by an 'X' in the table. Each line shows the Common Vulnerabilities and Exposures (CVE) vulnerability database reference and Common Vulnerability Scoring System (CVSS) v3.1 base score provided by the OpenJDK Vulnerability Group. Note that defense-in-depth issues are not assigned CVEs.
CVE Identifier | Component | CVSS Score | v8 | v11 | v17 | v21 | v22 |
---|---|---|---|---|---|---|---|
CVE-2024-21094 | hotspot/compiler | Low (3.7) | X | X | X | X | |
CVE-2024-21085 | core-libs/java.util | Low (3.7) | X | X | | | |
CVE-2024-21011 | hotspot/runtime | Low (3.7) | X | X | X | X | X |
CVE-2024-21068 | hotspot/compiler | Low (3.7) | X | X | X | X | X |
CVE-2024-21012 | core-libs/java.net | Low (3.7) | X | X | X | X | |
Thanks Shelley - added to PR, and added a retrospective note to log where this is sourced from and get that into the releasing guide/checklist
Yes, I originally thought to create a PR template to lay down the outline of a release blog post, plus a GH workflow that could generate the specific content, but then my brain melted and I mistakenly added an issue template instead of a PR template.
> my brain melted
I can very much empathise with that feeling :-)
Create a blog post to highlight the new and noteworthy of the April 2024 CPU, that also includes release notes.