adoptium / temurin-build

Eclipse Temurin™ build scripts - common across all releases/versions
Apache License 2.0

AdoptOpenJDK GA releases for OpenJDK GA releases #1408

Closed jupaintoux closed 4 years ago

jupaintoux commented 4 years ago

Hello,

For security reasons, I need to use the AdoptOpenJDK releases of OpenJDK GA versions. I am opening this support request because I do not understand how AdoptOpenJDK makes any distinction between a GA version and a "normal" version.

As an example, at one point the version "jdk-11.0.5+10" was released in the JDK11u repository, and a few weeks later this version was also tagged as "jdk-11.0.5-ga". The difference between "jdk-11.0.5+10" and "jdk-11.0.5-ga" is that security fixes are included in the GA version. Indeed, according to this page (https://wiki.openjdk.java.net/display/JDKUpdates/JDK11u), the difference between a given JDK version and its "equivalent" GA version is that "embargoed security fixes are added in private".

My problem is that there is no way to distinguish those two versions on AdoptOpenJDK.net, as we will have only one line for "jdk-11.0.5+10".

Thanks for your help

jerboaa commented 4 years ago

I don't understand the question. jdk-11.0.5+10 and jdk-11.0.5-ga are one and the same: http://mail.openjdk.java.net/pipermail/jdk-updates-dev/2019-October/002025.html

http://hg.openjdk.java.net/jdk-updates/jdk11u/tags => look for jdk-11.0.5+10; both point to revision 6385eb06af94.

jerboaa commented 4 years ago

The -ga tag is for convenience of downstream builders (like AdoptOpenJDK) so that they know which build number is the final, GA, version.

jupaintoux commented 4 years ago

Hello,

That is not what I understand from the link I provided, but I may be wrong [https://wiki.openjdk.java.net/display/JDKUpdates/JDK11u]: "At the end of the month prior to the release month, the jdk11u repository is declared frozen so embargoed security fixes can be added in private during the final few weeks." What does "in private" mean for you?

Later on the same page, the delivery timelines for the next versions are given. For OpenJDK 11.0.6, we have: "Tuesday, December 24 2019: Last tag before code freeze Tuesday, January 14 2020: GA; OpenJDK 11.0.6 released (tag: jdk-11.0.6-ga)" If it was exactly the same code, why would it take three weeks? Adding a tag is an operation which should take a few seconds... That is why I thought that those three weeks were used to add the security fixes "in private".

Thanks for your help

jerboaa commented 4 years ago

> Hello,
>
> That is not what I understand from the link I provided, but I may be wrong [https://wiki.openjdk.java.net/display/JDKUpdates/JDK11u]: "At the end of the month prior to the release month, the jdk11u repository is declared frozen so embargoed security fixes can be added in private during the final few weeks." What does "in private" mean for you?
>
> Later on the same page, the delivery timelines for the next versions are given. For OpenJDK 11.0.6, we have: "Tuesday, December 24 2019: Last tag before code freeze Tuesday, January 14 2020: GA; OpenJDK 11.0.6 released (tag: jdk-11.0.6-ga)" If it was exactly the same code, why would it take three weeks? Adding a tag is an operation which should take a few seconds... That is why I thought that those three weeks were used to add the security fixes "in private".
>
> Thanks for your help

This is an upstream OpenJDK 11u question, rather than an AdoptOpenJDK question, I'd think. I'll answer this question with my upstream OpenJDK 11u hat on. An example probably works best. I'll explain using the JDK 11.0.5 release:

The JDK 11.0.5 release consists of non-security related fixes (those which don't have a CVE associated with them) and, well, security fixes. Security fixes are subject to embargo. That is, any participant in the OpenJDK 11u updates project may not release security fixes until a certain deadline. For 11.0.5 you'll notice that there have been "Early Access" binaries available which correspond to build tags in the jdk-updates/jdk11u tree. In the JDK 11.0.5 case, there were EA builds 1 to 9. jdk-11.0.5+9, the last publicly available EA tag, was added on September 25, 2019. Between the last public EA tag and the final GA tag, work must happen in private due to embargo. Adding security patches happens in private, building on jdk-11.0.5+9. So does tagging jdk-11.0.5+10 (or GA). The results get pushed publicly around the unembargo time.

For AdoptOpenJDK this currently means builds happen after the GA tags have been pushed.
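As an added example (not part of this thread or of the temurin-build project), here is a small Python check that reads a tag listing in the `hg tags` layout and resolves which jdk-<release>+<build> tag shares its revision with the jdk-<release>-ga tag, so a downstream builder can confirm it is building the GA build (the one carrying the embargoed fixes) rather than an earlier EA tag. The sample listing is constructed; only the 6385eb06af94 revision shared by jdk-11.0.5+10 and jdk-11.0.5-ga comes from the thread.

```python
import re

# Matches one line of `hg tags` output: "<tag>  <rev>:<node>". Only jdk-<release>+<build>
# and jdk-<release>-ga tags are of interest; everything else (e.g. "tip") is skipped.
TAG_RE = re.compile(
    r"^(?P<tag>jdk-(?P<release>\d+(?:\.\d+)*)(?:\+\d+|-ga))\s+\d+:(?P<node>[0-9a-f]+)\s*$"
)

# Constructed sample listing. Only 6385eb06af94 (jdk-11.0.5+10 == jdk-11.0.5-ga) is taken
# from the thread; the other nodes are made up. 11.0.6 has an EA tag but no -ga tag yet.
SAMPLE_TAGS = """\
tip                               60020:aaaaaaaaaaaa
jdk-11.0.6+1                      60012:bbbbbbbbbbbb
jdk-11.0.5-ga                     59998:6385eb06af94
jdk-11.0.5+10                     59998:6385eb06af94
jdk-11.0.5+9                      59950:cccccccccccc
jdk-11.0.5+8                      59900:dddddddddddd
"""


def parse_tags(text):
    """Return {tag: node} for the jdk-* tags in an `hg tags` listing."""
    tags = {}
    for line in text.splitlines():
        m = TAG_RE.match(line)
        if m:
            tags[m.group("tag")] = m.group("node")
    return tags


def classify_release(tags, release):
    """Return (ga_build_tag, [ea_build_tags]) for one release such as "11.0.5".
    The GA build is the +<build> tag whose node equals the -ga tag's node; lower-numbered
    +<build> tags are pre-freeze EA builds. Raises LookupError while no -ga tag exists."""
    ga_tag = f"jdk-{release}-ga"
    if ga_tag not in tags:
        raise LookupError(f"{ga_tag} not present: {release} is not GA yet")
    prefix = f"jdk-{release}+"
    builds = {int(t[len(prefix):]): (t, n) for t, n in tags.items() if t.startswith(prefix)}
    ga_nums = [b for b, (_, n) in builds.items() if n == tags[ga_tag]]
    if len(ga_nums) != 1:
        raise LookupError(f"{ga_tag} does not match exactly one +<build> tag")
    ga_num = ga_nums[0]
    ea = [builds[b][0] for b in sorted(builds) if b < ga_num]
    return builds[ga_num][0], ea
```

On a real checkout the listing would come from `hg tags` (or the equivalent tag-to-commit mapping of the Git mirror); a release with no -ga tag is still under embargo and should not be treated as final.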

jupaintoux commented 4 years ago

That is perfectly clear! Thanks for your explanation.

PS: to prevent people from being confused as I was, may I just suggest adding "something" on the AdoptOpenJDK website next to the GA JDK versions to make it visible that a version is GA, for instance "jdk-11.0.5+10 (GA)"?