Closed nobletrout closed 2 years ago
The bot picked up the 18.0.1 release in https://github.com/docker-library/openjdk/commit/8a2f76391892edf7552ac3cb3273573d935bdc7c, but I don't see any others yet. Once the rest are available via their respective upstream location, they will be updated by the bot (see versions.sh for where it scrapes them).
For the process to get them to Docker Hub, see the readme.
So, the script scrapes the page https://jdk.java.net/17/ and that still lists 17.0.2. So while this might be offtopic for this forum – any ideas on why this might be, and if there would be some channel to ping to make Oracle update it? Bug report?
[edit: I did send a bug report through that channel, don't know if that will help but can't hurt... Also tried the e-mail address listed at the above linked page "for difficulty downloading", but that just bounced.]
@yosifkit is the 18.0.1 update hanging on this Pull Request which has one error in the tests? https://github.com/docker-library/official-images/pull/12273
https://github.com/docker-library/official-images/runs/6104395307?check_suite_focus=true
> So, the script scrapes the page https://jdk.java.net/17/ and that still lists 17.0.2. So while this might be offtopic for this forum – any ideas on why this might be, and if there would be some channel to ping to make Oracle update it? Bug report?
> [edit: I did send a bug report through that channel, don't know if that will help but can't hurt... Also tried the e-mail address listed at the above linked page "for difficulty downloading", but that just bounced.]
Thanks skagedal for sending in the bug report to Oracle to be able to scrape 17.0.3. Just wondering if there is any option to switch to 17.0.3 for openjdk before Oracle fixes the bug that it lists 17.0.2 as latest version? CVE-2022-21449 especially is a severe vulnerability and it would be great if this can be fixed soon in the openjdk docker image.
> So, the script scrapes the page https://jdk.java.net/17/ and that still lists 17.0.2. So while this might be off topic for this forum – any ideas on why this might be, and if there would be some channel to ping to make Oracle update it? Bug report?
> [edit: I did send a bug report through that channel, don't know if that will help but can't hurt... Also tried the e-mail address listed at the above linked page "for difficulty downloading", but that just bounced.]
@skagedal I tried to send a complaint about https://jdk.java.net/17/ linking only to 17.0.2 and not 17.0.3 via "Contact us" on the page https://www.oracle.com/java/technologies/downloads/
Hi again
I got the following answer from Oracle:
> Currently, Oracle only publishes the first two updates to a major JDK version (e.g., 17.0.1, 17.0.2). Control of the version is then turned over to the community. The JDK 17 Updates project[0] handles patches, etc. from that point on. There's also a downloads section[0] that gives a recommendation for a public build of the JDK. Since JDK 17 is in the hands of the community, there are several versions from various companies available[1]. If you have support from any of these, that might be the best place to obtain a copy (e.g., Red Hat for RHEL). Hope this helps,
>
> [0] https://wiki.openjdk.java.net/display/JDKUpdates/JDK+17u
> [1] https://whichjdk.com/
(I got the response after contacting Andrew Gross in the OpenJDK Vulnerability Group, who sent out this message: https://mail.openjdk.java.net/pipermail/vuln-announce/2022-April/000015.html )
😾
So, for OpenJDK 8 and 11 that come from https://adoptopenjdk.net/upstream.html, we are just waiting for an update there. Those vanilla builds are provided by the OpenJDK 8 and 11 updates lead (https://github.com/docker-library/openjdk/issues/320#issuecomment-494050246) :heart:.
> Currently, Oracle only publishes the first two updates to a major JDK version (e.g., 17.0.1, 17.0.2). Control of the version is then turned over to the community.
Given that response from Oracle for OpenJDK 17, it looks like we will either need a vanilla build similar to those provided for 8 and 11 or that we will have to deprecate the 17 images :scream: (which I'd rather not have to do) and instead point users to Adoptium Eclipse Temurin 17.
@theRealAph, (:bowing_man: apologies for the ping) do you know if there are plans for similar vanilla builds for OpenJDK 17u?
https://adoptium.net/ (which seems to be the successor for adoptopenjdk.net) now offers 17.0.3 for download.
Perhaps one fix could be to use the AWS Corretto base image.
In one service we use the openjdk base image "openjdk:8". It has this Java version:
openjdk version "1.8.0_322"
OpenJDK Runtime Environment (build 1.8.0_322-b06)
OpenJDK 64-Bit Server VM (build 25.322-b06, mixed mode)
I tested "amazoncorretto:8" base image and the Java version is now:
openjdk version "1.8.0_332"
OpenJDK Runtime Environment Corretto-8.332.08.1 (build 1.8.0_332-b08)
OpenJDK 64-Bit Server VM Corretto-8.332.08.1 (build 25.332-b08, mixed mode)
Based on information from https://openjdk.java.net/groups/vulnerability/advisories/2022-04-19 it seems that version "8u322" is affected. But Corretto has version "1.8.0_332", so the build version is different.
Is my assumption correct that the Corretto base image is not affected by "CVE-2022-21449"? Right?
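A check of the kind this comment does by eye, as an added example (not part of the thread or of the docker-library tooling): it parses `java -version` output in both the legacy `1.8.0_NNN` and the modern `17.0.N` schemes and compares it with the update releases named in this thread (8u332, 11.0.15, 17.0.3, 18.0.1). The function names and the baseline table are assumptions of the example; it reports the update level only and says nothing about which CVE applies to which feature version.

```python
import re

# Update releases this thread names as carrying the April 2022 fixes,
# keyed by feature version. Values are (feature, interim, update).
APRIL_2022_BASELINE = {
    8: (8, 0, 332),
    11: (11, 0, 15),
    17: (17, 0, 3),
    18: (18, 0, 1),
}

# `java -version` output quoted in the comment above.
OPENJDK_8 = '''openjdk version "1.8.0_322"
OpenJDK Runtime Environment (build 1.8.0_322-b06)
OpenJDK 64-Bit Server VM (build 25.322-b06, mixed mode)'''
CORRETTO_8 = '''openjdk version "1.8.0_332"
OpenJDK Runtime Environment Corretto-8.332.08.1 (build 1.8.0_332-b08)
OpenJDK 64-Bit Server VM Corretto-8.332.08.1 (build 25.332-b08, mixed mode)'''
# Constructed sample for a modern-scheme version string.
OPENJDK_17 = 'openjdk version "17.0.2" 2022-01-18'


def parse_java_version(output):
    """Return (feature, interim, update) from `java -version` output."""
    quoted = re.search(r'version "([^"]+)"', output)
    if not quoted:
        raise ValueError("no quoted version string in output")
    raw = quoted.group(1)
    # Legacy scheme (Java 8 and earlier): 1.8.0_322 means 8u322.
    legacy = re.fullmatch(r"1\.(\d+)\.(\d+)(?:_(\d+))?(?:-.*)?", raw)
    if legacy:
        return tuple(int(g or 0) for g in legacy.groups())
    # Modern scheme (Java 9+): feature.interim.update, trailing parts optional.
    modern = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", raw)
    if not modern:
        raise ValueError(f"unrecognised version string: {raw!r}")
    return tuple(int(g or 0) for g in modern.groups())


def at_or_past_baseline(output):
    """True/False against the baseline; None for a feature version not listed."""
    version = parse_java_version(output)
    baseline = APRIL_2022_BASELINE.get(version[0])
    return None if baseline is None else version >= baseline


if __name__ == "__main__":
    for name, out in [("openjdk:8", OPENJDK_8), ("amazoncorretto:8", CORRETTO_8),
                      ("constructed 17.0.2", OPENJDK_17)]:
        print(name, parse_java_version(out), at_or_past_baseline(out))
```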
looks like you guys need to adjust this version check to be 18 or something like that? https://github.com/docker-library/openjdk/blob/master/versions.sh#L148
> https://adoptium.net/ (which seems to be the successor for adoptopenjdk.net) now offers 17.0.3 for download.
We do not use builds from AdoptOpenJDK -- the builds we use just happen to be hosted on the AdoptOpenJDK website/GitHub:
See also https://github.com/AdoptOpenJDK/openjdk11-upstream-binaries/issues/23 and https://github.com/docker-library/openjdk/issues/485#issuecomment-1013318164.
At least it's communicated now? http://jdk.java.net/17/ :see_no_evil: :facepalm:
@GoeLin apologies for the ping :bow: :pray: It appears that you're the lead for the OpenJDK 17u project?
Do you happen to know if there are or will be "vanilla" builds of 17u hosted anywhere that we could consume here? (The alternative is that the openjdk image drops support for 17 entirely - not the end of the world given there are other options available, but also not super ideal. :sweat_smile:)
For context, we've been using https://github.com/AdoptOpenJDK/openjdk11-upstream-binaries and https://github.com/AdoptOpenJDK/openjdk8-upstream-binaries for 11u and 8u (respectively), and Oracle's now dropped their 17u builds from jdk.java.net because we've reached the end of the time period they're willing to provide those. :see_no_evil:
looks like 11.0.15 is available now, still waiting on 8u332 and 17.0.3
Re: 11.0.15, see https://github.com/docker-library/openjdk/commit/87352133c6e7e03310f992ca2827aa06df225f27 and https://github.com/docker-library/official-images/pull/12294
Edit: looking at https://github.com/AdoptOpenJDK/openjdk8-upstream-binaries/commit/5bdd5427099ae6ab659341ea9fed7ee68fef9af3, it appears 8u332 is in progress :crossed_fingers:
Hi @tianon, the OpenJDK project does not supply binaries, but you can find builds at adoptium/temurin17-binaries: https://github.com/adoptium/temurin17-binaries/releases/tag/jdk-17.0.2%2B8
Also check this wiki page for info on the jdk17u project: https://wiki.openjdk.java.net/display/JDKUpdates/JDK+17u
Best regards, Goetz.
Thanks @GoeLin -- that's extremely helpful.
It's unfortunate, but that means we are dropping OpenJDK 17 from this project: https://github.com/docker-library/openjdk/pull/495
Users who need 17 should seek alternatives (and frankly already should've been on alternatives if they care about being well-supported), such as Eclipse Temurin, SapMachine, Amazon Corretto, etc.
I've also opened https://github.com/docker-library/docs/pull/2142 to hopefully make it significantly more clear what this image is (and thus what it is not).
Hi @tianon, the adoptium/temurin builds (or Eclipse Temurin) are the direct successors of the AdoptOpenJDK builds. The project is moving into Eclipse. So if you use those builds, there is no big change in "officiality" of the OpenJDK builds. I assume you need to do so for 11 at some point, too. Please contact Temurin people about this. Thanks, Goetz.
It's definitely been an unfortunate source of confusion that these builds are hosted by the AdoptOpenJDK project for us -- we use https://github.com/AdoptOpenJDK/openjdk8-upstream-binaries and https://github.com/AdoptOpenJDK/openjdk11-upstream-binaries which are "vanilla" OpenJDK builds created by Red Hat under Andrew Haley's direction (see also https://github.com/docker-library/openjdk/issues/485#issuecomment-1013318164 for a longer-form explanation). We have not been publishing Temurin as openjdk (the "Temurin" builds are published under eclipse-temurin instead).
Closing as this is now likely as "fixed" as it is going to be -- if your specific need is not resolved here, please look into the alternatives linked at the top of https://hub.docker.com/_/openjdk.
Please see this security advisory from OpenJDK.
Multiple versions of openjdk have vulnerabilities that are patched in the latest JDK: