docker-library / openjdk

Docker Official Image packaging for EA builds of OpenJDK from Oracle
http://openjdk.java.net
MIT License

ETA on April 2022 update for OpenJDK? #493

Closed nobletrout closed 2 years ago

nobletrout commented 2 years ago

Please see this security advisory from OpenJDK.

Multiple versions of openjdk have vulnerabilities that are patched in the latest JDK:

CVE-2022-21426
CVE-2022-21434
CVE-2022-21443
CVE-2022-21449
CVE-2022-21476
CVE-2022-21496
yosifkit commented 2 years ago

The bot picked up the 18.0.1 release in https://github.com/docker-library/openjdk/commit/8a2f76391892edf7552ac3cb3273573d935bdc7c, but I don't see any others yet. Once the rest are available via their respective upstream location, they will be updated by the bot (see versions.sh for where it scrapes them).

For the process to get them to Docker Hub, see the readme.

skagedal commented 2 years ago

So, the script scrapes the page https://jdk.java.net/17/ and that still lists 17.0.2. So while this might be off-topic for this forum – any ideas on why this might be, and if there would be some channel to ping to make Oracle update it? Bug report?

[edit: I did send a bug report through that channel, don't know if that will help but can't hurt... Also tried the e-mail address listed at the above linked page "for difficulty downloading", but that just bounced.]

areguru commented 2 years ago

@yosifkit is the 18.0.1 update hanging on this Pull Request which has one error in the tests? https://github.com/docker-library/official-images/pull/12273

https://github.com/docker-library/official-images/runs/6104395307?check_suite_focus=true

Davidswinkels commented 2 years ago

> So, the script scrapes the page https://jdk.java.net/17/ and that still lists 17.0.2. So while this might be off-topic for this forum – any ideas on why this might be, and if there would be some channel to ping to make Oracle update it? Bug report?
>
> [edit: I did send a bug report through that channel, don't know if that will help but can't hurt... Also tried the e-mail address listed at the above linked page "for difficulty downloading", but that just bounced.]

Thanks @skagedal for sending in the bug report to Oracle to be able to scrape 17.0.3. Just wondering if there is any option to switch to 17.0.3 for openjdk before Oracle fixes the bug that it lists 17.0.2 as the latest version? CVE-2022-21449 especially is a severe vulnerability and it would be great if this can be fixed soon in the openjdk docker image.

areguru commented 2 years ago

> So, the script scrapes the page https://jdk.java.net/17/ and that still lists 17.0.2. So while this might be off-topic for this forum – any ideas on why this might be, and if there would be some channel to ping to make Oracle update it? Bug report?
>
> [edit: I did send a bug report through that channel, don't know if that will help but can't hurt... Also tried the e-mail address listed at the above linked page "for difficulty downloading", but that just bounced.]

@skagedal I tried to send a complaint about https://jdk.java.net/17/ linking only to 17.0.2 and not 17.0.3 via "Contact us" on the page https://www.oracle.com/java/technologies/downloads/

areguru commented 2 years ago

Hi again

I got the following answer from Oracle:

> Currently, Oracle only publishes the first two updates to a major JDK version (e.g., 17.0.1, 17.0.2). Control of the version is then turned over to the community. The JDK 17 Updates project[0] handles patches, etc. from that point on. There's also a downloads section[0] that gives a recommendation for a public build of the JDK. Since JDK 17 is in the hands of the community, there are several versions from various companies available[1]. If you have support from any of these, that might be the best place to obtain a copy (e.g., Red Hat for RHEL). Hope this helps,
>
> [0] https://wiki.openjdk.java.net/display/JDKUpdates/JDK+17u [1] https://whichjdk.com/


(I got the response after contacting Andrew Gross in the OpenJDK Vulnerability Group, who sent out this message: https://mail.openjdk.java.net/pipermail/vuln-announce/2022-April/000015.html )

nobletrout commented 2 years ago

😾

yosifkit commented 2 years ago

So, for OpenJDK 8 and 11 that come from https://adoptopenjdk.net/upstream.html, we are just waiting for an update there. Those vanilla builds are provided by the OpenJDK 8 and 11 updates lead (https://github.com/docker-library/openjdk/issues/320#issuecomment-494050246) :heart:.

> Currently, Oracle only publishes the first two updates to a major JDK version (e.g., 17.0.1, 17.0.2). Control of the version is then turned over to the community.

Given that response from Oracle for OpenJDK 17, it looks like we will either need a vanilla build similar to those provided for 8 and 11 or that we will have to deprecate the 17 images :scream: (which I'd rather not have to do) and instead point users to Adoptium Eclipse Temurin 17.

@theRealAph, (:bowing_man: apologies for the ping) do you know if there are plans for similar vanilla builds for OpenJDK 17u?

ghost commented 2 years ago

https://adoptium.net/ (which seems to be the successor for adoptopenjdk.net) now offers 17.0.3 for download.

jussiseppala commented 2 years ago

Perhaps one fix could be to take AWS corretto base image in use.

We use in one service openjdk base image "openjdk:8". That has java version:

openjdk version "1.8.0_322"
OpenJDK Runtime Environment (build 1.8.0_322-b06)
OpenJDK 64-Bit Server VM (build 25.322-b06, mixed mode)

I tested "amazoncorretto:8" base image and the Java version is now:

openjdk version "1.8.0_332"
OpenJDK Runtime Environment Corretto-8.332.08.1 (build 1.8.0_332-b08)
OpenJDK 64-Bit Server VM Corretto-8.332.08.1 (build 25.332-b08, mixed mode)

Based on information from https://openjdk.java.net/groups/vulnerability/advisories/2022-04-19 it seems that version "8u322" is affected. But Corretto has version "1.8.0_332", so the build version is different.

Is my assumption correct that the Corretto base image is not affected by "CVE-2022-21449"? Right?

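The comparison above (8u322 in `openjdk:8` versus 8u332 in `amazoncorretto:8`) is the check everyone in this thread is doing by hand: read the first line of `java -version` and see whether the build is at or past the update that carries the April 2022 fixes. The script below is an added example for this thread, not code from the docker-library/openjdk project. It parses both the legacy `1.8.0_332` scheme and the `17.0.3` scheme, and compares against the fixed update levels named in this thread (8u332, 11.0.15, 17.0.3, 18.0.1). The table of fixed versions and the sample `java -version` lines are constructed for the example; which individual CVE applies to which release line is per the advisory itself (CVE-2022-21449, the ECDSA signature check bypass, applies to 15 and later, so on 8 it is the other CVEs in the same advisory that the 8u332 update addresses).

```python
import re

# Constructed for this example: the first update of each release line that
# carries the April 2022 CPU fixes, as reported in this thread.
# Keys are the major version; values compare as (major, minor, update).
FIXED_IN = {
    8: (8, 0, 332),    # 8u332
    11: (11, 0, 15),   # 11.0.15
    17: (17, 0, 3),    # 17.0.3
    18: (18, 0, 1),    # 18.0.1
}

# Constructed sample first lines of `java -version`, modelled on the ones
# posted in the thread (openjdk:8 and amazoncorretto:8) plus other lines.
SAMPLES = {
    "openjdk:8": 'openjdk version "1.8.0_322"',
    "amazoncorretto:8": 'openjdk version "1.8.0_332"',
    "openjdk:17 (pre-update)": 'openjdk version "17.0.2" 2022-01-18',
    "eclipse-temurin:17": 'openjdk version "17.0.3" 2022-04-19',
    "openjdk:11": 'openjdk version "11.0.15" 2022-04-19',
    "openjdk:19-ea": 'openjdk version "19-ea" 2022-09-20',
}


def parse_version(first_line):
    """Return (major, minor, update) from the first line of `java -version`.

    Handles the legacy scheme (1.8.0_322 -> (8, 0, 322)) and the newer
    scheme (17.0.3, 11.0.15+10, 18, 19-ea -> (17, 0, 3), (11, 0, 15), ...).
    Build numbers, '-ea' tags and a fourth component are ignored.
    """
    m = re.search(r'version "([^"]+)"', first_line)
    if not m:
        raise ValueError("no quoted version string in: %r" % first_line)
    v = m.group(1)

    legacy = re.fullmatch(r"1\.(\d+)\.(\d+)_(\d+)(?:-.*)?", v)
    if legacy:
        return tuple(int(x) for x in legacy.groups())

    modern = re.fullmatch(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:[.+-].*)?", v)
    if not modern:
        raise ValueError("unrecognised version string: %r" % v)
    major, minor, update = modern.groups()
    return (int(major), int(minor or 0), int(update or 0))


def is_patched(first_line):
    """True if the build is at or past the fixed update for its release line,
    False if it predates it, None if the release line is not in FIXED_IN."""
    version = parse_version(first_line)
    fixed = FIXED_IN.get(version[0])
    if fixed is None:
        return None
    return version >= fixed


def audit(samples):
    """Map each image name to 'patched', 'VULNERABLE' or 'unknown line'."""
    labels = {True: "patched", False: "VULNERABLE", None: "unknown line"}
    return {name: labels[is_patched(line)] for name, line in samples.items()}


if __name__ == "__main__":
    for name, status in audit(SAMPLES).items():
        print("%-26s %s" % (name, status))
```

To use it against a real image, feed it the first line of `docker run --rm IMAGE java -version 2>&1`; the table only says whether the build predates the fixed update, it does not replace reading the advisory for the release line you run.
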
nobletrout commented 2 years ago

looks like you guys need to adjust this version check to be 18 or something like that? https://github.com/docker-library/openjdk/blob/master/versions.sh#L148

tianon commented 2 years ago

> https://adoptium.net/ (which seems to be the successor for adoptopenjdk.net) now offers 17.0.3 for download.

We do not use builds from AdoptOpenJDK -- the builds we use just happen to be hosted on the AdoptOpenJDK website/GitHub:

https://github.com/docker-library/openjdk/blob/bd34cbc6b7f76f5988d6f08f81bf31d5d4925c94/11/jdk/bullseye/Dockerfile#L33-L38

See also https://github.com/AdoptOpenJDK/openjdk11-upstream-binaries/issues/23 and https://github.com/docker-library/openjdk/issues/485#issuecomment-1013318164.

tianon commented 2 years ago

At least it's communicated now? http://jdk.java.net/17/ :see_no_evil: :facepalm:

tianon commented 2 years ago

@GoeLin apologies for the ping :bow: :pray: It appears that you're the lead for the OpenJDK 17u project?

Do you happen to know if there are or will be "vanilla" builds of 17u hosted anywhere that we could consume here? (The alternative is that the openjdk image drops support for 17 entirely - not the end of the world given there are other options available, but also not super ideal. :sweat_smile:)

For context, we've been using https://github.com/AdoptOpenJDK/openjdk11-upstream-binaries and https://github.com/AdoptOpenJDK/openjdk8-upstream-binaries for 11u and 8u (respectively), and Oracle's now dropped their 17u builds from jdk.java.net because we've reached the end of the time period they're willing to provide those. :see_no_evil:

nobletrout commented 2 years ago

looks like 11.0.15 is available now, still waiting on 8u332 and 17.0.3

tianon commented 2 years ago

Re: 11.0.15, see https://github.com/docker-library/openjdk/commit/87352133c6e7e03310f992ca2827aa06df225f27 and https://github.com/docker-library/official-images/pull/12294

Edit: looking at https://github.com/AdoptOpenJDK/openjdk8-upstream-binaries/commit/5bdd5427099ae6ab659341ea9fed7ee68fef9af3, it appears 8u332 is in progress :crossed_fingers:

GoeLin commented 2 years ago

Hi @tianon, the OpenJDK project does not supply binaries, but you find builds at adoptium/temurin17-binaries: https://github.com/adoptium/temurin17-binaries/releases/tag/jdk-17.0.2%2B8

Also check this wiki page for info on the jdk17u project: https://wiki.openjdk.java.net/display/JDKUpdates/JDK+17u

Best regards, Goetz.

tianon commented 2 years ago

Thanks @GoeLin -- that's extremely helpful.

It's unfortunate, but that means we are dropping OpenJDK 17 from this project: https://github.com/docker-library/openjdk/pull/495

Users who need 17 should seek alternatives (and frankly already should've been on alternatives if they care about being well-supported), such as Eclipse Temurin, SapMachine, Amazon Corretto, etc.

tianon commented 2 years ago

I've also opened https://github.com/docker-library/docs/pull/2142 to hopefully make it significantly more clear what this image is (and thus what it is not).

GoeLin commented 2 years ago

Hi @tianon, the adoptium/temurin builds (or Eclipse Temurin) are the direct successors of the AdoptOpenJDK builds. The project is moving into Eclipse. So if you use those builds, there is no big change in "officiality" of the OpenJDK builds. I assume you need to do so for 11 at some point, too. Please contact Temurin people about this. Thanks, Goetz.

tianon commented 2 years ago

It's definitely been an unfortunate source of confusion that these builds are hosted by the AdoptOpenJDK project for us -- we use https://github.com/AdoptOpenJDK/openjdk8-upstream-binaries and https://github.com/AdoptOpenJDK/openjdk11-upstream-binaries which are "vanilla" OpenJDK builds created by Red Hat under Andrew Haley's direction (see also https://github.com/docker-library/openjdk/issues/485#issuecomment-1013318164 for a longer-form explanation). We have not been publishing Temurin as openjdk (the "Temurin" builds are published under eclipse-temurin instead).

tianon commented 2 years ago

Closing as this is now likely as "fixed" as it is going to be -- if your specific need is not resolved here, please look into the alternatives linked at the top of https://hub.docker.com/_/openjdk.