Closed (tianon closed this 2 years ago)
FYI to affected maintainers:
clojure: @Quantisan @cap10morgan
convertigo: @nicolas-albert @opicciotto
jetty: @gregw @lachlan-roberts @olamy @joakime
jruby: @jruby @headius @enebo
maven: @carlossg
tomcat: @tianon @yosifkit
tomee: @lordofthejars @otaviojava @jgallimore @scriptmonkey
I would also suggest taking a look at https://github.com/docker-library/docs/pull/2142 (which explains better why this isn't something we really can fix for this repository :disappointed:).
Thanks for the heads-up, @tianon! So it sounds like we downstream maintainers need to select one of the other images to base ours on? What a mess (looking at you, Oracle).
Thanks for creating this issue.
It will also help on our side when we eventually get the "what happened to openjdk-17 images?" questions. We can now point them here.
Ugh, ok. So it looks like we should be able to switch to coretto or temurin without any major impact. I expect there's going to be concerns from downstream users but I can point them back here.
To clarify... this only affects 17+ correct? It will be a much less risky change if I can leave 11 and 8 on openjdk images.
Just in time before our major release 👍 I switched the convertigo base to tomcat:9-jdk17-temurin. We already use Temurin for our Eclipse-based studio without issues. Thanks for the mention!
> To clarify... this only affects 17+ correct? It will be a much less risky change if I can leave 11 and 8 on openjdk images.
Yeah, that's correct - just the builds provided by Oracle (which is anything other than 8 and 11). However, as you might've seen with the vanilla builds of 8 and 11, they're not updated on an extreme priority (understandably, given they're vanilla builds provided with no expectation of support), so maybe just keep that in mind. :slightly_smiling_face:
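One check a downstream maintainer could run while working out which images need moving, added here as an example rather than code from this thread or the docker-library project: it scans a Dockerfile's FROM lines for the official openjdk image at any version other than 8 or 11, the scope given above. The sample Dockerfile is constructed.

```shell
# Added example, not from this thread or the docker-library tooling. Encodes the
# rule above: the official "openjdk" image is affected at every version except 8
# and 11 (the builds that are not provided by Oracle).

# openjdk_image_affected REF -> exit 0 if REF is an affected openjdk image, else 1
openjdk_image_affected() {
    name="${1##*/}"                 # drop registry/namespace, e.g. docker.io/library/
    case "$name" in
        openjdk|openjdk:*) ;;       # only the official openjdk image is in scope
        *) return 1 ;;
    esac
    tag="${name#openjdk}"; tag="${tag#:}"
    [ -n "$tag" ] || return 0       # untagged "openjdk" means :latest, a 17+ build
    major="${tag%%[!0-9]*}"         # leading digits: 8u312-jre -> 8, 17-slim -> 17
    case "$major" in
        8|11) return 1 ;;           # 8 and 11 stay on vanilla, non-Oracle builds
        *)    return 0 ;;           # 17, 18-slim, 19-ea, or non-numeric tags like "jdk"
    esac
}

# scan_dockerfile PATH -> prints "PATH:LINE: FROM ..." per affected base image;
# exits 0 when nothing is affected, 1 when at least one FROM line needs migrating
scan_dockerfile() {
    f="$1"; n=0; hits=0
    set -f                          # no globbing while we word-split lines
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        set -- $line
        [ "$#" -ge 2 ] || continue
        case "$1" in [Ff][Rr][Oo][Mm]) ;; *) continue ;; esac
        shift
        case "$1" in --platform=*) shift ;; esac   # skip a leading --platform option
        if openjdk_image_affected "$1"; then
            printf '%s:%d: %s\n' "$f" "$n" "$line"
            hits=$((hits + 1))
        fi
    done < "$f"
    set +f
    [ "$hits" -eq 0 ]
}

# Constructed sample Dockerfile (multi-stage, mixed versions) for a stand-alone run
sample=$(mktemp)
cat > "$sample" <<'EOF'
FROM openjdk:17-slim AS build
FROM --platform=linux/amd64 openjdk:11-jre-slim AS test11
FROM docker.io/library/openjdk:8u312-jre
FROM openjdk
FROM eclipse-temurin:17-jdk
EOF
scan_dockerfile "$sample" || echo "migrate the lines above to eclipse-temurin or amazoncorretto"
rm -f "$sample"
```

Run it once per Dockerfile in CI; a non-zero exit means at least one stage is still on an affected openjdk tag.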
@tianon Are these the security vulnerabilities in 17.0.2 that are motivating a quick push to 17.0.3?
@cap10morgan I'm not sure what you mean in this context :sweat_smile:
I do believe that 17.0.3 contains security updates, but this PR (and the openjdk official image) will not be receiving 17.0.3. :grimacing: :see_no_evil:
@tianon Yeah I get that openjdk won't get 17.0.3. But it seemed like there was some urgency to update to 17.0.3 (more than just the usual "oh there's a new patch release out"), so just wanted to clarify if this was the source of the urgency. But perhaps I misunderstood.
FYI to affected maintainers:
tomee
: @lordofthejars @otaviojava @jgallimore @scriptmonkey
Thank you for tagging us in this PR! It would seem that TomEE will be moving to Temurin.
@cap10morgan CVE-2022-21449 might be a good reason to make 17.0.3 available soon, but it's unclear to me if it affects only Oracle builds.
@syphr42 I don't think they affect only Oracle builds. It's just that Oracle is alone in not releasing a fixed version.
> @tianon Yeah I get that openjdk won't get 17.0.3. But it seemed like there was some urgency to update to 17.0.3 (more than just the usual "oh there's a new patch release out"), so just wanted to clarify if this was the source of the urgency. But perhaps I misunderstood.
Oh, it was the description of https://github.com/docker-library/openjdk/issues/493 that sent me down this "it's motivated by fixing some security vulns" rabbit hole. Sorry, should have commented over there. :)
> There no longer exist "official" (or even semi-official) vanilla builds of OpenJDK 17 suitable for our use or for publishing as "OpenJDK" (https://jdk.java.net/17/).
https://github.com/docker-library/openjdk/issues/493#issuecomment-1109591179