惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Security Archives - TechRepublic
Security Archives - TechRepublic
罗磊的独立博客
T
The Blog of Author Tim Ferriss
The GitHub Blog
The GitHub Blog
Apple Machine Learning Research
Apple Machine Learning Research
The Register - Security
The Register - Security
J
Java Code Geeks
V2EX - 技术
V2EX - 技术
Vercel News
Vercel News
N
News and Events Feed by Topic
腾讯CDC
P
Proofpoint News Feed
N
News | PayPal Newsroom
www.infosecurity-magazine.com
www.infosecurity-magazine.com
爱范儿
爱范儿
O
OpenAI News
酷 壳 – CoolShell
酷 壳 – CoolShell
月光博客
月光博客
Martin Fowler
Martin Fowler
Engineering at Meta
Engineering at Meta
D
Docker
Y
Y Combinator Blog
博客园 - 聂微东
G
Google Developers Blog
S
Security @ Cisco Blogs
Simon Willison's Weblog
Simon Willison's Weblog
S
Schneier on Security
H
Hackread – Cybersecurity News, Data Breaches, AI and More
S
SegmentFault 最新的问题
云风的 BLOG
云风的 BLOG
阮一峰的网络日志
阮一峰的网络日志
C
CXSECURITY Database RSS Feed - CXSecurity.com
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
C
CERT Recently Published Vulnerability Notes
I
Intezer
G
GRAHAM CLULEY
有赞技术团队
有赞技术团队
Attack and Defense Labs
Attack and Defense Labs
V
Visual Studio Blog
博客园 - Franky
博客园 - 三生石上(FineUI控件)
W
WeLiveSecurity
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Hugging Face - Blog
Hugging Face - Blog
Scott Helme
Scott Helme
T
Troy Hunt's Blog
Hacker News - Newest:
Hacker News - Newest: "LLM"
L
LINUX DO - 最新话题
C
Cybersecurity and Infrastructure Security Agency CISA

Adoptium Blog

Eclipse Temurin 8u492, 11.0.31, 17.0.19, 21.0.11, 25.0.3 and 26.0.1 Available Exploring Packaging Changes to Temurin JDK on AIX, Linux ppc64le and Linux s390x Eclipse Temurin 26 Available Celebrating Technical Achievements: 2025 Q4 Engineering milestones and community contributions Eclipse Temurin 8u482, 11.0.30, 17.0.18, 21.0.10 and 25.0.2 Available Adoptium's Plan to End Support for Solaris and Windows 32-bit Platforms Eclipse Temurin 8u472, 11.0.29, 17.0.17, 21.0.9 and 25.0.1 Available Eclipse Temurin 25 Available Eclipse Temurin JDK 24 enables JEP 493 Eclipse Temurin 8u462, 11.0.28, 17.0.16, 21.0.8 and 24.0.2 Available AQAvit in 2025 Eclipse Temurin 8u452, 11.0.27, 17.0.15, 21.0.7 and 24.0.1 Available Eclipse Temurin 24 Available Eclipse Temurin 8u442, 11.0.26, 17.0.14, 21.0.6 and 23.0.2 Available Eclipse Temurin 8u432, 11.0.25, 17.0.13, 21.0.5 and 23.0.1 Available Eclipse Temurin 23 Available Eclipse Temurin Reproducible Verification Builds for Secure Supply Chain Validation Eclipse Temurin 8u422, 11.0.24, 17.0.12, 21.0.4 and 22.0.2 Available Important Update: Removal of CentOS 7 Eclipse Temurin Images External audit of Temurin build and distribution processes The Scope of AQAvit Eclipse Temurin 8u412, 11.0.23, 17.0.11, 21.0.3 and 22.0.1 Available Eclipse Temurin 21 and 22 Available on RISC-V Eclipse Temurin 22 Available AQAvit Graduation Ceremony Tagged early access builds for all releases Eclipse Temurin 8u402, 11.0.22, 17.0.10 and 21.0.2 Available SLSA build level 3 compliance on Linux and macOS for Eclipse Temurin Eclipse Temurin 8u392, 11.0.21, 17.0.9 and 21.0.1 Available Reproducible Comparison Builds Eclipse Temurin 21 release delay Eclipse Temurin 11.0.20.1, 17.0.8.1 now available Early access builds for JDK21+ Eclipse Temurin 8u382, 11.0.20, 17.0.8 and 20.0.2 Available Peeling the Big Onion - Stripping out layers of indirection from test frameworks AdoptOpenJDK.jfrog.io has been deprecated! Adoptium Automated Deployment Of Nagios Eclipse Temurin 8u372, 11.0.19, 17.0.7 and 20.0.1 Available Adoptium Infrastructure Management With Nagios Eclipse Temurin 8u362, 11.0.18, 17.0.6 and 19.0.2 Available EMT4J – An Easier Upgrade for Java Applications Secure Software Development Framework (SSDF) at Adoptium SLSA level 2 compliance for Eclipse Temurin A month after EclipseCon - Adoptium Community day summary, and more. Adoptium Welcomes Rivos A Short Exploration of Java Class Pre-Initialization Adoptium Welcomes Google Eclipse Temurin 19 Available Availability of JDK 8u352-b05 Early Access Build Eclipse Temurin 8u342, 11.0.16, 17.0.4 and 18.0.2 Available Verifying GPG signatures for Temurin downloads Reproducible Builds at Eclipse Adoptium Eclipse Temurin Linux (RPM/DEB) installer packages Eclipse Temurin JREs are back! Eclipse Temurin 8u312, 11.0.13, and 17.0.1 Available Creating your own runtime using jlink Eclipse Temurin 17 Available Using Jlink in Dockerfiles instead of a JRE Adoptium Celebrates First Release Adoptium to Promote Broad Range of Compatible OpenJDK Builds Eclipse Adoptium Welcomes You
A Summary of the July 2022 Retrospectives
Shelley Lambert · 2022-08-24 · via Adoptium Blog

Introduction

As most of our large consumer base already knows, Eclipse Adoptium is the community 'build, distribution and verification' project for the upstream OpenJDK project. We serve up millions of binaries per week, as can be seen in the download trends in our dashboard. We deliver these binaries in the most transparent manner. There is no 'mystery meat' in our recipe. In the spirit of such great transparency, this post serves to share our insights of the post mortem analysis of our most recent release activities.

We follow a strict regime of continuous improvement at the project, which means after each of our release cycles, conducting thorough retrospectives on what went well, what did not go well, and what actions are needed to improve in the future.

Goals and Metrics

All good retrospective activities start with "what were we trying to achieve"? During the July Critical Patch Update (CPU), we were targeting to deliver 42 different 'products', which is essentially the platform/version combinations of Eclipse Temurin that we build, test and distribute at the project.

Based on download numbers, we have divided these products into 'primary' and 'secondary' platforms. We focus our efforts on the primary platforms first to get these into the hands of our users as quickly as possible. Currently, x64 Linux, x64 Windows and x64 Mac are the leading downloaded platforms, so they are categorized as 'primary' platforms. The remaining platforms are categorized as 'secondary' platforms. Within the secondary platforms, some may even be considered 'best effort' platforms which as the name suggests are put at the bottom of the priority list.

To keep our goals simple, we aim to release the primary platforms within 2 days of the final OpenJDK source code being available. For secondary platforms, our target is to release within 7 days of the source code availability. These are summarized in a release status issue to communicate on-going status to the community. The July release activities were tracked in adoptium/issues/153.

For the original GA tags for July, you can find our 'scorecard' on how we did. 64.3% were released within the targeted timeframes, 37.7% were not released within targets. Of the ones that were not released within targets, 7 of them missed the targets by more than 5 days, which I will retrospectively refer to as "the Sickest Seven". For a detailed breakdown of these targets per platform and version, see adoptium/issues/157.

The Sickest Seven

As issue 157 describes, 7 of the 42 products released badly missed the target goals (by 5 or more days).

Let's look at the Sickest Seven, and determine next actions for improvement. From the initial July release activity, the Sickest Seven (7 products that took more than 5 business days over the 2 or 7 day target to publish), plus the two outliers from the respins:

PlatformVersionDays over TargetUnderlying Reasons / NotesActions to Improve
x64 MacJDK 814Owners need to treat as urgent, onboarding difficulties, slow connectivityClarify requirements with owners and improve access to TCK machines
x64 MacJDK 1827Owners need to treat as urgent, onboarding difficulties, slow connectivityClarify requirements with owners and improved access to TCK machines
aarch64 MacJDK 176Bottlenecked on having only 1 machine for TCK2nd machine now added to temurin-compliance project
aarch64 MacJDK 116Bottlenecked on having only 1 machine for TCK2nd machine now added to temurin-compliance project
arm32 LinuxJDK 811Unclear, possibly slow to add an owner to it, also short-handed, team vacationsClose follow-up to ensure ownership early
x86 SolarisJDK 810Delayed on packaging issueIssue now fixed, temurin-build/3061
sparcv9 SolarisJDK 820Considered a best effort platform with limited resources, team would/should prioritize this lastNo specific action here, no respins would mean these lower priority platforms get released quicker, if the community wants this platform sooner, they will be encouraged to contribute resources

What is encouraging about this list is that most of these issues have actionable responses, many of them completed during the release, as evident in our improved times for the respins.

New Features Need New Tests

A project that is changing, is a project that is going to occasionally break. This is will always be the case, but how do we pro-actively protect ourselves in the tug-of-war between adding new features and remaining stable and secure? The answer is of course 'testing'. While we have an ever-evolving suite of tests for verifying the OpenJDK binaries we produce via the AQAvit project, we additionally need to be better at adding tests to verify the changes we are making to our own build and distribution scripts.

Several changes went in ahead of the July CPU that introduced delays during the release. 2 of the changes are enhancements as part of our Secure Software Development Framework (SSDF) activities, GPG signing and the addition of SBOM artifacts. These features introduce new artifacts that can be downloaded alongside of the JDK binaries.

During the release, there were some initial missteps when not all of the new artifacts were published. While this was easily rectified, it prompted the team to add checks for ensuring we are publishing the expected set of artifacts.

A Windows compiler upgrade was also attempted prior to the release, there were unwanted side-effects, in this case a missing runtime library. These went unnoticed because we had no tests for verifying the full set to be produced, and other testing did not spot the missing libraries either, because our test machines have the compiler installed in order to compile native test material. The immediate action was to revert the change, until the core issue is addressed. To future-proof against similar problems, we will be adding smoke tests to be run in a stripped down environment.

Respins

We have covered the issues introduced in our repositories that caused minor delays, now let's look at changes in the upstream OpenJDK repositories that resulted in the need to respin every JDK version of this release, a costly activity.

Let's look at the last 2 years and the set of unique issues identifying the need for OpenJDK to respin in the table below.

Patch Release timeProblem DescriptionSymptom / Problem typeAffected release(s)Fixed release(s)Root causeIntroduced by CVE fixFirst ChanceWhen FoundSuggested action
August 2022JDK-8290832: It is no longer possible to change "user.dir" in the JDK8Crash8u3428u345JDK-8194154NoEarly access builds testingDeployment/Field/Product integrationRun gradle application build to exercise the code path
August 2022JDK-8291665: C2: assert compiling SSLEngineInputRecord::decodeInputRecordCrash/OOM11.0.16, 17.0.4, 18.0.211.0.16.1, 17.0.4.1, 18.0.2.1JDK-8279219NoEarly access builds testingDeployment/Field/Product integrationRun wildfly deployment with TLS endpoint? / Load testing
February 2022JDK-8218546: Unable to connect to https://google.com using java.net.HttpClientJDK-8280695 / Functional issue11.0.1411.0.14.1JDK-8213189NoEarly access builds testingDeployment/Field/Product integration---
November 2020JDK-8250861: Potential JVM crashUnclear8u272, 11.0.98u275, 11.0.9.1UnknownYesRegression testing on Spark?Deployment/Field/Product integration testingAdding regression testing on Spark??
August 2020JDK-8249677: Regression in ForkJoinPool behaviorACC Exception / Functional issue8u2628u265JDK-8237117YesCode reviewDeployment/Field/Product integrationRun lucene-solr 8.2.0 application which seemed to have discovered this issue

For the JDK 8u345 respin, the issue described in JDK-8290832 points to its root cause JDK-8194154, which describes the crash that would occur when changing the "user.dir" property. While changing user.dir is discouraged, some applications still do it, notably Gradle. This is an interesting dilemma, where the feature is highly discouraged, but still possible, and therefore it is used in the field by some number of applications.

For the JDK 11.0.16.1, JDK 17.0.4.1 and JDK 18.0.2.1 respins, these could have potentially been found within the AQAvit testing if we had the Wildfly testing enabled. This highlights the fact that we need to be testing with a broad set of external applications, especially ones that are used widely. We are actively incorporating a set of tests in the AQAvit suite for this purpose in our external test category, but need to progress this work.

For the 2 of the 5 that were introduced by CVE patches, it would be good to understand what level of testing the OpenJDK Vulnerability Group (OJVG) does with these CVE patches ahead of releasing them into the OpenJDK codebase, and assess what needs to be changed in order to identify these issues before delivery to avoid the churn of a respin.

Since our Eclipse Foundation project is not a member of the OJVG, we do not have access to these patches ahead of the final code being available. As such, it was less likely that we would have been able to catch these failures, as we did not have weeks to soak these changes and see the intermittent issues. The first time we have a chance to build and test with these CVE patches is the day the final code is made available, which is Day 1 of our release period.

On Day 1 of our release period, we run 9 required top-level targets for AQAvit verification. For JDK-8249677, if we add our extended.external test target as a 10th required target, we may not have seen it, as the lucene-solr application tag is at releases/lucene-solr/8.11.1 and the issue was reported on 8.2.0. This is yet a third case where our external test group may be of great value once we graduate it into the set of required AQAvit test targets (note to self: time to push this activity up the priority list).

In any event, in order for us to have access to these patches earlier we would need to join the OJVG. While there has been an effort for Eclipse Foundation to join the OJVG, Oracle has denied the request. From the Adoptium Steering Committee Minutes 2022-August-25, Oracle have indicated that a reason for declining is that there is a perceived lack of contributions to OpenJDK from members of the Adoptium community.

Side note, in the August 25th Steering Committee meeting, it was pointed out that there is a list of contributions including those related to reproducible builds in the reproducible builds blog post. One could argue that the OJVG would benefit from having Eclipse Adoptium as an additional member that could assist in testing these patches more heavily and across a very broad range of platforms to boot.

In absence of membership, we will have to look at soak testing our release builds a bit longer, balancing the benefits against the increased time it would take us to release products.

Positive Takeaways

While most of this blog post has been spent analyzing what could be improved, it is important to remember that many things went well and how we have continuously improved our deliveries. This past release is no exception. Even during this release, we were able to improve the speed with which we delivered the respun products for late changes in OpenJDK.

Release activity% tarballs published within target
Initial July release64.3%
JDK 8u345 respin63.6%
JDK 11.0.16.1+1 respin90.9%
JDK 17.0.4.1+1 respin72.7%
JDK 18.0.2.1+1 respin100%

We have continued to improve the way we communicate the progress of the release to the community, and the automation related to all of the steps required to deliver the Eclipse Temurin builds. Let's celebrate these good things. I look forward to further refinements outlined in adoptium/issues/155 and invite any and all to participate at the project to help develop and deliver them. One additional plug for support, if you want to help but have no spare time for project work, you can also directly sponsor the project. We typically focus these funds to help ensure we have sufficient machine resources to reduce bottlenecks in our pipelines.