Posted Feb 14, 2013 15:20 UTC (Thu) by gnu_andrew (subscriber, #49515)
Parent article: Recent Java vulnerabilities
"bug fixes do not automatically propagate from one to the other (in either direction), since they are developed independently"
Sorry, but the latter does not follow from the former. Yes, the patches don't propagate automatically between different repositories, but that's true for most FOSS projects with multiple branches. It doesn't follow that they are "developed independently". I even explicitly stated in an e-mail response to you that the same patches were applied to the Oracle JDK and OpenJDK, albeit a week apart.
I think you may be confusing the reference implementation (which is represented by http://hg.openjdk.java.net/jdk7/jdk7 and never changes, not even for security updates; it's a reference for TCK testing but not meant for actual use) with OpenJDK, the 7 updates tree of which is http://hg.openjdk.java.net/jdk7u/jdk7u/ and in active use.
There are some proprietary parts of Oracle's JDK, such as the web plugin, JavaFX and various graphics components, which mean they also have their own security issues. However, the vast majority of the code is shared, as far as I'm aware.
If you're going to ask such questions on a public mailing list (and the Fedora java list is an odd choice, over any of the OpenJDK mailing lists) then it would be courteous if you would be upfront about what you intend to then do with the information.
Posted Feb 14, 2013 15:44 UTC (Thu) by jake (editor, #205)
> "bug fixes do not automatically propagate from one to the other
> (in either direction), since they are developed independently"
Is it possible that "they" is not completely clear here? When editing, I thought it meant the two projects (Java SE and OpenJDK) were developed independently. But, you seem to be reading it that the *bug fixes* were developed independently. Is that right? Certainly, we could clarify "they" here ...
> I even
> explicitly stated in an e-mail response to you that the same patches
> were applied to the Oracle JDK and OpenJDK, albeit a week apart.
The next sentence:
> That said, one week after Oracle released its fixes to Java, OpenJDK 7 was updated to reflect all of the fixes.
seems to say that. Is that not making sense or incorrect somehow?
thanks,
jake
Posted Feb 18, 2013 17:35 UTC (Mon) by gnu_andrew (subscriber, #49515)
I think I was reading it as the specific bug fixes, but either way, it's false. To the best of my knowledge (obviously limited by Oracle's JDK being proprietary), Oracle's JDK is a downstream of OpenJDK, just as IcedTea is (the variant the distros package). The same bug fixes were used by Oracle, passed onto Red Hat for inclusion in their RPMs and posted to OpenJDK as far as I'm aware (and withstanding any mistakes made in the process).
You can actually see how Oracle use OpenJDK by looking at the codebase. The makefiles refer to directory paths including the word 'closed' which are used by Oracle on non-OpenJDK builds to include their proprietary add-ons.
The second sentence seems to contradict the one before, at least in my reading, but you're right that what I said is mentioned; my apologies.
I think the main general takeaway point is not about process or even Java, but that users should avoid having browser plugins enabled that they don't need (and browsers should allow their use to be whitelisted to specific sites). This would reduce the risk of the issues described