[OT] Oracle Java 11 discussion?
Berneburg, Cris J. - US
2018-10-15 17:53:21 UTC
Hi Folks

What has anyone been thinking about the upcoming Oracle Java 11 release / support stuff? Frankly, I'm confused by it all and am still trying to wrap my brain around it. I have concerns about the potential implications for my little project, and also wonder about Tomcat at large.

No JRE - huh? How do we run Java apps w/o a Java runtime? Wouldn't installing a JDK in production be kind of a security issue? I can imagine security departments not being thrilled about that. Does Tomcat support being run on an OpenJRE?

Are there any implications for Tomcat?

I am imagining spending all my time being taken up by Java upgrades with subsequent builds, regression testing, red tape, and deployments, without delivering any actual new value to our customer. :-\

--
Cris Berneburg
CACI Lead Software Engineer


---------------------------------------------------------------------
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org
Tony Esposito
2018-10-15 18:03:41 UTC
Hi Cris,
For what it's worth, I am not a big fan of these frequent releases of Java by Oracle. One can barely get one's head around Java version 'X' then Java version 'Y' is out...

Tony


Mark Thomas
2018-10-15 18:37:17 UTC
Post by Berneburg, Cris J. - US
Hi Folks
What has anyone been thinking about the upcoming Oracle Java 11 release / support stuff? Frankly, I'm confused by it all and am still trying to wrap my brain around it. I have concerns about the potential implications for my little project, and also wonder about Tomcat at large.
No JRE - huh? How do we run Java apps w/o a Java runtime? Wouldn't installing a JDK in production be kind of a security issue? I can imagine security departments not being thrilled about that. Does Tomcat support being run on an OpenJRE?
The argument for a JRE vs a JDK is that the JDK includes a compiler. The
only reason Tomcat can run on a JRE and still support JSPs (which
require compilation) is that Tomcat includes a Java compiler. I don't
think the security argument holds much water.

OpenJDK is very close to the Oracle JDK these days. I regularly run
Tomcat's unit tests with the latest OpenJDK and have yet to find an
issue that is OpenJDK specific.

Tomcat runs happily (and is supported) on a JRE.

If the JRE has passed the Java TCK then Tomcat should run on it. I don't
think there is an official Tomcat position but my expectation is if a
Tomcat bug (as opposed to a Java bug) appears when running on any Java
implementation that has passed the TCK then the Tomcat team would treat
that as a Tomcat bug and fix it. The caveat is that any such fix is a
lot easier if we have access to that particular version of Java and a
platform to run it on.
Post by Berneburg, Cris J. - US
Are there any implications for Tomcat?
Not directly. Jakarta EE will need to make a decision about minimum Java
versions and the like for the next round of spec updates. I expect
they'll settle on Java 11 but that discussion hasn't really started yet.

I'd be more concerned that Oracle are starting to charge for production
usage. That alone would be enough for me to switch to OpenJDK.

I haven't yet got around to installing a Java 11 GA release. I'm still
using one of the final EA releases. I'm currently intending to only
install OpenJDK for Java 11 onwards. I'm not expecting this to cause me
any issues.
Post by Berneburg, Cris J. - US
I am imagining spending all my time being taken up by Java upgrades with subsequent builds, regression testing, red tape, and deployments, without delivering any actual new value to our customer. :-\
I'd plan to stick to the LTS releases.

Mark

Johan Compagner
2018-10-15 21:04:29 UTC
Post by Mark Thomas
I'd be more concerned that Oracle are starting to charge for production
usage. That alone would be enough for me to switch to OpenJDK.
Isn't that already the case?

You can't download any installer of Java 11 from Oracle that can be used in
production, only for development and demos

There is no JRE at all any more, also from OpenJDK

And OpenJDK doesn't have an installer at all, so it is all up to the
package managers to get it (rpm/yum) so good luck on Windows with that....
(There is really just unzipping and setting paths yourself)

Java on the desktop is really dead now (and we have quite a few customers
using that through webstart)

Johan
Christopher Schultz
2018-10-18 15:24:34 UTC
Johan,
Post by Johan Compagner
Post by Mark Thomas
I'd be more concerned that Oracle are starting to charge for
production usage. That alone would be enough for me to switch to
OpenJDK.
Isn't that already the case?
Umm... yes.
Post by Johan Compagner
You can't download any installer of java 11 from Oracle that can be
used in production, only for development and demos
Sure you can. You just have to pay them.
Post by Johan Compagner
There is no JRE at all any more, also from OpenJDK
There is little difference between a JRE and a JDK. One just comes
with a compiler.
Post by Johan Compagner
And OpenJDK doesn't have an installer at all, so it is all up to
the package managers to get it (rpm/yum) so good luck on Windows
with that.... (There is really just unzipping and setting paths
yourself)
I've never installed Java any other way, so that's not really an issue
for me. Only recently have package-managers bothered to support
versions that are not insanely old. Now that I'll be switching to
OpenJDK, using a package-manager is going to look more attractive to me.
Post by Johan Compagner
Java on the desktop is really dead now (and we have quite a few
customers using that through webstart)
Webstart is also dead. But let's be honest, Java on the desktop was
never really alive in the first place. The only tools I can think of
written in Java are mostly for developers. Yeah, there are a few
specialty things but mostly they come with their own JVMs, now (e.g.
Eclipse... which is also a developer tool). It's a huge waste of a
download, but what are you gonna do?

-chris
Johan Compagner
2018-10-18 16:20:25 UTC
Post by Christopher Schultz
Post by Johan Compagner
There is no JRE at all any more, also from OpenJDK
There is little difference between a JRE and a JDK. One just comes
with a compiler.
Not really,
until Java 10 we also had desktop integration

like java -jar assignments and jnlp association for starting a webstart
application

so for Windows it really integrated also into the registry.

but that's pretty much all gone now, maybe if you pay Oracle?
Post by Christopher Schultz
Post by Johan Compagner
Java on the desktop is really dead now (and we have quite a few
customers using that through webstart)
Webstart is also dead. But let's be honest, Java on the desktop was
never really alive in the first place.
Not for us!
we have a lot of customers that all use our webstart client to run their
own created applications in it.

Those users are end users like CRM systems and so on. Not developers

Besides that also a lot of companies have, I think, in-house stuff that runs
like that.

Yes applets are dead for a long time, but Webstart applications are fine
and are a good way to get desktop applications that are auto updateable
But that's pretty much killed now
The weird thing is people say now use jlink that is the replacement for
it.. Huh?? what??
Igal Sapir
2018-10-15 22:01:02 UTC
Post by Mark Thomas
Post by Berneburg, Cris J. - US
Hi Folks
What has anyone been thinking about the upcoming Oracle Java 11 release / support stuff? Frankly, I'm confused by it all and am still trying to wrap my brain around it. I have concerns about the potential implications for my little project, and also wonder about Tomcat at large.
No JRE - huh? How do we run Java apps w/o a Java runtime? Wouldn't installing a JDK in production be kind of a security issue? I can imagine security departments not being thrilled about that. Does Tomcat support being run on an OpenJRE?
The argument for a JRE vs a JDK is that the JDK includes a compiler. The
only reason Tomcat can run on a JRE and still support JSPs (which
require compilation) is that Tomcat includes a Java compiler. I don't
think the security argument holds much water.
OpenJDK is very close to the Oracle JDK these days. I regularly run
Tomcat's unit tests with the latest OpenJDK and have yet to find an
issue that is OpenJDK specific.
I asked Gil Tene about this a couple of weeks ago.  Gil is a co-founder
of Azul Systems, an OpenJDK committer, and on the Executive Committee of
the JCP.  My understanding from him is that there is no JDK development
outside of the OpenJDK.  The Oracle developers that work on the JDK
commit directly to OpenJDK.  Oracle might add some other things when
they package their edition of the JDK for distribution, but the JDK
itself is the same one from OpenJDK.

The main problem with the rapid release cycle and six month support is
that due to late adoption, many of the bugs in a given Java release are
only discovered after more than six months of the release date.  That
means that the free support will end while bugs and vulnerabilities are
being discovered, forcing many organizations to pay for support.

Azul Systems provide their own packaging of the OpenJDK, under the name
Azul Zulu [1].  They offer a longer support than the Oracle one, and add
a Medium Term Support period.  I've been planning to test it out but
haven't gotten a chance to do so yet.
Post by Mark Thomas
Tomcat runs happily (and is supported) on a JRE.
If the JRE has passed the Java TCK then Tomcat should run on it. I don't
think there is an official Tomcat position but my expectation is if a
Tomcat bug (as opposed to a Java bug) appears when running on any Java
implementation that has passed the TCK then the Tomcat team would treat
that as a Tomcat bug and fix it. The caveat is that any such fix is a
lot easier if we have access to that particular version of Java and a
platform to run it on.
Post by Berneburg, Cris J. - US
Are there any implications for Tomcat?
Not directly. Jakarta EE will need to make a decision about minimum Java
versions and the like for the next round of spec updates. I expect
they'll settle on Java 11 but that discussion hasn't really started yet.
I'd be more concerned that Oracle are starting to charge for production
usage. That alone would be enough for me to switch to OpenJDK.
I haven't yet got around to installing a Java 11 GA release. I'm still
using one of the final EA releases. I'm currently intending to only
install OpenJDK for Java 11 onwards. I'm not expecting this to cause me
any issues.
+1
Post by Mark Thomas
Post by Berneburg, Cris J. - US
I am imagining spending all my time being taken up by Java upgrades with subsequent builds, regression testing, red tape, and deployments, without delivering any actual new value to our customer. :-\
I'd plan to stick to the LTS releases.
+1

Igal

[1] https://www.azul.com/downloads/zulu/


Berneburg, Cris J. - US
2018-10-17 16:43:49 UTC
Thanks Igal

mt> OpenJDK is very close to the Oracle JDK these days. I regularly run
mt> Tomcat's unit tests with the latest OpenJDK and have yet to find an
mt> issue that is OpenJDK specific.

is> I asked Gil Tene about this a couple of weeks ago. Gil is a co-
is> founder of Azul Systems, an OpenJDK committer, and on the Executive
is> Committee of the JCP. My understanding from him is that there is no
is> JDK development outside of the OpenJDK. The Oracle developers that
is> work on the JDK commit directly to OpenJDK. Oracle might add some
is> other things when they package their edition of the JDK for
is> distribution, but the JDK itself is the same one from OpenJDK.

Good to know.

is> The main problem with the rapid release cycle and six month support
is> is that due to late adoption, many of the bugs in a given Java
is> release are only discovered after more than six months of the release
is> date. That means that the free support will end while bugs and
is> vulnerabilities are being discovered, forcing many organizations to
is> pay for support.

Or frequent Java installations.

RAMBLE: Too bad there can't be an Apache OpenJRE umbrella project, with specific Apache OpenJRE [version X] sub-projects, that maintain JRE [version X]'s indefinitely. One source (Apache) for all the different JRE's for the Java community at large, rather than depending on a bunch of different companies. The OpenJRE source code could pull from the OpenJDK repository. A potential issue could be back-porting bug fixes from later versions into earlier ones when the source code base has shifted drastically, making merges difficult.
--
Cris Berneburg
CACI Lead Software Engineer

Christopher Schultz
2018-10-18 15:29:05 UTC
Cris,
Post by Berneburg, Cris J. - US
Thanks Igal
mt> OpenJDK is very close to the Oracle JDK these days. I regularly run
mt> Tomcat's unit tests with the latest OpenJDK and have yet to find an
mt> issue that is OpenJDK specific.
is> I asked Gil Tene about this a couple of weeks ago. Gil is a co-founder
is> of Azul Systems, an OpenJDK committer, and on the Executive
is> Committee of the JCP. My understanding from him is that there is no
is> JDK development outside of the OpenJDK. The Oracle developers that
is> work on the JDK commit directly to OpenJDK. Oracle might add some
is> other things when they package their edition of the JDK for
is> distribution, but the JDK itself is the same one from OpenJDK.
Good to know.
is> The main problem with the rapid release cycle and six month support
is> is that due to late adoption, many of the bugs in a given Java
is> release are only discovered after more than six months of the release
is> date. That means that the free support will end while bugs and
is> vulnerabilities are being discovered, forcing many organizations to
is> pay for support.
Or frequent Java installations.
RAMBLE: Too bad there can't be an Apache OpenJRE umbrella project,
with specific Apache OpenJRE [version X] sub-projects, that
maintain JRE [version X]'s indefinitely. One source (Apache) for
all the different JRE's for the Java community at large, rather
than depending on a bunch of different companies. The OpenJRE
source code could pull from the OpenJDK repository. A potential
issue could be back-porting bug fixes from later versions into
earlier ones when the source code base has shifted drastically,
making merges difficult.
I know it's not exactly what you meant, but...

http://harmony.apache.org/

You could always resurrect that project :)

-chris
Berneburg, Cris J. - US
2018-10-19 13:54:14 UTC
Hey Chris

cjb> RAMBLE: Too bad there can't be an Apache OpenJRE umbrella project,
cjb> with specific Apache OpenJRE [version X] sub-projects, that maintain
cjb> JRE [version X]'s indefinitely. One source (Apache) for all the
cjb> different JRE's for the Java community at large, rather than depending
cjb> on a bunch of different companies.

cs> I know it's not exactly what you meant, but...
cs> http://harmony.apache.org/
cs> You could always resurrect that project :)

Actually, that does sound like what I was thinking. However, Harmony being dead since 2011 means that there hasn't been much demand for it. I wonder if Oracle's new policies for Java 11 will foster a resurgence of interest in keeping older Java versions alive, or perhaps one version in particular...

"Java 8 Forever!" I dunno, it kinda has the same ring to it as "Windows XP Forever!"
--
Cris Berneburg
CACI Lead Software Engineer


Berneburg, Cris J. - US
2018-10-17 16:28:49 UTC
Thanks Mark

mt> The argument for a JRE vs a JDK is that the JDK includes
mt> a compiler. The only reason Tomcat can run on a JRE and
mt> still support JSPs (which require compilation) is that
mt> Tomcat includes a Java compiler. I don't think the
mt> security argument holds much water.

I had not thought of that, and you're right (literally technically speaking).

RAMBLE: However, if I try to look at it from a point of view of a large bureaucracy, of which I am largely ignorant, I would not be surprised if there is a policy against dev kits and IDE's on production servers for security sake. Tomcat (whisper: with built-in compiler) is approved, but is the JDK allowed? Guess I can ask. Yeah, it's potentially a "distinction without a difference". Well, unless there are other tools in the JDK that can pose security risks in addition to the Java compiler.

mt> OpenJDK is very close to the Oracle JDK these days. I
mt> regularly run Tomcat's unit tests with the latest OpenJDK
mt> and have yet to find an issue that is OpenJDK specific.
mt>
mt> Tomcat runs happily (and is supported) on a JRE.
mt>
mt> If the JRE has passed the Java TCK then Tomcat should run
mt> on it. I don't think there is an official Tomcat position
mt> but my expectation is if a Tomcat bug (as opposed to a
mt> Java bug) appears when running on any Java implementation
mt> that has passed the TCK then the Tomcat team would treat
mt> that as a Tomcat bug and fix it.

All good to know.

cjb> I am imagining spending all my time being taken up by
cjb> Java upgrades with subsequent builds, regression testing,
cjb> red tape, and deployments

mt> I'd plan to stick to the LTS releases.

Meh, not my call. Whatever the Powers That Be decide for the production environment, I'll probably match that in dev. If they decide LT$ is the way to go, using the JDK will cost nothing for my dev environment anyway. But if OpenJDK and frequent updates are selected ... phooey.
--
Cris Berneburg
CACI Lead Software Engineer


Igal Sapir
2018-10-17 17:23:37 UTC
Cris,
Post by Berneburg, Cris J. - US
Thanks Mark
mt> The argument for a JRE vs a JDK is that the JDK includes
mt> a compiler. The only reason Tomcat can run on a JRE and
mt> still support JSPs (which require compilation) is that
mt> Tomcat includes a Java compiler. I don't think the
mt> security argument holds much water.
I had not thought of that, and you're right (literally technically speaking).
RAMBLE: However, if I try to look at it from a point of view of a large
bureaucracy, of which I am largely ignorant, I would not be surprised if
there is a policy against dev kits and IDE's on production servers for
security sake. Tomcat (whisper: with built-in compiler) is approved, but
is the JDK allowed? Guess I can ask. Yeah, it's potentially a
"distinction without a difference". Well, unless there are other tools in
the JDK that can pose security risks in addition to the Java compiler.
As Mark pointed out Jasper compiles JSP into Java bytecode and it has been
like that for years. Every other popular web technology works in a similar
way, be it ASP.NET, PHP, NodeJS, etc. so I really don't think that that's
an issue.

There is only a security vulnerability if a bad actor can inject code, or
upload malicious source code that will be compiled by your application, but
again, that has been the case since the beginning so deploying over JDK
doesn't change that.

I'm sure that there is a way to build OpenJDK without the javac component,
or at least it can be achieved with minor changes if needed.

Igal

p.s. So happy to see that you finally moved from Tomcat 6 to 8.5. Perhaps
you can share that experience in a separate thread and let others know if
you ran into any major problems during that process.
Post by Berneburg, Cris J. - US
mt> OpenJDK is very close to the Oracle JDK these days. I
mt> regularly run Tomcat's unit tests with the latest OpenJDK
mt> and have yet to find an issue that is OpenJDK specific.
mt>
mt> Tomcat runs happily (and is supported) on a JRE.
mt>
mt> If the JRE has passed the Java TCK then Tomcat should run
mt> on it. I don't think there is an official Tomcat position
mt> but my expectation is if a Tomcat bug (as opposed to a
mt> Java bug) appears when running on any Java implementation
mt> that has passed the TCK then the Tomcat team would treat
mt> that as a Tomcat bug and fix it.
All good to know.
cjb> I am imagining spending all my time being taken up by
cjb> Java upgrades with subsequent builds, regression testing,
cjb> red tape, and deployments
mt> I'd plan to stick to the LTS releases.
Meh, not my call. Whatever the Powers That Be decide for the production
environment, I'll probably match that in dev. If they decide LT$ is the
way to go, using the JDK will cost nothing for my dev environment anyway.
But if OpenJDK and frequent updates are selected ... phooey.
--
Cris Berneburg
CACI Lead Software Engineer
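Mark's point that a JRE and a JDK differ by the compiler, and Igal's that Tomcat's Jasper compiles JSPs itself, can be checked on a host with a few lines of shell. This is an added example, not code from the thread or from Tomcat; it assumes `JAVA_HOME/bin/javac` marks a JDK, that Tomcat's bundled Eclipse compiler lives in `CATALINA_HOME/lib/ecj-*.jar`, and the fixture directories it builds are constructed.

```shell
#!/bin/sh
# Added audit helper (not from the thread): tests the "no compilers on
# production servers" rule against the fact that Tomcat ships its own Java
# compiler (lib/ecj-*.jar) so it can compile JSPs on a JRE without javac.
# Assumptions: JAVA_HOME/bin/javac marks a JDK; CATALINA_HOME/lib holds the
# Tomcat jars. Usage: sh jdk_audit.sh JAVA_HOME CATALINA_HOME

# classify_java JAVA_HOME -> prints "jdk" when a javac binary is present,
# otherwise "jre". That binary is the only difference the policy looks at.
classify_java() {
  if [ -x "$1/bin/javac" ]; then
    echo jdk
  else
    echo jre
  fi
}

# tomcat_bundled_compiler CATALINA_HOME -> prints the path of the Eclipse
# compiler jar Tomcat bundles; prints nothing and returns 1 when none exists.
tomcat_bundled_compiler() {
  set -- "$1"/lib/ecj-*.jar     # unmatched glob stays literal, so -e fails
  if [ -e "$1" ]; then
    printf '%s\n' "$1"
    return 0
  fi
  return 1
}

# compiler_reachable JAVA_HOME CATALINA_HOME -> "yes" if either the JDK's
# javac or Tomcat's own compiler can turn Java source into bytecode here.
compiler_reachable() {
  if [ "$(classify_java "$1")" = jdk ]; then
    echo yes
  elif tomcat_bundled_compiler "$2" >/dev/null; then
    echo yes
  else
    echo no
  fi
}

# audit JAVA_HOME CATALINA_HOME -> one-line verdict; returns 1 when the
# runtime is a JRE yet a compiler is still reachable (the policy's blind spot).
audit() {
  kind=$(classify_java "$1")
  ecj=$(tomcat_bundled_compiler "$2" || echo none)
  reach=$(compiler_reachable "$1" "$2")
  echo "runtime=$kind tomcat_compiler=$ecj compiler_reachable=$reach"
  if [ "$kind" = jre ] && [ "$reach" = yes ]; then
    return 1
  fi
  return 0
}

# make_fixture KIND -> builds a constructed JAVA_HOME/CATALINA_HOME pair under
# a temp dir and prints that dir. KIND is "jre" or "jdk".
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/java/bin" "$d/tomcat/lib"
  if [ "$1" = jdk ]; then
    : > "$d/java/bin/javac"
    chmod +x "$d/java/bin/javac"
  fi
  : > "$d/tomcat/lib/ecj-4.6.3.jar"   # constructed; the version is illustrative
  echo "$d"
}

# Stand-alone demo: with no arguments, audit a constructed JRE + Tomcat tree.
if [ "$#" -eq 2 ]; then
  audit "$1" "$2"
else
  f=$(make_fixture jre)
  audit "$f/java" "$f/tomcat" || echo "policy gap: JRE, but Tomcat can still compile"
  rm -rf "$f"
fi
```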
Berneburg, Cris J. - US
2018-10-19 13:39:26 UTC
Thanks Igal

is> p.s. So happy to see that you finally moved from Tomcat 6 to 8.5.
is> Perhaps you can share that experience in a separate thread and let
is> others know if you ran into any major problems during that process.

Will do. So far we've only run into 3 minor issues.
--
Cris Berneburg
CACI Lead Software Engineer

Johan Compagner
2018-10-17 17:54:01 UTC
On Wed, 17 Oct 2018 at 18:29, Berneburg, Cris J. - US <
Post by Berneburg, Cris J. - US
RAMBLE: However, if I try to look at it from a point of view of a large
bureaucracy, of which I am largely ignorant, I would not be surprised if
there is a policy against dev kits and IDE's on production servers for
security sake. Tomcat (whisper: with built-in compiler) is approved, but
is the JDK allowed? Guess I can ask. Yeah, it's potentially a
"distinction without a difference". Well, unless there are other tools in
the JDK that can pose security risks in addition to the Java compiler.
Java 11 I guess will be picked up by the package managers in Linux
(like yum).

And if you look how they did it now with Java 8 based on OpenJDK, then you
have the option to install only the runtime or development package (and a
lot of others, they split it up more)
Christopher Schultz
2018-10-18 15:34:53 UTC
Cris,
Post by Berneburg, Cris J. - US
Thanks Mark
mt> The argument for a JRE vs a JDK is that the JDK includes
mt> a compiler. The only reason Tomcat can run on a JRE and
mt> still support JSPs (which require compilation) is that
mt> Tomcat includes a Java compiler. I don't think the
mt> security argument holds much water.
I had not thought of that, and you're right (literally technically speaking).
RAMBLE: However, if I try to look at it from a point of view of a
large bureaucracy, of which I am largely ignorant, I would not be
surprised if there is a policy against dev kits and IDE's on
production servers for security sake. Tomcat (whisper: with
built-in compiler) is approved, but is the JDK allowed? Guess I
can ask. Yeah, it's potentially a "distinction without a
difference". Well, unless there are other tools in the JDK that
can pose security risks in addition to the Java compiler.
Hard and fast rule: no compilers.

Well, except for EJC, Perl, Python, PHP, *sh, and a host of other
things capable of running code.

It's a checkbox security "feature" that is all of meaningless,
ineffective, and inconvenient. These days, most servers have all the
code you'd already ever need to "compile" and run an exploit even if
there were no compiler there. All you need is a nice, vulnerable
pre-existing binary.

https://crypto.stanford.edu/~blynn/rop/
Post by Berneburg, Cris J. - US
mt> OpenJDK is very close to the Oracle JDK these days. I
mt> regularly run Tomcat's unit tests with the latest OpenJDK
mt> and have yet to find an issue that is OpenJDK specific.
mt>
mt> Tomcat runs happily (and is supported) on a JRE.
mt>
mt> If the JRE has passed the Java TCK then Tomcat should run
mt> on it. I don't think there is an official Tomcat position
mt> but my expectation is if a Tomcat bug (as opposed to a
mt> Java bug) appears when running on any Java implementation
mt> that has passed the TCK then the Tomcat team would treat
mt> that as a Tomcat bug and fix it.
All good to know.
cjb> I am imagining spending all my time being taken up by
cjb> Java upgrades with subsequent builds, regression testing,
cjb> red tape, and deployments
mt> I'd plan to stick to the LTS releases.
Meh, not my call. Whatever the Powers That Be decide for the
production environment, I'll probably match that in dev. If they
decide LT$ is the way to go, using the JDK will cost nothing for
my dev environment anyway. But if OpenJDK and frequent updates
are selected ... phooey.
They will decide to stick with Java 8, even though it's EOL. The
decision will be made because (a) "there are some incompatibilities
with Java 11 which are hairy to untangle" and (b) "Java 8 hasn't
caused a breach, yet, so we'll probably be fine".

Good luck!

I'm having trouble convincing a partner vendor to move from Java *6*
up to Java 8. *facepalm*

-chris
Berneburg, Cris J. - US
2018-10-19 14:34:33 UTC
Chris

cjb> large bureaucracy [...] I would not be
cjb> surprised if there is a policy against dev kits and IDE's on
cjb> production servers for security sake. Tomcat (whisper: with built-in
cjb> compiler) is approved, but is the JDK allowed? Guess I can ask.
cjb> Yeah, it's potentially a "distinction without a difference".

cs> Hard and fast rule: no compilers. [...] It's a checkbox security
cs> "feature" that is all of meaningless, ineffective, and inconvenient.

Yeah, I was thinking similar things from inference.

cs> These days, most servers have all the code you'd already ever need
cs> to "compile" and run an exploit even if there were no compiler there.
cs> All you need is a nice, vulnerable pre-existing binary.

That's kinda scary. I suppose the attitude is that as long as there are security updates still being published, that conforms to policy and is therefore OK. Actually, what else can be done once any software has been released into the wild?

mt> I'd plan to stick to the LTS releases.

cjb> Meh, not my call. Whatever the Powers That Be decide for the
cjb> production environment, I'll probably match that in dev.

cs> They will decide to stick with Java 8, even though it's EOL. The
cs> decision will be made because (a) "there are some incompatibilities
cs> with Java 11 which are hairy to untangle" and (b) "Java 8 hasn't
cs> caused a breach, yet, so we'll probably be fine".

Interesting theory... Care to make a friendly wager on that, say lunch and/or a beer? Wait, do you have some sort of inside info? Wager rescinded! ;-)

My question would be how long after the 2019 EOL will Java 8 still be approved for use, be it official policy or unofficial inertia. Well, at least until the next major vulnerability is discovered and then everyone scrambles to cover their behinds and upgrade Java.

cs> I'm having trouble convincing a partner vendor to move from
cs> Java *6* up to Java 8. *facepalm*

"Ha ha" (said the guy who is still in the process of upgrading from TC 6.0 to 8.5).
--
Cris Berneburg
CACI Lead Software Engineer

