Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
Re: [openj9-dev] Security Update Policy

> Of course for a company most interesting is the question: „If I put this thing into production in version X,
> how long will there be security/critical updates available (in a sufficiently short timeframe).“ This is something
> that needs an answer before making decisions. I understand that this is a little behind the horizon for you right now J
> (From a management point of view, ) even an answer like: “it’s open source, go fix it yourself and we will happily
> accept security patches” would be kind of acceptable. Maybe not driving decision towards OpenJ9, but still acceptable :D

It's a perfectly reasonable question to ask; thanks for helping us push the conversation forward.

Note that "this thing" is actually OpenJDK with Eclipse OpenJ9 so, from our standpoint, support for security updates and
other kinds of fixes will necessarily be a joint effort: 1) OpenJDK providing that support for class libraries, and 2) OpenJ9
for the JVM technology. The first part happens at our "Extensions" projects, e.g. [1], which is a mirror of OpenJDK along
with the small number of patches needed to replace Hotspot with OpenJ9. The second part happens at the main OpenJ9
repo [2].

Every quarter, we try to put out the most current version of each part as our Eclipse OpenJ9 release, with the hopeful
release dates listed in the issue I linked to in the previous note [3].

I'm not sure if that improves on "it’s open source, go fix it yourself and we will happily accept security patches".

What do you think :) ?

Of course, Eclipse OpenJ9 is an open source project and you're very welcome to submit fixes for any kind of problem.
Just reporting a problem is a valuable contribution to our community, however, so please let us know at our Github
repo about anything you find that doesn't work the way you think it should, and for our part, we'll endeavour to
seriously investigate all such reported issues.

Specifically for security related issues, though, I have to refer you to the Eclipse Foundation's Security Policy [4]. For
hopefully obvious reasons, that page documents the proper way to report as-yet-undisclosed security problems
against any Eclipse Foundation project (like OpenJ9 or OMR). Similarly, security vulnerabilities found in OpenJDK
classes should be reported to the OpenJDK Vulnerability group [5].


[1] also jdk10, soon for jdk11, etc.

Back to the top