Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How can I get early access to Oracle Java updates, so I can test my RIA and avoid fire-drills when these updates are made public?

Having had our application stop working when customers installed the 7u45 update, we're wondering what more we can do in the future to be ready for these updates up-front and avoid release-day support nightmares.

(Per the Java version numbering scheme, the next Critical Patch Update, planned for January 14, will be 7u51. The next Limited Update (date unknown) will be 7u60.)

I've poked around the Oracle and OpenJDK websites, and not found anything particularly useful. The main Oracle page for Java SE has an Early Access Downloads section. It has three links that have potential, but don't pan out:

  • https://jdk7.java.net/, which still talks about 7u40 -- no mention of 7u45, let alone 7u51 or 7u60.

  • http://openjdk.java.net/projects/jdk7u/, which says "We're open for fixes for 7u60 in the jdk7u-dev forest", but doesn't appear to provide any pre-built binaries. It's also not clear to me whether the deployment components (applet plug-in and webstart), the main source of our past compatibility issues, are even part of OpenJDK to begin with.

  • The Java Compatibility and Performance Program sounds like just what I want, but nobody knows how to sign up for it.

An answer to the second question I linked above points to an OpenJDK bug report that was filed back in August. (It has a "CAP" label, which might stand for "Compatibility and Performance"?) So clearly some people are able to test their applications against these updates. Any pointers on how to join that club are much appreciated!

like image 949
Matt McHenry Avatar asked Oct 17 '13 20:10

Matt McHenry


People also ask

What is the latest Oracle Java version?

What is the latest Java version? As of March 2022, Java 18 is the latest released Java version.

Is it safe to use Java Oracle?

As long as its downloaded from Oracle's official Java website, its fine. With that said however, be aware that sites or applications that make use of Java may not be themselves 100% secure.


1 Answers

OpenJDK Bug System

According to this post on the jdk7u-dev mailing list, the OpenJDK bug system may provide a subset of the answer.

The mailing list post says that bugs with the CPU-critical-request label are under consideration for inclusion in the next CPU and bugs with the CPU-critical-approved label have been approved for inclusion in the next CPU. However in practice, it seems that they're using more-specific labels. For the 7u51 update planned for January 2014, the labels appear to be CPU14_01-critical-request and CPU14_01-critical-approved.

You can browse the full set of labels to make your own educated guesses about labels for subsequent CPUs. You can also see bugs whose "fix version" is 7u51.

Java Platform Group, Product Managment blog

The Java Platform Group, Product Management blog looks to be another avenue for partial information. In this comment to the "Updated Security Baseline (7u45) impacts Java 7u40 and before with High Security settings" entry, Erik Costlow of Oracle says:

One of the reasons we created this blog is that it gives us a way of providing as much information as we can, even more than it already done on the various OpenJDK mailing lists.

There are some changes that we can't provide advance notice about, and my hope is to keep that to a minimum. For other changes, not only are we posting about them here, I am actually going out into other projects and not only telling them, but (as appropriate) making contributions. See https://issues.apache.org/bugzilla/show_bug.cgi?id=55542 for an example.

Oracle Programs

The Java Compatibility and Performance Program is dead, according to my Oracle account manager. Access to an analogous program for CPUs is tightly controlled (even within Oracle) due to the risk of vulnerabilities being reverse-engineered. (I am not a member and do not plan to pursue it further.) OpenJDK is Oracle's preferred method of compatibility testing, even though it is known not to be bit-for-bit identical to what will be in the next CPU.

Oracle also refers us to the Security Track at JavaOne 2013, in particular the "One Year of Security Enhancements in the JRE" talk, whose slides are available online. Those slides, in turn, say that the blog mentioned above will give "as much advanced notice as possible".

like image 100
Matt McHenry Avatar answered Oct 23 '22 15:10

Matt McHenry