Re: F37 proposal: Build all JDKs in Fedora against in-tree libraries and with static stdc++lib (System-Wide Change proposal)

On 16/05/2022 21:13, Jiri Vanek wrote:
Not necessarily. In a small project, sure, bundled libraries will get rotten, but a project like OpenJDK, where 99% of its builds use the in-tree copies, cannot allow itself to have security holes in them.

Not true. Popular packages like freetype, fontconfig, zlib are always getting patched in Fedora soon. OpenJDK will only receive a patch in 2-3 months when a new patch version is released.

This is probably the main issue we are aware of. Especially the system configuration will be a hard issue, if solvable at all.

This will make the user's eyes bleed.

However, IIRC, those features do not work properly in Java even those days, as Java has to support all that lies below, and it simply cannot, so the in-tree libraries come into play.

OpenJDK 17 respects system configuration after adding the following lines to the ~/.bashrc file:

export _JAVA_OPTIONS="-Dawt.useSystemAAFontSettings=lcd -Dswing.aatext=true -Dswing.defaultlaf=com.sun.java.swing.plaf.gtk.GTKLookAndFeel -Dswing.crossplatformlaf=com.sun.java.swing.plaf.gtk.GTKLookAndFeel"

Note that we had to patch the JDK in the past to work properly after changes in the system libraries. And that is not an easy task.

Someone needs to grab the font patches from the JetBrains JRE fork and upstream them.

But the current configuration of OpenJDK 17 on Fedora 36 also looks good after changing _JAVA_OPTIONS as mentioned above.

The bundling was always bad, but is a necessary evil.

No. I don't think so. Bundling is always evil and should be avoided as much as possible.

See e.g. rsync - the bundled zlib is there because it is technically not possible to use a dynamic one.

"technically not possible" vs. "we just don't want to do additional work".

Unluckily, the negatives have been multiplying for years. Although we are not happy with the change, it must be done if JDKs should remain maintained and healthy in Fedora.

I've been using OpenJDK on Fedora for ages with NetBeans and even IDEA and everything works great.

Right, but downstream works well too. If such a vulnerability occurs, be sure we will patch RPMs ASAP, and also the upstream project - maybe without a release - will react too.

And maybe not and OpenJDK will be vulnerable for months until the next release is out.

I'm aware of some codecs which are built in Fedora, then the binary is sent to .. Cisco(?), and if passed, they are repacked into all live Fedoras.

Fedora builds openh264 from sources for each supported Fedora release and then submits RPMs to Cisco, because due to legal reasons only Cisco can redistribute it.

A super corner case of this may be the packing of some firmware as binary blobs.

Firmware is executed directly on the hardware and provided by manufacturers.

All software must be built from sources. No blobs are allowed.

Right, you need a FESCo exception.

I hope this exception is never granted.

First - our burden. We have to certify each binary. This is quite a long and lengthy process. Only once it is certified can we release it (with a small unwritten exception in Rawhide).

Just stop doing TCK certification. Most of Fedora users don't need "certified binaries".

The future of Java looks to be pointing pretty straight forward to such changes, so we have to move too.

There is no future after such destructive changes.

Actually just the opposite. This is the future of Java, and without it Java in Fedora may diminish and fade away. I personally really do not like this change, and I agree with all rebukes taken here. But the current OpenJDK maintainers (who have been the same for the last decade) do not see another way.
If it really goes bad, we will withdraw and continue fighting.

The Java stack on Fedora is almost dead. We've already lost 99% of popular Java applications: NetBeans, Eclipse, IDEA, etc.

This is wrong. The JDK will always be built from sources in Koji. The main reduction of load will be that we build once in Koji, in the oldest Fedora, and repack to newer.

Rebuilding prebuilt binaries != building from sources. This is strictly prohibited.

Quite a few packages are delivered as blobs... Still. Be sure we are NOT going to do that.

In addition there are many excludes in various binary drivers.

Lie. Fedora doesn't have any binary drivers in repositories. All Fedora packages (except linux-firmware) are built from sources without network access.

To keep Fedora competitive, this is currently a necessary step.

Fedora currently has the best OpenJDK builds.

--
Sincerely,
  Vitaly Zaitsev (vitaly@xxxxxxxxxxxxxx)