You are viewing a plain text version of this content. The canonical link for it is here.
Posted to derby-dev@db.apache.org by Rory O'Donnell <ro...@oracle.com> on 2021/06/14 18:20:05 UTC
Re: [External] : Re: JDK 17 is now in Rampdown Phase One
Hi Rick,
Excellent feedback , I suggest you send this information to the
security-dev [1] mailing list to demonstrate the impact
it is having on you and others. Make sure to subscribe first.
Rgds,Rory
[1] security-dev@openjdk.java.net <ma...@openjdk.java.net>
On 14/06/2021 16:43, Rick Hillegas wrote:
> Hi Rory,
>
> Copying the Tomcat developer community since this issue probably
> affects them as well.
>
> When I tried to build Derby with the Rampdown Phase One build of open
> JDK 17 (17-ea+26-2439), I saw many warnings related to the deprecation
> of Security Manager classes and methods, undoubtedly the consequence
> of JEP 411 (https://openjdk.java.net/jeps/411). Derby, like Tomcat,
> embraced the Security Manager early on. Permissions checks were
> rototilled across the whole code base. Our distributions ship with
> several template policy files, which we encourage users to customize
> for their environments. The "Configuring Java Security" section of our
> Security Guide explains how to do this
> (https://urldefense.com/v3/__https://db.apache.org/derby/docs/10.15/security/index.html__;!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBh9kcdocM$
> ).
>
> My build only reported the first 100 warnings. It is likely that there
> are many more.
>
> Having read the summary of JEP 411, I understand the motivation for
> this change. However, I don't understand how applications like Tomcat
> and Derby are supposed to respond to the new blizzard of deprecation
> warnings. For instance, is there a replacement for the deprecated
> AccessController.doPrivileged() method? Or are we supposed to simply
> disable this deprecation check? Is there some security expert whom we
> should contact about this change and how to mitigate its effects?
>
> Thanks,
> -Rick
>
>
> On 6/14/21 2:18 AM, Rory O'Donnell wrote:
>>
>> Hi Rick,
>> *
>> Per the JDK 17 schedule , we are in Rampdown Phase One [1].*
>>
>> **Please advise if you find any issues while testing the latest Early
>> Access builds**.**
>>
>> * Schedule:
>> o *2021/06/10 Rampdown Phase One*
>> o 2021/07/15 Rampdown Phase Two
>> o 2021/08/05 Initial Release Candidate
>> o 2021/08/19 Final Release Candidate
>> o 2021/09/14 General Availability
>>
>> The overall feature set is frozen. No further JEPs will be targeted
>> to this release.
>>
>> **
>>
>> * Important JEPs have been integrated – Attention Required!
>> * *JEP 411: **Deprecate the Security Manager for
>> Removal*<https://openjdk.java.net/jeps/411>
>> o Deprecate, for removal, most Security Manager related classes
>> and methods.
>> o Warning message at startup if the Security Manager is enabled on
>> the command line.
>> o Warning message at run time if a Java application or library
>> installs a Security Manager dynamically.
>> o Deprecation is in concert with the legacy Applet API (JEP 398).
>> * *JEP 407: **Remove RMI Activation*<https://openjdk.java.net/jeps/407>
>> o Removal the Remote Method Invocation (RMI) Activation mechanism,
>> while preserving the rest of RMI.
>> o It was deprecated for removal by JEP
>> 385<https://openjdk.java.net/jeps/385>in Java SE 15.
>> * *JEP 403: **Strongly Encapsulate JDK
>> Internals*<https://openjdk.java.net/jeps/403>
>> o Strongly encapsulate all internal elements of the JDK, except
>> for critical internal APIs such as /sun.misc.Unsafe/.
>> o It will no longer be possible to relax the strong encapsulation
>> of internal elements via a single command-line option.
>>
>> * Other features integrated in JDK 17:
>> o *JEP 306: **Restore Always-Strict Floating-Point
>> Semantics*<https://openjdk.java.net/jeps/306>
>> o JEP 356: Enhanced Pseudo-Random Number
>> Generators<https://openjdk.java.net/jeps/356>
>> o JEP 382: New macOS Rendering
>> Pipeline<https://openjdk.java.net/jeps/382>
>> o JEP 391: macOS/AArch64 Port<https://openjdk.java.net/jeps/391>
>> o JEP 398: Deprecate the Applet API for
>> Removal<https://openjdk.java.net/jeps/398>
>> o *JEP 406: **Pattern Matching for switch
>> (Preview)*<https://openjdk.java.net/jeps/406>
>> o JEP 409: Sealed Classes<https://openjdk.java.net/jeps/409>
>> o JEP 410: Remove the Experimental AOT and JIT
>> Compiler<https://openjdk.java.net/jeps/410>
>> o JEP 412: Foreign Function & Memory API
>> (Incubator)<https://openjdk.java.net/jeps/412>
>> o *JEP 414: **Vector API (Second
>> Incubator)*<https://openjdk.java.net/jeps/414>
>> o *JEP 415: **Context-Specific Deserialization
>> Filters*<https://openjdk.java.net/jeps/415>
>>
>> *OpenJDK 17 Early Access build 26 is available at
>> **https://urldefense.com/v3/__https://jdk.java.net/17*__;Kg!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBhLKySzR0$
>> <https://urldefense.com/v3/__https://jdk.java.net/17__;!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBhY2EWmz8$
>> >
>>
>> * These early-access , open-source builds are provided under the
>> o GNU General Public License, version 2, with the Classpath
>> Exception<https://openjdk.java.net/legal/gplv2+ce.html>
>>
>> * Release Notes are available at
>> https://urldefense.com/v3/__https://jdk.java.net/17/release-notes__;!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBhyLFhj5g$
>> <https://urldefense.com/v3/__https://jdk.java.net/17/release-notes__;!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBhyLFhj5g$
>> >
>>
>> * Changes in recent builds that maybe of interest:
>> * *Build 26:*
>> o JDK-8268241: deprecate JVM TI Heap functions 1.0
>> o JDK-8266846: Add java.time.InstantSource
>> o JDK-8248268: Support KWP in addition to KW
>> o JDK-8204686: Dynamic parallel reference processing support for
>> Parallel GC
>> o JDK-8259530: Generated docs contain MIT/GPL-licenced works
>> without reproducing the licence [*Reported by Apache Maven*]
>> o JDK-8266766: Arrays of types that cannot be an annotation member
>> do not yield exceptions [*Reported by ByteBuddy*]
>> o JDK-8266598: Exception values for
>> AnnotationTypeMismatchException are not always informative
>> [*Reported by ByteBuddy*]
>> * *Build 25*
>> o JDK-8266653: Change update mode for JDK rpm/deb installers as it
>> breaks "yum update" for JDK11+
>> o JDK-8263202: Update Hebrew/Indonesian/Yiddish ISO 639 language
>> codes to current
>> o JDK-8229517: Support for optional asynchronous/buffered logging
>> o JDK-8182043: Access to Windows Large Icons
>>
>>
>> *OpenJDK 18 Early Access build 1 is now available at
>> **https://urldefense.com/v3/__https://jdk.java.net/18*__;Kg!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBhzhYMGcc$
>> <https://urldefense.com/v3/__https://jdk.java.net/18__;!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBhWHowDJ4$
>> >
>>
>> * These early-access , open-source builds are provided under the
>> o GNU General Public License, version 2, with the Classpath
>> Exception <https://openjdk.java.net/legal/gplv2+ce.html>
>> * Issues addressed in this build - here
>> <https://urldefense.com/v3/__https://github.com/openjdk/jdk/compare/jdk-18*2B0...jdk-18*2B1__;JSU!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBhH5huF_4$
>> >
>>
>> *Other Topics which might be of Interest: *
>>
>> **
>>
>> * Java Cryptographic Roadmap [2] has been updated.
>> * Inside Java Newscast #6 [3]
>> o a closer look at the list of JEPs of JDK 17 as well as the
>> development process
>> * Inside Java Newscast #7 [4]
>> o discusses in greater detail `pattern matching for switch`,
>> previewed in JDK 17
>>
>> Rgds,Rory
>>
>> [1]
>> https://mail.openjdk.java.net/pipermail/jdk-dev/2021-June/005690.html
>> <https://mail.openjdk.java.net/pipermail/jdk-dev/2021-June/005690.html><https://mail.openjdk.java.net/pipermail/jdk-dev/2021-June/005690.html><https://mail.openjdk.java.net/pipermail/jdk-dev/2021-June/005690.html>
>>
>> [2]
>> https://urldefense.com/v3/__https://java.com/en/jre-jdk-cryptoroadmap.html__;!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBhXr9f42k$
>> <https://urldefense.com/v3/__https://java.com/en/jre-jdk-cryptoroadmap.html__;!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBhXr9f42k$
>> >
>> [3]
>> https://urldefense.com/v3/__https://inside.java/2021/06/10/insidejava-newscast-006/__;!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBh1WZe32A$
>> <https://urldefense.com/v3/__https://inside.java/2021/06/10/insidejava-newscast-006/__;!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBh1WZe32A$
>> >
>> [4]
>> https://urldefense.com/v3/__https://inside.java/2021/06/13/podcast-017/__;!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBh15gIS5s$
>> <https://urldefense.com/v3/__https://inside.java/2021/06/13/podcast-017/__;!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBh15gIS5s$
>> >
>>
>
--
Rgds, Rory O'Donnell
Quality Engineering Manager
Oracle EMEA, Dublin, Ireland
Re: [External] : Re: JDK 17 is now in Rampdown Phase One
Posted by Rory Odonnell <ro...@oracle.com>.
Many thanks Rick, glad to hear all is well again!
Reds,Rory
Get Outlook for iOS<https://aka.ms/o0ukef>
________________________________
From: Rick Hillegas <ri...@gmail.com>
Sent: Friday, June 18, 2021 7:19:09 PM
To: Rory Odonnell <ro...@oracle.com>; derby-dev@db.apache.org <de...@db.apache.org>; dev@tomcat.apache.org <de...@tomcat.apache.org>
Cc: Dalibor Topic <da...@oracle.com>; Balchandra Vaidya <ba...@oracle.com>; Deepak Damodaran <de...@oracle.com>
Subject: Re: [External] : Re: JDK 17 is now in Rampdown Phase One
Hi Rory,
Derby builds and tests cleanly against Open JDK 17-ea+26-2439 after
suppressing the deprecation warnings introduced by JEP 411. Our
experience is documented in a security-dev@openjdk.java.net email thread
titled "blizzard of deprecation warnings related to JEP 411" and in
comments dated between 2021-06-15 and 2021-06-18 on
https://urldefense.com/v3/__https://issues.apache.org/jira/browse/DERBY-7110__;!!GqivPVa7Brio!McghnfCCxtVZFIPEzbD7Uxb10QRjioV2hX5tYh3mbMhBIjtXLOkYmBVY53aFPl8BDjs$ .
On 6/14/21 11:20 AM, Rory O'Donnell wrote:
> Hi Rick,
>
> Excellent feedback , I suggest you send this information to the
> security-dev [1] mailing list to demonstrate the impact
> it is having on you and others. Make sure to subscribe first.
>
> Rgds,Rory
>
> [1] security-dev@openjdk.java.net <ma...@openjdk.java.net>
>
> On 14/06/2021 16:43, Rick Hillegas wrote:
>> Hi Rory,
>>
>> Copying the Tomcat developer community since this issue probably
>> affects them as well.
>>
>> When I tried to build Derby with the Rampdown Phase One build of open
>> JDK 17 (17-ea+26-2439), I saw many warnings related to the
>> deprecation of Security Manager classes and methods, undoubtedly the
>> consequence of JEP 411 (https://openjdk.java.net/jeps/411). Derby,
>> like Tomcat, embraced the Security Manager early on. Permissions
>> checks were rototilled across the whole code base. Our distributions
>> ship with several template policy files, which we encourage users to
>> customize for their environments. The "Configuring Java Security"
>> section of our Security Guide explains how to do this
>> (https://urldefense.com/v3/__https://db.apache.org/derby/docs/10.15/security/index.html__;!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBh9kcdocM$
>> ).
>>
>> My build only reported the first 100 warnings. It is likely that
>> there are many more.
>>
>> Having read the summary of JEP 411, I understand the motivation for
>> this change. However, I don't understand how applications like Tomcat
>> and Derby are supposed to respond to the new blizzard of deprecation
>> warnings. For instance, is there a replacement for the deprecated
>> AccessController.doPrivileged() method? Or are we supposed to simply
>> disable this deprecation check? Is there some security expert whom we
>> should contact about this change and how to mitigate its effects?
>>
>> Thanks,
>> -Rick
>>
>>
>> On 6/14/21 2:18 AM, Rory O'Donnell wrote:
>>>
>>> Hi Rick,
>>> *
>>> Per the JDK 17 schedule , we are in Rampdown Phase One [1].*
>>>
>>> **Please advise if you find any issues while testing the latest
>>> Early Access builds**.**
>>>
>>> * Schedule:
>>> o *2021/06/10 Rampdown Phase One*
>>> o 2021/07/15 Rampdown Phase Two
>>> o 2021/08/05 Initial Release Candidate
>>> o 2021/08/19 Final Release Candidate
>>> o 2021/09/14 General Availability
>>>
>>> The overall feature set is frozen. No further JEPs will be targeted
>>> to this release.
>>>
>>> **
>>>
>>> * Important JEPs have been integrated – Attention Required!
>>> * *JEP 411: **Deprecate the Security Manager for
>>> Removal*<https://openjdk.java.net/jeps/411>
>>> o Deprecate, for removal, most Security Manager related classes
>>> and methods.
>>> o Warning message at startup if the Security Manager is enabled on
>>> the command line.
>>> o Warning message at run time if a Java application or library
>>> installs a Security Manager dynamically.
>>> o Deprecation is in concert with the legacy Applet API (JEP 398).
>>> * *JEP 407: **Remove RMI
>>> Activation*<https://openjdk.java.net/jeps/407>
>>> o Removal the Remote Method Invocation (RMI) Activation mechanism,
>>> while preserving the rest of RMI.
>>> o It was deprecated for removal by JEP
>>> 385<https://openjdk.java.net/jeps/385>in Java SE 15.
>>> * *JEP 403: **Strongly Encapsulate JDK
>>> Internals*<https://openjdk.java.net/jeps/403>
>>> o Strongly encapsulate all internal elements of the JDK, except
>>> for critical internal APIs such as /sun.misc.Unsafe/.
>>> o It will no longer be possible to relax the strong encapsulation
>>> of internal elements via a single command-line option.
>>>
>>> * Other features integrated in JDK 17:
>>> o *JEP 306: **Restore Always-Strict Floating-Point
>>> Semantics*<https://openjdk.java.net/jeps/306>
>>> o JEP 356: Enhanced Pseudo-Random Number
>>> Generators<https://openjdk.java.net/jeps/356>
>>> o JEP 382: New macOS Rendering
>>> Pipeline<https://openjdk.java.net/jeps/382>
>>> o JEP 391: macOS/AArch64 Port<https://openjdk.java.net/jeps/391>
>>> o JEP 398: Deprecate the Applet API for
>>> Removal<https://openjdk.java.net/jeps/398>
>>> o *JEP 406: **Pattern Matching for switch
>>> (Preview)*<https://openjdk.java.net/jeps/406>
>>> o JEP 409: Sealed Classes<https://openjdk.java.net/jeps/409>
>>> o JEP 410: Remove the Experimental AOT and JIT
>>> Compiler<https://openjdk.java.net/jeps/410>
>>> o JEP 412: Foreign Function & Memory API
>>> (Incubator)<https://openjdk.java.net/jeps/412>
>>> o *JEP 414: **Vector API (Second
>>> Incubator)*<https://openjdk.java.net/jeps/414>
>>> o *JEP 415: **Context-Specific Deserialization
>>> Filters*<https://openjdk.java.net/jeps/415>
>>>
>>> *OpenJDK 17 Early Access build 26 is available at
>>> **https://urldefense.com/v3/__https://jdk.java.net/17*__;Kg!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBhLKySzR0$
>>> <https://urldefense.com/v3/__https://jdk.java.net/17__;!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBhY2EWmz8$
>>> >
>>>
>>> * These early-access , open-source builds are provided under the
>>> o GNU General Public License, version 2, with the Classpath
>>> Exception<https://openjdk.java.net/legal/gplv2+ce.html>
>>>
>>> * Release Notes are available at
>>> https://urldefense.com/v3/__https://jdk.java.net/17/release-notes__;!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBhyLFhj5g$
>>> <https://urldefense.com/v3/__https://jdk.java.net/17/release-notes__;!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBhyLFhj5g$
>>> >
>>>
>>> * Changes in recent builds that maybe of interest:
>>> * *Build 26:*
>>> o JDK-8268241: deprecate JVM TI Heap functions 1.0
>>> o JDK-8266846: Add java.time.InstantSource
>>> o JDK-8248268: Support KWP in addition to KW
>>> o JDK-8204686: Dynamic parallel reference processing support for
>>> Parallel GC
>>> o JDK-8259530: Generated docs contain MIT/GPL-licenced works
>>> without reproducing the licence [*Reported by Apache Maven*]
>>> o JDK-8266766: Arrays of types that cannot be an annotation member
>>> do not yield exceptions [*Reported by ByteBuddy*]
>>> o JDK-8266598: Exception values for
>>> AnnotationTypeMismatchException are not always informative
>>> [*Reported by ByteBuddy*]
>>> * *Build 25*
>>> o JDK-8266653: Change update mode for JDK rpm/deb installers as it
>>> breaks "yum update" for JDK11+
>>> o JDK-8263202: Update Hebrew/Indonesian/Yiddish ISO 639 language
>>> codes to current
>>> o JDK-8229517: Support for optional asynchronous/buffered logging
>>> o JDK-8182043: Access to Windows Large Icons
>>>
>>>
>>> *OpenJDK 18 Early Access build 1 is now available at
>>> **https://urldefense.com/v3/__https://jdk.java.net/18*__;Kg!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBhzhYMGcc$
>>> <https://urldefense.com/v3/__https://jdk.java.net/18__;!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBhWHowDJ4$
>>> >
>>>
>>> * These early-access , open-source builds are provided under the
>>> o GNU General Public License, version 2, with the Classpath
>>> Exception <https://openjdk.java.net/legal/gplv2+ce.html>
>>> * Issues addressed in this build - here
>>> <https://urldefense.com/v3/__https://github.com/openjdk/jdk/compare/jdk-18*2B0...jdk-18*2B1__;JSU!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBhH5huF_4$
>>> >
>>>
>>> *Other Topics which might be of Interest: *
>>>
>>> **
>>>
>>> * Java Cryptographic Roadmap [2] has been updated.
>>> * Inside Java Newscast #6 [3]
>>> o a closer look at the list of JEPs of JDK 17 as well as the
>>> development process
>>> * Inside Java Newscast #7 [4]
>>> o discusses in greater detail `pattern matching for switch`,
>>> previewed in JDK 17
>>>
>>> Rgds,Rory
>>>
>>> [1]
>>> https://mail.openjdk.java.net/pipermail/jdk-dev/2021-June/005690.html
>>> <https://mail.openjdk.java.net/pipermail/jdk-dev/2021-June/005690.html><https://mail.openjdk.java.net/pipermail/jdk-dev/2021-June/005690.html><https://mail.openjdk.java.net/pipermail/jdk-dev/2021-June/005690.html>
>>>
>>> [2]
>>> https://urldefense.com/v3/__https://java.com/en/jre-jdk-cryptoroadmap.html__;!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBhXr9f42k$
>>> <https://urldefense.com/v3/__https://java.com/en/jre-jdk-cryptoroadmap.html__;!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBhXr9f42k$
>>> >
>>> [3]
>>> https://urldefense.com/v3/__https://inside.java/2021/06/10/insidejava-newscast-006/__;!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBh1WZe32A$
>>> <https://urldefense.com/v3/__https://inside.java/2021/06/10/insidejava-newscast-006/__;!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBh1WZe32A$
>>> >
>>> [4]
>>> https://urldefense.com/v3/__https://inside.java/2021/06/13/podcast-017/__;!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBh15gIS5s$
>>> <https://urldefense.com/v3/__https://inside.java/2021/06/13/podcast-017/__;!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBh15gIS5s$
>>> >
>>>
>>
>
Re: [External] : Re: JDK 17 is now in Rampdown Phase One
Posted by Rory Odonnell <ro...@oracle.com>.
Many thanks Rick, glad to hear all is well again!
Reds,Rory
Get Outlook for iOS<https://aka.ms/o0ukef>
________________________________
From: Rick Hillegas <ri...@gmail.com>
Sent: Friday, June 18, 2021 7:19:09 PM
To: Rory Odonnell <ro...@oracle.com>; derby-dev@db.apache.org <de...@db.apache.org>; dev@tomcat.apache.org <de...@tomcat.apache.org>
Cc: Dalibor Topic <da...@oracle.com>; Balchandra Vaidya <ba...@oracle.com>; Deepak Damodaran <de...@oracle.com>
Subject: Re: [External] : Re: JDK 17 is now in Rampdown Phase One
Hi Rory,
Derby builds and tests cleanly against Open JDK 17-ea+26-2439 after
suppressing the deprecation warnings introduced by JEP 411. Our
experience is documented in a security-dev@openjdk.java.net email thread
titled "blizzard of deprecation warnings related to JEP 411" and in
comments dated between 2021-06-15 and 2021-06-18 on
https://urldefense.com/v3/__https://issues.apache.org/jira/browse/DERBY-7110__;!!GqivPVa7Brio!McghnfCCxtVZFIPEzbD7Uxb10QRjioV2hX5tYh3mbMhBIjtXLOkYmBVY53aFPl8BDjs$ .
On 6/14/21 11:20 AM, Rory O'Donnell wrote:
> Hi Rick,
>
> Excellent feedback , I suggest you send this information to the
> security-dev [1] mailing list to demonstrate the impact
> it is having on you and others. Make sure to subscribe first.
>
> Rgds,Rory
>
> [1] security-dev@openjdk.java.net <ma...@openjdk.java.net>
>
> On 14/06/2021 16:43, Rick Hillegas wrote:
>> Hi Rory,
>>
>> Copying the Tomcat developer community since this issue probably
>> affects them as well.
>>
>> When I tried to build Derby with the Rampdown Phase One build of open
>> JDK 17 (17-ea+26-2439), I saw many warnings related to the
>> deprecation of Security Manager classes and methods, undoubtedly the
>> consequence of JEP 411 (https://openjdk.java.net/jeps/411). Derby,
>> like Tomcat, embraced the Security Manager early on. Permissions
>> checks were rototilled across the whole code base. Our distributions
>> ship with several template policy files, which we encourage users to
>> customize for their environments. The "Configuring Java Security"
>> section of our Security Guide explains how to do this
>> (https://urldefense.com/v3/__https://db.apache.org/derby/docs/10.15/security/index.html__;!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBh9kcdocM$
>> ).
>>
>> My build only reported the first 100 warnings. It is likely that
>> there are many more.
>>
>> Having read the summary of JEP 411, I understand the motivation for
>> this change. However, I don't understand how applications like Tomcat
>> and Derby are supposed to respond to the new blizzard of deprecation
>> warnings. For instance, is there a replacement for the deprecated
>> AccessController.doPrivileged() method? Or are we supposed to simply
>> disable this deprecation check? Is there some security expert whom we
>> should contact about this change and how to mitigate its effects?
>>
>> Thanks,
>> -Rick
>>
>>
>> On 6/14/21 2:18 AM, Rory O'Donnell wrote:
>>>
>>> Hi Rick,
>>> *
>>> Per the JDK 17 schedule , we are in Rampdown Phase One [1].*
>>>
>>> **Please advise if you find any issues while testing the latest
>>> Early Access builds**.**
>>>
>>> * Schedule:
>>> o *2021/06/10 Rampdown Phase One*
>>> o 2021/07/15 Rampdown Phase Two
>>> o 2021/08/05 Initial Release Candidate
>>> o 2021/08/19 Final Release Candidate
>>> o 2021/09/14 General Availability
>>>
>>> The overall feature set is frozen. No further JEPs will be targeted
>>> to this release.
>>>
>>> **
>>>
>>> * Important JEPs have been integrated – Attention Required!
>>> * *JEP 411: **Deprecate the Security Manager for
>>> Removal*<https://openjdk.java.net/jeps/411>
>>> o Deprecate, for removal, most Security Manager related classes
>>> and methods.
>>> o Warning message at startup if the Security Manager is enabled on
>>> the command line.
>>> o Warning message at run time if a Java application or library
>>> installs a Security Manager dynamically.
>>> o Deprecation is in concert with the legacy Applet API (JEP 398).
>>> * *JEP 407: **Remove RMI
>>> Activation*<https://openjdk.java.net/jeps/407>
>>> o Removal the Remote Method Invocation (RMI) Activation mechanism,
>>> while preserving the rest of RMI.
>>> o It was deprecated for removal by JEP
>>> 385<https://openjdk.java.net/jeps/385>in Java SE 15.
>>> * *JEP 403: **Strongly Encapsulate JDK
>>> Internals*<https://openjdk.java.net/jeps/403>
>>> o Strongly encapsulate all internal elements of the JDK, except
>>> for critical internal APIs such as /sun.misc.Unsafe/.
>>> o It will no longer be possible to relax the strong encapsulation
>>> of internal elements via a single command-line option.
>>>
>>> * Other features integrated in JDK 17:
>>> o *JEP 306: **Restore Always-Strict Floating-Point
>>> Semantics*<https://openjdk.java.net/jeps/306>
>>> o JEP 356: Enhanced Pseudo-Random Number
>>> Generators<https://openjdk.java.net/jeps/356>
>>> o JEP 382: New macOS Rendering
>>> Pipeline<https://openjdk.java.net/jeps/382>
>>> o JEP 391: macOS/AArch64 Port<https://openjdk.java.net/jeps/391>
>>> o JEP 398: Deprecate the Applet API for
>>> Removal<https://openjdk.java.net/jeps/398>
>>> o *JEP 406: **Pattern Matching for switch
>>> (Preview)*<https://openjdk.java.net/jeps/406>
>>> o JEP 409: Sealed Classes<https://openjdk.java.net/jeps/409>
>>> o JEP 410: Remove the Experimental AOT and JIT
>>> Compiler<https://openjdk.java.net/jeps/410>
>>> o JEP 412: Foreign Function & Memory API
>>> (Incubator)<https://openjdk.java.net/jeps/412>
>>> o *JEP 414: **Vector API (Second
>>> Incubator)*<https://openjdk.java.net/jeps/414>
>>> o *JEP 415: **Context-Specific Deserialization
>>> Filters*<https://openjdk.java.net/jeps/415>
>>>
>>> *OpenJDK 17 Early Access build 26 is available at
>>> **https://urldefense.com/v3/__https://jdk.java.net/17*__;Kg!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBhLKySzR0$
>>> <https://urldefense.com/v3/__https://jdk.java.net/17__;!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBhY2EWmz8$
>>> >
>>>
>>> * These early-access , open-source builds are provided under the
>>> o GNU General Public License, version 2, with the Classpath
>>> Exception<https://openjdk.java.net/legal/gplv2+ce.html>
>>>
>>> * Release Notes are available at
>>> https://urldefense.com/v3/__https://jdk.java.net/17/release-notes__;!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBhyLFhj5g$
>>> <https://urldefense.com/v3/__https://jdk.java.net/17/release-notes__;!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBhyLFhj5g$
>>> >
>>>
>>> * Changes in recent builds that maybe of interest:
>>> * *Build 26:*
>>> o JDK-8268241: deprecate JVM TI Heap functions 1.0
>>> o JDK-8266846: Add java.time.InstantSource
>>> o JDK-8248268: Support KWP in addition to KW
>>> o JDK-8204686: Dynamic parallel reference processing support for
>>> Parallel GC
>>> o JDK-8259530: Generated docs contain MIT/GPL-licenced works
>>> without reproducing the licence [*Reported by Apache Maven*]
>>> o JDK-8266766: Arrays of types that cannot be an annotation member
>>> do not yield exceptions [*Reported by ByteBuddy*]
>>> o JDK-8266598: Exception values for
>>> AnnotationTypeMismatchException are not always informative
>>> [*Reported by ByteBuddy*]
>>> * *Build 25*
>>> o JDK-8266653: Change update mode for JDK rpm/deb installers as it
>>> breaks "yum update" for JDK11+
>>> o JDK-8263202: Update Hebrew/Indonesian/Yiddish ISO 639 language
>>> codes to current
>>> o JDK-8229517: Support for optional asynchronous/buffered logging
>>> o JDK-8182043: Access to Windows Large Icons
>>>
>>>
>>> *OpenJDK 18 Early Access build 1 is now available at
>>> **https://urldefense.com/v3/__https://jdk.java.net/18*__;Kg!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBhzhYMGcc$
>>> <https://urldefense.com/v3/__https://jdk.java.net/18__;!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBhWHowDJ4$
>>> >
>>>
>>> * These early-access , open-source builds are provided under the
>>> o GNU General Public License, version 2, with the Classpath
>>> Exception <https://openjdk.java.net/legal/gplv2+ce.html>
>>> * Issues addressed in this build - here
>>> <https://urldefense.com/v3/__https://github.com/openjdk/jdk/compare/jdk-18*2B0...jdk-18*2B1__;JSU!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBhH5huF_4$
>>> >
>>>
>>> *Other Topics which might be of Interest: *
>>>
>>> **
>>>
>>> * Java Cryptographic Roadmap [2] has been updated.
>>> * Inside Java Newscast #6 [3]
>>> o a closer look at the list of JEPs of JDK 17 as well as the
>>> development process
>>> * Inside Java Newscast #7 [4]
>>> o discusses in greater detail `pattern matching for switch`,
>>> previewed in JDK 17
>>>
>>> Rgds,Rory
>>>
>>> [1]
>>> https://mail.openjdk.java.net/pipermail/jdk-dev/2021-June/005690.html
>>> <https://mail.openjdk.java.net/pipermail/jdk-dev/2021-June/005690.html><https://mail.openjdk.java.net/pipermail/jdk-dev/2021-June/005690.html><https://mail.openjdk.java.net/pipermail/jdk-dev/2021-June/005690.html>
>>>
>>> [2]
>>> https://urldefense.com/v3/__https://java.com/en/jre-jdk-cryptoroadmap.html__;!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBhXr9f42k$
>>> <https://urldefense.com/v3/__https://java.com/en/jre-jdk-cryptoroadmap.html__;!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBhXr9f42k$
>>> >
>>> [3]
>>> https://urldefense.com/v3/__https://inside.java/2021/06/10/insidejava-newscast-006/__;!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBh1WZe32A$
>>> <https://urldefense.com/v3/__https://inside.java/2021/06/10/insidejava-newscast-006/__;!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBh1WZe32A$
>>> >
>>> [4]
>>> https://urldefense.com/v3/__https://inside.java/2021/06/13/podcast-017/__;!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBh15gIS5s$
>>> <https://urldefense.com/v3/__https://inside.java/2021/06/13/podcast-017/__;!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBh15gIS5s$
>>> >
>>>
>>
>
Re: [External] : Re: JDK 17 is now in Rampdown Phase One
Posted by Rick Hillegas <ri...@gmail.com>.
Hi Rory,
Derby builds and tests cleanly against Open JDK 17-ea+26-2439 after
suppressing the deprecation warnings introduced by JEP 411. Our
experience is documented in a security-dev@openjdk.java.net email thread
titled "blizzard of deprecation warnings related to JEP 411" and in
comments dated between 2021-06-15 and 2021-06-18 on
https://issues.apache.org/jira/browse/DERBY-7110.
On 6/14/21 11:20 AM, Rory O'Donnell wrote:
> Hi Rick,
>
> Excellent feedback , I suggest you send this information to the
> security-dev [1] mailing list to demonstrate the impact
> it is having on you and others. Make sure to subscribe first.
>
> Rgds,Rory
>
> [1] security-dev@openjdk.java.net <ma...@openjdk.java.net>
>
> On 14/06/2021 16:43, Rick Hillegas wrote:
>> Hi Rory,
>>
>> Copying the Tomcat developer community since this issue probably
>> affects them as well.
>>
>> When I tried to build Derby with the Rampdown Phase One build of open
>> JDK 17 (17-ea+26-2439), I saw many warnings related to the
>> deprecation of Security Manager classes and methods, undoubtedly the
>> consequence of JEP 411 (https://openjdk.java.net/jeps/411). Derby,
>> like Tomcat, embraced the Security Manager early on. Permissions
>> checks were rototilled across the whole code base. Our distributions
>> ship with several template policy files, which we encourage users to
>> customize for their environments. The "Configuring Java Security"
>> section of our Security Guide explains how to do this
>> (https://urldefense.com/v3/__https://db.apache.org/derby/docs/10.15/security/index.html__;!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBh9kcdocM$
>> ).
>>
>> My build only reported the first 100 warnings. It is likely that
>> there are many more.
>>
>> Having read the summary of JEP 411, I understand the motivation for
>> this change. However, I don't understand how applications like Tomcat
>> and Derby are supposed to respond to the new blizzard of deprecation
>> warnings. For instance, is there a replacement for the deprecated
>> AccessController.doPrivileged() method? Or are we supposed to simply
>> disable this deprecation check? Is there some security expert whom we
>> should contact about this change and how to mitigate its effects?
>>
>> Thanks,
>> -Rick
>>
>>
>> On 6/14/21 2:18 AM, Rory O'Donnell wrote:
>>>
>>> Hi Rick,
>>> *
>>> Per the JDK 17 schedule , we are in Rampdown Phase One [1].*
>>>
>>> **Please advise if you find any issues while testing the latest
>>> Early Access builds**.**
>>>
>>> * Schedule:
>>> o *2021/06/10 Rampdown Phase One*
>>> o 2021/07/15 Rampdown Phase Two
>>> o 2021/08/05 Initial Release Candidate
>>> o 2021/08/19 Final Release Candidate
>>> o 2021/09/14 General Availability
>>>
>>> The overall feature set is frozen. No further JEPs will be targeted
>>> to this release.
>>>
>>> **
>>>
>>> * Important JEPs have been integrated – Attention Required!
>>> * *JEP 411: **Deprecate the Security Manager for
>>> Removal*<https://openjdk.java.net/jeps/411>
>>> o Deprecate, for removal, most Security Manager related classes
>>> and methods.
>>> o Warning message at startup if the Security Manager is enabled on
>>> the command line.
>>> o Warning message at run time if a Java application or library
>>> installs a Security Manager dynamically.
>>> o Deprecation is in concert with the legacy Applet API (JEP 398).
>>> * *JEP 407: **Remove RMI
>>> Activation*<https://openjdk.java.net/jeps/407>
>>> o Removal the Remote Method Invocation (RMI) Activation mechanism,
>>> while preserving the rest of RMI.
>>> o It was deprecated for removal by JEP
>>> 385<https://openjdk.java.net/jeps/385>in Java SE 15.
>>> * *JEP 403: **Strongly Encapsulate JDK
>>> Internals*<https://openjdk.java.net/jeps/403>
>>> o Strongly encapsulate all internal elements of the JDK, except
>>> for critical internal APIs such as /sun.misc.Unsafe/.
>>> o It will no longer be possible to relax the strong encapsulation
>>> of internal elements via a single command-line option.
>>>
>>> * Other features integrated in JDK 17:
>>> o *JEP 306: **Restore Always-Strict Floating-Point
>>> Semantics*<https://openjdk.java.net/jeps/306>
>>> o JEP 356: Enhanced Pseudo-Random Number
>>> Generators<https://openjdk.java.net/jeps/356>
>>> o JEP 382: New macOS Rendering
>>> Pipeline<https://openjdk.java.net/jeps/382>
>>> o JEP 391: macOS/AArch64 Port<https://openjdk.java.net/jeps/391>
>>> o JEP 398: Deprecate the Applet API for
>>> Removal<https://openjdk.java.net/jeps/398>
>>> o *JEP 406: **Pattern Matching for switch
>>> (Preview)*<https://openjdk.java.net/jeps/406>
>>> o JEP 409: Sealed Classes<https://openjdk.java.net/jeps/409>
>>> o JEP 410: Remove the Experimental AOT and JIT
>>> Compiler<https://openjdk.java.net/jeps/410>
>>> o JEP 412: Foreign Function & Memory API
>>> (Incubator)<https://openjdk.java.net/jeps/412>
>>> o *JEP 414: **Vector API (Second
>>> Incubator)*<https://openjdk.java.net/jeps/414>
>>> o *JEP 415: **Context-Specific Deserialization
>>> Filters*<https://openjdk.java.net/jeps/415>
>>>
>>> *OpenJDK 17 Early Access build 26 is available at
>>> **https://urldefense.com/v3/__https://jdk.java.net/17*__;Kg!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBhLKySzR0$
>>> <https://urldefense.com/v3/__https://jdk.java.net/17__;!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBhY2EWmz8$
>>> >
>>>
>>> * These early-access , open-source builds are provided under the
>>> o GNU General Public License, version 2, with the Classpath
>>> Exception<https://openjdk.java.net/legal/gplv2+ce.html>
>>>
>>> * Release Notes are available at
>>> https://urldefense.com/v3/__https://jdk.java.net/17/release-notes__;!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBhyLFhj5g$
>>> <https://urldefense.com/v3/__https://jdk.java.net/17/release-notes__;!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBhyLFhj5g$
>>> >
>>>
>>> * Changes in recent builds that maybe of interest:
>>> * *Build 26:*
>>> o JDK-8268241: deprecate JVM TI Heap functions 1.0
>>> o JDK-8266846: Add java.time.InstantSource
>>> o JDK-8248268: Support KWP in addition to KW
>>> o JDK-8204686: Dynamic parallel reference processing support for
>>> Parallel GC
>>> o JDK-8259530: Generated docs contain MIT/GPL-licenced works
>>> without reproducing the licence [*Reported by Apache Maven*]
>>> o JDK-8266766: Arrays of types that cannot be an annotation member
>>> do not yield exceptions [*Reported by ByteBuddy*]
>>> o JDK-8266598: Exception values for
>>> AnnotationTypeMismatchException are not always informative
>>> [*Reported by ByteBuddy*]
>>> * *Build 25*
>>> o JDK-8266653: Change update mode for JDK rpm/deb installers as it
>>> breaks "yum update" for JDK11+
>>> o JDK-8263202: Update Hebrew/Indonesian/Yiddish ISO 639 language
>>> codes to current
>>> o JDK-8229517: Support for optional asynchronous/buffered logging
>>> o JDK-8182043: Access to Windows Large Icons
>>>
>>>
>>> *OpenJDK 18 Early Access build 1 is now available at
>>> **https://urldefense.com/v3/__https://jdk.java.net/18*__;Kg!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBhzhYMGcc$
>>> <https://urldefense.com/v3/__https://jdk.java.net/18__;!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBhWHowDJ4$
>>> >
>>>
>>> * These early-access , open-source builds are provided under the
>>> o GNU General Public License, version 2, with the Classpath
>>> Exception <https://openjdk.java.net/legal/gplv2+ce.html>
>>> * Issues addressed in this build - here
>>> <https://urldefense.com/v3/__https://github.com/openjdk/jdk/compare/jdk-18*2B0...jdk-18*2B1__;JSU!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBhH5huF_4$
>>> >
>>>
>>> *Other Topics which might be of Interest: *
>>>
>>> **
>>>
>>> * Java Cryptographic Roadmap [2] has been updated.
>>> * Inside Java Newscast #6 [3]
>>> o a closer look at the list of JEPs of JDK 17 as well as the
>>> development process
>>> * Inside Java Newscast #7 [4]
>>> o discusses in greater detail `pattern matching for switch`,
>>> previewed in JDK 17
>>>
>>> Rgds,Rory
>>>
>>> [1]
>>> https://mail.openjdk.java.net/pipermail/jdk-dev/2021-June/005690.html
>>> <https://mail.openjdk.java.net/pipermail/jdk-dev/2021-June/005690.html><https://mail.openjdk.java.net/pipermail/jdk-dev/2021-June/005690.html><https://mail.openjdk.java.net/pipermail/jdk-dev/2021-June/005690.html>
>>>
>>> [2]
>>> https://urldefense.com/v3/__https://java.com/en/jre-jdk-cryptoroadmap.html__;!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBhXr9f42k$
>>> <https://urldefense.com/v3/__https://java.com/en/jre-jdk-cryptoroadmap.html__;!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBhXr9f42k$
>>> >
>>> [3]
>>> https://urldefense.com/v3/__https://inside.java/2021/06/10/insidejava-newscast-006/__;!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBh1WZe32A$
>>> <https://urldefense.com/v3/__https://inside.java/2021/06/10/insidejava-newscast-006/__;!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBh1WZe32A$
>>> >
>>> [4]
>>> https://urldefense.com/v3/__https://inside.java/2021/06/13/podcast-017/__;!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBh15gIS5s$
>>> <https://urldefense.com/v3/__https://inside.java/2021/06/13/podcast-017/__;!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBh15gIS5s$
>>> >
>>>
>>
>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: [External] : Re: JDK 17 is now in Rampdown Phase One
Posted by Rick Hillegas <ri...@gmail.com>.
Hi Rory,
Derby builds and tests cleanly against Open JDK 17-ea+26-2439 after
suppressing the deprecation warnings introduced by JEP 411. Our
experience is documented in a security-dev@openjdk.java.net email thread
titled "blizzard of deprecation warnings related to JEP 411" and in
comments dated between 2021-06-15 and 2021-06-18 on
https://issues.apache.org/jira/browse/DERBY-7110.
On 6/14/21 11:20 AM, Rory O'Donnell wrote:
> Hi Rick,
>
> Excellent feedback , I suggest you send this information to the
> security-dev [1] mailing list to demonstrate the impact
> it is having on you and others. Make sure to subscribe first.
>
> Rgds,Rory
>
> [1] security-dev@openjdk.java.net <ma...@openjdk.java.net>
>
> On 14/06/2021 16:43, Rick Hillegas wrote:
>> Hi Rory,
>>
>> Copying the Tomcat developer community since this issue probably
>> affects them as well.
>>
>> When I tried to build Derby with the Rampdown Phase One build of open
>> JDK 17 (17-ea+26-2439), I saw many warnings related to the
>> deprecation of Security Manager classes and methods, undoubtedly the
>> consequence of JEP 411 (https://openjdk.java.net/jeps/411). Derby,
>> like Tomcat, embraced the Security Manager early on. Permissions
>> checks were rototilled across the whole code base. Our distributions
>> ship with several template policy files, which we encourage users to
>> customize for their environments. The "Configuring Java Security"
>> section of our Security Guide explains how to do this
>> (https://urldefense.com/v3/__https://db.apache.org/derby/docs/10.15/security/index.html__;!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBh9kcdocM$
>> ).
>>
>> My build only reported the first 100 warnings. It is likely that
>> there are many more.
>>
>> Having read the summary of JEP 411, I understand the motivation for
>> this change. However, I don't understand how applications like Tomcat
>> and Derby are supposed to respond to the new blizzard of deprecation
>> warnings. For instance, is there a replacement for the deprecated
>> AccessController.doPrivileged() method? Or are we supposed to simply
>> disable this deprecation check? Is there some security expert whom we
>> should contact about this change and how to mitigate its effects?
>>
>> Thanks,
>> -Rick
>>
>>
>> On 6/14/21 2:18 AM, Rory O'Donnell wrote:
>>>
>>> Hi Rick,
>>> *
>>> Per the JDK 17 schedule , we are in Rampdown Phase One [1].*
>>>
>>> **Please advise if you find any issues while testing the latest
>>> Early Access builds**.**
>>>
>>> * Schedule:
>>> o *2021/06/10 Rampdown Phase One*
>>> o 2021/07/15 Rampdown Phase Two
>>> o 2021/08/05 Initial Release Candidate
>>> o 2021/08/19 Final Release Candidate
>>> o 2021/09/14 General Availability
>>>
>>> The overall feature set is frozen. No further JEPs will be targeted
>>> to this release.
>>>
>>> **
>>>
>>> * Important JEPs have been integrated – Attention Required!
>>> * *JEP 411: **Deprecate the Security Manager for
>>> Removal*<https://openjdk.java.net/jeps/411>
>>> o Deprecate, for removal, most Security Manager related classes
>>> and methods.
>>> o Warning message at startup if the Security Manager is enabled on
>>> the command line.
>>> o Warning message at run time if a Java application or library
>>> installs a Security Manager dynamically.
>>> o Deprecation is in concert with the legacy Applet API (JEP 398).
>>> * *JEP 407: **Remove RMI
>>> Activation*<https://openjdk.java.net/jeps/407>
>>> o Removal the Remote Method Invocation (RMI) Activation mechanism,
>>> while preserving the rest of RMI.
>>> o It was deprecated for removal by JEP
>>> 385<https://openjdk.java.net/jeps/385>in Java SE 15.
>>> * *JEP 403: **Strongly Encapsulate JDK
>>> Internals*<https://openjdk.java.net/jeps/403>
>>> o Strongly encapsulate all internal elements of the JDK, except
>>> for critical internal APIs such as /sun.misc.Unsafe/.
>>> o It will no longer be possible to relax the strong encapsulation
>>> of internal elements via a single command-line option.
>>>
>>> * Other features integrated in JDK 17:
>>> o *JEP 306: **Restore Always-Strict Floating-Point
>>> Semantics*<https://openjdk.java.net/jeps/306>
>>> o JEP 356: Enhanced Pseudo-Random Number
>>> Generators<https://openjdk.java.net/jeps/356>
>>> o JEP 382: New macOS Rendering
>>> Pipeline<https://openjdk.java.net/jeps/382>
>>> o JEP 391: macOS/AArch64 Port<https://openjdk.java.net/jeps/391>
>>> o JEP 398: Deprecate the Applet API for
>>> Removal<https://openjdk.java.net/jeps/398>
>>> o *JEP 406: **Pattern Matching for switch
>>> (Preview)*<https://openjdk.java.net/jeps/406>
>>> o JEP 409: Sealed Classes<https://openjdk.java.net/jeps/409>
>>> o JEP 410: Remove the Experimental AOT and JIT
>>> Compiler<https://openjdk.java.net/jeps/410>
>>> o JEP 412: Foreign Function & Memory API
>>> (Incubator)<https://openjdk.java.net/jeps/412>
>>> o *JEP 414: **Vector API (Second
>>> Incubator)*<https://openjdk.java.net/jeps/414>
>>> o *JEP 415: **Context-Specific Deserialization
>>> Filters*<https://openjdk.java.net/jeps/415>
>>>
>>> *OpenJDK 17 Early Access build 26 is available at
>>> **https://urldefense.com/v3/__https://jdk.java.net/17*__;Kg!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBhLKySzR0$
>>> <https://urldefense.com/v3/__https://jdk.java.net/17__;!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBhY2EWmz8$
>>> >
>>>
>>> * These early-access , open-source builds are provided under the
>>> o GNU General Public License, version 2, with the Classpath
>>> Exception<https://openjdk.java.net/legal/gplv2+ce.html>
>>>
>>> * Release Notes are available at
>>> https://urldefense.com/v3/__https://jdk.java.net/17/release-notes__;!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBhyLFhj5g$
>>> <https://urldefense.com/v3/__https://jdk.java.net/17/release-notes__;!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBhyLFhj5g$
>>> >
>>>
>>> * Changes in recent builds that maybe of interest:
>>> * *Build 26:*
>>> o JDK-8268241: deprecate JVM TI Heap functions 1.0
>>> o JDK-8266846: Add java.time.InstantSource
>>> o JDK-8248268: Support KWP in addition to KW
>>> o JDK-8204686: Dynamic parallel reference processing support for
>>> Parallel GC
>>> o JDK-8259530: Generated docs contain MIT/GPL-licenced works
>>> without reproducing the licence [*Reported by Apache Maven*]
>>> o JDK-8266766: Arrays of types that cannot be an annotation member
>>> do not yield exceptions [*Reported by ByteBuddy*]
>>> o JDK-8266598: Exception values for
>>> AnnotationTypeMismatchException are not always informative
>>> [*Reported by ByteBuddy*]
>>> * *Build 25*
>>> o JDK-8266653: Change update mode for JDK rpm/deb installers as it
>>> breaks "yum update" for JDK11+
>>> o JDK-8263202: Update Hebrew/Indonesian/Yiddish ISO 639 language
>>> codes to current
>>> o JDK-8229517: Support for optional asynchronous/buffered logging
>>> o JDK-8182043: Access to Windows Large Icons
>>>
>>>
>>> *OpenJDK 18 Early Access build 1 is now available at
>>> **https://urldefense.com/v3/__https://jdk.java.net/18*__;Kg!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBhzhYMGcc$
>>> <https://urldefense.com/v3/__https://jdk.java.net/18__;!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBhWHowDJ4$
>>> >
>>>
>>> * These early-access , open-source builds are provided under the
>>> o GNU General Public License, version 2, with the Classpath
>>> Exception <https://openjdk.java.net/legal/gplv2+ce.html>
>>> * Issues addressed in this build - here
>>> <https://urldefense.com/v3/__https://github.com/openjdk/jdk/compare/jdk-18*2B0...jdk-18*2B1__;JSU!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBhH5huF_4$
>>> >
>>>
>>> *Other Topics which might be of Interest: *
>>>
>>> **
>>>
>>> * Java Cryptographic Roadmap [2] has been updated.
>>> * Inside Java Newscast #6 [3]
>>> o a closer look at the list of JEPs of JDK 17 as well as the
>>> development process
>>> * Inside Java Newscast #7 [4]
>>> o discusses in greater detail `pattern matching for switch`,
>>> previewed in JDK 17
>>>
>>> Rgds,Rory
>>>
>>> [1]
>>> https://mail.openjdk.java.net/pipermail/jdk-dev/2021-June/005690.html
>>> <https://mail.openjdk.java.net/pipermail/jdk-dev/2021-June/005690.html><https://mail.openjdk.java.net/pipermail/jdk-dev/2021-June/005690.html><https://mail.openjdk.java.net/pipermail/jdk-dev/2021-June/005690.html>
>>>
>>> [2]
>>> https://urldefense.com/v3/__https://java.com/en/jre-jdk-cryptoroadmap.html__;!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBhXr9f42k$
>>> <https://urldefense.com/v3/__https://java.com/en/jre-jdk-cryptoroadmap.html__;!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBhXr9f42k$
>>> >
>>> [3]
>>> https://urldefense.com/v3/__https://inside.java/2021/06/10/insidejava-newscast-006/__;!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBh1WZe32A$
>>> <https://urldefense.com/v3/__https://inside.java/2021/06/10/insidejava-newscast-006/__;!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBh1WZe32A$
>>> >
>>> [4]
>>> https://urldefense.com/v3/__https://inside.java/2021/06/13/podcast-017/__;!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBh15gIS5s$
>>> <https://urldefense.com/v3/__https://inside.java/2021/06/13/podcast-017/__;!!GqivPVa7Brio!Ir7H5RCIuIIcRhganretmYcvHoP432X-jV4dVUNlqO1EmvYkTvkdZvEBdtBh15gIS5s$
>>> >
>>>
>>
>