Patch cycle for openjdk

Asked by Matt Bearup

My team is required to adhere to strict patching policies, so we have two questions regarding patch release expectations:
1. Going through the patch release history I noticed that for Java7u71 there was a 9 day delay between Oracle releasing their patch and the OpenJDK package being updated. 1-3 days seems ok but 9 days is a bit scary. Is there any kind of SLA or expected delay for package release?
2. Is there any scenario where Oracle releases a java security patch and Canonical has no expectation of releasing a patched package within a few days? For example, Oracle's policy is to release quarterly updates, and Canonical mostly follows this. If Oracle releases an out of band security patch, will Canonical pick this up within a few days or wait for the next quarterly release?

Fundamentally I want to confirm that, by depending on this version of OpenJDK, my team doesn't get in a situation where we fall out of patch compliance because an updated package is not released within a reasonable timeframe.

Thanks,

Question information

Language: English
Status: Answered
For: Ubuntu openjdk-7
Assignee: No assignee
Manfred Hampl (m-hampl) said :
#1

I assume that only the OpenJDK team https://launchpad.net/~openjdk can answer this question. You might try contacting them directly.

Matt Bearup (mbearup) said :
#2

Yeah I tried contacting the maintainer but never received a response. I guess I could try joining the dev distro list?

Seth Arnold (seth-arnold) said :
#3

Hello Matt,

The Ubuntu security team does not provide any SLA for openjdk or other packages.

Our openjdk packages are based on Icedtea's distribution; their releases may lag behind Oracle's releases, and our releases necessarily lag behind theirs.

While we do our best to provide updates in a timely fashion for packages in main, we cannot provide SLA-style assurance about when, or indeed if, packages will be updated for any given issue. We prioritize our work with a view to the entirety of packages that we're currently supporting and may come to a different prioritization than your organization or governing body would prefer.

Thanks

Jamie Strandboge (jdstrand) said :
#4

"1. Going through the patch release history I noticed that for Java7u71 there was a 9 day delay between Oracle releasing their patch and the OpenJDK package being updated. 1-3 days seems ok but 9 days is a bit scary. Is there any kind of SLA or expected delay for package release?"

Ubuntu does not distribute Oracle's version of OpenJDK and instead uses the IcedTea distribution of OpenJDK. Linux distributions that use IcedTea do this because it provides a way to collaborate on a common Linux distribution of OpenJDK, since Oracle's support lifetimes and Linux support lifetimes differ. In more concrete terms, the IcedTea project is committed to providing security support to OpenJDK versions that Oracle no longer supports, such as OpenJDK 6 and 7. In this manner, the IcedTea project will backport any relevant security patches from Oracle's supported OpenJDK to supported IcedTea versions. This means that there will occasionally be a delay between Oracle's new release and IcedTea's releases.

"2. Is there any scenario where Oracle releases a java security patch and Canonical has no expectation of releasing a patched package within a few days? For example, Oracle's policy is to release quarterly updates, and Canonical mostly follows this. If Oracle releases an out of band security patch, will Canonical pick this up within a few days or wait for the next quarterly release?"

Canonical will provide security support to OpenJDK outside of the quarterly releases as appropriate.
