On 10/05/2022 15:29, Ben Cotton wrote: Strongly -1. Bundled versions are always outdated and may be even vulnerable. Using bundled freetype, fontconfig and harfbuzz will result in ugly fonts (without system configuration support, including subpixel rendering, hinting, etc). https://docs.fedoraproject.org/en-US/packaging-guidelines/#packaging-stat... -- Sincerely, Vitaly Zaitsev (vitaly(a)easycoding.org)

On Tue, 10 May 2022 19:36:22 +0200 Florian Weimer <fweimer(a)redhat.com&gt; wrote: In this case upstream might actually get there first because this CVE is not yet fixed in Fedora (https://bugzilla.redhat.com/show_bug.cgi?id=2068066). Of course, this is unusual. Paul.

On Mon, May 16, 2022 at 9:54 PM Andrew Hughes <gnu.andrew(a)redhat.com&gt; wrote: I don't know if you're going to gain any sympathy for stating this, considering how badly the Fedora Java ecosystem has fallen apart in the span of five years. Both in the wider Red Hat world and within Fedora itself, Java has received less and less love, to the point that it has been brutally starved. It has gotten so bad that Debian (!!!) beat us to newer Java and we had to *beg* for this to be fixed. So much for Features and First, eh? Once, long ago, we were the leader in the Linux Java ecosystem, but ironically as Red Hat's influence in OpenJDK grew, investment in Fedora dwindled. We've also lost most of our Java based apps to even test OpenJDK with. What the heck are we supposed to do to test and give karma? We lost Eclipse last year, and we lost IntellJ and NetBeans several years ago. Azureus was removed a year ago, too. The larger Java community stopped encouraging the development of desktop apps more than seven years ago, and with it all the things people would normally be able to use with it are gone. Red Hat encourages web apps because it aligns well with the JBoss middleware stack that they still sell subscriptions for, and even *those* aren't in Fedora. The Red Hat Java team has done *nothing* that I can see to advocate for Java in the larger Fedora community, nor have they tried to appeal to people to make applications like Microsoft does with .NET. Even with all the poison a decade ago heaped at Mono and .NET, we actually still have a better shot of reviving interest in C# on Linux because the .NET ecosystem still tries to make native applications and cross-platform ones at that. GtkSharp is amazingly somehow not completely dead, and there have been efforts to plug it into .NET MAUI. If that happened, tons of .NET applications would be easily available to Linux users. So tell me, if we actually *did* this, what are *you* planning to do to make open source Java more attractive? What are you going to do to help drive growth in developing the next generation of Java applications so that the ecosystem doesn't fall apart even further than it already has? What are you going to do to make Java in Fedora successful? Sorry, no. Bundling libraries upstream was always a bad idea, a legacy of the bad old days where code dependency managers didn't exist. Even for C/C++ code, dependency managers exist. Notably Conan is quite popular. If we wanted to, we could map Conan dependencies to RPM packaged content. I don't know how any of this Change benefits Fedora, when it reeks of reducing investment even further. From where I stand, I see no "Benefit to Fedora". -- 真実はいつも一つ！/ Always, there's only one truth!

On Mon, 16 May 2022 at 23:18, Neal Gompa <ngompa13(a)gmail.com&gt; wrote: I am pretty sure that was a very very tiny period of time of 2 to 3 years. Over the 25 years I have worked on RHL and then Fedora.. we have nearly always been a far follower on Java. For a good period of time from 2004->2012, there were regular flaming mailing threads about "Java in Fedora sucks", "Java only wants exceptions to standard policies", "Fedora's java is broken on X". It took a LOT of work to get Java into a 'working state' but it is like 'welding' plastic to steel.. You constantly find yourself remelting parts or adding more glue until what you have is more 'stuff which keeps them stuck together' versus 'tools which work'. The investment when it was done back then was done by volunteers (they might have been @redhat.com but they weren't doing it as their main tasks) who frankly one after another burned out over the toxic reaction they got. [That said it was a two way street of toxic reactions...] For the last 7 years, there has been a dwindling number of people who basically got mostly 'this is bull$hit, fix it the way I want it' reactions from Fedora community members. For some reason, various people in the community have assumed that Red Hat pays people to work on Fedora primarily and Java secondary which was never the case. Why is this their job to do that? They, like N% of Fedora packagers, are volunteers who just have @redhat.com addresses. They have limited time, resources and ability to keep the packages in Fedora. They, like many other volunteers, are finding that 'free' time is getting smaller, and are trying to come up with ways to keep it in. If other people want it to be promoted and attractive, they need to do the marketing work to do so. The alternatives I am seeing here are: 1. This is done this way (if the build system will even allow that without more horrible hacks). 2. OpenJDK is taken out and a different external repo is given a nod like the ones we do for flatpak and such. 3. OpenJDK is taken out, and the various new people step up and put in a IcedTea replacement that 'mostly' works and deals with the trademark issues, and the marketing to get it seen and used. Staying the same is not an option and is off the table. -- Stephen Smoogen, Red Hat Automotive Let us be kind to one another, for most of us are fighting a hard battle. -- Ian MacClaren

These are all excellent ideas. Do you also have an idea on how to get this going (except "it would have to be someone ....“)? The current packagers are booked up maintaining the software, I suspect. Additional people are needed, and cooperation between the "old" and the "new" has to build up. -- Peter Boy https://fedoraproject.org/wiki/User:Pboy pboy(a)fedoraproject.org Timezone: CET (UTC+1) / CEST (UTC+2) Fedora Server Edition Working Group member Fedora docs team contributor Java developer and enthusiast

Hi, "jiri vanek" <jvanek(a)redhat.com&gt; writes: That's completely fair. One (OpenJDK) has been open source in various forms for 15 years. The other has been (re-designed and made) open source for around 5 years now. 10 years is an eternity, and has both positive and negative implications for the late-comer. So there are definitely going to be huge differences, in terms of ownership models, community contributions, availability, usage, how the ecosystem works and user experience. Could you share more? Are your concerns around the .NET SDK/Runtime packages themselves or packaging external applications that need to be built using the SDK/Runtime? What would make you revise your opinion? Thanks, Omair -- PGP Key: B157A9F0 (http://pgp.mit.edu/) Fingerprint = 9DB5 2F0B FD3E C239 E108 E7BD DF99 7AF8 B157 A9F0

On 5/17/22 08:33, Stephen Smoogen wrote: If I understand correctly, the main problem with the Java ecosystem is that it is based on redistribution of binaries, not source code. The focus is on building binaries that can be run on as many systems as possible, rather than on providing source code that users compile themselves. This makes a huge amount of sense in the enterprise software world, but is diametrically opposed to the open source distribution model. Nowadays, the problem of redistributing Linux binaries is solved via containers (including Flatpak/Snap/AppImage/etc), but those both predate Java and are not useful for those targeting Windows (as many enterprise projects do). The result is a culture clash. Rebuilding from source isn’t a matter of reusing the upstream release tarball or Cargo/pip/etc package, but of finding whatever VCS commit upstream used and building that manually. OpenJDK is designed to produce native images that can be redistributed, rather than be a system-wide installation that other software depends on. Packaging Java software for any distribution (not just Fedora) means going against the grain of various upstreams, and that is a significant amount of work. That said, I don’t think the answer is “give up”. A much better approach would be for the work to be shared between Fedora, Debian, and other distributions. I believe that this is both doable and necessary. This isn’t specific to Java, by the way. JavaScript has similar problems, and I believe .NET does as well. In the case of JavaScript, the problem is hidden by the heavy use of transpilers, which result in the shipping of JavaScript that isn’t actually source code (in the sense of “preferred form for making modifications”). I would be fine with either dropping TCK certification or only certifying a subset of the packages. Fedora users almost certainly do not need it, and the trademark problems can be worked around. AdoptOpenJDK did so a while back, so there is precedent. -- Sincerely, Demi Marie Obenour (she/her/hers)

We had that discussion some time ago. The essence is: Your description is not accurate. We have - as for years - a very stable and current and highly usable JRE / JDK. Many application program disappeared as RPM. This is not particularly important for the use of Java programs. Since any jar / was /ear program runs on any JRE, it pretty much does not matter where the jar comes from. All Fedora-specific issues are managed by the JRE/JDK. However, I too would be happier if we had more programs in RPM form. See above, there are so many Java progs, just not as RPM (and this does not affect comfort and usability in case of Java). We didn’t lost Eclipse, we switched from RPM to another distribution method. The same with Netbeans. Maybe (we have much more alternatives today, so a single technique relatively shrinks), but that wouldn’t be a Fedora issue. I agree, that’s an issue in Fedora, too. Technically, everything is highly developed and of high quality. But, IMHO, the "ensemble around", which is essential for long-term success, is considerably neglected. I have tried to get involved on several occasions, but have thrown in the towel in discouragement. I am still ready to get involved, if I could find an on-boarding route. Basically, you could ask these questions to anyone here, and perhaps to yourself as well. It must be achieved to develop an initiative that bundles the existing technical expertise with new ideas and new people and drives the project forward not only technically, but also the "ensemble around". But how? I don’t know. At least not with accusations and clever speeches alone. -- Peter Boy https://fedoraproject.org/wiki/User:Pboy pboy(a)fedoraproject.org CET (UTC+1) / CEST (UTC+2) Fedora Server Edition Working Group member Fedora docs team contributor Java developer and enthusiast

On 5/18/22 14:40, Felix Schwarz wrote: I tend to agree. No flatpak ide ever proeprly fored for me, especially becasue of impossibility to use any custom jdk or thrd party servers (including in fedora packed ones) proeprly. On the other side, huge java projecs (like eclipse or netbeasn) are so complex and so impossibel to pack properly, that wgeted tarball remmains win win. Even in time of those ides packed,the tarballs freom web was quite a lot better. J:( -- Jiri Vanek Mgr. Principal QA Software Engineer Red Hat Inc. +420 775 39 01 09

You neglect the reality. One alternative installation source is flatpak, that is gaining approval among more and more Fedora developers, and more and more are switching to it. There may still be initial difficulties, but this is a clear trend. Meanwhile, this is also an accepted Fedora repository. Not that I think that's great, but it's the reality. Another way is to run software as a „black box“ container. If I run CoreOS or Silverblue I would primarily look in container repositories, not any dnf find … Or you just download the jar or Linux installation tar from the project. They usually contain a shell script to invoke the jre and provide a class path. That’s all you need for a java app. So Fedora (= Fedora users) can use it as they could for years. There is nothing lost. But circumstances and the nature of management and maintenance are changing. 20 years ago we had no virtualization and no containers, no generic package managers as flatpack, snap, etc. And Java development was much more about using ant and source code libraries instead of maven and depository dependencies. -- Peter Boy https://fedoraproject.org/wiki/User:Pboy pboy(a)fedoraproject.org Timezone: CET (UTC+1) / CEST (UTC+2) Fedora Server Edition Working Group member Fedora docs team contributor Java developer and enthusiast

On 5/18/22 17:31, Neal Gompa wrote: I'm still new to silverblue, so I don not parse. What does it use if not system java please? I would say this is one fo the strengths of the java.

I personally heavily agree:((( The modularity was great idea, but worst implementation ever. And for java it was indeed death blow which will take years to fix. J. -- Jiri Vanek Mgr. Principal QA Software Engineer Red Hat Inc. +420 775 39 01 09

On Wed, May 18, 2022 at 12:28 PM jiri vanek <jvanek(a)redhat.com&gt; wrote: My experience with trying to keep Java packages in Fedora alive does not allow me to agree with you. I tried to keep Java ecosystem from disintegrating *twice* and both times I was discouraged by Red Hat employees. That's not a valid argument, though, is it? If you have the choice between doing something that is 1) hard or 2) forbidden, then you don't really have a choice, do you? Redistributing binary blobs or pre-compiled JAR files is not something we can do with Fedora RPM packages. Of course it would be much simpler if we could just take JAR files from Maven Central and wrap them in an RPM, but that is forbidden in Fedora for good reason. And that does not even account for the packages in Fedora that contain some amount of Java support code or tools that happen to be written in Java, and so rely on at least some parts of the Java ecosystem (javac, maybe maven or ant) to be available as RPMs during package builds. Fabio

On 20/05/2022 14:03, Jiri Vanek wrote: From https://fedoraproject.org/wiki/MoveFedoraJDKsToBecomePortableJDKs: -- Sincerely, Vitaly Zaitsev (vitaly(a)easycoding.org)

Hello! My apologies, I had accidentally dropped out of computer world for a while, and here a world spins ahead! Thanx a lot for many valuable feedback! see the clarifications of most concerns: ty, fixed: "We already made a heavy testing of the behavior, and user should not face negative experience. Still I'm not sure if this testing can ever be enough, considering all the use-cases we do not know. " Not necessarily. In small project, sure, bundled libraries will get rotten, but project like OpenJDK, where 99% of its builds uses the in tree copies, can not allow itself to have security holes in them. It already happened in past that we have switched to the in-tree library because the CVE there was already fixed, and moved back to system library once the fix landed to live Fedora. This is probably main issue we are aware about. Especially the system configuration will be a hard issue, if solvable at all. However IIRC, those features do nor work properly in java event hose days, as java have to support all what lies below, and it simply can not, so the intree libraries come to play. Note that we had to patch jdk in past to work properly after changes in the system libraries. And that is not easy task. Please take my last three sentences with bit of reserve, a better upstream engineer then me should comment. right, should. So strictly from law of guidelines, there is no rule to stop this change. The bundling was always bad, but is necessary evil. See eg rsync - the bundled zlib is there because it is technically not possible to use dynamic one. Java is in the border - yes, you can use the dynamic libraries (and it really took several excellent engineers a decade to manage), but it have pros and cons. Unluckily, the negatives are multiplying for years. Although we are not happy with the change, it must be done if JDKs should remain maintained and healthy in Fedora. s Right, but downstream works well too. If such vulnerability occurs, be sure we will patch RPMs asap, and also upstream project - maybe without release - will react to. Unluckily, I'm unable to comment on the demanglers, can you elaborate more? And it already happeed in past, that jdk swithced to bundled version for a while, and back to dynamic once the library was fixed in live Fedora. I'm aware of some codecs, which are built in Fedora, then the binary is sent to .. cisco(?), and if passed, they are repacked into all live fedoras. As super cornercase of this may be packing of some firmwares as binary blobs. Right, you need fesco exception. I believe this are two things. First - our burden. We ahve to certify each binary. This is quite long and lenghty process. Onl once it is certified, we can release it (with small unwritten exception in rawhide) So with repacked portabel build as described in https://fedoraproject.org/wiki/MoveFedoraJDKsToBecomePortableJDKs will allow us to certify once (and even stop hoping for that small exception in rawhide). Considering 4 jdks in 3 maintianed fedoras, that is incredible work. If it reduced to 4 we will manage again. Second - I can understand that you certify your libray, but if others bundle it, then it is theirs choice, and they are on thier own, arent they? Also you highlight crypto lib, we are not going to embed any crypto library. Crypto is loaded in runtime, and build time have no idea about future system in this case. Can you please elaborate more if still needed? that link to FreeType. As explained above. This is knwon issue. I was naively considereding it as minor, as it nearly non-fixable, and to my half blind eyes some subixels and shadows says nothing. (/me on non patched fluxbox, which I guess explains all). This is also how I wrote it to the https://fedoraproject.org/wiki/Changes/JdkInTreeLibsAndStdclibStatic#User... and https://fedoraproject.org/wiki/MoveFedoraJDKsToBecomePortableJDKs#Side_ef... . As I realy ahve only vague knowledge of what you are speaking about, can you please ehnace those two paragraphs? This is holy grail we have been pursuing for last 10 years. But now we gave up. To keep java alive in Fedora, we have to take this one step back. No, no and no:) Please see the linked https://fedoraproject.org/wiki/MoveFedoraJDKsToBecomePortableJDKs no, no and no again, Please see the linked https://fedoraproject.org/wiki/MoveFedoraJDKsToBecomePortableJDKs In long run, we will build in koji once, and repack this to all live fedoras. There alre already prcednets, and even worse things - like packing blobish binary driver, are here. I guess you noticed, that it was clarified already in the discussion. Thanx a lot for highlighting this though. As described above, keeping dynamic jdk proeprly working requires huge maintainance. In addition, jdks are expected to be static (only distribution rpms do differently, and thats why developers often unpack 3rd party static jdk to develop on), and have futures like generating standalone binary native images and so, which are impossible with dynamic linking. Future of java looks pointing pretty stright forward to such changes, so we have to move to. Fedora 36 and Fedora rawhide (37) by just tagging the F35 build into the newer Fedora koji tags too, instead of rebuilding for each Fedora version. Exactly. With one addition - the jdk will be indeed portable, you should be able to bring it to most of the system,and it should work. Still glibc limitations remains here. To stand on the safe ground, "usual" non distribution providers of openjdk simply builds on oldest possible supported system. Also there si one more advantage - the native images you produce form suchjdk will be trully portable. Unlike now, when they are simply unusable. I know distro-based people dont like this. But that si current state of world. By hart I'm distribution person living on Fedora since Core 4 with few steps to other distros, but as java developer I;m rather distributing final self contianed blob to custommmer so he have everything in place. So despite being java maintainer for decade, I' have to unpack and use 3rd party jdk much more often then I would like. Right. Thanx for describing it. applications, and/or highlight bugs in newly rebased GCC toolchain....Detecting bugs early in both applications and GCC toolchain, via builds in rawhide... Right you are, and it is already described in https://fedoraproject.org/wiki/MoveFedoraJDKsToBecomePortableJDKs#Rawhide... We are very well aware of this benefit, and we will do our best to keep it running - eg to build portbales also in rawhide, although not to repack them. Just for this single - but huge - case. We deeply agree with your description of rawhide and gcc bumps. Thanx a lot for highligting it. Actually just a opposite. This is future of java and without it java in fedora my diminish and fade away. I personally really do not like this change, and I agree with all rebukes taken here. But current OpenJDK maintainers (which are the same for last decade) do not see other way. If it will really go bad, we will withdraw and continue fighting. in providing JDK packages at all if they are built that way. Where you are right with the interpreters/jits not being exempt, I'm afraid yo do not see current flow of java - to self contained native images, and to share OpenJDK marketpalce. Even if wesomhow will be able to pathc jdk to live with system libraries, which is already close to impossible, and drop all features which allows generate portable images, the problem with the certification will persists. It isnot in human powers to maintain 4 JDKS in 3 Fedoras. This is wrong. The JDK will be always build from sources in koji. The main reduce of load will be that webuilt once in koji, in oldest Fedora, and repack to newer. In additon there are many excludes in various binary drivers. It is not as simple. You are right that to call it java yoou must pass tck. But unluckily even IcedTea had to pass TCK. Maybe it is possible to patch out all "java" from it, but I doubt jdk will remain working and usefull,. Quite a few packages are dleivered as blobs... Still. Be sure we are NOT going to do that. We will continue to build from sources, in koji, and with luck only repack build form latest stable Fedora to all, You are right, that the https://fedoraproject.org/wiki/MoveFedoraJDKsToBecomePortableJDKs is the key, but by aproving this, the whole chain isnotyet there. Especially if we found that the static jdks are really not viable, then this (https://fedoraproject.org/wiki/Changes/JdkInTreeLibsAndStdclibStatic) proposal will be reverted, and the https://fedoraproject.org/wiki/MoveFedoraJDKsToBecomePortableJDKs cacneled. But to be able to move forward, we have to try. If we dont, it will not know we are no wrong track, and thus be unabel to try to figure backup plan. Yes, jdk 19 will be added to all fedoras. But not as new package - it will replace jdk18 inside java-latest-openjdk. jdk19 is STS, simialrly as jdk18 was. Once next LTS is out jdk-21 in 2024, I hope we wil finally drop jdk8, so we wills stay in 4 jdks. That will unluckily not help. there would remain previous JDK in older Fedoras. In addition, EOLed one. To call build of OpenJDK java, each binary ahve to pas TCK(as mentioned in thread). And you have to do it on each binary you produce. So with dynamic lining in fedoras, I have to certifie 12+ builds. And update once they pass (with small exception in rawhide). With portable build, I can build once, TCK it eg on super custom opensuse, and still do update (from this binary) to all Fedoras. TCK - are testing if all public apis forks as expected. Despite some tck are really weird, and to pass we eg have to have balck background and shadows disabled and so, the TCK are pretty good testsuite. Corenrcases are in other testssuites, which we run too. As our build is based on OpenJDK with Hotspot, we do not need to prove it, but must provide once asked. Also the "one would have thought that any time a dependency got an update it would invalidate certification too, even right down to any glibc update, or even kernel update " is close to reality. But we really have to pass the binary on ANY system. Including the one before release. So luckily not. I'm not sure I follow. Why would we need to remove OpenJDK from fedora to comply? The only issue I see is the Rawhide. But considering it is not officially released.. It should be ok. Each build we pass to updates, we are bound to prove it passes TCK. As we control environment, we are usually able to do so. Runing them is mandatory. The results reporting is on demand. The simple rename is not so easy. I "m afraid that striping all "java" from bnaries and thus from sources is maybe possbel to be done, but human impossible to maintian, and will leave JDK mostly not working, and for sure useless and incomaptible with other javas. One of the side steps of this proposal is to be more compatible with other javas. Yes, we can no longer maintian it. And I must contradict you - Seeing all the dependencies, we really need them all. Loosing any one, wiould kill java ecosystemin Fedora. We rebuild so often that this one is irrelevant. Well, yes. But except GCC which we will try to support as writen above, and in https://fedoraproject.org/wiki/MoveFedoraJDKsToBecomePortableJDKs#Rawhide... But please not, that that is very common troubles for us. We do adapt to fedora changes - eg crypto policies or so - but the bumps of libraries are unnecessary burden. As those usully need bigger patching upstream. But please takeme with reserve - a more upstream/native libs development included persn should elaborate. in last decade, we proved one thing - each fedora change like crypto policies or so, when finally tuned in JDK, was possible to backport to older fedoras. However changes due to shared libs, not. Interesting point of view. Tyvm for it! If the binary is identical, then what can go wrong? Already now tests portable comunity builds on all live fedoras, and a distribution-specific issue is so rare, that I think there was none even on long run. Still I see yor point and possible issues you suggests out. Trhough tuccrent plan, your assumption "F36, and rawhide need to be updated to a JDK built on F35." is correct. However the "t F36 gets released with an immediately obsolete JDK, to be replaced with an untested (in the general sense, didn't go through OS beta and such)" should not be correct. There is ususaly no need to update immediately. It is actually even not desired. And here is few weeks where original builder Fedora is still alive, and we can stay on it for a while. But sooner or later the new "untested" from your point of view Jdk will get there. The onl assurance it careful testing of Openjdk maintianers. To make your sleep a bit easier,: gJobsAllOtool | grep -e f35 -e f34 -e f36 | wc -l 2736 We run 2736 testsuites jenkins jobs on Fedoras. From those, gJobsAllOtool | grep -e f35 -e f34 -e f36 | grep tck | wc -l 197 197 are TCK (which each includes over 100k of tests) jenkins jobs, as there are several architectures, and even several variants of JDK which we wish to esnure. I expect the testing burden to drop to 1/2, without actually loosing necessary coveragein matrix, after the whole https://fedoraproject.org/wiki/MoveFedoraJDKsToBecomePortableJDKs is alive. Interesting idea. Tyvm for it! No, I was considering simply latest live one. But no imediate repack is needed once it is eoled. We can stay for a bit on eoled one, or not update from new oldest. In all cases the heavy testing will preceded In your description. It is indeed a bit of confusing Well and there are many reasons to do so, as jdk is designed to be like this. for 10 years we tried to go against the main stream, and we managed a lot. But to keep peace and compatibility and proper developer's support, we have to move with mian stream now. The divergences we keep in rpms are right now blocking devloeprs to use system jdsk as proper JDKs and are enforcing them to download Amazon, Azul, Oracle, etc. blobs... To keep Fedora competitive, this is currenlty necessary step. I hope I addressed all, Thanx a lot for contributions! J. -- Jiri Vanek Mgr. Principal QA Software Engineer Red Hat Inc. +420 775 39 01 09

I'm unable to enumerate number of bugs we solved, or even dropped as unsolvable due to dynamic nature of distribution-correct JDK. They indeed did it once, and had pretty hard time fromthat. Now they TCK propelry. We ahve claim the comaptibility. Tck run in the paralel mode 24h per os and arch and jdk. And there are tricky issues, and even more tricky failures. So both human and hw cycles are heavily under preassure Interesting idea. Not sure if legally possible but worthy of shot.

Demi Marie Obenour wrote: This abuse of trademarks to make Free Software not really free is an alarming pattern. See also Firefox. Kevin Kofler

Jiri Vanek wrote: Unfortunately, your mail does not clarify all that much for me. I actually see several contradictions, e.g.: vs. so "putting [the binary] onto some other system", "eg on super custom opensuse", is exactly what you want to be able to do. There will necessarily be a delay between a security hole being fixed in a commonly used library such as zlib or freetype and the fix making it into an OpenJDK release. And in the case you describe (where the system version is not fixed yet when OpenJDK upstream is), switching to the bundled version is the wrong thing to do, you need to get the security update to the Fedora library pushed out as quickly as possible, so everything benefits from the security fix. (Maybe you or another OpenJDK maintainer needs provenpackager privileges for that.) SHOULD still means you need to justify why you want to do otherwise. I do not see a valid reason in this case. In the rsync case, it is actually also disputed whether this is really necessary (I doubt that there is really no better way to solve their problem), but at least there is a concrete issue there, which (IIRC) is wire compatibility of checksums of compressed blocks. I have not seen any issues with the dynamic builds over years of using Fedora OpenJDK RPMs for production use. And that is a lot of work you are trying to commit to, in the same mail where you are stating that you already have a hard time keeping up with the workload in the current state. I do not see how you can realistically get this done without significant delays for security fixes in the bundled libraries, especially if you are going to wait for TCK results for each and every security backport to a bundled library. And as I wrote above, that is entirely the wrong way to go at it. OpenH264 is actually *not* part of Fedora, as Red Hat is not allowed to ship it under the patent license, only Cisco is. So it gets built on the Fedora Koji in an unpublished tag, shipped from there to Cisco, and Cisco releases it in a third-party repository that is enabled by default in the Fedora repository configuration (but can be disabled by the user, e.g., I have it disabled because the FFmpeg H.264 decoder and the x264 encoder, both from RPM Fusion, are simply the better H.264 implementations). That is a very special arrangement that is due to patent issues. I do not see how OpenJDK qualifies for such a special arrangement, and even if it does, what you want is exactly the opposite of what OpenH264 is doing: You want to get a build *into* Fedora repositories that is not built in the respective Koji buildroot (it may be built in Koji, but you want to build it once for all Fedora releases, so not in the release's buildroot), whereas OpenH264 is actually built *in* the release's Koji buildroot and then shipped *elsewhere*. This is an exception specific to firmware (it is treated as content, not code), which explicitly does *not* apply to anything running on the CPU in kernel space or user space. And I sure hope it would not be granted, as I do not see a valid rationale for such a blatant guideline violation at all. Andrew Hughes says you actually do not have to certify each binary, so logically one of you must be mistaken. At that point, I do not see the value of keeping Java alive in Fedora at all. Better work with Adoptium to get their builds into an RPM repository (hosted by them), if this kind of vanilla all-bundled builds are what you want. And maybe if you orphan the Fedora RPM, someone might pick it up. As a Fedora packager and OpenJDK user, I might even sign up to comaintain, though the time I can spend on it is limited. I think the whole Java SIG needs to be restarted from scratch anyway, as there is very little left from the Java ecosystem that was once packaged in Fedora. OpenJDK is almost the last piece that is remaining. Fedora does *not* package binary driver blobs. We do package binary firmware blobs. The distinction between a driver and a firmware is that the driver runs on the CPU, the firmware runs on the peripheral. (Then there is the early boot firmware that runs before the OS (UEFI/BIOS) or gets loaded at early boot to fix CPU bugs (CPU microcode), those are special cases.) OpenJDK is *not* firmware. (And for that matter, it is not a driver either.) I have been developing in Java for a living for more than 8 years now. I have never needed any other JDK than the OpenJDK RPMs from the Fedora repository. So I have no idea what developers you are talking about. I take it that those "standalone binary native images" really just bundle a static java binary with the bytecode into an executable? And what if I want to build the code on Fedora for a customer running Windows, can I do that with this feature? It does not sound like I can. Where I work, some of us developers run GNU/Linux (several different distributions, I run Fedora) and some run Windows, the customers typically all run Windows (though of course we could easily support customers running GNU/Linux, as we do have all the JNI libraries and wrapper scripts in place for us GNU/Linux-using developers). The ability to build once and run anywhere is one of the reasons we are using Java to begin with. In any case, we have never used this feature at work so far. I was not even aware that it exists at all. We deliver Java code in 2 ways: 1. as JARs in a ZIP or tarball (for anything that needs to run on the customer's infrastructure), or 2. as a web service in Tomcat hosted on our servers (which run Debian and the OpenJDK and Tomcat from the standard Debian repositories). For JARs we deliver to our customers, we require a systemwide JRE installation (and we can point them to the Adoptium Windows binaries if they need a specific recommendation – as I wrote above, the customers typically run Windows). Well yes, that is what I do for the JNI shared objects we ship, too (and mock is a great tool for that). But if you want such a build, then use a non-distro OpenJDK build, not a distro one. Has it not already? OpenJDK is essentially the last piece that is left and your proposal would make that package entirely uninteresting and pointless too (by making it no different from Adoptium Temurin and the like). Maybe at this point withdrawing would be the most honest thing to do? IMHO, we need either new people willing to bring the Java ecosystem (and that includes Maven, Eclipse and its platform, NetBeans and its platform, etc.) back to Fedora, following Fedora rules and guidelines, and not constantly trying to work around them (see the module-only packages in the past, and now this proposal and its followups), or we need to admit failure and just drop Java from Fedora altogether (and focus on getting a third-party repository delivering Adoptium Temurin binaries up ASAP as a replacement / upgrade path). As I wrote above, if it is not feasible (with the available manpower) to maintain OpenJDK properly in Fedora, then it needs to be dropped. Building once in Koji, extracting it, and then resending the resulting blob to Koji for all releases is not how the Fedora workflow works and still violates the "no prebuilt binaries" rule, even if the binary technically has been built in some Koji buildroot at some point. At most, you may be able to build in Koji and then get that exact build *tagged* for the different releases (so you do not send blobs to Koji, you just tell Koji that the build output tagged, say, f35-updates, should also get tagged with f36-updates and f37), but I believe this is a kind of hackery we also stopped doing long ago. As I explained above, Fedora does not ship binary drivers. I am only aware of exceptions of this kind having been granted (in the past) for huge data files. Maybe also firmware. But by definition, these are not CPU executables and hence building them on different Fedora releases will (or at least should) produce identical results. This is not the case for OpenJDK executables. Also, those have been handled using the tagging approach I have described above, so that really the exact same RPMs are used on all releases, and then the files had even been hardlinked on the master mirror and on mirrors that support it. Otherwise, there would have been no benefit from doing this at all for those huge data files. And as far as I can tell, we also no longer do this. E.g., the huge 0ad-data is built separately for each release: https://koji.fedoraproject.org/koji/packageinfo?packageID=14763 (Disclaimer: The following is not legal advice, I am not a lawyer.) I do not see why you would have to rename, e.g., the java and javac executables or the java.* and javax.* packages. To my knowledge, legal reviews have ruled several times in similar cases that this kind of executable or package names is part of an API and not trademarkable. (I do not know whether this has ever been tested in court.) The Oracle proprietary license places several restrictions on what you can do with the java.* and javax.* packages, but we use OpenJDK under the GPL, not under that license, so I do not see why those non-free license restrictions would affect us in any way. So I think it would be enough to just rename, e.g., java-11-openjdk to openjdk-11 (and you could still Obsolete and Provide java-11-openjdk for an upgrade path) and remove the word "Java" from Summary and Description. (Disclaimer: The following is not legal advice, I am not a lawyer.) You do not need to strip any mentions of Java that are required for interoperability (see, e.g., Sega v. Accolade). Nor do you need to strip any uses of the trademark that are not user-visible at all. What is still left from it other than OpenJDK to begin with? But yes, of course, retiring OpenJDK would also require retiring all other remaining Java packages. That is obvious. Which developers? The divergences are sure not blocking me. If some Java developers (or even end users) want the blobs, then they should just use the blobs. Nothing is stopping them. I see no value whatsoever in providing the same kind of static all-bundled builds disguised as native Fedora packages. Kevin Kofler

Yo are right. Then probably the only precedent I have is shmi.

On 16/05/2022 21:13, Jiri Vanek wrote: Not true. Popular packages like freetype, fontconfig, zlib are always getting patched in Fedora soon. OpenJDK will only receive a patch in 2-3 months when a new patch version is released. This will make the user's eyes bleed. OpenJDK 17 respects system configuration after adding the following lines to the ~/.bashrc file: export _JAVA_OPTIONS="-Dawt.useSystemAAFontSettings=lcd -Dswing.aatext=true -Dswing.defaultlaf=com.sun.java.swing.plaf.gtk.GTKLookAndFeel -Dswing.crossplatformlaf=com.sun.java.swing.plaf.gtk.GTKLookAndFeel" Someone needs to grab the font patches from the JetBrains JRE fork and upstream them. But the current configuration of OpenJDK 17 on Fedora 36 also looks good after changing _JAVA_OPTIONS as mentioned above. No. I don't think so. Bundling is always evil and should be avoided as much as possible. "technically not possible" vs. "we just don't want to do additional work". I've been using OpenJDK on Fedora for ages with NetBeans and even IDEA and everything works great. And maybe not and OpenJDK will be vulnerable for months until the next release is out. Fedora builds openh264 from sources for each supported Fedora release and then submits RPMs to Cisco, because due to the legal reasons only Cisco can redistribute it. Firmware is executed directly on the hardware and provided by manufacturers. All software must be built from sources. No blobs are allowed. I hope this exception is never granted. Just stop doing TCK certification. Most of Fedora users don't need "certified binaries". There are no future after such destructive changes. The Java stack on Fedora is almost dead. We've already lost 99% of popular Java applications: NetBeans, Eclipse, IDEA, etc. Rebuilding prebuilt binaries != building from sources. This is strictly prohibited. Lie. Fedora doesn't have any binary drivers in repositories. All Fedora packages (except linux-firmware) are built from sources without network access. Fedora currently has the best OpenJDK builds. -- Sincerely, Vitaly Zaitsev (vitaly(a)easycoding.org)

On 17/05/2022 14:36, Stephen Smoogen wrote: I've never called people liars in this thread. Just said that the quoted statement isn't true, i.e. lies. -- Sincerely, Vitaly Zaitsev (vitaly(a)easycoding.org)

On 18/05/2022 13:47, Dominik 'Rathann' Mierzejewski wrote: Saying "lie" means "not true". -- Sincerely, Vitaly Zaitsev (vitaly(a)easycoding.org)

On 18/05/2022 17:04, Stephen Smoogen wrote: The Oxford English Dictionary gives the following answer: lie (noun) - an intentionally false statement used with reference to a situation involving deception or founded on a mistaken impression -- Sincerely, Vitaly Zaitsev (vitaly(a)easycoding.org)

On 20/05/2022 14:46, Dominik 'Rathann' Mierzejewski wrote: we don't know for sure. -- Sincerely, Vitaly Zaitsev (vitaly(a)easycoding.org)

On Wednesday, 18 May 2022 15:41:17 BST Vitaly Zaitsev via devel wrote: In English, "lie" means "a statement made by someone knowing it is not true". It carries with it the idea that the person making the false statement knew it was false, but claimed it was true anyway. "Incorrect" or "not true" do not carry the implication that the person making the statement knew it was false. -- Simon Farnsworth

On 5/17/22 08:11, Vitaly Zaitsev via devel wrote: I don’t think this was a lie. Whether or not it was accurate, there was no malicious intent. -- Sincerely, Demi Marie Obenour (she/her/hers)

On Tue, May 17, 2022 at 04:20:56PM +0200, Tomasz Torcz wrote: At its heart the certification is a "sticker" that asserts our JDK has passed the TCK test suite. IOW, saying that we don't need certification of JDK is effectively saying that we don't need to do testing of JDK in Fedora. Comprehensive testing of software is something that very much does benefit Fedora and its users, and we could do with a whole lot more of it in general. Further elsewhere in this thread it has been clearly said that users of JDKs do indeed value the certification as a sign of quality. So I don't think we can credibly claim that certification is not needed. The challenege is how to make the certification managable for the maintainers, while also having the packaging process be amenable to Fedora processes. Eliminating testing of JDK is not a desirable solution. With regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|

On Tue, May 17, 2022 at 11:09 AM Daniel P. Berrangé <berrange(a)redhat.com&gt; wrote: I agree here. I don't know what the problems are with the TCK, though. Is it something we can solve with automation? Is it something we need more upstream engagement on? I'm not sure what we need. I've asked a couple of times in this thread, I'm waiting for a response from the proposal owners. I'm also closely tracking the efforts around Project Wakefield, and I'd rather not lose an opportunity to have that in Fedora ASAP because we've stopped building for multiple Fedora releases. -- 真実はいつも一つ！/ Always, there's only one truth!

On Wed, May 18, 2022 at 11:55 AM jiri vanek <jvanek(a)redhat.com&gt; wrote: At this point, I'd rather have an OpenJDK in Fedora than not. If that means switching to bundled libraries, then fine. But all bundled libraries need to be documented in the spec file and that information needs to be kept up to date. Can we do this without going down the route of building only once at one distribution tag and tagging the binary into everything else? -- 真実はいつも一つ！/ Always, there's only one truth!

On 5/18/22 18:22, Fabio Valentini wrote: thanx for this understanidng:( This would of course help, but I would rahter keep 4 different jdks packed once, then 1 jdk packed 4 times. Still we will need to maintain usually 1, but very opften two system jdks, and we will need to continue maintain java-latest-openjdk as we need it to bootsrap next main jdk. Also we need java-lates-opnjdk live in release, not jsut in buidlroot, so we can tune integration of future jdk fluently. We are going to fix known issue. Unless the known issues are solved, we can not continue. All except debuginfo are somehow solvable. Can you please enumerate what parts of known issues toruel syou most? that would be super valuable information. I rate them all moreover in same level, as anoying, but really fixable (not jsut workaround-able) for common benefit. We have the issues which led to this proposal since jdk 11 appeared in fedora. The issue was unluckily not getting away, and was jsut getting worse, until this proposal occured. nope, but the multiplying of JDK employees is unluckily nor following multiplying of JDKs... -- Jiri Vanek Mgr. Principal QA Software Engineer Red Hat Inc. +420 775 39 01 09

On 5/18/22 18:32, Vitaly Zaitsev via devel wrote: wait, what? What do you mean? And waht give you this impression? Or are you already in the follwoing year, when the attempt will be doen to build each JDK in koji just once, and ship it to al llive fedoras? -- Jiri Vanek Mgr. Principal QA Software Engineer Red Hat Inc. +420 775 39 01 09

On 5/20/22 14:57, Vitaly Zaitsev via devel wrote: thanx. shim? -- Jiri Vanek Mgr. Principal QA Software Engineer Red Hat Inc. +420 775 39 01 09

On Sat, May 21, 2022 at 7:28 AM Jiri Vanek <jvanek(a)redhat.com&gt; wrote: Shim is technically built on Fedora infrastructure as shim-unsigned. Microsoft signs that binary and the shim package has those binaries as sources in that package. OpenJDK is not that strict, and frankly I don't think we'd want to do more than just that package that way. It's a massive pain and it's pretty evident that this arrangement causes us serious problems too, since it locks the Fedora community out of fixing issues at that level. -- 真実はいつも一つ！/ Always, there's only one truth!

On 21/05/2022 13:22, Jiri Vanek wrote: Built on Koji from sources as shim-unsigned, then uploaded to Microsoft for signing. This is a special legal case, just like openh264 and Cisco. Both of them built from sources on Fedora infra. -- Sincerely, Vitaly Zaitsev (vitaly(a)easycoding.org)

On 5/23/22 20:40, Kevin Fenzi wrote: Thanx for bringing up additional details! super correct. We are testing also upstream. note that RH is maintainer of ojdk 11 and 8, so we have to. But that is much easier, as the usptream is static within intree libraries. And we have to run also for 17 and 18/19 as we need this reference run, to be sure that downstream is guilty, not vanilla jdk. Thus we test the (source x build) just once. And we can test the binary on some known system where we always pass. But in downstream, new issues usually appear due to the dynamic linking and nature of system where only it can be installed. Also for dowstram, each sources are built N times, so N times tested in thsoe N systems - usually each with its psecific failures. As I described in another reply, it is both human and hw. Hw to run all those swarm of builds on all platforms, and humans to verify the issue and to fix it. TCK are very complex, and you need at least three machines in distributed system to run them. At least two of those slaves are not trivial (krb master and system where tck are running). Generally saying, I have autoamtion to prepare that all, but second part is reproducibility. If the "non mine" setup run will fail for some reason, can I rerun it? Can I debug it? I'm finding this very hard in 3rd party hw clusters. I replied it already in that thread, but happy to repeat: It will help, but less then it seems so. Now we can drop 8. Soem legacy applciations will be unhappy, as EOL of jdk8 is in some 4 years, so fedora will suffer a bit. But it will be nice 12 TCK runs down. but we can not droop 11, as it is system jdk in f35 Similarly, we couldn't introduce fresh jdk17 directly to f36 as system JDK. It needs it time to be tuned before being proposed as system jdk. And we can not drop java-latest-openjdk, becasue it is necessary to boot next system JDK. Yes, in 8 months, we would be able to drop 11. And live for 1 year only on latest and 17. Which is putting load for one year to 1/2. But the cost of not having 11 (and 8) will be felt by fedora users more, then having static jdk from repos. Unluckily, with new future system jdk, we will need to boostrap it by latest, keep it as secondary jdk at least for one , better two, fedora cycles, so again we will be in 3 jdks x 3 systems. Sure, we do not need to backport newest future system jdk to older fedoras, but usually the users want us to do so. tbh, I do not have strong preference on it. it is like 51 for backport, and 49 for not. Even with knwoledge of TCK burden. If currently we have 4 jdks on 3 fedoras with 3 primary architectures=> 36 TCK With this shortage, we would have 2 jdks on 2 fedoras with 3 primary architectures=> 12 tck in minimum. That sound like a reasonable drop, but only for very short period of time, duriong which we will nee to have capcity reserved for ppreparation of next system jdk: 3 jdks on 3 fedoras with 3 primary architectures=> 27 avarage, With much more stress about possible integration issues and with - imo(!) - considerable negative imapct to fedora. TYVM!

On Tue, May 24, 2022 at 5:03 PM Jiri Vanek <jvanek(a)redhat.com&gt; wrote: Is this based on user requests, or is this only what you *think* users of OpenJDK on Fedora need? Speaking for myself, I have never used anything other than the default "system JDK" for running Java applications on Fedora. What would you think about the following scenario: - Fedora X defaults to new OpenJDK LTS N - Fedora X keeps OpenJDK LTS N-1 so it's possible to revert the change - Fedora X+1 drops OpenJDK N-1, since the newer OpenJDK N was already the default for one release - do not backport OpenJDK n to Fedora X-1 and X-2 - keep java-latest-openjdk, as you seen to need this for bootstrapping new OpenJDK releases You could even drop java-latest-openjdk from all branches but rawhide, since it's only needed for bootstrapping there. This should pretty dramatically reduce the size of your test matrix. Applying the current numbers: - Fedora Rawhide: java-17-openjdk (default), java-latest-openjdk - Fedora 36: java-17-openjdk (default), java-11-openjdk (in case the default needs to be switched back), java-latest-openjdk - Fedora 35: java-11-openjdk, java-latest-openjdk Would this reduced set of supported OpenJDK versions, but keeping the "latest" version, address this "considerable negative impact"? Fabio

On Wed, May 25, 2022 at 9:17 AM Jiri Vanek <jvanek(a)redhat.com&gt; wrote: What about only making the older JDKs use bundled static libraries, and the latest LTS and STS versions continue to use dynamic? That would significantly cut down TCK versions and allow you to focus dynamic support where it matters (latest Java runtime code). -- 真実はいつも一つ！/ Always, there's only one truth!

On Wed, May 25, 2022 at 9:38 AM Jiri Vanek <jvanek(a)redhat.com&gt; wrote: I did think of that, that's why I figured doing the latest STS and LTS, because it ensures the STS->LTS bootstrap is going to be reasonable. It can also be coupled with switching the system JDK to the latest LTS. -- 真実はいつも一つ！/ Always, there's only one truth!

On Wed, 2022-05-25 at 15:40 +0200, Fabio Valentini wrote: Wouldn't the upgrade approach leave the installed JDK as default? Just asking since I have the default installed on F36 (17) and I also have the latest(18) which I didn't explicitly install. Just asking Stephen

On Tue, May 24, 2022 at 04:57:54PM +0200, Jiri Vanek wrote: Well, I meant test the _dynamic_ build that Fedora does now... Would it help to have some cloud resources to do this in? We could definitely get you access to some ec2 instances to setup a test cluster for testing fedora builds. ok, sorry I missed a previous reply on this. ;) So, what would you then think about just: 1. having some cloud resources to setup a tck test env that you could manage better than some ci somewhere and use to test fedora builds. and 2. switching fedora to the static system libraries so you didn't need to keep the dynamic ones in sync. but then trying to see if that reduces your workload to a sustainable level and avoid the 'build once, certify' thing that is going to end up being a lot of trouble. kevin

On 5/21/22 13:51, Vitaly Zaitsev via devel wrote: I repeat, aprox 21st time - I will never ever use blob. I will always build from sources in koji. The goal is to go as shim and cisco - to build in koji, certify, and repack. J. -- Jiri Vanek Mgr. Principal QA Software Engineer Red Hat Inc. +420 775 39 01 09

Once upon a time, Vitaly Zaitsev <vitaly(a)easycoding.org&gt; said: Can you PLEASE stop with the personal attacks? -- Chris Adams <linux(a)cmadams.net&gt;

On 24/05/2022 21:00, Jiri Vanek wrote: 1. Stop doing TCK certification. Most Fedora OpenJDK users don't need certified binaries. All they need is a working and well packaged OpenJDK. 2. Reduce the number of OpenJDK branches in the repositories. I think the latest LTS version will be enough. -- Sincerely, Vitaly Zaitsev (vitaly(a)easycoding.org)

On Wed, 25 May 2022 at 09:04, Jiri Vanek <jvanek(a)redhat.com&gt; wrote: So could it be shipped instead as a icedtea? The reason I am asking is that I think we need to look seriously at the alternatives and see how much work the community is going to need to do. 1. Fedora no longer ships a trademarked 'coffee-themed language'. Instead it adds an external repository where your team is able to focus on what they can deliver. 2. Fedora no longer ships a trademarked 'coffee-themed language'. Instead, a volunteer driven SIG puts in an icedtea back into into Fedora instead. 3. Fedora no longer ships a trademarked 'coffee-themed language'. Instead people wanting it will need to find an external place which builds it. 4. Fedora ships a trademarked 'coffee-themed language' that is static. However this doesn't decrease the workload enough and we need to move to 1-3 in 2 to 3 years. -- Stephen Smoogen, Red Hat Automotive Let us be kind to one another, for most of us are fighting a hard battle. -- Ian MacClaren

On Wed, 25 May 2022 at 09:34, Jiri Vanek <jvanek(a)redhat.com&gt; wrote: By icedtea I was assuming a cleanout of trademarks like Firefox and Mozilla is done in Debian. This was not how the previous icedtea was done but it may be what needs to be reviewed. It does require a legal review and that would be something for this team to ask the Board and internal Red Hat to do. If the licenses for how the coffee-themed language requires a TCK no matter what, then I would say that JDK is not open/free in a way that is easily distributable and that would be another thing Fedora board needs to deal with. In either case it is not you or your team's fault here... and people saying so need to back off. -- Stephen Smoogen, Red Hat Automotive Let us be kind to one another, for most of us are fighting a hard battle. -- Ian MacClaren

On Wed, 2022-05-25 at 15:03 +0200, Jiri Vanek wrote: 100%, though I am not one, I understand as much from the TCK itslef. As a user of the JDK as Fedora Linux currently ships it, I can say I am very grateful for the efforts being made to accomodate it. I have also suggested this, but in historical context JDK 6 hung around about 10 years longer than expected I think due in large part to the inertia built by it's prolific use in enterprise systems. This will undoubtably hold true for JDK 8 as well, since it is currently the preferred choice by most. Technically speaking WRT JDK releases, some fall by the wayside (jdk 9 and jdk 10 are two recent). Regards, Stephen Snow just some dude who can program ... whatever

The rename will really not help. On 5/25/22 18:01, Vitaly Zaitsev via devel wrote: -- Jiri Vanek Mgr. Principal QA Software Engineer Red Hat Inc. +420 775 39 01 09

On 26/05/2022 00:02, Demi Marie Obenour wrote: Yes. Google won a lawsuit against Oracle in the Supreme Court. -- Sincerely, Vitaly Zaitsev (vitaly(a)easycoding.org)

Also, it may be good to take a look at what AdoptOpenJDK is doing with the Eclipse Foundation based Adoptium Project, specifically the Eclipse Temurin subproject https://projects.eclipse.org/proposals/eclipse-temurin-compliance which is going to handle the compliance requirements. In this scenerio the Eclipse Foundation is the license holder and the Adoptium project submits to the Temurin project to get certified. Maybe Fedora could use something similar with RH, who are signatories on the OCTLA/TCK as well as supporters of the Eclipse Asoptium project. Just another thought on it. On Thu, 2022-05-26 at 12:55 +0200, Vitaly Zaitsev via devel wrote: What law suit, and how does it apply to our situation? Regards, Stephen Snow

On 5/26/22 11:06, Stephen Smoogen wrote: I would suggest phrasing that slightly differently: the version being distributed could very well be fully compliant (would pass the TCK if tested), but may not have been tested. -- Kevin P. Fleming He/Him/His Principal Program Manager, RHEL Red Hat US/Eastern Time Zone

So my take on the TCK is that Red Hat signed the OCTLA and Fedora Community get's to test their OpenJDK against it as a subequence. I didn't think Fedora the project, had any legal except what Red Hat provides, maybe I'm mistaken though so someone should clarify if they know for sure. Not only that, if we (Fedora Project) were the signatories, we would need auditing internally and externally to comply with requirements of the OCTLA from what I understand, which I imagine we do not have, nor want to entertain since it would require significant dedicated support likely. Basically anytime you use the TCK you need the paper trail. I still think the original proposal has some merrit at least of raisng the point of the workload required to maintain Fedora Lunix's java development stack. A rethink here would be good overall and really the technical build issues Jiri Vanik presented need to be overcome and should be the projects focus, not legal. Perhaps Fedora Project lead could discuss this with RH legal to get their perspective. I'm sure they're aware of the arrangement as it has been used by Fedora, and Fedora is not listed as signatory, and someone had to sign the agreement to get the TCK in the first place. From that POV, to me as OpenJDK is still GPL3 released, and Fedora Project get's to use Red Hat's TCK to verify certification of compliance, so win win. Red Hat needs it for their own OpenJDK, which we no doubt have some involvement with, so again win win. Regards, Stephen Snow On Thu, 2022-05-26 at 11:38 -0400, Stephen Smoogen wrote:

On 5/26/22 10:40, drago01 wrote: For Fedora? Yes. Fedora includes lots of untested (in the formal, TCK sense) software. It does not include non-FLOSS software (except maybe in very specific circumstances such as firmware). -- ======================================================================== Google Where SkyNet meets Idiocracy ========================================================================

On Thu, May 26, 2022 at 07:31:45PM +0200, drago01 wrote: I've been following this circular thread from the outset (And I do make use of Fedora's JDK packages), but one thing I don't recall seeing is a specific (or even general) example of the sort of failures/problems that have come from linking against system libraries vs just using the bundled ones. Relatedly, I think it would also be very valuable to know if these problems are mostly one-off (eg a major release of the jdk or dependent library lands in rawhide and breakage ensues), or occur throughout a specific release cycle (eg F35 gets libfoo 1.2.1 -> 1.2.2 for a critical security update which leads to a failure to pass TCK, or quarterly java-1.8.x -> 1.8.y update cycle leads to a TCK failure due to fedora's bundled library libfoo version) I mean, it's been strongly implied (if not outright stated) that resolving these unspecified TCK failures, caused by using non-bundled libraries, is the real burden, not the act of running the TCK for each build -- but is the TCK (or upstream JDK) really that _brittle_? - Solomon -- Solomon Peachy pizza at shaftnet dot org (email&xmpp) @pizza:shaftnet dot org (matrix) High Springs, FL speachy (libra.chat)

On 26/05/2022 20:29, Stephen Snow wrote: OpenJDK is a native ELF binary, not a JAR. -- Sincerely, Vitaly Zaitsev (vitaly(a)easycoding.org)

On 26/05/2022 19:31, drago01 wrote: Bundled libraries are always outdated and even vulnerable. We should avoid bundling as much as possible. -- Sincerely, Vitaly Zaitsev (vitaly(a)easycoding.org)

On 27/05/2022 15:30, Peter Boy wrote: But it's true. One of my packages had a bundled library with 6 critical vulnerabilities (outdated for 5 years). The upstream developers said they didn't care because they needed their app to run under Ubuntu 12.04 LTS. Fixed it manually by switching to the packaged version. Another package had bundled OpenSSL, which was 3 years out of date. -- Sincerely, Vitaly Zaitsev (vitaly(a)easycoding.org)

Really sorry, but such a statement is simply intellectual bullshit. Unfortunately, it is not possible to formulate this in a more friendly yet unambiguous way. And in this thread in particular, the many allegations, unclouded by any expertise but made all the more decisively, are simply annoying - and a huge waste of everyone’s time in the long run. With technically correct workflow, there is at least a time x where the included libs are not outdated and where vulnerability is unknown at worst. How someone comes up with "always" is beyond me. And whether to include a lib in a package is a tradeoff between various pros and cons. Depending on the circumstances, the result is different. The Change proposal correctly includes several reasons for consideration. And no viable argument has yet been put forward as to why the consideration given is *necessarily* incorrect. Several conceivable alternatives would also be viable. But as long as no one is directly affected in a negative way and no one comes forward to do the work involved with an alternative, .... -- Peter Boy https://fedoraproject.org/wiki/User:Pboy pboy(a)fedoraproject.org Timezone: CET (UTC+1) / CEST (UTC+2) Fedora Server Edition Working Group member Fedora docs team contributor Java developer and enthusiast

On 28/05/2022 19:31, drago01 wrote: Most upstreams don't care about bundled libraries. They bundle them once and then forget. -- Sincerely, Vitaly Zaitsev (vitaly(a)easycoding.org)

On Sat, 28 May 2022 20:52:51 +0200, you wrote: But most != all as you claimed. There is no indication that the JDK is such a thing - in fact given the packagers are struggling that is a good indication that the JDK is being regularly updated.

On 29/05/2022 02:57, Gerald Henriksen wrote: Every 3 months in a patch release. I don't think maintainers will manually backport patches to the bundled libraries. -- Sincerely, Vitaly Zaitsev (vitaly(a)easycoding.org)

On 5/26/22 14:17, Stephen Snow wrote: That is just correct summary. That is exactly what wea re doing. We certify with RH signatories. J.

On 18/05/2022 19:14, Michael Catanzaro wrote: Yes. And maintainers must include and keep up to date this information in SPECs: https://docs.fedoraproject.org/en-US/packaging-guidelines/#bundling -- Sincerely, Vitaly Zaitsev (vitaly(a)easycoding.org)

On 5/18/22 18:01, Neal Gompa wrote: I deeply appreciate your understanding. If we do only this dirst part, then the TCK burden would not be lifted. Still it make maintaneace much more easy. -- Jiri Vanek Mgr. Principal QA Software Engineer Red Hat Inc. +420 775 39 01 09

On Wed, May 18, 2022 at 12:33 PM jiri vanek <jvanek(a)redhat.com&gt; wrote: The runtime libraries for integrating into Wayland are evolving at a fast pace. Moreover, if you build only once on the oldest distribution and tag up, it becomes even more difficult to take advantage of improvements to Wayland components in the distribution. My gut feeling is that changing OpenJDK to not rely on system libraries will make this considerably harder because we will have to wait for upstream to sync up and then pull it down. Additionally, depending on what their CI target is, it may wind up being even more difficult because older distributions *cannot* build some newer libraries because of missing build or runtime components. I've been dealing with that enough with KDE Plasma in Fedora and EPEL that I'm concerned we'd be in trouble with Wakefield on Fedora with this proposal. -- 真実はいつも一つ！/ Always, there's only one truth!

Once upon a time, Daniel P. Berrangé <berrange(a)redhat.com&gt; said: In this thread it was claimed (I believe by a packager) that TCK is important to Java users, but I haven't seen any users say that. I'm not a Java user... I had never heard of TCK. I just went searching, and I don't see anything right off that shows that Fedora's OpenJDK is certified in any way. How would I even know? -- Chris Adams <linux(a)cmadams.net&gt;

Once upon a time, Stephen Snow <s40w5s(a)gmail.com&gt; said: That's a list of organizations that have signed the agreement (which notably for this discussion, does not include Fedora). I don't see a list of "passed the test", nor do I see something on the Fedora packages that says "passed the test". The claim was made that this test is important for Java users, yet I can't find any indication that Fedora's (or anybody's for that matter) pass it. Testing is great and important, but saying that users care about the results of the testing is hard to understand when the test results appear to be undocumented. -- Chris Adams <linux(a)cmadams.net&gt;

V Wed, May 18, 2022 at 08:09:06AM -0400, Stephen Snow napsal(a): Is that (OpenJDK) still a free software? I mean the rights to modify and redistribute? If it isn't, is it suitable for Fedora? Or is too big to fail like the case of Firefox which we cannot call Firefox if we patch it. -- Petr

On 18/05/2022 14:09, Stephen Snow wrote: That means that OpenJDK is no longer a free software and can't be distributed by Fedora at all. CC: Fedora Legal team. -- Sincerely, Vitaly Zaitsev (vitaly(a)easycoding.org)

You can not put uncertified JDK to fedora. And we can no longer properly support certified dynamic builds. We realy do no like this change, but we do not see another way.

On 5/18/22 18:34, Vitaly Zaitsev via devel wrote: Who shold hire them. You? Me? Fedoraproject? -- Jiri Vanek Mgr. Principal QA Software Engineer Red Hat Inc. +420 775 39 01 09

On Mon, May 16, 2022 at 09:13:32PM +0200, Jiri Vanek wrote: This mail appears to have copied in quoted text from many differnt messages in this thread, with no attribution of the author. This is very confusing and disruptive for following the conversation :-( Ideally please reply inline to the original mails. If we consider Fedora koji tag inheritance, to a limited degree we do implicitly already have the ability to build once and have it deployed on multiple Fedora versions. It just only applies to Fedora versions that arrive after the original build. eg if you built a package in Rawhide today, and never rebuilt it again for the next year, the one binary RPM would end up shipped to users in Fedora 37, 38 and 39. To some extent this does happen - on my Fedora 36 install, I've got about 40 packages with an fc35 dist-tag in the RPM release, and 2 with an fc34 dist-tag. In practice the mass rebuilds happen frequently enough to kill off inheritance across releases for most packages. Then for any non-trivial app there is usually a need for bug fix releases, which again kill off the inheritance. The point is that, AFAICT, there's no hard Fedora rule that forbids us having one binary RPM build shipped to multiple Fedora relases. (Or if there is such a rule, we're not enforcing it). It is just the practicalities of mass rebuilds and bug fix releases that mean it ends up being quite an exceptional case to share binaries across releases. Lets say we have a single JDK build that was done in Fedora 35 a year ago, and thus now present in F35, F36 & F37-rawhide. If a bug fix is needed, we can't simply build in current F35 build roots, since they include all subsequent F35 updates. We have a record of all the packages there were in the original F35 rawhide build root though. It would conceptually be viable to populate a build root with that original deps set, do a bug fix build, and tag that result into all subsequent releases. We don't have a way to actually put that into practice, which I guess motivates some of the re-packaging hoops the JDK proposal is wanting to jump through. Perhaps we can come up with a more supportable way to achieve this goal instead. NB, I'm assuming the shared libs that JDK depends on don't do ELF soname changes. I presume this is where the desire for static linking starts to come into play. Again static linking is not something totally excluded by Fedora - it just requires a good justification to be made I wonder if it is possible to have the best of both worlds with two streams. What if new major JDKs were *only* added to rawhide, not existing releases. IOW, Fedora 35 would be frozen with the set of JDK major versions that existed at time of F35 branching off rawhide. Thereafter it only gets bug fix releases of existing major versions. In addition the certification is only done for the initial new major version build in rawhide, not subsequent bug fix builds. This would let the main Fedora JDK packages be fairly normal in terms of maintenence approach, and reduce the JDK certification process burden. Separate from that, have a module stream for portable JDK. The module build root populated with the oldest current Fedora stable release, minus any updates. Builds can be done static linked, and the module results made available to all Fedora streams. Every bug fix build goes through ceritfication, and adding new JDK major versions doesnt have combinatorial expansion of certification. Of course the obvious problem here is how to explain to users which JDK they should be preferring. If we just tell people to always use the portable version, then having the "regular" distro strweam version is kinda pointless and vica-verca. With regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|

On 5/10/22 6:29 AM, Ben Cotton wrote: I'm very confused on why this reduces certification burden. In our crypto libraries this is exactly the kind of behavior we would *NOT* want packages to do because it increases our certification and support burden. bob

On Tue, May 10, 2022 at 11:51 PM Neal Gompa <ngompa13(a)gmail.com&gt; wrote: I agree, I don't think there's positives for the user experience here. And I don't understand what actual problem this change is trying to solve? Are people really installing OpenJDK RPM packages, taking the "/usr/bin/java" binary, and putting it onto some other system? Unless that's really the case (and I don't think that should even ever be supported for distro packages), I don't see a reason to change how we build OpenJDK. Also, I am particularly concerned with this statement from the linked follow-up change: "After this change is in air, we will certificate each binary only once, and redistribute." I cannot see how Fedora RPM packages for OpenJDK can redistributing pre-built binaries would ever be considered acceptable. Fabio

On 11/05/2022 10:44, Daniel P. Berrangé wrote: This is so bad. The final death of Java on Fedora. -- Sincerely, Vitaly Zaitsev (vitaly(a)easycoding.org)

On Wed, May 18, 2022 at 9:49 AM Mario Torre <neugens(a)redhat.com&gt; wrote: I make my own IntelliJ packages for my own use that rips out their Java runtime and uses Fedora's OpenJDK. :) -- 真実はいつも一つ！/ Always, there's only one truth!

Just to repeat i one more times, and maybe a bit more loudly - the rendering seems to be SAME for both static and dynamic linking. Please anybody who complains in this thread, can yo have any proof that dynamic linking really makes yor eyes bleed?? J. On 5/18/22 15:48, Mario Torre wrote: -- Jiri Vanek Mgr. Principal QA Software Engineer Red Hat Inc. +420 775 39 01 09

On 01:07 Wed 11 May , Kevin Kofler via devel wrote: I expect JDK users would disagree with you. JDKs from other vendors (Amazon, Azul, Oracle, etc.) are built in exactly this way. We (and likely other GNU/Linux distributions) are the exception here. It's not a trademark issue [0], but one of user confidence in what is being provided. The "OpenJDK" name can be used as long as it's OpenJDK code that is being built, and not, say, the OpenJDK libraries combined with a non-OpenJDK virtual machine. I think the alternative would be that we reduced testing in a similar way e.g. only run the TCK on the latest released Fedora for each JDK. [0] https://openjdk.java.net/legal/openjdk-trademark-notice.html -- Andrew :) Pronouns: he / him or they / them Senior Free Java Software Engineer OpenJDK Package Owner Red Hat, Inc. (http://www.redhat.com) PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net) Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222

Andrew Hughes wrote: I *am* a JDK user. I use the JDK and JRE for work. I have been using the Fedora-provided OpenJDK RPMs all this time, and I have never encountered any issue caused by how they are built. In fact, quite the opposite: Our servers' Let's Encrypt certificates just worked out of the box with the Fedora-provided OpenJDK (due to the use of the system root CA list) whereas Windows JDK builds had required workarounds for quite a while until Oracle finally fixed their CA list. In my experience, the packages are 100% compatible with other OpenJDK builds, including the proprietary Oracle JDK, and the fact that they pass the TCK actually more or less proves that they are. Use of system libraries is exactly what I expect from a distribution package of OpenJDK. And that difference is the entire point of building distribution packages of OpenJDK at all. I see very little value in a "Fedora" OpenJDK build over just using Adoptium Temurin binaries if they are built the exact same way. Well, there is the ease of installing and updating due to being packaged in an RPM, but an RPM repository could also be provided by Red Hat through Adoptium. I expect from a package in the Fedora repository to follow Fedora guidelines and best practices, which includes using system libraries wherever possible, and being built on the Fedora release for which it is shipped (or for the initial version in a new Fedora release, on a Rawhide no older than the latest mass rebuild). I think reducing TCK runs would be an acceptable compromise. After all, that is where the bottleneck lies. Maybe you could also run the TCK asynchronously *after* the security update went out (or while it is queued), and try to fix in a later update any regressions that unexpectedly show up? Kevin Kofler

On 5/17/22 00:10, Fabio Valentini wrote: Well yes. Taht is of course option to support only system jdk and be done with that. We will need to continue t build - but never release- -latest- package, so we are able to bootsrap next system jdk (21 or what) Note one super huge bad side effect - the new system jdk will be totally untested, including integration. Thus saying, I woudl ratehr support 4 static different fully jdks tested, then 1 jdk build 4times, which is fully untested Thanx! J. -- Jiri Vanek Mgr. Principal QA Software Engineer Red Hat Inc. +420 775 39 01 09

On Tue, May 10, 2022 at 09:29:35AM -0400, Ben Cotton wrote: Reading this whole doc is really key, because it is clear that (if approved) further changes are going to follow this one in Fedora 38. So the decision on whether to approve this first feature really needs to consider the acceptability of the overall plan, not just this first step in isolation. It would be useful to have more details about how the certification is taking place for JDK in Fedora today, so we have a better understanding of how it is impacting the maintainer currently. When is certification currently done, what rules need to be followed, etc. IIUC, the Java certification is intended to identify any non-compliant behaviour between JDK builds. Is this statement indicating that Fedora builds are not passing the certification, or that we're introducing regressions into JDK after the certification is done (eg through later 3rd party RPM updates), or is the breadth of JDK cert coverage simply insufficient to detect enough problems upfront ? According to the doc we currently have jdk8, jdk11, jdk17 and jdk18, across 3 Fedora releases (35, 36, 37-rawhde). So 12 build streams effectively. IIUC, it is implied that when a new JDK comes out (jdk19 next), it would be added immediately to all Fedora streams (35, 36, 37rawhide). If separate builds for done for each release, it sounds like it is meaning JDK certification is needed for each release separate. So a new jdk19 would need certifying separately for (35, 36, 37-rawhide) One way to reduce this burden is to not introduce new JDKs to all existing Fedora streams, only add it to rawhide so certification is only needed once. Having said that I'm still not clear on the real impact of the certification. Presumably thue certification is not re-done in each JDK RPM re-build, nor on every RPM re-build of a library it depends on. If so, then do we really need to do certification for every Fedora release stream when adding a new JDK. Can we do a build for 35, certify it, and then do what is effectively no-change import and rebuild for 36/37-rawhide and just consider the 35-certification to cover those streams. With regards, Daniel -- |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :| |: https://libvirt.org -o- https://fstop138.berrange.com :| |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|

Hi, Daniel P. Berrangé <berrange(a)redhat.com&gt; writes: As I understand it, the certification (TCK) is only done on a binary level, and only applies to the OpenJDK package itself. It's not a one-time thing when a new version of the OpenJDK is added; it needs to be re-done on every single rebuild and/or update of OpenJDK. AFAIK, even if you rebuild the exact same sources with the exact same toolchain with the exact same compiler flags, you still can't claim TCK certification status from one build carries over to the next. If we import a binary (RPM) from one Fedora version to the other, then we can continue claiming that the original binary is still certified. Please note that it has been more than 5 years since I was last involved with Java, so things might have changed. I might also be mis-remembering something. But hopefully that gives some context on why the certification (TCK) burden is so huge. Omair -- PGP Key: B157A9F0 (http://pgp.mit.edu/) Fingerprint = 9DB5 2F0B FD3E C239 E108 E7BD DF99 7AF8 B157 A9F0

* Daniel P. Berrangé: I think most TCK users do not control an entire operating system like Fedora does. Is there an actual contractual requirement for Fedora to distribute OpenJDK builds only after they have passed the TCK? That's just impossible with the Fedora build system, and we would have to remove OpenJDK from Fedora to comply. Or maybe there is something we can do to with the OpenJDK vendor strings to escape TCK testing requirements. That would still be unfortunate because some Java software looks at these strings and alters its behavior, so everyone loses because of the reduced test coverage, but it's probably better than shipping no OpenJDK at all. If running the TCK is optional, then the TCK testing could be restricted to a single Fedora release, plus testing of the RC of a new Fedora release. Fedora couldn't claim TCK compliance, of course, but it does not look like we currently do anyway: <https://fedoraproject.org/wiki/Java> <https://fedoraproject.org/w/index.php?title=Special%3ASearch&search=T... “TCK” isn't mentioned on docs.fedoraproject.org, either. Thanks, Florian

On 16/05/2022 16:33, Andrew Hughes wrote: If current maintainers can't continue maintaining the well-packaged OpenJDK, I think it's time to retire it. It would be better not to have OpenJDK on Fedora than to have statically linked blobs with ugly fonts that make the user's eyes bleed. 1. You can always send a PR to the system library package with CVE fix. 2. You do not need to rebuild OpenJDK after the system library update is installed. You can focus on building only one major LTS version, but against system libraries. -- Sincerely, Vitaly Zaitsev (vitaly(a)easycoding.org)

Once upon a time, Andrew Hughes <gnu.andrew(a)redhat.com&gt; said: That would also mean that the JDKs would lag any other Fedora system-wide changes, such as compiler/library updates, build options that affect security, etc. I think that's a bad idea. How would this actually be implemented at new release time? For example, let's say F34, F35, and rawhide were all getting a JDK built on F34. When F36 comes out (and then later F34 is EOLed)... how would that work? F35, F36, and rawhide need to be updated to a JDK built on F35... which would mean that F36 gets released with an immediately obsolete JDK, to be replaced with an untested (in the general sense, didn't go through OS beta and such) build. Or would rawhide get a build built on (oldest+1) rather than (oldest)? So F36 would be tested and released with a build built on (but not released for) F35, until F34 goes EOL and F35 gets updated? This would seem to be a very confusing way of doing things. -- Chris Adams <linux(a)cmadams.net&gt;

On Mon, May 16, 2022 at 8:27 PM Samuel Sieb <samuel(a)sieb.net&gt; wrote: I'm pretty sure we don't even include the Java logo for historical reasons. Our OpenJDK originates from the IcedTea project[1], and while most of that project is gone now, one consequence of that is that our Java runtime has always been considered fully functional without the Java TCK approval and we have been used to not using 100% code from Sun/Oracle even after we finally got the TCK to run it against. That said, I'm concerned that validating against the Java TCK is considered so burdensome that this proposal is even being seriously bandied about. Has there been any upstream discussions about this? [1]: https://web.archive.org/web/20080716054009/http://fedoraproject.org/wiki/... (As an aside, apparently this page was lost at some point in the past few years, our wiki doesn't have this page) -- 真実はいつも一つ！/ Always, there's only one truth!