February 2013


The IcedTea project provides a harness to build the source code from OpenJDK using Free Software build tools, along with additional features such as a PulseAudio sound driver and support for alternative virtual machines.

A new set of security releases are now available for the OpenJDK 7 series: 2.1.6, 2.2.6 & 2.3.7. These contain the following security fixes:

In addition, IcedTea includes the usual IcedTea patches to allow builds against system libraries and to support more estoric architectures.

If you find an issue with one of these releases, please report it to our bug database under the appropriate component. Development discussion takes place on the distro-pkg-dev OpenJDK mailing list and patches are always welcome.

Full details of the releases can be found below.

What’s New?

New in release 2.3.7 (2013-02-20)

New in release 2.2.6 (2013-02-20)

New in release 2.1.6 (2013-02-20)

The tarballs can be downloaded from:

SHA256 checksums:

  • e6a65923acb29b87b9f8492adc6f00152b489441e788b64e2869301cc7fa29ba icedtea-2.1.6.tar.gz
  • 90adf40e725d7a301c3e23efdb75fcb992b0e645d8be0250cd4d058d85488f33 icedtea-2.2.6.tar.gz
  • 378f67f6f84bfb6c705f600b47b68a61b18d67648dd7eaf8498b152587695940 icedtea-2.3.7.tar.gz

Each tarball is accompanied by a digital signature available at the above ‘sig’ link. This is produced using my public key. See details below.

The following people helped with these releases:

  • Elliott Baron (production of reproducer for S8006439)
  • Severin Gehwolf (production of reproducer for S8006777)
  • Andrew John Hughes (application of security fixes & backports, creation & testing of bug fixes, reproducer testing, release management)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea-${version}.tar.gz

where ${version} is the version of IcedTea being used.

Full build requirements and instructions are in INSTALL:

$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea-${version}/configure [--enable-zero --enable-pulse-java
--enable-systemtap ...]
$ make

Happy hacking!

The IcedTea project provides a harness to build the source code from OpenJDK using Free Software build tools, along with additional features such as a PulseAudio sound driver and support for alternative virtual machines.

A new set of security releases are now available for the OpenJDK 6 series: 1.11.8 & 1.12.3. These contain the following security fixes:

Full details of each release can be found below.

What’s New?

New in release 1.11.8 (2013-02-19)

New in release 1.12.3 (2013-02-19)

The tarballs can be downloaded from:

SHA256 checksums:

  • 62620b5544d5e1df7508d7c777fb78532c75eec43b99c8c7d1a3c84f352c1ea3 icedtea6-1.11.8.tar.gz
  • db9dc14fa537fb22616fcd9e5b80758aa7baa66e0b6f8adfe3d5e80414574b4c icedtea6-1.12.3.tar.gz

The tarballs are accompanied by digital signatures available at the above ‘sig’ link. This is produced using my public key. See details below.

The following people helped with these releases:

  • Severin Gehwolf (production of reproducer for 8006777)
  • Andrew John Hughes (application of security fixes & backports, creation & testing of bug fixes, reproducer testing, release management)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea-${version}.tar.gz
$ cd icedtea-${version}

where ${version} is the version you’ve downloaded.

Full build requirements and instructions are in INSTALL:

$ ./configure [--enable-zero --enable-pulse-java --enable-systemtap ...]
$ make

Happy hacking!

The IcedTea project provides a harness to build the source code from OpenJDK using Free Software build tools, along with additional features such as a PulseAudio sound driver and support for alternative virtual machines.

These releases update our older OpenJDK7 support to include the latest security updates just released:

In addition, IcedTea includes the usual IcedTea patches to allow builds against system libraries and to support more estoric architectures.

If you find an issue with one of these releases, please report it to our bug database under the appropriate component. Development discussion takes place on the distro-pkg-dev OpenJDK mailing list and patches are always welcome.

Full details of the release can be found below.

Note that this will be the last release in the 2.2.x series with 2.4.0 being imminent. The 2.1.x series will unfortunately have to be supported until the ARM32 port is moved to a newer release, but we hope this won’t be for much longer.

What’s New?

New in release 2.1.5 (2013-02-13)

New in release 2.2.5 (2013-02-13)

The tarballs can be downloaded from:

SHA256 checksums:

  • f8144e370379371d5d4db6955b43b371f4fa8a99a9dca404995a12af21d46974 icedtea-2.1.5.tar.gz
  • cf79e99c1a8ad8d0dcc1ef66c30a776d159ab4a64290d9c1affa0e304ba2e7b5 icedtea-2.2.5.tar.gz

Each tarball is accompanied by a digital signature available at the above ‘sig’ link. This is produced using my public key. See details below.

The following people helped with these releases:

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea-${version}.tar.gz

where ${version} is the version of IcedTea being used.

Full build requirements and instructions are in INSTALL:

$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea-${version}/configure [--enable-zero --enable-pulse-java
--enable-systemtap ...]
$ make

Happy hacking!

The IcedTea project provides a harness to build the source code from OpenJDK using Free Software build tools, along with additional features such as a PulseAudio sound driver and support for alternative virtual machines.

This release updates our OpenJDK7 support to include the latest security updates just released:

This release has been delayed because the original patches supplied to us by Oracle introduced a number of regressions which were not resolved until fixes were made available over a week later in the OpenJDK 7u-dev repository. Most notably, building with OpenJDK6 was broken and we felt it unwise to ship in this state.

The regressions are as follows:

  • S8002068: Build broken: corba code changes unable to use new JDK 7 classes
  • S8004341: Two JCK tests fails with 7u11 b06
  • S8005615: Java Logger fails to load tomcat logger implementation (JULI)

Given the delay, we have also taken the opportunity to sync the repository with the upstream 7u-dev repository at the tag “jdk7u13-b20″. Oracle have continually omitted providing branches for security releases. Only the releases developed in the open (u2, u4 and u6) have branches and apparently the goal of 7u to ‘develop updates’ does not include developing ‘security updates’ as one would naturally assume. However, it has become clear that there must be such a branch internally as the security patches are pulled into the 7u repository and merged with its current state. Thus, although it is not possible to work on top of 7u13-b20 in the 7u trees (as the merge and later fixes are piled on top), we can pull just that tag and retrieve just the changesets we need without the ones destined for u8/u12/u14/whatever it’s called next week.

In short, examining the changesets resulting from “hg in -r jdk7u13-b20″ showed that there was no major changes in there, just a few fixes believed to be included
in u10 and upstream versions of the security patches. So we’ve included these changesets in this release in the hope of bringing something closer to u13 in IcedTea7 2.3.6, though obviously we can’t make any guarantees about how the two compare as the code of u13 is proprietary.

In addition, IcedTea includes the usual IcedTea patches to allow builds against system libraries and to support more estoric architectures.

If you find an issue with one of these releases, please report it to our bug database under the appropriate component. Development discussion takes place on the distro-pkg-dev OpenJDK mailing list and patches are always welcome.

Full details of the release can be found below. Note that 2.3.5 was tagged in the forest and used by Fedora, but ended up being a forest-only release after the regressions were found.

What’s New?

New in release 2.3.6 (2013-02-12)

  • Security fixes
  • Backports
    • S7057320: test/java/util/concurrent/Executors/AutoShutdown.java failing intermittently
    • S7083664: TEST_BUG: test hard code of using c:/temp but this dir might not exist
    • S7107613: scalability blocker in javax.crypto.CryptoPermissions
    • S7107616: scalability blocker in javax.crypto.JceSecurityManager
    • S7146424: Wildcard expansion for single entry classpath
    • S7160609: [macosx] JDK crash in libjvm.dylib ( C [GeForceGLDriver+0x675a] gldAttachDrawable+0×941)
    • S7160951: [macosx] ActionListener called twice for JMenuItem using ScreenMenuBar
    • S7162488: VM not printing unknown -XX options
    • S7169395: Exception throws due to the changes in JDK 7 object tranversal and break backward compatibility
    • S7175616: Port fix for TimeZone from JDK 8 to JDK 7
    • S7176485: (bf) Allow temporary buffer cache to grow to IOV_MAX
    • S7179908: Fork hs23.3 hsx from hs22.2 for jdk7u7 and reinitialize build number
    • S7184326: TEST_BUG: java/awt/Frame/7024749/bug7024749.java has a typo
    • S7185245: Licensee source bundle tries to compile JFR
    • S7185471: Avoid key expansion when AES cipher is re-init w/ the same key
    • S7186371: [macosx] Main menu shortcuts not displayed (7u6 regression)
    • S7187834: [macosx] Usage of private API in macosx 2d implementation causes Apple Store rejection
    • S7188114: (launcher) need an alternate command line parser for Windows
    • S7189136: Fork hs23.5 hsx from hs23.4 for jdk7u9 and reinitialize build number
    • S7189350: Fix failed for CR 7162144
    • S7190550: REGRESSION: Some closed/com/oracle/jfr/api tests fail to compile becuse of fix 7185245
    • S7193219: JComboBox serialization fails in JDK 1.7
    • S7193977: REGRESSION:Java 7′s JavaBeans persistence ignoring the “transient” flag on properties
    • S7195106: REGRESSION : There is no way to get Icon inf, once Softreference is released
    • S7195301: XML Signature DOM implementation should not use instanceof to determine type of Node
    • S7195931: UnsatisfiedLinkError on PKCS11.C_GetOperationState while using NSS from jre7u6+
    • S7197071: Makefiles for various security providers aren’t including the default manifest.
    • S7197652: Impossible to run any signed JNLP applications or applets, OCSP off by default
    • S7198146: Another new regression test does not compile on windows-amd64
    • S7198570: (tz) Support tzdata2012f
    • S7198640: new hotspot build – hs23.6-b04
    • S7199488: [TEST] runtime/7158800/InternTest.java failed due to false-positive on PID match.
    • S7199645: Increment build # of hs23.5 to b02
    • S7199669: Update tags in .hgtags file for CPU release rename
    • S7200720: crash in net.dll during NTLM authentication
    • S7200742: (se) Selector.select does not block when starting Coherence (sol11u1)
    • S7200762: [macosx] Stuck in sun.java2d.opengl.CGLGraphicsConfig.getMaxTextureSize(Native Method)
    • S8000285: Deadlock between PostEventQueue.noEvents, EventQueue.isDispatchThread and SwingUtilities.invokeLater
    • S8000286: [macosx] Views keep scrolling back to the drag position after DnD
    • S8000297: REGRESSION: closed/java/awt/EventQueue/PostEventOrderingTest.java fails
    • S8000307: Jre7cert: focusgained does not get called for all focus req when do alt + tab
    • S8000822: Fork hs23.7 hsx from hs23.6 for jdk7u11 and reinitialize build number
    • S8001124: jdk7u ProblemList.txt updates (10/2012)
    • S8001242: Improve RMI HTTP conformance
    • S8001808: Create a test for 8000327
    • S8001876: Create regtest for 8000283
    • S8002068: Build broken: corba code changes unable to use new JDK 7 classes
    • S8002091: tools/launcher/ToolsOpts.java test started to fail since 7u11 b01 on Windows
    • S8002114: fix failed for JDK-7160951: [macosx] ActionListener called twice for JMenuItem using ScreenMenuBar
    • S8002225: (tz) Support tzdata2012i
    • S8003402: (dc) test/java/nio/channels/DatagramChannel/SendToUnresovled.java failing after 7u11 cleanup issues
    • S8003403: Test ShortRSAKeyWithinTLS and ClientJSSEServerJSSE failing after 7u11 cleanup
    • S8003948: NTLM/Negotiate authentication problem
    • S8004175: Restricted packages added in java.security are missing in java.security-{macosx, solaris, windows}
    • S8004302: javax/xml/soap/Test7013971.java fails since jdk6u39b01
    • S8004341: Two JCK tests fails with 7u11 b06
    • S8005615: Java Logger fails to load tomcat logger implementation (JULI)
  • Bug fixes
    • Fix build using Zero’s HotSpot so all patches apply again.
    • PR1295: jamvm parallel unpack failure

The tarball can be downloaded from:

SHA256 checksums:

  • f55f2f2e5cdfa8b0429eaa56b4ecba7d63c701e867dbb636883c03cd8e64f4f9 icedtea-2.3.6.tar.gz

Each tarball is accompanied by a digital signature available at the above ‘sig’ link. This is produced using my public key. See details below.

The following people helped with these releases:

  • Andrew John Hughes (application of security fixes & backports, creation & testing of bug fixes, release management)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea-2.3.6.tar.gz

Full build requirements and instructions are in INSTALL:

$ mkdir icedtea-build
$ cd icedtea-build
$ ../icedtea-2.3.6/configure [--enable-zero --enable-pulse-java
--enable-systemtap ...]
$ make

Happy hacking!

The IcedTea project provides a harness to build the source code from OpenJDK using Free Software build tools, along with additional features such as a PulseAudio sound driver and support for alternative virtual machines.

This pair of releases for IcedTea6 is provided to fix a number of regressions introduced by the recent security releases (1.11.6 & 1.12.1). These patches were not included in the initial set of security patches from Oracle, but only became available when they pushed the changes to the OpenJDK Mercurial repositories.

The fixes are as follows:

  • S8004341: Two JCK tests fails with 7u11 b06
  • S8005615: Java Logger fails to load tomcat logger implementation (JULI)

We’ve also taken this opportunity to provide bug fixes for a couple of build issues which have been reported in the interim between this release and the last.

Full details of each release can be found below.

What’s New

New in release 1.11.7 (2013-02-11)

  • Backports
    • S8004341: Two JCK tests fails with 7u11 b06
    • S8005615: Java Logger fails to load tomcat logger implementation (JULI)
  • Bug fixes
    • PR1297: cacao and jamvm parallel unpack failures

New in release 1.12.2 (2013-02-11)

  • Backports
    • S8004341: Two JCK tests fails with 7u11 b06
    • S8005615: Java Logger fails to load tomcat logger implementation (JULI)
  • Bug fixes
    • PR1297: cacao and jamvm parallel unpack failures
    • PR1301: PR1171 causes builds of Zero to fail

The tarballs can be downloaded from:

SHA256 checksums:

  • 5a2c5a72a1cab0f2f1a9aa69cbfa462412816d4821426183c6e964cec5171543 icedtea6-1.11.7.tar.gz
  • 897a8834b8ddd6891f0eef46c0f799d11cbecf168c4383cfb26d0dad80328794 icedtea6-1.12.2.tar.gz

The tarballs are accompanied by digital signatures available at the above ‘sig’ link. This is produced using my public key. See details below.

The following people helped with these releases:

  • Andrew John Hughes (application of backports, creation & testing of bug fixes, release management)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea-${version}.tar.gz
$ cd icedtea-${version}

where ${version} is the version you’ve downloaded.

Full build requirements and instructions are in INSTALL:

$ ./configure [--enable-zero --enable-pulse-java --enable-systemtap ...]
$ make

Happy hacking!

Many thanks to Omair Majid for preparing the 1.12.1 release while I was still returning home from FOSDEM. Much appreciated!

The IcedTea project provides a harness to build the source code from OpenJDK using Free Software build tools, along with additional features such as a PulseAudio sound driver and support for alternative virtual machines.

A new security release is now available for the OpenJDK 6 series: 1.12.1. Regarding 7, we’ve hit bootstrapping issues that we’re trying to work around so it can still be built with OpenJDK 6, but if you fancy rolling your own using an earlier build of 7, the forests are already up-to-date for 2.3 as is the IcedTea7 2.3 repository.

The update contains the following security fixes:

Full details can be found below.

What’s New?

New in release 1.12.1 (2012-02-04)

The tarball can be downloaded from:

SHA256 checksum:

  • 8e73a3939ba8c2cca888defc6c90811c959273a9bc7bd1352338a72cefcf1157 icedtea6-1.12.1.tar.gz

The tarball is accompanied by a digital signature available at the above ‘sig’ link. This is produced using Omair’s public key. See details below.

  • PGP Key: 66484681 (http://pgp.mit.edu/)
  • Fingerprint = F072 555B 0A17 3957 4E95 0056 F286 F14F 6648 4681

The following people helped with these releases:

  • Andrew John Hughes (applying all security patches & backports, release testing)
  • Omair Majid (identification of ordering issues with security patches, porting security patches to 1.12)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea-1.12.1.tar.gz
$ cd icedtea-1.12.1

Full build requirements and instructions are in INSTALL:

$ ./configure [--with-parallel-jobs --enable-pulse-java
--enable-systemtap ...]
$ make

Happy hacking!

The IcedTea project provides a harness to build the source code from OpenJDK using Free Software build tools, along with additional features such as a PulseAudio sound driver and support for alternative virtual machines.

A new security release is now available for the OpenJDK 6 series: 1.11.6. An update for the recent release, 1.12.1, will follow shortly,as will updates for 7: 2.1.5, 2.2.5, 2.3.5 and eventually a 2.4.1. (2.4.0 will sadly have to now be just another tag release). Regarding 7, we’ve hit bootstrapping issues that we’re trying to work around so it can still be built with OpenJDK 6, but if you fancy rolling your own using an earlier build of 7, the forests are already up-to-date for 2.3 and the IcedTea7 2.3 repository will be as well, shortly (allowing Classpath JDK builds too).

The update contains the following security fixes:

Full details can be found below.

What’s New?

New in release 1.11.6 (2012-02-03)

The tarball can be downloaded from:

SHA256 checksum:

  • 1d4efe74bf8902c6682512ddb3cf71620e4fe107d1fb364b71453b551860fcca icedtea6-1.11.6.tar.gz

Each tarball is accompanied by a digital signature available at the above ‘sig’ link. This is produced using my public key. See details below.

The following people helped with these releases:

  • Andrew John Hughes (applying all security patches & backports, release management)
  • Omair Majid (identification of ordering issues with security patches)

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea-1.11.6.tar.gz
$ cd icedtea-1.11.6

Full build requirements and instructions are in INSTALL:

$ ./configure [--with-parallel-jobs --enable-pulse-java
--enable-systemtap ...]
$ make

Happy hacking!

Or the blog that wanted to be a talk… ;-)

Disclaimer: as usual for this blog, these are my personal thoughts, and not necessarily those of Red Hat.

The History

IcedTea started at Red Hat in the summer of 2007 as a means to deal with the requirements of building the new OpenJDK source code base on GNU/Linux platforms using only Free Software build tools. The OpenJDK source code was (and still is, to a large extent) built on a completely different set of inherent assumptions to those held by a GNU/Linux distribution packager; it was designed to produce a set of binaries which Sun could ship and which would run on as many platforms as possible with as few dependencies as possible. In contrast, a packager wants to make use of existing packages as much as possible, because this reduces the support footprint of the package. In fact, not bundling libraries is a requirement on some distributions, such as Fedora, one of Red Hat’s primary targets. It also didn’t matter too much to Sun what tools were used to build the JDK, as long as they were available and didn’t impact on the end result; the binaries. In contrast, distribution builds need to work with tools available within the distro and often without network access.

When OpenJDK first shipped, a proprietary JDK was required to build and some parts were still in process of being opened up, and so were provided by proprietary binary blobs. Red Hat did an admirable job of fixing things, within the auspices of IcedTea, within a month of the first OpenJDK source code drop, so that OpenJDK could be built and run with Free Software tools, using parts of GNU Classpath to replace some of the plugs. This was packaged in Fedora and provided an early version of what would become OpenJDK 7 to its users.

The Progress of Time

The situation has changed in the four and a half years since IcedTea first appeared, both in terms of OpenJDK and IcedTea itself. When OpenJDK started, code was provided simply as tarballs. There were no source code repositories and no bug tracker. The first of those changed by December 2007 when the Mercurial repositories were first populated. We’re still waiting on the latter, though there has been a Bugzilla experiment in the interim. Thus, IcedTea was setup as a place to do work on OpenJDK because there was no other place. Now, that there is, with its own groups, projects, repositories and bylaws, and with the proprietary plugs long a thing of the past, we have to question whether IcedTea is still required.

A number of issues arise when we start to consider dropping IcedTea and moving work upstream:

  • IcedTea still contains a lot of local patches. Progress is being made on getting these into OpenJDK, but it’s still a very slow process. A patch that is ok for the users of IcedTea needs to be reconsidered and often even rewritten for adoption in OpenJDK. A large amount of work was done in that area prior to the first release of IcedTea 2.x (the OpenJDK 7 series); notably, the system library patches were written to become build options rather than a one-way transition to using the system versions. However, the origin and need for some patches is hard to trace, and of course, work continues so new patches are needed all the time.
  • IcedTea is now home to a number of other sub-projects;

    • it has support for replacing HotSpot with CACAO or JamVM
    • it has its own fork of the jtreg testsuite so it can be built easily and used to test the build
    • it has a PulseAudio sound driver
    • it includes a plugin and web start implementation which aren’t present in OpenJDK; this started in IcedTea itself, but was split off into its own repositories and development cycle (IcedTea-Web), so it wasn’t tied to IcedTea releases.
    • It includes an ARM32 port which, for licensing reasons, can probably never go upstream.
  • Working in OpenJDK requires signing a contributor agreement with Oracle and working with a team overwhelmingly dominated by Oracle employees, where occasional things happen behind closed doors (though the new governing bylaws and IBM’s involvement seem to have reduced this a little). Some people just feel a lot more comfortable putting their patch in IcedTea instead, which is much more akin to a traditional FOSS development project.

The Future

With the advent of OpenJDK 8 later this year, it comes time again, as with 7, to consider whether and how IcedTea should continue. In that respect,I’d like to use this blog to ask people for their thoughts on the matter, in particular how they see their ability to work with IcedTea as opposed to OpenJDK.

From my perspective, I think we could move to a situation, on a technical basis, where we work primarily with OpenJDK itself, with the odd patch that needs to be applied locally. My main concerns are with release management. IcedTea has followed a traditional path of updating existing releases with security updates and providing new releases with feature improvements. In the case of the work on 7, these have mirrored the upstream 7u project as close as possible. However, the situation upstream leaves a lot to be desired. Security updates are not applied to the last 7u release tree, instead being applied to the next in-development version. This leaves open the question of how do we get these security fixes out to users if we don’t have IcedTea? Moreover, the release process lacks transparency, and releases such as u10 have just been withdrawn with little explanation. If, for 8, we were to work closer to upstream, this would need to change.

I do see IcedTea continuing in some form, at the very least for things like CACAO & JamVM. If it continues as a patch provider, then I strongly suggest we start afresh from OpenJDK and only apply what patches are needed, with solid written reasoning for each one, rather than dragging along the baggage from 6 and 7.

Thoughts?

Update: It appears a question mark is too subtle for most people… :) So I changed the title.