Hi,

I am currently evaluating the possibility of building a Java application server intended for critical production use from scratch using HLFS and JDK-1.5.0 from the BLFS and MySQL from the BLFS.

There might be an advantage in building the JDK from scratch, as potential buffer overflow holes in the Sun JVM could be prevented from being exploited by compiling the JDK with a stack-smashing-protected compiler. This might be useful, as the only service this machine would offer would be a Java application running on this JVM. So a remote attack would only be successful if the attacker could exploit:

1) A bug in the Java application itself.
2) A bug in the JVM of Sun.
3) A bug in the Linux kernel.
4) Maybe also a bug in the glibc.

This is why I figure that (besides an excessive auditing of the source code of the Java application), building an HLFS system and compiling the JVM from scratch with an SSP compiler might be a useful measure to improve security.

However, I have trouble determining if the JDK-1.5.0 build from scratch is really intended for critical production use, or for research purposes only: the downloaded source code from Sun is labeled as jdk-1.5.0. Also, each and every source code file within the .zip archive is dated 2004-10-19, which is roughly the release date of JDK 1.5.0_00. So I have the following questions:

1) Is the JDK build from scratch described in http://www.linuxfromscratch.org/blfs/view/svn/general/jdk.html a build of 1.5.0_00 or 1.5.0_04?
2) Is it possible to obtain a patch set from Sun to patch the JDK source code from 1.5.0_00 to 1.5.0_04?
3) Do you think it is sane to deploy a mission-critical Java application on HLFS + a self-compiled JDK?

Thanks,
Mike.
