Michael Meyer wrote: > Hi, > > I am currently evaluating the possibility of building > a java application server intended for critical > production use from scratch using HLFS and JDK-1.5.0 > from the BLFS and MySQL from the BLFS. There might be > an advantage in building the JDK from scratch as > potential buffer overflow holes in the Sun JVM could > be prevented from being exploited by compiling the JDK > with the a stack smashing protected compiler. This > might be useful as the only service this machine would > offer would be a java application running on this jvm. > So a remote attack would only be successfull if the > attacker could exploit > 1) A bug in the Java application itself. > 2) A bug in the JVM of sun. > 3) A Bug in the Linux kernel. > 4) Maybe also a bug in the glibc. > This is why I figure that (besides an exessivly > auditing of the source code of the java application), > building a HDLS system and compiling the JVM from > scratch with a SSP-Compiler might be a useful measure > to improve security. > > However, I have trouble determining if the JDK-1.5.0 > build from scratch is really intended for critical > production use, or for research purposes only: The > downloaded source code from Sun is labeled as > jdk-1.5.0. Also the each and every source code file > within the .zip archive is dated 2004-10-19. Which is > roughly the release date of JDK 1.5.0_00. > > So I have the following questions: > 1) Is the JDK build from scratch described in > http://www.linuxfromscratch.org/blfs/view/svn/general/jdk.html > a build of 1.5.0_00 or 1.5.0_04?
1.5.0 with 1 patch from 1.5.0_02. > 2) Is it possible to obtain a patch set from Sun to > patch the JDK-source-code from 1.5.0_00 to 1.5.0_04? No. I've be proding and probing around for this one for a while. I've managed to extract a whoping 6 of ~120 Linux specific patches IIRC for 5.0, from the 6.0 sources. 6 is about as useful as...well I've not bothered with it in a long while. This situation will hopefully get better as we move into 6.0. I'm still going to try to get at the patches, but finding the right person at Sun to complain to is the probably the first uncompleted step. :-) > 3) Do you think it is sane to deploy a mission > critical java application on a HLFS + self compiled > JDK? Sun doesn't. I guess it depends on your definition of sane. I suppose most important is to review the changelogs from the binary releases, and decide wether an SPP build is better than any security changes...not to mention functionality changes. I'd guess the answer you'll find is no. -- DJ Lucas -- http://linuxfromscratch.org/mailman/listinfo/blfs-dev FAQ: http://www.linuxfromscratch.org/blfs/faq.html Unsubscribe: See the above information page
