Hi Rory,

Derby builds and tests cleanly against Open JDK 17-ea+26-2439 after suppressing the deprecation warnings introduced by JEP 411. Our experience is documented in a security-...@openjdk.java.net email thread titled "blizzard of deprecation warnings related to JEP 411" and in comments dated between 2021-06-15 and 2021-06-18 on https://issues.apache.org/jira/browse/DERBY-7110.

On 6/14/21 11:20 AM, Rory O'Donnell wrote:
Hi Rick,

Excellent feedback, I suggest you send this information to the security-dev [1] mailing list to demonstrate the impact it is having on you and others. Make sure to subscribe first.

Rgds, Rory

[1] security-...@openjdk.java.net

On 14/06/2021 16:43, Rick Hillegas wrote:
Hi Rory,

Copying the Tomcat developer community since this issue probably affects them as well.

When I tried to build Derby with the Rampdown Phase One build of open JDK 17 (17-ea+26-2439), I saw many warnings related to the deprecation of Security Manager classes and methods, undoubtedly the consequence of JEP 411 (https://openjdk.java.net/jeps/411). Derby, like Tomcat, embraced the Security Manager early on. Permissions checks were rototilled across the whole code base. Our distributions ship with several template policy files, which we encourage users to customize for their environments. The "Configuring Java Security" section of our Security Guide explains how to do this (https://db.apache.org/derby/docs/10.15/security/index.html).

My build only reported the first 100 warnings. It is likely that there are many more.

Having read the summary of JEP 411, I understand the motivation for this change. However, I don't understand how applications like Tomcat and Derby are supposed to respond to the new blizzard of deprecation warnings. For instance, is there a replacement for the deprecated AccessController.doPrivileged() method? Or are we supposed to simply disable this deprecation check? Is there some security expert whom we should contact about this change and how to mitigate its effects?

Thanks,
-Rick


On 6/14/21 2:18 AM, Rory O'Donnell wrote:

Hi Rick,
*Per the JDK 17 schedule, we are in Rampdown Phase One [1].*

Please advise if you find any issues while testing the latest Early Access builds.

 * Schedule:
     o *2021/06/10       Rampdown Phase One*
     o 2021/07/15        Rampdown Phase Two
     o 2021/08/05        Initial Release Candidate
     o 2021/08/19        Final Release Candidate
     o 2021/09/14        General Availability

The overall feature set is frozen. No further JEPs will be targeted to this release.

 * Important JEPs have been integrated – Attention Required!
 * *JEP 411: Deprecate the Security Manager for Removal*
   <https://openjdk.java.net/jeps/411>
     o Deprecate, for removal, most Security Manager related classes
       and methods.
     o Warning message at startup if the Security Manager is enabled on
       the command line.
     o Warning message at run time if a Java application or library
       installs a Security Manager dynamically.
     o Deprecation is in concert with the legacy Applet API (JEP 398).
 * *JEP 407: Remove RMI Activation* <https://openjdk.java.net/jeps/407>
     o Remove the Remote Method Invocation (RMI) Activation mechanism,
       while preserving the rest of RMI.
     o It was deprecated for removal by JEP 385
       <https://openjdk.java.net/jeps/385> in Java SE 15.
 * *JEP 403: Strongly Encapsulate JDK Internals*
   <https://openjdk.java.net/jeps/403>
     o Strongly encapsulate all internal elements of the JDK, except
       for critical internal APIs such as /sun.misc.Unsafe/.
     o It will no longer be possible to relax the strong encapsulation
       of internal elements via a single command-line option.

 * Other features integrated in JDK 17:
     o JEP 306: Restore Always-Strict Floating-Point Semantics
       <https://openjdk.java.net/jeps/306>
     o JEP 356: Enhanced Pseudo-Random Number Generators
       <https://openjdk.java.net/jeps/356>
     o JEP 382: New macOS Rendering Pipeline
       <https://openjdk.java.net/jeps/382>
     o JEP 391: macOS/AArch64 Port <https://openjdk.java.net/jeps/391>
     o JEP 398: Deprecate the Applet API for Removal
       <https://openjdk.java.net/jeps/398>
     o JEP 406: Pattern Matching for switch (Preview)
       <https://openjdk.java.net/jeps/406>
     o JEP 409: Sealed Classes <https://openjdk.java.net/jeps/409>
     o JEP 410: Remove the Experimental AOT and JIT Compiler
       <https://openjdk.java.net/jeps/410>
     o JEP 412: Foreign Function & Memory API (Incubator)
       <https://openjdk.java.net/jeps/412>
     o JEP 414: Vector API (Second Incubator)
       <https://openjdk.java.net/jeps/414>
     o JEP 415: Context-Specific Deserialization Filters
       <https://openjdk.java.net/jeps/415>

*OpenJDK 17 Early Access build 26 is available at* https://jdk.java.net/17

 * These early-access, open-source builds are provided under the
     o GNU General Public License, version 2, with the Classpath
       Exception <https://openjdk.java.net/legal/gplv2+ce.html>

 * Release Notes are available at
   https://jdk.java.net/17/release-notes

 * Changes in recent builds that may be of interest:
 * *Build 26:*
     o JDK-8268241: deprecate JVM TI Heap functions 1.0
     o JDK-8266846: Add java.time.InstantSource
     o JDK-8248268: Support KWP in addition to KW
     o JDK-8204686: Dynamic parallel reference processing support for
       Parallel GC
     o JDK-8259530: Generated docs contain MIT/GPL-licenced works
       without reproducing the licence [*Reported by Apache Maven*]
     o JDK-8266766: Arrays of types that cannot be an annotation member
       do not yield exceptions [*Reported by ByteBuddy*]
     o JDK-8266598: Exception values for
       AnnotationTypeMismatchException are not always informative
       [*Reported by ByteBuddy*]
 * *Build 25*
     o JDK-8266653: Change update mode for JDK rpm/deb installers as it
       breaks "yum update" for JDK11+
     o JDK-8263202: Update Hebrew/Indonesian/Yiddish ISO 639 language
       codes to current
     o JDK-8229517: Support for optional asynchronous/buffered logging
     o JDK-8182043: Access to Windows Large Icons


*OpenJDK 18 Early Access build 1 is now available at* https://jdk.java.net/18

 * These early-access, open-source builds are provided under the
     o GNU General Public License, version 2, with the Classpath
       Exception <https://openjdk.java.net/legal/gplv2+ce.html>
 * Issues addressed in this build - here
   <https://github.com/openjdk/jdk/compare/jdk-18%2B0...jdk-18%2B1>

*Other Topics which might be of Interest:*

 * Java Cryptographic Roadmap [2] has been updated.
 * Inside Java Newscast #6 [3]
     o a closer look at the list of JEPs of JDK 17 as well as the
       development process
 * Inside Java Newscast #7 [4]
     o discusses in greater detail `pattern matching for switch`,
       previewed in JDK 17

Rgds, Rory

[1] https://mail.openjdk.java.net/pipermail/jdk-dev/2021-June/005690.html
[2] https://java.com/en/jre-jdk-cryptoroadmap.html
[3] https://inside.java/2021/06/10/insidejava-newscast-006/
[4] https://inside.java/2021/06/13/podcast-017/
