OpenJDK Plans Private Vulnerability Group
Written by Kay Ewbank   
Wednesday, 30 August 2017

The OpenJDK group is considering setting up a private group with a secure, private forum for discussing security vulnerabilities.

According to the proposal document, the forum would be somewhere:

"in which trusted members of the OpenJDK Community can receive reports of vulnerabilities in OpenJDK code bases, review them, collaborate on fixing them, and coordinate the release of such fixes."

In an email about the proposal to the OpenJDK Mailing List,  Oracle's Mark Reinhold said that the group would be unusual in several respects, due to the sensitive nature of its work:

"Membership will be more selective, there will be a strict communication policy, and members (or their employers) will need to sign a non-disclosure and license agreement."

One potential problem is that the private nature contravenes the OpenJDK Bylaws. However, Reinhold said that the Governing Board has discussed this, and that he expects that the Board will approve the creation of this Group with these exceptional requirements.

The forum is needed because there is currently no organized discussion of vulnerabilities in the OpenJDK Community. The proposal for the forum says that:

"Each non-Oracle vendor organization that ships binary products based upon OpenJDK code bases (e.g., Red Hat, IBM, SAP, and Canonical) handles security vulnerabilities mostly on its own, with occasional help via private communication with Oracle."

This is inefficient, and what private communication does occur is focused more on distributing fixes than on developing them. In addition, this approach makes no use of external contributors who have the knowledge and qualifications to help analyze and fix vulnerabilities.

The document suggests that a private forum in OpenJDK for the discussion of vulnerabilities would help the entire Java community invest in security in a coordinated fashion. It points out that other open development communities offer good models for the OpenJDK forum, including the Security Team of the Eclipse Foundation and the Security Group of the WebKit Project.

More Information

OpenJDK Vulnerability Group Proposal