Initial impressions *matter*. For example, my local Mac updater reports I am on Java 8_121... and yet for reasons I have yet to get around to debugging, my maven is using Java 8 77. I'm someone who can figure that out without a lot of difficulty. I can tell you from tons of experience onboarding new devs to ODL, expecting that in general is too high a bar.
I get that we have in the past sometimes hit insurmountable bugs in the JVM that could only be fixed in the most recent JDK... some realities are beyond our capacity to change... but the cert situation is an unforced error where we are trading a trivial monetary savings for producing potentially a lot of initial bad experiences for prospective developers... most of whom will *not* complain, and will *not* come back, and will simply tell their friends ODL is broken out of the box. *Not* keeping a cert compatible with all versions of Java 1.8 until we've moved on definitively from Java 1.8 (ie: ODL no longer supports Java 1.8 at all, much as we've deprecated Java 1.7) is deeply penny wise and pound foolish.

Ed

On Tue, Mar 28, 2017 at 8:37 AM, Thanh Ha <[email protected]> wrote:

> On Mon, Mar 27, 2017 at 11:32 PM, Ed Warnicke <[email protected]> wrote:
>
>> Anil,
>>
>> That's nice... but at the end of the day, here's the net-net... a large subset of the world's first experience trying to do ODL development is going to be that we are inexplicably broken in a cryptic way. I strongly recommend we get a cert that is supported by *any* Oracle JDK 1.8, and wait for Oracle JDK 1.8 to be deprecated for use for ODL development (typically something that happens after 1.8 itself has EOLed) *before* using a Let's Encrypt Cert.
>>
>> Initial exposure matters tremendously, and a first experience of "It's broken" is not what we want.
>>
>> Ed
>
> FWIW I don't think using expired versions of Java is good practice either. Oracle releases regular critical security patches [1] for a reason. According to [0] JDK8 Update 77 was expired on April 19, 2016. Users of Oracle's JDK should have received warnings that a new version is available and to update.
>
> As someone who used Mac and Windows in the past, I can understand it's annoying to receive those update popups and the temptation is to ignore it but as developers working on next generation network technology I don't think it's unreasonable that we also follow good security practices and keep our tools up to date.
>
> Regards,
> Thanh
>
> [0] http://www.oracle.com/technetwork/java/javase/8u77-relnotes-2944725.html
> [1] https://www.oracle.com/technetwork/topics/security/alerts-086861.html
_______________________________________________
Discuss mailing list
[email protected]
https://lists.opendaylight.org/mailman/listinfo/discuss
