[
https://issues.apache.org/jira/browse/SUREFIRE-1588?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16673072#comment-16673072
]
ASF GitHub Bot commented on SUREFIRE-1588:
------------------------------------------
mirabilos commented on issue #197: SUREFIRE-1588 Patch (Java7)
URL: https://github.com/apache/maven-surefire/pull/197#issuecomment-435371608
> Why this issue does not exist on Windows?
The issue is caused by a bad backport of some new security features from
OpenJDK via JDK 10 to JDK 8 in Debian, by the Ubuntu-employed maintainer and
the Debian security team.
There are a couple new checks for JAR files, and one of them triggers the
issue. According to someone who analysed the OpenJDK upstream changes, the
OpenJDK team later disabled that new check by default, but this did not get
backported to Debian.
So I expect that OpenJDK itself will enable the new check some time in the
future, at which point it will fail everywhere. For now, it only fails on
Debian and derivatives, and it’s extremely unlucky that this change was
forcefully pushed even onto stable release users prematurely, under the
umbrella of security fixes and “a deliberate upstream change”.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
> Surefire manifest jar classloading broken on latest Debian/Ubuntu Java8
> -----------------------------------------------------------------------
>
> Key: SUREFIRE-1588
> URL: https://issues.apache.org/jira/browse/SUREFIRE-1588
> Project: Maven Surefire
> Issue Type: Bug
> Affects Versions: 2.22.1
> Reporter: Cservenak, Tamas
> Priority: Major
>
> See issue [1], but in short: latest Java8 on Ubuntu/Debian/Mint family of
> Linuxes (am on Mint, Ubuntu derivative) contains this patch [3], and eforces
> Manifest class path entries to be relative, as defined in [2].
> Hence, surefire booter and rest of Maven classpath, that uses absolute URLs
> are simply discarded.
> Example error:
> {noformat}
> # Created at 2018-10-30T21:34:43.339
> Error: Could not find or load main class
> org.apache.maven.surefire.booter.ForkedBooter{noformat}
> using the new property
> {{-Djdk.net.URLClassPath.disableClassPathURLCheck=debug}} clearly shows that
> all the entries from the surefire JAR are simply ignored.
>
> [1] [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=911925]
> [2]
> https://docs.oracle.com/javase/8/docs/technotes/guides/jar/jar.html#classpath
> [3] [https://hg.openjdk.java.net/jdk/jdk/rev/27135de165ac]
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
