Many of them took a long time (as late as last year, I was still seeing "fix something which breaks in Java 9" in library changelogs), and sometimes the compatibility with Java 9 was only available on a newer major release of the library, which sometimes required upgrades to major releases of other libraries, and so on, and to make it even more painful some of these major releases dropped support for older Java releases like Java 7, which some of your clients might be using.

> and so many shops decided to wait until the "LTS" Java 11 came along to make the jump

Even if they didn't decide to wait, they had to wait until all libraries they depend on made the jump. Don't think that if the vendor calls something LTS and ships updates that include some fixes you're actually getting some fully-maintained JDK.

BTW, AdoptOpenJDK is not affiliated or involved with OpenJDK, and is made by an IBM team that is exceptionally uninvolved and unfamiliar with OpenJDK compared to all other OpenJDK distributions (Oracle, Red Hat, SAP, Azul, Bellsoft, and Amazon). The only version that is fully and freely maintained is the current one, and it also offers the cheapest upgrade process and the best performance. Important production software should use either the current version (free) or buy an LTS service for an old version from some trusted vendor. "Free LTS" offerings are only recommended for legacy hobby projects. no "free LTS" offers patches for, say, CMS or Nashorn, and multiple other components that exist in 11 or 8 but not in 16). Free offerings that call themselves LTS are just builds of the OpenJDK Updates project, that backports fixes from mainline, and so only includes fixes for the intersection of the old version and the current one (i.e. If we define LTS to at least include long-term maintenance in the form of bug and security fixes of the entire JDK, then no one offers a free LTS.
Different vendors can call LTS whatever they like, and what that actually entails depends on the vendor. OpenJDK (the source of most JDK distributions) has no concept of LTS (e.g., you'll find no mention of LTS here: ). Sadly, while Java is otherwise careful to enforce various standards, anyone is free to call whatever they like LTS.

Depending on the OS, credentials can include other information, like PID. None of these are defined by POSIX but the capability is supported one way or another on all the extant Unix systems.) Years later OpenBSD eventually adopted the SO_PEERCRED approach, which is what Linux uses, and made getpeereid a wrapper, because sometimes it's not worth swimming upstream. (At the time OpenBSD provided getpeereid for querying peer credentials, but Postgres only supported SO_PEERCRED and some other mechanisms. I submitted a patch many years ago so this would work on OpenBSD. I'm pretty sure Postgres supports this; that is, you can configure Postgres to allow user foo to access DB bar without a password, token, or signed cert. for temporary files, etc), though it's a tad more leg work so unfortunately people rarely use that pattern.

But all Unix systems also support querying credentials over Unix domain sockets, where "credentials" basically means the UID and GID of the peer, which permits supporting user- or group-based authentication without passwords. In fact, using directories this way is almost always the superior option (e.g. That's perfectly portable, presumably even to Windows, and also avoids umask races. You can just create a directory with the restrictive permissions and then bind the socket into that directory.
Interestingly, on Linux you can fchmod the descriptor before calling bind, which is better than temporarily changing the umask around bind as it's not thread friendly - the umask is global so would affect whatever files are being opened in other threads at that moment.

But you don't need to rely on the permissions of the socket file inode itself. (I always forget how AIX, macOS, FreeBSD, NetBSD, and OpenBSD behave.) But even on Linux there's the classic race condition if your umask isn't set correctly when you invoke bind. The Linux kernel obeys access permissions on the file inode, but Solaris doesn't. This is dependent on the operating system.

> Unix domain sockets have filesystem-based access controls