maven-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SUREFIRE-1588) Surefire manifest jar classloading broken on latest Debian/Ubuntu Java8
Date Fri, 02 Nov 2018 13:01:00 GMT

    [ https://issues.apache.org/jira/browse/SUREFIRE-1588?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16673072#comment-16673072
] 

ASF GitHub Bot commented on SUREFIRE-1588:
------------------------------------------

mirabilos commented on issue #197: SUREFIRE-1588 Patch (Java7)
URL: https://github.com/apache/maven-surefire/pull/197#issuecomment-435371608
 
 
   > Why this issue does not exist on Windows?
   
   The issue is caused by a bad backport of some new security features from OpenJDK via JDK
10 to JDK 8 in Debian, by the Ubuntu-employed maintainer and the Debian security team.
   
   There are a couple new checks for JAR files, and one of them triggers the issue. According
to someone who analysed the OpenJDK upstream changes, the OpenJDK team later disabled that
new check by default, but this did not get backported to Debian.
   
   So I expect that OpenJDK itself will enable the new check some time in the future, at which
point it will fail everywhere. For now, it only fails on Debian and derivatives, and it’s
extremely unlucky that this change was forcefully pushed even onto stable release users prematurely,
under the umbrella of security fixes and “a deliberate upstream change”.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


> Surefire manifest jar classloading broken on latest Debian/Ubuntu Java8
> -----------------------------------------------------------------------
>
>                 Key: SUREFIRE-1588
>                 URL: https://issues.apache.org/jira/browse/SUREFIRE-1588
>             Project: Maven Surefire
>          Issue Type: Bug
>    Affects Versions: 2.22.1
>            Reporter: Cservenak, Tamas
>            Priority: Major
>
> See issue [1], but in short: latest Java8 on Ubuntu/Debian/Mint family of Linuxes (am
on Mint, Ubuntu derivative) contains this patch [3], and eforces Manifest class path entries
to be relative, as defined in [2].
> Hence, surefire booter and rest of Maven classpath, that uses absolute URLs are simply
discarded.
> Example error:
> {noformat}
> # Created at 2018-10-30T21:34:43.339
> Error: Could not find or load main class org.apache.maven.surefire.booter.ForkedBooter{noformat}
> using the new property {{-Djdk.net.URLClassPath.disableClassPathURLCheck=debug}} clearly
shows that all the entries from the surefire JAR are simply ignored.
>  
> [1] [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=911925]
> [2] https://docs.oracle.com/javase/8/docs/technotes/guides/jar/jar.html#classpath
> [3] [https://hg.openjdk.java.net/jdk/jdk/rev/27135de165ac]



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Mime
View raw message