Remove OpenJDK 17

[tianon]

There no longer exist "official" (or even semi-official) vanilla builds of OpenJDK 17 suitable for our use or for publishing as "OpenJDK" (https://jdk.java.net/17/).

#493 (comment)

[tianon]

FYI to affected maintainers:

• clojure: @Quantisan @cap10morgan
• convertigo: @nicolas-albert @opicciotto
• jetty: @gregw @lachlan-roberts @olamy @joakime
• jruby: @jruby @headius @enebo
• maven: @carlossg
• tomcat: @tianon @yosifkit
• tomee: @lordofthejars @otaviojava @jgallimore @scriptmonkey

I would also suggest taking a look at docker-library/docs#2142 (which explains better why this isn't something we really can fix for this repository 😞).

[cap10morgan]

Thanks for the heads-up, @tianon! So it sounds like we downstream maintainers need to select one of the other images to base ours on? What a mess (looking at you, Oracle).

[joakime]

Thanks for creating this issue.

It will also help on our side when we eventually get the "what happened to openjdk-17 images?" questions.
We can now point them here.

[headius]

Ugh, ok. So it looks like we should be able to switch to coretto or temurin without any major impact. I expect there's going to be concerns from downstream users but I can point them back here.

[headius]

To clarify... this only affects 17+ correct? It will be a much less risky change if I can leave 11 and 8 on openjdk images.

[nicolas-albert]

Just in time before our major release 👍
I switch convertigo base to tomcat:9-jdk17-temurin.
We already use Temurin for our Eclipse based studio without issues.
Thanks for the mention !

[tianon]

To clarify... this only affects 17+ correct? It will be a much less risky change if I can leave 11 and 8 on openjdk images.

Yeah, that's correct - just the builds provided by Oracle (which is anything other than 8 and 11). However, as you might've seen with the vanilla builds of 8 and 11, they're not updated on an extreme priority (understandably, given they're vanilla builds provided with no expectation of support), so maybe just keep that in mind. 🙂

[cap10morgan]

@tianon Are these are the security vulnerabilities in 17.0.2 that are motivating a quick push to 17.0.3?

[tianon]

@cap10morgan I'm not sure what you mean in this context 😅

I do believe that 17.0.3 contains security updates, but this PR (and the openjdk official image) will not be receiving 17.0.3. 😬 🙈

[cap10morgan]

@tianon Yeah I get that openjdk won't get 17.0.3. But it seemed like there was some urgency to update to 17.0.3 (more than just the usual "oh there's a new patch release out"), so just wanted to clarify if this was the source of the urgency. But perhaps I misunderstood.

[scriptmonkey]

FYI to affected maintainers:
* tomee: @lordofthejars @otaviojava @jgallimore @scriptmonkey

Thank you for tagging us in this PR! It would seem that TomEE will be moving to Temurin.

[syphr42]

@cap10morgan CVE-2022-21449 might be a good reason to make 17.0.3 available soon, but it's unclear to me if it affects only Oracle builds.

[cap10morgan]

@syphr42 I don't think they do only affect Oracle builds. It's just that Oracle is alone in not releasing a fixed version.

[cap10morgan]

@tianon Yeah I get that openjdk won't get 17.0.3. But it seemed like there was some urgency to update to 17.0.3 (more than just the usual "oh there's a new patch release out"), so just wanted to clarify if this was the source of the urgency. But perhaps I misunderstood.

Oh, it was the description of #493 that sent me down this "it's motivated by fixing some security vulns" rabbit hole. Sorry, should have commented over there. :)