Java security patch breaks Guava library
Widely-used Google toolkit is affected by subtle change in JDK 7u51, but Oracle says its not an issue.
A small security fix in Java update 51, released last week, appears to be incompatible with the popular Google Guava library.
However, Oracle have so far refused to revert the change, which according to the changelogs was meant to “enhance generic classes”.
Soon after Java 7u51 was released, IBM engineer Robert McKenna filed an issue in the JDK bug tracker:
Within half an hour the ticket was closed by Oracle staffer Joel Borggrén-Franck, who said that it was “indeed intended” and “not an issue”. However, to Google Guava and the many projects that rely on it, it is indeed an issue, breaking an essential part of the widely-used library. For example, Apache jclouds, which provides a generic API for multiple cloud services, experiences issues when searching for interface implementations – a ‘critical’ bug. To give a sense of how ubiquitous Guava is, just read through the list of jcloud users, which includes Twitter, Red Hat, Rackspace, Salesforce, CloudBees, Apache Camel and Adobe. Reddit commentators subsequently weighed in on the issue. In response to finger-wagging over Guava using a supposedly undocumented internal feature, user tavianator noted:
sun.reflect.generics.reflectiveObjects.TypeVariableImpl does not honor equals in the same way that it did in update 45. It now checks the parameter to the equals method to ensure that it is an instance of TypeVariableImpl.
The Guava code doesn’t actually use the internal API to my knowledge. What they are doing is attempting to make an implementation of the (public) interface TypeVariable that compares equal() to ones returned by the JVM. But the new version of the JDK makes this impossible.Regardless of who is in the right, until the issue is resolved Guava users might want to think twice before updating to the newest Java release. Photo by Rajesh Dangi.
The spec doesn’t say explicitly whether this should work, but they certainly aren’t using any internal APIs, just un- or under-documented behaviour.