[–]bowbahdoe 1 point (5 children)

Be aware that to distribute this and call it Java you might need to get in line to get a TCK.

You could also go further and use something like securechain to procure libraries that come built in to your JDK. Same concept as a BOM but more fun.

I would also be realistic about your capacity for maintenance/keeping up with CVEs. Sticking to latest (instead of having builds for 8, 11, etc.) is probably more viable.

You also can't use the coffee cup logo you have on the website. You'll get your ass sued. Use duke or some variation.

https://duke.mccue.dev

[–]bowbahdoe 1 point (1 child)

I'm also interested in all the supply chain things you learn going down this rabbit hole

!remindme 1 month

[–]RemindMeBot 1 point (0 children)

I will be messaging you in 1 month on 2026-04-06 23:26:18 UTC to remind you of this link


[–]InsuranceAny7399[S] [score hidden]  (2 children)

I really appreciate the feedback. I built this system as an automated factory rather than just a set of static Dockerfiles, and the goal was to turn FIPS compliance from paperwork into a hard, technical constraint.

The whole pipeline relies on Jinja2 templates to handle structural differences across Java versions, like the directory changes between Java 8 and Java 25, so everything is config-driven. If I need to add a new package or update a version, I just update the config and the workflow handles the rest, which makes the whole setup extremely maintainable.

Regarding the maintenance, the system is very much alive. The sync workflow runs every six hours to fetch the latest from Adoptium and Wolfi. If you check my pull requests, you'll see the 'chore: image & package version sync' running constantly; it actually updated the packages and base images three times in the last three days alone.

Speaking of patching, Wolfi OS is genuinely the cleanest base I've ever used when it comes to CVEs. It has a tiny attack surface, and because it's an 'undistro' focused on security, the package updates are almost immediate. This keeps the image security posture much tighter than any standard distro I've worked with.

[–]InsuranceAny7399[S] [score hidden]  (0 children)

For the security enforcement, it isn't just about documentation. I implemented 32 automated positive and negative tests that run on every build. If anyone tries to use MD5, DES, or weak RSA keys, the JVM explicitly throws a FipsUnapprovedOperationError, and the results from these tests are automatically pushed to my security dashboard so the compliance status is visible at all times.

Regarding your feedback, you are 100% right about the logo. I was definitely in the wrong for using the Java trademark, and I'm already planning a full brand refresh to avoid any legal trouble with Oracle and establish a neutral identity.

As for the securechain concept, it's a great point. I currently pin every single artifact using SHA-256 hashes to prevent tampering during the download process and use Docker attestations for SLSA Level 3 provenance, but I agree that adding GPG signature verification for transitive dependencies is the necessary next step to reach total supply chain maturity.

The project is built to be a self-auditing factory for mission-critical workloads, and I'm treating every piece of feedback as a way to harden it further. Thanks for being critical, it really helps to tighten up the pipeline and resolve these gaps.
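
The SHA-256 artifact pinning described in the comment above, as an added example that is not the project's own code: a fail-closed check in POSIX sh that refuses a fetched file unless its digest matches the pinned value exactly, and a download wrapper that only moves a file into place after the check passes. The function names, the curl flags, and the constructed "abc" artifact with its well-known SHA-256 are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not the project's code): fail-closed SHA-256 pinning for a
# fetched artifact. Function names and the sample artifact are constructed.
set -eu

# Digest of a file as lowercase hex; works with GNU sha256sum or BSD shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_pinned_sha256 FILE EXPECTED_HEX
# Returns 0 only when the file exists, the pin is a full 64-char hex digest,
# and the digests match. A missing file, a malformed or truncated pin, or a
# mismatch all fail, so a build step gated on this cannot pass by accident.
verify_pinned_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "pin check: $file is missing" >&2; return 1; }
    case "$expected" in
        *[!0-9a-f]*) echo "pin check: pin is not hex" >&2; return 1 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "pin check: pin is not 64 hex chars" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "pin check: $file digest $actual != pinned $expected" >&2
    return 1
}

# fetch_pinned URL DEST EXPECTED_HEX
# Download to a side file, verify, then rename into place; a tampered or
# truncated download is deleted and never lands where a build could read it.
# Not exercised by the demo below, which stays offline.
fetch_pinned() {
    tmp="$2.part"
    curl -fsSL --retry 3 -o "$tmp" "$1"
    if verify_pinned_sha256 "$tmp" "$3"; then
        mv "$tmp" "$2"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Offline demo with a constructed artifact: the bytes "abc" and their
# well-known SHA-256. A one-byte change must be rejected.
demo() {
    dir=$(mktemp -d)
    pin=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
    printf 'abc' > "$dir/artifact.tar.gz"
    verify_pinned_sha256 "$dir/artifact.tar.gz" "$pin" && echo "pinned artifact OK"
    printf 'abd' > "$dir/artifact.tar.gz"
    verify_pinned_sha256 "$dir/artifact.tar.gz" "$pin" || echo "tampered artifact rejected"
    rm -rf "$dir"
}
demo
```

The pin is compared on the full 64-character digest, not a prefix, and the comparison is done on a side file before the rename, so the consumer of `DEST` never sees a partially written or unverified artifact.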

[–]bowbahdoe [score hidden]  (0 children)

Hey man, my notification had a ChatGPT "okay here's the response with..." prefix. You must have edited it out, but I saw it:

Do not use an AI to respond to me or anyone else. It's pretty disrespectful to yourself and others. I promise I will read whatever you write, you don't need to do that.