Eliminating Java Update Confusion
There seems to be a bit of confusion about the updates to OpenJDK. If you are puzzled, check here for more clarity and how these changes affect Java users.
Join the DZone community and get the full member experience.Join For Free
It has become clear to me, having spoken to many developers at many different events and seen recent postings on sites like Reddit, that there is still a lot of confusion about how the JDK will be delivered and updated in the future.
In this post, I'll clarify, as concisely as possible, with references to the source of the information precisely how versions of the JDK and subsequent updates will be delivered in the future. This will aid developers in making decisions about future deployments of applications on the Java platform.
- Just before the release of JDK 9, Oracle made a series of announcements about the future development of the JDK through the OpenJDK project. The first of these announcements was the move to a time-based release model. Starting with JDK 9 there are now two releases of the JDK every year, occurring in March and September.
- At the same time, Oracle announced that it would provide two binary distributions of the JDK. The Oracle JDK would continue to be delivered under the Oracle Binary Code License Agreement for Java SE. The second binary distribution is built directly from the OpenJDK source code without any modifications. This is released under the less restrictive GPLv2 license with classpath exception (CPE).
- Oracle stated that their goal was to eliminate any functional differences between these two binaries. This will be complete with the release of JDK 11 in September. To achieve this goal, certain features (such as Flight Recorder and Mission Control) have been contributed to the OpenJDK project, whilst other features (like Java Web Start and JavaFX) are being removed from the Oracle JDK.
- Oracle has moved to a long-term support (LTS) model for the Oracle JDK but not the OpenJDK binaries. An LTS release will occur every three years. JDK 8 is the first LTS release. The next will be JDK 11 and subsequently JDK 17, JDK 23, etc.
- Because there are no LTS releases of OpenJDK, every release will only receive updates for six months, until the release of the next JDK version.
- Public updates of JDK 8 will end in January of 2019. Non-commercial users will still receive updates through the automated Java updater until December 2020. The updater will not move users to newer versions of the JDK as has happened in the past.
- In a significant move by Oracle they have recently announced that, from JDK 11, the Oracle JDK binary will no longer be free for use in production. Developers will still be able to download Oracle JDK binaries and use them for development, testing and demonstrations without change. For use in a production environment, a support contract with Oracle will be required.
- Security patches and bug fixes will only be contributed in source form to the latest version of the OpenJDK. Oracle will not contribute backported updates to older versions of OpenJDK. Oracle's approach is that this work can be undertaken by the broader Java community if there is a demand for it.
The impact on Java users of these changes can be summarised as follows:
- The JDK still remains completely free for use. The thing that is changing is the availability of updates to specific versions of the JDK.
- The only free-for-use, in-production JDK binary available from Oracle (as of JDK 11) will be the OpenJDK binaries. These will only have public security patch and bug fix updates for six months, until the release of the next version.
- There is no free LTS release of the JDK from Oracle (for use in production).
- Users can continue to use any binary of the JDK (the Oracle version or OpenJDK one) indefinitely. They will not, however, continue to get updates to these JDKs once public updates end.
- Commercial users who want to continue to get security patches and bug fixes for JDK 8 or subsequent LTS releases after public updates have ended will have three options:
- Purchase a commercial support contract from Oracle.
- Use a different binary distribution of the OpenJDK, which has security patches and bug fixes backported to it. The Zulu OpenJDK binary is an example of this.
- Create their own binary distribution from the OpenJDK source code and backport updates themselves.
A Java community-led project, AdoptOpenJDK, has been started to produce free OpenJDK binaries. At the time of writing, this project is able to build binaries directly from OpenJDK source but has not determined who will undertake the (potentially complex) task of backporting updates from the current release to older versions.
Azul's Zulu distribution of OpenJDK is free but can also be delivered under a commercial support contract with agreements on the availability of updates as well as 24x7x365 or 8×5 support. Pricing for this is very reasonable compared to the other options.
Given that JDK 8 public updates will end at the start of next year users should be actively considering how they will ensure current and future deployed JDK versions are maintained for security and stability.
Have you decided what you will do?
Published at DZone with permission of Simon Ritter, DZone MVB. See the original article here.
Opinions expressed by DZone contributors are their own.