-2
  1. At one place I got this information: "With Oracle's new licensing policy you can select any 2 from Stable, Secure, Free." This statement suggests that if I want to select Stable and Secure, then I cannot be free, meaning I have to use Oracle JDK and pay for a license.

  2. In other places I have read that the open source community will make sure to update OpenJDK.

If I am using OpenJDK 8 in production, will I get security updates for OpenJDK?

Is updating to a newer OpenJDK version the only solution? Even if I move to a newer version (suppose LTS version OpenJDK 11*) for now, the same question will come up in the future about getting security updates.

I know about the new Oracle release cadence and license policy. I am also aware of the similarity of OpenJDK and Oracle JDK (starting from version 11), but my question is specific to OpenJDK updates.

*LTS version OpenJDK 11: I am not sure if I should call any OpenJDK version LTS :)

W. Churchill
hsingh
  • I don't believe that a single "right" answer to this question is possible, and therefore this is not an appropriate question for Stack Overflow. I expect that you'll get one set of answers from Oracle, and another from the maintainers of the OpenJDK. For any particular release, "Stable" and "Secure" will always be relative terms... especially "Secure". Nothing is perfectly secure. From where did you read #1 above? Just curious (guessing an Oracle resource). – CryptoFool Jun 16 '19 at 05:38
  • Since your question is predicated on the quote you cite about Oracle's policies in bullet point #1, please update your question with a link to that quote. I can't find it anywhere, and I'm curious about it as well. – skomisa Jun 16 '19 at 05:47
  • 2
    I'm voting to close this question as off-topic because this community is about programming problems. It is not about legal advice on licensing models of some 3rd party service. – GhostCat Jun 16 '19 at 06:31
  • There should be a SO site for opinion based questions too, IMO. Opinions are sometimes helpful. – Praveen Tiwari Jul 29 '19 at 15:00

1 Answer

2

I believe that you got the idea of "Stable, Free, Secure" from https://www.azul.com/java-stable-secure-free-choose-two-three/

First of all, be aware that there is a hidden agenda behind propositions like this. They (in this case Azul) want you to pay for support. This is also true of Oracle, and most if not all other Java vendors / distributors. (Even the major Linux distro vendors who include openjdk packages want you to pay for distro support.)

This is not necessarily a bad thing. At the end of the day, Java developers have to be paid to work, and it is not unreasonable to expect people who rely on Java to contribute their share.


The answer is that it depends on whether some organization "steps up to the plate" to do the work of applying or backporting security updates from Oracle (and possibly other vendors) to the codebase of a given OpenJDK LTS release when the OpenJDK team stops doing it. Azul say that they will do this for paying customers, and by implication for paying customers only.

Q: Could some other organization do this "for free"?

A: Possibly. It depends on whether they can afford to, and whether Oracle decides to limit availability of security patches in a way that would prevent this.

But we don't know, because we can't predict the future. And on the other hand, we can't reliably predict whether (say) Azul will still be in the business of supporting Java in the future. Or even if they will still be in business.

This kind of uncertainty is normal in the IT sector. You / your organization just need to make decisions based on what you know, and adapt if the decisions prove to be wrong in the future.

Stephen C
  • That means, as of now there is no guarantee of getting "free" security updates for an OpenJDK version for a long time. Which also means: keep updating the OpenJDK version every six months to get the latest security updates. In short, the word "LTS" is meant only for paid Oracle JDK versions. – hsingh Jun 16 '19 at 12:19
  • 1
    hsingh - don't worry, OpenJDK 8 security updates are available and planned for a few more years, courtesy of Andrew Haley @RedHat. You can download the updates from https://wiki.openjdk.java.net/display/jdk8u/Main. Read Andrew's blog posts on this: https://developers.redhat.com/blog/2018/09/24/the-future-of-java-and-openjdk-updates-without-oracle-support/ https://developers.redhat.com/blog/2019/05/22/openjdk-8-and-11-still-in-safe-hands/ – Praveen Tiwari Jul 29 '19 at 14:57
  • You could also use Azul community builds https://www.azul.com/downloads/zulu-community/ or Amazon Corretto https://aws.amazon.com/corretto/faqs/. Both are very reliable and provide LTS for Java 8 and 11. Enjoy. – Praveen Tiwari Jul 30 '19 at 02:31
  • I think that hsingh was looking for guarantees (... the kind that are written in blood ...). Such things don't exist in the IT world. Even Oracle's guarantees are only good until they decide to change their license policy (again) for future releases. Or jack up the prices. – Stephen C Jul 30 '19 at 02:39