2

With changes in JDK licensing agreement from Oracle, companies are switching to OpenJDK.

My question is - which distribution of the OpenJDK would be a better choice? I am evaluating Oracle Open JDK and AdoptOpenJDK, and they both seem to be an ideal choice. However when it comes to support, Oracle OpenJDK is following a 6 month release cadence without any Long term support, however AdoptOpenJDK has LTS for Java version 8 and 11. So if I switch to Oracle OpenJDK, then I will have to follow the new release cadence to be up to date with security patches (I don't care much about the new features), however if I switch to AdoptOpenJDK, then I can go with one of their LTS version (11), and expect the new security patches will be applied to this version. My main concern is, I wanted to be up to date with Java security updates after switching to OpenJDK distribution.

References https://www.reddit.com/r/java/comments/9hd97k/openjdk_vs_adoptopenjdk/

https://www.baeldung.com/oracle-jdk-vs-openjdk

Vicky
  • I like [Corretto](https://docs.aws.amazon.com/corretto/latest/corretto-11-ug/what-is-corretto-11.html), but there are other choices. Sadly, your question boils down to opinion. No one knows which distribution is going to prove "ideal" in all circumstances. – Elliott Frisch Mar 15 '20 at 03:27
  • If you want a watertight guarantee that you will get all of the Oracle security patches to an LTS JDK, stay with Oracle. For anything else, you are depending on another vendor to integrate the Oracle-originated patches in their version. OTOH, you are also relying on Oracle (or someone else) continuing to create and distribute the patches in the first place. As Elliott says, any predictions of future vendor behavior are pure opinion. – Stephen C Mar 15 '20 at 04:12
  • (As they say, only two things are certain in the world: death and taxes.) – Stephen C Mar 15 '20 at 04:13

1 Answer

5

tl;dr

If you want the most rapid release of critical security patches, pay for a support plan from a vendor such as Azul systems, BellSoft, Oracle, Pivotal, or Red Hat (IBM).

To better understand the current state of the world of Java releases, you really should study the document Java Is Still Free, written by the Java Champions community of independent Java leaders and experts.

Details

> With changes in JDK licensing agreement from Oracle, companies are switching to OpenJDK.

To be clear here, you may be referring to Oracle changing the terms to their Oracle JDK product to require a fee when used in production. That product is still free-of-cost for use in development, testing, and such.

> My question is - which distribution of the OpenJDK would be a better choice?

Answering that depends on the criteria important to you. But you did not mention any criteria other than needing security updates rapidly (more on that below).

> I am evaluating Oracle Open JDK and AdoptOpenJDK, and they both seem to be an ideal choice.

Be clear on this: The OpenJDK project publishes source code only, not builds nor installers. Many vendors provide builds/installers based on the OpenJDK source code.

Oracle is one such vendor, providing three products:

  • Oracle JDK — their branded product requiring a fee for production use, with paid support available.
  • jdk.java.net — a build of OpenJDK without any fees and without any support.
  • GraalVM — a special product, a Java VM and JDK based on HotSpot/OpenJDK, implemented in Java, and supporting additional programming languages and execution modes, like ahead-of-time compilation of Java applications for fast startup and low memory footprint.

All three of these are based on OpenJDK source code. The first and last offer paid support programs.

Oracle has publicly declared their intent to keep Oracle JDK at feature-parity with OpenJDK. Oracle sponsors the OpenJDK project as part of that commitment. At the same time, Oracle reserves the right to rapidly release any critical security patch to their paying customers. They will eventually submit such patches to the OpenJDK project. But those submitted patches are likely to take more time to go through the OpenJDK process before being released.

AdoptOpenJDK is another vendor offering builds and installers of the OpenJDK source code base. So, again, any critical security patches may not reach the public free-of-charge as fast as a patch from another vendor to their paying customers.

Here is a flow chart I made to help guide you in your selection of a vendor for a Java implementation. You have a variety of choices, some with support options.

[Figure: Flowchart guiding you in choosing a vendor for a Java 11 implementation]

> However when it comes to support, Oracle OpenJDK is following a 6 month release cadence without any Long term support, however AdoptOpenJDK has LTS for Java version 8 and 11.

I believe you are incorrect here. Oracle does maintain LTS updates to their Oracle JDK product for both Java 8 and Java 11, for some number of years to the public, and for additional years to their paying customers.

The Java community is much more cooperative in working together than you may understand. Every implementation of Java I know of is largely based on the OpenJDK project. The OpenJDK project is supported by Oracle, Apple, IBM, SAP, and possibly others. Amazon, Microsoft, and other companies contribute. The rapid release train and Long-Term Support (LTS) strategy has been embraced by the entire Java community.

Oracle has turned over stewardship of the LTS versions 8 and 11 to Red Hat, but Oracle continues to support them both. See the Oracle Java SE Support Roadmap for details.

> So if I switch to Oracle OpenJDK, then I will have to follow the new release cadence to be up to date with security patches

Every Java implementation I know of is following along the same release cadence.

> (I don't care much about the new features),

Then you should certainly stick to using only the LTS versions. Currently that would be Java 8 and Java 11.

> If I switch to AdoptOpenJDK, then I can go with one of their LTS version (11), and expect the new security patches will be applied to this version.

You can expect security patches from any vendor providing a Java implementation. The question is how rapidly those patches will arrive to you.

> My main concern is, I wanted to be up to date with Java security updates

Then I recommend you purchase a paid support plan from a reliable vendor. You have a choice of several. See the left side of the blue barrel in my diagram above.

If you think the chance of a critical security vulnerability affecting you specifically is exceedingly low, or that you are likely to be able to mitigate such a vulnerability, then the cost of a support plan may not be worth it to you. In this case, you would wait for a newer free-of-cost release. You may be waiting longer than you would with a paid vendor.

> after switching to OpenJDK distribution.

Every Java implementation I know of being distributed today is based on OpenJDK.

Here is another graphic listing possible motivations for choosing a particular vendor for your Java implementation.

[Figure: Motivations in choosing a vendor for Java]

Basil Bourque
  • Bear in mind that the last graphic is opinion. (I am sure that if you asked the sales folks for some of the listed vendors, they would offer different opinions :-) ) – Stephen C Mar 15 '20 at 06:01
  • @StephenC Well, I tried for mostly fact and only a little opinion (hence the word *possible*). The graphic is from a slide in a talk where I do more explaining. As for fact, OpenJ9 is only available from AdoptOpenJDK, afaik. The purpose of Corretto is to match closely the deployment environment of Amazon AWS. Zing and GraalVM are the only two special needs products I know of. OpenJFX is only bundled with Liberica, afaik. The first item, the shrug, merely means that a newbie or someone overwhelmed by the choices might as well start out by accessing AdoptOpenJDK, though others can work too. – Basil Bourque Mar 15 '20 at 06:07
  • I am not disagreeing with your opinion. (I actually concur with it.) I am just pointing out that it is opinion ... and that probably should be stated. – Stephen C Mar 15 '20 at 06:10
  • @StephenC Can you cite specifically the opinionated elements? – Basil Bourque Mar 15 '20 at 06:46
  • Well put it this way. An Oracle salesman would NOT advise that the default option should be to use OpenJDK. They would probably say that an Oracle JDK + a subscription should be the default choice. That is an opinion ... which makes your default recommendation an opinion too. (Unless you can provide indisputable evidence that the salesman's arguments are invalid.) I could probably dig deeper and find other examples too. – Stephen C Mar 15 '20 at 06:53
  • All I am saying is ... add a disclaimer: "These are my opinions ..." – Stephen C Mar 15 '20 at 06:56
  • The Azul Zulu Community builds of OpenJDK should at least be mentioned as an alternative to AdoptOpenJDK. – Stefan Zobel Mar 15 '20 at 23:24
  • @StefanZobel *Zulu* is mentioned at least twice, as is the *Zing* product, both from Azul Systems. And Azul Systems is part of the AdoptOpenJDK community. – Basil Bourque Mar 15 '20 at 23:29
  • Sure, but "pay for a support plan from a vendor such as Azul systems" gives the impression that you necessarily have to pay to use an OpenJDK build from Azul which is not the case. That's what I was after. – Stefan Zobel Mar 15 '20 at 23:40
  • @StefanZobel I changed the flow chart to show *Zulu Enterprise* and *Zulu Community* products separately, to clarify. – Basil Bourque Mar 16 '20 at 00:04
  • @Basil (flow chart) If I select `I want free of cost` and later select `just develop, test, ..` the path leads to OracleJDK. AFAIK this is only true for open source developers. Developers in an enterprise environment or a commercial background have to pay to use OracleJDK even if they just develop. – Robert Mar 16 '20 at 18:43
  • @Basil or to be precise: Installing OracleJDK without a paid license is IMHO a general risk because you can't really control that the JDK is only used for developing tools as mentioned in the OTN license agreement. By starting any other tool that detects and uses the JDK automatically you are violating the license agreement! – Robert Mar 16 '20 at 18:53
  • @Robert I see no special terms on *Oracle JDK* regarding open-source developers when I look at [the license](https://www.oracle.com/downloads/licenses/javase-license1.html) or [the summary](https://www.oracle.com/java/technologies/javase-jdk13-downloads.html) or [the FAQ](https://www.oracle.com/technetwork/java/javase/overview/oracle-jdk-faqs.html). If you do, please cite. The only mentions of open-source relate to the JDK, but no mention of people creating open-source apps *using* the JDK. As I read the terms, development within a company is allowed without a fee (except for export ban). – Basil Bourque Mar 16 '20 at 21:47