Azul Intelligence Cloud The Powerful Analytics Solution That Boosts DevOps Efficiency with Insights from Production Java Runtime Data from Any JVM  
Blog chevron_right Java

Java: Stable, Secure and Free. Choose Two out of Three

It’s 2018, and significant changes are happening for Java. As announced last year we’re moving to a time-based release of the JDK, rather than feature-based. This is excellent news, as it means features can be integrated when ready and developers will get access to new features much faster than they ever have before. JDK 10 will be released in March, and we’re already into ramp-down phase two, so everything is progressing according to plan. The JSR for the specification is well underway and passed public review. There are even JDK Enhancement Proposals (JEPs) being targeted to JDK 11.

The Java landscape looks good…

However, there are more changes related to this new speed of release that will make themselves apparent this year, and these might not be quite so exciting. Specifically, in January 2019, only four months after JDK 11 is released, there will be no more public updates for JDK 8.

What we’re used to with Java is what I’ve put in the title, a platform that has three important qualities, explicitly related to how it is supported.

  1. Stable: In the past, a new release of the JDK has added features, which, although thoroughly tested during development, need real-world production systems to identify any wrinkles that need ironing out. To enable users to continue with stable builds while testing the latest there has been an overlap in updates. When JDK 6 was released, updates to JDK 5 continued to be published for nearly three years (two years and eleven months to be precise). With JDK 7, JDK 6 continued to have public updates for a year and nine months. JDK 7 then had thirteen months of public updates after the release of JDK 8.
  2. Secure: There are regular updates published for the JDK that include any patches for newly identified security issues. If you install updates as they’re released, your Java will be as secure as it can be.
  3. Free: One of the greatest things about Java is that it’s always been a free platform, even before it was released as open-source in 2006. There have been restrictions on where Java can be used without a license fee, but that has always been targeted at mobile and embedded applications; for desktop clients and enterprise servers the latest version has no cost.

As I said, things are changing…

With the new, time-based release cadence, the engineering effort of making updates available for numerous earlier releases would be unsustainable. To address the needs of two orthogonal groups of users, Oracle decided to switch to a Long Term Support  model. Specific JDK versions will be LTS releases, meaning they will have updates for three years. All other, intermediate, releases will be termed Feature releases and only have updates for six months (until the next Feature release). To synchronise the new system, JDK 8 has been classified an LTS release. The next one will be JDK 11, to be released in September.

The most significant change this new model includes is that there will no longer be any effective overlap for updates between releases. I’ve put that in bold and italics to make sure that this is clear.  I’ll mention again that this means that public updates to JDK 8 will cease in January 2019, as that will affect a lot of users.

We’ve also created a picture that hopefully makes this easier to understand.

The implication of this change is that Java is still stable, secure and free but you must now choose two of those three qualities. When deploying Java in the future, you can’t have all three at the same time.

Let me explain this a bit more.

Suppose you are most concerned about security (as you should be) but don’t want to spend any money. To do this, you will need to switch to new versions of the JDK as soon as they are released. With no overlap you must do this to be able to install all security-related fixes. Unfortunately, with no overlap, you must switch to a JDK release that has not had time to be tested in real production environments, so you lose the stability you had.

Alternatively, you may favour stability and zero cost. Again, this is possible; all you do is continue to use the previous support version after a new one is released. You continue to have the stability you’re used to, need pay nothing, but will not get security patches, as they will no longer be available for that release.

Finally, if you want stability and security, it is not going to be free. You can continue to use the previous LTS release, but access to patches will only be available through a commercial support contract.

Azul has our Zulu branded OpenJDK binaries (both Enterprise and Embedded) built from the project source, tested with the TCK/JCK and even analysed using tools we’ve created to ensure that there is no contamination of the open-source through incorrect headers. We offer this as a free download for the latest version and with commercial support for those who want it.

Last week we announced how we would be providing extended support in three ways for different versions of the JDK.

Again, we’ve produced a picture to help make this easier to understand.

Java SE Lifecycle 5+ Year Timeline
Java SE Lifecycle 5+ Year Timeline

Java SE Lifecycle 5+ Year Timeline Updated 31-Jan-2018

For further information on this and more detail on the changes to Java and understanding OpenJDK, there is a recording of a webinar I delivered on this subject. The slides are available here, and the recording can be accessed here.

Many Java users I’m talking to are starting to plan what they will do prior to next January when public updates of JDK 8 are scheduled to end.

Please contact us if you’d like to discuss Java support options.