Updated Choices For Java Updates

Last month was of particular significance to both Java developers and users. The reason was the release of update 202 of Oracle JDK 8, which was the final public update (for commercial users) of JDK 8 from Oracle. Users now need to think carefully about their strategy for updating the Java runtime in the future.

For non-commercial desktop users, updates to Oracle Java SE 8 will continue to be provided through the existing Java Update mechanism. According to Oracle, this will be, “…through at least the end of 2020.” It is assumed that, when the first of these updates comes out in April, the license will be changed to preclude the use of these updates in a commercial deployment.

For the vast majority of Java users then, there are a number of choices available for what to do next:

  1. Continue to use Oracle JDK 8 but without further security patches or bug fixes. This clearly has significant implications in terms of platform stability and security. This option may not be open to many users due to regulatory compliance issues requiring all software being used to be updated to the most recent version.
  2. Migrate applications to the free Oracle OpenJDK JDK.

    Since JDK 9, Oracle has been providing two binary distributions of the JDK: the traditional Oracle JDK (from java.oracle.com) and the newer OpenJDK binary (from jdk.java.net). As of JDK 11, these are functionally equivalent but have different licenses. The OpenJDK binaries are provided under the same license as the source code, i.e., GPLv2 with classpath exception. The Oracle JDK 11 binary is now under the Oracle Technology Network License Agreement for Java SE. This allows free use for development and testing but requires an Oracle Java SE subscription to be used in commercial production.

    The Oracle OpenJDK binaries are therefore an option that is free for use in production and has regular updates. The drawback to this option is that there is no long-term support (LTS) for any of these releases. Oracle OpenJDK 11.0.2, also released last month, is the last update for JDK 11. To continue to get the latest updates, users will need to update their entire JDK every six months (to keep pace with the new JDK release cadence).

  3. Migrate to a free binary distribution of the OpenJDK. There are several options for this:
    • As already explained, there is the Oracle OpenJDK JDK.
    • Azul provides a community edition of our Zulu JDK, which is free. This is available for a range of platforms and versions.
    • AdoptOpenJDK provides free JDK distributions for a wide range of platforms (Azul are one of the sponsors of this project). Although these binaries are well tested, they are not currently verified as Java SE compliant using the TCK.
    • Amazon Corretto provides binaries for common platforms.

    When considering the use of a free distribution, a critical consideration should be how updates get included. Oracle will only be contributing the source code of updates to the current OpenJDK project (the next update will, therefore, be part of the OpenJDK 12 project). For those security patches and bug fixes to be included in an OpenJDK 8 binary, it is necessary to backport the changes. Red Hat has recently taken over as the project lead of OpenJDK 8 after Oracle resigned this position. When and if updates get backported will determine how quickly free binaries will be aligned with the current JDK version.

    It is also worth noting that Amazon has stated that their intention is “targeted backports from newer releases”; ones that they consider important for their customers, i.e., users of Amazon Web Services (AWS). This will lead to some potential divergence between Corretto and other free OpenJDK distributions.

  4. Consider a commercial Java support contract. In addition to the Oracle option, Azul provides the Zulu Enterprise product. This is a fully supported OpenJDK distribution with independently backported fixes. Part of this is an SLA that includes how quickly binaries including backported updates will be made available. Should you find a problem while running Zulu Enterprise, we have a great team of engineers that can assist you and produce a fix if required.

The next scheduled update for Java is in April, so you still have a couple of months to consider your options. Which one will you choose?

© Azul Systems, Inc. 2019 All rights reserved.