The Java ecosystem has always been built on a high quality $free (zero-cost) JDK available from Oracle, and previously Sun. This is as true today as it always has been - but the new six-monthly release cycle does mean some big changes are happening.
Six-monthly releases
Java now has a release every six months, something which greatly impacts how each version is supported. By support, I mean the provision of update releases with security patches and important bug fixes.
Up to and including Java 8, $free security updates were provided for many years. Certainly up to and beyond the launch of the next version. With Java 9 and the six-monthly release cycle, this $free support is now much more tightly controlled.
In fact, Oracle will not be providing $free long-term support (LTS) for any single Java version at all from Java 11 onwards.
| Version | Release date | End of $free updates from Oracle |
|---|---|---|
| Java 8 | March 2014 | January 2019 (for commercial use) |
| Java 9 | Sept 2017 | March 2018 |
| Java 10 | March 2018 | Sept 2018 |
| Java 11 | Sept 2018 | March 2019 (might be extended, see below) |
| Java 12 | March 2019 | Sept 2019 |
The idea here is simple. Oracle wants to focus its energy on moving Java forward with the cost of long-term support directly paid for by customers (instead of giving it away for $free). To do this, they need developers to continually upgrade their version of Java, moving version every six months (and picking up the patch releases in-between). Of course, for most development shops, such rapid upgrade is not feasible. But Java is now developed as OpenJDK, which means that Oracle's support dates are not the only ones to consider.
OpenJDK
A key point to grasp is that most JDK builds in the world are based on the open source OpenJDK project. The Oracle JDK is merely one of many builds that are based on the OpenJDK codebase. While it used to be the case that Oracle had additional extras in their JDK, as of Java 11 this is no longer the case.
Many other vendors also provide builds based on the OpenJDK codebase. These builds may have additional branding and/or additional non-core functionality. Most of these vendors also contribute back to the upstream OpenJDK project, including the security patches.
The impact is that the JDK you use should now be a choice you actively make, not passively accept. How fast can you get security patches? How long will it be supported? Do you need to be able to apply contractual pressure to a vendor to help with any issues?
In addition, there are two main ways that the JDK is obtained. The first is an update mechanism buit into the operating system (eg. *nix). The second is to visit a URL and download a binary (eg. Windows).
To examine this further, lets look at Java 8 and Java 11 separately.
Staying on Java 8
If you want to stay on Java 8 after January 2019, here are the choices as I see them:
1) Don't care about security.
It is entirely possible to remain on the last $free release forever. Just don't complain when hackers destroy your company.
2) Rely on Operating System updates.
On *nix platforms, you may well obtain your JDK via the operating system (eg. Red Hat, Debian, Fedora, Arch, etc.). And as such, updates to the JDK are delivered via the operating system vendor. This is where Red Hat's participation is key - they promise Java 8 updates until June 2023 in Red Hat Enterprise Linux - but they also have an "upstream first" policy, meaning they prefer to push fixes back to the "upstream" OpenJDK project. Whether you get security patches to the JDK or not will depend on your operating system vendor, and whether they need you to pay for those updates.
3) Pay for support.
A number of companies, including Azul, IBM, Oracle and Red Hat, offer ongoing support for Java. By paying them, you get access to the stream of security patches and update releases with certain guarantees (as opposed to volunteer-led approaches). If you have cash, maybe it is fair and reasonable to pay for Java?
4) Use the non-commercial build in a commercial setting.
Oracle will provide builds of Java 8 for non-commercial use until December 2019, so you could use those. But you don't want Oracle's software licensing teams chasing you, do you?
5) Build OpenJDK yourself.
The stream of security patches * is published to a public Mercurial repository under the GPL license. As such, it is perfectly possible to build OpenJDK yourself by keeping track of commits to that repository. I suspect this not a very realistic choice for most companies.
6) Use the builds from AdoptOpenJDK.
The community team at AdoptOpenJDK has been busy over the past few years creating a build farm and testing rig. As such, they are now able to take the stream of security patches * and turn them into releases, just like you would get from the commercial offerings. They are also running the Java TCK (testing compatibility kit) to allow these builds to be fully certified as Java SE. Their plan is to produce Java 8 builds until September 2022, one year after Java 17 comes out. Obviously, you don't get a warranty or genuine support - its a community build farm project. But for most users that want to use Java 8 without paying, this is likely the best choice.
Note that Azul also offers $free OpenJDK release builds at zulu.org.
* The last two options assume that a group actually will step forward and take over the "JDK 8 updates" OpenJDK project once Oracle stop. While the exact project details are not yet confirmed, this IBM statement indicates real backing for the approach:
Recognizing the impact that the release cycle changes will have with Java developers, IBM will partner with other members of the OpenJDK community to continue to update an OpenJDK Java 8 stream with security patches and critical bug fixes. We intend to keep the current LTS version secure and high quality for 4 years. This timescale bridges the gap between LTS versions with 1 year to allow for a migration period. IBM has also invested in an open build and test project (AdoptOpenJDK.net) along with many partners and Java leaders to provide community binaries across commonly used platforms of OpenJDK with Hotspot and OpenJDK with Eclipse OpenJ9. These community binaries are TCK (Java SE specification) compliance tested and ready for developers to download and use in production.
IBM statement
It is also hard to see Red Hat not contributing to this effort given their June 2023 support date and "upstream first" policy. Note that the process around security issues will be managed by the newly formed vulnerability group.
Staying on Java 9 or Java 10
Don't.
No-one wants to provide builds or support for Java 9 or Java 10. And anyway, there is no good reason not to upgrade to Java 11 in my opinion.
(Actually, Azul are providing medium-term support for Java 9, if you really need it.)
Staying on Java 11
It is a brave new world and not 100% clear, but this is how it looks like things will happen.
Firstly, it is not clear that there will be an Oracle JDK that is $free to download. Despite my best attempts, I could not get 100% clarity on this point, but see also this tweet.
But in reality, it is now irrelevant as to whether Oracle JDK is $free to download or not. That is because from Java 11, developers can treat Oracle JDK and OpenJDK as being equivalent. It is no longer appropriate or correct to consider the OpenJDK build to be secondary or less important. In fact, the most important build is now the OpenJDK one.
To be more specific, as of the release date, Java 11 developers should consider using jdk.java.net to obtain a binary download, not any page on oracle.com.
So, how long will Oracle provide security patches to Java 11?
Again, the answer to this is not 100% clear:
> What will Java 11 get from Oracle?
At least six months of free, GPL-licensed updates with binaries at http://jdk.java.net.
(I say “at least” because that’s the current plan. The plan could change, to a longer time period, if the situation warrants.)
Mark Reinhold, Oracle
Clearly, six months of security updates is not long enough to treat Java 11 as a "long term support" (LTS) release. The promise of the period being potentially longer doesn't really help, as companies need longer timelines and more certainty. So the assumption should be that Java 11 has just 6 months of releases containing security patches from Oracle.
At this point, things move into the realms of probabilities. In all likelihood, when Oracle steps down from managing the "JDK 11 updates" project at OpenJDK (the one containing the security patches), someone else will take over. This has happened before with Java 6 and 7. And the evidence is that it will happen for Java 11 too:
OpenJDK is a community project. It's up to the community to support it.
In practice this means that a group of organizations and individuals will maintain each OpenJDK LTS release for some period
(TBA for 11, but it's sure to be a *lot* longer than six months.)
I am certain that there will be a jdk11u project, and it will be properly and professionally run.
I think it's likely that I'll be leading the project, but someone else may be chosen.
Andrew Haley, Red Hat
That covers the repository containing the security patches. (Red Hat have an excellent record in maintaining old releases of OpenJDK for the wider community.) But there is still the question of producing actual releases to download that have been certified as passing the Java SE testing TCK.
This is where the AdoptOpenJDK build farm is critical:
As part of the discussions Andrew mentioned, AdoptOpenJDK offered to build, test and make available OpenJDK
LTS binaries for the major (and several minor) platforms. This isn't yet set in concrete but folks broadly thought that
was a good idea. So the challenge of having a build and test farm for this joint effort is solved.
Martijn Verburg, AdoptOpenJDK
And AdoptOpenJDK are currently planning to do create releases until September 2022, one year after Java 17 comes out.
If people do what they say they will, then we can therefore conclude that it will be possible to use Java 11 for 4 years from release, with security patches, for $free (zero-cost). (I would imagine that if volunteers came forward, the September 2022 date could be moved even further into the future.)
Of course, only you and your company can decide if it is right and proper to use Java without giving back to the ecosystem. It could be argued that it is more ethical to either pay for support, or assist either the AdoptOpenJDK or "JDK 11 updates" OpenJDK project.
Platforms
The OpenJDK builds by Oracle at http://jdk.java.net/ only cover three platforms. But this doesn't mean that they are the only platforms OpenJDK runs on. For example, AdoptOpenJDK provides Java 8 builds on 7 platforms with Hotspot (including ARM) and more platforms with OpenJ9 (including Windows 32 bit).
Summary
All the pieces are in place for Java 11 to be maintained as a long-term support release. However, unlike Java 6, 7 and 8, Oracle will not be leading the long-term support effort. In all likelihood, Red Hat will take over this task - they have said publicly that they would like to.
For the first 6 months of Java 11's life, Oracle will be providing GPL+CE licensed $free zero-cost downloads at jdk.java.net with security patches.
To get GPL+CE licensed $free zero-cost update releases of Java 11 after the first six months, you are likely to need to obtain them from a different URL and a different build team. Currently, my view is that AdoptOpenJDK build farm is the place to look for those builds. But zulu.org is another possibility.
Feel free to comment if I've missed something obvious.
Thank you for this useful, important info. Btw, minor typo: 'Any anyway'
ReplyDeleteIt's absolutely an indictment of Oracle's stewardship of Java that it takes a blog post (however excellent) from a non-employee (however central a Java community member) to coherently explain their plan for the future of Java. Customers, vendors, and coworkers are getting mixed messages from news sources, and it's causing a whole bunch of uncertainty: the one thing you absolutely do not want in an enterprise software platform.
ReplyDeleteWill critical Java vulnerabilities in 11 be fixed by RedHat or AOJDK even long after Oracle has abandoned that version? I think this is where the probabilities drop significantly. It will be interesting to see what happens.
ReplyDeleteBy the OpenJDK vulnerability group.
Deletehttp://openjdk.java.net/census#vulnerability
One option you overlooked is to use the JDK provided by your OS vendor. For example, if you're running on RHEL RedHat says they'll support Java 8 through June 2023 (https://access.redhat.com/articles/1299013). I imagine CentOS will receive these OpenJDK updates as well.
ReplyDeleteI included "pay for support", and you probably pay for RHEL...
DeleteI'd like to see Redhat/CentOS/AWS/Canonical use the AdoptOpenJDK builds in their upstream repos. Is there any reason to believe they would or would not?
ReplyDeleteBecause binary compatibility precludes it and there are trust and responsibility issues when rebundling others software.
DeleteBest plan is not to do it. Also monocultures are bad.
There is no chance that we will use the AdoptOpenJDK builds because we tweak our builds to use system libraries rather than bundled libraries and we make a few other distro-specific patches. Also, as a matter of policy, our distros are built from source.
DeleteHow can we tell that a Linux distro build has or has not passed the TCK or that the version arvertised by the OS is the right version/patch version. I know of at least one screw up from at least one major distro for that. I've never been able to find the provenance of an OpenJDK package provided by a distro. I have no idea what flags we're used to build it. Each distro needs to make this clear. I see Amazon, Canonical, RedHat as signatories for the JCK, but where can I tell if a specific package provided from those distros package repositories has actually been run against or passed the JCK?
DeleteThanks for the info. I'm still confused though. Does Oracle's new license policy only apply to the JDK, or also apply to the JRE? Do I have to pay for the Oracle 11 JRE in production or only when using the JDK?
ReplyDeleteIf you want zero-cost, avoid Oracle JDK/JRE.
DeleteA lot of IT support people are wondering the same thing. It sort of counts as commercial use if I'm using the JRE as part of a job to access business sites and apps, but also not the same as commercially developing Java apps with the JDK. But even if we use the JRE 8 updates until they're done, it looks like eventually we'll have to move to a JRE based on Java 11. But from who I'm not sure.
DeleteI certainly hope http://jdk.java.net will install a certificate to create a secure link for downloads
ReplyDeleteThat's not a bad idea. jdk.java.net is not an OpenJDK site, though, and we'd have to thgink about how to handle the signing keys. It's possible that several organizations will be doing the builds for various platforms.
DeleteThe Oracle vs Google proves the contrary though.
ReplyDelete