Vulnerability of the non-LTS JDK releases

Lovro Pandžić Lovro.Pandzic at infobip.com
Mon Aug 26 05:38:36 UTC 2024


Hello all,

Not sure if this is the right address to talk about this issue so feel free to redirect me to another if it’s more appropriate.

Since the introduction of the six-month release cadence for the JDK, there is one issue in the process that I think has not been addressed properly.

Projects that want to follow the release train in its tracks and stay on the latest (usually non-LTS) version, and that use any non-trivial kind of dependency (Spring, Sonar, …), must accept the fact that there will be periods of time (usually a month or two) where they are forced to stay on an unsupported non-LTS version until all of their dependencies add support for the latest JDK version so they can upgrade as well.

With the process and the whole ecosystem in mind, this is unfortunate, because hardly anyone will want to commit to these periods of time where they are basically on their own if something bad happens – e.g. a new critical security vulnerability is found.

So I wanted to ask: what is your opinion on the matter? The message I got from all the talks is that the JDK maintainers would generally like people to upgrade to newer versions more frequently. Can something be done to address this problem? Could we maybe have a commitment of up to one year of security fixes for non-LTS releases after they have been released?

Best Regards,
Lovro Pandzic



