Vulnerability of the non LTS JDK releases

Lovro Pandžić Lovro.Pandzic at infobip.com
Thu Aug 29 08:09:05 UTC 2024


Thank you for clarification.

Maybe I should clarify my original mail as well:
I’m not asking for any specific jdk vendor version support or any jdk version support change at all for that matter.
I’m asking for a right place to ask where it was decided that versions are 6 months apart and that each non LTS version will only have supported up until the next one is out.

My observation is that the current process and state of things put people into an uncomfortable position where they either have to accept being on an unsupported non LTS version for some time and risk security vulnerabilities and all the stress that comes with that, or if they don’t want to deal with that – they must pick LTS versions.
This state of affairs is unfortunate and makes it seem as if non LTS versions are “for development” only and not ready for production use.

They are only ok for production use if you control all the software you’re running on and you have guarantees that on day 1 of next non LTS release you can upgrade all in one go – which in my experience is never true.

Hope this clarifies things a bit.

Thank you,

Lovro Pandžić

Senior Principal Engineer


E Lovro.Pandzic at infobip.com

M +385921001403


A Utinjska 29A, 10000 Zagreb, Croatia

www.infobip.com

From: Chen Liang <chen.l.liang at oracle.com>
Date: Monday, 26 August 2024 at 17:25
To: Lovro Pandžić <Lovro.Pandzic at infobip.com>, jdk-dev at openjdk.org <jdk-dev at openjdk.org>
Subject: [EXTERNAL] Re: Vulnerability of the non LTS JDK releases
Hello Lovro,
To clarify Alan's remarks, there's a dedicated jdk-updates-dev list and a jdk-updates project responsible for any released jdk; for example, if 23 is released, the subsequent releases of 23.0.1 and 23.0.2, etc. are their responsibility. A request for backporting critical security fixes to 1 release before the latest should be raised to the jdk-updates project, which is usually constituted of "the companies and organizations that make supported JDK releases available."

For the frequency of security fixes: there's a vulnerability group (https://openjdk.org/groups/vulnerability/) that releases security fixes every quarter (see https://mail.openjdk.org/pipermail/vuln-announce/), usually in Jan, Apr, Jul, and Oct. Do you wish for Apr and Oct vulnerability fixes to be incorporated into the last release before the latest (released just one month prior)? You can raise this request to the jdk-updates-dev list there.

I have heard that even backporting security fixes would be a heavy maintenance cost; so, the updates group might reject your request of 1 year of security fixes, as new releases roll out every half a year. But a security fix for the one version before the latest release makes sense to me, especially as the new version has only just been released for one month. Ultimately, it is up to the jdk-updates project's discretion, so go ask them.

Regards,
Chen Liang
________________________________
From: jdk-dev <jdk-dev-retn at openjdk.org> on behalf of Alan Bateman <alan.bateman at oracle.com>
Sent: Monday, August 26, 2024 2:23 AM
To: Lovro Pandžić <Lovro.Pandzic at infobip.com>; jdk-dev at openjdk.org <jdk-dev at openjdk.org>
Subject: Re: Vulnerability of the non LTS JDK releases

On 26/08/2024 06:38, Lovro Pandžić wrote:

Hello all,

Not sure if this is the right address to talk about this issue so feel free to redirect me to another if it’s more appropriate.

Your question isn't unreasonable, but it's not really a question for the OpenJDK project; instead it's a question for the companies and organizations that make supported JDK releases available.

Projects that want to follow the train in its tracks and be on the latest, usually non LTS, version and that use any non trivial kind of dependency (Spring, Sonar, …) must accept the fact that there will be periods of time (usually a month or two) where they’ll be forced to stay on an unsupported non LTS version until all of their dependencies add support for the latest JDK version so they can upgrade as well.

Just a reminder that there are Early Access (EA) builds published weekly, so these projects don't need to wait until the GA to test. Ongoing testing with EA builds helps find issues earlier and allows these projects to align their releases with the JDK releases.

-Alan