Vulnerability of the non LTS JDK releases

Andrew Haley aph-open at littlepinkcloud.com
Thu Aug 29 09:25:28 UTC 2024


On 8/29/24 09:09, Lovro Pandžić wrote:
> Maybe I should clarify my original mail as well:
> I’m not asking for any specific jdk vendor version support or any jdk version support change at all for that matter.
> 
> I’m asking for a right place to ask where it was decided that versions are 6 months apart and that each non LTS version will only be supported up until the next one is out.
> 
> My observation is that current process and state of things put people into an uncomfortable position where they either have to accept to be on an unsupported version of non LTS for some time and risk security vulnerabilities and all the stress that comes with that or if they don’t want to deal with that – they must pick LTS versions.

Or pay someone for support of other releases. That's true.

> This state of affairs is unfortunate and makes non LTS version seem as if non LTS versions are “for development” only and not ready for production use.

I can speak to this.

The OpenJDK project does not define "LTS" and "non LTS" versions of OpenJDK.

Any qualified organization may volunteer to update any version of the JDK.
Non-Oracle vendors have settled on a bi-annual cadence of LTS releases to support,
because that's a reasonable compromise between effort and reward.

So, we support the "LTS" releases that we need to support, for our customers
and the wider community. We have to concentrate our efforts somewhere.

Does that answer your question?

-- 
Andrew Haley  (he/him)
Java Platform Lead Engineer
Red Hat UK Ltd. <https://www.redhat.com>
https://keybase.io/andrewhaley
EAC8 43EB D3EF DB98 CC77 2FAD A5CD 6035 332F A671


