Vulnerability of the non LTS JDK releases

Lindenmaier, Goetz goetz.lindenmaier at sap.com
Thu Aug 29 09:31:38 UTC 2024


Hi Lovro,

There is no central place where this is decided.
This is an open source project. Activities depend on people/parties
that engage in this project.
Oracle decided to support 11, 17, 21 etc long term in their commercial version.
Also, they support all Java versions for 2 releases in OpenJDK.

Other parties decided to take over support for some of the Java versions
after that.
I.e., Red Hat and SAP decided to dedicate people to support 11, 17 and 21
for a longer time. Azul had dedicated people to support 13 and 15 for
some time after the first two updates.
The community is helping with this effort.
In the end, various parties are building binaries from the maintained
repos.

So if you have need of longer support of the non-LTS, you can turn
them into LTS releases by taking up support in the OpenJDK.
There are mails announcing end of engagement of the current
supportee of versions, e.g.,
https://mail.openjdk.org/pipermail/jdk-updates-dev/2023-November/027149.html
All activities around updates after Java 8 are bundled in the
jdk-updates project of OpenJDK. Lead of this project is Rob McKenna.

Best regards, Goetz.

From: jdk-dev <jdk-dev-retn at openjdk.org> On Behalf Of Lovro Pandžic
Sent: Thursday, August 29, 2024 10:09 AM
To: Chen Liang <chen.l.liang at oracle.com>; jdk-dev at openjdk.org
Subject: Re: Vulnerability of the non LTS JDK releases

Thank you for the clarification.

Maybe I should clarify my original mail as well:
I'm not asking for any specific jdk vendor version support or any jdk version support change at all for that matter.
I'm asking for the right place to ask where it was decided that versions are 6 months apart and that each non LTS version will only be supported up until the next one is out.

My observation is that the current process and state of things put people into an uncomfortable position where they either have to accept being on an unsupported non LTS version for some time and risk security vulnerabilities and all the stress that comes with that, or, if they don't want to deal with that, they must pick LTS versions.
This state of affairs is unfortunate and makes it seem as if non LTS versions are "for development" only and not ready for production use.

They are only ok for production use if you control all the software you're running on and you have guarantees that on day 1 of the next non LTS release you can upgrade all in one go, which in my experience is never true.

Hope this clarifies things a bit.

Thank you,

Lovro Pandžić
Senior Principal Engineer
E Lovro.Pandzic at infobip.com
M +385921001403
A Utinjska 29A, 10000 Zagreb, Croatia
www.infobip.com

From: Chen Liang <chen.l.liang at oracle.com>
Date: Monday, 26 August 2024 at 17:25
To: Lovro Pandžić <Lovro.Pandzic at infobip.com>, jdk-dev at openjdk.org <jdk-dev at openjdk.org>
Subject: [EXTERNAL] Re: Vulnerability of the non LTS JDK releases
Hello Lovro,
To clarify Alan's remarks, there's a dedicated jdk-updates-dev list and a jdk-updates project responsible for any released jdk; for example, if 23 is released, the subsequent releases of 23.0.1 and 23.0.2, etc. are their responsibility. A request for backporting critical security fixes to 1 release before the latest should be raised to the jdk-updates project, which is usually constituted of "the companies and organizations that make supported JDK releases available."

For the frequency of security fixes: there's a vulnerability group (https://openjdk.org/groups/vulnerability/) that releases security fixes every quarter (see https://mail.openjdk.org/pipermail/vuln-announce/), usually in Jan, Apr, Jul, and Oct. Do you wish for Apr and Oct vulnerability fixes to be incorporated into the last release before the latest (released just one month prior)? You can raise this request to the jdk-updates-dev list there.

I have heard that backporting even security fixes would be a heavy maintenance cost; so, the updates group might reject your request of 1 year of security fixes, as new releases roll out every half a year. But a security fix for the one version before the latest release makes sense to me, especially as the new version has only been released for one month. Ultimately, it is up to the jdk-updates project's discretion, so go ask them.

Regards,
Chen Liang
________________________________
From: jdk-dev <jdk-dev-retn at openjdk.org> on behalf of Alan Bateman <alan.bateman at oracle.com>
Sent: Monday, August 26, 2024 2:23 AM
To: Lovro Pandžić <Lovro.Pandzic at infobip.com>; jdk-dev at openjdk.org <jdk-dev at openjdk.org>
Subject: Re: Vulnerability of the non LTS JDK releases

On 26/08/2024 06:38, Lovro Pandžić wrote:

Hello all,

Not sure if this is the right address to talk about this issue so feel free to redirect me to another if it's more appropriate.

Your question isn't unreasonable but it's not really a question for the OpenJDK project, instead it's a question for the companies and organizations that make supported JDK releases available.

Projects that want to follow the train in its tracks and be on the latest, usually non lts, version and that use any non trivial kind of dependency (Spring, Sonar, ...) must accept the fact that there will be periods of time (usually a month or two) where they'll be forced to stay on an unsupported non LTS version until all of their dependencies add support for the latest JDK version so they can upgrade as well.

Just a reminder that there are Early Access (EA) builds published weekly so these projects don't need to wait until the GA to test. Ongoing testing with EA builds helps find issues earlier and allows these projects to align their releases with the JDK releases.

-Alan