Vulnerability of the non LTS JDK releases
Dalibor Topic
dalibor.topic at oracle.com
Thu Aug 29 17:12:18 UTC 2024
On 29.08.2024 10:09, Lovro Pandžić wrote:
> Thank you for clarification.
>
> Maybe I should clarify my original mail as well:
> I’m not asking for any specific jdk vendor version support or any jdk
> version support change at all for that matter.
>
> I’m asking for the right place to ask where it was decided that versions
> are 6 months apart and that each non-LTS version will only be
> supported until the next one is out.
Accelerating the release cadence was discussed on the discuss mailing
list in 2017:
https://mail.openjdk.org/pipermail/discuss/2017-September/004281.html
Decisions about how long someone is working on something are
decentralized by nature in open source.
Oracle's decision to maintain the JDK updates it leads for 6 months in
OpenJDK is Oracle's and pretty obvious: having maintained OpenJDK 6, 7,
8 for the benefit of the OpenJDK community for many, many overlapping
years in OpenJDK, the faster cadence allowed for that work to be
delegated in a predictable fashion according to the actual needs and
abilities of the OpenJDK community.
Other contributors' decisions to pick up the maintenance of a particular
update train or not once Oracle moves on to maintain the next JDK
release in OpenJDK are entirely theirs, which leads to some JDK update
releases receiving further maintenance within OpenJDK, while other
update releases don't.
> My observation is that the current process and state of things put people
> into an uncomfortable position where they either have to accept being on
> an unsupported version of a non-LTS release for some time and risk security
> vulnerabilities and all the stress that comes with that, or if they don’t
> want to deal with that – they must pick LTS versions.
As with any other open source community, organizations that require
something that's not available have the choice to find someone to fund
to perform that work for them, or to acquire the necessary expertise to
perform it themselves.
The OpenJDK JDK Updates Project has the necessary processes in place to
enable transition of maintenance leadership on an update release series
between different groups of maintainers, since they, too, may have their
own agendas with respect to how they utilize their resources, and those
things can and do change over time.
For example, some JDK update releases receive(d) longer periods of
contributions within OpenJDK from developers outside of Oracle beyond
the initial maintenance period provided by Oracle. Others don't.
Sometimes, that's even the case for non-LTS releases. Sometimes, it's not.
> This state of affairs is unfortunate and makes it seem as
> if non-LTS versions are “for development” only and not ready for
> production use.
All JDK versions are ready for production use. How long you can use them
in production may differ based on your platform, vendor, etc. though.
If, for some reason, you choose to rely on OpenJDK in production, then
ultimately how long you can update and use a release in production
depends on your own maintenance of that release, as with any other open
source project.
Oracle provides a simple upgrade path of Oracle-maintained OpenJDK
updates from one JDK release to the next, free & overlapping Oracle JDK
releases from one LTS release to the next, and a commercially available
subscription for users with different needs. Others contributing to
OpenJDK may have their own, differing offerings that are focused on what
their users need.
The JDK Updates Project would be the right place to discuss specifics of
maintaining JDK releases, if that's what you want to do: jdk-dev is for
the discussion of general technical issues related to the development of
the current JDK main-line feature release, and this thread is now
steering very far from that.
> They are only ok for production use if you control all the software
> you’re running on and you have guarantees that on day 1 of next non LTS
> release you can upgrade all in one go – which in my experience is never
> true.
That ultimately depends on the organization and the use case. Some
organizations can and do move their use cases forward with each
new JDK release, others don't, for many different reasons.
cheers,
dalibor topic
--
Dalibor Topic
Consulting Product Manager
Phone: +494089091214, Mobile: +491737185961
Oracle Global Services Germany GmbH
Headquarters: Riesstr. 25, D-80992 München
Court of registration: Amtsgericht München, HRB 246209
Managing Director: Ralf Herrmann