<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-2">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
</head>
<body lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Hi Lovro,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">There is no central place where this is decided.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">This is an open source project. Activities depend on people/parties<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">that engage in this project.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Oracle decided to support 11, 17, 21 etc. long term in their commercial version.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Also, they support all Java versions for 2 releases in OpenJDK.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Other parties decided to take over support for some of the Java versions<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">after that.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">I.e., Red Hat and SAP decided to dedicate people to support 11, 17 and 21<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">for a longer time. Azul had dedicated people to support 13 and 15 for
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">some time after the first two updates.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">The community is helping with this effort.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">In the end, various parties are building binaries from the maintained<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">repos.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">So if you have need of longer support of the non-LTS, you can turn<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">them into LTS releases by taking up support in the OpenJDK.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">There are mails announcing end of engagement of the current<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">supporter of versions, e.g.,
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><a href="https://mail.openjdk.org/pipermail/jdk-updates-dev/2023-November/027149.html">https://mail.openjdk.org/pipermail/jdk-updates-dev/2023-November/027149.html</a><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">All activities around updates after Java 8 are bundled in the
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">jdk-updates project of OpenJDK. Lead of this project is Rob McKenna.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">Best regards, Goetz.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<div style="border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt">
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif"> jdk-dev &lt;jdk-dev-retn@openjdk.org&gt;
<b>On Behalf Of </b>Lovro Pandžić<br>
<b>Sent:</b> Thursday, August 29, 2024 10:09 AM<br>
<b>To:</b> Chen Liang &lt;chen.l.liang@oracle.com&gt;; jdk-dev@openjdk.org<br>
<b>Subject:</b> Re: Vulnerability of the non LTS JDK releases<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:EN-US">Thank you for clarification.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:EN-US">Maybe I should clarify my original mail as well:<br>
I’m not asking for any specific jdk vendor version support or any jdk version support change at all for that matter.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:EN-US">I’m asking for the right place to ask where it was decided that versions are 6 months apart and that each non LTS version will only be supported up until the next one is out.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:EN-US">My observation is that the current process and state of things put people into an uncomfortable position where they either have to accept being on an unsupported non LTS version for
some time and risk security vulnerabilities and all the stress that comes with that or if they don’t want to deal with that – they must pick LTS versions.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:EN-US">This state of affairs is unfortunate and makes non LTS versions seem as if they are “for development” only and not ready for production use.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:EN-US">They are only ok for production use if you control all the software you’re running on and you have guarantees that on day 1 of the next non LTS release you can upgrade all in one go
– which in my experience is never true.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:EN-US">Hope this clarifies things a bit.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:EN-US">Thank you,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;mso-fareast-language:EN-US"><o:p> </o:p></span></p>
<p><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#373A3B"> <o:p></o:p></span></p>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="865" style="width:648.75pt;margin-left:7.5pt">
<tbody>
<tr>
<td width="65" valign="bottom" style="width:48.75pt;padding:0in 15.0pt 0in 0in">
<p class="MsoNormal"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#373A3B"><img border="0" width="65" height="60" style="width:.6805in;height:.625in" id="Picture_x0020_1" src="cid:image001.png@01DAFA04.5AFF60B0"></span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#373A3B"><o:p></o:p></span></p>
</td>
<td width="800" valign="bottom" style="width:600.0pt;padding:0in 0in 0in 0in">
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td nowrap="" valign="bottom" style="padding:0in 14.25pt 0in 8.25pt">
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:1.5pt;margin-left:0in">
<strong><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#373A3B">Lovro Pandžić</span></strong><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#373A3B"><o:p></o:p></span></p>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:1.5pt;margin-left:0in">
<span style="font-size:8.5pt;font-family:"Arial",sans-serif;color:#373A3B">Senior Principal Engineer</span><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#373A3B"><o:p></o:p></span></p>
</td>
<td nowrap="" valign="bottom" style="border:none;border-left:solid black 1.0pt;padding:0in 15.0pt 0in 15.0pt">
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:3.75pt;margin-left:0in">
<strong><span style="font-size:8.5pt;font-family:"Arial",sans-serif;color:#373A3B">E
</span></strong><span style="font-size:8.5pt;font-family:"Arial",sans-serif;color:#373A3B"><a href="mailto:Lovro.Pandzic@infobip.com">Lovro.Pandzic@infobip.com</a><o:p></o:p></span></p>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:1.5pt;margin-left:0in">
<strong><span style="font-size:8.5pt;font-family:"Arial",sans-serif;color:#373A3B">M</span></strong><span style="font-size:8.5pt;font-family:"Arial",sans-serif;color:#373A3B"> +385921001403<o:p></o:p></span></p>
</td>
<td nowrap="" valign="bottom" style="border:none;border-left:solid black 1.0pt;padding:0in 15.0pt 0in 15.0pt">
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:3.75pt;margin-left:0in">
<strong><span style="font-size:8.5pt;font-family:"Arial",sans-serif;color:#373A3B">A
</span></strong><span style="font-size:8.5pt;font-family:"Arial",sans-serif;color:#373A3B">Utinjska 29A, 10000 Zagreb, Croatia<o:p></o:p></span></p>
<p style="mso-margin-top-alt:0in;margin-right:0in;margin-bottom:1.5pt;margin-left:0in">
<span style="font-size:8.5pt;font-family:"Arial",sans-serif;color:#373A3B"><a href="http://www.infobip.com/"><span style="color:#373A3B;text-decoration:none">www.infobip.com</span></a><o:p></o:p></span></p>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
<p style="margin-top:0in"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#373A3B"> <o:p></o:p></span></p>
<p style="margin-top:0in"><span style="font-size:10.0pt;font-family:"Arial",sans-serif;color:#373A3B"> <o:p></o:p></span></p>
<div id="mail-editor-reference-message-container">
<div>
<div>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="margin-bottom:12.0pt"><b><span style="color:black">From:
</span></b><span style="color:black">Chen Liang &lt;<a href="mailto:chen.l.liang@oracle.com">chen.l.liang@oracle.com</a>&gt;<br>
<b>Date: </b>Monday, 26 August 2024 at 17:25<br>
<b>To: </b>Lovro Pandžić &lt;<a href="mailto:Lovro.Pandzic@infobip.com">Lovro.Pandzic@infobip.com</a>&gt;,
<a href="mailto:jdk-dev@openjdk.org">jdk-dev@openjdk.org</a> &lt;<a href="mailto:jdk-dev@openjdk.org">jdk-dev@openjdk.org</a>&gt;<br>
<b>Subject: </b>[EXTERNAL] Re: Vulnerability of the non LTS JDK releases<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black">Hello Lovro,<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black">To clarify Alan's remarks, there's a dedicated jdk-updates-dev list and a jdk-updates project responsible for any released jdk; for example, if 23 is released, the subsequent releases of 23.0.1 and 23.0.2, etc.
are their responsibility. A request for backporting critical security fixes to 1 release before the latest should be raised to the jdk-updates project, which is usually constituted of "the companies and organizations that make supported JDK releases available."<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black">For the frequency of security fixes: there's a
<a href="https://openjdk.org/groups/vulnerability/">https://openjdk.org/groups/vulnerability/</a> vulnerability group that releases security fixes every quarter (see
<a href="https://mail.openjdk.org/pipermail/vuln-announce/">https://mail.openjdk.org/pipermail/vuln-announce/</a>), usually in Jan, Apr, Jul, and Oct. Do you wish for Apr and Oct vulnerability fixes to be incorporated into the last release before the latest
(released just one month prior)? You can raise this request to the jdk-updates-dev list there.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black">I have heard that backporting even security fixes would be a heavy maintenance cost; so, the updates group might reject your request of 1 year of security fixes, as new releases roll out every half a year.
But a security fix for the one version before the latest released version makes sense to me, especially as the new version has only been released for one month. Ultimately, it is up to the jdk-updates project's discretion, so go ask them.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black"><o:p> </o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black">Regards,<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="color:black">Chen Liang<o:p></o:p></span></p>
</div>
<div class="MsoNormal" align="center" style="text-align:center">
<hr size="1" width="100%" align="center">
</div>
<div id="divRplyFwdMsg">
<p class="MsoNormal"><b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black">From:</span></b><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:black"> jdk-dev &lt;<a href="mailto:jdk-dev-retn@openjdk.org">jdk-dev-retn@openjdk.org</a>&gt;
on behalf of Alan Bateman &lt;<a href="mailto:alan.bateman@oracle.com">alan.bateman@oracle.com</a>&gt;<br>
<b>Sent:</b> Monday, August 26, 2024 2:23 AM<br>
<b>To:</b> Lovro Pandžić &lt;<a href="mailto:Lovro.Pandzic@infobip.com">Lovro.Pandzic@infobip.com</a>&gt;;
<a href="mailto:jdk-dev@openjdk.org">jdk-dev@openjdk.org</a> &lt;<a href="mailto:jdk-dev@openjdk.org">jdk-dev@openjdk.org</a>&gt;<br>
<b>Subject:</b> Re: Vulnerability of the non LTS JDK releases</span> <o:p></o:p></p>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
</div>
<div>
<p class="MsoNormal" style="margin-bottom:12.0pt">On 26/08/2024 06:38, Lovro Pandžić wrote:<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="xmsonormal">Hello all,<o:p></o:p></p>
<p class="xmsonormal"> <o:p></o:p></p>
<p class="xmsonormal">Not sure if this is the right address to talk about this issue so feel free to redirect me to another if it’s more appropriate.<o:p></o:p></p>
</div>
</blockquote>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
Your question isn't unreasonable but it's not really a question for the OpenJDK project, instead it's a question for the companies and organizations that make supported JDK releases available.<br>
<br>
<br>
<o:p></o:p></p>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<div>
<p class="xmsonormal"> <o:p></o:p></p>
<p class="xmsonormal">:<o:p></o:p></p>
<p class="xmsonormal"> <o:p></o:p></p>
<p class="xmsonormal">Projects that want to follow the train in its tracks and be on the latest, usually non LTS, version and that use any non trivial kind of dependency (Spring, Sonar, …) must accept the fact that there will be periods of time (usually a
month or two) where they’ll be forced to stay on an unsupported non LTS version until all of their dependencies add support for the latest JDK version so they can upgrade as well.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</blockquote>
<p class="MsoNormal">Just a reminder that there are Early Access (EA) builds published weekly so these projects don't need to wait until the GA to test. Ongoing testing with EA builds helps find issues earlier and allows these projects to align their releases with
the JDK releases.<br>
<br>
-Alan<o:p></o:p></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</body>
</html>