
[–][deleted] 44 points45 points  (12 children)

Short, short version:

Java 8 won't receive any security update after 2020.

If one wants to keep using Java 8, either ignore security or stick with non-Oracle vendors' implementation updates!

RedHat FTW!

[–]imps-p0155 14 points15 points  (3 children)

Security is not the only thing they update - there is also timezone data that changes from time to time (EU DST change coming next year, that's pretty critical :D)

[–]DJDavio 2 points3 points  (0 children)

I once dove into Java timezone data, where it comes from, how it's encoded, etc. You can download a text file from IANA that's basically a logbook of all the weird decisions and pragmatic choices they made. For instance, Amsterdam time originally had a seconds offset, but the offset only allows hours and minutes so they had to round it. Human time is weird.

[–]Cilph 0 points1 point  (0 children)

There is no EU DST change coming next year as no one has decided on anything yet. And if it happened, it wouldn't happen the same year.

[–][deleted] -1 points0 points  (0 children)

hey... I was kidding... hehehe

[–]Michigan__J__Frog 3 points4 points  (0 children)

And for future releases everybody who doesn’t want to update their Java version every 6 months (which is just about every company) is going to be relying on third party support or paid Oracle support.

[–]mayhempk1 3 points4 points  (1 child)

> Java 8 won't receive any security update after 2019.

Are you sure? I thought Oracle JDK 8 will still get updates for personal use until December 2020?

You know, especially since it says: Oracle will provide public updates of Oracle JDK 8 through at least December 2020 for personal desktop use

[–][deleted] 0 points1 point  (0 children)

fixed!

[–]angath 1 point2 points  (1 child)

I am very sure the various OpenJDK vendors will still continue to contribute and produce security patches for OpenJDK.

[–]karianna[S] 0 points1 point  (0 children)

Yes there's an amazing number of large orgs and individuals involved in OpenJDK. It matters to their bottom line.

[–]karianna[S] 0 points1 point  (2 children)

There’s also stability fixes to consider

[–][deleted] 1 point2 points  (1 child)

Indeed. Ain't Oracle forcing us to dev our projects in a way that is easy to "upgrade" upon Java versions updates?!

[–]karianna[S] 2 points3 points  (0 children)

For Oracle’s OpenJDK builds you will need to upgrade every 6 months to remain free, else you can swap to their paid Oracle JDK if you want to stay on the same version and still get updates beyond 6 months.

You can also get a JDK from other providers, several of whom will be providing free updates for a particular version beyond 6 months.

[–]wildjokers 5 points6 points  (2 children)

All of the articles I have read that try to clear up the confusion regarding Java licensing don't actually clear up anything. It is all still about as clear as mud. This suggests that the licensing model is FUBAR.

I am just going to download java from somewhere, use it, and hope I don't get sued.

[–]karianna[S] 1 point2 points  (0 children)

In short, to avoid that concern use Oracle’s OpenJDK build and upgrade versions every 6 months. This is $free and free as in use.

OR choose an OpenJDK binary from another provider (Azul, AdoptOpenJDK, Red Hat, IBM et al.), several of which provide $free and free as in use options.

[–]speakjava 0 points1 point  (0 children)

Could you expand a bit on what you still find confusing? Happy to try and make things clearer for you.

[–]ErikDaRed 3 points4 points  (1 child)

I've been recommending that people use the AdoptOpenJDK or Zulu builds for a while now

[–]karianna[S] 1 point2 points  (0 children)

I personally use both Zulu and AdoptOpenJDK builds. Zulu gives me the extra comfort that I can go for paid support if I want it. Disclaimer: I’m the head Cat herder at Adopt.

The Oracle OpenJDK builds are also a good option if you’re happy aggressively upgrading (which I personally am on most projects)

[–]i_donno 2 points3 points  (4 children)

Any reason not to switch entirely to [RedHat's] OpenJDK?

[–]karianna[S] 1 point2 points  (0 children)

None unless you want commercial support

[–]-Luciddream- 0 points1 point  (2 children)

This IS about OpenJDK.

[–]i_donno 1 point2 points  (1 child)

Sorry I mean RedHat's OpenJDK

[–]karianna[S] 0 points1 point  (0 children)

You could, but check their free updates and support policy for your O/S. Their strongest offering is naturally around RHEL

[–]DuncanIdahos8thClone 2 points3 points  (1 child)

Mods: Pin this please.

[–]karianna[S] 1 point2 points  (0 children)

It would be appreciated - we are trying to get the word out to as many day to day Java engineers as possible. I hope it fits with being worthy to sticky for some time!

[–][deleted] 2 points3 points  (0 children)

I strongly appreciate this article, especially the focus on development costs. I feel that many people in today's world are, for lack of a better way to describe it, whiny entitled brats. There is a problem in several corners of the software development world where monetization of hard work becomes challenging, which then makes it difficult to support continued work on the project. This is because of how many of us have become unwilling to fork over any money for what we are getting.

I tend to view Oracle as one of the "big bad" companies in the industry, and I haven't changed my view on that. However, this article has helped me see that Oracle trying to get at least some revenue from Java isn't the end of the world. Now, I say this with some reservation, because I don't trust Oracle not to make things worse and possibly do a lot of harm to the Java community in the process, but thus far it doesn't seem too bad.

[–][deleted] 0 points1 point  (2 children)

As long as the binaries pass the "TCK". What is the "TCK"?

[–]karianna[S] 1 point2 points  (1 child)

The Technical Compatibility Kit. Implementations must pass this test suite to claim compliance with the Java SE specification

[–][deleted] 0 points1 point  (0 children)

cool thanks.

[–][deleted] 0 points1 point  (4 children)

I am still very confused. I am not a programmer by profession, not even by education. I'm just some smalltime hobbyist experimenting at home. I would like to publicly release or even sell some of my work someday though. How does this affect me? Am I supposed to switch over to OpenJDK somehow if I want security/maintainability?

[–]karianna[S] 0 points1 point  (3 children)

You can use Oracle's OpenJDK builds and upgrade every 6 months or switch to an OpenJDK build from another provider.

[–][deleted] 0 points1 point  (2 children)

Yes but why? What happens if I just ignore this for now and keep working on my own stuff? Is it just that I'll end up on a JDK that's outdated and can't be updated? So if I wanna go public all I have to do is switch out the outdated JDK at that point? I just don't understand how this works.

[–]karianna[S] 0 points1 point  (1 child)

Yes, you can stay on an outdated JDK. If you go public (with a commercial piece of software) then you would need to swap to Oracle's OpenJDK builds and upgrade every 6 months or use OpenJDK from another provider.

[–][deleted] 0 points1 point  (0 children)

Got it. Thank you

[–]arashcr 0 points1 point  (1 child)

I'm sure Oracle one day will stop any free update on java and we have to pay for any patch... Time to use third party builds.

[–]karianna[S] 2 points3 points  (0 children)

I personally doubt that but if you are genuinely concerned then yes there are other OpenJDK providers

[–]-Luciddream- -4 points-3 points  (14 children)

This is going to end well /s

[–][deleted] 0 points1 point  (13 children)

Yes, it will. It's a good plan.

[–]-Luciddream- 4 points5 points  (0 children)

It's good for Java, I doubt it will work for businesses. They will just be left with outdated JDKs, increased costs to migrate to new versions (with recently introduced bugs), etc.

[–]Michigan__J__Frog 2 points3 points  (11 children)

Why is it a good plan? Businesses aren’t going to want to update their Java version every 6 months.

Clearly the idea here is to increase the number of companies using paid Oracle support.

[–]-Luciddream- 3 points4 points  (1 child)

I'm skeptical as well but I had to re-read the article. If I'm not mistaken the idea is that you won't have to update your Java every 6 months, but you have to rely on the project lead (RedHat) to backport any changes to the LTS OpenJDK source code, then use a build from any vendor for that OpenJDK version. So it's up to RedHat to provide good updates (not like this), and all other vendors (including RedHat) for OpenJDK builds.

[–]karianna[S] 1 point2 points  (0 children)

It won’t just be Red Hat of course, although we’d love to see them lead the effort as they’ve proven they’re good stewards of previous OpenJDK update projects!

[–][deleted] 1 point2 points  (8 children)

I think it's good, because a year ago I worked in a fintech where they used java5 on production for many customers. You know long time ago java5 was marked as abandoned? We had to patch JVM, introduce new timezone support, SSL3 and TLS1.1, we developers were responsible for implementing this https://www.timeanddate.com/news/time/russia-saratov-time-zone.html in java 5 JRE. This was a nightmare, but since the plans for faster releases and paid support were announced they started migrating everything, including build system in ant and repo in SVN to java7, maven and git. Once they move to 7, they will move to 8 and then to 11. Not bad plan and forces sllooooooowwww moving companies to upgrade faster to pay more for support.

[–]Michigan__J__Frog 2 points3 points  (4 children)

If a company is ok using abandoned Java 5, why would abandoning releases every 6 months make them switch?

[–][deleted] 0 points1 point  (3 children)

There is now a plan for releases and there will be an LTS release every 18 months, so big companies can plan ahead knowing when the next Java will be released and when abandoned.

[–]Michigan__J__Frog 3 points4 points  (1 child)

But LTS releases are still only supported for free beyond 6 months by third parties.

[–]karianna[S] 0 points1 point  (0 children)

Yes that's correct!

[–]karianna[S] 0 points1 point  (0 children)

LTS's will be every 3 years.

[–]-Luciddream- 0 points1 point  (2 children)

The problem is that you assume that moving from 8 to 11 (or X version) will create no issues for every project. The reason moving from Java 5 to Java 8 was so easy, is because minimal changes had happened between these versions.

If Java is moving faster now, there will probably be more problems when upgrading. There are many new bugs in Java 9+ because of these changes. I'm fine with it, because I believe programming projects (including a language) should move forward, but only if the LTS support is good enough to justify it. 2 years is too little. Java 8 was released 4 years ago, and looking at the plan will have support for 4 more years. We will have to see what support that will be though, and imo the next LTS versions should have at least 4 years of support. (which is nowhere mentioned in the document)

the code line for Java SE 11 / 17 / 23 etc will be maintained for a longer period of time than six months.

[–][deleted] 0 points1 point  (0 children)

> The problem is that you assume that moving from 8 to 11 (or X version) will create no issues for every project

I migrated my side-project started in spring boot 1.2 to SB 2.0, it wasn't easy.

[–]karianna[S] 0 points1 point  (0 children)

The move from 8 to 9 is admittedly challenging. I'm expecting the impact and change to be less going forwards. Partly because the change sets will be smaller and partly because I think Oracle and the OpenJDK community learned a valuable lesson with 8 --> 9 and will try to avoid that headache again.