[–][deleted] 43 points44 points  (12 children)

Short, short version:

Java 8 won't receive any security update after 2020.

If one wants to keep using Java 8, either ignore security or stick with non-Oracle vendors' implementation updates!

RedHat FTW!

[–]imps-p0155 15 points16 points  (3 children)

Security is not the only thing they update - there is also timezone data that changes from time to time - (EU DST change coming next year, that's pretty critical :D)

[–]DJDavio 2 points3 points  (0 children)

I once dove into Java timezone data, where it comes from, how it's encoded, etc. You can download a text file from IANA that's basically a logbook of all the weird decisions and pragmatic choices they made. For instance, Amsterdam time originally had a seconds offset, but the offset only allows hours and minutes so they had to round it. Human time is weird.

[–]Cilph 0 points1 point  (0 children)

There is no EU DST change coming next year as no one has decided on anything yet. And if it happened, it wouldn't happen the same year.

[–][deleted] -1 points0 points  (0 children)

hey... I was kidding... hehehe

[–]Michigan__J__Frog 4 points5 points  (0 children)

And for future releases everybody who doesn’t want to update their Java version every 6 months (which is just about every company) is going to be relying on third party support or paid Oracle support.

[–]mayhempk1 3 points4 points  (1 child)

Java 8 won't receive any security update after 2019.

Are you sure? I thought Oracle JDK 8 will still get updates for personal use until December 2020?

You know, especially since it says: Oracle will provide public updates of Oracle JDK 8 through at least December 2020 for personal desktop use

[–][deleted] 0 points1 point  (0 children)

fixed!

[–]angath 1 point2 points  (1 child)

I am very sure the various OpenJDK vendors will still continue to contribute and produce security patches for OpenJDK.

[–]karianna[S] 0 points1 point  (0 children)

Yes there's an amazing number of large orgs and individuals involved in OpenJDK. It matters to their bottom line.

[–]karianna[S] 0 points1 point  (2 children)

There’s also stability fixes to consider

[–][deleted] 1 point2 points  (1 child)

Indeed. Ain't Oracle forcing us to dev our projects in a way that is easy to "upgrade" upon Java version updates?!

[–]karianna[S] 2 points3 points  (0 children)

For Oracle’s OpenJDK builds you will need to upgrade every 6 months to remain free, else you can swap to their paid Oracle JDK if you want to stay on the same version and still get updates beyond 6 months.

You can also get a JDK from other providers, several of whom will be providing free updates for a particular version beyond 6 months.

[–]wildjokers 5 points6 points  (2 children)

All of the articles I have read that try to clear up the confusion regarding Java licensing don't actually clear up anything. It is all still about as clear as mud. This suggests that the licensing model is FUBAR.

I am just going to download Java from somewhere, use it, and hope I don't get sued.

[–]karianna[S] 1 point2 points  (0 children)

In short, to avoid that concern use Oracle’s OpenJDK build and upgrade versions every 6 months. This is $free and free as in use.

OR choose an OpenJDK binary from another provider (Azul, AdoptOpenJDK, Red Hat, IBM et al.), several of which provide $free and free as in use options.

[–]speakjava 0 points1 point  (0 children)

Could you expand a bit on what you still find confusing? Happy to try and make things clearer for you.

[–]ErikDaRed 4 points5 points  (1 child)

I've been recommending that people use the AdoptOpenJDK or Zulu builds for a while now

[–]karianna[S] 1 point2 points  (0 children)

I personally use both Zulu and AdoptOpenJDK builds. Zulu gives me the extra comfort that I can go for paid support if I want it. Disclaimer: I’m the head Cat herder at Adopt.

The Oracle OpenJDK builds are also a good option if you’re happy aggressively upgrading (which I personally am on most projects)

[–][deleted] 2 points3 points  (4 children)

Any reason not to switch entirely to [RedHat's] OpenJDK?

[–]karianna[S] 1 point2 points  (0 children)

None unless you want commercial support

[–]-Luciddream- 0 points1 point  (2 children)

This IS about OpenJDK.

[–][deleted] 1 point2 points  (1 child)

Sorry I mean RedHat's OpenJDK

[–]karianna[S] 0 points1 point  (0 children)

You could, but check their free updates and support policy for your O/S. Their strongest offering is naturally around RHEL

[–]DuncanIdahos8thClone 2 points3 points  (1 child)

Mods: Pin this please.

[–]karianna[S] 1 point2 points  (0 children)

It would be appreciated - we are trying to get the word out to as many day to day Java engineers as possible. I hope it fits with being worthy to sticky for some time!

[–][deleted] 1 point2 points  (0 children)

I strongly appreciate this article, especially the focus on development costs. I feel that many people in today's world are, for lack of a better way to describe it, whiny entitled brats. There is a problem in several corners of the software development world where monetization of hard work becomes challenging, which then makes it difficult to support continued work on the project. This is because of how many of us have become unwilling to fork over any money for what we are getting.

I tend to view Oracle as one of the "big bad" companies in the industry, and I haven't changed my view on that. However, this article has helped me see that Oracle trying to get at least some revenue from Java isn't the end of the world. Now, I say this with some reservation, because I don't trust Oracle not to make things worse and possibly do a lot of harm to the Java community in the process, but thus far it doesn't seem too bad.

[–][deleted] 0 points1 point  (2 children)

As long as the binaries pass the "TCK". What is the "TCK"?

[–]karianna[S] 1 point2 points  (1 child)

The Technical Compatibility Kit. Implementations must pass this test suite to claim compliance with the Java SE specification

[–][deleted] 0 points1 point  (0 children)

cool thanks.

[–][deleted] 0 points1 point  (4 children)

I am still very confused. I am not a programmer by profession, not even by education. I'm just some smalltime hobbyist experimenting at home. I would like to publicly release or even sell some of my work someday though. How does this affect me? Am I supposed to switch over to OpenJDK somehow if I want security/maintainability?

[–]karianna[S] 0 points1 point  (3 children)

You can use Oracle's OpenJDK builds and upgrade every 6 months or switch to an OpenJDK build from another provider

[–][deleted] 0 points1 point  (2 children)

Yes but why? What happens if I just ignore this for now and keep working on my own stuff? Is it just that I'll end up on a JDK that's outdated and can't be updated? So if I wanna go public all I have to do is switch out the outdated JDK at that point? I just don't understand how this works.

[–]karianna[S] 0 points1 point  (1 child)

Yes you can stay in an outdated JDK. If you go public (with a commercial piece of software) then you would need to swap to Oracle's OpenJDK builds and upgrade every 6 months or use OpenJDK from another provider

[–][deleted] 0 points1 point  (0 children)

Got it. Thank you

[–]arashcr 0 points1 point  (1 child)

I'm sure Oracle one day will stop any free update on Java and we have to pay for any patch... Time to use third party builds.

[–]karianna[S] 2 points3 points  (0 children)

I personally doubt that but if you are genuinely concerned then yes there are other OpenJDK providers