Issue
At one place I got this information: "With Oracle's new licensing policy you can select any 2 from Stable, Secure, Free." This statement suggests that if I want to select Stable and Secure, then I cannot be Free, meaning I have to use Oracle JDK and pay for a license.
In other places I have read that the open source community will make sure to update OpenJDK.
If I am using OpenJDK 8 in production, then will I get security updates for OpenJDK?
Is updating to a newer OpenJDK version the only solution? Even if I move to a newer version (suppose the LTS version OpenJDK 11*) for now, the same question arises in the future regarding security updates.
I know about the new Oracle release cadence and license policy. I am also aware of the similarity of OpenJDK and Oracle JDK (starting from version 11), but my question is specific to OpenJDK updates.
* LTS version OpenJDK 11: I am not sure if I should call any OpenJDK version LTS :)
Solution
I believe that you got the idea of "Stable, Free, Secure" from https://www.azul.com/java-stable-secure-free-choose-two-three/
First of all, be aware that there is a hidden agenda behind propositions like this. They (in this case Azul) want you to pay for support. This is also true of Oracle, and most if not all other Java vendors / distributors. (Even the major Linux distro vendors who include OpenJDK packages want you to pay for distro support.)
This is not necessarily a bad thing. At the end of the day, Java developers have to be paid to work, and it is not unreasonable to expect people who rely on Java to contribute their share.
The answer is that it depends on whether some organization "steps up to the plate" to do the work of applying or backporting security updates from Oracle (and possibly other vendors) to the codebase of a given OpenJDK LTS release when the OpenJDK team stops doing it. Azul say that they will do this for paying customers, and by implication for paying customers only.
Q: Could some other organization do this "for free"?
A: Possibly. It depends on whether they can afford to, and whether Oracle decides to limit availability of security patches in a way that would prevent this.
But we don't know, because we can't predict the future. And on the other hand, we can't reliably predict whether (say) Azul will still be in the business of supporting Java in the future. Or even if they will still be in business.
This kind of uncertainty is normal in the IT sector. You / your organization just need to make decisions based on what you know, and adapt if the decisions prove to be wrong in the future.
Answered By - Stephen C