Issue
With changes in JDK licensing agreement from Oracle, companies are switching to OpenJDK.
My question is - which distribution of the OpenJDK would be a better choice? I am evaluating Oracle Open JDK and AdoptOpenJDK, and they both seem to be an ideal choice. However when it comes to support, Oracle OpenJDK is following a 6 month release cadence without any Long term support, however AdoptOpenJDK has LTS for Java version 8 and 11. So if I switch to Oracle OpenJDK, then I will have to follow the new release cadence to be up to date with security patches (I don't care much about the new features), however if I switch to AdoptOpenJDK, then I can go with one of their LTS version (11), and expect the new security patches will be applied to this version. My main concern is, I wanted to be up to date with Java security updates after switching to OpenJDK distribution.
References https://www.reddit.com/r/java/comments/9hd97k/openjdk_vs_adoptopenjdk/
https://www.baeldung.com/oracle-jdk-vs-openjdk
Solution
tl;dr
If you want the most rapid release of critical security patches, pay for a support plan from a vendor such as Azul Systems, BellSoft, Oracle, Pivotal, or Red Hat (IBM).
To better understand the current state of the world of Java releases, you really should study the document Java Is Still Free, written by the Java Champions community of independent Java leaders and experts.
Details
> With changes in JDK licensing agreement from Oracle, companies are switching to OpenJDK.
To be clear here, you may be referring to Oracle changing the terms to their Oracle JDK product to require a fee when used in production. That product is still free-of-cost for use in development, testing, and such.
> My question is - which distribution of the OpenJDK would be a better choice?
Answering that depends on the criteria important to you. But you did not mention any criteria other than needing security updates rapidly (more on that below).
> I am evaluating Oracle Open JDK and AdoptOpenJDK, and they both seem to be an ideal choice.
Be clear on this: The OpenJDK project publishes source code only, not builds nor installers. Many vendors provide builds/installers based on the OpenJDK source code.
Oracle is one such vendor, providing three products:
- Oracle JDK — their branded product requiring a fee for production use, with paid support available.
- jdk.java.net — a build of OpenJDK without any fees and without any support.
- GraalVM — a special product, a Java VM and JDK based on HotSpot/OpenJDK, implemented in Java, and supporting additional programming languages and execution modes, like ahead-of-time compilation of Java applications for fast startup and low memory footprint.
All three of these are based on OpenJDK source code. The first and last offer paid support programs.
Oracle has publicly declared their intent to keep Oracle JDK at feature-parity with OpenJDK. Oracle sponsors the OpenJDK project as part of that commitment. At the same time, Oracle reserves the right to rapidly release any critical security patch to their paying customers. They will eventually submit such patches to the OpenJDK project. But those submitted patches are likely to take more time to go through the OpenJDK process before being released.
AdoptOpenJDK is another vendor offering builds and installers of the OpenJDK source code base. So, again, any critical security patches may not reach the public free-of-charge as fast as a patch from another vendor to their paying customers.
Here is a flow chart I made to help guide you in your selection of a vendor for a Java implementation. You have a variety of choices, some with support options.
> However when it comes to support, Oracle OpenJDK is following a 6 month release cadence without any Long term support, however AdoptOpenJDK has LTS for Java version 8 and 11.
I believe you are incorrect here. Oracle does maintain LTS updates to their Oracle JDK product for both Java 8 and Java 11, for some number of years to the public, and for additional years to their paying customers.
The Java community is much more cooperative in working together than you may understand. Every implementation of Java I know of is largely based on the OpenJDK project. The OpenJDK project is supported by Oracle, Apple, IBM, SAP, and possibly others. Amazon, Microsoft, and other companies contribute. The rapid release train and Long-Term Support (LTS) strategy has been embraced by the entire Java community.
Oracle has turned over stewardship of the LTS versions 8 and 11 to Red Hat, but Oracle continues to support them both. See the Oracle Java SE Support Roadmap for details.
> So if I switch to Oracle OpenJDK, then I will have to follow the new release cadence to be up to date with security patches
Every Java implementation I know of is following along the same release cadence.
> (I don't care much about the new features),
Then you should certainly stick to using only the LTS versions. Currently that would be Java 8 and Java 11.
> however if I switch to AdoptOpenJDK, then I can go with one of their LTS version (11), and expect the new security patches will be applied to this version.
You can expect security patches from any vendor providing a Java implementation. The question is how rapidly those patches will arrive to you.
> My main concern is, I wanted to be up to date with Java security updates
Then I recommend you purchase a paid support plan from a reliable vendor. You have a choice of several. See the left side of the blue barrel in my diagram above.
If you think the chance of a critical security vulnerability affecting you specifically is exceedingly low, or that you are likely to be able to mitigate such a vulnerability, then the cost of a support plan may not be worth it to you. In this case, you would wait for a newer free-of-cost release. You may be waiting longer than you would with a paid vendor.
> after switching to OpenJDK distribution.
Every Java implementation I know of being distributed today is based on OpenJDK.
Here is another graphic listing possible motivations for choosing a particular vendor for your Java implementation.
Answered By - Basil Bourque
Answer Checked By - David Goodson (JavaFixing Volunteer)