The Java ecosystem has always been built on a high quality $free (zero-cost) JDK available from Oracle, and previously Sun. This is as true today as it always has been - but the new six-monthly release cycle does mean some big changes are happening.
Java now has a release every six months, something which greatly impacts how each version is supported. By support, I mean the provision of update releases with security patches and important bug fixes.
Up to and including Java 8, $free support was provided for many years. Certainly up to and beyond the launch of the next version. With Java 9 and the six-monthly release cycle, this $free support is now much more tightly controlled.
In fact, Oracle will not be providing $free long-term support (LTS) for Java at all from Java 11 onwards.
|Version||Release date||End of $free support from Oracle|
|Java 8||March 2014||January 2019 (for commercial use)|
|Java 9||Sept 2017||March 2018|
|Java 10||March 2018||Sept 2018|
|Java 11||Sept 2018||March 2019 (might be extended, see below)|
|Java 12||March 2019||Sept 2019|
The idea here is simple. Oracle wants to focus its energy on moving Java forward with the cost of long-term support directly paid for by customers (instead of giving it away for $free). To do this, they need developers to continually upgrade their version of Java, moving version every six months (and picking up the patch releases in-between). Of course, for most development shops, such rapid upgrade is not feasible. But Java is now developed as OpenJDK, which means that Oracle's support dates are not the only ones to consider.
A key point to grasp is that most JDK builds in the world are based on the open source OpenJDK project. The Oracle JDK is merely one of many builds that are based on the OpenJDK codebase. While it used to be the case that Oracle had additional extras in their JDK, as of Java 11 this is no longer the case.
Many other vendors also provide builds based on the OpenJDK codebase. These builds may have additional branding and/or additional non-core functionality. Most of these vendors also contribute back to the upstream OpenJDK project, including the security patches.
The impact is that the JDK you use should now be a choice you actively make, not passively accept. How fast can you get security patches? How long will it be supported? Do you need to be able to apply contractual pressure to a vendor to help with any issues?
In addition, there are two main ways that the JDK is obtained. The first is an update mechanism buit into the operating system (eg. *nix). The second is to visit a URL and download a binary (eg. Windows).
To examine this further, lets look at Java 8 and Java 11 separately.
Staying on Java 8
If you want to stay on Java 8 after January 2019, here are the choices as I see them:
1) Don't care about security.
It is entirely possible to remain on the last $free release forever. Just don't complain when hackers destroy your company.
2) Rely on Operating System updates.
On *nix platforms, you may well obtain your JDK via the operating system (eg. Red Hat, Debian, Fedora, Arch, etc.). And as such, updates to the JDK are delivered via the operating system vendor. This is where Red Hat's participation is key - they promise Java 8 updates until June 2023 in Red Hat Enterprise Linux - but they also have an "upstream first" policy, meaning they prefer to push fixes back to the "upstream" OpenJDK project. Whether you get security patches to the JDK or not will depend on your operating system vendor, and whether they need you to pay for those updates.
3) Pay for support.
A number of companies, including Azul, IBM, Oracle and Red Hat, offer ongoing support for Java. By paying them, you get access to the stream of security patches and update releases with certain guarantees (as opposed to volunteer-led approaches). If you have cash, maybe it is fair and reasonable to pay for Java?
4) Use the non-commercial build in a commercial setting.
Oracle will provide builds of Java 8 for non-commercial use until December 2019, so you could use those. But you don't want Oracle's software licensing teams chasing you, do you?
5) Build OpenJDK yourself.
The stream of security patches * is published to a public Mercurial repository under the GPL license. As such, it is perfectly possible to build OpenJDK yourself by keeping track of commits to that repository. I suspect this not a very realistic choice for most companies.
6) Use the builds from AdoptOpenJDK.
The community team at AdoptOpenJDK has been busy over the past few years creating a build farm and testing rig. As such, they are now able to take the stream of security patches * and turn them into releases, just like you would get from the commercial offerings. They are also running the Java TCK (testing compatibility kit) to allow these builds to be fully certified as Java SE. Their plan is to produce Java 8 builds until September 2022, one year after Java 17 comes out. Obviously, you don't get a warranty or genuine support - its a community build farm project. But for most users that want to use Java 8 without paying, this is likely the best choice.
Note that Azul also offers $free OpenJDK release builds at zulu.org.
* The last two options assume that a group actually will step forward and take over the "JDK 8 updates" OpenJDK project once Oracle stop. While the exact project details are not yet confirmed, this IBM statement indicates real backing for the approach:
Recognizing the impact that the release cycle changes will have with Java developers, IBM will partner with other members of the OpenJDK community to continue to update an OpenJDK Java 8 stream with security patches and critical bug fixes. We intend to keep the current LTS version secure and high quality for 4 years. This timescale bridges the gap between LTS versions with 1 year to allow for a migration period. IBM has also invested in an open build and test project (AdoptOpenJDK.net) along with many partners and Java leaders to provide community binaries across commonly used platforms of OpenJDK with Hotspot and OpenJDK with Eclipse OpenJ9. These community binaries are TCK (Java SE specification) compliance tested and ready for developers to download and use in production.
It is also hard to see Red Hat not contributing to this effort given their June 2023 support date and "upstream first" policy.
Staying on Java 9 or Java 10
No-one wants to provide builds or support for Java 9 or Java 10. And anyway, there is no good reason not to upgrade to Java 11 in my opinion.
Staying on Java 11
It is a brave new world and not 100% clear, but this is how it looks like things will happen.
But in reality, it is now irrelevant as to whether Oracle JDK is $free to download or not. That is because from Java 11, developers can treat Oracle JDK and OpenJDK as being equivalent. It is no longer appropriate or correct to consider the OpenJDK build to be secondary or less important. In fact, the most important build is now the OpenJDK one.
So, how long will Oracle provide security patches to Java 11?
Again, the answer to this is not 100% clear:
> What will Java 11 get from Oracle? At least six months of free, GPL-licensed updates with binaries at http://jdk.java.net. (I say “at least” because that’s the current plan. The plan could change, to a longer time period, if the situation warrants.)
Clearly, six months of support is not long enough to treat Java 11 as a "long term support" (LTS) release. The promise of the period being potentially longer doesn't really help, as companies need longer timelines and more certainty. So the assumption should be that Java 11 has just 6 months of releases containing security patches from Oracle.
At this point, things move into the realms of probabilities. In all likelihood, when Oracle steps down from managing the "JDK 11 updates" project at OpenJDK (the one containing the security patches), someone else will take over. This has happened before with Java 6 and 7. And the evidence is that it will happen for Java 11 too:
OpenJDK is a community project. It's up to the community to support it.
In practice this means that a group of organizations and individuals will maintain each OpenJDK LTS release for some period
(TBA for 11, but it's sure to be a *lot* longer than six months.)
I am certain that there will be a jdk11u project, and it will be properly and professionally run.
I think it's likely that I'll be leading the project, but someone else may be chosen.
Andrew Haley, Red Hat
That covers the repository containing the security patches. (Red Hat have an excellent record in maintaining old releases of OpenJDK for the wider community.) But there is still the question of producing actual releases to download that have been certified as passing the Java SE testing TCK.
This is where the AdoptOpenJDK build farm is critical:
As part of the discussions Andrew mentioned, AdoptOpenJDK offered to build, test and make available OpenJDK
LTS binaries for the major (and several minor) platforms. This isn't yet set in concrete but folks broadly thought that
was a good idea. So the challenge of having a build and test farm for this joint effort is solved.
Martijn Verburg, AdoptOpenJDK
And AdoptOpenJDK are currently planning to do create releases until September 2022, one year after Java 17 comes out.
If people do what they say they will, then we can therefore conclude that it will be possible to use Java 11 for 4 years from release, with security patches, for $free (zero-cost). (I would imagine that if volunteers came forward, the September 2022 date could be moved even further into the future.)
Of course, only you and your company can decide if it is right and proper to use Java without giving back to the ecosystem. It could be argued that it is more ethical to either pay for support, or assist either the AdoptOpenJDK or "JDK 11 updates" OpenJDK project.
The OpenJDK builds by Oracle at http://jdk.java.net/ only cover three platforms. But this doesn't mean that they are the only platforms OpenJDK runs on. For example, AdoptOpenJDK provides Java 8 builds on 7 platforms with Hotspot (including ARM) and more platforms with OpenJ9 (including Windows 32 bit).
All the pieces are in place for Java 11 to be maintained as a long-term support release. However, unlike Java 6, 7 and 8, Oracle will not be leading the long-term support effort. In all likelihood, Red Hat will take over this task - they have said publicly that they would like to.
For the first 6 months of Java 11's life, Oracle will be providing GPL licensed $free zero-cost downloads at jdk.java.net with security patches.
To get GPL licensed $free zero-cost update releases of Java 11 after the first six months, you are likely to need to obtain them from a different URL and a different build team. Currently, my view is that AdoptOpenJDK build farm is the place to look for those builds. But zulu.org is another possibility.
Feel free to comment if I've missed something obvious.