2. Overview
Oracle recently made several changes affecting how they maintain, support &
license use of Java (more accurately the JDK).
This has commercial & technical implications for all enterprises running apps on
the JVM (users of the JDK)
● Impacts all apps that run on the JVM - regardless of language (Java, Groovy,
Scala)
● Anyone responsible for developing or provisioning JVM apps for prod usage
needs to aware
● Don’t panic! Java is still free. And changes broadly positive.
2
3. Java Terminology
Java SE (JSE) - Specification of Java language including APIs (Owned by Oracle)
Java Development Kit (JDK) - A binary implementation of JSE, plus some other
supporting tools and utilities.
OpenJDK - OSS project for source implementation of JSE that has served as RI of
the JSE since JDK 7.
OpenJDK binary - A build & packaged distribution of OpenJDK source. Several
exist, free (unbranded) & commercial (branded), produced by different entities
3
4. What Java users are accustomed to prior to changes
Oracle provides the ‘standard’ JDK
● Oracle (before them Sun) have provided the de facto standard JDK for all
popular platforms (Win, OS X, x86); & underwritten quality
Scheduling of Java Feature Releases (e.g. ..., 7, 8. 9)
● Fixed scope (set of new features and enhancements); Variable release date
(not shipped until feature complete; known to slip, significantly).
4
5. What Java users are accustomed to prior to changes
Java - Stable, Secure and Zero Cost (Overlapping, Long Term, Free Updates)
● “Stable” - Oracle provide free updates for old JDK versions, for considerable
period after new versions released, e.g.
○ JDK 7 released = July 2011; End of free public updates = April 2015. (~4 years)
○ JDK 8 released = March 2014; End of free public updates = Jan 2019 (~5 years)
○ Long overlap overlap provides ‘stability’ - users have plenty of time to wait for battle-testing &
test upgrade to new versions, whilst still benefiting from fixes & security patches to current
● “Secure” - Oracle produced free update releases to Oracle JDK containing
rolled-up security patches, every 3 months. (Including backporting to old
versions of JDK that’re still receiving free public updates).
5
6. What Java users are accustomed to prior to changes
Java - Stable, Secure and Zero Cost (Overlapping, Long Term Free Updates)
● Zero Cost - For desktop and server apps (only), the Oracle JDK has been
free to use in production.
6
7. What’s Changed & Why?
1) Java SE Release Schedule
● Given delays in past releases (e.g. JDK 9/Modules), dev feedback & trends,
Oracle switched to a time-based release schedule
● New feature release (10, 11, 12...) of Java, every 6 months.
● +ves - Faster pace of innovation. Devs get new features as soon as complete
● However...also led to Oracle changing approach to maintaining (updating)
and supporting Java...
7
8. What’s Changed & Why?
2) Oracle Changes to JDK Maintenance & (Oracle) Support
● Shorter duration of free/public updates provided by Oracle (only)
○ Free updates (fixes & security patches) to OpenJDK only provided for 6 months after
release (until the next feature release), rather than several years. No longer an overlap! e.g.
JDK 10 - Released March 2018; End of public updates = Sept 2018. (Already EoL)
JDK 11 - Released Sept 2018; End of public updates = March 2019.
● Availability of (Paid) Oracle (only) Support
○ Oracle designating some JDK releases as Long Term Support (LTS) for their purposes
(One every 2 or 3 years / 6th feature release - (8), 11, 17, 23, ...).
○ LTS releases get paid Oracle support for min 5 years.
○ Oracle NOT offering any support (even paid) for non-LTS releases (9, 10, 12...)
8
9. Picture credit: Simon Ritter, Azul Systems
What’s Changed & Why?
Oracle-specific update &
support policy.
Other support offerings
available from limited no.
other vendors.
9
10. What’s Changed & Why?
3) Licensing of Oracle JDK
● From JDK 11 (released 09/2018) Oracle JDK now requires license in prod
for all deployments (including servers). (Still usable for free in dev & test).
● Pre JDK 11, licensing terms are unchanged e.g. can continue to use Oracle
JDK 8 in prod indefinitely
10
11. General Impact of Changes to Oracle Updates & Support
Based on what’s known today*, you can only have 2 of 3 previously described
stability, security, zero-cost (must sacrifice one, to some extent). (*See slide 13).
Option 1 - Secure & Free, But sacrifice Stability
● Case - Security important, but don’t want to spend any money...
● To ensure availability of security updates you need to commit to switching to
major new versions of the JDK immediately on release (every 6 months)
● Reduces stability - Adopt new releases in prod before battle-tested by others
● Also a commitment to regression test and possibly update app (if breaking
changes) every 6 months
11
12. Option 2 - Stable & Free, But sacrifice Security (May be avoidable*)
● Stability at zero cost still possible by staying on previous LTS release (e.g. 8) after new
one (e.g. 9) released, & upgrading at leisure. But (as of today) no guarantee continue to
receive free updates (inc. security patches) when Oracle cease to provide them.
Option 3 - Secure & Stable, But not free (May be avoidable*)
● To get stability & security as before, might now need to pay for it.
● Can continue to use previous LTS release (e.g. 8 or 11), but (as of today) access to
updates after 6 months only guaranteed with commercial support contract from vendor
● Also, to receive updates for non-LTS releases almost certainly need commercial
support contract, which fewer vendors are offering (not Oracle)
General Impact of Changes to Oracle Updates & Support
12
13. *Future provision of overlapping free updates for previous JDK releases relies on
continued contribution to OpenJDK from other parties, which is still TBC -
● Requires other OpenJDK committers donate effort to backport updates (fixes &
security updates) after Oracle ceases; And other orgs to provide builds
● +ve - RedHat & others already do it for JDK 6 & 7. And Linux distro builds. But
Oracle changes create greater maintenance burden - more releases, earlier
● -ve - As of today no one yet appointed maintenance leads for JDK 8U, 9U, 10U
● Expectation - RedHat & others continue to provide updates, but for Oracle’s
LTS releases (only), starting with JDK 8.
○ If happens, can still have Stable, Secure & Free - but ONLY for LTS releases
General Impact of Changes to Oracle Updates & Support
13
14. Potential Benefits of Paid Support
1. Retain stability - Might not be necessary, hopefully long term, overlapping
updates to LTS releases continue to be provided by other OpenJDK committers
2. Obtain updates to non-LTS releases in prod - Nobody offering this for free.
And only a subset of support vendors offering it.
3. Support Java - Paying for support is one way to show support for Java. There
are also other, more direct ways to support Java OSS community.
14
15. My Advice for JVM dev teams
If/while you company is not paying for JDK support -
1) Choice of JDK
1. Do not start using Oracle JDK in prod - If you don’t have a license.
2. Do not start using Oracle OpenJDK in prod - It will only receives updates for 6
months
3. Review current choice JDK in few months when each provider’s position clearer
on key criteria
a. Length of time new builds produced for JDK update releases (both LTS and non-LTS)
b. Quality of builds - Primarily testing for JSE conformance (TCK tests).
4. AdoptOpenJDK may become best free JDK to use with respect to criteria
15
16. My Advice for JVM dev teams
2) JDK Release Adoption
● Only use LTS JDK releases (currently 8 or 11) in prod
○ Maximises likelihood you’ll continue to benefit from free updates for > 6 months (stable,
secure, free)
● Otherwise...before just adopting non-LTS JDK releases (9, 10, 12,...) in prod,
ensure you discuss and understand trade-offs & risks -
○ No free updates (including security patches) after 6 months
○ Reduces future paid support options (e.g. Oracle don’t offer it for non-LTS)
○ Is adoption of a non-LTS release really essential for biz?
16