
Winter Is Coming for Java Updates - javinpaul
https://www.azul.com/winter-is-coming-for-java-updates/
======
gcoleman
I thought Redhat were backporting fixes to OpenJDK 8 and 11:

[https://developers.redhat.com/blog/2018/09/24/the-future-of-...](https://developers.redhat.com/blog/2018/09/24/the-future-of-java-and-openjdk-updates-without-oracle-support/)

~~~
didibus
The OpenJDK is the source code. Like a master branch where commits are made.

That branch is always moving forward. New features added, new bugs or security
issues patched, etc.

Now there come points where you need to package the OpenJDK source code into
a binary.

This packaging process is done by multiple different "vendors".

Now Oracle packages for free a release every 6 months. That package is the
Oracle OpenJDK. If another vendor did a package it would be Other Vendor
OpenJDK.

Now the idea of back-porting is basically a cherry pick package. Instead of
packaging the latest commit. You cherry pick only bug and security commits and
apply them to say the release 8 commit. That way, you don't introduce new
features, only bug fixes. Then you make sure you didn't break anything
compatibility wise.

The idea is that those should be easier to migrate to, since by leaving out
new features, you limit potential backward breaking changes.

This cherry picking merge, which can be painful to do, because sometimes you
may need to address weird merge conflicts, or even make some changes to the
fix since you're trying to apply it to an earlier commit than it was built on.
This is what Oracle now charges money for.

Other vendors also offer back-ported releases for money. Azul and RedHat for
example.

AdoptOpenJDK is a new community initiative trying to do backported releases
for free with volunteer work.

And Amazon Corretto is doing it for free, but hoping that by moving to their
JDK package, you'd eventually end up using AWS.

------
jryan49
The amazon build of OpenJDK 11, Corretto [1], seems to be back porting some
version 12 fixes as well. This could be the start of fragmenting the ecosystem
all over again.

1: [https://docs.aws.amazon.com/corretto/latest/corretto-11-ug/p...](https://docs.aws.amazon.com/corretto/latest/corretto-11-ug/patches.html)

~~~
Recurecur
> This could be the start of fragmenting the ecosystem all over again.

Absolutely not. The OpenJDK is the official reference implementation, and
Oracle has open sourced everything important.

The only question is how quickly the various OpenJDK packagers will provide
security updates. The Red Hat option looks very practical if you're a Red Hat
user.

~~~
tyingq
So various packagers making different choices about which updates get
backported, and when, is absolutely not fragmentation?

I'm curious how each packager is going to decide what version numbers they use
for backported builds.

~~~
adl
Do you believe that the Linux Kernel is fragmented? That's exactly what
different distros do to the kernel.

~~~
jryan49
It definitely has created distro hell. I feel like a huge reason Linux can't
get more desktop share is because we don't combine our effort and a lot of
duplicate work is done between the distros. It's inefficient. There are things
like flatpak now though...

~~~
tremon
I think your comment has little to do with the fragmentation of the Linux
kernel (which the GP was referring to), and more with the ecosystem around it.

------
djsumdog
I am deeply confused now by the name "openjdk." I thought openjdk was the open
source version, but it seems like it's just an adjective according to this
article.

IcedTea is one OpenJDK JDK? Azul is another? Does IBM still maintain a JVM and
will that be another? What the hell is this thing:

[https://hub.docker.com/_/openjdk](https://hub.docker.com/_/openjdk)

Is that Oracle's OpenJDK release, which is different from Oracle Java? Or is
this the IcedTea release?

~~~
Nursie
OpenJDK seems to effectively be a standard, or set of interfaces/classes that
must be provided.

Oracle's OpenJDK build is very similar to Oracle Java but comes without the
support contract or the license fee. Amazon are apparently working on one
tailored more to AWS, etc.

(edit: didn't realise it was the literal upstream source - probably best to
ignore my comment!)

------
dreamcompiler
I'm not in the Java world, but is it possible to make Oracle irrelevant? Are
there not language specs, IDEs, and JVMs available from non-Oracle sources?
And if not, why not?

~~~
bilbo0s
Yes.

You can just use the latest OpenJDK. That's the open source version. But the
enterprises want to use the Oracle version. Which they can, but they would
have to pay for it. So, I assume, most of the hullabaloo is about Oracle
_charging_ for their JVM.

Essentially, for whatever reason, there are people who don't like open source.
So they don't want to use the open source JVM.

~~~
huffstler
I work in an organization that has bought support for Java (11, I think). Your
comment is technically correct, but doesn't capture the whole situation I
believe.

We use OpenJDK11 currently. The reason we're buying support is because bug
fixes and backports END for JDK11 once JDK12 is (already was) released. If you
want security/bug fixes, you'll need to upgrade your application to the new
JDK every 6 months. For a team like ours (~8 people), it's simply not viable
for us to be in a state of continual upgrading. We wouldn't get anything else
accomplished. Our job is to provide value to the business, not be stuck in
perpetual runtime upgrades. Buying the license allows us time between
upgrading JDK versions so that we can target jdk11 for new applications.

For quite some time after jdk11 was released there was also a prevalent
opinion by some of the more senior members on the team that Oracle was going
to be gimping the OpenJDK release in some way or another. Even after being
shown that that wasn't the case we had _multiple_ meetings where it was
discussed that we shouldn't migrate to OpenJDK because of bugs that "existed
in there, that don't in Oracle build". This is most certainly due to
historical reasons, and I don't blame them for thinking it.

I can't speak to why we don't rely on other LTS options, I was not a part of
the meetings that decided our actions. Ideally, we would rely on something
like adoptopenjdk, but the powers that be decided to pay Oracle instead.

~~~
eropple
So I have been in Java versioning hell before, and I empathize--but that was,
like, Java 5 to 6. My experiences with Java since then have been almost
completely seamless. So, this may be a silly question, but I'd be curious:
what is so disruptive to your workflow that upgrading a JDK, running your test
suite under instrumentation to smoke out incompatibilities and noticeable
perf/memory/etc. regressions, and deploying it would cause you to not "get
anything else accomplished"?

~~~
nradov
I can't speak for the OP, but from what I've seen in other organizations a
reluctance to upgrade JDK versions usually indicates a lack of confidence in
their test automation suite. If they can't be confident that their tests will
catch regression defects then a JDK upgrade seems risky and requires planning
ahead for a major manual testing effort. This is just one area where getting
to 100% automated functional testing delivers huge benefits.

~~~
huffstler
Pretty much right on the nose. As I mentioned elsewhere, testing is not
required where I work. As such, there's no guarantee that upgrades to JDK
won't break something behind the scenes now only to blow up later in
production.

------
tekkk
So is Oracle's goal killing off Java? It seems so from the looks of it. Or
perhaps I'm missing the big picture here

~~~
pron
You are. The community asked for those changes, but some don't understand them
and are confused because they apply old terms to new concepts.

First, Oracle has completely open sourced the JDK, for the first time ever.
Instead of a JDK with a complex license, mixing both free and commercial
features and containing field-of-use restrictions, Oracle now provides the JDK
under a 100% free and open source license, or under a commercial license for
those who wish to purchase a support subscription (and fund the development of
OpenJDK).

Second, there are no longer major releases, and the new feature releases are
similar to the old six-monthly "limited update". JDK 10, 11 and 12 are roughly
the same size as 7u2 and 7u4, which also didn't get free security patches
after six months. What's changed is the name given to those releases, and to
make the updates cheaper and easier, they have been made more gradual, by
allowing spec changes in feature releases. Not only do you get security fixes
for free forever, but there are no more major upgrades.

So the main point of confusion is that some confuse the new feature releases
with the old major releases, when, in fact, they are much closer to the old
"limited update" releases. People see a new version number, see that that
number is not freely supported beyond six months and panic, when, in fact, the
old releases that were similar to the new feature releases were also not
supported beyond six months. They themselves were considered "updates" to some
major release, but major releases no longer exist, and the "updates" now get a
new version number. See here [1] for a more complete explanation.

_In addition_, there's another _new_ model, that allows organizations that
for some reason need a much less gradual upgrade process than the new one --
and even less gradual than the old one -- and that is something that Oracle
charges for. But because the JDK is now completely open source, other OpenJDK
members have committed to backporting the fixes to provide a similar stepwise
upgrade path for free.

(I work on OpenJDK at Oracle, but speak only for myself)

[1]: [https://www.reddit.com/r/java/comments/bav1sy/winter_is_comi...](https://www.reddit.com/r/java/comments/bav1sy/winter_is_coming_for_java_updates/eke9l7u/)

~~~
deng
Just one data point: our IT has now blocked the whole java.com domain. Oracle
Java is now primarily seen as an infection you get through the Java Updater.
Yes, I know of OpenJDK and I'm currently in the process of migrating machines
to it, but I can assure you the damage to Java is very real.

~~~
pron
OpenJDK _is_ the name of the JDK developed primarily by Oracle.

java.com is the website for "consumer-side" Java -- i.e. the desktop JRE. The
JRE and "consumer Java" no longer exist (as they've been replaced by jlink),
and so the website is out of date and largely irrelevant. I hope someone soon
figures out what other use to put it to.

~~~
deng
You might not like it, but java.com/download is still the first result when
searching for Java.

I am aware what OpenJDK is and who develops it, and I can handle the changes
to our systems just fine, but I'm an engineer, not a manager. I can assure you
that the confusion around Java is very real, as well as IT departments
worrying about machines updating to a Java version requiring a commercial
license.

~~~
pron
I don't think that the desktop JRE's autoupdater can automatically update to
versions (of the old JDK 8) that now require a commercial license, but I'm not
sure. I'll ask. But I understand and agree that communication/websites can and
should be clearer/easier to find.

EDIT:

I asked about the JRE autoupdater, and got this answer:

Before update, it will offer to change the license to personal use (or to get
a commercial one) or remove the software. It will default to remove. You can
also choose not to upgrade and not to remove and keep using an out-of-date
version. And if you accidentally remove, you can still get the old free
versions from the Java archives.

~~~
ptx
This is the core piece of crucial information in all this, and I haven't found
it anywhere else.

We have Java installed. As far as I know, we never told the installer if our
use was planned to be commercial or personal. But in a few days, personal-use-
installations will get a free update and commercial-use-installations will...

A) not get updates, through the updater using heuristics and mind-reading to
divine that the installation is not personal?

B) get the update and thus be expensively out of compliance with the license?

C) have the updater present the problem to the end user and expect them to
carefully consider the legal situation?

I think many people have assumed that the answer is B and are currently busy
uninstalling Java everywhere, but if I understand you right the answer is
actually C?

Is there more information on this anywhere? Most importantly, what is the
correct official way to tell the updater ahead of time to keep the old version
and never update? (We have a legacy application that uses applets.)

~~~
hoseja
The answer is C. I got prompted with a Java update and just went ahead with
it, without much consideration; I mean, it's just a Java update, I don't even
use Java for anything on this machine but w/e. This morning I got a panicked
email from our IT, sent to a significant portion of the company about the fact
that we now run a commercially-licensed version.

There is no longer a parasitic Java installation on my computer.

------
aphexairlines
Trying out alternative OpenJDK builds (from Azul, RedHat, Amazon, or IBM) is a
good opportunity to also try GraalVM:
[https://github.com/oracle/graal/releases](https://github.com/oracle/graal/releases)

~~~
L0stLink
As I understand it, Jython was not affected by Python Global Interpreter Lock
(GIL), is the same true for GraalVM Python? If it is then it would be a great
way to speed up Python applications.

~~~
chrisseaton
Graal's Python and Ruby don't have GILs, that's correct.

~~~
L0stLink
wow thanks, this has definitely piqued my interest in GraalVM, I have seen
some polyglot examples on the official website, depending on the overhead it
is going to enable some very interesting use-cases. Very excited to see where
this goes.

------
debug-desperado
Saw a presentation from the Azul guys about Zing last year. They have a very
impressive product, and the number of ex-Sun engineers is reassuring. They
also seem to have a good relationship with Oracle.

Among the repackaged OpenJDK offerings, Zulu is at the top of my list.

~~~
moocowtruck
I also appreciate Zulu's ARM packagings!

