A quick Java comment
cantor.2 at osu.edu
Wed Apr 17 13:02:53 EDT 2019
Javapocalypse was last night, in case people didn't notice: it was the first set of security updates for Java 8 that are no longer included in a free-for-production-use Oracle Java package.
Nothing much has sorted out yet other than we're now seeing how quickly the various sources are shipping 8 and 11 updates and that sort of thing. This isn't me speaking official project policy, I'm just outlining what seem to be the directions.
I'll update our page as best I can, but the latest I can say is that we're still testing on various different flavors and evaluating the options, but that our focus is fully on flavors of OpenJDK, and that the obvious leaders in the space right now are Red Hat, Amazon, and possibly AdoptOpenJDK. Oracle's OpenJDK is fine but it moves too fast, so it's going to be tested, but not a production platform for us.
Not all of those support particular platforms, and that's really a key takeaway: we can't test on every Linux flavor, so if you have to rely on your Linux vendor for the Java version, you can probably bet that we won't officially support it or test on it apart from probably Red Hat's. Of course, most of them are going to be very close to Red Hat's since they own Java 8's maintenance and probably will or do own Java 11's, but "close" is not "the same".
Amazon's version is nice mainly because they are being very public about the additional patches they apply.
If we get real demand from paying members to fully buy into worrying about Oracle's commercial Java, we probably will, but I don't really expect that to be a thing. It is free for us to test on, it's just that if people aren't using it, testing on it is a waste of resources.
AdoptOpenJDK would be a lot more attractive if they weren't doing the builds with what seems to be a publicly accessible Jenkins, which has a suboptimal security track record, putting it politely. If we get some idea they have a more trustworthy build process, I'd feel better.
Windows is really the biggest question mark, since that has no vendor option, and probably means we will have to pick one or more and we're not quite there yet.
I don't think we have firm plans to ship/embed Java, because of the security fix implications of that, but we might change that thinking too, if we decide quarterly patches aren't enough of a downside given our release schedule already.