When I recently attended the Manchester Java Community’s AdoptOpenJDK meetup, I went with one burning question, and if the speaker, Stewart Addison (a member of the AdoptOpenJDK steering council), didn’t cover it in the presentation, I was definitely going to ask it! My question was about security. Given the open source nature of OpenJDK and any of its derivatives, how secure can it truly be? In fact, how quickly can the maintainers learn about security vulnerabilities from Oracle and patch them?
But perhaps a bit of context is in order. Back in early 2018, Oracle announced that their license for running their JRE would be changing to a paid model. The pricing would be (and now is) based on the number of processors running the JRE per month. You can see how that might add up. Here’s an article from the time, with a humorous poll, that sums up the community’s feelings on the matter. The feelings were bad. There was an upsurge in the usage of OpenJDK, and funding for OpenJDK vendors has been growing ever since!
What is OpenJDK?
Oracle continues to provide a free, open source build of their development kit, including the JRE. Each release is patched and kept up to date for 6 months, until the next feature release of Java ships. After that there are no updates, no security patches and no support, unless you move to the new version or pay for the license. Since Oracle no longer guarantees backwards compatibility between feature releases, updating every 6 months is an untenable task for most companies.
This is where OpenJDK vendors come in. By various means, numerous organisations have taken copies of the OpenJDK source code and maintained it beyond that 6-month cycle. For brevity’s sake I will only focus on the 3 that interested me, but Stewart covered more in his talk.
- Red Hat OpenJDK – The most official version of the JDK outside Oracle’s own, as Oracle and Red Hat work closely together.
- AdoptOpenJDK – The most open of the contributions. Their build pipelines, tests, nightly builds, etc. are open to the public to see and download.
- Corretto (Amazon’s OpenJDK) – Used by Amazon for their own back ends and services, but Amazon do not provide support for its use outside their infrastructure.
Wasn’t There a Question?!
Oh yeah! So, I got to the end, politely waited through other, inferior, questions, then just as I was about to ask, the man in front of me asked (I’ll paraphrase) “When Oracle detects a security vulnerability in their JDK and patches it, does it take a long time for you to learn about it and patch it? Is there a window during which AdoptOpenJDK users are vulnerable?”…
He stole my thunder! The condensed version of the answer is: when security vulnerabilities are detected, vendors are informed immediately. There is a sizeable period for the vendors to update their code before the public is informed. The Red Hat team has an advantage here, as they continue to work with Oracle on security patches.
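That answer only helps you if you actually know which vendor’s build, and which update of it, is running on your hosts; the embargo closes the window on the vendor’s side, but a box still sitting on last quarter’s update is as exposed as ever. As an added example (my own illustration, not code from the talk or from any of the vendors), here is a small parser for the three lines that `java -version` prints to stderr. It pulls out the vendor, the feature version, the update number and the build string so you can flag builds that are behind the update you expect. The sample strings are constructed to match the shape of real output and are not captured from any particular machine; the vendor detection is a best-effort guess from the runtime line, and the `expected_update` policy value is an assumption you would supply from your own patch tracking.

```python
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample output in the shape `java -version` writes to stderr.
# Illustrative strings for this example only; real output varies by vendor
# and release, and Red Hat builds in particular carry no vendor marker here.
SAMPLES: Dict[str, str] = {
    "adoptopenjdk": (
        'openjdk version "11.0.2" 2019-01-15\n'
        'OpenJDK Runtime Environment AdoptOpenJDK (build 11.0.2+9)\n'
        'OpenJDK 64-Bit Server VM AdoptOpenJDK (build 11.0.2+9, mixed mode)\n'
    ),
    "corretto": (
        'openjdk version "11.0.2" 2019-01-15 LTS\n'
        'OpenJDK Runtime Environment Corretto-11.0.2.9.3 (build 11.0.2+9-LTS)\n'
        'OpenJDK 64-Bit Server VM Corretto-11.0.2.9.3 (build 11.0.2+9-LTS, mixed mode)\n'
    ),
    "oracle_openjdk": (
        'openjdk version "11.0.2" 2019-01-15\n'
        'OpenJDK Runtime Environment 18.9 (build 11.0.2+9)\n'
        'OpenJDK 64-Bit Server VM 18.9 (build 11.0.2+9, mixed mode)\n'
    ),
    "oracle_jdk": (
        'java version "11.0.2" 2019-01-15 LTS\n'
        'Java(TM) SE Runtime Environment 18.9 (build 11.0.2+9-LTS)\n'
        'Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11.0.2+9-LTS, mixed mode)\n'
    ),
    "jdk8": (
        'openjdk version "1.8.0_191"\n'
        'OpenJDK Runtime Environment (build 1.8.0_191-b12)\n'
        'OpenJDK 64-Bit Server VM (build 25.191-b12, mixed mode)\n'
    ),
}

# First line: `<family> version "<version>" [<date>] [LTS]`
VERSION_RE = re.compile(r'^(java|openjdk) version "([^"]+)"(?: (\d{4}-\d{2}-\d{2}))?( LTS)?')
# Second line carries the build string inside `(build ...)`
BUILD_RE = re.compile(r"\(build ([^,)]+)")


@dataclass
class JdkInfo:
    family: str            # "openjdk", or "java" for Oracle's commercial JDK
    version: str           # raw version string, e.g. "11.0.2" or "1.8.0_191"
    feature: int           # 11, or 8 for the legacy 1.8.0_x scheme
    update: int            # 2 for 11.0.2, 191 for 1.8.0_191
    build: Optional[str]   # e.g. "11.0.2+9" or "1.8.0_191-b12"
    vendor: str            # best-effort guess from the runtime line
    lts_tagged: bool       # whether the first line carried the LTS tag


def guess_vendor(family: str, runtime_line: str) -> str:
    """Identify the vendor from the runtime line where it names itself."""
    if "AdoptOpenJDK" in runtime_line:
        return "AdoptOpenJDK"
    if "Corretto" in runtime_line:
        return "Amazon Corretto"
    if family == "java" or "Java(TM)" in runtime_line:
        return "Oracle JDK (commercial)"
    # Oracle's own OpenJDK builds and Red Hat's packages both land here.
    return "unidentified OpenJDK build"


def parse_java_version(text: str) -> JdkInfo:
    """Parse the stderr text of `java -version` into a JdkInfo."""
    lines = [line.strip() for line in text.splitlines() if line.strip()]
    if not lines:
        raise ValueError("empty java -version output")
    match = VERSION_RE.match(lines[0])
    if not match:
        raise ValueError(f"unrecognised version line: {lines[0]!r}")
    family, version, _date, lts = match.groups()
    if version.startswith("1."):
        # Legacy scheme (JDK 8 and earlier): 1.8.0_191 -> feature 8, update 191
        feature = int(version.split(".")[1])
        update = int(version.split("_")[1]) if "_" in version else 0
    else:
        # JEP 223 scheme: <feature>.<interim>.<update>
        parts = version.split(".")
        feature = int(parts[0])
        update = int(parts[2]) if len(parts) > 2 else 0
    runtime_line = lines[1] if len(lines) > 1 else ""
    build_match = BUILD_RE.search(runtime_line)
    return JdkInfo(
        family=family,
        version=version,
        feature=feature,
        update=update,
        build=build_match.group(1) if build_match else None,
        vendor=guess_vendor(family, runtime_line),
        lts_tagged=lts is not None,
    )


def update_behind(info: JdkInfo, expected_update: int) -> bool:
    """True when the build's update number is older than the one your policy expects."""
    return info.update < expected_update


def local_java_info() -> Optional[JdkInfo]:
    """Run the installed `java -version` (output goes to stderr) and parse it."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return parse_java_version(proc.stderr)


if __name__ == "__main__":
    info = local_java_info()
    print(info if info else "no java on PATH")
```

Where the runtime line carries no vendor name, as with Red Hat’s packages, `java -XshowSettings:properties -version` is the better source: it prints `java.vendor` and, from JDK 10 onwards, `java.vendor.version`, which is what I would feed into an inventory rather than guessing from the banner.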
Well There You Have It
Even though I had my glory stolen from me and the only question I got to ask was “Can I get a copy of your slides?” (which Stewart kindly agreed to) I still feel that the event was hugely worthwhile, and that everyone who came together to make it happen deserves huge thanks. I was hooked from start to end. However, the 2 junior C# developers that tagged along with me didn’t seem so enamoured. Maybe they’ll listen to me next time I suggest they sit a Meetup out…