安全更新与OpenJDK发行版

huangapple go评论159阅读模式
英文:

Security Updates with OpenJDK distribution

问题

随着Oracle JDK许可协议的变化,许多公司正转向OpenJDK。

我的问题是 - 在OpenJDK的选择上,哪个发行版会是一个更好的选择?我正在评估Oracle Open JDK和AdoptOpenJDK,它们似乎都是不错的选择。然而,就支持方面而言,Oracle OpenJDK遵循每6个月发布一次的节奏,没有长期支持,然而AdoptOpenJDK在Java 8和11版本上有长期支持。因此,如果我切换到Oracle OpenJDK,我将不得不遵循新的发布节奏以保持与安全补丁的最新状态(我对新功能不是很关心)。然而,如果我切换到AdoptOpenJDK,我可以选择他们的一个LTS版本(11),并期望新的安全补丁会应用于这个版本。我的主要关注是,我希望在切换到OpenJDK发行版后能够及时获得Java安全更新。

参考资料:
https://www.reddit.com/r/java/comments/9hd97k/openjdk_vs_adoptopenjdk/
https://www.baeldung.com/oracle-jdk-vs-openjdk

英文:

With changes in JDK licensing agreement from Oracle, companies are switching to OpenJDK.

My question is - which distribution of the OpenJDK would be a better choice? I am evaluating Oracle Open JDK and AdoptOpenJDK, and they both seems to be an idea choice.. However when it comes to support, Oracle OpenJDK is following a 6 month release cadence without any Long term support, however AdoptOpenJDK has LTS for Java version 8 and 11. So if I switch to Oracle OpenJDK, then I will have to follow the new release cadence to be up to data with security patches (I don't care much about the new features), however If I switch to AdoptOpenJDK, then I can go with one of their LTS version (11), and expect the new security patches will be applied to this version. My main concern is, I wanted to be up to date with Java security updates after switching to OpenJDK distribution.

References
https://www.reddit.com/r/java/comments/9hd97k/openjdk_vs_adoptopenjdk/

https://www.baeldung.com/oracle-jdk-vs-openjdk

答案1

得分: 5

tl;dr

如果您想要最快速地获取关键的安全补丁,请为来自供应商(如Azul systems、BellSoft、Oracle、Pivotal或Red Hat(IBM))的支持计划付费。

要更好地了解当前的Java发行状态,您确实应该研究由独立的Java领袖和专家社区Java Champions撰写的文档Java Is Still Free

Details

>随着Oracle JDK许可协议的变更,公司正在切换到OpenJDK。

在这里要明确的是,您可能是在指Oracle将其Oracle JDK产品的条款更改为在生产中使用时需要付费。该产品在开发、测试等方面仍然是免费的。

>我的问题是 - 哪个分发的OpenJDK会是一个更好的选择?

回答这个问题取决于对您重要的标准。但您除了需要快速获取安全更新(下面会有更多详细信息)外,没有提及其他标准。

>我正在评估Oracle Open JDK和AdoptOpenJDK,它们似乎都是不错的选择...

要明确的是,OpenJDK项目只发布源代码,没有构建或安装程序。许多供应商提供基于OpenJDK源代码的构建/安装程序。

Oracle就是其中一个供应商,提供三种产品:

  • Oracle JDK —— 他们的品牌产品在生产使用时需要付费,并提供付费支持。
  • jdk.java.net —— OpenJDK的一个构建版本,无任何费用,也无任何支持。
  • GraalVM —— 一种特殊的产品,一个基于HotSpot/OpenJDK的Java VM和JDK,用Java实现,支持其他编程语言和执行模式,如提前编译Java应用程序以实现快速启动和低内存占用。

这三个产品都基于OpenJDK源代码。第一个和最后一个提供付费支持计划。

Oracle已公开宣布他们将使Oracle JDK与OpenJDK保持功能一致。Oracle作为这一承诺的一部分赞助OpenJDK项目。与此同时,Oracle保留了在迅速发布任何关键安全补丁给付费客户的权利。他们最终会将这些补丁提交给OpenJDK项目。但是,这些提交的补丁在被发布之前可能需要更长的时间经过OpenJDK流程。

AdoptOpenJDK是另一个供应商,提供OpenJDK源代码基础的构建和安装程序。因此,任何关键的安全补丁可能不会像其他供应商的补丁那样迅速地免费公开发布给公众。

下面是一个我制作的流程图,可以帮助您选择一个供应商的Java实现。您有多种选择,其中一些具有支持选项。

安全更新与OpenJDK发行版

>然而,当涉及到支持时,Oracle OpenJDK遵循每6个月发布一次的发布周期,没有任何长期支持,然而AdoptOpenJDK对Java 8和11版本提供了LTS。

我认为您在这方面是不正确的。Oracle确实在Java 8和Java 11的Oracle JDK产品上为公众提供LTS更新,为某些年份提供支持,也为付费客户提供额外的支持年限。

Java社区在合作方面要比您可能理解的要好得多。我所知道的每个Java实现主要都基于OpenJDK项目。OpenJDK项目得到了Oracle、Apple、IBM、SAP以及可能其他公司的支持。Amazon、Microsoft等公司也在做出贡献。整个Java社区都已经接受了快速发布和长期支持(LTS)战略。

Oracle已经将LTS版本8和11的管理权交给了Red Hat,但Oracle仍然继续支持它们。请查看Oracle Java SE支持路线图获取详细信息。

>所以,如果我切换到Oracle OpenJDK,我将不得不遵循新的发布周期,以保持安全补丁的最新状态。

我所知道的每个Java实现都遵循相同的发布周期。

>(我不太关心新功能),

那么您肯定应该只使用LTS版本。目前,这将是Java 8和Java 11。

>如果我切换到AdoptOpenJDK,我可以选择他们的LTS版本(11),并期望新的安全补丁将应用于此版本。

您可以期望从任何提供Java实现的供应商获得安全补丁。问题是这些补丁会多快地到达您。

>我主要的关注点是,我希望能及时获得Java安全更新。

那么我建议您从可靠的供应商购买付费支持计划。您有几种选择。在我上面的图表的蓝桶的左侧可以看到。

如果您认为关键的安全漏洞影响您的可能性极低,或者您可能能够减轻此类漏洞,那么支持计划的成本对您可能没有那么大的价值。在这种情况下,您将等待更新的

英文:

tl;dr

If you want the most rapid release of critical security patches, pay for a support plan from a vendor such as Azul systems, BellSoft, Oracle, Pivotal, or Red Hat (IBM).

To better understand the current state of the world of Java releases, you really should study the document Java Is Still Free. Written by the Java Champions community of independent Java leaders and experts.

Details

>With changes in JDK licensing agreement from Oracle, companies are switching to OpenJDK.

To be clear here, you may be referring to Oracle changing the terms to their Oracle JDK product to require a fee when used in production. That product is still free-of-cost for use in development, testing, and such.

>My question is - which distribution of the OpenJDK would be a better choice?

Answering that depends on the criteria important to you. But you did not mention any criteria other than needing security updates rapidly (more on that below).

>I am evaluating Oracle Open JDK and AdoptOpenJDK, and they both seems to be an idea choice..

Be clear on this: The OpenJDK project publishes source code only, not builds nor installers. Many vendors provide builds/installers based on the OpenJDK source code.

Oracle is one such vendor, providing three products:

  • Oracle JDK — their branded product requiring a fee for production use, with paid support available.
  • jdk.java.net — a build of OpenJDK without any fees and without any support.
  • GraalVM — a special product, a Java VM and JDK based on HotSpot/OpenJDK, implemented in Java, and supporting additional programming languages and execution modes, like ahead-of-time compilation of Java applications for fast startup and low memory footprint.

All three of these are based on OpenJDK source code. The first and last offer paid support programs.

Oracle has publicly declared their intent to keep Oracle JDK at feature-parity with OpenJDK. Oracle sponsors the OpenJDK project as part of that commitment. At the same time, Oracle reserves the right to rapidly release any critical security patch to their paying customers. They will eventually submit such patches to the OpenJDK project. But those submitted patches are likely to take more time to go through the OpenJDK process before being released.

AdoptOpenJDK is another vendor offering builds and installers of the OpenJDK source code base. So, again, any critical security patches may not reach the public free-of-charge as fast as a patch from another vendor to their paying customers.

Here is a flow chart I made to help guide you in your selection of a vendor for a Java implementation. You have a variety of choices, some with support options.

安全更新与OpenJDK发行版

>However when it comes to support, Oracle OpenJDK is following a 6 month release cadence without any Long term support, however AdoptOpenJDK has LTS for Java version 8 and 11.

I believe you are incorrect here. Oracle does maintain LTS updates to their Oracle JDK product for both Java 8 and Java 11, for some number of years to the public, and for additional years to their paying customers.

The Java community is much more cooperative in working together than you may understand. Every implementation of Java I know of is largely based on the OpenJDK project. The OpenJDK project is supported by Oracle, Apple, IBM, SAP, and possibly others. Amazon, Microsoft, and other companies contribute. The rapid release train and Long-Term Support (LTS) strategy has been embraced by the entire Java community.

Oracle has turned over stewardship of the LTS versions 8 and 11 to Red Hat, but Oracle continues to support them both. See the Oracle Java SE Support Roadmap for details.

> So if I switch to Oracle OpenJDK, then I will have to follow the new release cadence to be up to data with security patches

Every Java implementation I know of is following along the same release cadence.

>(I don't care much about the new features),

Then you should certainly stick to using only the LTS versions. Currently that would be Java 8 and Java 11.

>If I switch to AdoptOpenJDK, then I can go with one of their LTS version (11), and expect the new security patches will be applied to this version.

You can expect security patches from any vendor providing a Java implementation. The question is how rapidly those patches will arrive to you.

>My main concern is, I wanted to be up to date with Java security updates

Then I recommend you purchase a paid support plan from a reliable vendor. You have a choice of several. See the left side of the blue barrel in my diagram above.

If you think the chance of critical security vulnerability affecting you specifically is exceedingly low, or that you are likely to be able to mitigate such a vulnerability, then the cost of a support plan may not be worth it to you. In this case, you would wait for a newer free-of-cost release. You may be waiting longer than you would with a paid vendor.

>after switching to OpenJDK distribution.

Every Java implementation I know of being distributed today is based on OpenJDK.

Here is another graphic listing possible motivations for choosing a particular vendor for your Java implementation.

安全更新与OpenJDK发行版

huangapple
  • 本文由 发表于 2020年3月15日 10:49:32
  • 转载请务必保留本文链接:https://go.coder-hub.com/60689292.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定