Monday, 3 September 2018

Time to look beyond Oracle's JDK

From Java 11 its time to think beyond Oracle's JDK. Time to appreciate the depth of the ecosystem built on OpenJDK. Here is a list of some key OpenJDK builds.

This is a quick follow up to my recent zero-cost Java post

OpenJDK builds

In practical terms, there is only one set of source code for the JDK. The source code is hosted in Mercurial at OpenJDK.

Anyone can take that source code, produce a build and publish it on a URL. But there is a distinct certification process that should be used to ensure the build is valid.

Certification is run by the Java Community Process, which provides a Technology Compatibility Kit (TCK, sometimes referred to as the JCK). If an organization produces an OpenJDK build that passes the TCK then that build can be described as "Java SE compatible".

Note that the build cannot be referred to as "Java SE" without the vendor getting a commercial license from Oracle. For example, builds from AdoptOpenJDK that pass the TCK are not "Java SE", but "Java SE compatible" or "compatible with the Java SE specification". Note also that certification is currently on a trust-basis - the results are not submitted to the JCP/Oracle for checking and cannot be made public. See Volker's excellent comment for more details.

To summarise, the OpenJDK + Vendor process turns one sourcebase into many different builds.

In the process of turning the OpenJDK sourcebase into a build, the vendor may, or may not, add some additional branding or utilities, provided these do not prevent certification. For example, a vendor cannot add a new public method to an API, or a new language feature.

Oracle JDK

http://www.oracle.com/technetwork/java/javase/downloads/

From Java 11 this is a branded commercial build with paid-for support. It can be downloaded and used without cost only for development use. It cannot be used in production without paying Oracle (so it is a bit of a trap for the unwary). Oracle intends to provide full paid support until 2026 or later (details). Note that unlike in the past, the Oracle JDK is not "better" than the OpenJDK build (provided both are at the same security patch level). See here for more details of the small differences between Oracle JDK and the OpenJDk build by Oracle.

OpenJDK builds by Oracle

http://jdk.java.net/

These are $free pure unbranded builds of OpenJDK under the GPL license with Classpath Extension (safe for use in companies). These builds are only available for the first 6 months of a release. For Java 11, the expectation is there will be Java 11.0.0, then two security patches 11.0.1 and 11.0.2. To continue using the OpenJDK build by Oracle with security patches, you would have to move to Java 12 within one month of it being released. (Note that the provision of security patches is not the same as support. Support involves paying someone to triage and act upon your bug reports.)

Eclipse Temurin by Adoptium (formerly AdoptOpenJDK)

https://adoptium.net/

These are $free pure unbranded builds of OpenJDK under the GPL license with Classpath Extension. Unlike the OpenJDK builds by Oracle, these builds will continue for a much longer period for major releases like Java 11. The Java 11 builds will continue for 4 years, one year after the next major release (details). Adoptium is a project at Eclipse backed by some major industry companies. They will provide builds provided that other groups create and publish security patches in a source repository at OpenJDK.

Red Hat OpenJDK builds

Red Hat provides builds of OpenJDK via Red Hat Enterprise Linux (RHEL) which is a commercial product with paid-for support (details). They are very good at providing security patches back to OpenJDK, and Red Hat has run the security updates project of Java 6 and 7. The Red Hat build is integrated better into the operating system, so it is not a pure OpenJDK build (although you wouldn't notice the difference).

Other Linux OpenJDK builds

Different Linux distros have different ways to access OpenJDK. Here are some links for common distros: Debian, Fedora, Arch, Ubuntu.

Azul Zulu

https://www.azul.com/downloads/zulu/

Zulu is a branded build of OpenJDK with commercial paid-for support. In addition, Azul provides some Zulu builds for $free as "Zulu Community", however there are no specific commitments as to the availability of those $free builds. Azul has an extensive plan for supporting Zulu commercially, including plans to support Java 9, 13 and 15, unlike any other vendor (details).

Amazon Corretto

https://aws.amazon.com/corretto/

In preview from 2018-11-14, this is a zero-cost build of OpenJDK with long-term support that passes the TCK. It is under the standard GPL+CE license of all OpenJDK builds. Amazon will be adding their own patches and running Corretto on AWS, so it will be very widely used. Java 8 support will be until at least June 2023.

IBM Semeru (formerly AdoptOpenJDK OpenJ9 builds)

https://developer.ibm.com/languages/java/semeru-runtimes/

In addition to the standard OpenJDK builds, AdoptOpenJDK offered builds with OpenJ9 instead of HotSpot. OpenJ9 was originally IBM's JVM, but OpenJ9 is now Open Source at Eclipse. These builds are now avaialble from IBM directly. They also provide commercial paid-for support for the AdoptOpenJDK builds with OpenJ9.

SAP

https://sap.github.io/SapMachine/

SAP provides a JDK for Java 10 and later under the GPL+CE license. They also have a commercial closed-source JVM. Information on support lifetimes can be found here.

Liberica

https://bell-sw.com/java.html

Liberica from Bellsoft is a $free TCK verified OpenJDK distribution for x86, ARM32 and ARM64. Information on support can be found here.

ojdkbuild project

https://github.com/ojdkbuild/ojdkbuild

A community project sponsored by Red Hat that produces OpenJDK builds. They are the basis of Red Hat's Windows builds. The project has no customer support but does intend to provide builds so long as Red Hat supports a Java version. No information is provided about the TCK.

Others

There are undoubtedly other builds of OpenJDK, both commercial and $free. Please contact me if you'd like me to consider adding another section.

Summary

There are many different builds of OpenJDK, the original upstream source repository. Each build offers its own unique take - $free or commercial, branded or unbranded.

Choice is great. But if you just want the "standard", currently my best advice is to use the OpenJDK builds by Oracle, Adoptium builds or the one in your Operating System (Linux).

49 comments:

  1. > Other Linux OpenJDK builds

    How many of them actually run the TCK? I assume Fedora is the same as RHEL. But Debian?

    Red Hat obviously has some patches but "you wouldn't notice the difference"(tm). Are they documented somewhere? What about the other Linux builds, do they build just from the OpenJDK sources or do they have some patches as well?

    ReplyDelete
    Replies
    1. You can get the source rpm and pull them apart. Engineering tries to upstream all patches first, so having rhel specific patches is the exception rather the rule (at least from my perspective in the product security team).

      Delete
    2. > You can get the source rpm and pull them apart.

      So undocumented then?

      > so having rhel specific patches is the exception rather the rule

      This directly contradicts the statements made by Andrew Haley in the comment linked in the article

      https://blog.joda.org/2018/08/java-is-still-available-at-zero-cost.html?showComment=1535557540917#c3115313366548497

      Delete
  2. Thanks for sharing this information. You're doing an important thing for all of us here.

    ReplyDelete
  3. Hi Stephen,
    thanks for compiling this useful overview. However, it contains a tiny but crucial inaccuracy: you can NEVER call you OpenJDK build “Java SE” unless you buy a commercial license from Oracle which allows you to do so (“Java” and “Java SE” are a trademark registered by Oracle). All you can do if you fully pass a “certification” run with the TCK is to call your binary “Java (TM) SE XX compatible” or say that it passed the “Java (TM) SE XX TCK.
    Notice moreover that the TCK can be run in several “modes” of which the “certification” mode is by far the most extensive and expensive one. Unfortunately, neither are the users of the TCK for the OpenJDK (i.e. OCTLA signers http://openjdk.java.net/groups/conformance/JckAccess/jck-access.html) allowed to share their certification results with the public nor are they required to submit theses results to Oracle for checking. So claiming compatibility with a Java SE specification is currently a matter of trust.

    ReplyDelete
    Replies
    1. Great info thanks, I've updated the blog.

      Delete
    2. So what we need is for someone to leak the TCK to people who haven't signed?

      Delete
  4. A correction for your information. TCK stands for Technology Compatibility Kit rather than Testing Compatibility Kit.

    ReplyDelete
  5. In addition to RHEL, Red Hat also has OpenJDK builds for Windows: https://developers.redhat.com/products/openjdk/overview/

    ReplyDelete
  6. What about IntellIJ? They provide a very good range of OpenJDK builds for most popular patforms.

    ReplyDelete
  7. Thanks for the information. One naive question: Is there a way to get the tar/zip for Oracle OpenJDK? The site http://openjdk.java.net/ seem to point to a download of Oracle JDK and not Oracle OpenJDK.

    ReplyDelete
    Replies
    1. Thanks Stephen! Hope I am not missing anything here ..I downloaded JDK 8 from the above link and looked at License file and it redirected to http://java.com/license which points to Oracle BCL. Is that correct?

      Delete
    2. This article is about Java 11. For Java 8 there was no "OpenJDK build by Oracle".

      Delete
  8. Excellent Article. Thanks for sharing.

    ReplyDelete
  9. So, really, it all comes down to:
    * How often security patches are pushed back into the OpenJDK source (by anyone)
    * How often companies rebuild and release THEIR OpenJDK build

    By the sounds of it, best bet is:
    * Oracle OpenJDK if you think you CAN update through major versions easily
    * AdoptOpenJDK if you think you can't

    ReplyDelete
  10. I just want to tell that in order to avoid thinking about Oracle licencing issues, I switched to Zulu several days ago and deleted all Java. So far, Zulu works great without a glitch with may JavaEE apps (Hibernate+Maven+Sprint+Primefaces) and eclipse.

    ReplyDelete
  11. I think a very good reason for getting the Oracle JDK is that it actually invests back into an organization heavily contributing to the development effort. Especially now that the subscription fees are sane…

    ReplyDelete
  12. I just want to add:
    - https://github.com/ojdkbuild/ojdkbuild, used by docker for their windows container builds

    - https://bintray.com/jetbrains/intellij-jdk, only openjdk8, used by jetbrains for theirs intellij based ide, openjdk with font smoothing patch

    ReplyDelete
  13. Why is there no JDK 11 download on AdoptOpenJDK?
    Will it only be available after Oracle OpenJDK 11 (http://jdk.java.net/11/) ends its live cycle after 6 month? Or is it just not maintained at the time?

    ReplyDelete
    Replies
    1. It will take a few days to run the TCK and get it uploaded. Their aim is later this week, but bear in mind it is a volunteer-led project!

      Delete
    2. Was it same with RedHatOpenJDK too?

      Delete
  14. Liberica from Bellsoft is a $free TCK verified OpenJDK distributrion for x86, ARM32 and ARM64.
    https://bell-sw.com/java.html

    ReplyDelete
  15. One need only contemplate that as of 1-Oct-2018 http://java.com and a simple search of "Java Download" continues to push Java 8 to the masses. Oracle could have resolved their own house with a more open and unified rollout, and avoided the vast majority of confusion...if they had wanted to. Politics.

    ReplyDelete
  16. Just an observation : We did a quick look at the AdoptOpenJDK (both OpenJ9 and regular) for Java 8 and it looked like OpenJ9 did not support the AES extensions in the microprocessor. I don't think Java 9 did either.

    ReplyDelete
  17. About Azul's Zulu, I have the impression that the link you provided https://www.azul.com/downloads/zulu/ is for the commercial product, while https://zulu.org/download/?show=all is for the community product, the one I supposed is the free one. What link should we use if we want it $free and open source?

    ReplyDelete
    Replies
    1. With Oracle, the commercial JDK is a different download with a different license. Whereas with Azul, there is only one download and one JDK, but you can choose to pay for support. ie. the support is an optional choice you can make separate to downloading and using the JDK. Note that zulu.org now redirects to the main Azul website.

      Delete
    2. Thank you for the clarification

      Delete
  18. So, every OpenJDK builder forks OpenJDK source code to add their own improvements.
    And , I guess, these new repositories (forks) are open source, according to GPL + CPE license.
    So, every builder could apply patches from another builder to its own repository, right ?
    And , must every builder contribute to main OpenJDK repository , backporting patches/improvements ?

    ReplyDelete
    Replies
    1. There is no requirement for builders to contribute back to the main OpenJDK repository.

      Delete
    2. OK, thanks. So, from January 2019, if you want an patched Oracle JDK 8 build , you need a paid license. But Oracle must publish the source code of these patches, because Oracle JDK's source is derivated from OpenJDK 8. So, RedHat ( or someone ) could apply these patches to OpenJDK 8 source , available for every vendor/builder. Is this a real scenario ? What is going to be the behaviour of Oracle with OpenJDK 8 from next January 2019 ?

      Delete
    3. No, Oracle is the prime author and copyright holder they are not limited by the GPL. They have their own rights under a different license, so they do not have to publish their patches. For Red Hat and others to maintain the JDK, they will need to work on their own set of patches, independent of Oracle.

      Delete
  19. Hi Stephen,
    Thanks for the info. I'm not getting this specific part under **OpenJDK builds by Oracle**: *To continue using the OpenJDK build by Oracle with security patches, you would have to move to Java 12 within one month of it being released*. Am I obliged to do this by license terms or you mean just to receive patches? Thanks.

    ReplyDelete
    Replies
    1. The license does not force you to move - it is just that most companies don't want to run unpatched software in production.

      Delete
  20. Question,
    Will the Java 8 build on Open JDK be receiving the same security patches as the Oracle builds? We need to use Java Webstart for now.

    ReplyDelete
    Replies
    1. There is an expectation that there will be some divergence between Oracle JDK and OpenJDK once Oracle ceases to be the lead of the project, but there is also the expectation that the security patches will be kept close between the two.

      Delete
  21. How does project IcedTea fall into this?

    ReplyDelete
    Replies
    1. afaik IcedTea was created for setting up a build environment for the Sun JDK during the time where the Sun JDK was required to build the Open Source JDK. IcedTea-web is the open source implementation of the WebStart and Browser Plugin formerly known as netx and hosted at sourceforge. IcedTea-web is also the Linux implementation of WebStart.

      But I may be wrong with that and anybody knowing better should update this.

      Delete
  22. Seems like I am not able to find a compatible package with 7.u80 we are using right now on "Windows Server 2003 32bit" and "Windows Server 2008 64bit" in our production.
    the most they go back is Azul with their "zulu7.29.0.5-ca-jdk7.0.222-win_x64" which is only for 64bit machines and not for 32bit machines.
    Do guys happen to know a place I can get Free 7.u80 (or compatible) for PRODUCTION for both 32bit machines and 64bit machines?
    Thanks



    ReplyDelete
  23. For our organisation, it is the loss of Java Web Start which is likely to cause us headaches.
    Corretto has no such function and when I tried IcedTea, the web page steadfastly refused to try to launch the java applet.
    Any ideas for a JWS replacement?

    ReplyDelete
    Replies
    1. I successfully used IcedTea-web for our WebStart application. Maybe you should try to analyze the log, which I found in MS-Windows in %userprofile%\Appdata\ojdkbuild\java-1.8.0-openjdk-1.8.0.212-1.b04.ojdkbuild.windows.x86\webstart\javaws_last_log.txt

      As I understand https://icedtea.classpath.org/wiki/IcedTea-Web it is sometimes a little bit pickier than Oracle's WebStart.

      Delete
  24. Hello, thanks for the Informations. Do you know if AdoptOpenJDK is free for commercial use? And what about icedtea-web? If you know wit please post a link with the information. I would apreciate it so much. Thank you in advance.

    ReplyDelete
  25. great article, really informative

    ReplyDelete
  26. How can we migrate from Oracle's JDK to Oracle's OpenJDK? please tell me what will be process ?

    ReplyDelete
  27. I think the best option is to stick with the latest AdoptOpenJDK and for those intermediate releases with a feature rich changeset where quick adoption matters switch to oracle's OpenJdk and wait fo the next AdoptOpenJDK LTS.

    ReplyDelete

Please be aware that by commenting you provide consent to associate your selected profile with your comment. Long comments or those with excessive links may be deleted by Blogger (not me!). All spam will be deleted.