Monday, 3 September 2018

Time to look beyond Oracle's JDK

From Java 11 its time to think beyond Oracle's JDK. Time to appreciate the depth of the ecosystem built on OpenJDK. Here is a list of some key OpenJDK builds.

This is a quick follow up to my recent zero-cost Java post

OpenJDK builds

In practical terms, there is only one set of source code for the JDK. The source code is hosted in Mercurial at OpenJDK.

Anyone can take that source code, produce a build and publish it on a URL. But there is a distinct certification process that should be used to ensure the build is valid.

Certification is run by the Java Community Process, which provides a Technology Compatibility Kit (TCK, sometimes referred to as the JCK). If an organization produces an OpenJDK build that passes the TCK then that build can be described as "Java SE compatible".

Note that the build cannot be referred to as "Java SE" without the vendor getting a commercial license from Oracle. For example, builds from AdoptOpenJDK that pass the TCK are not "Java SE", but "Java SE compatible" or "compatible with the Java SE specification". Note also that certification is currently on a trust-basis - the results are not submitted to the JCP/Oracle for checking and cannot be made public. See Volker's excellent comment for more details.

To summarise, the OpenJDK + Vendor process turns one sourcebase into many different builds.

In the process of turning the OpenJDK sourcebase into a build, the vendor may, or may not, add some additional branding or utilities, provided these do not prevent certification. For example, a vendor cannot add a new public method to an API, or a new language feature.

Oracle JDK

http://www.oracle.com/technetwork/java/javase/downloads/

From Java 11 this is a branded commercial build with paid-for support. It can be downloaded and used without cost only for development use. It cannot be used in production without paying Oracle (so it is a bit of a trap for the unwary). Oracle intends to provide full paid support until 2026 or later (details). Note that unlike in the past, the Oracle JDK is not "better" than the OpenJDK build (provided both are at the same security patch level). See here for more details of the small differences between Oracle JDK and the OpenJDk build by Oracle.

OpenJDK builds by Oracle

http://jdk.java.net/

These are $free pure unbranded builds of OpenJDK under the GPL license with Classpath Extension (safe for use in companies). These builds are only available for the first 6 months of a release. For Java 11, the expectation is there will be Java 11.0.0, then two security patches 11.0.1 and 11.0.2. To continue using the OpenJDK build by Oracle with security patches, you would have to move to Java 12 within one month of it being released. (Note that the provision of security patches is not the same as support. Support involves paying someone to triage and act upon your bug reports.)

AdoptOpenJDK builds

https://adoptopenjdk.net/

These are $free pure unbranded builds of OpenJDK under the GPL license with Classpath Extension. Unlike the OpenJDK builds by Oracle, these builds will continue for a much longer period for major releases like Java 11. The Java 11 builds will continue for 4 years, one year after the next major release (details). AdoptOpenJDK is a community group. They will provide builds provided that other groups create and publish security patches in a source repository at OpenJDK. Both IBM and Red Hat have indicated that they intend to provide those security patches.

AdoptOpenJDK OpenJ9 builds

https://adoptopenjdk.net/

In addition to the standard OpenJDK builds, AdoptOpenJDK will also be providing builds with OpenJ9 instead of HotSpot. OpenJ9 was originally IBM's JVM, but OpenJ9 is now Open Source at Eclipse.

Red Hat OpenJDK builds

Red Hat provides builds of OpenJDK via Red Hat Enterprise Linux (RHEL) which is a commercial product with paid-for support (details). They are very good at providing security patches back to OpenJDK, and Red Hat has run the security updates project of Java 6 and 7. The Red Hat build is integrated better into the operating system, so it is not a pure OpenJDK build (although you wouldn't notice the difference).

Other Linux OpenJDK builds

Different Linux distros have different ways to access OpenJDK. Here are some links for common distros: Debian, Fedora, Arch, Ubuntu.

Azul Zulu

https://www.azul.com/downloads/zulu/

Zulu is a branded build of OpenJDK with commercial paid-for support. In addition, Azul provides some Zulu builds for $free as "Zulu Community", however there are no specific commitments as to the availability of those $free builds. Azul has an extensive plan for supporting Zulu commercially, including plans to support Java 9, 13 and 15, unlike any other vendor (details).

Amazon Corretto

https://aws.amazon.com/corretto/

In preview from 2018-11-14, this is a zero-cost build of OpenJDK with long-term support that passes the TCK. It is under the standard GPL+CE license of all OpenJDK builds. Amazon will be adding their own patches and running Corretto on AWS, so it will be very widely used. Java 8 support will be until at least June 2023.

IBM

IBM provides and supports a JDK for Java 8 and earlier. They also provide commercial paid-for support for the AdoptOpenJDK builds with OpenJ9.

SAP

https://sap.github.io/SapMachine/

SAP provides a JDK for Java 10 and later under the GPL+CE license. They also have a commercial closed-source JVM. I haven't found any information on support lifetimes.

Liberica

https://bell-sw.com/java.html

Liberica from Bellsoft is a $free TCK verified OpenJDK distribution for x86, ARM32 and ARM64. I haven't found any information on support lifetimes.

ojdkbuild project

https://github.com/ojdkbuild/ojdkbuild

A community project sponsored by Red Hat that produces OpenJDK builds. They are the basis of Red Hat's Windows builds. The project has no customer support but does intend to provide builds so long as Red Hat supports a Java version. No information is provided about the TCK.

Others

There are undoubtedly other builds of OpenJDK, both commercial and $free. Please contact me if you'd like me to consider adding another section.

Summary

There are many different builds of OpenJDK, the original upstream source repository. Each build offers its own unique take - $free or commercial, branded or unbranded.

Choice is great. But if you just want the "standard", currently my best advice is to use the OpenJDK builds by Oracle, AdoptOpenJDK builds or the one in your Operating System (Linux).

29 comments:

  1. > Other Linux OpenJDK builds

    How many of them actually run the TCK? I assume Fedora is the same as RHEL. But Debian?

    Red Hat obviously has some patches but "you wouldn't notice the difference"(tm). Are they documented somewhere? What about the other Linux builds, do they build just from the OpenJDK sources or do they have some patches as well?

    ReplyDelete
    Replies
    1. You can get the source rpm and pull them apart. Engineering tries to upstream all patches first, so having rhel specific patches is the exception rather the rule (at least from my perspective in the product security team).

      Delete
    2. > You can get the source rpm and pull them apart.

      So undocumented then?

      > so having rhel specific patches is the exception rather the rule

      This directly contradicts the statements made by Andrew Haley in the comment linked in the article

      https://blog.joda.org/2018/08/java-is-still-available-at-zero-cost.html?showComment=1535557540917#c3115313366548497

      Delete
  2. Thanks for sharing this information. You're doing an important thing for all of us here.

    ReplyDelete
  3. Hi Stephen,
    thanks for compiling this useful overview. However, it contains a tiny but crucial inaccuracy: you can NEVER call you OpenJDK build “Java SE” unless you buy a commercial license from Oracle which allows you to do so (“Java” and “Java SE” are a trademark registered by Oracle). All you can do if you fully pass a “certification” run with the TCK is to call your binary “Java (TM) SE XX compatible” or say that it passed the “Java (TM) SE XX TCK.
    Notice moreover that the TCK can be run in several “modes” of which the “certification” mode is by far the most extensive and expensive one. Unfortunately, neither are the users of the TCK for the OpenJDK (i.e. OCTLA signers http://openjdk.java.net/groups/conformance/JckAccess/jck-access.html) allowed to share their certification results with the public nor are they required to submit theses results to Oracle for checking. So claiming compatibility with a Java SE specification is currently a matter of trust.

    ReplyDelete
  4. A correction for your information. TCK stands for Technology Compatibility Kit rather than Testing Compatibility Kit.

    ReplyDelete
  5. In addition to RHEL, Red Hat also has OpenJDK builds for Windows: https://developers.redhat.com/products/openjdk/overview/

    ReplyDelete
  6. What about IntellIJ? They provide a very good range of OpenJDK builds for most popular patforms.

    ReplyDelete
  7. Thanks for the information. One naive question: Is there a way to get the tar/zip for Oracle OpenJDK? The site http://openjdk.java.net/ seem to point to a download of Oracle JDK and not Oracle OpenJDK.

    ReplyDelete
    Replies
    1. Thanks Stephen! Hope I am not missing anything here ..I downloaded JDK 8 from the above link and looked at License file and it redirected to http://java.com/license which points to Oracle BCL. Is that correct?

      Delete
    2. This article is about Java 11. For Java 8 there was no "OpenJDK build by Oracle".

      Delete
  8. Excellent Article. Thanks for sharing.

    ReplyDelete
  9. So, really, it all comes down to:
    * How often security patches are pushed back into the OpenJDK source (by anyone)
    * How often companies rebuild and release THEIR OpenJDK build

    By the sounds of it, best bet is:
    * Oracle OpenJDK if you think you CAN update through major versions easily
    * AdoptOpenJDK if you think you can't

    ReplyDelete
  10. I just want to tell that in order to avoid thinking about Oracle licencing issues, I switched to Zulu several days ago and deleted all Java. So far, Zulu works great without a glitch with may JavaEE apps (Hibernate+Maven+Sprint+Primefaces) and eclipse.

    ReplyDelete
  11. I think a very good reason for getting the Oracle JDK is that it actually invests back into an organization heavily contributing to the development effort. Especially now that the subscription fees are sane…

    ReplyDelete
  12. I just want to add:
    - https://github.com/ojdkbuild/ojdkbuild, used by docker for their windows container builds

    - https://bintray.com/jetbrains/intellij-jdk, only openjdk8, used by jetbrains for theirs intellij based ide, openjdk with font smoothing patch

    ReplyDelete
  13. Why is there no JDK 11 download on AdoptOpenJDK?
    Will it only be available after Oracle OpenJDK 11 (http://jdk.java.net/11/) ends its live cycle after 6 month? Or is it just not maintained at the time?

    ReplyDelete
    Replies
    1. It will take a few days to run the TCK and get it uploaded. Their aim is later this week, but bear in mind it is a volunteer-led project!

      Delete
    2. Was it same with RedHatOpenJDK too?

      Delete
  14. Liberica from Bellsoft is a $free TCK verified OpenJDK distributrion for x86, ARM32 and ARM64.
    https://bell-sw.com/java.html

    ReplyDelete
  15. One need only contemplate that as of 1-Oct-2018 http://java.com and a simple search of "Java Download" continues to push Java 8 to the masses. Oracle could have resolved their own house with a more open and unified rollout, and avoided the vast majority of confusion...if they had wanted to. Politics.

    ReplyDelete
  16. Just an observation : We did a quick look at the AdoptOpenJDK (both OpenJ9 and regular) for Java 8 and it looked like OpenJ9 did not support the AES extensions in the microprocessor. I don't think Java 9 did either.

    ReplyDelete
  17. About Azul's Zulu, I have the impression that the link you provided https://www.azul.com/downloads/zulu/ is for the commercial product, while https://zulu.org/download/?show=all is for the community product, the one I supposed is the free one. What link should we use if we want it $free and open source?

    ReplyDelete

Please be aware that by commenting you provide consent to associate your selected profile with your comment. Long comments or those with excessive links may be deleted by Blogger (not me!). All spam will be deleted.