Oracle stopped providing free security updates to the widely-used Java 8 in January. Here's how to stay protected.
Oracle's stewardship of Java--which it acquired along with Sun Microsystems in 2010--has long been a point of contention among Java programmers and organizations deploying (or evaluating) Java in their environments. Despite Sun's open source-friendly stance, Oracle has been less than enthusiastic about continuing Java as a fully open-source solution, a problem amplified by changes in their licensing for OpenJDK.
The release cycle for Java, similarly, has changed under Oracle's stewardship. While typical programming languages such as C and C++ receive modest maintenance updates every few years, Java versions, as of Java 9, are incremented every six months, with Java 11 designated as the first long-term support (LTS) version of Java. The problem is, Java 8 is still the most widely used version of Java on desktops--doubtlessly due in part to Minecraft, though a variety of enterprise applications also rely on Java 8.
Despite that, Oracle stopped providing security updates to Java 8 in January 2019, in an attempt to force organizations into paid licensing agreements. Naturally, running out-of-date, insecure versions of Java is an exceptionally bad idea, presenting a conundrum to IT managers responsible for the deployment of Java applications: Either pay to maintain support for something that was once used for free, or--if even possible--attempt to move an application off of Java entirely.
There is a viable third option, however: Using a non-Oracle distribution of Java. Because Java is still fundamentally open source, any organization that wishes to ship its own patched version of OpenJDK can do so. Red Hat--which contributes to Java upstream, and ships a number of its own products built on Java--is doing just that.
Red Hat is taking the mantle of OpenJDK maintainer for versions 8 and 11, which will be supported until June 2023 and October 2024, respectively. New features are not expected for either version, as both are essentially in maintenance mode. As mentioned earlier, version 8 predates the six-month release cadence, and version 11 is an LTS version. Because of this, versions 9 and 10 will remain unsupported. Red Hat already maintains OpenJDK 7, and will continue to do so until June 2020.
Red Hat's OpenJDK is not just for RHEL, as the company is also providing Windows versions of OpenJDK. Updates are planned to be published on a quarterly basis. The company is also planning to ship IcedTea-Web, an open-source implementation of Java Web Start; Java Web Start itself remains a proprietary extension.
Oracle released Java 12 last month. TechRepublic's Nick Heath takes a deep dive into the new features in Java 12, with insight into how developers can benefit from them and into what is in store for the future of Java.