A few month ago Java updated to its version Java 11 and – as a developer – I wrote the article: Will the End of Java be after version 11?
Weeks later, the scenario became a bit more optimistic and I published another post: Java 11 Makes its Comeback.
You won’t tell but the situation worsened!
It happens that Oracle updated, again, their terms of license. You can see a note in their website when you try to download Java, it says “The Oracle JDK License has changed for releases starting April 16, 2019.” And it redirects to the new license athttps://www.oracle.com/technetwork/java/javase/terms/license/javase-license.html.
You read it, and find that there is the same jargon as always but it doesn’t mention to any version. That’s the trick. Because it applies to all the versions released from April 16, 2019. So?
It affects Java 8. Anything above Java 1.8u202
From April 16, 2019 there has been the following Java releases:
- Java 8 Update 221 CPU, July 16, 2019
- Java 8 Update 211 CPU, April 16, 2019
- Java 8 Update 212 PSU (OTN), April 16, 2019
- Source: https://java.com/es/download/faq/release_dates.xml
What does those Java 8 fixes include?
Java 8u212 includes the following bugs:
- JDK-8215364: JavaFX crashes on Ubuntu 18.04 with Wayland while using Swing-FX interop
- JDK-8207070: Webstart app popup on wrong screen in a one-screen setup changing to multi-monitor
- JDK-8189926: [Mac] Pulse timer should pause when idle
- JDK-8210411: JavaFX crashes on Ubuntu 18.04 with Wayland
- JDK-8211280: JavaFX build fails on Linux with gcc8
- JDK-8213952: Relax DNSName restriction as per RFC 1123
Not very important? But the last one, that is classified as “security-libs/ java security”. We’ll need to dig that, the bug description says:
DNSName only accepts letters as the first character. RFC 1123 has relaxed that restriction:
RFC 1123, Section 2.1:
One aspect of host name syntax is hereby changed: the restriction on the first character is relaxed to allow either a letter or a digit. Host software MUST support this more liberal syntax
So nothing extremely dangerous, until you hit a DNS name that starts with a number. Most companies can live with that.
What about Java 8u221?
There are 55 bug fixes in Java 8u221!! Listing every single item of the list here wouldn’t be nice, let’s just see a summary:
- 16 for “client-libs” (1 for general, 5 for “2d” subsystem, 5 for “ava.awt” and 5 for “javax.swing”)
- 10 for “core-libs” (1 for “java.net”, 1 for “java.util.stream”, 8 for “java.util:i18n”)
- 4 for “hotspot” (1 for each “compiler”, “runtime”, “svc, svc-agent”)
- 2 for “install”
- 13 for “javafx” (2 for “build”, 2 for “graphics”, 3 for “media”, 1 for “other” and 1 for “samples”, 4 for “web”)
- 1 for “xml”
- And the scariest part: 9 for “security–libs”. At this point we won’t give an absolute recommendation but some companies may live with those (JDK-8151225, JDK-8222137, JDK-8223499, JDK-8222136, JDK-8181594, JDK-8203228, JDK-8201317, JDK-8208648, JDK-8204909 and JDK-8193830)
Ok, so we have all the bugs reviewed and we can live with them. But do you remember the famous spoon scene in Matrix? What is the real truth behind? The reality is that a day will come with a security bug that really can expose your organization. You have to be prepared.
What JDK options do we have:
How to prepare to the day with a nasty security bug? You can pay Oracle to use their fixed version, or you can find some other company/ source that cover your ass. Since our first article we have expanded the information about JDKs:
|Provider||Free Distribution||Extended Updates (LTS)||Commercial Support||URL|
|Alibaba Dragonwell8 JDK||Yes||Yes||No||https://github.com/alibaba/dragonwell8/|
|Amazon – Corretto||Yes||Yes||No||https://aws.amazon.com/es/corretto/|
* No all versions are LTS, Oracle decides under its own criteria which ones are LTS.
- Free Distribution: The software is public and available to download and use.
- Extended Updates Known as LTS (long-term support): Public Updates after the 6 month release cycle.
- Commercial Support: Some providers offer updates and support contracts, some with cost.
Should you find Oracle as the most suitable solution for you, Oracle has a public price listing.
To sum up
The landscape has changed again, with Java 8 affected the urge to have a secure Java distribution is a must. Or pay to continue with Oracle.
We would love to have the opinion of James Gosling but since he joined AWS it seems he is not commenting on Oracle move.