What to look for in an OpenJDK Distro
Do you really need OpenJDK support? It can be tricky, and even dangerous in the case of enterprise use. When it comes to OpenJDK builds, there are several different options you can turn towards. Find out how much it will cost you, what versions of Java and security fixes are provided, what operating systems are supported, and more facts.
Java turns a ripe-old 25 in March of this year, and a look at the activity around Java in the last year alone further proves why the programming language continues to stand the test of time. A great deal of that activity has been with advancements in OpenJDK, which should spur organizations making use of Java to take a hard look at their Java roadmaps, providers and resources.
One of the biggest moments for OpenJDK came by way of Oracle: Effective January 31, 2019, the vendor ended free public updates to its proprietary OpenJDK distribution for commercial users that are not Oracle customers. What that means in practice is that commercial users can no longer get updates for Oracle JDK without an Oracle support contract. Oracle also changed the Oracle JDK license (BCPL) so that commercial use for JDK 11 and beyond will require an Oracle subscription.
Fortunately, there are many options available when it comes to OpenJDK builds. Red Hat, for example, recently took over stewardship of OpenJDK 8 and OpenJDK 11 update releases, which are the foundation for the long-term support releases of Java. Red Hat has pledged that it will work with the community to enable continued innovation in Java.
Of course, this is not Red Hat’s first experience with OpenJDK. Red Hat’s history with OpenJDK dates back to 2007, when the company became the first major software vendor to contribute to the OpenJDK community. Red Hat is also a member of the OpenJDK Governing Board, and is the largest contributor to the OpenJDK project after Oracle. In addition to providing support for OpenJDK across a range of Red Hat Enterprise Linux versions, Red Hat has consistently provided lifecycle support for its OpenJDK distributions.
This level of support is key to the use of any open source platform in the enterprise space. Indeed, the question of support should be front and center when it comes to determining which OpenJDK build is right for your organization. Here are some things to consider for any organization considering a new OpenJDK build–but especially for those that want or need to migrate from Oracle JDK in light of recent developments.
Do I really need support?
Of course, it’s possible to run OpenJDK without support, but, especially for enterprise use, that can be risky. There are numerous cases where critical OpenJDK vulnerabilities and security flaws were not fixed—or even identified–until damage to both IT infrastructure and reputation had been done. This is not to say that open source software is inherently insecure. Rather, it’s acknowledging that keeping up with the complexities of open source stacks can go beyond the resources that most organizations can dedicate–or, for that matter, want to dedicate—to management and security updates. For example, all Red Hat distributions of OpenJDK are supported for development and production for all Java workloads. This enables companies to more confidently (and reliably and securely) develop, test and deploy applications.
What additional utilities and features have been added?
Some OpenJDK builds are bare-bones, while others provide access to useful tools and middleware. Organizations should determine what “extras” an OpenJDK provides and whether those “extras” will be useful to your organization.
How much will it cost?
It’s important to know how much you will pay to use an OpenJDK build throughout the development lifecycle and what you are getting for your “money.” The Red Hat distro of OpenJDK, for example, is free with RHEL or Middleware (RHEL or Windows). Red Hat also offers long-term support and frequent updates. Some commercial versions of OpenJDK, in contrast, are free for development, but will charge for use in production. The price you pay for a commercial version likely includes full support, which will be especially important to enterprises, but it’s important to figure out the value of that support (and any other features provided) to your particular organization vs. what you can get for less.
What versions of Java does the build work with?
Some OpenJDK builds require that you move to the newest version of Java, while others support older versions of Java for longer periods of time. Be sure to research what makes sense for your enterprise.
How quickly—and for what versions of Java—are security fixes provided?
This is one of the most important considerations when going with an OpenJDK build that includes support. It’s one thing to provide security fixes; it’s quite another to provide them in a comprehensive and timely manner.
What operating systems are supported?
It’s important to determine whether the build supports all of the operating systems in use at the organization and by the organization’s partners and customers.
Will migration tools be necessary? Are they included? When moving from an OpenJDK build that makes use of proprietary extensions, are there tools available for identifying and modifying applications developed with the build? For example, if you were using Oracle JDK you might have applications that use proprietary fonts, encryption or extensions. Make sure that the OpenJDK build you move to provides tools and support that ease migration of those apps.
What platforms are you running on? For example, organizations running Red Hat OpenShift, Azure and/or AWS should consider whether and how the specific OpenJDK builds supported by the vendors of those platforms add value.
While Java is a known and trusted development quantity, the Java ecosystem can be confusing, especially when it comes to OpenJDK. With many organizations depending on Java for their core business-critical applications, recent–and future–changes must be carefully considered when determining the best way to make use of OpenJDK.