OK, here goes. I'll look at writing this up for SO as well, because if
people from our community are confused by this stuff, we can bet
others are as well.
On Tue, May 1, 2012 at 7:57 AM, Adrian Woodhead <[address removed]> wrote:
> I got the information that Oracle won't be keeping OpenJDK as up to date as
> Oracle JDK from various discussions about the issue on the internet. For
> example, there is this topic on Stack Overflow:
> Where the (current) first answer says this, which sums up some of my problems
> with Oracle's way of doing things here:
> "We now have a combination of things that are making usage of Java really
> painful in open source server deployment
> Oracle JDK has updates (including security fixes) that no OpenJDK package
> has. This makes using anything other than Oracle JDK result in poorer
This is not true. Security fixes are always backported to OpenJDK.
They just enter the process at a slightly different place, because of
the need to treat security issues and patches separately from the
mainline of development. So, OpenJDK can lag behind Oracle JDK
very slightly, because the patch development and testing is not
happening on OpenJDK mainline, but this is an unfortunate artifact of
the process, not a goal.
The SO answer author has unfortunately misunderstood what "OpenJDK is
the reference implementation" means.
What it means: "There exists a specific tag in the OpenJDK version
control system which, when checked out and built, passes the TCK for
Java SE 7. This tag represents the source and binary code which is
deemed to be the reference implementation for SE 7."
What s/he heard: "OpenJDK got frozen when SE 7 shipped, and now lags
behind Oracle JDK."
The reality: "All Oracle engineers who are working on the JDK do so in
OpenJDK. Oracle takes branches from OpenJDK to prepare their
proprietary releases. OpenJDK is as up-to-date as it gets."
There are some *tiny* exceptions - some issues come in via non-public
routes (e.g. a customer of Oracle's has an issue that they're
sensitive about) - so some fixes may refer to bugs that aren't
publicly visible. If the bug is likely to affect anyone else, then the
Oracle folks usually sanitize and write up the general case in public,
and file patches against that. If the bug is of no likely interest to
anyone else and mostly trivial, then they may not bother. This is
otherwise known as "sane, uncontroversial, boring management of a
customer bug database".
The other *tiny* exception is the occasional security-related issue.
> Oracle JDK can no longer be packaged and distributed by third parties (e.g.
> Ubuntu). Now we have to install it by hand or script it, and maintain it, on
> all our serve"
Alternatively, you could migrate to OpenJDK for server-side deployment.
I don't really understand why you would run on a Debian-based OS,
which Oracle does not provide any support or testing for, and then
just expect a Debian package made of a carved-up proprietary JDK to be
a better bet than a built-for-Debian OpenJDK binary.
This is supposed to be F/OSS development - and if the Debian / Ubuntu
OpenJDK packages are lacking, then that's a separate conversation (and
one we'd very much like to see some movement on - please reach out to
us if this is an area you're having problems with, or if you have
contacts in the Debian pkg maintainer space).
If your concern is that there are no big sites following this
strategy, then, well, there are. Twitter are one. I know of a number
of others who are doing exactly this, but just aren't public about it.
If your concern is about reaching the required level of testing and
certainty before making a cutover like this, then, well, we're working
on it. Martijn and I are meeting with the CEO of a major vendor to
discuss exactly this issue. Please contact us offlist if you're
interested in this angle.
> There doesn't appear to be clarity regarding the flow of bug and security
> fixes into the Open JDK vs Oracle JDK.
This is partially deliberate. Parts of the process are deliberately
obfuscated. If security patches were clearly marked as such, then a
whole class of attacks becomes a lot easier. Oracle doubtless also have
legal constraints regarding this.
Security issues and patches are held in a separate bucket from the
mainline, and discussed on a closed mailing list. Access to all of
these things is highly restricted (to a subset of committers) but is
NOT limited to just Oracle employees.
Also, note that not all security patches are handled in this way.
For example, last year's hash attack was handled in public, because it
was presented that way (irresponsibly, if you ask me, but that's
Twitter and a couple of other folks stepped up magnificently and their
deployment model helped hugely in getting the issue fixed very quickly
indeed. Buy me a drink if you want to hear the rest of the story.