
> Oracle remains the only member of the OpenJDK community participating in the vulnerability pre-disclosure process.

I don't know if that's true. I know the vulnerability group [1] has members outside Oracle [2], but I know next to nothing about that process. I'm told that nobody gets any advantage on security issues.

> They are also not releasing source for JDKs after 6 months.

What do you mean "after 6 months"? There are no longer major versions. Comparing the update schedule for 7 (a major release) and for 11 (a feature release) makes no sense. JDK 11 is more similar to 7u2 or 7u4, which also got security patches for only six months.

All fixes go into the OpenJDK mainline. What Oracle engineers won't be doing much of is backporting the fixes to old versions, which, again, aren't major versions. They won't be backporting much to 8 (which is a major release) now that it's five years old, either, but that's the same as under the old model.

> Therefore, users of non-Oracle supported JDKs will be exposed to a zero day attack between the time of Oracle's CVE disclosure/patch release and the time that their OpenJDK distribution creates, tests, and releases a patch. I would love to see these communities thrive, but the reality is that Oracle is strangling them in the crib by taking control of the most important support functions.

You're talking about users who choose one of the two new release models, and pick the one that's been designed as a paid service. If you're concerned about that, you can pick the other new model, which is not only free but easier overall.

[1]: https://openjdk.java.net/groups/vulnerability/

[2]: https://openjdk.java.net/census#vulnerability
