Hi,
Since version 10, OpenJDK started to follow a new release cycle [1]. In
addition, specific vendors can publish a matrix for the support of Java version
on OS versions; for example OpenJDK on RHEL [2].
When looking at openjdk-8-jdk on Stretch [3], it is visible that
Stretch is receiving "security" updates on OpenJDK 8. However, it does not seem
to be the case for Buster [4].
Debian Java page [5] specifies the default Java package for a Debian version but
does not specify further security/patch updates.
Current pages on Debian policy on Java seem to be a bit outdated. [6], [7]
A relevant short discussion occurred at [8] about AdoptOpenJDK.
To summarize my questions:
- Is there a policy page or a discussion list that clarifies when/how a
security/patch update on OpenJDK is applied on a Debian (LTS) version?
- How a default version of OpenJDK is chosen for a Debian LTS version?
- Is there a document/page that explains how the current infrastructure for
building OpenJDK packages are on Debian? I understand that OpenJDK releases
binaries instead of source which makes it harder for OS distribution
packaging.
The main motivations that drive the above questions are trying build a base
image for production systems that have been using Java on Debian-based distros
and now need to look at Java alternatives with the new release cycle and support
policies.
Thanks in advance,
Behrooz