[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: sbt / scala and jdk 6 and 8

Am 12.02.19 um 23:14 schrieb Thomas Finneid:
> Is Scala and Sbt the only software that haven't migrated away from
> jdk-8? considering how much time and money the entire world has invested
> in jdk-8, I think its a bit early to remove it.
> (At work, 70 developers have spent the last half a year migrating our
> jdk 8 codebase to upgrade Spring, hibernate etc, so that we can migrate
> to java 11. We still havent started the first step (out of 4 steps) of
> java 11 migration. I expect that it will be autumn before we actually
> see any jdk-11 development. (We have about than 250 systems to migrate
> and half of the codebase is shared in business libraries))
> (From what I can see reagrding security updates in jdk, I seem to
> remember that its mostly in the security based classes, such as
> certificates and secure classloading, TLS and crypto stuff the bugfixes
> comes from)

Personally I would like to keep OpenJDK 8 as well but you also have to
keep the following points in mind:

We are all volunteers in Debian, the vast majority of people don't
receive any money for their work. Debian as a distribution has a
different point of view than a single developer or a company. When we
release Debian 10 in a few months users expect from us that all software
works at runtime, can be compiled from source out-of-the-box and
complies with the DFSG.

OpenJDK 8 will officially reach EOL status within the next two or three
years. If you ship two OpenJDKs in Debian, then users will assume that
both are supported for the lifecycle of a new release. Suddenly you have
to support many different use cases, an application shall work with
OpenJDK 11 and OpenJDK 8, everything must be compilable with both JDKs.
Remember the Java team alone maintains about 1000 source packages and
there are dozens if not hundreds of other software packages in Debian
written in Java. This gets even more complicated when you realize that
we ship only one version of a library, compiler or application since
security updates are handled by a different team of volunteers: Debian's
security team. They must be convinced to do the extra work too.

You can support such use cases but only if you have a dedicated team
that cares about all that long-term. This is much easier for a Java
company with employees that work full time on such problems, paid of

Attachment: signature.asc
Description: OpenPGP digital signature

Reply to: