Waratek's Giannakidis: Removing Serialization from Java Is Not the End of the Story

Last month, Oracle's chief architect, Mark Reinhold, said during a conference Q&A that one of Oracle's long-term goals is to change the way Java handles object serialization. In fact, he called the decision to adopt the current serialization feature a "horrible mistake," and a virtually endless source of security vulnerabilities.

Java object serialization is the process of converting an object into a stream of bytes for transport and storage. Oracle is currently planning to develop a plugin mechanism that will allow developers to choose a serialization format, such as XML, JSON, or YAML. They'll also be able to choose the existing native serialization. Oracle says it is also developing a new, safe serialization format based on a new language feature called data classes, which is part of Project Amber.

Removing serialization is one of the goals of Project Amber, an OpenJDK project that aims to "explore and incubate smaller, productivity-oriented Java language features that have been accepted as candidate JEPs under the OpenJDK JEP process," the project page explains, including lambda leftovers, pattern matching, local-variable syntax for lambda parameters, switch expressions, and raw string literals. Announced last year, the project is being led by Oracle's rockstar Java architect Brian Goetz. He discusses his ideas around the possible direction of data classes in a blog post.

Apostolos Giannakidis, security analyst at Waratek, a Dublin-based app security tools provider with a special focus on Java, is one of my go-to Java security experts. He does work for a security products vendor, but his insights are always spot on. He shared his thoughts on these long-time-coming changes in a recent blog post, with the subtitle "Oracle has declared an end to Java's serialization approach, but that's not the end of the story."

"There is little doubt that serialization issues plague Java and that addressing the underlying causes will benefit the Java community," Giannakidis wrote. "But how long will it take to bring a new approach to the market, and will simply replacing the old serialization mechanism with a new approach end the issue?"

Among his concerns: removing the existing serialization mechanism will take at least a couple of years. "The current approach to serialization is two decades old and is the foundation of hundreds of Java SE components," he wrote. "Even when an alternative approach becomes available, Oracle will likely keep native serialization as an option just to maintain backwards compatibility for a few more years."

He also worries that enterprise middleware, servers, and higher-level protocols (such as RMI, JMX, JMS, etc.), which depend on Java's native serialization, are going to be very difficult to change. Software vendors might need years to switch to any alternative technology. And backwards compatibility will be a big issue.

"Even if all the above issues are resolved, deserialization vulnerabilities are not going away," he wrote. "Java's native serialization is not the only flawed serialization technology. XML and JSON deserialization vulnerabilities exist and are real threats to enterprises. In the recent months, attackers exploited these vulnerabilities (such as CVE-2017-9805) to infect with crypto-mining malware their targets."

Deserialization reverses the process when the data is received. It can also be used to reconstruct an object graph from a stream.

While Oracle gets its arms around its serialization-removal plan, legacy servers and applications will continue to be vulnerable, Giannakidis warned. "It is difficult now for most organizations to keep pace with Java updates," he wrote. "Oracle's co-CEO Mark Hurd recently acknowledged that Java users typically run months to years behind in patching. Upgrading versions or rewriting apps takes even longer, if practical."

He also warned that non-Java shops should be worried about deserialization issues, because Java isn't the only platform affected by them. .NET, Ruby, PHP, Python, and others are all subject to deserialization vulnerabilities.

Posted by John K. Waters on 06/11/2018 at 1:04 PM


Enterprise Java in the Blogosphere

So much has happened in the enterprise Java space over the past few months that it kind of boggles the mind. Fortunately, the rockstars, gurus and industry watchers have been busily sorting out the whats and wherefores of this epic transformation in the blogosphere. (You thought it was just me, right?) Seems like a good time to pass along a bit of that wisdom with some recommended reading.

Mike Milinkovich, executive director of the Eclipse Foundation, should definitely go first here, because his was the calm and experienced voice in the middle of the early dear-god-don't-call-it-EE4J storm. His writing on the Eclipse Foundation's "Life at Eclipse" blog provided the urgently needed clarity of facts as the process of moving Java EE from Oracle to his organization stirred a blinding cloud of rumors and fears. His blog was also often interactive, a place where the new regime reached out to the community for its opinions and concerns, at times literally surveying the people most directly affected by the changes. One of my fav posts: "On Complexity and Good Intentions." (Great title, too.)

Reza Rahman, long-time consultant, former Oracle Java developer evangelist and co-founder of the Java EE Guardians, is another must-read enterprise Java blogger in general, but he's doing something new that should get some extra attention: he's posting successful Jakarta EE adoption stories. His latest is from a young developer in the Czech Republic working on medical applications, who shares his experience with both Spring and Java EE applications. He also points to a long list of adoption stories curated on the Java EE Guardians Web site.

Mark Little, vice president, software engineering, at Red Hat, is another must-read blogger. On the subject of the open sourcing of Jakarta EE, he holds forth in a brief, but heartfelt post entitled "Jakarta EE is Officially Out," by which he meant "available." Red Hat has been among the leaders of this transition, and Little is often right out there at the forefront.

Tomitribe Founder and CEO David Blevins' post "Java EE to Jakarta EE" was another how-we-got-here-and-where-are-we-going piece about the rebranding. I reached out to Blevins early in this process, but he and his colleague elected to stay quiet until the ball was well and truly rolling. This post offers some insights into the renaming process early on, and makes the case for Jakarta EE. It's a done deal, I know, but it's good to see some of the thinking behind the changes.

I must mention another Tomitriber here: Richard Monson-Haefel, author, analyst, veteran Java developer, whose March 30 post, "I (heart icon) Jakarta EE" just made me feel good about the future of enterprise Java. It's the story of his journey from early enthusiast to disillusioned apostate and back again. Just a well-written story that got me interested in his other posts. It'll do the same for you. (I also loved "Jakarta EE Into the Fourth Epoch." The guy is a good writer.)

In February, Lightbend senior developer James Roper posted a rich piece on the company's Tech Hub blog site called "What can Reactive Streams offer Jakarta EE?" In it, he shares his ideas on this topic with lots of detail, starting with a high-level use case. (Lightbend, of course, is the company behind Scala.)

Nice post by IBM's Ian Robinson on the developerWorks blog: "Jakarta EE – The new home for enterprise Java." Big Blue has a real stake in the Java space, and those with a long memory will recall that it was the original home of the Eclipse Project, which it open sourced way back in 2001. Plus, you gotta love a blogger who quotes an obscure Queen lyric.

Ivar Grimstad posted a nice clarifying piece called "The Relationship Between Jakarta EE, EE4J and Java EE." Grimstad's posts are informative and to the point, and this one is no exception. This particular post was listed in the FAQ section of the Jakarta EE Web site at launch.

Software evangelist David Delabassee published a nice, short piece in April entitled "The Road to Jakarta EE" on Oracle's official Aquarium blog, in which he offers a little roadmap, acknowledges his colleagues' efforts and shares a few insider observations on the process of moving Java EE to Eclipse.

Finally, you don't get much more nuts-and-bolts than Java rockstar and consultant Adam Bien's blog. Code snippets, on-the-ground examples and advice, video clips and tons of links; it's just a blog you should be reading. (But you knew that.)

This is just a handful. I'm hoping you'll let me know which ones I should have included, but didn't. (In the comments section or on Twitter @johnkwaters.) This is going to be a long conversation, and I, for one, think the more voices we hear from, the better.

Posted by John K. Waters on 05/30/2018 at 11:02 AM


Future of Jakarta Is in the Cloud, Not with the JCP: One-on-One with Mike Milinkovich

The Eclipse Foundation today unveiled its game plan for Jakarta EE, published the results of a community survey on the future of that technology platform, and explained the open source governance model it will use to manage its development going forward.

It almost goes without saying that taking over the responsibility for the development of enterprise Java is an enormous undertaking. But I didn't realize until I spoke with the Foundation's executive director, Mike Milinkovich, that his organization would also be taking over the responsibilities of the Java Community Process (JCP), guiding and approving the Jakarta EE technical specifications going forward.

I talked with Milinkovich about these changes last week.

Specification approval is fresh territory for the Eclipse Foundation. How are you dealing with this new responsibility?
This is the first time the Eclipse Foundation has had to put together a specification process. We don't even know what we're going to call it yet. We do know that the new specification process is going to be different in many ways from the JCP's. The new versions of the JCP process have been open and transparent. However, the fact that the JCP was owned and operated by Oracle, and to participate you had to sign the Oracle contributor agreement and give the company joint ownership of your contributions were perceived as barriers to entry. Partners in industry, individual developers, and everybody in between no longer accept this as state of the art, in terms of how you move an important technology platform forward.

How will your approach be different?
What we are going to be striving for in this new spec process is openness and transparency, of course, but also to provide a level playing field, in terms of the intellectual property flows, and absolutely state-of-the-art best practices for developing specifications, with the expectations of open-source and commercial implementations resulting from those specs.

Just to be clear, the Eclipse Jakarta EE Working Group is where the new specification process is going to be managed entirely, and the JCP is out of the picture. Right?
Right. The JCP is going to continue to exist, of course, but it will be focused entirely on the Java language platform, the JDK, the JRE, that level of the Java technology. The Eclipse Foundation and its members and the Jakarta EE Working Group will define the future evolution of cloud-native Java.

"Cloud-native" is already something of a mantra for Jakarta EE, largely because of the survey results, but you guys were already thinking along these lines, weren't you?
Ultimately, what we are trying to do here is to take a technology that is approaching its 20th birthday and give it a whole new life. I have to say, when I talk to people, whether it's in person or through the mailing list, there is still an enormous amount of energy and passion in the Java EE community. If we can tap into that and give developers the tools they need on this platform to be successful in this new cloud-native, microservices-centric kind of world, they're going to love what's coming out of the Jakarta EE projects. This is an opportunity for this community to get a whole second generation of technology and momentum, and that's really what we are working very, very hard toward.

What happens to the millions of people who are still using Java EE?
People using older versions of Java EE will continue to get support. This is not the end of Java EE. Java EE 8 just shipped. The existing vendors -- Oracle, IBM, Red Hat, Tomitribe, and others -- are going to be supporting Java EE 8 and previous versions under the Java EE brand for many years to come.

How involved are the big vendors with this new process?
One of the things that's different about the way we set up this working group, which I think is very important, is that we have explicitly carved out a role here for enterprises that are the big adopters of the technology. The big vendors that are contributing lots of resources to this are going to be on the steering committee to help guide the project.

Why are you going after enterprise adopters?
What we really want here is to get the big consumers of this technology actively engaged with this community and its projects and its governance. Even beyond Jakarta, I believe that this is the next big wave in open source, to get the big consumers of the technology to move from being passive consumers to being actively involved with, and helping to sustain, the technologies that they rely on. That's something that we are going to be working on, very hard, over the next year, to get the message out to enterprises that, if you are relying on this tech, come join in and become part of this community. Don't just sit there and download the releases when they're done. Open source gives you the opportunity to be a much more active participant than the historical vendor/customer relationship.

You've said before that "Jakarta" isn't really a rebranding of Java EE. Could you explain that statement?
There was a lot of controversy around Oracle's refusal to allow the use of "Java EE," but the truth is, keeping that brand would have been a bad idea. The Java EE brand, I believe, is cemented in developers' minds to the on-premise, monolithic app server model. But Jakarta EE is about cloud-native and microservices. This is an opportunity for us to use that new name and new brand to bring new value to developers. There are developers out there who would probably never take the time to try a new version of Java EE. But there's a good chance that they'll take the time to try a new version of Jakarta EE. And I think that's a good opportunity for all of us.

What's the status of "EE4J"?
Everyone was calling Java EE at Eclipse EE4J for a while because we had to call it something during the transition. Now, "EE4J" is simply an Eclipse Foundation organizational artifact. It's not the name of the technology or its brand. It refers only to the top-level project that things like Eclipse Glassfish and Eclipse Jersey fall under. Those projects live under the management of the EE4J Project Management Committee.

Does the fact that Java EE, which is one of the world's most widely used technology platforms, found its way to open source say anything about the status of open source or the evolution of this kind of software?
I believe it's indicative of a trend. When you have a technology that has become an industry standard, as opposed to a company product, bringing it into an open-source organization like the Eclipse Foundation, the Apache Software Foundation, or the Linux Foundation is the best way to ensure that the entire ecosystem will trust your technology. It's what you must do if you want to inspire global adoption of your technology. This is an incredible endorsement of our respective institutions. And it's important that there is more than one, so people have a choice.

Jakarta EE is another example of that trend, and a pretty big one. If we get this right -- and we will -- it's going to be one of the most amazing technology journeys to watch in quite a few years. We are extremely optimistic that we are going to be able to bring this platform forward with the support of a passionate and engaged community. And it's going to be a lot of fun.

Posted by John K. Waters on 04/24/2018 at 11:18 AM


Waratek Patch for Java and .NET Demo at RSA

The annual RSA Conference gets under way next week in San Francisco, which means the Moscone Center will be packed with infosec mavens from "the frontlines of the cybersecurity landscape." (So cool.)

The speaker list includes Kirstjen Nielsen, Secretary of the Department of Homeland Security, Christopher D. Young, CEO at McAfee, and RSA President Rohit Ghai. And topping my list of presentations: "The Five Most Dangerous New Attack Techniques, and What's Coming Next."

Expect tons of vendor announcements at this year's show, of course. One that I'm looking forward to for Java jocks comes from Waratek, the Dublin-based app security tools provider with a special focus on Java. The company announced this week that it will demo its new Patch tool for Java and .NET applications (booth #4341 in the North Hall).

Waratek Patch applies virtual patches for long-term and newly discovered vulnerabilities. It's a lightweight agent designed to allow security and development teams to create and apply custom patches based on scanning tools. Regular updates from Oracle, Microsoft, Apache, and other software developers can also be instantly deployed, the company said in a statement, using functional-equivalent "virtual" patches that operate just like a physical binary without delay and the risk of breaking an application.

In its announcement, the company used recent examples to underscore why application security should be a front burner issue in every organization:

"Cybersecurity breaches in the month of April are stark reminders of the need for organizations to secure vulnerabilities in their networks. Under Armour, Panera Bread, Delta Air Lines, retailers Best Buy, Sears, Saks Fifth Avenue, Saks Off Fifth, and Lord & Taylor stores are among companies reporting successful cyberattacks resulting in the loss of valuable customer data. The scale of these security breaches highlights the importance of detecting software flaws and patching vulnerable software before attackers have the chance to take advantage of a flaw."

BTW: This year's RSA includes a new "on demand" feature for those who can't make it, physically, to the City by the Bay. Lots of conference content included here, including my fav: The Cryptographer's Panel.

Posted by John K. Waters on 04/11/2018 at 1:57 PM


What Does Jakarta EE Mean for the Future of the Java EE Guardians?

Now that Oracle has handed off the technology formerly known as Java Enterprise Edition to the Eclipse Foundation, and the resulting EE4J Project will be developing that technology rebranded as Jakarta EE, I can't help wondering what will become of the group of enterprise Java jocks that, arguably, made this transition happen.

It was two years ago last month that the Java EE Guardians formally announced themselves, though its founding members had been meeting quietly for months before that. The group led a very public push to get Oracle to attend to its duties as steward of enterprise Java. Its members assembled and published evidence to support their assertion that Java EE is critical technology that needed more attention from Oracle. They launched a Web site, published a letter to the execs at Redwood Shores, followed up with a petition demanding action, and just generally became a thorn in Big Red's side.

Oracle might have offloaded Java EE on its own, eventually, but you've got to give the Guardians credit for throwing a spotlight on this issue and keeping it in front of the Java community.

Not surprisingly, the Guardians, themselves, have been wondering about their role in this brave new world. In fact, they recently took a vote on whether to stay together, disband or become an EE4J project. They voted overwhelmingly to keep on keepin' on.

I recently grabbed a few minutes between planes with the peripatetic Reza Rahman, senior architect at CapTech Consulting and former Oracle evangelist, who has been something of a driving force behind the Guardians, to ask him about the future of the group. He affirmed his personal desire to keep the organization together.

"I believe there will continue to be a valuable role for the Guardians to play in the ecosystem," he said. "Indeed, I had the idea to form a body like the Guardians while I was still at Oracle, long before the trouble with Oracle commitments to Java EE even began. The work on both the independent grassroots evangelism and activism fronts have been long-standing gaps the Guardians can help fill going forward."

The decision to keep the Guardians together was clear, but what the group will be called has yet to be decided. In a recent vote, "Keep current name for now" edged "Rename to Jakarta EE Guardians" by one vote. (Rename to "JEE Guardians," "Java EE Evangelists" and "EE Guardians" came in a distant fourth, fifth and sixth, respectively.) The plan is to revisit the renaming question in a few months. Rahman says he has already secured "suitable domain names and Twitter handles."

"Honestly the renaming continues to be a hard pill to swallow for me personally," Rahman admitted in a discussion thread on the Guardians' Google Group site. "I've worked for so many years to advance the Java platform that the loss of the Java branding really feels like a tragedy. That's why not renaming or renaming to something ambiguous like JEE Guardians or EE Guardians continues to sound awfully good. [But] I really do think it's best to stand fully behind Jakarta EE and let a renaming reflect that support…."

How the Guardians will take part in the Java community in general and the Eclipse Foundation in particular is something the group is still working out. It appears that most members want to continue as an independent, grassroots Java EE advocacy organization. But for now, the membership has agreed to contribute to the Eclipse EE4J Project and the Eclipse MicroProfile Project as individuals, rather than as a group.

Meanwhile, Rahman said, the Guardians should avoid complacency, both in the long and short term. "Believe me I'd love to say Java EE is now out of the woods," he wrote, "but I just don't think that's true."

For example, the new standardization process for enterprise Java is still being worked out, he wrote, and the group should monitor the following:

  • When will the transfer process to Eclipse actually finish?
  • How open and effective are things actually going to be under this new standardization process?
  • What does the roadmap for Jakarta EE in the next few years actually look like?
  • How do we make sure this roadmap is what the community and industry actually wants vs. what vendors want?
  • How do we know how well-funded this new technology will be? Are we so sure we won't slide right back to the lack of investment situation we ran into with Oracle? (While it is nice to think the community will pick up the pieces if vendors drop the ball, we all know reality in a competitive industry is not so simple.)
  • How will EE4J and MicroProfile be aligned?

The Guardians are also in a unique position to do the following:

  • Make sure vendors are implementing Java EE 8, MicroProfile and Jakarta EE in a timely fashion. We can do this by actively tracking progress and regularly publishing our findings.
  • Hold vendors to higher implementation standards by routinely trying things out and publishing our findings. I think we should even compare implementations just like RebelLabs did.
  • Make sure Java EE is well supported by tools, on the cloud, etc., by routinely trying things out and publishing our findings. Again, we could do comparisons here to keep vendors honest.
  • When customers and users run into trouble with vendors, they should know they can come to us as a last resort and we will advocate collectively on their behalf.
  • We all know the next bit of anti-Java EE FUD is right around the corner from the usual suspects. When this happens, we will need to act quickly and effectively as a collective.

"None of this is easy or pleasant but all of this is important to make sure Java EE remains relevant or competitive," Rahman wrote. "The only people who can really effectively and credibly do this is us."

Rahman said he is also expecting the organization's leadership to expand in the new world of Eclipse Jakarta EE. "I have, perhaps, been more of a central figure than I'd originally planned to be," he said. "And I know there are Guardians who are interested in stepping up with time and energy for this important work. This is something I welcome and expect to see in the near future."

Posted by John K. Waters on 04/11/2018 at 12:50 PM


Java in 2018: The Year of Eclipse, Containers and Serverlessness

The coming year is going to be an interesting one for Java pros. Java EE is now an Eclipse project. Oracle has accelerated the release cadence of Java SE. And modularization, via the Java Platform Module System, better known as Jigsaw, has finally arrived.

John Duimovich, IBM Distinguished Engineer and Java CTO, has been watching the evolving Java ecosystem for more than 20 years. He recently shared some of his expectations about the future of Java in this new environment.

2018 will be the year of Eclipse
With key projects like EE4J and MicroProfile now under its stewardship, the Eclipse Foundation will become even more important in 2018. Look for accelerated innovation as the open community becomes more involved in these and other Java-related projects. Developers will want to keep an eye on the Eclipse Foundation next year.

Convergence with containers will accelerate
As part of the broader effort to simplify development and management, containers and runtimes like Java will become more tightly coupled. They’ll be optimized together to enable seamless management and configuration of Java applications. Consistent memory management and easier wiring between Java constructs and containers will take hold so developers can leverage the benefits of containers and Java runtimes, which are essentially another form of containers.

Kotlin will become the next hot language
Kotlin is poised to become a major force in the programming world. Kotlin’s concise coding syntax and interoperability with Java have already made it popular for many developers. Now, it has first-class support on Android, which is bound to boost its use for mobile. Look for it to gain even more ground in 2018.

New release model will drive faster innovation
Developers rejoice. The new six-month release interval for Java will mean more frequent changes and faster introduction of features. Look for enterprising Java shops to take advantage of these features and use Java to solve new problems and enter new areas. Large organizations will likely wait for the support of the long-term releases, but they’ll now have a clearer roadmap. Community support also has the potential to rally around popular changes in interim releases.

Serverless will begin a major reshaping of Java
Demand is growing for serverless platforms – initially driven as a consumption model but now expanding from simple, event programming models to composite flow-based systems. This innovation will continue as cloud developers want to shift their focus on the application, and not worry about servers. This means Java runtimes will need to be optimized and re-architected for a serverless world where fast start-ups and smaller footprints matter even more.

Posted by John K. Waters on 02/14/2018 at 9:53 AM


Open Source Initiative Turns 20

The Open Source Initiative (OSI) will celebrate its 20th anniversary on Friday, Feb. 2, and the global non-profit organization dedicated to raising awareness and adoption of open source software is gonna par-tay. By which I mean, the OSI has scheduled activities around the world this year to commemorate the event. (I'm hoping there will be snacks.)

Current plans include celebrations coordinated with the leading open source conferences, as well as stand-alone community-led events, the organization announced this week. As of this writing, those events include: All Things Open, Campus Party Brasil, FOSDEM, FOSSASIA Summit, Linux.conf.au, LinuxFest Northwest, Open Apereo, Open Camps, OSCON, Paris Open Source Summit and SCALE16x. In addition to official events, the OSI is also supporting volunteer organizers who want to host local, community-led celebrations in their own cities.

The organization is also inviting members of the open source community to share their stories. They're looking for personal anecdotes that "highlight the significant accomplishments and contributions that have made open source software a valued asset and community for your organization." Some are already posted. The OSI's anniversary Web site will also provide an opportunity for supporters to share events, videos, interviews, articles, timelines, and social media.

Also, as part of the celebration, the OSI is launching OpenSource.Net, which will serve both as a community of practice and a mentorship program. "The goal is to further promote adoption of open source software over the next twenty years as issues shift from open source's viability/value to issues around implementation and authentic participation," the Web site reads.

I received an e-mail from the OSI about this anniversary this week, and along with it, a little history lesson. I learned, for example, that the term "open source software" was coined at a strategy session held on Feb. 3, 1998, in Palo Alto, California. I looked around the Web and found several references to this moment in history, so it might very well be true. The OSI was founded "as a general educational and advocacy organization to raise awareness and adoption for the superiority of an open development process" that same month, the OSI stated. Shortly thereafter, the group set about drafting the Open Source Definition (OSD), which is considered by many a gold standard of open source licensing.

It's easy to forget that there were powerful forces arrayed against the open source movement back in the day. The OSI's initial mission was to counter "fear, uncertainty, and doubt" (FUD) generated by the shrink-wrap absolutists. But what started with Linux, Sendmail, Perl, Python, and Apache, and eventually, Java, has now won the imprimatur of, well, just about everybody. I was among the startled reporters who watched as Microsoft's then newish CEO, Satya Nadella, declared "Microsoft loves Linux!"

So let me say, happy birthday OSI. Save me a piece of cake.

Posted by John K. Waters on 01/30/2018 at 4:11 PM


Azul Steers Clear of 'Support Cliffs' Caused by Faster Java Releases

Azul Systems unveiled a new support roadmap for users of Zulu Enterprise, the commercially supported edition of its flagship Java runtime. The roadmap lays out the company's plan to cope with what it calls "support cliffs" that will be created in the ramp up to Oracle's new faster release cadence for the Java SE Platform and OpenJDK.

Oracle's new, faster release schedule provides for a feature release every six months, update releases every quarter, and a long-term support (LTS) release every three years.

The accelerated cadence was greeted by the Java community largely as a positive development. But Scott Sellers, Azul Systems president and CEO, points out that, in the short run, the process of implementing this new schedule will leave two versions of Java without long-term support. If the next LTS release after Java 8 is going to be Java 11, Java 9 and Java 10 are effectively skipped. Java 11 is expected in September of this year on the new schedule. The next LTS version after that -- three years later -- will be Java 17, which gets released in September 2021.

"You almost need a decoder ring for all this," Sellers said.

Oracle has said that it will provide public updates for only six months after a given release has been made available. "What that means is, for a version like Java 8, which has been in the market for a long time and is by far the most widely used version of Java, come September 2018, public updates will cease," Sellers said. "We call this a 'support cliff.' After that date, you either have to use an immature new release like Java 11 or continue using a version that will have more and more vulnerabilities that won't get a security update."

Azul plans to keep its customers from being driven off "support cliffs" by aligning Zulu Enterprise releases with Oracle's and OpenJDK's scheduled GA for all releases of Java SE, while also providing overlapping support coverage from one release to the next. The Zulu Enterprise LTS release will include bug fixes and security updates for a period of at least eight years from the GA date. The company is also offering Medium-Term Support (MTS) for certain Java releases, which enables practical use in production deployments of the new capabilities available in feature releases without having to wait for the next LTS release. The company will designate one MTS release per year in the years between LTS releases, and provide support, bug fixes, and security updates for 18 months past the GA date of the following LTS release. And there's also a Short-Term Support (STS) option for the remaining Java SE feature releases. STS support allows users the earliest access to new Java features with support and updates designed to allow a smooth transition to a newer JDK release.

"None of this is not a knock on Oracle, by any means," Sellers said. "There's no doubt that the faster release cadence is good for Java. And there's also no doubt that maintaining backwards compatibility is a challenging thing that can limit the ability to evolve the platform on a rapid schedule. But the decision to break compatibility at will, from release to release, creates challenges for users."

Zulu is free to download, use, and redistribute from the Zulu Community Web site. Azul provides support via Zulu Enterprise, a Java platform based on OpenJDK. The company also offers Zulu Embedded, a build of OpenJDK aimed at Java developers in the embedded systems and Internet of Things (IoT) space. Both editions are 100 percent open source.

Sunnyvale, Calif.-based Azul bills itself as the only vendor focused exclusively on Java and the Java Virtual Machine (JVM). The company's Zing JVM is based on Oracle's HotSpot, a core component of Java SE. It's a "no-pause" JVM designed to eliminate Garbage Collection (GC) pauses, a long-standing challenge for Java developers. This pauselessness, which Azul calls "generational pauseless garbage collection" (GPGC), enables Java app instances to scale dynamically and reliably. Sellers has called GC "the Achilles heel of Java."

Posted by John K. Waters on 01/30/2018 at 3:14 PM


Java in 2018: Eclipse Rises, Containers Converge, Kotlin Heats Up, More

The predictions just keep coming! Honestly, I haven't seen this many tech-savvy industry watchers and execs ready to weigh in with their expectations for the coming year ... well ... ever. I think it speaks to the times we live in that so many of us seem to be focused on the future.

Among those execs is John Duimovich, Java CTO and Distinguished Engineer at IBM (and perennial attendee fav JavaOne keynoter and session leader). Duimovich has been working with Java for all of its 20 years, and he shared his predictions for the language and platform in the coming year via e-mail. Thought I'd pass them along.

Prediction 1: 2018 will be the year of Eclipse
With key projects like EE4J and MicroProfile now under its stewardship, the Eclipse Foundation will become even more important in 2018. Look for accelerated innovation as the open community becomes more involved in these and other Java-related projects. Developers will want to keep an eye on the Eclipse Foundation next year.

Prediction 2: Convergence with containers will accelerate
As part of the broader effort to simplify development and management, containers and runtimes like Java will become more tightly coupled. They'll be optimized together to enable seamless management and configuration of Java applications. Consistent memory management and easier wiring between Java constructs and containers will take hold so developers can leverage the benefits of containers and Java runtimes, which are essentially another form of containers.

Prediction 3: Kotlin will become the next hot language
Kotlin is poised to become a major force in the programming world. Kotlin's concise coding syntax and interoperability with Java have already made it popular for many developers. Now, it has first-class support on Android, which is bound to boost its use for mobile. Look for it to gain even more ground in 2018.

Prediction 4: New release model will drive faster innovation
Developers rejoice. The new six-month release interval for Java will mean more frequent changes and faster introduction of features. Look for enterprising Java shops to take advantage of these features and use Java to solve new problems and enter new areas. Large organizations will likely wait for the support of the long-term releases, but they'll now have a clearer roadmap. Community support also has the potential to rally around popular changes in interim releases.

Prediction 5: Serverless will begin a major reshaping of Java
Demand is growing for serverless platforms -- initially driven as a consumption model but now expanding from simple, event programming models to composite flow-based systems. This innovation will continue as cloud developers want to shift their focus to the application, and not worry about servers. This means Java runtimes will need to be optimized and re-architected for a serverless world where fast start-ups and smaller footprints matter even more.

Posted by John K. Waters on 01/16/2018 at 12:21 PM

