Page tree
Skip to end of metadata
Go to start of metadata

This document describes the Shibboleth project's policy with regard to the many different available distributions of the Java Development Kit used to develop and deploy the project's Java products.

The audience for this document is the project itself; its purpose is to specify the level of testing given to each distribution during the development and release of new versions of the products, and to indicate the level of support provided to deployers relying on each distribution.

Deployers will find that the Requirements section of the documentation for each product will be more suitable to their needs than this document, which inlcudes many technical details relevant only to developers.

Each version of the Java SE Development Kit (JDK) required to build or run Java software from the Shibboleth Project is available from several distribution sources. Different distributions of the same JDK may be licensed under different terms, may be built from different source trees, or may incorporate patches specific to that distribution. This document serves to collate information about different JDK distributions, and to indicate how each is treated by the Shibboleth Project.

For a given Product Platform, one distribution is designated as the primary distribution and is used by the Shibboleth Project as its reference:

  • The primary distribution will be used for building product artifacts.
  • The primary distribution is the basis for most of the continuous integration testing we perform (e.g., the standard, -nightly  and -site  jobs in Jenkins).

Specific distributions are fully supported for use with the software. This means:

  • The community may report bugs with the expectation that we can attempt to reproduce and investigate problems related to this distribution.
  • Members of the Shibboleth Consortium may request technical support  related to this distribution.
  • Each such distribution will also be tested as part of the Jenkins -multi  jobs. For distributions provided by operating system vendors, this regular testing may be userspace-only (e.g., within a container) if the project does not maintain a permanent machine or VM running that specific operating system.
  • The project will maintain the ability to replicate the complete environment, including operating system at the VM level, for debugging purposes.

Additional distributions may be partially supported for use with the software. This means:

  • The community may file bugs but may commonly be expected to reproduce unusual or esoteric problems on a fully supported distribution before further investigation takes place.
  • Members of the Shibboleth Consortium may request technical support related to this distribution.
  • Such distributions may be tested as above but possibly with reduced regularity or completeness.
  • The project may have lesser ongoing ability to replicate the complete environment but will do so when necessary to support Consortium members reporting issues.

Further distributions will be tested at the project's discretion as part of the Jenkins -multi  jobs. The purpose of this testing is to make the project aware of potential incompatibilities in advance of any requirement to address them.

The following specific distributions, and any others not covered above, are neither tested nor supported:

  • Any distribution of Java 9 or Java 10
  • Any distribution of the Java JRE (as opposed to the JDK)

When not specified:

  • Reference to a specific version of a Java distribution should be taken to refer to the most recent generally available release. For example, a reference to Java 11 at the time of writing refers to 11.0.3; previous versions (11, 11.0.1, 11.0.2) are not tested and not supported.
  • Reference to a specific version of an operating system should be taken to refer to the most recent generally available release.
  • Reference to a generic operating system ("Linux", "Windows") should be taken to mean that we will test under a specific version of the operating system (currently CentOS 7 for Linux, Windows Server 2016) but believe that such testing will be representative of similar systems as long as they are reasonably recent. "Linux", for example, would cover any reasonably recent operating system distribution incorporating a Linux kernel, but not FreeBSD.
  • Only 64-bit variants of the JDK are covered.
  • Only 64-bit Intel architecture variants (amd64, also known as x86_64) of operating systems are covered.

Java Distributions for the Java 11 Platform

The Java 11 Platform is used by:

  • Identity Provider v4.x
  • OpenSAML v4.x.
  • Metadata Aggregator v0.10 and v1.0.

The primary distribution for this platform is Amazon Corretto 11 for Linux.

The following distributions are fully supported:

  • Amazon Corretto 11 for Linux
  • Amazon Corretto 11 for Windows
  • Red Hat's OpenJDK 11 for Linux as supplied under Red Hat Enterprise Linux 7

The following distributions are partially supported:

  • Debian's OpenJDK 11 as supplied under Debian 10 "buster"

We will also test the following, although they are not supported:

  • Oracle Java SE 11 (LTS) for Linux (from the Oracle Technology Network)
  • Oracle Java SE 11 (LTS) for Windows (from the Oracle Technology Network)
  • All versions of Oracle Java for Linux with versions > 11 currently available from the Oracle Technology Network (currently: 12)
  • All versions of Oracle Java for Windows with versions > 11 currently available from the Oracle Technology Network (currently: 12)
  • Any Oracle OpenJDK builds currently available from jdk.java.net which are in the early access "Rampdown Phase One" phase or later. Note that we will not necessarily always test the most recent release of these builds, given the high frequency of release. (currently: 13)

Java Distributions for the Java 7 Platform

The Java 7 Platform is used by:

  • Identity Provider v3.x
  • OpenSAML v3.x
  • Metadata Aggregator v0.9.x
  • Java XML Security Tool v2.x 

The primary distribution for this platform is Oracle Java 7 for Linux (from Java SE 7 Archive Downloads).

The following distributions are fully supported:

  • Amazon Corretto 8 for Linux
  • Amazon Corretto 8 for Windows
  • Amazon Corretto 11 for Linux
  • Amazon Corretto 11 for Windows
  • Oracle Java 8 for Linux (from the Oracle Technology Network)
  • Oracle Java 8 for Windows (from the Oracle Technology Network)
  • Red Hat's OpenJDK 8 for Linux as supplied under Red Hat Enterprise Linux 7
  • Red Hat's OpenJDK 11 for Linux as supplied under Red Hat Enterprise Linux 7

The following distributions are partially supported:

  • Debian's OpenJDK 8 as supplied under Debian 9 "stretch"
  • Debian's OpenJDK 11 as supplied under Debian 10 "buster"

We will also test the following, although they are not supported:

Rationale by Distribution

This section discusses each distribution so as to give a brief rationale for its level of support.

Oracle JDK

We have historically recommended the use of Oracle's "standard" JDK on all platforms. Prior to Java 8, one reason for this was that some deployers have had problems with the OpenJDK implementations shipped by various vendors, including memory leaks.

Since that time, however, two important changes mean that we no longer take this position:

  • A licensing change means that although Oracle's JDK releases are still available for free use by developers, they are no longer free for production use.
  • The Oracle JDK and OpenJDK code bases have come much closer together, such that we no longer anticipate large functional differences between the two.

As a result, we no longer anticipate that the majority of our deployers will go to production using Oracle's product, and it therefore makes less sense for us to regard it as the "canonical" version of Java in production. At least for our customers, that is now more likely to be some flavour of OpenJDK. 

Oracle OpenJDK

Oracle produces OpenJDK builds through the early development phases of each new version of Java. As these provide the best available indication of the contents of the new version, we test these builds as part of our long term support of the evolution of Java, but we do not support these builds for production use.

Note that Oracle OpenJDK builds only exist during the early access stage of a new release to around six months after general availability. After this time, Oracle ceases OpenJDK builds and the previous ones are no longer available.

Amazon Corretto

Amazon Corretto provides builds of both OpenJDK 8 and OpenJDK 11 for our two most important deployment platforms (Linux and Windows) in both "real installer" and "tarball" packages. This makes it a good distribution for us to recommend to our deployers. In addition, they provide similar builds for macOS, which is important to several of us as developers.

The Corretto documentation provides information about the specific patches applied by Amazon to the upstream generic OpenJDK release, which provides a reassuring level of transparency.

There is no cost to use Amazon Corretto in production. It is used internally by Amazon for its own services.

We have selected Corretto as the current best all-round Java distribution for our own use, and for our deployers.

Red Hat OpenJDK

Red Hat have a critical role in the JDK updates projects for both Java 8 and Java 11. They provide only two OpenJDK builds themselves, however: for Red Hat Linux, and for Windows.

We anticipate that Red Hat's "vendor" OpenJDK (both OpenJDK 8 and OpenJDK 11) for their own Red Hat Enterprise Linux will be used by many of our deployers simply because of the convenience factor. We therefore support the use of Red Hat's OpenJDK release in this context.

We do not support Red Hat's OpenJDK releases for Windows at this time, and we do not test against it. 

Debian OpenJDK

The previous stable version of Debian (Debian 9, also known as "stretch") ships a vendor-supplied OpenJDK 8 only. This is partially supported for the Java 7 platform and IdP v3, but is obviously ineligible for any support for the Java 11 platform and IdP v4.

Note, however, that Amazon Corretto 11 is fully supported under Linux generically and is available in .deb  packaging. It may therefore be suitable for deployers using Debian 9 but we do not test this specific combination.

The current stable version of Debian (Debian 10, also known as "buster") ships a vendor-supplied OpenJDK 11 only.This is partially supported for both the Java 11 platform and IdP v4, and for the Java 7 platform and IdP v3.

AdoptOpenJDK

AdoptOpenJDK provides automated OpenJDK builds for a wide variety of target architectures and operating systems, and with a choice of JVMs (HotSpot or OpenJ9).

We think AdoptOpenJDK is a good (and sometimes the only) source of OpenJDK for niche environments, but we do not currently support or test AdoptOpenJDK builds.

GraalVM

GraalVM is an emerging alternative Java VM which shows promise particularly for mixed-language environments. It is currently only available for Java 8, although Java 11 support is planned.

Note that GraalVM also includes a different JavaScript engine than was shipped with Java 8 or Java 11.

We do not test against GraalVM, and we do not support it for production use.


  • No labels