Following months of concerns over the security of the Java platform, Oracle have finally acted, by introducing a new Java Development Kit (JDK) numbering scheme for future patches.
Currently, security fixing Critical Patch Updates (CPUs) only arrive every three months, to suit the needs of enterprise administrators, while Limited Updates add new functionality and non-security updates. However, with vulnerabilities and emergency patches becoming ever more frequent, Oracle’s hand has been forced to change the structure.
As announced in a company bulletin last Tuesday, the company explained the type of releases wouldn’t change but their frequency and numbering would.
From now on, Limited Update releases will be numbered in multiples of 20, while CPUs will be in multiples of 5 following on from the prior Limited Update, adding one when it falls on an even number.
Therefore, the upcoming schedule for JDK 7 is as follows:7u40 then 7u45, 7u51, 7u55.
The cycle after that will be Limited Update 7u60, succeeded by CPUs 7u65, 7u71 and 7u75.
Oracle say the new strategy allows them to insert security patches when necessary, without having a knock-on effect later in the order. The solution also retains backward compatibility with legacy systems.
Java’s steward admitted that the solution was a “compromise” with “a more elegant” option of “changing the version format of the JDK to accommodate multiple types of releases” impossible until a future major release comes along. It would be a seismic shift which would cause incompatibilities and would also need adequate time for developers to adjust.
While some might be confused by this approach or say that it doesn’t go far enough, it’s the only option left on the table for Oracle. Continuing to endure the negative press and the wrath of the community as more security vulnerabilities are found isn’t ideal, but neither is more upheaval than necessary just at the moment. With Java 8 falling foul of security issues last month, it’s now or never.