| 27 Mar 2025 |
 Tomodachi94 (they/them) | This is a very good question. I think we should, but only if support will end during the support period of 25.05 | 02:59:58 |
 msgilligan | Support on non-LTS ends as soon as a new non-LTS is released, so that pretty much means they all get dropped during the support period of 25.05. | 03:01:45 |
| msgilligan | So 24 is the newest non-LTS and it will go out of support in September | 03:02:47 |
| msgilligan | https://www.oracle.com/java/technologies/java-se-support-roadmap.html | 03:03:14 |
| msgilligan | (And there's a long lecture about there being no such thing as LTS OpenJDK, it depends upon each vendor, etc. But for practical purposes I'm pretty sure there is no Open Source OpenJDK release that supports non-LTS releases longer than Oracle) | 03:05:36 |
| msgilligan | So by this logic it should be:
25.05: 8, 11, 17, 21
25.11: 8, 11, 17, 21, 25 (unless people agree that 8 can be dropped) | 03:14:20 |
| msgilligan | For reference here's output from my SDKMAN! on macOS:
$ sdk list java | grep tem
Temurin | | 24 | tem | installed | 24-tem
| >>> | 23.0.2 | tem | installed | 23.0.2-tem
| | 22.0.2 | tem | local only | 22.0.2-tem
| | 21.0.6 | tem | installed | 21.0.6-tem
| | 17.0.14 | tem | installed | 17.0.14-tem
| | 11.0.26 | tem | installed | 11.0.26-tem
| 03:15:00 |
| msgilligan | They don't support 8. You can see that 22.02 is "local only" which means it has disappeared from their servers. And the 23 and 24 releases are currently available/active. | 03:16:50 |
| msgilligan | This is roughly the behavior I would like to see on unstable | 03:17:24 |
| msgilligan | 24.11 has jdk23 even though it is now unsupported | 03:19:50 |
 emily | it's sorta Oracle's own poor decision that they offer no overlap in support period | 03:22:22 |
| emily | even we manage a month | 03:22:27 |
| emily | I get the impression they essentially see non-LTS releases as previews rather than something production oriented | 03:22:54 |
| msgilligan | Here is Temurin's policy:
https://adoptium.net/en-GB/support/ | 03:24:00 |
| emily | I think most of the downstream builds have the same policy because it's essentially a matter of what commits Oracle will do | 03:25:22 |
| msgilligan | They use the word "Availability". There is a difference between "availability" and support. | 03:25:31 |
| msgilligan | For Nix, I would define availability as existing on master, but one could argue it is still available from an earlier hash. | 03:26:25 |
| emily | I don't think there really is. "End of Service/Support Life - this code stream is no longer being maintained. No further builds of Eclipse Temurin are planned." | 03:26:29 |
| msgilligan | * For Nix, I would define availability as existing on master or unstable, but one could argue it is still available from an earlier hash. | 03:26:44 |
| emily | ultimately, as soon as the next non-LTS is out, the next security advisory doesn't include patches for the previous one | 03:27:08 |
| msgilligan | Well, the question is whether the unsupported builds are available for download. | 03:27:13 |
| emily | that's the reality that Oracle decides and everyone else is constrained by | 03:27:21 |
| msgilligan | I'm happy to use an unsupported build for a month or two. | 03:27:32 |
| emily | would you be, if a critical severity CVE comes out days after it leaves support? | 03:28:10 |
| msgilligan | Well, yeah actually maintaining the JDK is a lot of work. But other vendors can do it and I think some of the big ones do for paid support. | 03:28:24 |
| emily | because you can look at the stream of advisories and see that it's really like clockwork. it just comes down to gambling in the end | 03:28:43 |
| emily | we don't like to gamble with users' security | 03:29:02 |
| msgilligan | I'd move really fast to the new one. But having releases deleted automatically, in the same PR as the new release seem excessive. | 03:29:14 |
| msgilligan | Well, I'm talking about availability on unstable. And saying that marking them as knownVulnerabilities immediately even if there aren't any. | 03:30:24 |
| msgilligan | I'd say users of NixOS who are not paying anything and using non-LTS releases on the unstable branch that are out of upstream support are gambling with their own security. And personally, I'm willing to do that because my main use case is developing alpha software that will eventually run on the stable branch. | 03:31:59 |
