OpenJDK for Briefcase

The documentation for Briefcase mentions that Oracle JDK should be used instead of OpenJDK due to encryption shortcomings. How old is that information, and how would the shortcomings show themselves?

The reason for asking, is that updated versions of Oracle JDK will not be free for commercial use from 2019, making it difficult for me (and probably many other users) to have access to anything else than Open JDK in the new year (unless we keep an old version without security fixes). However, looking at https://bugs.openjdk.java.net/browse/JDK-8170157 it appears unlimited cryptography was enabled in Java 9 in 2016, and backported to Java 8 in October 2017 - so if the recommendation is older than that, it may no longer be true.

I have tried to pull data from Aggregate 1.6.1 on Google App Engine, with Briefcase 1.13.1 using OpenJDK 1.8.0_171, without any obvious problems. Unless I hear about some showstopper, I will try to push some data tomorrow (I'm located in UTC+1).

1 Like

@danielh The errors we've seen happen on exporting encrypted files. ODK Briefcase Not Setting Up Properly after Download and https://github.com/opendatakit/briefcase/issues/627 are the places we've documented it.

I put that warning in the docs because we haven't had a chance to test OpenJDK rigorously. Naturally we want to support OpenJDK, but if we can't get it to work, Oracle Java 9 is an easy upgrade and is free and will continue to be free.

We do need help, so maybe you can try OpenJDK and see if it works?

Setup and pull with Briefcase works fine with OpenJDK 1.8.0_171 on Linux. No encrypted forms though, and I will not be able to test encrypted forms for at least 2 weeks (sorry).

With Java 9, Oracle changed to a rolling release for Java, with only the latest version (and possible LTS versions) receiving security updates. Java 9 has not been patched since Java 10 was released in march 2018, which in turn reached EOL in September 2018. So at the moment, only Java 11 and Java 8 LTS receives security updates. Oracle Java 11 is only free for non-commercial use, and Oracle Java 8 will require a commercial license to receive security updates from January 2019 if you are in a commercial setting. This means that those of us who are considered to be in a commercial setting (this includes universities) have the following choices:

  • Keep existing (and unpatched) versions of Java
  • Pay for a commercial license (which is not as simple as it may sound)
  • Use OpenJDK (which is Open Source and will stay free)

From Java 11, the non-commercial version of Oracle Java should be identical to OpenJDK - all the closed tools previously available to everyone are now only available to paying customers.

Sorry for this slightly off-topic rant, but considering there will only be various releases of OpenJDK avaliable without a commercial license after December 2020 (when non-commercial updates of Java 8 will end), I think it will be a good idea to plan for a shift to OpenJDK as soon as possible, and avoid Oracle Java due to the limited number of users who will have access to it in the future.

I can also confirm that pushing data works fine for me with OpenJDK 1.8.0_171 on Linux (against Aggregate 1.7.1 on Google App Engine), in case someone is curious. Still no encrypted forms though.

1 Like