Version and Security
pbenedict at apache.org
Mon Jan 11 20:47:55 UTC 2016
I'd like to offer a suggestion. I am late to the game with this idea, but I
think it's worth mentioning. Right now I think the proposed encoding is too
complex and would like an alternative.

I don't think the JDK version string should include any special encoding
for security. I believe product versioning and security patch versioning
should be made clear by 2 different system properties. There should be an
additional "security patch level" property that corresponds to the version
(or date) of either OpenJDK and/or Oracle for whatever their statuses are.

How to interpret this example:

Java 9.0.1 has all security patches from OpenJDK since 2016-01-02 and,
because my example is using an Oracle JDK, it includes their own
proprietary security patches up to 2016-01-11.