JTC 1/SC 22/WG 23 Java Vulnerability Discussions
WG 23 N1317
August 23 2023

Participants:
Larry Wagoner - USA
Sean McDonagh - USA
Erhard Ploedereder - Liaison
Tullio Vardanega - Italy

Actions:

Notes from Larry:

Thanks for the reminder. Haven’t made much progress since I was on vacation for a couple of weeks and am just catching up now. That (excuse) said, I did look at it some.

Java has gone to a 6-month release cycle. In 2020, they were on Java 13. Now they are just about to release Java 21 next month, so the releases aren’t making massive changes, just small incremental steps. From what I have read, many companies are still sticking with Java 8 since it is an LTS (long term support) version (the estimate is that 69% of programmers still use it as their main application). I looked over the changes between Java 13 and 20, which raises a couple of questions:

1. How do we handle “incubator changes”? “Incubator modules are a means of putting non-final APIs and non-final tools in the hands of developers, while the APIs/tools progress towards either finalization or removal in a future release.” Since these smell like experimental features that may only be temporary, should we ignore them or treat them like any other feature?

2. Java is a little different than other languages in its control/ownership and in its having LTS versions. Should we stray from our stated principle of looking at the latest version and instead look at the latest LTS? And if we go for the latter, should we go with Java 8, which is what a majority of programmers use, or Java 11, 17 or 21 (all LTS versions)? Java 8 has the longest free public support (latest end of life date) of December 2030, and only Java 21 has a slightly later extended support date of September 2031 (Java 8 has a date of December 2030). See https://en.wikipedia.org/wiki/Java_version_history to see the table of versions. Java seems to be quite unusual in its releases and support. Possibly this is because it is treated as a quasi-commercial product.

In looking over the features, the ones that I am most curious about are incubator features (see my question 1) that add virtual threads (Java 19) and foreign function and memory (Java 17 and 20). See https://www.marcobehler.com/guides/a-guide-to-java-versions-and-features# if you want to see a recap of what has been added in each Java version.

I have not heard anything from the Java reviewers. That could mean that they haven’t had time to look at it, or that they are still looking it over. I told them that if it was really out of date to not waste their time and just send it back with that comment. Based on what I have found about the Java versions, I don’t believe that the version we gave them is drastically out of date. But we will have to resolve the two questions above – perhaps we can discuss them at today’s meeting.

Discussed the Java release cycle. We will only document LTS releases. Also discussed how we handle changes. The suggestion is to document all flaws and record fixes implemented after version 8 as mitigations. We will wait for another 3 weeks to see if the Oracle people get back to Larry.