Could someone provide a TL;DR on the major patches/benefits that Corretto has over Adopt or other community-driven JDK implementations? It is unclear from the documentation, but I assume they have some secret sauce for faster boot for their Firecracker VM instances.
Adoptium is not "community driven" (it's made by IBM), and there is only one OpenJDK implementation, the one led and primarily developed by Oracle, with contributions from other companies. What Amazon or IBM do is build the source and distribute the binaries (look at the licence).
"...Eclipse Adoptium, built by IBM, which is the only distribution built by a team that isn't involved with the OpenJDK project, isn't very familiar with it, and isn't a member of the OpenJDK Vulnerability team, and so get security patches only after the other vendors have delivered their builds. "
My understanding is that ties between the Eclipse Foundation and IBM are loose enough by now to not call this project an IBM thing. Eclipse did originate at IBM, but that was close to 20 years ago.
That may be so, but >90% of the work on this particular Eclipse project is done by IBM. Just as many companies contribute to OpenJDK but it is primarily an Oracle project, and Oracle does most of the work, Adoptium is an IBM project. That, in itself is not good or bad (although it is somewhat bad because, unlike other JDK distributors, IBM is barely involved with OpenJDK and the IBM team that makes the Adoptium builds is not particularly familiar with OpenJDK), but it is certainly not a "community led" distribution -- it is, de facto, an IBM-led one. It did not start out this way, but it has been this way for several years now (they did the same with https://en.wikipedia.org/wiki/Apache_Harmony).
Are we talking about the (Open)J9 flavor here? It was featured more prominently on the AdoptOpenJDK page, but has now all but disappeared on the Adoptium site. J9 is something that I can definitely associate with IBM, what I'm having a hard time with is connecting the work on HotSpot builds to the company.
I'm talking about the Adoptium (née AdoptOpenJDK) builds, which are made by IBM. IBM aren't involved much with OpenJDK, but they can still run `make` on server farms. Although Eclipse OpenJ9 is yet another IBM project.
I worked at AWS and Corretto came out towards the end of my tenure there. At the time (Java 8), it included in-house patches that upstream haven’t or, due to politics, refused to adopt.
Now that I don’t work at Amazon any more I still advocate for the distribution for the LTS model, and the fact that it contains fixes that are only discovered when running in production at the scale of Amazon and AWS.
Which has been a staple of long-term JVM production guys for a long time. You can use their releases free of licensing but can get commercial support if/when you need it.
You probably shouldn’t. Last I checked, the OpenJDK Docker images use the Debian builds of OpenJDK, and there have been multiple times where they’ve shipped vulnerable builds. [0] You should probably just use the Zulu builds.
Wow, that's awesome - 8 had a handful of custom patches and some backports, 11 had only backports, and 17 has nothing. This is kind of the best possible story for a distribution fork!