Arch Linux: jre19 openjdk EOL dependency

Hello, I'm using Elasticsearch on Arch Linux, version 8.7.0, but this latest version uses jre19 openjdk, which has reached its EOL (Java/OpenJDK | endoflife.date), so on Arch Linux it cannot be installed anymore because this dependency has been removed from the Arch repositories. If I'm not wrong, Elasticsearch 8.7.1 should use JRE OpenJDK 20, but on the GitHub project page it is still not released.

When will the new Elasticsearch compatible with JRE OpenJDK 20 be released?
Is the current version of Elasticsearch compatible with JRE OpenJDK 8, 11 or 17 (which have LTS)?

Each Elasticsearch distribution comes bundled with its own JDK, and that's the one we recommend to use. It should not depend on an external JDK so it should be unaffected by the fact that this version is now technically EOL.

If you insist on using a custom JDK then the support matrix indicates that you can use OpenJDK 17 with 8.7.0 too. But to repeat: the bundled one is the recommended one.

Thank you @DavidTurner, I'm just concerned about using a dependency that has reached EOL, mostly for security reasons. This is the main reason I would prefer to avoid it. Your answer is efficient and thank you for the support matrix link. I hope the new version of Elasticsearch will be released asap with bundled Java 20.

That's the advantage of using the bundled version: it's not a dependency that you need to track separately. It's just part of the product, similarly to Lucene and Log4J and Jackson and all the other libraries on which Elasticsearch depends. Elastic looks after the security side of things, so a vulnerability(*) in the bundled JDK would be reported as an Elastic Security Advisory.

(*) NB not all vulnerabilities reported in a dependency are vulnerabilities in the dependent product. For instance most Elasticsearch releases were not vulnerable to the famous Log4J bug reported in CVE-2021-44228. Similarly, there have been a number of Jackson vulnerabilities that did not affect Elasticsearch because Elasticsearch did not use the vulnerable features in the library.


Elasticsearch versions 7.17.10 and 8.7.1 have now been released, and both come bundled with JDK20:

$ ./elasticsearch-7.17.10/jdk.app/Contents/Home/bin/java -version
openjdk version "20.0.1" 2023-04-18
OpenJDK Runtime Environment (build 20.0.1+9-29)
OpenJDK 64-Bit Server VM (build 20.0.1+9-29, mixed mode, sharing)
$ ./elasticsearch-8.7.1/jdk.app/Contents/Home/bin/java -version
openjdk version "20.0.1" 2023-04-18
OpenJDK Runtime Environment (build 20.0.1+9-29)
OpenJDK 64-Bit Server VM (build 20.0.1+9-29, mixed mode, sharing)
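
The check discussed in this thread (bundled JDK versus a custom one, and which Java version it is) can be scripted. The following is an added example, not part of the thread and not Elastic's tooling. It assumes the `ES_JAVA_HOME` override variable and the `jdk/` directory of the Linux archive, neither of which is mentioned above; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: report which JDK an Elasticsearch install would launch.

# Print the java binary for the install at $1.
# Assumption: ES_JAVA_HOME, when set, overrides the bundled JDK.
es_java_path() {
    es_home=$1
    if [ -n "${ES_JAVA_HOME:-}" ]; then
        printf '%s\n' "$ES_JAVA_HOME/bin/java"
    elif [ -x "$es_home/jdk.app/Contents/Home/bin/java" ]; then
        # macOS layout, as in the commands shown in the thread
        printf '%s\n' "$es_home/jdk.app/Contents/Home/bin/java"
    elif [ -x "$es_home/jdk/bin/java" ]; then
        # Linux archive layout (assumption, not shown in the thread)
        printf '%s\n' "$es_home/jdk/bin/java"
    else
        return 1
    fi
}

# Read `java -version` output on stdin and print the feature version.
# Handles "20.0.1" -> 20, "17" -> 17 and legacy "1.8.0_362" -> 8.
java_feature_version() {
    sed -n 's/^[a-z]* version "\([^"]*\)".*/\1/p' | head -n 1 |
        awk -F'[._+-]' '{ if ($1 == 1) print $2; else print $1 }'
}

# Print "<bundled|custom> <feature-version> <path>" for the install at $1.
es_jdk_report() {
    java_bin=$(es_java_path "$1") || {
        echo "no JDK found under $1" >&2
        return 1
    }
    if [ -n "${ES_JAVA_HOME:-}" ]; then kind=custom; else kind=bundled; fi
    # java -version writes to stderr, so merge it into stdout first
    ver=$("$java_bin" -version 2>&1 | java_feature_version)
    printf '%s %s %s\n' "$kind" "${ver:-unknown}" "$java_bin"
}

# Stand-alone use: ./es_jdk_report.sh /path/to/elasticsearch-8.7.1
if [ "$#" -gt 0 ]; then
    es_jdk_report "$1"
fi
```

A `custom` result means JDK patching is tracked by whoever maintains that JDK rather than through the Elasticsearch release itself.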
