Canonical’s OpenJDK builds promise Java devs more speed and a whopping 12 years of security support

ZDNET’s key takeaways

• With Ubuntu Pro, Canonical’s OpenJDK build includes 12 years of support.
• ‘Chiseled’ builds are faster, more secure than other OpenJDK builds. 
• Canonical is aligning Ubuntu’s and OpenJDK’s release cadences.

Canonical, the company behind Ubuntu Linux, has announced the introduction of its own certified OpenJDK builds. With 90% of Fortune 500 companies relying on Java for their backend development, this move is designed to address the growing complexity and security demands faced by Java developers. 

It starts with Canonical committing, via an Ubuntu Pro subscription, to up to 12 years of security support for all OpenJDK Long Term Support (LTS) releases. This will extend the life cycle of legacy applications for the foreseeable future. 

Also: I’m a Linux power user, and the latest Ubuntu update put a smile on my face

For example, Java 8, which was released in 2014, is still used in approximately one-third of production deployments even though Oracle discontinued Premier Support in March 2022. Canonical, on the other hand, has extended security support for Java 8 until at least 2034. That’s eight years longer than Red Hat and four years longer than Azul Zulu.

You can rely on the Canonical OpenJDK releases for as long as you need them to be supported.

Beyond that, the standout feature of Canonical’s OpenJDK initiative is its Chiseled Open Java Runtime Environment (OpenJRE) containers. These “chiseled” images are designed to provide only the essential components needed to run Java applications. 

This approach has two significant advantages.

First, they’re much smaller images, making them ideal for Continuous Integration and Continuous Delivery (CI/CD) pipelines and cloud-native deployments. How much smaller? These containers are up to 56% smaller than the popular and comparable Temurin OpenJDK images. For example, the compressed image size for Chiseled JRE 8 is just 37MB (AMD64) and 38MB (ARM64), while Chiseled JRE 17 is 44MB (AMD64) and 42MB (ARM64). 

While they are smaller, they’re not slower. Despite their reduced size, these images maintain equivalent startup and throughput performance compared to full-size Java runtime images. Indeed, other new features, detailed below, actually make them faster than traditional Java VMs.

Also: 5 Linux distros I recommend to help businesses cut costs and boost security

In short, chiseled containers are Canonical’s take on “distroless” images such as Chainguard OS. They are built using an open-source tool called Chisel, which extracts only the required “slices” (portions) of Ubuntu packages, ensuring that only the runtime and its direct dependencies are included.

The second, and to my mind, far more important advantage: The attack surface of these chiseled images is significantly reduced compared to traditional Java runtime containers. According to the Datadog “State of DevSecOps” 2024 report, 90% of Java services have at least one critical or high-severity vulnerability. That’s nearly double the average (47%) for all technologies studied, and higher than JavaScript (75%), Python (64%), and .NET (50%). 

Also: 5 command line backup tools every Linux user should use for desktops and servers

Moreover, of those security holes, the vast majority (63%) of high- and critical vulnerabilities arise from indirect dependencies — third-party libraries that are included, often unknowingly, in application builds. In short, the less third-party code in the image, the smaller the chances you’ll need to deal with a security issue. Canonical chiseling out potential security holes is a major win for companies relying on OpenJRE.  

You can still tailor these images to your specific application needs. The choice is yours.

This means all major versions of LTS OpenJDK will be supported via Ubuntu Pro until at least 2034.

In addition, Canonical’s OpenJDK builds for versions 17 and 21 are tested for correctness using the Eclipse AQAvit testing framework and the official Technology Compatibility Kit (TCK). This ensures reliable, predictable runtime behavior across a broad range of architectures, including AMD64, ARM64, s390x, ppc64el, and RISC-V.

For regulated industries, Canonical is also offering cryptographic compliance: openjdk-11-fips with FIPS 140-2 certified BouncyCastle (which has nothing to do with your seven-year-old’s birthday party and everything to do with open-source cryptographic APIs) is available now. Canonical is also working on a dedicated OpenSSL-FIPS Java provider that is undergoing FIPS 140-3 certification.

Besides security, Canonical is addressing Java’s traditional challenge of slow startup times by packaging and supporting both GraalVM and Coordinated Restore at Checkpoint (CRaC). GraalVM enables ahead-of-time (AOT) compilation, producing native executables with dramatically faster startup and reduced memory usage. Canonical provides GraalVM as a snap for easy installation and updates.

Also: 5 of my favorite Linux system-monitoring tools – and why I use them

CRaC enables developers to checkpoint a running, pre-warmed JVM and restore it in milliseconds. This greatly speeds the performance of containerized and serverless Java applications. Canonical is packaging CRaC-enabled OpenJDK builds and providing long-term security maintenance support, starting with Ubuntu 26.04. This is the next LTS version of Ubuntu and will be released in April 2026.  

Looking ahead, Canonical is aligning Ubuntu’s release cadence with OpenJDK’s biannual release cadence. This ensures that new OpenJDK LTS releases are included in each subsequent Ubuntu LTS release. Interim Ubuntu releases, which appear quarterly, will feature the latest non-LTS versions of OpenJDK. This enables you to experiment with new language features and APIs as soon as they become available, without sacrificing stability for production workloads. You get the best of both worlds: stability and access to the latest features. 

In summary, with its own OpenJDK builds, Canonical is positioning Ubuntu as a premier platform for secure, high-performance, and compliant Java development. By offering extended security, predictable release cycles, optimized container images, and support for cutting-edge Java technologies, Canonical aims to simplify Java lifecycle management for enterprises and empower developers to innovate with confidence.

Also: A Linux terminal app for native Android development? Here’s why I’m bullish

You can download the images from these public registries: Dockerhub or Amazon Container Registry (ECR). You may also download the OpenJRE containers and install the GraalVM snap. Finally, you can learn more about Canonical builds of OpenJDK or check out Canonical developer documentation. 

Get the morning’s top stories in your inbox each day with our Tech Today newsletter.