The Adoptium Working Group has published its Eclipse Adoptium: 2022 in Review and 2023 Roadmap document, which provides a retrospective of its accomplishments in 2022 and what developers can expect in 2023. Eclipse Adoptium provides Eclipse Temurin JDK and JRE binaries and introduced the Adoptium Marketplace in 2022 for third-party runtimes. Adoptium produced 166 releases last year, each one verified by thousands of tests for the various supported platforms.
The AdoptOpenJDK project, introduced in 2017, joined the Eclipse Foundation in 2020 and was rebranded as Eclipse Adoptium. The first Temurin JDK builds were released in 2021 and support the (Alpine) Linux, Windows, macOS, AIX and Solaris operating systems for various architectures such as x64, x86, aarch64 and arm.
Adoptium Quality Assurance (AQAvit), an open source test suite, was improved last year with features such as new tests, new test pipelines with remote triggers and Jenkins auto-rerun. The Java Test Compatibility Kit (TCK) is a set of tools and documentation used to verify whether a Java implementation is compatible with the Java specification. Adoptium introduced the Adoptium Marketplace in 2022, which provides TCK- and AQAvit-verified runtimes from organizations such as Red Hat, Microsoft, Azul, IBM, Huawei and Alibaba Cloud. In the past, AdoptOpenJDK also offered binaries for other projects such as Eclipse OpenJ9.
Google and Rivos joined founding members Alibaba Cloud, Microsoft, Red Hat, Azul Systems, Huawei and Karakun as Strategic Members of the Adoptium Working Group. The organizations view Adoptium's solutions as critical to their future. The members may be part of the steering committee or other subcommittees such as marketing, branding, quality assurance or infrastructure. Together they ensure that Adoptium Temurin continues as a secure, trusted and high-quality distribution for organizations and developers, which is available for free and supported for a long time.
The Secure Software Development Framework (SSDF) is a set of development practices for establishing secure software development processes that reduce vulnerabilities. It is published by the Computer Security Resource Center of the National Institute of Standards and Technology (NIST), an agency of the US Department of Commerce. Eclipse Adoptium already uses the OWASP CycloneDX Bill of Materials (BOM) standard, which reduces risk in the supply chain. The standard includes the Software Bill of Materials (SBOM), which is produced as JSON files for the Temurin builds. A GitHub issue is still open to discuss future improvements for the SBOM. Adoptium started working on reproducible builds, which are binary identical and may be built by third parties. This verifies that Adoptium built the binaries correctly and that the build and distribution process hasn't been compromised. GPG signatures were introduced for each build, next to the already existing SHA checksums, and may be used to verify that the artifacts weren't changed after being built by Jenkins. Two-factor authentication and two-person reviews are now activated for all critical repositories on GitHub.
Supply chain Levels for Software Artifacts (SLSA) is a security framework that includes a checklist of standards and controls to improve the integrity of artifacts. Eclipse Temurin reached SLSA level 2 compliance, which means the project started to prevent software tampering and added minimal build integrity measures. There are four levels in total, where the fourth level assures the highest build integrity and measures for dependency management should be in place.
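The checksum and SBOM checks described above, as an added example that is not Adoptium's own tooling: it compares an artifact's SHA-256 digest with a sha256sum-style checksum line and with the hash recorded for a component in a CycloneDX JSON document. The file name, component name, artifact bytes and SBOM contents are constructed, and the layout of the real Temurin SBOM is not assumed beyond CycloneDX's `components[].hashes[]` fields.

```python
import hashlib
import hmac
import json

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def parse_checksum_line(line):
    """Parse one sha256sum-style line: '<64 hex chars>  <file name>'."""
    digest, name = line.strip().split(None, 1)
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest.lower()):
        raise ValueError("not a SHA-256 hex digest: %r" % digest)
    return digest.lower(), name.lstrip("*")  # '*' marks binary mode

def sbom_sha256(sbom, component_name):
    """Return the SHA-256 recorded for a component in a CycloneDX document."""
    for comp in sbom.get("components", []):
        if comp.get("name") == component_name:
            for h in comp.get("hashes", []):
                if h.get("alg") == "SHA-256":
                    return h["content"].lower()
    return None

def verify(artifact, file_name, checksum_line, sbom_json, component_name):
    """Compare the artifact digest with the checksum file and the SBOM entry."""
    actual = sha256_hex(artifact)
    listed_digest, listed_name = parse_checksum_line(checksum_line)
    recorded = sbom_sha256(json.loads(sbom_json), component_name)
    return {
        "name_matches": listed_name == file_name,
        "checksum_matches": hmac.compare_digest(actual, listed_digest),
        "sbom_matches": recorded is not None and hmac.compare_digest(actual, recorded),
    }

# Constructed sample data: stand-in bytes and made-up names, not a real Temurin build.
ARTIFACT = b"constructed stand-in for a JDK archive"
FILE_NAME = "example-jdk.tar.gz"
CHECKSUM_LINE = "%s  %s\n" % (sha256_hex(ARTIFACT), FILE_NAME)
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [{
        "type": "application",
        "name": "example-jdk",
        "hashes": [{"alg": "SHA-256", "content": sha256_hex(ARTIFACT)}],
    }],
})

if __name__ == "__main__":
    print(verify(ARTIFACT, FILE_NAME, CHECKSUM_LINE, SBOM_JSON, "example-jdk"))
    print(verify(ARTIFACT + b"\x00", FILE_NAME, CHECKSUM_LINE, SBOM_JSON, "example-jdk"))
```

A matching digest only shows that the bytes equal what the checksum file and SBOM record; the GPG signature is the check that ties those files to the builder's key.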
For 2023, the focus is on growth, as fewer than a hundred people currently work on the projects, which have millions of downloads per week and thousands of users on Slack. Eclipse Adoptium plans more community involvement, especially to collect feedback, for example via the Slack channel. The project also wants to encourage users of open source solutions to consider Eclipse Adoptium, which hopefully results in usage of other Adoptium projects. Lastly, they aim to increase collaboration with other Eclipse projects to grow the Adoptium community and receive more feedback. This hopefully also results in support from the community to improve infrastructure components, such as the automation with AQAvit.
The Adoptium website offers Temurin binaries as well as Marketplace binaries for various other projects, and its documentation provides more information.
More information about the results for 2022 and the plans for 2023 can be found in the blog Eclipse Adoptium: 2022 in Review and 2023 Roadmap.