Eliya Lifecycle & Support

Supported versions

Version	Upstream	First GA	LTS support through	Status	EOL notice
`eliya-25`	`openjdk-25u`	2026-06-10	2029-09	Active	12 months
`eliya-29`	`openjdk-29u`	2027-09 (planned)	aligned	Planned	-

Eliya publishes the latest LTS. JDK 21 is not a published target; anyone needing JDK 21 in production today is already on an established vendor distribution (Corretto, Temurin, Zulu). Eliya will become multi-version naturally when JDK 29 LTS lands in September 2027.

Non-LTS releases (JDK 26, 27, 28) are not published. Eliya ships LTS only. Non-LTS releases stop receiving security patches six months after release; running them in production is operationally risky.

Eliya tracks upstream OpenJDK 25 LTS through Sept 2029. Extended LTS beyond that is a commercial-support consideration; for 8+ year windows on JDK 25, third-party extended-LTS providers (Azul, BellSoft) are available today.

Quarterly CPU calendar

OpenJDK publishes Critical Patch Updates on the third Tuesday of January, April, July, and October. From Eliya 25.0.4 onward, Eliya targets publication within two weeks of each upstream release.

Quarter	Upstream CPU	Eliya target	Release	Status
Q2 2026	2026-04-21	2026-06-10 *	25.0.3	Shipped
Q3 2026	2026-07-21	≤ 2026-08-04	25.0.4	Scheduled
Q4 2026	2026-10-20	≤ 2026-11-03	25.0.5	Scheduled
Q1 2027	2027-01-19	≤ 2027-02-02	25.0.6	Scheduled
Q2 2027	2027-04-20	≤ 2027-05-04	25.0.7	Scheduled
Q3 2027	2027-07-20	≤ 2027-08-03	25.0.8	Scheduled

* 25.0.3 was the first GA; 25.0.4 onward targets within two weeks. Upstream CPU window: third Tuesday of January, April, July, and October.

Patch numbers follow OpenJDK's JEP 322 time-based versioning: the $UPDATE field increments by one per CPU (25.0.3 → 25.0.4 → 25.0.5 …).

Upstream verification: OpenJDK Vulnerability Group, Oracle Critical Patch Updates calendar.

Out-of-cycle CVE rebuilds

When upstream OpenJDK publishes an out-of-cycle patch for a critical CVE (typically CVSS ≥ 9.0 or actively-exploited per Oracle Security Alerts), Eliya targets one week to ship the corresponding rebuild.

Eliya tracks upstream's out-of-cycle releases; Eliya does not unilaterally determine what constitutes a critical CVE. If upstream treats an issue as quarterly-cycle, Eliya does too. This alignment ensures Eliya users get the same CVE response timing as upstream OpenJDK consumers.

What changes between CPUs

Each quarterly release includes:

All upstream OpenJDK security fixes and stability patches for the quarter.
Any java.security updates upstream applies. Eliya inherits these unchanged; there is no Eliya-specific security overlay.
No behavioural changes to -XX:EliyaProfile=Production unless explicitly noted in CHANGELOG.
No API changes, strictly CPU semantics.

Version pinning recommendations

Four patterns cover how operators pin Eliya, two mutable (the tag moves under you) and two immutable (the bits never change once pinned):

Pattern 1 — LTS-track moving tag :25-lts (mutable, every CPU and respin)
Pattern 2 — CPU-track moving tag :25.0.4 (mutable within the CPU window; respins inside the window are picked up automatically)
Pattern 3 — per-build immutable handle :25.0.4-r1 or eliya-jdk-25.0.4+7-r1-linux-x64.tar.gz (immutable, 25.0.4 onwards)
Pattern 4 — cryptographic content pin via OCI digest @sha256:<digest> or SHA-256 from the signed SHA256SUMS.txt.asc (immutable, byte-exact; required by compliance buyers and supply-chain auditors)

See the four pin patterns on the versioning page for the full breakdown with copyable commands and the audit-framework mapping. For upgrade procedures, see the migration guide.

Lifecycle across phases

Phase 1 (current). Eliya tracks upstream OpenJDK 25 LTS with the quarterly CPU cadence documented above.

Phase 2 (next major release, target H2 2026). Adds:

FIPS variant (eliya-25-fips): separate artifact with a FIPS-validated provider. FIPS variants typically have longer CPU lag than non-FIPS (CMVP recertification of cryptographic modules adds weeks); target one CPU cycle behind standard Eliya.
Bundled diagnostic tools: Eclipse MAT (headless) and async-profiler. These have their own upstream releases independent of OpenJDK; Eliya tracks their stable branches and bundles a refresh in each quarterly CPU.
macOS aarch64 variant: quarterly CPU aligned with Linux variants.

Phase 3 (target 2027). Asymm Forensics ships with its own SemVer cadence independent of the Eliya JDK: cross-correlation analysis improvements ship more frequently than the JDK's quarterly CPU; pattern-detection library updates align with quarterly CPUs.

Phase 4 (demand-gated). Compliance profile values ship as the underlying frameworks require. Profile content is aligned with the framework's own revision cycle (PCI DSS major version every ~3 years, HIPAA periodic, etc.). When a framework updates, the corresponding profile is refreshed in the next available CPU.

Phase 2+ platform lifecycle. When the macOS aarch64 variant (Phase 2) and Windows x64 variant (Phase 3) ship, they follow the same quarterly CPU cadence as the Linux variants. Each CPU publishes all platforms simultaneously where possible; rare platform-specific delays are noted in release notes.

End-of-support policy

When JDK 25 LTS reaches end-of-support (Sept 2029 per upstream OpenJDK Vulnerability Group cadence), Eliya will:

Announce sunset 12 months in advance on the release-notes feed and via the release announcements mailing list.
Continue shipping quarterly CPUs for the remaining support window.
Publish a final CPU at the end-of-support date.
Provide migration guidance to JDK 29 LTS in the migration guide.

For organisations requiring extended support beyond Eliya's Phase 1 commitment, third-party LTS providers (Azul, BellSoft) offer 8+ year LTS windows for JDK 25. When Asymm Systems offers commercial support in Phase 2+, extended LTS becomes an in-scope contractual deliverable for paying customers.

back to Eliya