The Swiss government is using the Threema Work version as its official internal messenger [1]

They also provide a transparency report about metadata shared with government agencies through court orders, requests have been going up in the last years [2]

[1] https://twitter.com/ThreemaApp/status/1095675070922534912?s=...

[2] https://threema.ch/en/transparencyreport

This situation is still a bit hard to understand for me as a simple Java dev. Until now I thought that there were 3 kinds of "LTS":

1) OpenJDK Updates binary builds: they take the source code of the project, build it, and provide binaries. Examples I know are AdoptOpenJDK and the free Azul OpenJDK distribution.

2) Open source LTS: they take the OpenJDK Updates project, then add bugfixes they did for their PAYING customers. They publish the source code of the result. Here I see RedHat OpenJDK (such as the OpenJDK 8/11 builds distributed with RHEL 7/8). Those are then made available for free in binary form as well, such as part of CentOS. If you want a big fixed in those versions you have to pay, but you can benefit from bug fixes made for others. "LTS" here means as long as the RHEL version lives.

3) Paid LTS with custom support. Those do the same as 2, but don't release the source or binaries to the public, only to paid customers. Maybe there are even custom builds for specific customers. That would be Oracle mainly, and Azul and IBM as well.

What's unclear to me is if fixes from 2 flow into 1. Also, I don't know which kind Coretto is (Probably 1).

Is that a correct assessment of the situation?

Almost, although I have to say you know much more than most. Because OpenJDK itself is open-source, all versions are open, except for Oracle's for its paying customers, because Oracle, as the main developer of OpenJDK, owns the source code.

There are other differences, too. Adopt, made by a particularly amateurish team at IBM that is barely involved with the OpenJDK project and quite unfamiliar with its workings, isn't a member of the vulnerabilities team and so gets access to security fixes later than all other vendors (and that's not the only thing that makes their build more problematic than all others). Among those that do participate in OpenJDK to varying degrees, including Amazon, there are differences in how much of the changes to their branded forks they upstream to OpenJDK Updates (RH upstreams more; Azul less).

Anyway, the important thing to know is that there is only one version that is fully supported for free -- the current one, and so the safe choices are either some paid LTS or the current version.

Maybe you should call not LTS but "Oracle's LTS" ? OpenJDK is open so any company should be able to provide own "LTS" but it's differ from Oracle's LTS and you argue that Oracle's LTS is superior than others. (I agree Oracle has great resource to maintain LTS and still manages CVEs)

> Anyway, the important thing to know is that there is only one version that is fully supported for free -- the current one, and so the safe choices are either some paid LTS or the current version.

It looks like overstatement for me but reasonable perspective for Oracle employee.

What I'm saying is that you can buy LTS from Oracle, Red Hat, Bellsoft, or Azul -- that's how all of them make their money off of OpenJDK -- but not a single one of them offers it for free (and neither does Amazon, whose JDK staff is smaller than or similar to Bellsoft's).