> NEVERTHELESS, software supply chain is important. Whatever JVM one chooses should have a good answer to how they handle it.
We do agree on that. We also agree that Linux distributions & Docker official images have been doing a shitty job in the past, which is what your article is talking about. Thanks to Gil Tene's continuous efforts to raise awareness about this issue, the situation has somewhat improved.
My point is that AdoptOpenJDK has been specifically created to tackle those issues. Your initial comment seems very unfair to them and could misguide some people.
Everyone is free to pick the JDK build of their choice. Several projects do a good job at providing quality builds of OpenJDK. Most OpenJDK distributions are upstream first, so the determining factor is the trust you put in their build, test & QA processes. From that point of view and in a long-term vision, supporting AdoptOpenJDK / Adoptium Temurin looks like a smart move because their tooling & processes are open source, which keeps the OpenJDK ecosystem in a safe state as it doesn't rely on a few private companies as sole providers for the community. History taught me that over-reliance on Amazon or Azul might not be a good idea. Let's thank them for their contributions, but let's not depend on them without viable alternatives.
> Your initial comment seems very unfair to them and could misguide some people.
Agreed, alas I cannot edit it anymore.
I was wrong in my understanding as to how the 'mystery meat' got into the flow. Having looked at the AdoptOpenJDK repos, it's clear they do their work in the open. That's no guarantee, but is the best choice over the long term. And a JVM is a long-term thing.
NEVERTHELESS, software supply chain is important. Whatever JVM one chooses should have a good answer to how they handle it.