JavaOne 2026 Session

Summary

Every production Java application depends on a myriad of binaries somebody else built, patched, tested, and certified. But who funds that pipeline?

And what happens when parts of it go dark?

This session maps the real economics of open-source sustainability through the Java ecosystem: the infrastructure costs behind certified binaries, the EU Cyber Resilience Act's 2026 compliance deadlines, and the mounting pressure on maintainers from AI-generated noise.

Java's layered ecosystem: coordinated quarterly security, vendor-neutral distributions, foundation governance, and strong commercial stewardship - is better equipped for this moment than any other platform. But even here, your open-source stack is accumulating risk in ways you might not expect.

We'll challenge some comfortable assumptions about how open-source software is really maintained and secured, including a blind spot most organisations miss entirely: end-of-life dependencies your scanners report as clean, because nobody upstream ever checked.

You'll walk away with a method for finding EOL components your scanners miss, and a clear view of when third-party EOL support makes more sense than a rushed migration.