Being able to independently upgrade openJDK would allow customers to meet their security needs as the CVEs appear. The current situation is that they must wait for a release of Automate or Chef Infra Server. This is less than ideal, as it requires tedious to create and sometimes impossible to get waivers. Well-formed waivers generally have an expiration date.
Companies also often have a drop-dead date, beyond which the system must be shut down when found out of compliance.
Wherever openJDK is installed in Chef kit, it should have these properties
* Independently upgradeable. No package builds or installations needed, unless they are packageable and installable on-site at the customer site
* Rollback function to the original version that shipped with the present Chef Software, Inc version of whatever software to allow quick repairs if something goes wrong
* Documentation for installs/rollbacks with examples