Eliya - Asymm Systems [asymm} systems<br>JDK 25 LTS · 25.0.3 released<br>Eliya<br>Eliya is an OpenJDK 25 distribution from Asymm Systems for compliance-conscious production. One flag turns your JVM into a forensic recorder. Diagnostic data stays inside your perimeter.<br>All downloads User guide
Why Eliya Engineered for operational discipline<br>Four core properties define the platform across all four phases, built into Eliya's foundation rather than sold as add-ons.
Observability by Design<br>Heap dump on OOM, native memory tracking, crash log path, and JFR one flag away, all configured by default via -XX:EliyaProfile=Production. Continuous 24-hour recording and unified GC logging land in Phase 2, putting the last day of execution profile on disk before failure. Performance impact: ~1–2% steady-state.
Local-Only Diagnostics<br>All diagnostic capture and (Phase 2) analysis runs on your infrastructure. No SaaS dependencies, no telemetry, no phone-home. Runs alongside whatever APM you're already using; Eliya provides forensic data APM tools structurally cannot.
Conservative Engineering<br>Eliya tracks the upstream OpenJDK source tree (openjdk/jdk25u) exactly, preserving API semantics. Based on TCK-certified upstream OpenJDK 25; Phase 2 will publish an independent TCK run of the Eliya binary itself. It is a hardened build, not a diverging fork.
Operational Cadence<br>Security requires velocity. Eliya ships quarterly Critical Patch Updates within two weeks of each upstream OpenJDK release. Critical CVEs target one-week turnaround. GPLv2 with Classpath Exception, same licence as upstream.
Engineering What's actually different from upstream OpenJDK 25<br>Here's what Eliya changes vs. a vanilla OpenJDK 25 build, and what stays exactly upstream.
What Eliya gives you<br>One opt-in flag, -XX:EliyaProfile=Production, turns your JVM into a forensic recorder. Every run leaves audit-grade diagnostic data (JFR, heap dump on OOM, GC logs, native-memory accounting, crash artifacts) on disk in a predictable per-service path. ~1-2% steady-state overhead.<br>A diagnostic CLI on every install: asymm eliya info and asymm eliya doctor for fast triage. Diagnostic directory pre-created and writable by the running user.<br>Quarterly upstream sync within two weeks of every OpenJDK CPU; one-week target for out-of-cycle critical CVEs.<br>Honest TCK posture: built on TCK-certified upstream OpenJDK 25 today; independent TCK run of the Eliya binary is a Phase 2 deliverable.<br>Compliance-conscious by design: local execution only, no SaaS dependencies, no telemetry, no phone-home. Diagnostic data stays on your hardware.<br>Coexists with your existing APM. JVM forensic capture (HPROF heap dumps, JFR recordings, structured thread dumps) that APM tools structurally cannot produce. Runs alongside Datadog, New Relic, Dynatrace, AppDynamics, and Elastic APM without conflict. See JVM forensics vs APM for the architectural distinction.<br>Phased roadmap with named deliverables: FIPS 140-3 variant (Bouncy Castle FIPS, CMVP cert #4943) and bundled diagnostic tooling (Eclipse MAT headless, async-profiler) in Phase 2; Asymm Forensics cross-correlation platform in Phase 3; compliance-aligned profiles (PCI DSS, HIPAA, SOX, FedRAMP, GDPR, ISO 27001, SOC 2) plus combined profiles for industries spanning multiple frameworks (Healthcare-Payment, Financial-SaaS, Federal-Defense) demand-gated for Phase 4. Full trajectory: roadmap.
What stays exactly upstream<br>GC selection: JDK 25 ergonomics decide; Eliya does not pick a collector or set MaxGCPauseMillis.<br>JIT, class loader, module system: identical bytes, identical behaviour.<br>java.security in the standard build is bit-identical to upstream JDK 25. SSLv3 / TLS 1.0 / TLS 1.1 disabled, weak ciphers blocked, NIST-aligned key sizes: these are upstream defaults. Eliya does not duplicate them as “hardening” because performative duplication is dishonest. The file is bit-identical to upstream, verifiable with diff. Compliance-aligned profiles (PCI DSS, HIPAA, SOX) are a Phase 4 deliverable, demand-gated by customer signal.<br>SunJCE provider order in the standard build. The Phase 2 FIPS variant is a separate artifact (eliya-25-fips.tar.gz) with Bouncy Castle FIPS pre-installed; FIPS is not a configuration toggle on the standard build.<br>Java APIs, standard library, runtime semantics: built from the same source tree (openjdk/jdk25u). If your application runs on upstream OpenJDK 25, it runs on Eliya unchanged.<br>GPLv2 with Classpath Exception, same licence as upstream OpenJDK.
Full enumeration with exact flag values and patch locations: Differences from upstream OpenJDK 25
Quick start Install and activate observability<br>Install paths for every deployment shape. Docker image (multi-arch) is ready now; tar.gz from GitHub Releases works on any Linux; DEB / RPM packages for production servers target Q4 2026; SDKman for developer machines is Phase 1 (submission in progress, target Q2 2026).
# Run on Docker (multi-arch image)<br>btn.innerText = orig, 2000);"...