
Oracle’s Java 11 trap - haimez
https://blog.joda.org/2018/09/do-not-fall-into-oracles-java-11-trap.html
======
paradite
Is this actually a trap? The "trap" page has a huge warning section that
clearly tells you the license has substantially changed and how to get open JDK,
and what license it has.

> With JDK 11 Oracle has updated the license terms on which we offer the
> Oracle JDK. The new Oracle Technology Network License Agreement for Oracle
> Java SE is substantially different from the licenses under which previous
> versions of the JDK were offered. Please review the new terms carefully
> before downloading and using this product.

> Oracle also offers this software under the GPL License on jdk.java.net/11

[https://www.oracle.com/technetwork/java/javase/downloads/jdk...](https://www.oracle.com/technetwork/java/javase/downloads/jdk11-downloads-5066655.html)

This information is either deliberately or accidentally missing in the post.
If we assume the author did his research before writing this piece, I can only
believe this was done with purpose.

~~~
jodastephen
Not everybody reads warnings. Many will go to that page and just go straight
to the download. In addition, the warning doesn't say "not for commercial use" -
you have to click through and read a long legalese to find it. Oracle could
still choose to make it clearer...

~~~
paulie_a
It's just another license to ignore. I'll personally do whatever I want
regardless of what is in the EULA.

~~~
StreamBright
Not sure where you live or what sort of company you work for but in my country
& our company we cannot just have a fuck all attitude towards software
licenses.

~~~
paulie_a
The USA and I've been doing it for two decades, honestly copyrights and
licenses are not important to me. I have taken a fuck all attitude without
consequence and will continue to do so forever.

~~~
misabon
Haha the plethora of GPL violations that exist without consequence sort of
illustrate your point quite well.

~~~
StreamBright
You think if Oracle's legal team is after your company you get a free get out
of license violation card?

~~~
misabon
Haha, I’m not playing that game because I’m lawsuit averse but I’m not
surprised people are successful at it. This JDK includes telemetry so it just
got a lot more dangerous to play but otherwise I’d guess license violations
are pervasive at small shops.

~~~
malka
even at big ones.

------
floatboth
> Download Oracle JDK (because that is what you've always done, and it is what
> the web-search tells you)

What I've always done is install OpenJDK from the system's package manager :P

~~~
Leace
And that's good that package managers ship only openjdk. When I migrated to
Linux I didn't know better but as "openjdk" was easier to install than Oracle
JDK I used "openjdk". It turns out it works very well, actually I can't tell
the difference.

~~~
cesarb
Unfortunately, many people add a repository with Oracle JDK to their package
managers and install the JDK from there, due to some perceived better
compatibility and/or extra bug fixes. (And in my experience, this is true for
the Java plugin; the "official" plugin seems to work better than the IcedTea
plugin.)

~~~
djsumdog
Confluence is an example of a piece of software that wouldn't run correctly at
all under OpenJDK.

Even today on the Atlassian docs, they provide a Docker image of Confluence to
evaluate, but if you buy a production license, you are required to build an
OracleJRE Docker container (they provide instructions) for production.

It's been years and they still can't support OpenJDK ... it makes me wonder
what weird proprietary crazy reflection shit they're doing in there.

~~~
vbezhenar
Last time I tried to run Jira with OpenJDK, I stumbled upon some encryption
algorithm not supported in OpenJDK. I didn't research further. But that was a
long time ago, nowadays I bet that OpenJDK will work just as well.

~~~
ganeshkrishnan
The encryption algos are not supported with Oracle java either. The stronger
algos have a separate licence and need to be downloaded manually for either
java sdk.

------
electrotype
An interesting thing about AdoptOpenJDK is that it seems they may provide
builds with DCEVM + HotswapAgent integrated, in the future [0]! And maybe
become a very good and easy to use alternative to the way too expensive
JRebel.

[0]
[https://github.com/HotswapProjects/HotswapAgent/issues/218#i...](https://github.com/HotswapProjects/HotswapAgent/issues/218#issuecomment-403580956)

~~~
ptx
That's great news! Properly working code reloading would improve the
development experience enormously.

Why wouldn't it be integrated directly in the upstream OpenJDK source, though?
It sounds like it would be a separate patched build that I'd have to download,
and wouldn't be available if I just "apt-get install openjdk-11-jdk" in
Debian?

------
sgt
This is not new, and as per:
[https://www.oracle.com/technetwork/java/javase/terms/license...](https://www.oracle.com/technetwork/java/javase/terms/license/index.html)
it was put in place in 2017 already. Seeing that the "LICENSE" of Java 8
simply points to their website, it means that they effectively changed it for
Java 8 as well.

So that means that even if you're running Java, you have three options: (1)
Continue using it illegally, it will probably be a low risk. This is not
advisable especially for larger corporates. (2) Purchase JDK license (3)
Switch to OpenJDK

~~~
repolfx
The situation is confusing but not that confusing.

Java 8 has commercial features that are locked by default. You can unlock them
by passing a command line flag that looks like -XX:+UnlockCommercialFeatures,
so pretty hard to miss.

If you use those in production, you're meant to pay. But virtually nobody does
use them. In fact Oracle open sourced them all for Java 11, perhaps because of
that fact.

Now in Java 11 there are two JDKs, that are virtually identical. OpenJDK and
Oracle JDK. The latter is the same as the former but commercially supported.
If you use it in production at all, you're meant to pay. But the only reason
to do that is you want commercial support, from what I understand. There are
no longer any special features. If you can support yourself (like most can)
you just switch to OpenJDK as part of your Java 11 upgrade.

They have not changed the license for Java 8 users "on the fly", I'm not even
sure that's legally possible.
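
An added example, not part of the thread: one way to audit for the two situations this comment describes, an Oracle JDK build in use and the Java 8 commercial-features flag on a launch command. It relies on Oracle JDK builds printing `Java(TM) SE Runtime Environment` in `java -version` while OpenJDK builds print `OpenJDK Runtime Environment`; the function names and the sample banners are constructed for illustration.

```bash
#!/bin/sh
# Added example (not from the thread): classify a JVM by its `java -version`
# banner and spot launch commands that unlock Java 8 commercial features.

# classify_jdk BANNER -> prints oracle-jdk | openjdk | unknown
classify_jdk() {
  case "$1" in
    *'Java(TM) SE Runtime Environment'*) echo "oracle-jdk" ;;
    *'OpenJDK Runtime Environment'*)     echo "openjdk" ;;
    *)                                   echo "unknown" ;;
  esac
}

# uses_commercial_flag CMDLINE -> exit status 0 if the flag is an argument.
# The command line is padded with spaces so the flag matches first or last.
uses_commercial_flag() {
  case " $1 " in
    *' -XX:+UnlockCommercialFeatures '*) return 0 ;;
    *)                                   return 1 ;;
  esac
}

# audit_jvm BANNER CMDLINE -> prints a one-line verdict for a compliance report
audit_jvm() {
  vendor=$(classify_jdk "$1")
  if uses_commercial_flag "$2"; then
    echo "$vendor review: commercial features unlocked"
  elif [ "$vendor" = "oracle-jdk" ]; then
    echo "$vendor review: Oracle JDK build in use"
  elif [ "$vendor" = "openjdk" ]; then
    echo "$vendor ok"
  else
    echo "$vendor review: unrecognised banner"
  fi
}

# Constructed sample banners, modelled on `java -version 2>&1` output.
ORACLE_BANNER='java version "11.0.1" 2018-10-16 LTS
Java(TM) SE Runtime Environment 18.9 (build 11.0.1+13-LTS)
Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11.0.1+13-LTS, mixed mode)'
OPENJDK_BANNER='openjdk version "11.0.1" 2018-10-16
OpenJDK Runtime Environment 18.9 (build 11.0.1+13)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.1+13, mixed mode)'
JAVA8_BANNER='java version "1.8.0_181"
Java(TM) SE Runtime Environment (build 1.8.0_181-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.181-b13, mixed mode)'

# Constructed launch commands paired with the banners above.
audit_jvm "$ORACLE_BANNER"  "java -jar app.jar"
audit_jvm "$OPENJDK_BANNER" "java -jar app.jar"
audit_jvm "$JAVA8_BANNER"   "java -XX:+UnlockCommercialFeatures -XX:+FlightRecorder -jar app.jar"

# On a real host, audit whatever `java` resolves to on the PATH.
if command -v java >/dev/null 2>&1; then
  audit_jvm "$(java -version 2>&1)" ""
fi
```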

~~~
raquo
The difference is that OpenJDK N will stop receiving security fixes the moment
OpenJDK (N+1) is released. LTS releases are only LTS for Oracle JDK.

So no, OpenJDK by itself is not suitable for production use. To put a Java app
in production securely you now need to either pay Oracle or find someone to
provide security fixes to OpenJDK beyond what Oracle provides for free.

~~~
jodastephen
Security patches will be available for Java 11 via Red Hat, IBM and others
(who have promised to do so). And the binaries will be built and made
available here [https://adoptopenjdk.net/](https://adoptopenjdk.net/) as well
as via other OpenJDK build farms (eg. Azul Zulu).

~~~
riku_iki
Is there any path for security updates/LTS for deb based linux distros?..

------
srgseg
I notice that the OpenJDK build is only available as a .tar.gz and not as .rpm

This means that to upgrade from Oracle JDK10 -> Open JDK11, you'll have to
write a script yourself to modify the symlinks e.g. to redirect the existing
"/etc/alternatives/java -> /usr/java/jdk-10.0.x/bin/java" to the new
installation. There are 46 of these symlinks that need changing (for javac,
jstack, etc etc).

I hope that's the only change that is required and that I'm not missing
something. Anyone know if there is anything else necessary?

Edit: here is the script I just wrote to print out the commands required to
change the symlinks:

    
    
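    #!/bin/bash
    # Print (do not run) the ln commands that repoint every /etc/alternatives
    # symlink from the current JDK's bin directory to the new JDK.

    existingJdkBinPath=$(dirname "$(readlink /etc/alternatives/java)")
    newJdkPath="/opt/jdk-11"

    find /etc/alternatives -type l | while IFS= read -r link; do
      target=$(readlink "$link")
      targetPath=$(dirname "$target")
      targetFile=$(basename "$target")

      # Only links that point into the old JDK's bin directory are rewritten.
      if [[ "$targetPath" == "$existingJdkBinPath" ]]; then
        newTarget="$newJdkPath/bin/$targetFile"
        echo ln -snf "$newTarget" "$link"
      fi
    done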

~~~
djsumdog
The OpenJDK build is GPL and should find its way into official package
repositories. Oracle may have stopped creating the rpms for that reason.

Most distros use the IcedTea builds for OpenJDK. Hmm. IcedTea3 is Java8.
There's no Java9 IcedTea4 build yet. I can't find any roadmap info on their
site ...

------
blunte
This is surely no mistake on Oracle's part.

Remember, this is the same company that for years grossly knowingly
overcharged the US government for licenses, resulting in hundreds of millions
later paid in fines.

Their focus is pure bottom line. If that means cheating, so be it. If it means
the equivalent of a bait and switch, sure why not.

It's really a shame that circumstances are what they are now. Sun may have had
warts, but in comparison it was highly admirable.

~~~
jodastephen
Maybe. But they have also provided a $free alternative. This is solely a
battle of getting Java users weaned off Oracle JDK and onto an OpenJDK build.

------
baud147258
Java 11? At work we haven't even started to look at the migration from Java
8...

~~~
dzdt
We just made it TO Java 8.

~~~
nonconvergent
Java 8 is EOL in January for public support/security patches. Java 7 was EOL
in 2015. What have you been doing for 3 years?

I could guess, because I've been at companies doing the same. Active
development and support on the product, but no time for tech debt.

Java 9 and up I understand people getting frustrated with a more frequent LTS
release and these weird microreleases every year.

~~~
snuxoll
Red Hat and AdoptOpenJDK will be supporting OpenJDK 8 for quite some time yet.
Oracle's JDK and JRE will stop getting public support, yes, but OpenJDK 8 will
be alive and well for many years to come.

~~~
nonconvergent
I was not referring to that. I was referring to the matter that they weren't
ready to jump TO JDK 8 when JDK 7 was EOL, nor the next year, nor the next
year after that.

What did they do with security updates when they were available for the
version they were on?

Questions.

Don't get me wrong, they're not the only ones ice skating uphill on this.

------
exabrial
It's really simple: Don't use Oracle's JDK 11 in production. Use one of the
open source distributions. Commercial software really isn't that complicated.

------
paradox_hunter
> You may not: use the Programs for any data processing or any commercial,
> production, or internal business purposes other than developing, testing,
> prototyping, and demonstrating your Application;

From what I understood, I as a student could still use java 11 from Oracle, as
I wouldn't be using it for "production". Is that correct? Or are there other
implications that I am missing here?

~~~
MaxBarraclough
I suspect you're right, but does Oracle JDK really add any appreciable value
over OpenJDK, for a student?

I'd go for OpenJDK simply to form good habits.

~~~
djsumdog
Yea ... and if you do start to build something and decide to release it
commercially, you don't want to run into any weird Oracle/OpenJDK weirdness at
that point .. so best to start with OpenJDK.

------
JoshuaAshton
Oracle seriously needs to be fought in court about this and their other
actions.

They're actively hostile to the whole tech community and their entire business
model is based on trapping people into paying for things by not making their
licenses clear or changing their licenses.

I don't know why anyone would use any software made by Oracle these days, the
alternatives and open implementations of their own systems tend to be faster -
and their "unbreakable Linux kernel" is a joke and a legal disaster waiting to
happen.

~~~
Cthulhu_
> by not making their licenses clear

How is that? The license is pretty clear, as stated in the article:

> You may not: use the Programs for any data processing or any commercial,
> production, or internal business purposes other than developing, testing,
> prototyping, and demonstrating your Application;

If you cannot understand that language you should not download or use the JDK.

~~~
craigsmansion
Of course an Eldritch Horror apologist is going to take Oracle's side. Have
you ever considered being eaten first isn't all it's made out to be?

~~~
AnimalMuppet
I downvoted and flagged you for this comment. Then I caught the GP's user
name, and undid both...

------
bimbam
I believe the article is mistaken. Their License says:

> "Program(s)" refers to Oracle software provided by Oracle pursuant to this
> Agreement and any updates, error corrections, and/or Program Documentation
> provided by Oracle.

Not programs you create using the JDK

~~~
zelos
I thought that too: this just affects companies running JVMs, not companies
that ship Java software, right?

~~~
AnimalMuppet
Well, if you ship Java software, it has to run on a JVM. You often ship the
JVM you want with the software, or else help the customer get the JVM
installed. If you install or help them install Oracle's JVM, you may still
have a problem.

------
foolfoolz
This sounds like total FUD. Sure the terms have changed but oracle has been
open about it and told people to download openjdk. If you are going to run a
commercial business and not pay any attention to the software you depend on
and its licenses then you have another problem.

------
wheresvic1
I'm not sure Java is worth the effort at this point. If I'm going to have to
keep updating every 6 months, I would rather use Go, which seems to have all
that Java has to offer + the backing of a huge corporation.

~~~
Aaargh20318
> I would rather use Go, which seems to have all that Java has to offer

Really? What is the Go equivalent of J2EE? Do Go appservers exist that offer
all the features that something like Payara (Glassfish), JBoss or WebSphere
does?

~~~
ofrzeta
What's the point of J2EE or an application server? You can get functionality
such as templates, management, monitoring, persistence through other means as
well.

~~~
randomsearch
Think the point is that the Java ecosystem is vastly greater than Go. And
ecosystem matters.

~~~
thdespou
That may change in a few years. Currently, a ton of new software is built with
Go.

Kubernetes, Istio, Prometheus, all the Hashicorp stuff, hyperledger, traefik,
kong, you name it.

------
tyler274
as long as openjdk remains open i don't mind

~~~
bitL
OpenJDK used to have some incompatibilities that tended to blow up in
production (rare case "enjoyment") - is it now 100% compatible with original
Oracle SDK? Otherwise companies would be forced to use commercial one in order
not to disrupt their legacy systems.

~~~
bradleyjg
Not 100%. There's still some weird edge cases having to do with the swing and
crypto libraries. But the big performance regressions that we used to see are
gone and with the release of flight recorder in Java 11, the last major
commercial feature is now in openJDK.

------
keymone
interestingly, openjdk is the top link on google for me for "java 11" search.

did google do that?

~~~
kjeetgill
It's been like that for years. OpenJDK had been the site that all development
and JEP news goes through for a long time now.

------
bborud
As many have pointed out, you can argue if this is a trap or not and you can
make the case for both sides. But I think that discussion in itself clearly
begs the question: do you want to deal with a company that makes it easy to
make a potentially immensely expensive mistake?

If anything, Oracle have demonstrated that if they feel you owe them
something, they will take you to court.

I changed what primary programming language I use as a conscious decision that
took years to make. First I had to find a language that was a good replacement
and then I had to make the switch. Both require care.

It was easier than I had thought though. And I'm very happy I did.

Am I sure that my new primary language won't grow these problems? No. But I do
know that I'd do it again if needed. There is no shortage of programming
languages. There is a shortage of programming languages that have a
sufficiently good ecosystem around them though.

~~~
bodono
Which language did you pick?

~~~
bborud
It was down to Rust and Go and I picked Go.

(I mostly write server software, command line utilities and embedded software
(embedded software in C/C++). If I wrote more embedded software on Cortex-M
than server software on AMD64 I think I'd really like to use Rust.)

------
JustSomeNobody
This is going to come off sounding a bit like victim blaming, but seriously,
any business large or small must have a person or people whose responsibility
it is to audit all installed software so that nobody gets into a situation
such as described in the article.

A business can't afford to let devs just install software willy-nilly like.

~~~
crispyambulance
Yet "willy-nilly" installations happen.

It remains to be seen whether they'll "go after" the whales who can actually
afford compliance staff (but screwed up anyway), or after the small-fish
companies that just stood up a web-app to get started, or businesses in
between.

~~~
bloodgain
It's not really the developers installing their own toolchain you have to
worry about here, though. The folks working on the official builds and
deployment should be far more aware of what's happening, because that's what
has to be supported. If you're letting B&D do things willy-nilly, that's a
serious business problem.

I'm aware they're often the same folks (DevOps), but your senior engineer and/or
project manager should be watching what's going out.

------
ofrzeta
What about compatibility? Recently I installed PDFsam on Windows 10 that
required a JRE. I installed OpenJDK but the application didn't start. With
Oracle JRE it did work. I didn't bother to debug the startup problems, though.

------
ronkwan
there is a GPL2 version of jdk11 here, does it make any difference?

[http://jdk.java.net/11](http://jdk.java.net/11)

~~~
crispyambulance

> http://jdk.java.net/11

That's an "OpenJDK" build provided by Oracle.

But it is easy to get mixed up since it doesn't ACTUALLY say "OpenJDK" on that
page.

~~~
chungy
All the links say and point to OpenJDK if you hover over them. It doesn't seem
that obscure.

~~~
crispyambulance
One would expect that the page provided by Oracle from which one could
download OpenJDK would have the word "OpenJDK" in a header in 16+ point font--
and not visible only in link hover text box.

It's just weird.

------
meandmyself0
Question: this implies that Oracle 'knows' that you're using their JDK in
production. Which implies a spy of some sort. Which is barely legal, is it?
unless it's at least duly stated in the licence. Is it so?

------
yogeshlor
How much control does Oracle have over OpenJDK development & support? Can they control
some features which will never be shipped with OpenJDK?

------
bmurray7jhu
Are there any substantive differences between the GPL and proprietary licensed
versions of Java 11?

~~~
mcguire
One requires you to pay money to Oracle?

------
_Codemonkeyism
Currently happy about Azul OpenJDK.

~~~
MaxBarraclough
'Zulu', right? What's their angle?

~~~
ptx
They originally built it for Microsoft to run Java apps on Azure:
[https://www.azul.com/successstories/microsoft/](https://www.azul.com/successstories/microsoft/)

I guess they later figured it could be more generally useful and they could
sell support for it.

~~~
MaxBarraclough
I had no idea Azure used it.

From the article: _They wanted to offer Java on the Microsoft Azure Cloud,
unencumbered by complex licensing or end-user restrictions._

What are Oracle doing that their shiny enterprise offerings just have too much
baggage attached even for Microsoft?

------
sqd
If you're relying your business on something, you'd better read the damn
license.

------
sheeshkebab
It’s unfortunate Java is turning into modern day COBOL.

~~~
Nasrudith
Really I think the best thing for Java at this point is getting it out of
Oracle's greedy clutches. They are debasing the ecosystem of the language as a
whole at this point.

~~~
jcadam
I'd love to see the Java community fork OpenJDK and just leave Oracle behind.
I wonder if the licensing of OpenJDK makes this possible? If so, the only
(albeit huge) problem is getting a critical mass of support behind one
particular effort.

------
Tistel
My hat is off to Larry E. with respect to his business prowess. But. ding ding
ding. alarm bells. Run away. Don't mess with that guy.

The dude owns an island:

[https://en.wikipedia.org/wiki/Lanai](https://en.wikipedia.org/wiki/Lanai)

[https://www.bloomberg.com/news/features/2016-04-13/four-seas...](https://www.bloomberg.com/news/features/2016-04-13/four-seasons-manele-bay-lanai-hawaii)

Stick with free/open source. Vendor lock in is a nightmare. _edited_ for
clarity.

~~~
pimlottc
You should clarify that you are referring to Larry Ellison, the head of
Oracle, and not Stephen Colebourne, author of the article.

~~~
jodastephen
Yes, I definitely don't own an island!

~~~
Tistel
sorry, I was not clear. I am also not knocking owning an island. That's a great
situation to be in. If I am successful enough in life, I will buy one! I
am just saying don't mess with the dude. He tends to win.

