
Oracle's Newest Audit Tactic: Focusing on Java - Garbage
https://www.forbes.com/sites/danwoods/2019/01/31/oracles-newest-audit-tactic-focusing-on-java/#fc0556854960
======
pjmlp
Intel's newest audit tactic, focusing on illegal installations from VTune,
Intel C++, Intel Fortran, ....

Want to use commercial software? Pay accordingly.

Not wanting to pay for it? Plenty of options available.

[https://adoptopenjdk.net/](https://adoptopenjdk.net/)

[https://aws.amazon.com/corretto/](https://aws.amazon.com/corretto/)

[https://www.azul.com/downloads/zulu/](https://www.azul.com/downloads/zulu/)

[https://www.eclipse.org/openj9/](https://www.eclipse.org/openj9/)

[https://developers.redhat.com/products/openjdk/download/](https://developers.redhat.com/products/openjdk/download/)

~~~
tyingq
That's not exactly the same. Oracle is infamous for bait and switch, where
it's free at first. With Java, they first snuck in some extra components that
triggered license requirements, then later, just changed the whole jdk
license.

They are very aware that big companies wouldn't be nimble enough to switch to
openjdk in time to avoid the license fees.

Additionally, they know that companies have 3rd party software that bundles
what was once "free" oracle jdk. The end user gets to foot the bill for that
rather than the 3rd party.

~~~
pron
Old JDKs, bundled or not, require an explicit flag
(`-XX:+UnlockCommercialFeatures`) to enable commercial features.

As to new JDKs, Oracle has open sourced (or discontinued) all previously
commercial features so that now OpenJDK and Oracle JDK are _the same software_:
[https://blogs.oracle.com/java-platform-group/oracle-jdk-rele...](https://blogs.oracle.com/java-platform-group/oracle-jdk-releases-for-java-11-and-later)

Infamous or not, the licensing situation is now clearer and better than ever
before: Oracle offers the same software under a commercial license for those
who wish to buy support, or under a free license to those who don't. The
download pages for either option clearly identify the license, and point the
user to the other option, if that's what they want:

* [https://www.oracle.com/technetwork/java/javase/downloads/ind...](https://www.oracle.com/technetwork/java/javase/downloads/index.html)

* [https://www.oracle.com/technetwork/java/javase/downloads/jdk...](https://www.oracle.com/technetwork/java/javase/downloads/jdk11-downloads-5066655.html)

* [https://openjdk.java.net/projects/jdk/11/](https://openjdk.java.net/projects/jdk/11/)

~~~
tyingq
The companies that were caught up in this are, for the most part, the ones on
Oracle JDK 8, which is substantially different than OpenJDK.

The "UnlockCommercialFeatures" doesn't catch everything either. For example,
Oracle once added a clause about "embedded devices" needing a commercial
license. With a very broad definition of embedded.

This is pretty clearly a cash grab.

Also, if the bits are truly the same as of version 11... what's the point of
making people download a duplicate codebase where the only difference is one
text license file?

~~~
pron
> For example, Oracle once added a clause about "embedded devices" needing a
> commercial license. With a very broad definition of embedded.

No, field-of-use restrictions had applied under Sun, too, as licensing Java to
mobile/embedded devices was Java's income source. Later, various commercial
features were also a source of income. Oracle has now completely opened the
JDK (and there are no field-of-use restrictions for the free license), opened
all commercial features, and has switched to a support model.

Like all companies providing open source runtimes/languages, Oracle, too, must
fund Java somehow (as I explained in another comment
[https://news.ycombinator.com/item?id=19069655](https://news.ycombinator.com/item?id=19069655)).
You're free to think that the funding model now is less preferable to you
personally than the previous ones, but I don't think anyone can claim it is
any more of a "cash grab" than the previous monetization strategies.

I think that if anyone claims that recent changes to Java's licensing and
release models are not for the better, then they are either misled or
misleading.

~~~
tyingq
Ahh, yes, you're right. The clause was there. But Sun, in practice, applied it
to things that most people would call "embedded". Oracle used a broader
definition that included PC hardware in many situations.

Not sure I understand the whole funding argument. Swift, golang, v8,
typescript, etc, seem to be fine as open source.

~~~
pron
Golang, V8 and TypeScript are _tiny_ projects compared to OpenJDK. Oracle
employs _hundreds_ of full-time OpenJDK contributors. Swift is funded through
iOS (just as .NET is funded through Windows and Android through, well,
Android). I don't know if this is true anymore, but the number of people
developing Golang at Google is (or used to be, last I heard) close to the
number of people there modifying OpenJDK for their internal use. V8 is also
funded through Chrome, BTW.

~~~
tyingq
I'm mystified as to why Java is so much bigger than any pure open source
language implementation.

In any case all this jockeying around with the license will certainly reduce
the user base. From talking to my peers at other companies, we're all putting
together our "get off of java" plans now.

~~~
pjmlp
Most of the companies I work with are either Java or .NET shops, moving away
from any of those platforms means rebuilding their business, for some of them,
even the services that they sell, throw out worldwide trainings moving the
whole company into a new stack.

A large majority of corporations aren't that allergic to software licenses,
they have other issues on their top list.

~~~
tyingq
It's not the license by itself. It's the relationship with that vendor.

~~~
pjmlp
On the enterprise space there are much worse vendors than Oracle, still
everyone is buddy with everyone.

------
jarym
Having worked there myself before and leaving in disgust this is definitely
how it goes down.

Further, I always suspected some kind of dodgy dealing at some clients I’d
visit since there’d be an army of their employees who’d be negative about
Oracle but always a single big-wig that managed to be super passionate about
Oracle.

Of course I never found evidence of anything dodgy - just a number of clients
where this was a notable pattern.

~~~
wil421
I’ve worked at BigCorp(s) and seen similar things but from the other side.
Most people absolutely hated Oracle from the director who ran the teams to the
admins and devs.

The only people who liked Oracle were VP and above. They were so short sighted
they signed a deal with Oracle after they drastically cut support costs the
first year. They were so shocked in year 2 when costs went north of 1 million.
Making Oracle much much more expensive than the competitors who also bid.
Everyone knew the competitors were less expensive in the long run and actually
good products.

Not to mention the time they were audited and owed big time due to a
webservice sending changes to our ERP system.

------
dana321
Once Oracle bought Sun Microsystems, I became disinterested in Java all
round. I would rather use a programming language not licensed by a huge
corporation.

The reason they are a huge company is the way they are predatory towards their
customers. Probably why Sun didn't survive as well, it's kind of sad that this
is the way of the world.

~~~
nicoburns
You should give C# a try. It's pretty open these days (bonus: it's a much
nicer language than Java)

~~~
thefounder
Or better use Go! It's 100% open/BSD license.

~~~
j16sdiz
Go is good for system-level tools. But the web-facing / framework-wise is
weak. The dependency hell is not fully fixed yet.

~~~
mustardo
This x1000 If you want to make a little cross platform binary for some utility
sure maybe Go is the right choice, but most of the time people are building a
"Web Application" in which case there are dozens of better languages to use

~~~
thefounder
I found Go a better fit than Java & Python for my web APIs/micro-services. I'm
not sure what web applications are but Go compiles to WASM so it would make it
an even more complete solution once WASM gets DOM access.

------
raesene9
When there are so many software options that don't involve buying from
companies that use these kind of tactics, it's difficult to see how this will
work out for Oracle in the long term.

Sure in the short-term they'll rinse companies for large amounts of money, but
people tend to remember when that's been done to them, and aren't exactly keen
to have it happen again.

Whilst I have no direct experience, a quick search indicates that IBM have
similar practices. I wonder when/if that'll bleed across into Redhat.

~~~
pjmlp
Easy, Oracle bashers keep forgetting that Oracle and IBM pay the majority of
salaries on OpenJDK developers.

Then again, there are plenty of other JVMs available since the 2000's, and
many customers do pay for them.

~~~
raesene9
That's an interesting characterization, that people who don't agree with
Oracle's approach to licensing are "Oracle Bashers"?

Do you feel that the surprise audit approach to license compliance is a good
one?

~~~
pjmlp
Yes, it is quite common in the industry to track down on piracy use, Oracle is
not alone in doing surprise audits.

There are even international organizations that collaborate with national
police on that regard, [https://www.bsa.org/](https://www.bsa.org/)

~~~
raesene9
Indeed it happens, but my question was more given your initial post, do you
think it's a good way to manage licensing?

To me it provokes an adversarial relationship between software vendors and
their customers and is quite likely a factor in the rise of the use of Open
Source software in enterprise.

If the proprietary software industry is to continue to prosper, it seems likely
that annoying their customers with this approach to licensing is not a good
one.

Now you could argue that this will have a knock on effect on Open source as
many devs are employed by software companies, but that won't necessarily stop
it happening.

~~~
pjmlp
The failure of pure open source, moving away from GPL and increase in dual
licensing for enterprise software proves otherwise.

~~~
raesene9
Ah well if we're arguing that kind of point, I'd say that in my line of work
(Security tester) I'm seeing faaar more open source software than I did 10-15
years ago even in traditionally enterprise software friendly environments
(e.g. banks/public sector)

The demise of proprietary unix in favour of Linux is one striking example.

Another is the rise of open source products like Docker and Kubernetes. They
are being heavily deployed in organizations that might once have considered
more proprietary software options instead.

~~~
pjmlp
I mentioned failure of pure open source, the GPL dream, not open source as
such.

~~~
raesene9
I'm not sure I'd agree that GPL compatible licenses have failed.

To take one example Kubernetes, one of the most popular projects around at the
moment is Apache 2 licensed which has been agreed with the FSF is an open
source license. Other popular projects like Tensorflow also use this license.

Likewise very popular projects like Visual Studio code, React Native and
Angular make use of the MIT license which is also GPL compatible.

~~~
pjmlp
None of those licenses are copyleft, a company can pick any of those projects
listed by you, sell a closed source product with their improvements, without
giving even a semicolon back to upstream.

------
karianna
Hi all - I help run [https://adoptopenjdk.net](https://adoptopenjdk.net) - I
genuinely think that the article is spreading some FUD, but I also understand
if folks feel strongly about looking at alternatives then you can read the
full background
[https://medium.com/@javachampions/java-is-still-free-c02aef8...](https://medium.com/@javachampions/java-is-still-free-c02aef8c9e04)
and I'm happy to answer Q's here as well

------
gst
I actually think that is the best long-term approach for all of the parties
involved:

In the past OpenJDK was missing critical features so that companies often used
the commercial closed-source Oracle JDK. At the same time even then Oracle JDK
was somewhat of a trap when it comes to licensing, as it included features not
covered by the free licence that might be accidentally used by developers.

With Java 11 there is finally feature parity: Oracle contributed missing
features to OpenJDK. Features that couldn't be contributed (due to licensing
issues) were removed from the commercial Oracle JDK. So starting with Java 11
those two versions of the JDK are pretty much equal.

With Java 11 there's no reason to use the commercial Oracle JDK. Most of the
companies that used the Oracle JDK before are better served by using one of
the open-source OpenJDK builds: Either Oracle's OpenJDK build (which is only
going to provide support for 6 months after each release), or one of the
third-party builds that most likely are also going to track LTS releases such
as Azul's Zulu or AdoptOpenJDK.

Oracle is very upfront about those changes: When you try to download Java 11+
from Oracle's website there's a huge yellow box with a warning about the
license changes. In addition, that box also links to the GPL-licensed OpenJDK
version.

As a Java developer I'm very happy about that new approach: With the feature
parity between OpenJDK and the commercial release it's finally possible to
develop and run Java applications on a 100% open-source stack, which is
something that was much harder to do with earlier OpenJDK releases.

------
jmartrican
I see articles like this and then see a bunch of comments about not wanting to
use Java because of Oracle. But these articles are somewhat misleading in that
there are free versions of Java out there. I think the authors of said
articles just want to stir the pot. This is old news and not really relevant
with all the free alternatives. Even on our Ubuntu builds, when we install
Java it's the open jdk variant that gets installed by default.

~~~
brown9-2
There’s a response to this in the article - those free versions are only
supported for 6 months.

~~~
IntelMiner
I think what they mean is OpenJRE, versus Oracle JRE

~~~
ethbro
To expand: in the waning days of Sun, they open sourced large parts of the
Java development kit (JDK). This became OpenJDK, and is GPL v2 licensed (with
a linking exception).

Initially, not all code was available under a GPL license.

Separately at the same time, Apache led the Harmony project to produce an open
source implementation of Java SE 5 & 6. This was successful.

As time passed, Sun (and maybe Oracle) open sourced more code into OpenJDK,
leading to supporters switching from Harmony to OpenJDK. Additionally, Sun
made the unfriendly move of licensing the TCK in a way that precluded any
non-OpenJDK release from ever being able to claim Java compatibility. In response,
Apache resigned from the Java board. And as of 2011, the Harmony project was
stopped.

Because of the platform-independent goal of Java, there's a lot of ancillary
"not-Java, but needed" libraries to build and run Java. These were not all
open sourced by Sun / Oracle, but were reimplemented by RedHat under a project
called IcedTea.

So, in summary, you can run OpenJDK/IcedTea and tell Oracle to pound sand.

The primary risk is that Oracle withdraws the things they do still control
from the OpenJDK project, or stops working with the project to coordinate new
releases. But they'd be shooting themselves in the foot if they did.

~~~
j16sdiz
It is more than that.

Many Java-related patent grants require passing the TCK.

~~~
pron
Not if you're using OpenJDK, which is licensed under the GPLv2.

------
engineer_uk
I don't know anyone who buys new software from Oracle. Only a few large
companies are going after Oracle's new services and software, mostly because
of some selfish company executives.

~~~
arethuza
"I don't know anyone who buys new software from Oracle."

I do - I doubt that there are many organisations licensing just the Oracle
database these days - I suspect most of their sales are in the ERP/finance
areas where there are relatively few competitors.

How many competitors are there for Hyperion FM/Planning?

Edit: Note that I'm definitely not defending Oracle, but the market for their
products is quite complex and much wider than a relational database engine.

~~~
toyg
Do I know you? :)

As for competitors to hfm/epm: there are a few (onestream, tagetik, whatever
sap is peddling...). But it doesn’t matter, all this thing about auditing will
go away when every Oracle customer is forced at gunpoint to move to cloud
versions - where they can be squeezed for more money at the touch of a button.
Hfm licenses, for example, are basically not sold anymore unless you get
special blessing from an Oracle VP; it’s FCCS or nothing.

~~~
arethuza
It's been ~4 years since I was involved in that area - I know at that time
Oracle was trying to recruit some of my colleagues for their cloud team. I
don't think anyone took them up on the offer!

I did a lot of integration work with HFM for my previous employer - I was
actually rather proud of the reporting solution we built on top of HFM,
infinitely better than the reporting tools that Oracle provided. I sometimes
wish that we'd productized that and sold it!

------
nova22033
Huh?

> That’s why I think Oracle is sort of hedging its bets with Java audits and
> not going in there as strongly. It’s too soon. Give it five years when you’re
> stuck in Oracle’s ecosystem and Oracle needs money. Then they’ll start
> auditing.

This is burying the lede...

------
thecleaner
Let's assume that as an individual I want to move away from Java for backend
development and currently I use Spring. Is there another ecosystem with a
great IDE, type safety (or just type annotations), limits that allow one to
not shoot yourself in the foot, a good debugger, memory safety and lastly
speed? Python really shines in most of the above except for the speed part.

~~~
djhworld
Why not just use openJDK? Seems a bit drastic to do a full rewrite.

~~~
thecleaner
I agree. I wouldn't consider a full re-write but for further development.

------
theredbox
Oracle wanted to be the apple of enterprise to offer an all in one oracle
package that would be deeply integrated but they failed to assess the market.

It is not about Oracle not having competitive products or services but about
Oracle being stuck with their thinking in the 1991-2008 era.

------
pron
As someone who works at Oracle on the JDK (i.e. OpenJDK), I’d like to point
out a couple of things, as the interviewee was someone who directly benefits
from any fear, uncertainty and doubt regarding Java (but this is not an
official comment, and I speak only for myself):

* Under the old BCL license the Oracle JDK was a mix of free and commercial features. Using the commercial features required explicitly turning them on with the flag `-XX:+UnlockCommercialFeatures`. You could not use them accidentally. Current JDKs no longer contain any commercial features, as explained below.

* Starting with JDK 11, Oracle has completed open sourcing the JDK[1], which no longer contains any commercial features. Rather than a mixed free/commercial license, Oracle now offers _the same_ software under two different licenses, the commercial OTN license, intended for those who wish to buy a support subscription from Oracle, and a free and open-source license, for those who don't[2]. The commercial license download page[3] clearly states the different options:

 _Oracle Customers and ISVs targeting Oracle LTS releases: Oracle JDK is
Oracle's supported Java SE version for customers and for developing, testing,
prototyping or demonstrating your Java applications._

 _End users and developers looking for free JDK versions: Oracle OpenJDK
offers the same features and performance as Oracle JDK under the GPL license_
(with the non-viral "Classpath Exception")

The page also links to the free option. The particular commercial JDK download
page[4] also contains a big bright warning and links to the download page for
the free license.

* That Oracle now only offers six months of free support (as opposed to before) is misleading. For at least the past seven years, Java had a major release every 3 or so years, and "update releases" (containing substantial new features, but no language or API changes) every six months, plus quarterly security and bug fixes[5]. The releases were also not supported for more than six months, and to be up to date on security, one was always required to upgrade to the semi-annual update releases. What changed recently, due to community demand, is how the features are distributed among the releases. _There are no more major Java releases_. The last one (ever) was JDK 9. Starting with JDK 10, the semi-annual releases are _not_ major releases but "feature releases," that are allowed to contain API and language changes, but are small, so that instead of a major upgrade every three years, the upgrade process is more gradual (e.g. compare JDK 9, the last major release, with JDK 11, a feature release[6]). The feature releases are therefore somewhere between a major release and an update release but much closer to the latter. While major releases were supported for a number of years and the feature releases only for six months, the feature releases are by no stretch of the imagination major releases.

* Similarly sized runtimes/languages -- Apple's Swift/iOS, Google's Android and Microsoft's .NET -- are all part of ecosystems entirely or largely under the control of the companies owning the projects, and that generate billions of dollars annually, and so fund the development of the platform. Oracle has no control over the Java ecosystem, and so must fund the development of OpenJDK somehow. This is now done by offering long-term support for some of the feature releases, for companies that don't wish to upgrade to every feature release (in the past the funding came partly through the commercial features, which have now all been open sourced, and the annoying search toolbar that came with the JRE, which is gone now, too).

* Oracle employs hundreds of full-time developers who manage the OpenJDK project and contribute the lion's share of OpenJDK development[7]. While Oracle developers will continue to contribute most of the work, including security updates to current OpenJDK versions, they will not commit to backporting those contributions to old feature releases via OpenJDK's "JDK update" projects. Other companies have said they will do that work, so that there will likely be OpenJDK update releases for some feature releases, probably those that correspond to Oracle's LTS versions. Oracle encourages other members of the OpenJDK community to contribute even more.

[1] [https://blogs.oracle.com/java-platform-group/oracle-jdk-rele...](https://blogs.oracle.com/java-platform-group/oracle-jdk-releases-for-java-11-and-later)

[2] [http://jdk.java.net/](http://jdk.java.net/)

[3] [https://www.oracle.com/technetwork/java/javase/downloads/ind...](https://www.oracle.com/technetwork/java/javase/downloads/index.html)

[4] [https://www.oracle.com/technetwork/java/javase/downloads/jdk...](https://www.oracle.com/technetwork/java/javase/downloads/jdk11-downloads-5066655.html)

[5] [https://java.com/en/download/faq/release_dates.xml](https://java.com/en/download/faq/release_dates.xml)

[6] [https://openjdk.java.net/projects/jdk9/](https://openjdk.java.net/projects/jdk9/) vs. [https://openjdk.java.net/projects/jdk/11/](https://openjdk.java.net/projects/jdk/11/)

[7] [https://blogs.oracle.com/java-platform-group/building-jdk-11...](https://blogs.oracle.com/java-platform-group/building-jdk-11-together)

~~~
jtdev
Wow, so with Java, rather than developing software... I can spend my time
reading through piles of legalese, trying to figure out which incantation of
vague licensing/use language I’m beholden to.

~~~
pron
The JDK is under the same license as Linux, so however closely you pay
attention to the Linux legalese, that's as much attention you need to pay to
Java's.

~~~
jtdev
All JDKs are GPL?

~~~
pron
All JDKs built from the OpenJDK project have the same license as the OpenJDK
project, which is GPLv2 with the Classpath Exception (that means the license
does not infect Java programs running on top of the JDK).

[http://openjdk.java.net/legal/gplv2+ce.html](http://openjdk.java.net/legal/gplv2+ce.html)

(The same JDK is also offered by Oracle under a commercial license for those
who wish to buy a support subscription from Oracle, and other companies
license the code to make their own commercial JDKs, e.g. Azul's Zing).

~~~
jtdev
Sounds...complicated.

------
elygre
But then the four last sentences say that they don't actually audit so much --
but they will, in five years' time!

 _It’s too soon. Give it five years when you’re stuck in Oracle’s ecosystem
and Oracle needs money. Then they’ll start auditing. Right now, there’s so
much buzz going on around Java, they don’t have to audit._

~~~
brown9-2
That’s the trap the author is trying to warn people about falling into.

------
thomasdullien
Perhaps this is a stupid question, and someone please enlighten me - but would
not the vast majority of JVM deployments be on either CentOS or Debian-derived
base images with good support for an OpenJDK package?

I thought that the main differences between OpenJDK and Oracle java was the
nicer font rendering and some Swing-ish stuff, is there a good comparison as
to why people even use the Oracle Java?

------
exabrial
Or... Just run openjdk! Problem solved

------
chris_wot
Thank goodness LibreOffice split from OpenOffice.org. A true blessing in
disguise!

------
suyash
Another biased article by a Java hater who has no clue what he is talking about.
Make Java Great Again!

