Hacker News new | comments | show | ask | jobs | submit login
Oracle’s Java 11 trap (joda.org)
478 points by haimez 50 days ago | hide | past | web | favorite | 236 comments



Is this actually a trap? The "trap" page has a huge warning section that clearly tells you license has substantially changed and how to get open JDK, and what license it has.

> With JDK 11 Oracle has updated the license terms on which we offer the Oracle JDK. The new Oracle Technology Network License Agreement for Oracle Java SE is substantially different from the licenses under which previous versions of the JDK were offered. Please review the new terms carefully before downloading and using this product.

> Oracle also offers this software under the GPL License on jdk.java.net/11

https://www.oracle.com/technetwork/java/javase/downloads/jdk...

This information is either deliberately or accidentally missing in the post. If we assume the author did his research before writing this piece, I can only believe this was done with purpose.


Not everybody reads warnings. Many will go to that page and just go straight to the download. In addition, the warning doesn't say "not for commercial use" - you have to click through and read a long legalese to find it. Oracle could still choose to make it clearer...


Many people are very used to clicking through Oracle's tedious licensing maze to download previous JDKs.


It's just another license to ignore. I'll personally do whatever I want regardless of what is in the EULA.


Oracle is notorious for auditing compliance with their database licenses, and shaking down their users for extra money in the event the auditors find something even slightly questionable. There are external consultants that make a pretty good living just preparing companies to withstand those audits.

They haven't been doing that with JDK licenses, so far -- as long as Java had licenses which didn't allow for this kind of gamesmanship. But now that the license has changed, it's a completely legitimate thing to get worried about.


The moral argument that code should not be restrained by artificial license, like we treat ideas, is a strong one but not made clearly here.

If code was treated more like ideas or recipes we'd all still have jobs.

If you believe that strongly enough, civil disobedience through ignoring licenses is one approach. No one should risk more than they're willing to lose on the position because you will lose if it's costing someone else enough.


It's not an act of civil disobedience. I just flat out give a shit. Also apparently I don't need to.


Not sure where you live or what sort of company you work for but in my country & our company we cannot just have a fuck all attitude towards software licenses.


The USA and I've been doing it for two decades, honestly copyrights and licenses are not important to me. I have taken a fuck all attitude without consequence and will continue to do so forever.


Haha the plethora of GPL violations that exist without consequence sort of illustrate your point quite well.


You think if Oracle's legal team is after your company you get a free get out of license violation card?


Haha, I’m not playing that game because I’m lawsuit averse but I’m not surprised people are successful at it. This JDK includes telemetry so it just got a lot more dangerous to play but otherwise I’d guess license violations are pervasive at small shops.


even at big ones.


Though it "sounds bad", this is a wonderfully practical approach. Why waste a lot of time with this BS?


Because it’s a good way to get yourself sued


Unless you're a very large firm, it's actually not. They'll negotiate with you long before lawyers are involved.


That won't work if your company goes through due diligence or ends up getting a licenses review from Oracle. You'll have to settle up then and it won't be cheap.

The Oracle license police live for situations like this.

p.s., If it's just personal use you are within the terms of the license.


There's no "long legalese."

The new license (https://www.oracle.com/technetwork/java/javase/terms/license...) is very clear. It states in plain English: "Further, You may not: use the Programs for any data processing or any commercial, production, or internal business purposes other than developing, testing, prototyping, and demonstrating your Application;".

How is that not clear?

This entire article is just pure FUD. Oracle has stated over and over and over how the new licensing model works. It's clear to anybody who spends a couple of minutes reading the documentation.


If you want to claim that 2000+ word terms are not legalese then so be it. Suffice it to say, I disagree. What is needed here is a summary in the warning box on the main page. Something like "Do not download this unless you want to pay us".


> How is that not clear?

You'd think it's clear, and yet I've joined projects where software with such terms was included in production builds because "it was downloaded with npm so it's open source."


Huge difference legally between running:

    npm install package
And having a user certify that they read a license agreement. I'll leave it to lawyers to talk about whether a user actually agrees to a license when they run "npm install", but Oracle's site at least requires the user to accept the license agreement by physically clicking a button. And I've worked at a lot of companies that drill into you that you do not click that button without approval from legal.


But you've had approval from legal the last 27 times you downloaded the Oracle JDK.


I get your point, but npm has the same issue even if you didn't accept the license. I mean, if you didn't accept the license that it comes with, then what license gives you a right to use it at all?


IMO, there's an argument that you implicitly license others in making your code available in a package manager such as NPM which requires no authentication or license clickthrough to incorporate code in your project, unlike the .net or other PMs where license terms are presented and require click-through agreement.

Not saying anyone should stake any bets on that argument winning, just that it wouldn't likely be summarily dismissed in court and would at the very least factor into the damages calculation.

Will be interesting to see if any cases like this ever get adjudicated and precedent set.


What implicit license, though? GPL? BSD? Something else? I feel like developers have a tendency to gloss over these things as if all FOSS licenses are the same, but they really aren't.


What's unclear to me is how I would be running afoul of the licensing terms if I used the non-free version of the JDK to develop Java software. Because "developing, testing, prototyping, and demonstrating [my] Application" is exactly what I'd be using the JDK for.


Not a lawyer, but my assumption is that the clause state you can develop an application, but cannot run it in production/sell it.


Easy loophole, infinite open beta, continuous integration, rolling release. At which point, with which release would it turn from beta to commercial full gold master? Slippery Slope that. A better wording would be "if you make money, we want a cut, or you get a cut, got it?"


Not a lawyer either, but the license says that the "Programs" (meaning the JDK) may only be used for these purposes. Once I write my application, it will be running on the JRE, not the JDK.


Iirc there is no jre in 11, just jdk, also Oracle is not dumb they likely have a clause covering your "loophole". Finally why would you develop on Oracle jdk and run on open. Seems like an easy way to get bugs.


Ah. I wasn't aware there was no separate JRE.


The majority of people don't download the JDK via this method (eg. a package manager) and will miss that big box about a license change.

Edit: Plus even if they aren't you still have the general mindset of "next next install close" where people are so normalized to getting something like that, to test or deploy it would be very easy to miss - given the license of the previous versions it would be an expectation that you would also be able to use the next version for commercial use also.

Although Oracle are perfectly within their rights to change the license, that doesn't mean it's not a dick move and a scummy thing to do.


Anyone installing JDK via a package manager would be installing the GPL version.


Absolutely not. We are installing via a package manager the Oracle issued RPM for example. I would have missed the licensing story if Joda was not writing an article about it.


How is that possible? Are you going to the Oracle download page and downloading the RPMs? Are you specifically adding a repository that includes Oracle software?

There are certainly no default repositories that include this code. The whole point (and it's been this way for years) is that you can't download the Oracle jdk without clicking through a license.


New JRE/JDK gets released -> somebody from our company goes and downloads the RPM after accepting the license -> she uploads the RPM into our internal repository -> somebody from another department changes the build scripts to use the new JRE/JDK -> few minutes later we are running the dev clusters with the new JRE/JDK.

In this process the person who downloads the new RPM (aka me) has to be 100% sure that the new JDK is ok to be used. Which I completely missed (my bad) I was wondering about the GPL stuff a bit but I was thinking that Oracle came to their senses and started to distribute the JRE/JDK under a license that is better than the previous one. Again, my bad that I paid attention more to the performance improvements, modules, ZGC etc. than to the license changes. This is why I was surprised when I saw the article from Joda (his real name is Stephen?) and also upvoted, sent around to all my Java peers to be aware that this is absolutely, 100%, pure fuckery that Orcle just dumped on us.


Sounds like your company needs a better processes on how proprietary code is distributed internally. Most companies have a review process for thins like this.

The download page [1] has a large bold warning that the license terms have changed. What else would you like them to do?

[1] - https://www.oracle.com/technetwork/java/javase/downloads/jdk...


Hmmm. At most you're mad because the bright yellow warning box that tells you specifically to re-read the license because it changed is not clear enough for you, even though apparently being sure about exactly that is your job.

I'm not sure you can blame Oracle for this. They could I guess give you a tl;dr summary in the box. But, how long would it take you to study the new situation? A few minutes?


I am not mad. I am thankful. And yes I am a ignorant engineer who cares more about features than legal crap. The only thing I am 100% sure is that I am not alone.


If you don't care about all aspects of your software, including security, ethics, and legality, you are not an engineer. Engineering implies professionalism.

It's debatable whether there are any true software engineers (we're certainly not licensed like traditional engineers), but all software professionals should be concerned about licenses. It's part of the job, as are all ethical considerations of your work.


It's fairly common to automate that stuff away, and not just for Oracle.

For example, if agreeing to TOS was neccessary, Let's Encrypt could no longer be "totally automated". Therefore certbot has an "--agree-tos" option, present in oh so many ansible repositories.


How do you automate that? You need some kind of cookie to download JDK and you're getting it by clicking a button. The only way to automate it is to simulate "agree" click.


I'm not saying I'd write an "I Agree" bot, but I've certainly written scrapers of comparable or greater complexity, and I'd be quite surprised if there was nobody that did this.

If you haven't written a bot, but you habitually download the JRE/JDK from Oracle's website, accepting the license manually each time, is there really a difference? How many people are rereading the license each time they do this? I would guess the number of people that do this is roughly a rounding error above 0.


Writing an "I Agree" bot without checking out what the license was...


Entering a contract without checking out who the customer was ...


Curl lets you keep a cookie jar around, for example, so yes, it's pretty simple. It's also a terrible idea, but doesn't seem to stop people.


You'd have to update the URL anyway because the v8 JDK hasn't changed, from what I remember. So those scripts wouldn't be affected.


The new Java has telemetry. Oracle will be coming for you. One of the reasons we don't run it is so we don't send them telemetry from prod... Nor so that we have a risk of the telemetry send breaking prod.


They won't be coming for you. What prevents you from blocking outgoing telemetry?


It's not just telemetry.

It's also social media.

Online surveys.

Everybody and your servers needs to keep mum about it or otherwise you'll get a call.

You think I'm making this up? I've worked at two places where we were in contact with Oracle police because they thought we used (more of) their software.


These are likely biz dev / sales reps trying to drum up extra business, not lawyers. Calls and emails are easily ignored. I do it every day.

You ignore it, they move on to the next sucker. The people responding are the ones they'll work with.


I think license changes are common enough that the reaction to such a thing is often "yeah, whatever." Most of the time, these sorts of things are not actually that substantial


So they're turning a well known product that was free for decades into an expensive enterprise offering. And you're saying that calling it a "substantially different" license is a warning?

In my book this is not a warning at all. This is clearly an attempt to mislead without breaking any laws.


> Download Oracle JDK (because that is what you've always done, and it is what the web-search tells you)

What I've always done is install OpenJDK from the system's package manager :P


And that's good that package managers ship only openjdk. When I migrated to Linux I didn't know better but as "openjdk" was easier to install than Oracle JDK I used "openjdk". It turns out it works very well, actually I can't tell the difference.


OpenJDK is the reference implementation now so if you did find a functional difference, Oracle is in error.


Good to hear that!

Just in case someone is interested in references Wikipedia has them near the text:

> OpenJDK is the official reference implementation of Java SE since version 7.

Source: https://en.wikipedia.org/wiki/OpenJDK


I honestly don't know why anyone would keep using Oracle's version of the JDK over the OpenJDK, other than them just being used to it.


I work with many Linux Minecraft players and we recommend using Oracle Java if OpenJDK refuses to play nice with the proprietary drivers.


Huh. I've used OpenJDK since the very early days of Minecraft, never had an issue.


Because you are stuck to use Oracle Java 8?


Unfortunately, many people add a repository with Oracle JDK to their package managers and install the JDK from there, due to some perceived better compatibility and/or extra bug fixes. (And in my experience, this is true for the Java plugin; the "official" plugin seems to work better than the IcedTea plugin.)


Confluence is an example of a piece of software that wouldn't run correctly at all under OpenJDK.

Even today on the Atlasian docs, they provide a Docker image of Confluence to evaluate, but if you buy a production license, you are required to build an OracleJRE Docker container (they provide instructions) for production.

It's been years and they still can't support OpenJDK ... it makes me wonder what weird proprietary crazy reflection shit they're doing in there.


Last time I tried to run Jira with OpenJDK, I stumbled upon some encryption algorithm not supported in OpenJDK. I didn't research further. But that was a long time ago, nowadays I bet that OpenJDK will work just as well.


The encryption algos are not supported with Oracle java either. The stronger algos have a separate licence and needs to be downloaded manually for either java sdk


I ran Jira with OpenJDK 8 on FreeBSD, everything worked fine.


On ARM openjdk has a lot of issues while oracle jdk/jre runs smoothly. Many apps will just crash under openjdk and if they run are much slower also on intel. It should be easy to benchmark this.

It is a reason why we moved to .net core entirely. I have nothing running Java anymore. Shame as I liked Clojure somewhat.


A few years ago, Minecraft simply wouldn't run nearly as good on OpenJRE, not even the server - it was several times slower. Not sure how it is today since I've stopped playing around 5 years ago.


JavaFX is difficult to use under OpenJDK. I think it has become a library on Java 11, so at least that's a step in the right direction.


Yes, it has its own website now.

https://openjfx.io/


I've seen issues with really minor difference in OpenJDK and Sun JDK, that forced people to stick with Sun JDK (like some library somewhere doesn't properly work with OpenJDK).


An interesting thing about AdoptOpenJDK is that it seems they may provide builds with DCEVM + HotswapAgent integrated, in the future [0]! And maybe become a very good and easy to use alternative to the way too expensive JRebel.

[0] https://github.com/HotswapProjects/HotswapAgent/issues/218#i...


That's great news! Properly working code reloading would improve the development experience enormously.

Why wouldn't it be integrated directly in the upstream OpenJDK source, though? It sounds like it would be a separate patched build that I'd have to download, and wouldn't be available if I just "apt-get install openjdk-11-jdk" in Debian?


This is not new, and as per: https://www.oracle.com/technetwork/java/javase/terms/license... it was put in place in 2017 already. Seeing that the "LICENSE" of Java 8 simply points to their website, it means that they effectively changed it for Java 8 as well.

So that means that even if you're running Java, you have three options: (1) Continue using it illegally, it will probably be a low risk. This is not advisable especially for larger corporates. (2) Purchase JDK license (3) Switch to OpenJDK


The situation is confusing but not that confusing.

Java 8 has commercial features that are locked by default. You can unlock them by passing a command line flag that looks like -XX:+UnlockCommercialFeatures, so pretty hard to miss.

If you use those in production, you're meant to pay. But virtually nobody does use them. In fact Oracle open sourced them all for Java 11, perhaps because of that fact.

Now in Java 11 there are two JDKs, that are virtually identical. OpenJDK and Oracle JDK. The latter is the same as the former but commercially supported. If you use it in production at all, you're meant to pay. But the only reason to do that is you want commercial support, from what I understand. There are no longer any special features. If you can support yourself (like most can) you just switch to OpenJDK as part of your Java 11 upgrade.

They have not changed the license for Java 8 users "on the fly", I'm not even sure that's legally possible.


The difference is that OpenJDK N will stop receiving security fixes the moment OpenJDK (N+1) is released. LTS releases are only LTS for Oracle JDK.

So no, OpenJDK by itself is not suitable for production use. To put a Java app in production securely you now need to either pay Oracle or find someone to provide security fixes to OpenJDK beyond what Oracle provides for free.


Security patches will be available for Java 11 via Red Hat, IBM and others (who have promised to do so). And the binaries will be built and made available here https://adoptopenjdk.net/ as well as via other OpenJDK build farms (eg. Azul Zulu).


Is there any path for security updates/LTS for deb based linux distros?..


Pardon me but AFAIK all JDKs are backwards-compatible. Unless you're doing some weird sh*t which exploits JRE bugs (oh, sorry.. features). But that just makes you a bad dev as you tie yourself to the implementation rather than specification. The _unsafe_ part being removed is not bckw_compat, I give you that. But if you're tied to this hole you're doomed to become legacy code maintainer as it's not coming back.

Just upgrade to OpenJDK_v(N+1) whenever it's out. Get rid of Karaf, Liferay or whatever is holding you back. Don't become a legacy app developer.


Thanks for clarifying. I went back to the BCL and it is indeed correct that the commercial features are listed under the supplemental license terms. Excerpt:

THE LICENSE SET FORTH IN THIS SECTION 2 DOES NOT EXTEND TO THE COMMERCIAL FEATURES. YOUR RIGHTS AND OBLIGATIONS RELATED TO THE COMMERCIAL FEATURES ARE AS SET FORTH IN THE SUPPLEMENTAL TERMS ALONG WITH ADDITIONAL LICENSES FOR DEVELOPERS AND PUBLISHERS.


How is this possible? I have an app that runs in the JVM which is also bundled with a JRE in some platforms. Does this mean that I cannot freely distribute it anymore?


Where I work we hit this 4 years ago, the basic outcome was that we could not use the JRE for anything without getting license.


I notice that the OpenJDK build is only available as a .tar.gz and not as .rpm

This means that to upgrade from Oracle JDK10 -> Open JDK11, you'll have to write a script yourself to modify the symlinks e.g. to redirect the existing "/etc/alternatives/java -> /usr/java/jdk-10.0.x/bin/java" to the new installation. There are 46 of these symlinks that need changing (for javac, jstack, etc etc).

I hope that's the only change that is required and that I'm not missing something. Anyone know if there is anything else necessary?

Edit: here is the script I just wrote to print out the commands required to change the symlinks:

  #!/bin/bash

  existingJdkBinPath=$(dirname `readlink /etc/alternatives/java`)
  newJdkPath="/opt/jdk-11"

  find /etc/alternatives -type l | while read link; do
    target=$(readlink "$link")
    targetPath=$(dirname $target)
    targetFile=$(basename $target)

    if [[ $targetPath = $existingJdkBinPath ]]; then
      newTarget="$newJdkPath/bin/$targetFile"
      echo ln -snf "$newTarget" "$link"
    fi
  done


The OpenJDK build is GPL and should find its way into official package repositories. Oracle may have stopped creating the rpms for that reason.

Most distros use the IceTea builds for OpenJDK. Hmm . IceTea3 is Java8. There's no Java9 IceTea4 build yet. I can't find any roadmap info on their site ...


This is surely no mistake on Oracle's part.

Remember, this is the same company that for years grossly knowingly overcharged the US government for licenses, resulting in hundreds of millions later paid in fines.

Their focus is pure bottom line. If that means cheating, so be it. If it means the equivalent of a bait and switch, sure why not.

It's really a shame that circumstances are what they are now. Sun may have had warts, but in comparison it was highly admirable.


Maybe. But they have also provided a $free alternative. This is solely a battle of getting Java users weened off Oracle JDK and onto an OpenJDK build.


Java 11? At work we haven't even started to look at the migration from Java 8...


As odd as it sounds given how things used to work, in the new model you are generally expected to go from 8 to 11. So you're not especially behind. That said, this transition will be rougher than most because of modules.


Yes, a collegue and I have both taken a look to the situation when version 9 was released and it's going to take some work to do the migration. But as it is I don't if we're going to 9 or directly to 11, but I think it's on the roadmap of the next version.


They switched to a different release model with major releases more often, but not all of those releases are LTS. Java 11 if the first LTS release since Java 8.


We just made it TO Java 8.


Java 8 is EOL in January for public support/security patches. Java 7 was EOL in 2015. What have you been doing for 3 years?

I could guess, because I've been at companies doing the same. Active development and support on the product, but no time for tech debt.

Java 9 and up I understand people getting frustrated with a more frequent LTS release and these weird microreleases every year.


Red Hat and AdoptOpenJDK will be supporting OpenJDK 8 for quite some time yet. Oracle's JDK and JRE will stop getting public support, yes, but OpenJDK 8 will be alive and well for many years to come.


I was not referring to that. I was referring to the matter that they weren't ready to jump TO JDK 8 when JDK 7 was EOL, nor the next year, nor the next year after that.

What did they do with security updates when they were available for the version they were on?

Questions.

Don't get me wrong, they're not the only ones ice skating uphill on this.


Sometimes it's your clients that are painfully slow to update. I know a client that (a few years ago), after a lot of issues and wasted time, we discovered that they had a Sun JVM 1.5 with some bug on String.length ! And the worse thing is that they not like the idea of update to Java 1.7


There are still plenty of systems out there on Java 7, usually due to external dependencies.


Our only java webapp is running on Java 6 or 7, JBoss EAP 6.1. Maintenance mode, no money to upgrade.


The hell? You should just be able to take your code and compile and run it on Java 8. There aren't any major comparability breaks. Just try switching JVMs and run all your unit/integration tests (you do have tests right?)

Java 9 is the one that breaks nearly everything. We attempted Java 9 at our last shop and almost every dependency we used had some exception from a removed deprecated function down there in the stack.


We're already on java 8, the migration was done before I arrived, so I don't know how it went. But we've already taken a look at the java 9 migration and there's a lot of thing to fix. And we'll also have to remove the last java applets from the website...


Java8 changes the order hash maps return keys in. Those were never supposed to be stable, but because they were in practice, you're app may think they are.


You won't be for a long time either because the introduction of modules and the removal of the Unsafe class broke a lot of frameworks apparently.


Unsafe wasn't removed, just a few methods on it.


We are migrating from Java 8 to Typescript. Yeah a rewrite.


What does your product do that you consider Typescript as a replacement for Java?


It's really simple: Don't use Oracle's JDK 11 in production. Use one of the open source distributions. Commercial software really isn't that complicated.


Oracle seriously needs to be fought in court about this and their other actions.

They're actively hostile to the whole tech community and their entire business model is based on trapping people into paying for things by not making their licenses clear or changing their licenses.

I don't know why anyone would use any software made by Oracle these days, the alternatives and open implementations of their own systems tend to be faster - and their "unbreakable Linux kernel" is a joke and a legal disaster waiting to happen.


> by not making their licenses clear

How is that? The license is pretty clear, as stated in the article:

> You may not: use the Programs for any data processing or any commercial, production, or internal business purposes other than developing, testing, prototyping, and demonstrating your Application;

If you cannot understand that language you should not download or use the JDK.


Of course an Eldritch Horror apologist is going to take Oracle's side. Have you ever considered being eaten first isn't all it's made out to be?


I downvoted and flagged you for this comment. Then I caught the GP's user name, and undid both...


When they reference "programs" does this apply to the JRE (i.e., the java binary as well) as well? Is this a JDK license or a JRE license issue?


You missed the rest of the quote.

> or changing their licenses.

It was never clear they were going to change their license after years of making it $free to something not $free.


They have been communicating the changes in how OpenJDK and Oracle JDK work for a year now, through many public talks, announcements, blog posts and so on.

Moreover the changes are good for the community. OpenJDK is now the reference implementation and equivalent to the old Oracle JDK in every way. The only reason to use the Oracle JDK now is to get commercial support from Oracle.

Calling this a "trap" is dumb. Not only did Oracle change the licenses to be better for end users, they are highlighting the changes in a big yellow box and the license is written clearly. OpenJDK is regular GPL + an exception so you don't have to GPL your own apps.

To repeat, Java is getting more free not less.


"Testing" is pretty vague. I'm testing in production.

(Actually, I'm sticking with JDK 8 for now.)


> Oracle seriously needs to be fought in court about this and their other actions.

The problem is, to win in court (not just go to court), you need actual grounds. What would be the grounds for suing Oracle in court?

For hiding the terms of the license? They didn't; the new terms have been as plain as any terms are in software licenses.

For changing the terms of the license? But Oracle was never obligated to supply new software on the old terms (unless the old license or some other contract obligated them to, but I don't think that's the case).

For changing the license terms on Java 8? But they had no obligation to continue to supply Java 8 under the old terms. (If you have an old copy of Java 8, the old license continues to apply, unless the old license specifies that Oracle gets to change it. Even if the old license does say that, it's not grounds for a lawsuit.)

So, specifically, on what grounds could you realistically sue Oracle?

Note well: I'm not an apologist for Oracle's behavior. I just don't think there's actual grounds for a lawsuit here.


> Oracle seriously needs to be fought in court about this and their other actions.

The problem is that very few companies have the desire or resources to do this. The community certainly doesn't have the resources. We'd need tens of millions of dollars of legal resources to fight their terrible behaviour.


As if Sun made everything available for free before.

Or any other major player in the Java space like IBM.


We don't need legal resources

Customers' wallets will decide their faith


>You may not: use the Programs for any data processing or any commercial, production, or internal business purposes other than developing, testing, prototyping, and demonstrating your Application;

From what I understood, I as a student could still use java 11 from Oracle, as I wouldn't be using it for "production". Is that correct? Or are there other implications that I am missing here?


Yes, that is correct. This trap is for hobbyist and professional developers whose typical workflow involves downloading Oracle's JRE to deploy their app, probably not noticing the new trap clause deep within the license agreement.

My professional advice to a newcomer to the industry: stay away from Oracle. It is a blight on the software industry. Oracle is a monopolistic anti-consumer patent troll that treats its employees like shit and whose only business ethic is "make money by any means available".


Seconded. I only wish it was easier to convince management that the cost of switching from Oracle products is worth it.

Vendor lock in is a real bitch.


I suspect you're right, but does Oracle JDK really add any appreciable value over OpenJDK, for a student?

I'd go for OpenJDK simply to form good habits.


Yea ... and if you do start to build something and decide to release it commercially, you don't want to run into any weird Oracle/OpenJDK weirdness at that point .. so best to start with OpenJDK.


Nothing really, I was just curious about that.


I believe the article is mistaken. Their License says:

>"Program(s)" refers to Oracle software provided by Oracle pursuant to this Agreement and any updates, error corrections, and/or Program Documentation provided by Oracle.

Not programs you create using the JDK


"Further, You may not:

- use the Programs for any data processing or any commercial, production, or internal business purposes other than developing, testing, prototyping, and demonstrating your Application;"

To me this reads as, "you can use javac.exe and java.exe in development, but you can't use java.exe in production."

This is a huge change that I probably would not have noticed.


I thought that too: this just affects companies running JVMs, not companies that ship Java software, right?


Well, if you ship Java software, it has to run on a JVM. You often ship the JVM you want with the software, or else help the customer get the JVM installed. If you install or help them install Oracle's JVM, you may still have a problem.


So, when one reads unclear language from the part of Oracle, one does not interpret it in the most antagonistic way possible?

Has Oracle been restructured recently, or are you expecting me to ignore the entire company's history?


This sounds like total FUD. Sure the terms have changed but oracle has been open about it and told people to download openjdk. If you are going to run a commercial business and not pay any attention to the software you depend on and it’s licenses then you have another problem.


I'm not sure Java is worth the effort at this point. If I'm going to have to keep updating every 6 months, I would rather use Go, which seems to have all that Java has to offer + the backing of a huge corporation.


Right, what is the equivalent of the following in Go?

import org.apache.hadoop.*;

import org.rapidoid.net.Server;

In case you are wondering people not only using languages for language features but also for the quality/quantity of libraries available in those languages. This is why is very hard to bootstrap a new language. Java has a ton of great libraries that are essential to big data and high performance backend services that you do not have in Go. I could mention tooling as well but we can skip it for now, the aforementioned library situation is enough to not to consider go already. Btw. the new OpenJDK releases are just fine for running Java and many companies use it extensively already (like AWS EMR for example) to run production code.


  import (
  	"net/http"
  	"github.com/labstack/echo"
  )
For Hadoop I guess it depends on what you want to do. For instance there are modules for HDFS but also several module by Hortonworks: https://de.hortonworks.com/blog/go-hadoop-err-hadoop-and-go/


But you still need jre/jdk to serve HDFS ;) Also, there are tons of other missing products like ElasticSearch, Kafka, Spark...


Sure, but fight the battles you can win. The database I use wasn't written in C. That doesn't mean I have to write applications in C.


*was written in C


Yeah, I don't doubt that there are many more Java libs. But for most uses cases today there are Golang libs as well. There's a Kafka client by Confluent, Elasticsearch client etc.


We used the same argument a decade ago with Perl, look where that got us.

Java in 2018 is Perl in 2008, roughly.


Actually I never used this argument for Perl. Perl was not really used for things like big data or high performance backend applications. You can use this reasoning for C++ or C# on the other hand and it stands. Many "big data" things re in C++ and a lot of high performance projects out there.

If you want to compare nifty scripting languages than you can compare Perl with Ruby or Python. In 2008 I was happily using Ruby for most of things we used to do in Perl, a bit slower yes, but who cared and it was much more readable.


> If you want to compare nifty scripting languages than you can compare Perl with Ruby or Python.

Perhaps even compare with Perl 6 :-)


How is that any different than updating a Go app? If a security issue arises in an older version of Go, it doesn’t magically fix in your app until you recompile it.

Java also has a multi decade history of remaining backwards compatible across major version upgrades. Barring known exceptions for things explicitly being removed, I don’t see that changing.


>Java also has a multi decade history of remaining backwards compatible across major version upgrades.

And Google has a history of starting and scrapping products without much attention to the remaining userbase. I'm not saying Go is one of these.


Then what are you saying?


That Go may or may not be a trustworthy foundation to build on for the future you can't say it yet, but Google isn't very trustworthy on this front, while for Java oracle has been very boring but stable.


Having an statically linked a.out which depends only on ABI is such a bliss.


Having a self-contained single JAR that doesn't even depend on the host's ABI or OS and requires exactly one system dep - a JVM - is even nicer. And if you do want a statically linked self-contained ABI-OS specific binary Java give you that too now.


Personally, I wish Swift had a larger server-side ecosystem around it. I love the language, and some of the new web app frameworks (Vapor, Perfect, Kitura, etc.) are really great. However, there just aren't as many open-source, third-party libraries as there are for Java. To me, that's really Java's strength. There are libraries or clients for EVERYTHING.


I like Swift, too, and if it's a rap battle between Swift and Java, I think Swift has to emphasize C interop, and more recently (or perhaps "soonly"?) Python interop.

But regardless, we're gonna have to give it a few years to get a Swift ecosystem even trying to get on the mic in the same venues as Java/JDK.


I don't think this is gonna happen. There's no huge momentum behind Swift on the server. And when IBM is losing interest it will be reduced by 50 percent. Apple doesn't seem to be too much interested in Swift on a server (apart from releasing SwiftNIO, that's about it). When you take a look at the commit stats of Vapor on GitHub you will notice that there's not much going on either.


Java has 2 release cycles. A yearly release with all the latest and greatest available without waiting but whose support stops right after the next release is out. Java 9 went out of support when 10 was released and 10 went out of support when 11 was released.

Then there is still the regular one, release that get support for a very long time. That LTS releases and Java 11 is the first LTS release since Java 8. Java 8 will still be supported for a while even though Java 11 is out, giving you years to update.

So basically if you like how it worked before, in the days of Java 1.4, 5, 6, ... you just need to only look at LTS releases.


We use both at work and they really are two different beasts.

Especially if you use Java for desktop applications rather than server-side. And Generics was not part of Go's plan for a long time.

I enjoy both but would not say Go offers all that Java has or vice versa


> I would rather use Go, which seems to have all that Java has to offer

Really ? What is the Go equivalent of J2EE ? Do Go appservers exist that offer all the features that something like Payara (Glassfish), JBoss or WebSphere does ?


What's the point of J2EE or an application server? You can get functionality such as templates, management, monitoring, persistence through other means as well.


Think the point is that the Java ecosystem is vastly greater than Go. And ecosystem mattes.


That may change in a few years. Currently, a ton of new software is built with Go.

Kubernetes, Istio, Prometheus, All the Hashicorp stuff, hyperledger, traefik , kong you name it.


For Go, what are those means? (I'm just starting with Go so it would be useful to see how we get all that stuff)


Go templates come with the standard library, an ORM could be GORM, for monitoring you can get metrics of the runtime through the package of the same name also in the standard library or on an application level use the Prometheus client API to make your application talk to the Prometheus monitoring system.


I think the premise of JEE is that you label your class by @SessionBean annotation, and everything is installed automatically for that class: RPC, load balancing, security, monitoring, and you don't need to shop for individual components and find the way how to glue them together. How this premise is implemented is another story. I am not sure about quality because didn't use jee for last 10 years, but when I was using it, IBM stack was far ahead of everything on the market, and was like your private PaaS with cloud functions, but with high license fees of course.


That sounds good. I wonder how it is implemented, though. I read through the WildFly feature list and there are several features you mention, such as clustering or failover. I wonder how you get to bridge the gap from the application to the underlying infrastructure, though.

EDIT: I see from the docs http://docs.wildfly.org/14/High_Availability_Guide.html that you need to configure an Infinispan cluster, what looks like a non-trivial operation.


Paraya uses HazelCast for clustering by default. IIRC all it needs is for the servers to be in the same network.


> What is the Go equivalent of J2EE ?

I consider not having a suffocating bureaucratic "framework" that can be replaced by simpler and more straightforward constructs most of the time a feature and not a bug

But those that grow up under a bureaucracy tend to miss it


The parent said Go has all that Java has to offer. I would be surprised if the standard library was in the same magnitude of size.


Yes, exactly. Having used Java and many other languages for years Java's strongest point is tooling - there are high quality tools for any aspect of software lifecycle. A lot of them available for free.

Of course new languages are quickly getting more and more tools but sometimes I feel that they are just reinventing the wheel (sometimes squared). For example: it's easy to host a mirror Maven repository, the file structure is very simple, even with per-project setting. It's not that straightforward with npm or cargo, they push you into centralized model with paid private repositories (npm).


> I consider not having a suffocating bureaucratic "framework" that can be replaced by simpler and more straightforward constructs most of the time a feature and not a bug

All those 'simpler and more straightforward' constructs cost a lot of extra time and effort, there's a lot of reinventing the wheel going on. Can you do something similar to just adding a field annotated with @PersistenceContext or @Resource and having a database connection injected ? Does it also allow for complete decoupling between the configuration of that datasource and the application itself ? Can it resize the database connection pools live, and then push that config change to an entire cluster, without writing a single line of extra code ?


What is the Go equivalent of J2EE?


This Chinese character means "nothing, not at all" for you people who do not speak Chinese.


You seem to confuse the language Java and the JVM. Updating the JVM (which you are not forced to do) does not mean that you need to update your code base. That's actually Java's main strength (and weakness), it is compatible all the way to version 1.0


Aha, you are correct - this is only JVM related.

In theory, the changes should really be minimal but to be sure we would need to have a very strong CI and stress testing platform to be sure about upgrading.

All good projects should have this in place anyways.


go ahead and try building a sufficiently large project written in java 6 on the java 9 jdk and tell me how backward compatible it is. Go ahead, I'll wait.


Maybe you can point us towards which parts would break compatibility. Go ahead, I'll wait.


The applet library.

Back in college, I created a small desktop app that played a WAV file when any key was pressed, but could be closed silently with the mouse. (Its purpose, along with a recording of me screaming, was to train my cats not to sleep on my laptop.) It would have been written in Java 1.4 or maybe 1.3. The applet library was a pretty standard way to open and play an audio file, because it was simple.

Fast forward a few years, I came across the app again and decided to see if it still worked. It didn't work with the existing JRE on my box. So I rebuilt it with a more recent JDK (1.6, I think). It built, but it still didn't work.

See, Java 1.5 AKA "Java 2" had a new memory model, deprecated a lot of things (like applets), and started modernizing heavily. They attempted to maintain backward compatibility, giving us things like the awful erasure-based generics, but it really wasn't fully BC. They really should have just done what Python did with Python 3 and make Java 2.0 non-BC.

This isn't an isolated incident, either. A major project I worked on updated from Java 1.6 to 1.7 and it broke several things. They were fixed pretty quickly, but it still wasn't truly backwards compatible. It's just like the Java claim that you can write once and run anywhere, which is only half-jokingly referred to by devs as "write once, debug everywhere".


That's not what they claimed...


Why do you have to "keep updating every 6 months"? Lots of projects stuck on java6, 7 or 8 without updating for years.


That's probably a misconception based on the new Oracle JDK release and support cycles; new release every 6 months, at which point support for the -1 version is immediately stopped (unless you have a commercial license or something). This LTS version is probably different (hence the name LTS), but it's also commercial.

Anyway it's a misconception because it only applies to the Oracle JDK, OpenJDK still follows a different support structure I believe.


Yeah. I'm kinda with you. You've got .NET Core and Go as reasonable contenders for new projects, but it's hard to justify moving an existing product away from Java. Not to mention, it seems that Java's still got a huge head-start on existing libraries vs Go / .NET.

Er... Well, I'm with you for a different reason than updating... I'm thinking that Oracle is just shifting the licensing ground too much for my comfort.


But why all the effort needed when you can simply use the open-source Java version called OpenJDK? It's virtually identical to Oracle's JDK, only without commercial support, and it's licensed the same way those other alternatives you're suggesting.

Besides, dotnet core would not be a better replacement: it's got a large corporation behind too, so nothing prevents them to do the same in the future.


Why does Go not have updates? Has Go been abandoned?

This is an LTS release. It will be available for more than a few months.


So Go is somehow immune from a similar fate? What's the reasoning behind this?


+ the backing of a huge corporation.

Poor little Oracle & IBM.


Let me just try that nice Go UI framework, oh wait...


as long as openjdk remains open i dont mind


As long as OpenJDK remains open and maintained for a reasonable length of time, I don't mind. Right now it's looking good, but only thanks to Red Hat (et al.) and not Oracle.


So many companies have a vested interest in maintaining Java alive (Google, IBM, etc.) that I'm not too worried about maintenance of OpenJDK.


When did Red-Hat hired all Oracle developers working on OpenJDK?


They have quite a few developers working on OpenJDK


Yes they do, but the large majority are Oracle employees, which many seem to keep forgetting.


Oracle can easily stop or delay updates to OpenJDK if they want. Remember how things worked out for OpenSolaris?


OpenJDK used to have some incompatibilities that tended to blow up in production (rare case "enjoyment") - is it now 100% compatible with original Oracle SDK? Otherwise companies would be forced to use commercial one in order not to disrupt their legacy systems.


Not 100%. There's still some weird edge cases having to do with the swing and crypto libraries. But the big performance regressions that we used to see are gone and with the release of flight recorder in Java 11, the last major commercial feature is now in openJDK.


In addition to compat, is performance on par too? I know the JVM is highly performant and was wondering if there were any patent restrictions that would prevent an open JRE (I assume there is such a thing) from being as performant as the Oracle JRE.


I've found that as of Java 8 the compatibility is pretty good, and I use OpenJDK exclusively now. Prior to that, it definitely had issues and I always used the Sun/Oracle JDK.


Legacy is most of Oracle's business model nowadays


I'm sure all the Linux distros are thinking the same thought.

The 'default' JVM for Ubuntu is OpenJDK, right? You'd have to go out of your way to get your hands on Oracle JDK.


Yes. Back in jdk6 days there were more problems requiring oracle jdk, this days is a no brainer to use the default openjdk.


Agreed, it's what I've been using in production all along and maybe the rise of docker will mean that fewer people are directly installing the JDK on their production machines. Still, I bet there will still be some unfortunate souls that run the Oracle JDK in production without knowing the rules have changed.


interestingly, openjdk is the top link on google for me for "java 11" search.

did google do that?


It's been like that for years. OpenJDK had been the site that all development and JEP news goes through for a long time now.


I get the same. When I do the same search on DDG, the top result is Oracle.


As many have pointed out, you can argue if this is a trap or not and you can make the case for both sides. But I think that discussion in itself clearly begs the question: do you want to deal with a company that makes it easy to make a potentially immensely expensive mistake?

If anything, Oracle have demonstrated that if they feel you owe them something, they will take you to court.

I changed what primary programming language I use as a conscious decision that took years to make. First I had to find a language that was a good replacement and then I had to make the switch. Both require care.

It was easier than I had thought though. And I'm very happy I did.

Am I sure the my new primary language won't grow these problems? No. But I do know that I'd do it again if needed. There is no shortage of programming languages. There is a shortage of programming languages that have a sufficiently good ecosystem around them though.


Which language did you pick?


It was down to Rust and Go and I picked Go.

(I mostly write server software, command line utilities and embedded software (embedded software in C/C++). If I wrote more embedded software on Cortex-M than server software om AMD64 I think I'd really like to use Rust.)


This is going to come off sounding a bit like victim blaming, but seriously, any business large or small must have a person or people whose responsibility it is to audit all installed software so that nobody gets into a situation such as described in the article.

A business cant afford to let devs just install software willy-nilly like.


Yet "willy-nilly" installations happen.

It remains to be seen whether they'll "go after" the whales who can actually afford compliance staff (but screwed up anyway), or after the small-fish companies that just stood up a web-app to get started, or businesses in between.


It's not really the developers installing their own toolchain you have to worry about here, though. The folks working on the official builds and deployment should be far more aware of what's happening, because that's what has to be supported. If you're letting B&D do things willy-nilly, that's a serious business problem.

I aware they're often the same folks (DevOps), but your senior engineer and/or project manager should be watching what's going out.


What about compatibility? Recently I installed PDFsam on Windows 10 that required a JRE. I installed OpenJDK but the application didn't start. With Oracle JRE it did work. I didn't bother to debug the startup problems, though.


there is a GPL2 version of jdk11 here, does it make any difference?

http://jdk.java.net/11


    > http://jdk.java.net/11
That's an "OpenJDK" build provided by Oracle.

But it is easy to get mixed up since it doesn't ACTUALLY say "OpenJDK" on that page.


All the links say and point to OpenJDK if you hover over them. It doesn't seem that obscure.


One would expect that the page provided by Oracle from which one could download OpenJDK would have the word "OpenJDK" in a header in 16+ point font-- and not visible only in link hover text box.

It's just weird.


Question : this implies that Oracle 'knows' that you're using their JDL in production. Which implies a spy of some sort. Which is barely legal, is it ? unless it's at least duly stated in the licence. Is it so ?


How much control Oracle has on OpenJDK development & support? Can they control some features which will never be shipped with OpenJDK?


Are there any substantive differences between the GPL and proprietary licensed versions of Java 11?


One requires you to pay money to Oracle?


Currently happy about Azul OpenJDK.


'Zulu', right? What's their angle?


Azul sells their own high-performance Java runtime (Zing).

Taking a guess here, they probably realized there's demand among their customer base for plain OpenJDK builds with cheaper and/or more reasonable support offerings compared to Oracle's. And once you need to deliver those builds, it doesn't cost too much to let just anyone use them.


They originally built it for Microsoft to run Java apps on Azure: https://www.azul.com/successstories/microsoft/

I guess they later figured it could be more generally useful and they could sell support for it.


I had no idea Azure used it.

From the article: They wanted to offer Java on the Microsoft Azure Cloud, unencumbered by complex licensing or end-user restrictions.

What are Oracle doing that their shiny enterprise offerings just have too much baggage attached even for Microsoft?


It's openJDK but with a relatively affordable support agreement.


It's the default from sdkman I think.


Modified openjdk with high perf. GC, JIT, tooling etc. It is very nice.


Zing and Zulu are not the same. Zing is a commercial JVM that has no open source equivalent, and has a completely bespoke design from my understanding -- calling Zing a "modified openjdk" is a stretch, from what I understand (especially considering OpenJDK is GPLv2.)

Zulu is Azul's build of open-source OpenJDK, and no different than any other OpenJDK such as one from jdk.net or AdoptOpenJDK -- it doesn't have a special JIT or special GC, but you can buy a support contract for Zulu (or use it at no cost). It's basically just another OpenJDK build, as far as most people are concerned.


I was talking about Zing, yes. The parent said Zulu and I din't want to go into details. And yeah... it is more than a modified openjdk, I think we can agree and say it is based on openjdk.


If you're relying your business on something, you'd better read the damn license.


It’s unfortunate Java is turning into modern day COBOL.


I think it turned into modern day COBOL as soon as J2EE came out.

And I wonder if it's inevitable. I wonder whether any language that successfully plays in that space will necessarily suffer the same fate.


Really I think the best thing for Java at this point is getting it out of Oracle's greedy clutches. They are debasing the ecosystem of the language as a whole at this point.


I'd love to see the Java community fork OpenJDK and just leave Oracle behind. I wonder if the licensing of OpenJDK makes this possible? If so, the only (albiet huge) problem is getting a critical mass of support behind one particular effort.


My hat is off to Larry E. with respect to his business prowess. But. ding ding ding. alarm bells. Run away. Don't mess with that guy.

The dude owns an island:

https://en.wikipedia.org/wiki/Lanai

https://www.bloomberg.com/news/features/2016-04-13/four-seas...

Stick with free/open source. Vendor lock in is a nightmare. edited for clarity.


You should clarify that you are referring to Larry Ellison, the head of Oracle, and not Stephen Colebourne, author of the article.


You are right. I was just writing a flippant joke. The author of the post wrote a great article. I am also not insulting Larry Ellison. He (Larry E) is an interesting, very successful, guy. I am just saying he tends to win in competitions. Once you are locked in, you have to pay.


Exactly the misconception that I had


Yes, I definitely don't own an island!


sorry, I was not clear. I am also not knocking owning an island. Thats a great situation to be in. If I am successful full enough in life, I will buy one! I am just saying don't mess with the dude. He tends to win.


The only people who "own islands" are James Bond-type villains, right? Right?


The dude owns an island, so he obviously can't be trusted. It follows reason.


Sorry, thats not what I meant. I was half joking/flippant. I meant to imply that Larry Ellison is very good at his job. His job is getting people locked into expensive proprietary languages (embrace and extend java) and DBs. Once your company thrives it becomes very difficult to get off their proprietary tools (which are excellent btw). Then you are forced to pay the man. I actually like the guy. His sailboat racing is really great tech.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: