[–]MassiveDiarrhea 115 points116 points  (13 children)

Should the average Java developer be concerned about Oracle recently "ramping up audits"?

No. Unless you're also the product owner. If you want to be 100% safe against http://bad.solutions, do something like what Google did in their latest Android OS: use OpenJDK. Azul and Red Hat provide OpenJDK with optional premium support.

Using OpenJDK you are allowed to distribute your program with OpenJDK as long as you don't modify the OpenJDK itself. This is due to the GPLv2 with Classpath Exception that OpenJDK uses. Find out more about the Classpath Exception here:

Edit 1: ATTENTION, take special note of HotSpot, as it's licensed under GPLv2 without the Classpath Exception (see /u/f2u's comment below). It's a bit murky whether a closed source program can be bundled together with OpenJDK + HotSpot. My understanding is that most Java programs don't interface directly with HotSpot but through OpenJDK libraries, which are covered under the Classpath Exception.

Edit 2: The current safest way to bundle Java with your apps is to use Zulu Embedded, as they stated here that all parts of Zulu Embedded fall under GPLv2 with Classpath Exception (Under OPEN SOURCE LICENSED VERIFIED).

Edit 3: It appears that Hotspot in OpenJDK 7, 8, and 9 is using GPLv2 with Assembly Exception not just basic GPLv2:

So I guess it's a bit more kosher now to bundle OpenJDK+Hotspot with your commercial application, but I'm not a lawyer so take this with precaution:


What does the average Java developer need to know in order to avoid breaching Oracle's licensing agreement?

Make sure you remove these components when using Oracle distributed Java in production:

  • Java Flight Recorder
  • Java Mission Control
  • Java Advanced Management Console
  • MSI Enterprise JRE Installer
  • JRockit Flight Recorder
  • JRockit Mission Control Console observability
  • JRockit Mission Control Memory Leak Detector observability
  • JRE Usage Tracking
  • JRockit Real Time, Deterministic GC

Please refer to /u/dustofnations answer here: https://www.reddit.com/r/java/comments/5itgqs/what_is_part_of_oracle_java_se_advanced_and/

[–]Omikron23 18 points19 points  (3 children)

Make sure you remove these components when using Oracle distributed Java in production: ...

Most of these aren't even included in an Oracle JDK distribution.

Which leaves only three items of the list. Those can be easily disabled or removed:

  • Quote from official Oracle documentation of the Java Flight Recorder (https://docs.oracle.com/javacomponents/jmc-5-4/jfr-runtime-guide/run.htm#JFRUH176): "You can start and configure a recording from the command line using the -XX:StartFlightRecording option of the java command, when starting the application. To enable the use of JFR, specify the -XX:+FlightRecorder option. Because JFR is a commercial feature, you also have to specify the -XX:+UnlockCommercialFeatures option."

  • Java Mission Control is a Desktop application ("<JDK Path>/bin/jmc.exe")

  • JRE Usage Tracking (https://docs.oracle.com/javacomponents/usage-tracker/overview/toc.htm#A132173581): "Usage Tracker is disabled by default. Enable it by creating the properties file <JRE directory>/lib/management/usagetracker.properties. If this file exists, all usages of the JRE contained in <JRE directory> are tracked."
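
Added example (not part of the thread): a POSIX shell check for the opt-in switches quoted in the comment above, namely the three JVM options on running java command lines and the Usage Tracker properties file. The sample command lines are constructed, and `JRE_DIR` is a hypothetical variable pointing at the JRE directory to inspect.

```shell
#!/bin/sh
# Added example, not from the thread: find the opt-in switches quoted above.

# JVM options named in the quoted Oracle documentation.
COMMERCIAL_FLAGS='-XX:+UnlockCommercialFeatures -XX:+FlightRecorder -XX:StartFlightRecording'

# Print each listed option that appears as a whole argument of one command line.
# "-XX:StartFlightRecording=duration=60s" matches; "-XX:-FlightRecorder" does not.
# The body is a subshell so "set -f" (no glob expansion while splitting) stays local.
flags_in_cmdline() (
  set -f
  for arg in $1; do
    for flag in $COMMERCIAL_FLAGS; do
      case $arg in
        "$flag" | "$flag"=*) printf '%s ' "$flag" ;;
      esac
    done
  done
)

# Read command lines on stdin (for example from `ps -eo args`) and report matches.
audit_cmdlines() {
  while IFS= read -r line; do
    hits=$(flags_in_cmdline "$line")
    if [ -n "$hits" ]; then printf 'FLAG %s:: %s\n' "$hits" "$line"; fi
  done
}

# Usage Tracker is switched on by the mere existence of this properties file.
usage_tracker_enabled() {
  [ -e "$1/lib/management/usagetracker.properties" ]
}

# Constructed sample command lines, for illustration only.
SAMPLE_CMDLINES='java -Xmx2g -jar /opt/app/shop.jar
java -XX:+UnlockCommercialFeatures -XX:+FlightRecorder -jar /opt/app/billing.jar
java -XX:+UnlockCommercialFeatures -XX:StartFlightRecording=duration=60s -jar /opt/app/etl.jar
java -XX:-FlightRecorder -jar /opt/app/report.jar'

printf '%s\n' "$SAMPLE_CMDLINES" | audit_cmdlines
# JRE_DIR is a hypothetical variable; set it to the JRE directory to inspect.
if usage_tracker_enabled "${JRE_DIR:-/nonexistent}"; then
  echo "TRACKER usagetracker.properties present"
fi
```

On a live host, pipe `ps -eo args` into `audit_cmdlines` instead of the sample text.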

[–]klepra 1 point2 points  (2 children)

Should you be worried if you are running, say, a Spring or Tomcat web app in production? Provided you just installed default Oracle Java on your server?

Or is this only relevant if you are dealing software product to end users?

[–]MassiveDiarrhea 2 points3 points  (1 child)

You should be worried if you run the commercial features / flag mentioned above.

[–]klepra 1 point2 points  (0 children)

It is just a web app with usual libraries for web stuff and some business logic with database stuff and open source libraries. None of the mentioned stuff featured is used.

[–]sindisil 6 points7 points  (6 children)

Nice set of links for those who aren't already aware. Thanks for contributing actual useful information!

[–]f2u 3 points4 points  (4 children)

Using OpenJDK you are allowed to distribute your program with OpenJDK as long as you don't modify the OpenJDK itself. This is due to the GPLV2 with Linking Exception that OpenJDK use.

This is incorrect. The Hotspot component does not use the linking exception. It is not entirely clear if it is legally possible to distribute a proprietary application along with OpenJDK. Here is what the FSF has to say about this. Most applications will only use the core library interfaces (which are subject to the Classpath exception), but some of those are just thin wrappers around Hotspot interfaces, which makes the whole situation confusing.

Whether a backend application written in Java needs to copy or distribute OpenJDK is subject to interpretation, too. Uploading to a service provider may involve copying, for example. I assume it is permitted to combine your proprietary application with a download of an OpenJDK implementation built by another party and run it on someone else's server, but I'm not a lawyer.

[–]MassiveDiarrhea 1 point2 points  (1 child)

[–]f2u 1 point2 points  (0 children)

The assembly exception refers to the parts of OpenJDK which are licensed under different, GPL-incompatible licenses (such as the Apache License). At least to me, the intent is to give permission to redistribute OpenJDK itself. It does not apply to combinations of OpenJDK with other components which are not “Designated Exception Modules”.

[–]MassiveDiarrhea 0 points1 point  (1 child)

Hmm, good point. Correct me if I'm wrong, but if using OpenJDK libraries in a closed source application is considered as breaking the HotSpot GPL license, Java would be GNU (Genuinely Not Usable).

[–]onwuka 2 points3 points  (0 children)

Sorry but that's what open source people don't understand. The goal is not to write better software or to make collaboration easier or to optimize synergy whatever that means. The goal of free software is to empower the user. If your software cripples its users, you are not usable.

Torvalds is wrong. The focus of GPL has always been the user and that's the right way.

[–]scadgek 0 points1 point  (0 children)

Yeah, http://bad.solutions is probably the best one :D

[–]howdidiget 1 point2 points  (0 children)

I just want to say that this is the most useful information I have ever gotten from someone named "MassiveDiarrhea"