
Added value from Oracle Java?
What do subscribers to Oracle's proprietary version of Java receive in addition to entitlement to use the software? Presumably, there is something. Alternatively, open source options are too unreliable.
Experts are warning of an increase in Oracle Java audits - as the tech giant nears its year end - following a switch to a per-employee license model that could see costs grow by up to five times. Oracle introduced a paid subscription …
On a more serious note (hence the "meh" icon) there are some features in Oracle Java that may be useful in some contexts.
We use (ok I know don't s*it on me) Java Web Start and the open-source alternative for that sucks giant donkey 'nads. There are also some closed-source profiling components in Oracle Java.
No I don't say it's not worth moving away from Larry's but there can be a certain amount of pain or cost involved.
Unless you run a very tight ship IT wise, just a single person downloading Oracle Java is going to cost you an arm and a leg. Many companies are going to pay up just to avoid the Oracle headaches in case one employee does. (My employer is - but being public sector we've got a large discount off list price)
Whereas it may well be advisable to avoid wrangling with Oracle's lawyers under any circumstance - and IANAL - there's an interesting legal principle here.
Courts can bind a company to a contract made without the company's authority by one of its employees acting as its agent, but the contracting party has to have a reasonable belief that the employee was acting with the authority required. That reasonable belief depends on, for example, the employee's job title, the nature of the order and how the order was placed. If a catering supervisor signs a contract for an executive jet, the aircraft company is probably not going to be able to rely on their apparent authority. If someone claiming to be the managing director of Google calls from a withheld number and orders the same jet without any other form of corroboration, it would be difficult to hold Google to the contract. If someone calls up a stationery supplier and places an order for 2 years' worth of copier paper using a company credit card, the company could probably be made to take delivery and pay because the simple possession of the card implies authority.
Oracle might have a good argument that an individual downloading a software package that was clearly labelled as being chargeable could result in their employer being liable for the individual's use of the software. It's a much harder argument to make that a random individual is likely to have the power to bind the company to a licence calculated on the company's total number of employees. That's something you would reasonably expect to be reserved to a senior executive so the threshold for "apparent authority" would presumably be higher. There's a bit of UK case law that's relevant:
If a person dealing with an agent knows or has reason to believe that the transaction is contrary to the commercial interests of the agent’s principal, it is likely to be very difficult for that person to assert with any credibility that he believed that the agent had apparent authority, and lack of such a belief would be fatal to a claim that he did.
Not that I expect to see it ever come to court...
One of my clients has a big managed desktop environment (35000+ seats) with software only allowed to be deployed by software package.
Special administration accounts are used for any ad hoc package installs.
All the techs with that access were explicitly warned, and signed off, that if they install it without an escalation for review they would have their access (and maybe their job) revoked.
Logs are checked every month for installs.
Been working great so far.
> just a single person downloading Oracle Java is going to cost you an arm and a leg.
One of my last tasks before retirement was ripping out Oracle Java from the software that my team used (open versions now being usable where needed).
Along with the regular security sweeps there was a check for any Oracle Java - it was outlawed big time.
All software published by a company should be signed by a certificate. Linked, if technically necessary, to their local root/intermediate. So one can use package managers/group policy/orchestration/configuration managers etc to
1. inventory the software and
2. block it.
Try to block Chrome, for example, play whack-a-mole as it uses every technique to evade blocks. Ditto Java. Want to block Oracle? Job done if we had a single root key.
As it is, one needs to get the cert of the day, as the intern doing that build uses a different cert and chain to all the other interns doing the build.
Not sure if that would help for software that embeds Oracle Java inside it. Java is installed as part of the larger app and is otherwise not visible to be selectively uninstalled and you may not even be aware of it unless you dig into the filesystem.
Also relying on certs is a double-edged sword, certs expiring or arbitrary changes as far as what algorithms are accepted or not would make life for many a lot more painful.
I looked into this Oracle license stuff earlier this year and it seems according to their FAQ that the paid license is only for versions newer than xyz. If you have an old Java installed from say 5 years ago or something I don't think the new scheme applies to you.
Look for "Oracle No-Fee Terms and Conditions License for All Users"
https://www.oracle.com/emea/java/technologies/javase/jdk-faqs.html
I for one am not a fan of the proliferation of cert/code signing stuff restricting control users have over the software on their computers. At least in cases that don't allow the user to override in some way.
"I for one am not a fan of the proliferation of cert/code signing stuff restricting control users have over the software on their computers. At least in cases that don't allow the user to override in some way."
Home users, owning their own PC, are not the target of this. But rather, a laptop issued by a company for use by the company's minions. That device is owned by the company and can get the company in hot water. (So many users tend to think of the device as 'their laptop' - dispel that myth right now). If the user is at a BYOD company, that's another story.
I mean, risk "avoidance 101" is that users should not be Administrators. Executables running from non-standard locations should be blocked. But again I point to the tactics used by Google, and then lately by Microsoft itself (Teams, especially) and you see that locking these things down is a royal PITA. Necessary, but a PITA.
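The comments above on sweeping for Oracle Java and on runtimes embedded inside larger applications describe an inventory gap that a package-level check misses; the sketch below is an added example, not code from the thread or from any vendor, that walks a directory tree for bundled Java homes and reads each one's `release` file. It assumes the runtime ships a `release` file with an `IMPLEMENTOR` key, treats a missing key as "unknown" and flags it for manual review, and uses constructed sample paths and version strings; a flag is a prompt to review, not a licence determination.

```python
import os
import tempfile

def parse_release(text):
    """Parse the KEY="value" lines of a JDK/JRE `release` file into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip().strip('"')
    return fields

def find_runtimes(root):
    """Return one record per directory under `root` that looks like a Java home."""
    found = []
    for dirpath, _dirs, filenames in os.walk(root):
        has_java = any(os.path.isfile(os.path.join(dirpath, "bin", n))
                       for n in ("java", "java.exe"))
        if "release" not in filenames or not has_java:
            continue
        with open(os.path.join(dirpath, "release"), encoding="utf-8", errors="replace") as fh:
            fields = parse_release(fh.read())
        vendor = fields.get("IMPLEMENTOR", "unknown")
        found.append({
            "home": os.path.relpath(dirpath, root).replace(os.sep, "/"),
            "vendor": vendor,
            "version": fields.get("JAVA_VERSION", "unknown"),
            # Runtimes with no vendor field cannot be cleared automatically.
            "review": vendor == "unknown" or "oracle" in vendor.lower(),
        })
    return sorted(found, key=lambda r: r["home"])

def build_sample_tree(root):
    """Constructed sample data: three fake Java homes, one hidden inside an app."""
    samples = {
        "apps/vendorapp/jre": 'IMPLEMENTOR="Oracle Corporation"\nJAVA_VERSION="17.0.1"\n',
        "opt/temurin": 'IMPLEMENTOR="Eclipse Adoptium"\nJAVA_VERSION="17.0.1"\n',
        "apps/legacy/runtime": 'JAVA_VERSION="1.8.0_01"\n',
    }
    for rel, release in samples.items():
        home = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.join(home, "bin"))
        open(os.path.join(home, "bin", "java"), "w").close()
        with open(os.path.join(home, "release"), "w", encoding="utf-8") as fh:
            fh.write(release)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(find_runtimes(tmp))
```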