Are you still struggling to understand how to remain secure and compliant with the recent Oracle license announcement on Java SE 8? Learn how to navigate through these changes in our joint Snow and SoftwareOne webinar.
Java is one of the most popular programming languages in the world with millions of Java-based applications created and many more applications that won’t work without Java being installed. When Sun first released Java, it did so under a proprietary software license but in 2007, Sun re-licensed Java under a General Public License making Java free to all under an open source model.
Oracle acquired Sun in 2010 and part of the agreement was that Oracle would continue to make Java available free of charge under the open source model, which Oracle has done under its Oracle Binary Code License Agreement. However, Java licensing began to get complicated when Oracle started to develop commercial features specifically for Java and make them available as separately licensed products – Java SE Advanced and Java SE Suite. In 2014, Oracle introduced a new desktop license – Java SE Advanced Desktop.
Oracle has announced that from January 2019, Java SE 8 public updates will no longer be available for business, commercial or production use without a commercial license although it will remain free for general purpose computing usage. Personal users will be able to utilize Java for the most common computing tasks on personal desktops, notebooks, smartphones and tablets, but if Java is being used in a commercial or production environment then a license will be required. An example would be opening a web page or developing an application for education. For any usage outside of this, a valid license must be in place.
Java SE is made up of several features and components and under the terms of the Oracle Binary Code License Agreement, these are available free of charge. However, if any of the commercial features that Oracle has developed, and made available with Java SE, are used in a business, commercial or production environment, the appropriate license will need to be in place. One of the most common commercial features is the MSI Enterprise JRE Installer. Many end users use this to distribute Java Runtime to desktops and laptops but should be aware that it requires a license if it’s being used for internal business operations, production or commercial purposes. However, if the commercial features are being used to design, develop and test programs then no license is required.
Before organizations rush out and buy licenses to cover their Java usage they should look carefully at existing entitlements. Oracle licenses typically cover a suite of features and components and within some of them, WebLogic Server Standard Edition for example, is the right to use Java SE. Nor is this right just within Oracle licenses – IBM WebSphere and SAP® NetWeaver™ also include Java SE rights.
ORACLE JAVA SUPPORT ANNOUNCEMENT
Oracle’s announcement that there will be no more Java 8 public updates for business, commercial or production use means that organizations should review the support they have in place and compare it to their requirements. Oracle classifies customers for support into three types:
- Oracle customers – Oracle customers with an active Java subscription or valid support contract
- Commercial customers – Non-Oracle customers who use Java SE for business, commercial or production purposes as part of a Java application developed internally or delivered by a third party
- Personal users – users using Java SE to develop applications as a hobby or for educational purposes or to play games or run applications.
This classification is important because for personal users, public updates will be available until December 2020, but for commercial users these updates are no longer available. In essence this means that Oracle will no longer provide security patches and updates other than under a support contract to those classified as Oracle customers. In addition to this, Oracle has moved to a six-monthly release cycle from the release of Java 9, with one out of 3 releases designated to receive long term support (LTS). Prior to this, free public updates were provided free for years after the release and usually after the release of the next version. As you can see from the table below, those releases that are not flagged as LTS will only receive free updates for 6 months.
ORACLE JAVA SE SUPPORT ROADMAP
Oracle has pointed out that the six-monthly release cadence isn’t new – previously these would have been released as point releases. SE8u20 and SE8u40 were six months apart. Oracle Java SE8 is the last “major” release in the old terminology.
By releasing every six months, Oracle believes it will be easier for customers to update to new versions and it should “almost take overnight.” There were approximately 19000 source code changes between SE8 and SE9, whereas between SE9 and SE10 there were only 2700 so later upgrades should be less complex.
Oracle plan to release Oracle JDK and Open JDK releases at the same time and as of 11, the content is virtually the same so Open JDK should no longer be looked on as a second-rate product. Oracle will release security patches for both releases for six months but no longer refer to them as public updates.
WHAT ARE THE ALTERNATIVES FOR CUSTOMERS USING JAVA?
Businesses can choose to:
- Stay with Java SE 8. While this is an option, this could make you a potential target for hackers as this product will not be updated with the latest security patches
- Use the personal version of Java SE 8 and take the public updates until 2020. Organizations should realize this option puts them at risk of an audit. We’ve heard rumours that Oracle is not going to target Java audits until after their year-end in May 2019, but it’s highly likely that Oracle will start auditing after that
- Migrate to a later version and update every 6 months
- Migrate to an OpenJDK version and accept that accept that it will be supported by the community after the 6 months or upgrade every 6 months to the latest version.
- Pay Oracle for support and updates
- License Java through another product, such as Oracle WebLogic or SAP® NetWeaver™
- Pay another company (example: Azul Systems) to provide support for Oracle OpenJDK 8
- Use free builds of Java 8 from AdoptOpenJDK. Be aware that as this is a community release there is no warranty or support available. The community team at AdoptOpenJDK plans to provide Java 8 builds that are certified compatible with the Java SE specification until at least September 2023.
HOW CAN SNOW HELP?
Organizations need to know in which of their environments they are using Java together with who is using it and the versions in use. Snow can identify whether JDK or JRE is deployed on a machine; which commercial features are enabled and the update versions installed so you can see which ones could require licensing immediately. To find out how Snow can help you get the information you need to make the correct decision for your business, watch our webinar on-demand: Java SE 8 Is No Longer Available Without A License. What Next?