[Owasp-board] Oracle targeting Java SE non-compliance

Kevin W. Wall kevin.w.wall at gmail.com
Tue Dec 20 23:27:45 UTC 2016

I'm sending this out because I'm hoping that someone on one of these
lists with a legal clue can answer my concerns. This potentially could
become an issue for any OWASP project that is developing projects or
APIs in Java.

It looks as though Oracle is hitting up users of Java SE for "commercial
use" even when many were not aware they were in violation:


I'm especially concerned about the last part of this article that ends with:

    "If you download Java, you get everything - and you need to make
sure you are installing only the components you are entitled to and
you need to remove the bits you aren't using," our anonymous expert

    "If you [already] have Java, make sure of the specific components
you are really using and how they are being used and based on that,
validate if you are having issues before Oracle figures it out."

I just took a quick look at the license associated with their Java
SE downloads (see
and I'm not even sure I can figure out which bits are the "commercial
features" in order to remove them. (OTOH, given that I've only
downloaded Synaptic Package Manager on Linux Mint, how am I even
supposed to know what they installed?)

I certainly will do whatever to comply, but for me personally that
would mean uninstalling Java before paying for it. My bigger concern
is for all those in FOSS-land who develop Java applications or APIs.
Being the project co-leader for OWASP ESAPI, I fall into that

The Register article doesn't provide much detail. Would be nice if I
knew which part the "commercial features" were in so I could delete
them. Otherwise, looks like going back to OpenJDK. (Or is it subject
to this license issue as well?)

Anyone know?

Blog: http://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.
