[Owasp-board] [Owasp-leaders] Oracle targeting Java SE non-compliance

Kevin W. Wall kevin.w.wall at gmail.com
Wed Dec 21 04:45:45 UTC 2016


Bjoern,

Hi. Thanks for the info. I wouldn't exactly call it a "panic"...more
like due concern. What concerned me was that according to the article
in The Register, the commercial parts were supposedly bundled with
Java SE and not some additional add-on product binary. And knowing
about Oracle's aggressive litigation with Java (ahem, Google), I
thought maybe they might pull a SCO (to rephrase Ian). I wasn't sure
if there was just some way that one could accidentally use these
commercial features unknowingly or not. But based on your #2, it seems
as though that is doubtful. And given that I had never even _heard_ of
the JVM "-XX:+UnlockCommercialVMOptions" option before, I'd say it's a
pretty safe bet that one is not likely to walk into it accidentally.
Which is a good thing considering that according to Oracle's BCL for
Java SE, one is not permitted to repackage the binaries (e.g., to
delete specific classes), so it appeared to me that the only
resolution to this was to uninstall Oracle Java SE.  However, thanks
to you, that no longer seems necessary. For what I use Java for, I
have no need of any of the commercial features and thus have no intent
of ever using them.

So, great info. Thanks for the reply. This was exactly the sort of
thing I was looking for.

-kevin

On Tue, Dec 20, 2016 at 8:31 PM, Bjoern Kimminich
<bjoern.kimminich at owasp.org> wrote:
> This seems like one of those panic posts that occur from time to time. Like
> "groundhog day", just bi-anually or so...
>
> 1. The commercial parts of Java are listed here:
> http://www.oracle.com/technetwork/java/javase/terms/products/index.html
>
> 2. As long a you don't use "-XX:+UnlockCommercialVMOptions" on your JVMs,
> there should be nothing to worry about, neither for OSS projects nor
> commercial software. And if you do and expect no bill from Oracle, well...
> (^_-)
>
> Cheers,
> Bjoern
>
>
> Am 21. Dezember 2016 00:35:29 MEZ, schrieb Ian Gorrie
> <ian.gorrie at owasp.org>:
>>
>> I'd say that sticking to FOSS is going to be your best long term strategy
>> and to treat hostile players like Oracle formally in your risk management
>> process.
>>
>> I don't like at such things usually, but they very much seem to be taking
>> the SCO approach as they appear to be falling behind in many of their
>> concerns.
>>
>> If your organization doesn't track dependencies and related licenses in
>> your technology stack (using a commercial tool if needed), this may be a
>> good time to focus in on that conversation with business leaders.
>>
>> -i
>>
>> On Dec 20, 2016 3:28 PM, "Kevin W. Wall" <kevin.w.wall at gmail.com> wrote:
>>>
>>> I'm sending this out because I hoping that someone on one of these
>>> lists with a legal clue can answer my concerns. This potentially could
>>> become an issue for any OWASP project that is developing projects or
>>> APIs in Java.
>>>
>>> It looks as though Oracle is hitting up users of Java SE for "commercial
>>> use" even when many were not aware they were in violation:
>>>
>>>
>>> http://www.theregister.co.uk/2016/12/16/oracle_targets_java_users_non_compliance/
>>>
>>> I'm especially concerned about the last part of this article that ends
>>> with:
>>>
>>>     "If you download Java, you get everything - and you need to make
>>> sure you are installing only the components you are entitled to and
>>> you need to remove the bits you aren't using," our anonymous expert
>>> warned.
>>>
>>>     "If you [already] have Java, make sure of the specific components
>>> you are really using and how they are being used and based on that,
>>> validate if you are having issued before Oracle figures it out."
>>>
>>> I just took a quick look at there license associated with their Java
>>> SE downloads (see
>>> http://www.oracle.com/technetwork/java/javase/terms/license/index.html)
>>> and I'm not even sure I can figure out which bits are the "commercial
>>> features" in order to remove them. (OTOH, given that I've only
>>> downloaded Synaptic Package Manager on Linux Mint, how am I even
>>> supposed to know what they installed?)
>>>
>>> I certainly will do whatever to comply, but for me personally that
>>> would mean uninstalling Java before paying for it. My bigger concern
>>> is for all those in FOSS-land who develop Java applications or APIs.
>>> Being the project co-leader for OWASP ESAPI, I fall into that
>>> category.
>>>
>>> The Register article doesn't provide much details. would be nice if I
>>> know which part the "commercial features" were in so I could delete
>>> them. Otherwise, looks like going back to OpenJDK. (Or is it subject
>>> to this license issue as well?)
>>>
>>> Anyone know?
>>>
>>> Thanks,
>>> -kevin
>>> --
>>> Blog: http://off-the-wall-security.blogspot.com/    | Twitter:
>>> @KevinWWall
>>> NSA: All your crypto bit are belong to us.
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>> ________________________________
>>
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders



-- 
Blog: http://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.


More information about the Owasp-board mailing list