
Nearly 3 Out of 4 Oracle Java Users Say They've Been Audited in the Past 3 Years (theregister.com)

A survey of 500 IT asset managers in organizations that use Oracle Java has found that 73% have been audited in the last three years. From a report: At the same time, nearly eight out of 10 Oracle Java users said they had migrated, or planned to shift, to open source Java to try to avoid the risk and high costs of the dominant vendor's development and runtime environments.

Oracle introduced a paid subscription for Java in September 2018, and in January 2023, it decided to switch its pricing model to per employee rather than per user, creating a steep price hike for many users. In July 2023, Gartner recorded users experiencing price increases of between two and five times when they switched to the new licensing model.

Two years later, the survey conducted by market research firm Dimensional Research showed only 14% of Oracle Java users intended to stick with the vendor's subscription model.

  • Crude joke (Score:5, Insightful)

    by TWX ( 665546 ) on Tuesday July 15, 2025 @12:55PM (#65522636)

    There was a crude joke back in the day, that Java was great because it worked on all computers exactly the same way that anal sex was great because it worked on all genders.

    Little did we know exactly how prescient that crude joke was going to be as Oracle hadn't yet taken over.

  • by gavron ( 1300111 ) on Tuesday July 15, 2025 @12:57PM (#65522648)

    I once worked at a public company that was told by the BSA they wanted to audit us.

    We said our offices were a secure facility and no audits would be allowed.
    They claimed the EULA said they could. We said their EULA doesn't override our confidentiality agreements
    with customers or our public statements to our shareholders.

    They moved on to the next sucker(s).

    • Why do your confidentiality agreements override your other agreements to the license holder of the software? Very curious.
      • I think the important thing was that it worked. Obviously a company can't accept a EULA that they can't legally honor, meaning they click I Do Not Agree when installing and don't get to use it. But it worked on the auditor.

        • Can we apply this same logic to a software license like the GPL? You don't have to comply because you're "unable to", and just use the software anyhow?

          I don't think logic would fly here, or anywhere else.
          • The GPL is not a usage license, so there is nothing with which an end user has to comply.

            • Yes, but that's not my point. You just can't decide not to follow a software license because you don't like the company (or persons) who made the software.
      • by ebunga ( 95613 ) on Tuesday July 15, 2025 @01:14PM (#65522726)

        It's under the broad stroke of something called tortious interference. The auditors' mere presence would cause the target of their audit to violate other contracts. They can't do that without going through the hassle of litigation and a court order allowing one contract to override any other contract.

      • Why do your confidentiality agreements override your other agreements to the license holder of the software?

        My understanding is that in many (most?) countries outside the US EULAs have no legal authority unless you agree to them before purchase. If you buy some software and then, after the fact, you then have to agree to some random crap in order to be able to run it that's not a legal contract so you have no agreement.

      • by PPH ( 736903 )

        Why do your confidentiality agreements override

        Not my confidentiality agreement. It's the guy with the M-16 and MP on his uniform at the gate who insists.

      • Because EULAs are hot air. Software manufacturers will back down if you call their bluff if you look like you have the necessary lawyers to back it up. The last thing they want is a definitive legal ruling on EULAs, because it will establish a legal answer and likely won't be in their favor.

      • It means the next time they show up, they'll need a court order to do so.

    • If it was a secure government facility, I would also turn that around to say their auditors are welcome to visit as long as we could conduct full background checks on every single one of them. Also they would not be allowed to bring any recording devices into our facilities and strip searches would be required before and after. This is after we get approval from the appropriate agencies to allow them in. That should only take 6 months for them to review their applications.
      • The US government has to respect software licenses. Look at the whole issue with a company called "Harvard Graphics" that was put out of business because the US government pirated their software prolifically (they bought one copy and the military had it installed on something like 200,000 computers).

        This case is the reason you see the "US Government Restricted Rights" tag line in software copyright messages. That's where it came from. You can't steal the software because it's used in some type of clas
        • by Anonymous Coward

          You can do what most people do: Click through the EULA and don't give a fuck. EULAs are inherently questionable because you've already bought the product. In many cases, there is a restriction preventing you from returning it if you don't agree. So someone sells you a product, and then you have to agree to a bunch of crap after you've bought it. If you don't agree, you can't return the product and you can't use it. So nobody reads this disgusting 18 pages of shit and hits "I agree." I think a jury would agr

          • by GoTeam ( 5042081 )
            I'd think they'd just argue that you should be aware of the agreement before you purchase the license. But I don't have a strong idea of how the courts would handle it in various jurisdictions...
        • by caseih ( 160668 )

          Not sure what your point is. No one said anything about not honoring the licenses. He was talking about a random person wanting to come into a secure government department to do an audit. A government department very much might have to demand background checks and security clearances for the auditors to even enter the premises. If the company demanding the audit believes that the department is pirating software, and if they cannot physically be on the premises, they can go to court to compel discovery (a

      • by dnaumov ( 453672 )

        Just one problem. This is not how any of this works. You waived your rights to placing any such restrictions on the auditors by accepting the license terms of the software you decided to use.

        • by HiThere ( 15173 )

          Before or after you bought it? If it's afterwards, it's an agreement made under duress.

      • by flink ( 18449 )

        If it was a secure government facility, I would also turn that around to say their auditors are welcome to visit as long as we could conduct full background checks on every single one of them. Also they would not be allowed to bring any recording devices into our facilities and strip searches would be required before and after.

        Maybe somewhere there is a facility or SCIF that requires a strip search to enter, but I've never been in one and I never heard of such. I doubt that a bunch of BSA auditors would ever even know about the existence of that kind of place anyway, let alone need to enter one.

        But the DoD procurement process also is pretty slow and thorough. They don't purchase until the vendor has the cleared support staff available to service the software. If that includes auditors, you can bet that will be in the contract.

  • by zendarva ( 8340223 ) on Tuesday July 15, 2025 @12:58PM (#65522656)

    I've spent the last 11 years doing devops work in java shops.

    No one uses oracle.

    It's all adoptium.

    • by Anonymous Coward on Tuesday July 15, 2025 @01:05PM (#65522694)
      I worked for a large financial services company a few years ago. We had to block Oracle's website at the corporate level to keep folks from downloading Java from Oracle. Oracle would show us download metrics and ask to pay for all the downloads. We switched to 100% Azul Java.
    • Re: (Score:3, Interesting)

      by Anonymous Coward

      No one uses oracle.

      No one uses oracle *willingly*

      I push openjdk to our base desktop image.
      Every so often however a piece of 3rd party software pops up on the inventory radar warning that it has oracle java embedded with their software.

      UPS Worldship is still a headache to this day.
      Their software checks executable signatures, which is great normally, except we can't drop-in a different JRE as it fails signature checks.

      To put that into perspective, they only just upgraded their log4j libraries in January. Jan 2025.
      Almost 4 year

      • by caseih ( 160668 )

        So Oracle is demanding payment when you use third-party software that embeds Oracle Java in it, rather than talking to the third-party that's doing the distributing?

      • Almost 4 years after the very publicly well known CVE was out there.
        That vulnerability only works for "inside jobs", and even then it is complicated enough to set up that there is no known case, that it ever got exploited.

  • by Pseudonymous Powers ( 4097097 ) on Tuesday July 15, 2025 @01:05PM (#65522690)
    Oracle customers are like the frog who carried the scorpion across the river on his back. Well, no. Actually they're more like the sixteenth frog in line at the riverbank, patiently loading up his own scorpions despite the thirty-six sting-related drownings he's witnessed in the last hour.
    • by leonbev ( 111395 )

      Yeah, if you haven't switched to OpenJDK or some other open source Java variant at this point, you pretty much deserve the auditing pain that's going to be inflicted upon you.

      I mean, come on... you have had years of warning at this point.

  • By now most Java instances are SIM-cards. Almost every SIM card in the world has a Java VM running on it, while only part of mobile phones and very few desktop computers or servers have Java VMs running on them.

    If you talk about Java and its frameworks, keep in mind that those probably won't run on the majority of Java VMs out there. SIM cards, from what I've heard, don't even seem to support strings.

    So it's not "write once - run anywhere", but more like "write once - run on Linux". Most of those x-Billion

    • SIM cards, from what I've heard, don't even seem to support strings.

      You used to be able to store phone directories on SIM cards, albeit not with very many entries. On my Motorola Triplets and RAZR phones (original RAZR obviously, not the ones where they reused the name) you could easily choose whether you wanted them stored on SIM or locally. Maybe they don't know how to process strings, though, only store them. Or did they remove that functionality? I haven't tried to use it in many years, so I wouldn't know personally. Looking around I see that sometimes even SMS was stor

      • Well the phone book is a "filesystem" feature of the SIM card, it actually predates Java by (more than) half a decade. I'm referring to the ability of most modern SIM-cards to execute Java software. That software cannot use standard string functions because of limitations in the VM.

  • That's why they made the official Oracle Java product as unappealing as possible. Switch to the better alternatives, or pay the stupid tax.

  • by Anonymous Coward

    We use openjdk for a single in-house server application, and somehow oracle got my company's info because at some point someone probably downloaded a copy of java from oracle. They began persistently emailing individual email addresses at our company trying to find out if we were using oracle jdk without paying the subscription fee until I answered.

    I replied that we were using openjdk (which is true) and they left us alone. I was so irritated, that if hypothetically we would have been required to pay oracle

  • We were trying out Oracle database for a web backend in 1995 or so. I don't recall if payment was required during the dev/trial period back then. It is not these days with most commercial databases. Anyway, we got a call from Oracle. They wanted to audit us. We took that as a sign of things to come and immediately threw out anything with Oracle in the name and never looked back.

    I do not fully understand the mindset of current Oracle customers. Why would anyone intentionally feed the beast that is Oracle?

    • Why would anyone intentionally feed the beast that is Oracle?

      Idiot PHBs who think that if it's free then it must be worthless. They also like to think paying for support will get them anything useful.
