Just one data point: our IT has now blocked the whole java.com domain. Oracle Java is now primarily seen as an infection you get through the Java Updater. Yes, I know of OpenJDK and I'm currently in the process of migrating machines to it, but I can assure you the damage to Java is very real.
OpenJDK is the name of the JDK developed primarily by Oracle.
java.com is the website for "consumer-side" Java -- i.e. the desktop JRE. The JRE and "consumer Java" no longer exist (as they've been replaced by jlink), and so the website is out of date and largely irrelevant. I hope someone soon figures out what other use to put it to.
You might not like it, but java.com/download is still the first result when searching for Java.
I am aware what OpenJDK is and who develops it, and I can handle the changes to our systems just fine, but I'm an engineer, not a manager. I can assure you that the confusion around Java is very real, as well as IT departments worrying about machines updating to a Java version requiring a commercial license.
I don't think that the desktop JRE's autoupdater can automatically update to versions (of the old JDK 8) that now require a commercial license, but I'm not sure. I'll ask. But I understand and agree that communication/websites can and should be clearer/easier to find.
EDIT:
I asked about the JRE autoupdater, and got this answer:
> Before update, it will offer to change the license to personal use (or to get a commercial one) or remove the software. It will default to remove. You can also choose not to upgrade and not to remove and keep using an out-of-date version. And if you accidentally remove, you can still get the old free versions from the Java archives.
This is the core piece of crucial information in all this, and I haven't found it anywhere else.
We have Java installed. As far as I know, we never told the installer if our use was planned to be commercial or personal. But in a few days, personal-use-installations will get a free update and commercial-use-installations will...
A) not get updates, through the updater using heuristics and mind-reading to divine that the installation is not personal?
B) get the update and thus be expensively out of compliance with the license?
C) have the updater present the problem to the end user and expect them to carefully consider the legal situation?
I think many people have assumed that the answer is B and are currently busy uninstalling Java everywhere, but if I understand you right the answer is actually C?
Is there more information on this anywhere? Most importantly, what is the correct official way to tell the updater ahead of time to keep the old version and never update? (We have a legacy application that uses applets.)
The answer is C.
I got prompted with a Java update and just went ahead with it, without much consideration; I mean, it's just a Java update, I don't even use Java for anything on this machine but w/e. This morning I got a panicked email from our IT, sent to a significant portion of the company about the fact that we now run a commercially-licensed version.
There is no longer a parasitic Java installation on my computer.
> I asked about the JRE autoupdater, and got this answer:
Thank you for asking! It all depends on the warning that is displayed, of course. I still think that our IT has a good point in blocking the update completely.
Dude, java.com has been irrelevant for as long as Java Applets have been on the way out - approximately 15 years.
There are reasons not to use Java (such as it being legacy tech and the PITA that is using Spring and Maven when those are supposed to make life easier), but historic Java Applet vulnerabilities aren't one of them.
Dude, this is not about applets. This is about the Java Updater possibly updating to a version requiring a commercial license. It may be that the updater does not do this by default, but I've not yet seen any official statement about this.