Remove JDK due to legal problems with Oracle. #2621
Conversation
|
@citibeth I took a look at this. This PR rips out Java and doesn't even fix packages that depend on it. That breaks, among other things, the entire I also looked at other distros and what they do to package Java. Homebrew, which is far more popular and widely used than Spack, does this: Then I looked at Gentoo. You can find their java page here. They bundle three versions of Java including the Oracle JDK. If you look at Gentoo's ebuild for the Oracle JDK, they require users to download Java manually and put it in a tarball directory. This is like what we do for Intel Parallel Studio and some other tools that @adamjstewart has packaged. I am inclined to do what Homebrew does for now, and print a similar message. Then we can package RedHat's IcedTea/OpenJDK or some other decent open implementation, and make |
|
@tgamblin I think the above could be a grave mistake, for the following reasons:
I see that some things do depend on Java; claiming that it breaks the entire What got me really concerned is the article above in The Register: even organizations that DID download Oracle's JDK and thought it was "free" are later in for a nasty (and expensive) surprise. That's different from MATLAB, where you know it's proprietary, and by the time you have the tarball you already know what it will cost you and have paid for it. It feels like a booby trap, and I just don't think we should be doing auto-anything with a package that could cost organizations large amounts of money if they install it (possibly without even realizing they installed it). Yes, we need to get serious about non-booby-trapped alternatives. But until we manage that, I really believe we are better safe than sorry. Even if we take the most extreme step of removing Java, I believe only a very few users will notice. But really.. we should at least consider merging #1298 |
|
In the long run, I agree that we need to package OpenJDK, make java a virtual dep, and set OpenJDK as the default. We should also remove the auto-download/auto-accept feature for Oracle JDK, à la #1298. I think the only thing stopping us from doing this is that no one has packaged OpenJDK yet. Let me take a look at it tomorrow and see how much work it would be to do. It can't be that hard. |
|
Nvm, just noticed #2622 |
|
@adamjstewart: I started packaging IcedTea (bootstrapper for OpenJDK), so also check that out in #2624. |
|
I am not a lawyer. I've sent this upstream within my organization. Amongst the reasons that I find Java tiresome is the marketing and branding confusion that they've created. Packaging the software with an implicit booby-trap is doubly irritating. I'm reasonably confident that we're not using any of the licensed tech (but not so comfortable that I haven't raised the question). I will be very sad if it is ripped out entirely. I can live with (sigh...) a package that requires me to download the tarball in person (satsifying @citibeth's point #2 above) and then automagic'ing the rest. @tgamblin -- If "someone" just did (pardon my realtime python...) def fetch(self):
print "You must download the tarball to %s" % blah.foo.bar()
# raise an error here....Would that be enough to disable the automagic and force a person to accept the license? I don't know if the OpenJDK would work for our users, but Murphy's law makes it unlikely. |
|
Have we seen this anyplace other than The Register? Fake news, etc.... A bit of quick googling isn't turn up anything. I haven't seen a fuss on Hacker News and don't follow Slashdot or Reddit these days but if this were a conflagration I'd expect to have seen flames... |
|
@hartzell: we've actually had pretty good luck with OpenJDK here. Atlassian even supports it for their rather complicated suite of applications, so I think it is pretty solid. I'm reasonably convinced it's the answer to the Java issue, and we'll make Java virtual so that if you must have Oracle's JDK you can drop it in. The nasty thing about OpenJDK is getting it to build. But at least Spack is reasonably good at that part... |
|
I'm not the java Decider, it'll be up to those who are to see what makes them happy. I'm glad that spack enables so much! #1298 seems to be red. Is someone polishing it up? |
|
@hartzell: it is a reasonable response. Although I would rather just get OpenJDK dropped in so that there is SOME automatic solution. @adamjstewart said I should ping him about that today. |
|
I thought I rebased that pr yesterday. Will lrrk at it tonight and fix up.
…On Dec 19, 2016 1:05 PM, "George Hartzell" ***@***.***> wrote:
@citibeth <https://github.com/citibeth> -- Does #1298
<#1298> [still] seem like a reasonable
response to the issue?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#2621 (comment)>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/AB1cd8D9EPGQcx1NmDTvQ12mNiLiEbwBks5rJsdNgaJpZM4LQN6y>
.
|
|
@citibeth -- Great and Thanks! |
|
#1298 is ready for review. |
@tgamblin
The Oracle JDK is surrounded by murky legal issues, and Oracle is now suing users for licensing fees. The current advice is that potential users should seek advice from their legal departments before downloading or installing Oracle JDK. Ignoring this advice could be costly for a typical HPC center, with thousands of nodes in its parallel cluster. Spack (LLNL) could be sued as well.
http://www.theregister.co.uk/2016/12/16/oracle_targets_java_users_non_compliance/
The safest action for Spack would be to remove JDK from its repository (this PR). I would recommend we do that immediately, pending an opinion from LLNL legal department. We should then consider merging #1298. Removing legal liability should take precedence over getting the perfect PR here (which can be done later).