Oh man, when it rains, it pours.
Today, my ZDNet colleague Ed Bott published a scathing investigative report on how Oracle partners with shovelware companies in order to monetize the distribution of the Java JRE.
Given that I work for a company that competes with Oracle in the software development arena with its own programming languages and various other software products, I don't want to give the impression that I am slamming a competitor by endorsing Ed's article.
However, strictly from a personal standpoint, I am shocked that a wealthy company such as Oracle would seek to monetize Java in such a fashion when its licensing efforts are (almost certainly) far more lucrative than collecting perhaps 30 cents (or even less) for every Ask.com install side-loaded on an end-user desktop as a result of each Oracle Java JRE install.
I do feel that Ed's investigative work speaks for itself and as an end user, you should be thinking very carefully about whether or not you should be installing Java on your system given the knowledge that he has now supplied you with.
You should also be aware of advisories from Homeland Security in recent days that detail vulnerabilities in the software, which should legitimately concern you if you have PCs with it installed.
That being said, if you must use Java, do not use the one that comes from Java.com, which is the variant that includes the shovelware install that Ed has written about. Instead, use the one that software developers use.
Specifically, you want the Java SE Runtime Environment 7, for x86 Windows 32-bit (offline install) as depicted in the header graphic of this article and linked above. This is the one that includes the required plug-in to make the 32-bit versions of Internet Explorer, Chrome, and Firefox work with web pages that use Java Web Start (JNLP) apps.
What's the difference? Well, this one is targeted toward software developers who write applications in Java, versus end users who install Java because they are prompted by any random web page that says they are missing a required plug-in.
The JRE code that it uses is identical, but the installers are quite different. The software developer version does not have the tricky shovelware installer that Ed has written about.
While we are on the subject of JREs, I'd like to point out there are other implementations of Java that the industry should consider using going forward if Oracle's icky practices like those that Ed describes continue along with said security vulnerabilities.
First is OpenJDK, which is an open-source project that is sponsored and hosted by Oracle but has the participation of individual contributors and other companies that include IBM and Red Hat.
At the moment, there is no pre-baked Windows installer for OpenJDK of current vintage, but it would not be a significant effort for one of the open-source groups that was interested in an independent JRE installable implementation to spin one of these every time a major patch release of Java comes out.
The next is IBM's own J9, which is a high-performance Java 2 SE/J2EE JRE that is distributed with the company's various enterprise software packages that use Java, such as WebSphere and the Lotus Notes client.
IBM does not distribute an easy end-user Windows installer for J9 on the web that just works out of the box, but it does distribute it as part of its Eclipse Developer Kit.
As a former IBMer, I know this software works perfectly well with Java Web Start apps, and it would not be a significant effort for IBM just to package this up with no implied end-user desktop support to garner good will.
What's in it for IBM, you say? Happy customers.
There are also third-party "Java-like" VMs, which contain no actual Java code and are not Oracle Java certified, that the industry might consider porting its apps to if the security and ethical distribution of Oracle's JVM becomes an ongoing concern.
One is Apache Harmony, which is what Google's Dalvik VM in Android was originally based on. Harmony is currently in a stable milestone release that dates back to 2010. Apache halted development on Harmony in 2011 when IBM lent its support to OpenJDK instead.
I have not done enough testing with Harmony to know which JNLP apps work and which ones do not, so your mileage may vary. While the software is no longer actively developed, there may now be renewed interest in the project given recent security concerns with Oracle's own JRE code.
A second option the industry may wish to pursue is Dalvik itself. Given the popularity of the Android OS in mobile, it would be neither a stretch nor a wasted effort to start an open-source project that uses Dalvik as the basis of a "Java-like" VM for launching, in a browser on desktop OSes, re-compiled Java applications that run using Dalvik bytecode.
Ultimately, I would like to see Google lead this effort, perhaps as part of the overall Chrome/Chromium browser project.
Should the industry pursue alternatives to Oracle's own JVM for running Java applications on the web? Talk back and let me know.