Universities should also have adjusted: Java has been commercial for long now, and there are many other popular, less commercially-aggressive programming languages that would fit curriculum nicely: Python, Golang, etc.
The top programming languages by popularity or job openings seem to be a toss-up between python, JS (or things that compile to JS), and SQL. Other less used languages might lead to steeper career advances - there's still a market for COBOL programmers for example with more demand than supply - but that's not what I would like a college to start out with as a first language.
As a teaching language for top-end CS degrees, going python-first would be an experiment. Theory says it'll turn out badly; in practice I'm not sure especially if there is an emphasis on good coding practice. Python for a degree with a bit of programming but not full CS is in my opinion the correct choice, but that doesn't mean we should ban it for CS degrees.
If I had to choose a language for teaching a module on object-oriented programming, I'd go with golang, not Java or C#. Not because of licences, but because we've learnt things about subclassing and exceptions and design patterns to get around language restrictions that golang mostly fixes so it's easier to pick up the spirit of modern OOP.
golang should not be on the list of corriculums. Neither should any language owned by a corporation.
The only language that can be on the list are open standards language that has multiple implementations, and is "free" (as in libre).
Not to mention it should be a language that demonstrates an idea - such as python for procedural, haskell for functional, and LISP-likes for well, lisps.
Oracle threatened our organization with 10m in fines because of some rogue apps here and there, gave us 5 days to remediate it. I believe they went with a mix of OpenJDK & Corretto. (100k+ org)
Yes, the previous company I worked at redirected the Oracle download pages to a custom page explaining the problem and offering alternatives. That was nice.
it's surprising that Oracle doesn't see that it has become it's own risk. sure they have a lot of legacy lock in, but who in this day and age is making the choice to buy Oracle.
I've worked in this sector (not at a university specifically, but a scientific lab in the UK). There are going to be two main issues here.
First off, many researchers from other institutions come on site and they'll be downloading and using whatever software they are used to with no controls whatsoever. These scientists basically act independently of the institution, in some cases not even having the same line management and being paid by someone else.
Secondly they get site licenses for a lot of what would normally be extremely expensive software (think CAD packages, EDA) for very low prices because of their educational status. If I was to guess, some of this uses Oracle Java. They won't have good tracking around what software is or was used where.
This all gives them an open-ended liability if Oracle come knocking, as apparently they did, so they'll be keen to remove "legal uncertainty" by paying the Danegeld.
Because some students (or teachers), not knowing any better, downloaded it / are using it on the university network. The university has no idea who and no real way to get them to stop.
Am I right in thinking this resembles the the "bracelet scam"? A person (in this case a big company) gives you something, acts like it's free, then demands money.
Universities do not need Java per se, leave alone Oracle Java.
Other than uninformed, spurious Oracle JDK downloads, what usually happens is an academic or a faculty have purchased an app or a software product in the past that performs features A, B and C important to them[0], and that app or product, unbeknownst to them, bundles the Oracle JDK/JRE in. The Lord of Java has now trapped their butts and demands that universities fork out quiet a bit as Oracle wants a per student licence fee for each such app, even if it is just one faculty who uses the app.
[0] Or at least they think so – software duplication is a rampant problem in universities due to oftentimes poor architectural governance and oversight.
Same thing happens in Latin America with Microsoft. They give schools free Windows licenses, so we're expected to teach students how to code using C# instead of Python
When I first time had Linux class twenty years ago at a secondary school first thing the often gentoo ltsp server compiling teacher told us was how he wrote a bookkeeping program using some proprietary tech and then had to pay so much for like the rest of his life that it wasn’t funny at all,
Now I know firsthand why rms calls cellphones tracking devices etc
We are in the Middle Ages of software or something :D
I heard a story (unconfirmed) that at the time Oracle was buying Sun, it was pretty obvious that owning Java then suing people, most notably Google, was the whole point.
Google not buying Sun may go down as one of their poorest decisions. I mean rumor has it, Google offered $6 billion to buy GroupOn (which they turned down). If GroupOn is worth $6B (it isn't) then owning Java is worth $7.5B.
I suspect Google believed they had an implicit license from Sun to use Java on Android, otherwise this was a massive licensing failure. While Sun still existed, even buying a token license would've been cheap.
Now Google ultimately prevailed in their lawsuit setting an important precedent but at what cost? It was over a decade of uncertainty and cost who knows how much in legal fees. And while it was ongoing, Android was under a cloud and Google had to abandon a bunch of things it was otherwise doing with Java.
I'm not super versed in the detailed, but as a result haven't Android's Java and OpenJDK diverged substantially at this point? As far as I understand you can't just run Java code (post version 8 I think) on Android. It's why you can't for instance write a Clojure app for Android.
Maybe someone who knows more could fill in the details
Do not fall into the trap of anthropomorphising Larry Ellison. You need to think of Larry Ellison the way you think of a lawnmower. You don't anthropomorphize your lawnmower, the lawnmower just mows the lawn, you stick your hand in there and it'll chop it off, the end. You don't think 'oh, the lawnmower hates me' -- lawnmower doesn't give a shit about you, lawnmower can't hate you. Don't anthropomorphize the lawnmower. Don't fall into that trap about Oracle
From "Fork Yeah! The Rise and Development of Illumos" by Bryan Cantrill at LISA'11 [1]. Utterly amazing talk and I almost feel like it is given a disservice by everyone simply quoting that (albeit great) line.
I actually think that it does a disservice to not go to Nazi
allegory, because if I don't use Nazi allegory when referring
to Oracle there is some critical understanding that I have
left on the table; there is an element of the story that you
can't possibly understand.
In fact, as I have said before and I emphatically believe, if
you had to explain the Nazis to somebody who had never heard
of WWII but was an Oracle customer, there's a very good chance
that you actually explain the Nazis in Oracle allegory.
So, it's like: "Really, wow, a whole country?"; "Yes, Larry
Ellison has an entire country"; "Oh my god, the humanity! The
License Audits!"; "Yeah, you should talk to Poland about it,
it was bad. Bad, it was a blitzkrieg license audit."
It’s similar to the Oracle database. It's easy to mistakenly use an extra feature, and later, you are hit with non-compliance that can go away with a new purchase.
I’m a founder of Quesma to make migrations easier, and regularly hear horror stories. It
I love the idea of a dense foliage of companies that offset the licensing practice of Oracle. It's such and odd and unexpected occurrence, yet I can't think of any other way to eat oracle's lunch.
You're basically betting on Oracle being evil, Corporations still buying their product, and those same corporations being surprised when Oracle screws them over. That seems like a sure thing to me.
What you get is a distribution of OpenJDK, one of which is by Oracle. There’s also one by RedHat and by Eclipse and others.
You may be thinking of the Hotspot JVM and the answer is that Hotspot offers negligible difference and I’m not sure even exists for the later versions of Java.
If you use Oracle OpenJDK in production (past a specific patch point for some versions) to the best of my knowledge you are probably still on the hook for the licensing fees.
(They allow it in development in order to get you to use it in production at which point the lawyers pounce).
At my company we use RedHat OpenJDK on RedHat VMs and Eclipse Temurin OpenJDK in docker containers.
(Other JVMs include Graal (also owned by Oracle)).
OpenJDK includes HotSpot and the class libraries. OpenJDK licences do not cost money, even if you use the one from Oracle past a certain patch point. Builds of OpenJDK from other vendors like Red Hat and Microsoft are based on the OpenJDK source code from Oracle.
Oracle JDK is the non-free version that shares the same code base as OpenJDK. Oracle provides a restricted licence for this build, under which it is free to use in certain cases, up until specific patches. Later patches (usually a few years after the initial release date) require a licence fee. This does not apply to Oracle OpenJDK, which is released under the GPL.
If you want to avoid HotSpot altogether, the other options include Graal (used with OpenJDK class libraries), IBM OpenJ9 and IKVM.NET.
Thanks for the explanation -- back when I wrote Java, it was a choice between "Oracle Java" (i.e. Oracle JDK) and the OpenJDK -- where you downloaded was different and what you agreed to download was different.
> If you use Oracle OpenJDK in production to the best of my knowledge you are probably still on the hook for the licensing fees.
I'd be surprised by this but I guess that is par for the course.
> At my company we use RedHat OpenJDK on RedHat VMs and Eclipse Temurin OpenJDK in docker containers.
Thanks for clarifying -- do you find any differences that were important? Or is it more you've never needed the Oracle distribution so you never had reason to find out?
I'm just wondering why anyone would choose Oracle's distribution in this day and age. Who are their main customers that are happy to be customers?
I would assume universities had clever enough people to use OpenJDK distributions instead of Oracle Java installers.
It is like complaining they are paying for Visual Studio and Apple XCode developer licenses (Apple tax, anual membership, whatever you feel like calling it), instead of using plain GCC or clang.
But hey, lets hate Oracle for the universities broken decision making process.
I think it’s ok to tsk at both parties. The universities should’ve known better, and Oracle shouldn’t have gone after them even if they’re technically allowed to. I mean, I know the latter is like getting mad at a dog for eating a steak laying on the floor. That’s just what they do. But still.
You have Java software, you need Java, you say “Download Java”, first link is on Java.com which owned by Oracle. When you open the link there’s zero mention of potential million fees for using it.
Oracle is doing scummy business here, just acknowledge it.
I would expect universities to have a skill level beyond that basic knowledge of street level people that equate the English Java word with coffee beans.
The comments make it sound as if Oracle can just demand money from any Java user. That's not the case, if you were already paying for Oracle Java and support, there seems to have been a change of terms.
If you don't need the support, just use openjdk, what's the problem? What's with the insistence on providing something for free or however much you want to pay for it? Get better terms or switch vendors! Java is an abundant ecosystem with multiple paid support providers.
I still don't understand why companies keep using Java.
It's like they are masochistically believing in a religious entity or something.
Risk assessment over the years says: Never use Java. I wouldn't risk my company over something as stupid as choosing an SDK from Oracle. As a company I would DNS block all Oracle domains and services by default and write it down in the contracts to make using Java a hostile action against the company.
There are better open/libre alternatives, even when you are too stubborn to use a lower-risk-to-the-company language.
At this point, even Perl is a lower operational risk because at least you won't get sued for using it.
Edit: to prevent confusion I am mentioning now that Java(tm) is not the same as Java, the language. And that's the legal risk I am talking about, which Oracle used in their lawsuits a bunch of times, including in the Oracle vs Google case where Oracle tried to make APIs (such as OpenJDK or Kotlin) patentable.
There are legitimate use cases where you would want first-party support from Oracle and would be willing to pay for it. I know we clown on those who didn’t just start with OpenJDK but let’s not forget that Oracle actually sells a top-tier product for those who need it.
This is so backwards, it's hard not to take it as a troll.
There is zero risk to using Java. People standardly use OpenJDK builds, which are freely and widely available under open source licensing (GLPv2 + classpath exception). In regards to maintenance, Java continues to be one of the most highly invested languages in existence.
In addition to the licensing risks there's significant technical risk, IME. Chief among them is making sure your colleagues are sufficiently literate to have read Bloch's and Goetz's (et al.) books, and sufficiently tasteful to synthesize those lessons into code which isn't horrible. This is exceedingly rare in practice. So there's the same risk, approximately, as with every other programming language and that's reckless Dunning-Kruger ass programmers.
It's not about Java but Oracle and their shady licencing practice.
Java (and it's derivatives) is an amazing language and JVM is nothing short of an engineering miracle. It's highly useful in building reliable enterprise services.
I remember when my university had a relationship with Sun that let us see Java (Oak) early.
And then -- given that Java was smart, OO, in the Web browser, going big, and free -- built an intro CS curriculum around it. Like many universities.
That history of universities promoting the adoption of Java, and training a generation of Fortune 500 corporate coders in it, has not gone unpunished.
Universities should also have adjusted: Java has been commercial for long now, and there are many other popular, less commercially-aggressive programming languages that would fit curriculum nicely: Python, Golang, etc.
The top programming languages by popularity or job openings seem to be a toss-up between python, JS (or things that compile to JS), and SQL. Other less used languages might lead to steeper career advances - there's still a market for COBOL programmers for example with more demand than supply - but that's not what I would like a college to start out with as a first language.
As a teaching language for top-end CS degrees, going python-first would be an experiment. Theory says it'll turn out badly; in practice I'm not sure especially if there is an emphasis on good coding practice. Python for a degree with a bit of programming but not full CS is in my opinion the correct choice, but that doesn't mean we should ban it for CS degrees.
If I had to choose a language for teaching a module on object-oriented programming, I'd go with golang, not Java or C#. Not because of licences, but because we've learnt things about subclassing and exceptions and design patterns to get around language restrictions that golang mostly fixes so it's easier to pick up the spirit of modern OOP.
4 replies →
golang should not be on the list of corriculums. Neither should any language owned by a corporation.
The only language that can be on the list are open standards language that has multiple implementations, and is "free" (as in libre).
Not to mention it should be a language that demonstrates an idea - such as python for procedural, haskell for functional, and LISP-likes for well, lisps.
18 replies →
Oracle threatened our organization with 10m in fines because of some rogue apps here and there, gave us 5 days to remediate it. I believe they went with a mix of OpenJDK & Corretto. (100k+ org)
Does anyone block oracle domains to prevent a rogue employee accidentally downloading java?
Yes, the previous company I worked at redirected the Oracle download pages to a custom page explaining the problem and offering alternatives. That was nice.
[dead]
Yes, we redirect to Open JDK
Yep!
Our company does this too, but it sucks when you are googling for some info and it’s on oracle page. Still there is no better solution unfortunately
Using anything from Oracle as a business risk
it's surprising that Oracle doesn't see that it has become it's own risk. sure they have a lot of legacy lock in, but who in this day and age is making the choice to buy Oracle.
Yeah surprised they haven't released a paid product to block other Oracle products.
Government.
They make enough sales, so it's obvious from the evidence that their strategy isn't hurting them.
1 reply →
Why would universities need Oracle Java specifically?
I've worked in this sector (not at a university specifically, but a scientific lab in the UK). There are going to be two main issues here.
First off, many researchers from other institutions come on site and they'll be downloading and using whatever software they are used to with no controls whatsoever. These scientists basically act independently of the institution, in some cases not even having the same line management and being paid by someone else.
Secondly they get site licenses for a lot of what would normally be extremely expensive software (think CAD packages, EDA) for very low prices because of their educational status. If I was to guess, some of this uses Oracle Java. They won't have good tracking around what software is or was used where.
This all gives them an open-ended liability if Oracle come knocking, as apparently they did, so they'll be keen to remove "legal uncertainty" by paying the Danegeld.
Because some students (or teachers), not knowing any better, downloaded it / are using it on the university network. The university has no idea who and no real way to get them to stop.
Am I right in thinking this resembles the the "bracelet scam"? A person (in this case a big company) gives you something, acts like it's free, then demands money.
4 replies →
Universities do not need Java per se, leave alone Oracle Java.
Other than uninformed, spurious Oracle JDK downloads, what usually happens is an academic or a faculty have purchased an app or a software product in the past that performs features A, B and C important to them[0], and that app or product, unbeknownst to them, bundles the Oracle JDK/JRE in. The Lord of Java has now trapped their butts and demands that universities fork out quiet a bit as Oracle wants a per student licence fee for each such app, even if it is just one faculty who uses the app.
[0] Or at least they think so – software duplication is a rampant problem in universities due to oftentimes poor architectural governance and oversight.
Same thing happens in Latin America with Microsoft. They give schools free Windows licenses, so we're expected to teach students how to code using C# instead of Python
Pay the money. Make it day 1 case study in CS class on why selecting your tech stack carefully matters.
Can probably use it for law classes too. And ethics.
When I first time had Linux class twenty years ago at a secondary school first thing the often gentoo ltsp server compiling teacher told us was how he wrote a bookkeeping program using some proprietary tech and then had to pay so much for like the rest of his life that it wasn’t funny at all, Now I know firsthand why rms calls cellphones tracking devices etc We are in the Middle Ages of software or something :D
I heard a story (unconfirmed) that at the time Oracle was buying Sun, it was pretty obvious that owning Java then suing people, most notably Google, was the whole point.
Google not buying Sun may go down as one of their poorest decisions. I mean rumor has it, Google offered $6 billion to buy GroupOn (which they turned down). If GroupOn is worth $6B (it isn't) then owning Java is worth $7.5B.
I suspect Google believed they had an implicit license from Sun to use Java on Android, otherwise this was a massive licensing failure. While Sun still existed, even buying a token license would've been cheap.
Now Google ultimately prevailed in their lawsuit setting an important precedent but at what cost? It was over a decade of uncertainty and cost who knows how much in legal fees. And while it was ongoing, Android was under a cloud and Google had to abandon a bunch of things it was otherwise doing with Java.
Oracle is just the worst.
The legal fees were small change to Google
I'm not super versed in the detailed, but as a result haven't Android's Java and OpenJDK diverged substantially at this point? As far as I understand you can't just run Java code (post version 8 I think) on Android. It's why you can't for instance write a Clojure app for Android.
Maybe someone who knows more could fill in the details
Do not fall into the trap of anthropomorphising Larry Ellison. You need to think of Larry Ellison the way you think of a lawnmower. You don't anthropomorphize your lawnmower, the lawnmower just mows the lawn, you stick your hand in there and it'll chop it off, the end. You don't think 'oh, the lawnmower hates me' -- lawnmower doesn't give a shit about you, lawnmower can't hate you. Don't anthropomorphize the lawnmower. Don't fall into that trap about Oracle
From "Fork Yeah! The Rise and Development of Illumos" by Bryan Cantrill at LISA'11 [1]. Utterly amazing talk and I almost feel like it is given a disservice by everyone simply quoting that (albeit great) line.
[1]: https://youtube.com/watch?v=-zRN7XLCRhc
Thank you for sharing the attribution and link. Quote begins around 38m28s:
https://www.youtube.com/watch?v=-zRN7XLCRhc&t=2308s
He's a 4A: An Asshole Amongst Assholes. That's how Oracle and Microsoft made their fortunes: unrestrained greed.
More like "lack of effective competition."
I actually think that it does a disservice to not go to Nazi allegory, because if I don't use Nazi allegory when referring to Oracle there is some critical understanding that I have left on the table; there is an element of the story that you can't possibly understand.
In fact, as I have said before and I emphatically believe, if you had to explain the Nazis to somebody who had never heard of WWII but was an Oracle customer, there's a very good chance that you actually explain the Nazis in Oracle allegory.
So, it's like: "Really, wow, a whole country?"; "Yes, Larry Ellison has an entire country"; "Oh my god, the humanity! The License Audits!"; "Yeah, you should talk to Poland about it, it was bad. Bad, it was a blitzkrieg license audit."
https://www.youtube.com/watch?v=79fvDDPaIoY&t=1459s
The actual Nazis went with IBM though. Oracle wasn't born yet.
There is a lineage argument as Java built on IBM's CORBA.
1 reply →
Could they use Amazon Corretto instead?
Of course, but making multi-million 'deals' makes them feel important. It's not coming out of their salary anyway.
It’s similar to the Oracle database. It's easy to mistakenly use an extra feature, and later, you are hit with non-compliance that can go away with a new purchase.
I’m a founder of Quesma to make migrations easier, and regularly hear horror stories. It
I love the idea of a dense foliage of companies that offset the licensing practice of Oracle. It's such and odd and unexpected occurrence, yet I can't think of any other way to eat oracle's lunch.
You're basically betting on Oracle being evil, Corporations still buying their product, and those same corporations being surprised when Oracle screws them over. That seems like a sure thing to me.
Can anyone who still uses Java opine a bit on where it's better to use Oracle versus OpenJDK?
OpenJDK isn’t a thing you can get.
What you get is a distribution of OpenJDK, one of which is by Oracle. There’s also one by RedHat and by Eclipse and others.
You may be thinking of the Hotspot JVM and the answer is that Hotspot offers negligible difference and I’m not sure even exists for the later versions of Java.
If you use Oracle OpenJDK in production (past a specific patch point for some versions) to the best of my knowledge you are probably still on the hook for the licensing fees.
(They allow it in development in order to get you to use it in production at which point the lawyers pounce).
At my company we use RedHat OpenJDK on RedHat VMs and Eclipse Temurin OpenJDK in docker containers.
(Other JVMs include Graal (also owned by Oracle)).
OpenJDK includes HotSpot and the class libraries. OpenJDK licences do not cost money, even if you use the one from Oracle past a certain patch point. Builds of OpenJDK from other vendors like Red Hat and Microsoft are based on the OpenJDK source code from Oracle.
Oracle JDK is the non-free version that shares the same code base as OpenJDK. Oracle provides a restricted licence for this build, under which it is free to use in certain cases, up until specific patches. Later patches (usually a few years after the initial release date) require a licence fee. This does not apply to Oracle OpenJDK, which is released under the GPL.
If you want to avoid HotSpot altogether, the other options include Graal (used with OpenJDK class libraries), IBM OpenJ9 and IKVM.NET.
Thanks for the explanation -- back when I wrote Java, it was a choice between "Oracle Java" (i.e. Oracle JDK) and the OpenJDK -- where you downloaded was different and what you agreed to download was different.
> If you use Oracle OpenJDK in production to the best of my knowledge you are probably still on the hook for the licensing fees.
I'd be surprised by this but I guess that is par for the course.
> At my company we use RedHat OpenJDK on RedHat VMs and Eclipse Temurin OpenJDK in docker containers.
Thanks for clarifying -- do you find any differences that were important? Or is it more you've never needed the Oracle distribution so you never had reason to find out?
I'm just wondering why anyone would choose Oracle's distribution in this day and age. Who are their main customers that are happy to be customers?
If you've got an old Dell EqualLogic PS Series SAN, then you'll need Oracle Java for running the admin GUI: https://www.dell.com/support/kbdoc/en-us/000139168/dell-equa...
Thank you! This is a great example -- interesting that a SAN would be a cause for this kind of requirement, but I can understand that.
I would assume universities had clever enough people to use OpenJDK distributions instead of Oracle Java installers.
It is like complaining they are paying for Visual Studio and Apple XCode developer licenses (Apple tax, anual membership, whatever you feel like calling it), instead of using plain GCC or clang.
But hey, lets hate Oracle for the universities broken decision making process.
I think it’s ok to tsk at both parties. The universities should’ve known better, and Oracle shouldn’t have gone after them even if they’re technically allowed to. I mean, I know the latter is like getting mad at a dog for eating a steak laying on the floor. That’s just what they do. But still.
You have Java software, you need Java, you say “Download Java”, first link is on Java.com which owned by Oracle. When you open the link there’s zero mention of potential million fees for using it.
Oracle is doing scummy business here, just acknowledge it.
Remember when installing Java would install malware too? White smoke I think it was called
I would expect universities to have a skill level beyond that basic knowledge of street level people that equate the English Java word with coffee beans.
2 replies →
I imagine if they had a preinstalled OpenJDK policy, they'd be stuck on a horribly out of date version.
Let’s think about Cory Doctorow‘s idea about IP rights
https://pluralistic.net/2025/02/26/ursula-franklin/
It's the end times for Oracle..?
The comments make it sound as if Oracle can just demand money from any Java user. That's not the case, if you were already paying for Oracle Java and support, there seems to have been a change of terms.
If you don't need the support, just use openjdk, what's the problem? What's with the insistence on providing something for free or however much you want to pay for it? Get better terms or switch vendors! Java is an abundant ecosystem with multiple paid support providers.
Universities should be setting a moral standard.
They should have never been ilegally using Java in the first place.
They should have never been using (Oracle) Java in the first place.
They should set the standard that it's wrong to pay Oracle for anything. That's rewarding bad behaviour.
The only problem with what they did is that they ultimately paid Oracle in the end. They should have stolen and then gotten away with it.
This is probably one of those stupid online jokes, but I’ll bite: what should they use instead?
They should have properly licensed it from the start or have used another runtime.
2 replies →
[dead]
I still don't understand why companies keep using Java.
It's like they are masochistically believing in a religious entity or something.
Risk assessment over the years says: Never use Java. I wouldn't risk my company over something as stupid as choosing an SDK from Oracle. As a company I would DNS block all Oracle domains and services by default and write it down in the contracts to make using Java a hostile action against the company.
There are better open/libre alternatives, even when you are too stubborn to use a lower-risk-to-the-company language.
At this point, even Perl is a lower operational risk because at least you won't get sued for using it.
Edit: to prevent confusion I am mentioning now that Java(tm) is not the same as Java, the language. And that's the legal risk I am talking about, which Oracle used in their lawsuits a bunch of times, including in the Oracle vs Google case where Oracle tried to make APIs (such as OpenJDK or Kotlin) patentable.
There are legitimate use cases where you would want first-party support from Oracle and would be willing to pay for it. I know we clown on those who didn’t just start with OpenJDK but let’s not forget that Oracle actually sells a top-tier product for those who need it.
A top tier product isn't one that changes its licensing terms this way.
1 reply →
This is so backwards, it's hard not to take it as a troll.
There is zero risk to using Java. People standardly use OpenJDK builds, which are freely and widely available under open source licensing (GLPv2 + classpath exception). In regards to maintenance, Java continues to be one of the most highly invested languages in existence.
The question to you in response is:
Are you talking about Java(tm) or Java, the language? Because that is a big operational risk difference.
Edited my original comment.
In addition to the licensing risks there's significant technical risk, IME. Chief among them is making sure your colleagues are sufficiently literate to have read Bloch's and Goetz's (et al.) books, and sufficiently tasteful to synthesize those lessons into code which isn't horrible. This is exceedingly rare in practice. So there's the same risk, approximately, as with every other programming language and that's reckless Dunning-Kruger ass programmers.
It's not about Java but Oracle and their shady licencing practice.
Java (and it's derivatives) is an amazing language and JVM is nothing short of an engineering miracle. It's highly useful in building reliable enterprise services.