Oracle tries to destroy free java – now what?

Seems Oracle bought Sun to become a java patent troll. Trying to destroy the alternative free java implementation that is part of android. Sun used to be agnostic towards Free Software in the past, then became a huge fan on java liberation day. Now that Oracle is in control and starts its quest to destroy the free java world, we are back to the dark ages. So, now what?

Oracle is still distributing a free version of java itself through OpenJDK on which IcedTea is based. Implementations derived from that source base are safe against copyright and patent claims as long as one follows the obligations of the GPL. That is of course only for patent and copyrights Oracle holds or can pass on (through its stewardship of the JCP). To protect against claims by unrelated companies or when you have a free implementation of java not based on code distributed by Oracle, like GNU Classpath, try to get your implementation covered by a Free Software friendly patent pool. For example gcj/libgcj/GNU Classpath (as are some parts of the apache and eclipse java stacks) are part of the “System Components” of OIN (and Oracle has joined OIN).

Finally if you contribute to any Sun/Oracle java implementation demand that they change their Contributor Agreement to be truly reciprocal, not just for copyrights, but also for any patent claims covering the project you contribute to. So that anybody that wants to share the project you contributed to will always and irrevocably get all the rights to do that (not just for the GPL version). Point 3 in the current Sun/Oracle Contributor Agreement isn’t reciprocal, you grant a perpetual, irrevocable, non-exclusive, worldwide, no-charge, royalty-free license to any patent claims you might have to Sun/Oracle, but they are not granting back to you or the wider community any they hold on the project as a whole.

WordPress 3 rocks

WordPress 3.0 integrated Multisite support! I only maintain two blogs, but it was already handy to put them under the same “Super Admin” install. WordPress really is pretty smooth these days and highly customizable.

GNU Hackers Meeting and GUADEC

I’ll be at the GNU Hackers Meeting this weekend and at GUADEC next week.

GNU Hackers Meeting

IcedTea6-1.8 release

Matthias Klose released IcedTea6 1.8. He still doesn’t have a blog (or is that old fashioned already in these web 3.0 micro-message-blogging days). So here is the release announcement he made:

IcedTea6-1.8 release

We are proud to announce the release of IcedTea6 1.8.

The IcedTea project provides a harness to build the source code from OpenJDK using Free Software build tools. It also includes the only Free Java plugin and Web Start implementation, and support for additional architectures over and above x86, x86_64 and SPARC via the Zero assembler port.

New in release 1.8 (2010-04-13):

  • Updated to OpenJDK6 b18.
    • Nimbus Look ‘n’ Feel backported from OpenJDK7.
    • JAXP and JAXWS now external dependencies rather than being in-tree.
    • Updated timezone data
    • Addition of security updates applied in IcedTea6 1.6.2.
    • Many bug fixes
  • Latest security updates and hardening patches:
    • (CVE-2010-0837): JAR “unpack200″ must verify input parameters (6902299)
    • (CVE-2010-0845): No ClassCastException for HashAttributeSet constructors if run with -Xcomp (6894807)
    • (CVE-2010-0838): CMM readMabCurveData Buffer Overflow Vulnerability (6899653)
    • (CVE-2010-0082): Loader-constraint table allows arrays instead of only the base-classes (6626217)
    • (CVE-2010-0095): Subclasses of InetAddress may incorrectly interpret network addresses (6893954)
    • (CVE-2010-0085): File TOCTOU deserialization vulnerability (6736390)
    • (CVE-2010-0091): Unsigned applet can retrieve the dragged information before drop action occurs (6887703)
    • (CVE-2010-0088): Inflater/Deflater clone issues (6745393)
    • (CVE-2010-0084): Policy/PolicyFile leak dynamic ProtectionDomains. (6633872)
    • (CVE-2010-0092): AtomicReferenceArray causes SIGSEGV -> SEGV_MAPERR error (6888149)
    • (CVE-2010-0094): Deserialization of RMIConnectionImpl objects should enforce stricter checks (6893947)
    • (CVE-2010-0093): System.arraycopy unable to reference elements beyond Integer.MAX_VALUE bytes (6892265)
    • (CVE-2010-0840): Applet Trusted Methods Chaining Privilege Escalation Vulnerability (6904691)
    • (CVE-2010-0848): AWT Library Invalid Index Vulnerability (6914823)
    • (CVE-2010-0847): ImagingLib arbitrary code execution vulnerability (6914866)
    • (CVE-2009-3555): TLS: MITM attacks via session renegotiation
    • 6639665: ThreadGroup finalizer allows creation of false root ThreadGroups
    • 6898622: ObjectIdentifer.equals is not capable of detecting incorrectly encoded CommonName OIDs
    • 6910590: Application can modify command array in ProcessBuilder
    • 6909597: JPEGImageReader stepX Integer Overflow Vulnerability
    • 6932480: Crash in CompilerThread/Parser. Unloaded array klass?
  • Old plugin removed; NPPlugin is now the default and is controlled by –enable/disable-plugin. As with the old plugin, it produces a library rather than
  • Dependence on the binary plugs mechanism removed. The plugin and NetX code is now imported into the JDK build in the same manner as langtools, CORBA, JAXP and JAXWS.
  • Fix for plugin buffer overflow:
  • Fix issue with ant -diagnostics on ant 1.8.0 due to changed exit code
  • Zero/Shark
    • Shark is now able to build itself.
    • For ARM, add Thumb2 JIT.
    • Fixed Shark sharkCompiler mattr memory corruption bug when using llvm 2.7.

The tarball can be downloaded here:

The following people helped with this release: Gary Benson, Deepak Bhole, Andrew John Hughes, Mark Wielaard, Nobuhiro Iwamatsu, Matthias Klose, Ed Nevill, Pavel Tisnovsky, Xerxes Rånby, and many others.

We would also like to thank the bug reporters and testers!

To get started:

$ hg clone
$ cd icedtea6-1.8

Full build requirements and instructions are in INSTALL:

$ ./configure [--enable-visualvm --with-openjdk --enable-pulse-java --enable-systemtap --enable-nss ...]
$ make


Jonas looks at Roos

Jonas got a little sister, Roos

Fosdem SystemTap Interview

Did an interview for FOSDEM about SystemTap. It discusses a wide range of topics. About when I got involved with Free Software, working for Red Hat, how FOSDEM helped the libre Java community, getting Fedora more observable by adding static markers into programs, the history of observation tools (tracers, profilers, debuggers) on GNU/Linux, comparisons to other tools like DTrace, GUI frontends, Eclipse integration, the future of SystemTap and of course why you should come to FOSDEM.

Fosdem talk – Full System Observability with SystemTap

I'm going to FOSDEM, the Free and Open Source Software Developers' European MeetingReally looking forward to Fosdem next month. This year I will be giving a talk What is my system doing – Full System Observability with SystemTap during one of the main tracks. There will be some demos of the new systemtap java and python tracing support that I blogged about earlier.

FOSDEM, the Free and Open Source Software Developers' European Meeting

Michael Meeks on Copyright Assignment

Michael Meeks published a though provoking essay called Some thoughts on Copyright Assignment. It is a must read when working with Free Software projects that request legal assignment of contributions to a corporation.

It contains sane recommendations both for individual contributors, project leaders and corporations seeking assignments.

Next step – SystemTap java hotspot jstack() support

Just checked in support for getting java backtraces from hotspot through systemtap. This is the next step in making not just the kernel and native programs observable, but also runtime based languages with SystemTap. And it is pretty powerful. It allows you to answer the question “How did I get here?” in combination with any of the SystemTap tapsets for VM level tracing, Java method entry/exit tracing, Native methods (JNI) tracing, or any other basic SystemTap function, statement or process probe that points into your java process. Just add one of the print_jstack() variants to your code (possibly including native frame and method signatures) and suddenly it is really easy to see what triggered a particular code path:

$ stap -e 'probe hotspot.jni.CallObjectMethod { log (probestr); print_jstack() }' -c 'java ModalTest'


You currently need both IcedTea6 from mercurial and Systemtap from git to play with it. But both projects are planning new releases soon.

FudCon Success – Systemtap meets Python

At FudCon, David Malcolm, Jon VanAlten, Will Cohen and I sat down, had some fun and made tracing python methods through systemtap possible:

0 python(20122): => search_function in Lib/encodings/
15 python(20122):  => normalize_encoding in Lib/encodings/
37 python(20122):  <= normalize_encoding
170 python(20122):  => <module> in Lib/encodings/
193 python(20122):   => IncrementalEncoder in Lib/encodings/
206 python(20122):   <= IncrementalEncoder
251 python(20122):   => IncrementalDecoder in Lib/encodings/
264 python(20122):   <= IncrementalDecoder
310 python(20122):   => StreamWriter in Lib/encodings/
323 python(20122):   <= StreamWriter
340 python(20122):   => StreamReader in Lib/encodings/
353 python(20122):   <= StreamReader
367 python(20122):  <= <module>
391 python(20122):  => getregentry in Lib/encodings/
410 python(20122):   => __new__ in Lib/
429 python(20122):   <= __new__
440 python(20122):  <= getregentry
462 python(20122): <= search_function

The coolest part is that it works through the existing patch to python for adding dtrace support. Some small tweaks to the autoconf detection was needed, but the rest was used as is.

If you want to learn how to add static user space probes to your program/package please see Will’s excellent guide. Adding User Space Probing to an Application: A simple example adding markers to a user-space application with SystemTap.