Voted Best Answer
May 15, 2019 - 12:09 AM
1) No--you don't necessarily have to pay for a subscription for everyone on Java 7u40 (through to Java 8u202); only those who may be using commercial features. This isn't a classic Oracle 'installed and/or running' decision; the BCL is clear--it does not cover use of the commercial features. So, if no $$ features being used and <8u202, you are likely covered under the BCL.
2) You may struggle to ensure all your business applications support OpenJDK, plus the OpenJDK release from which most people really want the JRE is non-trivial; far, far less well adopted or packaged than Oracle's JRE.
Your choices are probably more like (I'm assuming no commercial feature use):
1) do nothing, don't apply security patches - continue as is on any release up to Java 8_u201
2) remove Oracle Java from people who aren't using it, buy subscriptions for the rest
3) attempt to get OpenJDK to replace Oracle Java
> In the second case it becomes difficult to identify who are the users running applications that require Java with regular updates.
The majority of third party applications in our experience do not NEED the later security updates -- it is your decision to make based on risk / security policies.
RE: Automatic updates: there's some mixed messaging on this. Oracle also state "Oracle does not plan to migrate desktops from Java SE 8 to later versions via the auto update feature." but they also state "All Public Updates for all Java versions, i.e. those marked (Public) in the below list, have AU turned on by default."
Also see question 7 here, which suggests Java detects whether it is being used (I'm not sure what update this was released in).
There's probably a mixed approach required here: education of users and disabling of access to Oracle's download site so that the auto-updater cannot check nor download updates.