Sunday, August 26, 2012

Clarification on Oracle XE licensing - really free for any usage?

There is an updated version on my new blog: http://dietmaraust.com/repost-clarification-on-oracle-xe-licensing-really-free-for-any-usage


Since Oracle XE was initially released in January 2006 I believed there was no usage restriction whatsoever with regards to the type of application you could build with Oracle XE and especially in combination with Oracle Application Express (Oracle APEX).

Just recently a customer of mine was told by an Oracle sales rep in Germany that certain usage scenarios are not covered by the Oracle XE license and he therefore would have to purchase a regular Oracle (at least Standard One) license for that purpose.

This sales rep argued that once you build an application as a hosted solution storing customer data in this database, this is no longer covered by the XE license.

I was stunned and couldn't believe that. Then I had a close look at the official license agreement: http://www.oracle.com/technetwork/licenses/database-11g-express-license-459621.html

There I noticed that this usage scenario wasn't covered explicitly and I wasn't 100% sure any more. I checked the forum again and saw that these questions do come up once in a while. Here are just a few examples:
https://forums.oracle.com/forums/thread.jspa?messageID=1454706&#1454706
https://forums.oracle.com/forums/thread.jspa?messageID=2775638&#2775638

Thus I decided to get some official statement from Oracle.

Oracle authorities from Database Product Management and Oracle Pricing responded to my request and confirmed that any application-specific usage of Oracle XE is covered by the license agreement and there is no usage-related restriction imposed on Oracle XE.

I have explicitly asked for the following use cases:

1) A web application for the internal staff only: A calendaring application where one could record his times of absence. The application is reachable via the internet but protected by a login. Only the employees of the company running Oracle XE are allowed to access the application.

2) A web application used by everybody, no customer content stored in the database: This could be a company website which is built on Oracle XE / APEX. This application is reachable over the internet by everybody. Content is only provided by the company running Oracle XE.

3) A web application used by customers on their own data (no manipulation through website): This could be an application similar to the UPS or DHL tracking of parcels. Information is processed in other backend systems and published to Oracle XE to allow a customer to query for his/her own data.

4) Supporting a business process via a web application among several of my customers: This could be a portal allowing a customer to invite other parties to bid on a public project (like building a railroad track). This portal (built using Oracle APEX and Oracle XE) supports the communication between all parties and allows the upload / download of files with regard to specific parts of the bid.

5) A web application used by customers to provide services to others: This could be a multi-tenant shop system where different customers open their own shop and upload their product catalogs in order to resell them to their own customers.

Aside from that you would still have to comply with all other elements of the license agreement: http://www.oracle.com/technetwork/licenses/database-11g-express-license-459621.html,
i.e. you have to comply with the export restriction, your end customers would have to agree to the XE license agreement and so forth.

Cheers and enjoy Oracle XE and Oracle APEX!
~Dietmar.

17 comments:

John Scott said...

Dietmar,

Great breakdown - I have to say I'm a big fan of seeing licenses detailed in the type of use-cases you listed, rather than the 'lawyer-speak' that you typically see.

Hopefully the sort of use-cases you listed could be listed as part of an official XE FAQ since as you say there can be a lot of confusion around what is/isn't permitted.

Like you, I've heard some very incorrect statements made about the licensing so it's great to be able to point back at an official source.

John.

Unknown said...

Hi John,

thanks.

Yes, it is always difficult for me to understand the "lawyer speak" as well. And sometimes, even the "translations" aren't really helpful either ;).

>Hopefully the sort of use-cases you listed could be listed as part of an official
>XE FAQ since as you say there can be a lot of confusion around what is/isn't
> permitted.
Yes, I would hope for that but I am not sure this will actually happen.

I strongly believe that this is Oracle's duty to provide clarification on licensing questions/issues, even for a cost-free product.

Unfortunately, since Mark Townsend passed away, nobody official from Oracle seems to monitor the Oracle XE forum any more.

And yes, all clarifications should be added to the official Oracle licensing statement hosted on an official Oracle site.

This is what we have to shoot for.

Nevertheless the statement I have received is pretty clear, I have especially asked for a statement that I could post on my blog.

Cheers,
Dietmar.

Niall Mc Phillips - Long Acre said...

Thanks Dietmar. As a user of XE since its first release back in 2005, I find this blog post to be a very clear and useful synopsis of XE licensing.

Making XE freely available has greatly benefited Oracle, as it has allowed developers to choose Oracle over other free alternatives. Back in 2005 we were working on a project in Africa using open-source databases, and then OracleXE was released so we quickly changed direction and went live on 10gXE. The stability and robustness of Oracle was a key factor in this project becoming a success. It is still running in production today.

Developer adoption of XE is a win-win situation for Oracle - they get greater market share AND higher potential future revenue from upgrades to SE and EE.

All the best.
Niall.

Buzz Killington said...

The only problem I have with the XE product is that it doesn't get patched like any of the regular products.

If I'm using it on my own machine for prototyping..etc, not a huge concern. If I were to use that for a commercial app, the no patching thing would concern me.

What is your take on that?

Unknown said...

Hi Niall,

thanks for sharing.

And yes ... I have had similar experiences.

Cheers,
~Dietmar.

Unknown said...

Hi Buzz,

>If I'm using it on my own machine for prototyping..etc, not a huge
> concern. If I were to use that for a commercial app, the no
>patching thing would concern me.

I don't consider myself a security expert, you should rather address this question to Niall Litchfield, Alexander Kornbrust or Anton Nielsen.

My take on that? Well, what does security mean anyway? You have different layers which can be attacked:
1) the http server
2) your apex application
3) the apex framework
4) the oracle database
5) the operating system

What would I recommend?
1)
- use a current Apache (this one can be hardened)
- use the APEX listener through AJP as a back-end for the Apache http server
- secure the APEX listener: http://krisrice.blogspot.de/2012/05/apex-listener-jdbcsecurity-setup.html
- use SSL
- lock down the ports, i.e. traffic to your machine is only allowed on port 443 (the default ssl port)

2)
- use session state protection
- don't trust anything being sent from the client
- take care of sql injection and cross site scripting attacks
- use a security checker for APEX like sumneva sert or http://www.recx.co.uk/apexsec-security-for-oracle-apex.php

3)
- install the apex runtime only version (no development)
- patch regularly to the latest APEX releases

4)
- lock down direct access to the Oracle XE database
- disable the XML DB http server
- use VPN setups or at least an ssh tunnel to access your database

5)
- never done that but many tools / tutorials available

In addition to that you could even add a web application firewall (waf) and hire a professional security expert trying to hack your site.


Looking at the different layers, typically YOUR OWN application is the weak spot.

Hope that helps,
~Dietmar.
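
A way to check the port-related items of the checklist above (only 443 reachable, no direct database access, XML DB HTTP server off), as an added example that is not part of the original comment. It assumes the XE default ports 1521 (listener) and 8080 (XML DB HTTP), the common AJP port 8009, and that SSH on 22 is the permitted tunnel; the `ss -tln` sample is constructed.

```python
import ipaddress

# Assumption: only HTTPS (443) and SSH (22, for the tunnel) may face the network.
ALLOWED_EXTERNAL = {443, 22}
# Default ports of services the checklist says to keep off the network.
KNOWN_PORTS = {
    1521: "Oracle listener: direct database access",
    8080: "XML DB HTTP server (XE default port)",
    8009: "AJP connector: should be reachable by Apache only",
}

# Constructed sample of `ss -tln` output, not taken from a real host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:443         0.0.0.0:*
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     127.0.0.1:8009      0.0.0.0:*
LISTEN  0       128     0.0.0.0:1521        0.0.0.0:*
LISTEN  0       128     [::]:8080           [::]:*
"""


def is_loopback(addr):
    """True only for addresses bound to the loopback interface."""
    addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:  # "*" or anything unparsable: treat as exposed
        return False


def audit_listeners(ss_output):
    """Return sorted (port, address, reason) for listeners that break the rules."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        if not port.isdigit():
            continue
        if is_loopback(addr) or int(port) in ALLOWED_EXTERNAL:
            continue
        reason = KNOWN_PORTS.get(int(port), "unexpected listener")
        findings.append((int(port), addr, reason))
    return sorted(findings)


if __name__ == "__main__":
    for port, addr, reason in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"exposed {addr}:{port} -> {reason}")
```

On a real host, feed it the output of `ss -tln`; an empty result means every listener is either loopback-only or on an allowed port.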

Unknown said...

Hi.. thanks for your post, very helpful.
However my case is a little different and though I think I know the answer for my question I'd like to confirm it.

I'd like to build a solution for the gym business (not my gym) and I'd like to charge for the service (clients control, body conditions monitoring and payments basically)

My question might be a little silly but I'm starting as a developer and I'd like to build the application using apex+oracle XE.

So the question is: do I have to buy a licence for standard oracle database? Is there any way I could do it without paying?

Thanks, and sorry about my english

Unknown said...

Hi Leonardo,

from my personal point of view your endeavour is perfectly legal and wouldn't require a license from Oracle. The APEX listener doesn't require a separate license and comes with APEX. So once you would have a license for the Oracle database, you are all set.

And Oracle XE is free to use for your purpose. Just make sure to follow the XE license requirements, I believe you might have to add certain text from there for your customers (so that your customers accept Oracle's license agreement as well), just read it closely. But you won't need a license. If the limitations of XE are sufficient for you, you are all good to go.

Once again, this is no actual legal advice ... you cannot sue me for that ;).

Cheers,
~Dietmar.

Anonymous said...

Hi,

What kind of license restrictions would exist to use the headers (gimh.h/gimp.h) from the OracleXE edition to write commercial applications?

These are headers which describe the functions to check the database health.

When creating standalone programs one needs to link against "libdbtools11.a" and libclntsch.so

Thanks!

Unknown said...

Hi,

I am sorry but I cannot tell you the answer here ... highly specific question.

The only pointer I can give here is the list of all available features: http://docs.oracle.com/cd/E17781_01/license.112/e18068/toc.htm#BABJBGGA

Cheers,
~Dietmar.


alin said...

Hi guys,
helpful blog.
I read the license for oracle XE and in Trademarks and Copyrights
You agree not to use Oracle trademarks (including "ORACLE") or potentially confusing variations (including "ORA") as a part of your product name(s), service name(s), company name, or domain name(s). In marketing, promoting, or distributing the programs, you agree to make it clear that Oracle is the source of the programs. You shall include on all copies of the programs used or distributed by you:
A. A reproduction of Oracle's copyright notice; or
B. A copyright notice indicating that the copyright is vested in you containing the following:
1. A "c" in a circle and the word "copyright";
2. Your name;
3. The date of copyright; and
4. The words "All rights reserved."
Such notices shall be placed on the documentation, the sign-on screen for any software incorporating the programs, and any media containing the programs.


I am willing to do this in my Online application. I want to add this on Log in page but I am not sure what those mean.

What is Oracle's copyright notice? Can you give me an example?

I guess for point B it will work something like: © Copyright My company name 2014 All rights reserved.

But how would this 'help' Oracle?

Thanks

Unknown said...

Hi alin,

I don't believe you have to put it on your Online Application, because the agreement reads:

"You shall include on all copies of the programs"

But when you create a SAAS application (online accessible only by your clients) you are not shipping copies of the software.

The major point is that when YOU downloaded Oracle XE you have legally agreed to the terms of Oracle.

By forcing you to include the license agreement in all copies of your program (which you give to OTHER people), they thereby ALSO agree to the license terms themselves.

I think this is the reason why.

Hope that helps,
~Dietmar.

alin said...

Thank you.
they are saying:
"Such notices shall be placed on the documentation, the sign-on screen for any software incorporating the programs, and any media containing the programs."
I guess sign-on screens are for online applications.
I can put something there in order to be safe:
http://docs.oracle.com/cd/E28593_01/doc/dcommon/html/cpyr.htm
can this be the link to Oracle's Copyright?

What do you say?

Thanks again

Unknown said...

Hi there,

Very informative and useful post.

Something still I couldn't make it clear though.

Does running only 1 database instance on the server mean the Physical Hardware? Or virtual host created on it?

Assuming I have a web based application which I want to get customer to use it for free. I will host it on the cloud, and on cloud Oracle XE will run on some virtual machine.

I am good with running only one database instance on that virtual machine, but I have no idea how many other servers are running on that same physical server, maybe some other oracle XE editions might be running as well.

How does this Oracle XE license restriction work with virtual server operating systems like VMWARE or Acropolis or Microsoft VM?

Regards,

Unknown said...

Hi Murat,

this is a very important question and I don't have the answer. I would assume it does not matter. But to be safe I will contact Oracle to get an official view of things.

Cheers,
~Dietmar.

Unknown said...

I have just contacted Oracle on Twitter ... let's see how they respond: https://twitter.com/daust_de/status/923441630362861568?conversation_id=923441630362861568

Gerald Venzl said...

Hi Murat, hi Dietmar, hi everyone else,

You are allowed to run one instance of XE per server, regardless whether that server is virtual or physical.
Or, in other words: Yes, you are allowed to run an XE instance per virtual server.

The restriction stated in the license agreement ("1. Express Edition is limited to a single instance on any server; ") doesn't explicitly call out that it is only per physical server, hence it is allowed.

Thx,