One might call EHCache (the Java caching library everybody loves) ET-Cache, since it phones home during startup. It was probably implemented as a usability feature, but I find it quite nefarious, especially since Quartz (the job scheduling library everybody loves) does *exactly* the same.

The culprit lies in net.sf.ehcache.util.UpdateChecker and org.quartz.util.UpdateChecker.

The information sent to Terracotta HQ includes:

  • a client ID derived from your local IP address
  • java.version
  • os.arch
  • the Quartz version
  • the EhCache version
  • a "source" field
  • uptime-secs
  • the Quartz/EhCache patch level

Needless to say, this is something that should not be enabled by default; it should only happen after an explicit, clearly explained opt-in. It also raises the question whether the cache sends *more* home than just the update information. It is, after all, a product designed to send data across the network; what is one extra node in the grand scheme of things? Has anybody audited the code for this?

In any case: to disable phoning home, everybody should start their applications with the following JVM parameters:

  • -Dnet.sf.ehcache.skipUpdateCheck=true
  • -Dorg.terracotta.quartz.skipUpdateCheck=true

Or you can configure it in your ehcache.xml according to the user manual. Quartz is similarly configurable in the
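The two JVM flags above only work if they are set before either library initialises, because the update check runs during CacheManager and scheduler startup. As an added example (not code from this post or from the EhCache/Quartz projects), here is a small Java entry-point wrapper that forces both opt-out properties from a static initializer and exposes a self-check so a misconfigured build fails fast. The class and method names are mine; the property names are the ones listed above. The configuration-file equivalents, `updateCheck="false"` on the root `<ehcache>` element of ehcache.xml and `org.quartz.scheduler.skipUpdateCheck = true` in quartz.properties, are noted in the comments.

```java
// Added example, not part of the original post or of EhCache/Quartz.
// Disables the EhCache and Quartz update checks from inside the application,
// for deployments where you cannot rely on operators passing -D flags.
public final class NoPhoneHome {

    // System property names as listed in the post.
    static final String EHCACHE_SKIP = "net.sf.ehcache.skipUpdateCheck";
    static final String QUARTZ_SKIP  = "org.terracotta.quartz.skipUpdateCheck";

    // This block runs when the class is loaded, i.e. before main() and before
    // net.sf.ehcache.CacheManager or org.quartz.impl.StdSchedulerFactory is
    // touched. Setting the properties after a CacheManager or Scheduler has
    // been created is too late: the check has already fired during startup.
    //
    // Config-file equivalents (assumption: you ship your own config files):
    //   ehcache.xml:        <ehcache updateCheck="false" ...>
    //   quartz.properties:  org.quartz.scheduler.skipUpdateCheck = true
    static {
        System.setProperty(EHCACHE_SKIP, "true");
        System.setProperty(QUARTZ_SKIP, "true");
    }

    // True only when both opt-outs are in effect. Call it from a startup
    // self-check or a unit test so a refactor that drops the static block
    // (or a classloader ordering change) is caught immediately.
    public static boolean updateChecksDisabled() {
        return Boolean.getBoolean(EHCACHE_SKIP) && Boolean.getBoolean(QUARTZ_SKIP);
    }

    public static void main(String[] args) {
        if (!updateChecksDisabled()) {
            throw new IllegalStateException("EhCache/Quartz update checks are still enabled");
        }
        // Only now create the CacheManager and Scheduler (hypothetical
        // application code, omitted here); the static block has already run.
        System.out.println("EhCache/Quartz update checks disabled");
    }
}
```

Because the properties are set unconditionally, an explicit `-D...=false` on the command line is overridden; that is deliberate for a hardened build. Regardless of which mechanism you use, verify it the way you would verify any egress control: run the application once with outbound traffic captured or blocked at the firewall and confirm no connection attempt to Terracotta is made at startup.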

According to Alex Miller, a former Terracotta employee, it is not evil and a price we need to pay to use open source software.

I disagree strongly: this undermines the premise of trustworthy open source. The download page doesn't mention the phoning home, nor does the announcement of ehcache 2.2 (last July); it is only briefly mentioned in the configuration part of the manual, which you typically don't read when you just upgrade your dependency to the latest version and see that everything still works as usual. The same goes for Quartz: it was apparently added in Quartz 1.7.3, but there is no mention of it in the release notes. Neither is there any mention of the option to disable phoning home, which was added in Quartz 1.8.

In my opinion, this is unacceptable behavior for any open source product, and it severely undermines the trust we have spent the last couple of years building to make open source a viable alternative to closed software.