Will Sun's Java Go Open Source?
Ritalin16 writes "CNet reports that Sun Microsystems wants to send Java closer to the open-source world, yet keep it safe from harm. "Project Peabody" adds two licenses that make it easier for outsiders to see the code. But Sun stops short of embracing open-source. Sun's licensing practices for Java are closely watched. Proponents of making Java open-source argue that a different license and development process will help accelerate usage of Java, which faces ongoing competition from Web open-source scripting tools, such as PHP, and Microsoft's .Net line of tools."
Hey, is anybody using the gnu java compiler much? How's the performance on java programs made with it? Obviously there'd be some positive side effects, but exactly how much could the community benefit from having Sun's compiler open-sourced?
I already ditched java a long time ago. After trying some .net, I settled on python. Who wants to write 10 lines of code, and have to pass through 2 layers of variables to open a file?
Python: open(filename,r/w,0)
Java: JSKALDAHSJKDHLSA;
ASDJH(ASLDHJKLASH);
ASJHDJAKSHDJHASD();
REALLYLONGBUFFERNAME();
"Project Peabody" is really the code name for Sun's secret development of The Wayback Machine to send Scott McNealy back to a time when Sun was relevant.
__ Someday, but not this morning, I'll finally learn to use the preview button.
signs point to yes
"Sun has elected not to use an open-source license at this time because its commercial customers are concerned with "forking," or the creation of incompatible editions of the base Java software" Currently, Java seems to be close to, if not the lead in cross-compatibility. They do not seem like they want to lose their integrity as a stable cross-platform language.
Sun has a lot of tight control of java. But I believe IBM also has their own java implementation, and I think that version has a lot of proprietary and licensed code. But most of the jvm is not available for all different platforms.... anyone seen a 64bit jvm ?
Open sourcing java seems good, but the reason Sun may not want to do that is because sun wants to milk the embedded devices market where java can be a real breakthrough.
No
No
No
No
No
No
Maybe
Haha... No
Slightly off-topic, but what impact will Sun's open-sourcing of the JVM have? We already have several Open Source JVMs, Kaffe and IBM's RVM(Research Virtual Machine). Since the Java specs are anyway open, is there any point if Sun opens up the JVM implementation?
Because it doesn't need to. Java is now so big and so corporate that stability is far more valuable to its constituents than innovation.
It will be the development system of choice for corporate development for another decade, providing jobs for all the new and soon-to-be CS graduates who aren't taught anything else. Yet Java is already completely ossified.
If it were up to me (I know it's not, so shut up ;_; ), I would put it in the public domain and pretend I wasn't the one who wrote it. Then I'd be all "Oh wow, Java's so cool, you can even download all the source code for it!"
And then I'd get featured on slashdot as "Sun's Java Went Open Source" instead of some silly speculation that Sun might make up some magical license that lets you look at the code but not do anything w/ it.
Will open sourcing Java source code mean that the language will get submitted to a standards organization like ECMA or ISO or something?
[o]_O
Why does everybody in IT have to be a fortune-teller? First, google is not going to create a global internet filesystem for the entire world and eliminate the computer. If you are a software developer, you only look 6-9 months ahead, and google's take-away-the-computer plan won't happen for 900 years. Second, Java is a simple language. Java mainly benefits from the amount of libraries and other tools that are already on the market. We have been looking at Java's source for the last several years now anyway. Nobody really gets excited. I would watch the language tools that are already out there, so don't wet your pants on java being open-sourced. Yay or nay, it probably won't affect the market too much. Geeks who live in dim-lit caves will probably have something new to play with, that is all.
---- Berlin Brown http://www.newspiritcompany.
Sun is in trouble because GCJ is getting so much better. It has a strong chance of becoming the "defacto" version on Linux very soon. RedHat engineers already have Eclipse built and running on it, and tightly integrated with Gnome and Glade development. It's starting to look really nice, and SWT compiles natively into Linux binaries. Sun will likely maintain the lead on Windows pretty easily, but they stand a big chance to lose out to GCJ on Linux. No biggie, because Linux isn't a real server platform after all, right Sun? ;)
If Sun wanted to make themselves insanely relevant very quickly, they would fully embrace Debian and support it extremely well. Then, they should work to standardize on http://www.autopackage.org/, or something very similar to it. Then, they should work to get Java much better integrated into Firefox and vice versa. Here is a good article on the level of integration between the JVM and the browser, which is just pathetic at the moment:
http://www.softwarereality.com/soapbox/swing.jsp
I wish there were a sane event model to share between Java and the Browser so that I could use the browser as a display technology and have access to all of the Java class libraries for networking and such.
As soon as Java goes open source, I plan on forking it. Job 1 will be to add first class support for COM and XPCOM objects. After that's done, I'm planning on adding Delegates for event-driven programming. Good RAD-Designer support is important too.
Of course, there might be some minor incompatibilities with other JVMs, and the initial releases will be Windows-only, but since Java is such a neat and productive environment to program in, I think people will overlook these issues. Anyone interested in joining this project, please contact me.
Whenever I hear the word 'Innovation', I reach for my pistol.
How exactly do you propose to make it "simpler"? It's a language, not an "addon" to your current browser.
And secondly, java "allows websites to exploit IE" by a malicious website asking you to run a program. You have to click "Yes run this software I know nothing about and cannot verify its source". It's not a weakness in java or firefox, it's PEBKAC.
Acaila
Growing Old is Inevitable; Growing Up is Optional.
By "simpler", do you mean "not compatible with all applets"? It's hard to imagine what features you could take out and still be compatible.
It is exploiting a clueless user that doesn't know enough to click "No" when presented with a warning dialog that says that an untrusted application is trying to make changes to the local filesystem, and it asks permission from the user if this should be allowed. Previously, it had been assumed that a user would be ever so slightly clueful enough to not actually permit an untrusted application to do this, especially since they are getting a nice and friendly warning dialog, but hey... I guess user stupidity reaches new lows every week. The people that are vulnerable to this are the same people that think it's a good idea to run native exe attachments in emails from unverified sources.
File under 'M' for 'Manic ranting'
Anyone who reads Jonathan Schwartz's blog will know that Sun is gonna open-source java. He's been hinting about it for a while now, interspersed with hyping up the open-source release of solaris. Sun seems to understand that going open-source is their best chance of survival in the software world.
A Multiplayer Strategy Game for Mac OS X, Windows, and Linux
You have to click "Yes run this software I know nothing about and cannot verify its source".
Both Microsoft and Firefox have made UI enhancements to make it more difficult for users to just reflexively click "Yes" on every modal permission dialog that pops up.
I think it's perfectly fair to hold Java to the same standard, since it turns out that Java really is not safer than "native" extensions like ActiveX or XUL or Plug-ins (despite years worth of propaganda saying otherwise). "PEBKAC" is a cop-out.
It would be great if the Java JDK were open-source, or at least distributed with a less restrictive license. Installing Java on "unsupported" platforms is a nightmare. Take FreeBSD, for example. First, I have to install the Linux version of Java, because for some reason, the native Java port requires the Linux version for bootstrapping purposes. Next, I have to manually fetch the sources for Java from Sun (since Sun prohibits redistribution other than from Sun's site, and the latest precompiled package for Java is for FreeBSD 4.x, which doesn't work under FreeBSD 5.3; not to mention that I can't really do anything with the sources other than compile them; the license is very restrictive). Finally, I have to compile them, which took me 18 hours to compile on my computer (I'm not trolling; the fastest computer I own is a 475MHz K6-2 with 64MB RAM; I'm poor). For Sun to advertise that programming in Java is about "writing once and running everywhere," I guess "everywhere" is defined by Sun's view on the world. The only reason why I compiled the JDK in the first place is because I need it for my upcoming classes.
It would be great for all developers if Java were open sourced under an agreeable, OSI-compliant license. Developers of "unsupported" platforms would be able to port the JDK to their favorite operating systems (and redistribute sources and binaries of the JDK, too), which would raise the number of developers using Java, which in turn raises the number of people using Java-based applications. Next, I don't think Sun has to worry much about Java being forked. Look at C, C++, Python, Perl, and Ruby. C and C++ are ANSI-certified, and Perl, Python, and Ruby are open source. As far as I know, there aren't any forks of C, Perl, and the other languages that I've listed.
In the meanwhile, I wonder how good are the free, open source interpretations of Java and how they stack up to the Sun JDK?
Get rid of all the consoles and stuff that java installs, and just give the basics that it needs to function.
It seems to me there's a completely obvious solution to this: only allow patches against their version to be distributed, not already-modified versions. And don't let modified versions use the trademark. That way it would be completely obvious which was the real java.
I am trolling
Acknowledged, Java has some downfalls (slow, etc) and it is not a native programming language, but overall, Java is a great way to go. Java applications developed for a website are a powerful tool, instead of using php. And Java games are very popular in the cell phone industry right now, not flash. Overall, I think the possibilities that Java offers are enough in themselves to warrant making it open-source. But I'm biased... I just started learning it.
Foxed Design
There's certainly nothing to stop someone from making a bytecode compiler for any language that can run on the Java VM. I do recall that NetRexx was a language like that.
The world's burning. Moped Jesus spotted on I50. Details at 11.
You could make it a straight interpreter rather than a fancypants "JIT compiler". I'd expect that would simplify things, though at a cost to performance
I'd like to see an open source, "simpler" version of java as an option in FireFox. Currently, I don't have java installed because there are exploits for it (for example, java allows websites to exploit IE even if the user is using another browser, such as FireFox or opera). I don't really need it for anything, either, but I'd use a stripped down version. It just seems too bloated now, for the uses.
If that simpler Java implementation allowed the user to say yes when asked if they trust a company to install software, then that "exploit" would still exist.
You may envision something simpler that can only run in the Java sandbox, but probably a browser option limiting users from permitting the install makes more sense, and let the user decide.
This is a suggestion that I posted to Sun's home page comments box yesterday. Whether the new JUIL licensing makes this easier to consider I don't know, but these kinds of things need to be agreed upon by the community and stay standard.
rd
Beyond rewording the Java install security warning into potential consequences, which is much needed as pointed out, is the problem that the .jar, after being installed, also then installed several Windows malware programs.
If they were .exe's in the .jar file then the JVM should make the data available to OS security inspection with an OS specific security call, even if the API to call has to be provided by the Java Community to, for example, provide a program to invoke the identified default AV, etc.
Also, for many of us it is assumed that what is in a .jar is Java, and although it may have been given permission to write files, it is not assumed that those files are Windows .exe's.
Whether explicitly named as an executable file or renamed with an OS API call, in addition to the above trusted stuff Java should ask for permission to create an OS native executable which is way beyond the permission we intended to give to access files on the OS disk!
It is just a one time deal on an install, or in this worst case, several from the .jar, so it is not onerous to a user. It also should not involve a lot of overhead as it's only the OS API commands to create or rename files to or with an executable extension.
If any malware was subsequently downloaded and installed by the just installed Java program then another layer of permissions needs to be asked for each additional install.
In other words, it is insufficient to ask if Java can be trusted, then let it install native OS programs unsupervised.
I am a Java programmer for the past year (writing my own stuff, unemployed) and have a program I plan to deploy, so this is very important to me that users can trust that Java will monitor what they have authorized to get out of the sandbox.
May not be fair, but Java will earn even more trust from users doing this. Let's make lemonade out of this lemon.
rd
Dude, would they just make up their minds? They keep saying they may then they wont then they may then they wont etc. etc. Sun, please stop teasing those of us who actually would like to see Java improved.
Students should be forced to learn in a bondage-and-discipline language like Java. Once they understand a type system, they can better understand when to break the rules.
We've already been down the Python/PHP "typeless" road with teaching Visual Basic, and the end result is a lot of sloppy programmers.
Netscape opened Mozilla up to the world, and see how far that has reached?
Had AOL controlled Mozilla every step of the way, Mozilla wouldn't be where it is now. Sure, Mozilla had its ups and downs, and experienced many random forces, but they survived.
If Sun truly cares about Java, they are free to create something like the W3C, where other companies and developers have a voice, to make sure there is a standard for Java. Any rogue developer whose JVM chooses not to follow the standard will be ignored because the JVM would not work with the majority of Java applications out there.
Let's see: we have kaffe, gcj, and a handful of other open source attempts to clone java, all of which are not exactly one-hundred percent compatible, and none of which would exist if java had been open source in the first place. We have MSFT pushing their own completely incompatible java-like system.
Now, let's look at some fairly popular languages that have been open-source since the beginning: perl, python, tcl, ruby. Gee, not one of them has shown the faintest sign of forking. My conclusion? Sun is run by a bunch of idiots. (Really too bad, because I used to be a big fan back in the eighties.)
What's the harm in going open source? Doesn't the principle apply that the more you give the more you get in return? Just look at Linux!
Perhaps if you could tell us why you thought Eclipse and Netbeans suck it would be easier to come with a suggestion?
Anyway, some of the most popular would probably be JBuilder, JDeveloper, IntelliJ IDEA, KDevelop...
If you prefer more light-weight IDEs, you can always use ANT together with something like Emacs or JEdit.
Being bitter is drinking poison and hoping someone else will die
Considering that Byte Code is essentially open, you can construct a language how ever you want and have it compile to Byte Code so that the JVM will execute it. So, in this regard it's open.
.NET.
As for opening it to a standards committee, I hope Sun never takes this route. The committee mind for just about anything is terrible. Many great artists won't work with committees and I think Java is better served if Sun calls the shots on it.
I don't know much about the licensing of J2EE but for people that don't want to pay (do you have to?) you can always use something else or pay for
I don't care one way or the other really if Sun "Opens" Java but I'd rather them or a small group of people call the shots on the language. Gosling et all for instance. Whatever they do, I hope Java doesn't fall victim to ANSI or IEEE or whatever as the language will never advance.
"If you are a dreamer, a wisher, a liar, A hope-er, a pray-er, a magic bean buyer
... GONE.
...
Proponents of making Java open-source argue that a different license and development process will help accelerate usage of Java,
would - (slashdot spelling: wood). Ok, WTF.
CC.
TaijiQuan (Huang, 5 loosenings)
So what you're really saying is that you don't know COBOL either? :) You could at least have started with the proper IDENTIFICATION DIVISION line.....
There are some of us who still remember COBOL (the 6th language I ever learned, I believe, although it's been too many years ago to remember).
Most of us won't admit it any more, though!
If you're not living on the edge, you're just taking up space!
While I haven't done much research, a little casual testing suggests that opensource JREs run a lot more java software than mono runs .net software.
Why would they be worried about Mono? It's open source after all. :) I don't even think Mono is on the radar. It will always be held back by licensing concerns by the stain of Microsoft. Sure, everyone is going to blabber about how it's immature to reject something just because it's Microsoft. That's what MS does to everyone else, so I think it's appropriate to treat them the same way. ;)
I wrote a brief article on systems that scale down, with programming languages in mind. You are correct that all the Java baggage comes into its own when you start writing larger programs, but for beginners, or people just wanting to whip something together, it is baggage.
http://dedasys.com/articles/scalable_systems.html
http://www.welton.it/davidw/
Because Java is being deployed in businesses everywhere. Many of the ancient IBM mainframes are being replaced with servers running Java applications on them. Java of 2005 is compared to COBOL of the 1960s-70s because of its popularity and widespread use in businesses. Businesses like Java's enterprise tools, scalability, and employability (since it seems that most universities are teaching Java as a first language nowadays, so the fresh college grads would already get to work coding Java apps).
Technically, Java != COBOL, though. The only similarity that these languages have is their popularity in businesses. Other than that, they are very different languages; it would be like comparing C and BASIC (gotos, line numbers and all).
Practically everybody, unfortunately.
http://michaelsmith.id.au
They'd be worried because it does what java does and does it better. Really.
I've been using gcj to develop Hecl ( http://www.hecl.org/ ) with, and so far I've been pretty happy. I found one compiler bug, which I reported and which was then promptly fixed. At FOSDEM, I also had occasion to go visit the Free Java developer room, and the impression I get is that these guys are making enough headway that it doesn't matter what Sun does at this point. Redhat had something like 3 or 4 very sharp developers (Tom Tromey, for instance) working more or less full time on gcj and ClassPath. Sure, Sun has way more people, but for now, all the free guys have to do is play catch up with the spec, not surpass Sun. That comes next;-)
By the way, I don't think blackdown is actually open source in that it's based on the Sun code.
I'm curious - does the new Fedora actually ship with gcj and gij as 'Java'? That will be an interesting development to watch.
Both Microsoft and Firefox have made UI enhancements to make it more difficult for users to just reflexivly click "Yes" on every modal permission dialog that pops up. I think it's perfectly fair to hold Java to the same standard
You're clearly just trying to save face if this is all you can complain about. Not all vulnerabilities involve users clicking Yes in security dialogs.
since it turns out that Java really is not safer than "native" extentions like ActiveX or XUL or Plug-ins (despite years worth of propaganda saying otherwise).
The "years worth of propaganda" was probably referring to Java's immunity to buffer overflow vulnerabilities and other attacks that exploit the machine-level details of C-style calling conventions. Or it could have referred to the sandbox security model under which applets can be run safely without even requiring a security dialog- as opposed to ActiveX for example, which is typically implemented in "unmanaged" (but digitally signed) C++, has a security model consisting of nothing but a security dialog, and which must run either with full privileges or not at all- based on whether you feel you can trust the author. You can run Java code in a sandbox and not have to trust anybody. The sandbox has such restrictive security, in fact, that it partly (along with install base and JDK versioning issues) led to the demise of applets relative to ActiveX.
I highly doubt anyone will be able to create an environment that can be both useful for people of all levels while still being accommodating of user stupidity.
Lots of people use PHP instead of JSP, even for "enterprise*" applications.
*PS: The word "enterprise" in any software context is bogus.
--
the strongest word is still the word "free"
Something that can be fixed right away if you're using the JRE 1.5. Just go to the Java Control Panel, go to the "Advanced" tab, expand the security tree, then uncheck "Allow user to grant permission to content from untrusted authority". Most of the time, this is sufficient because the makers of the exploit are using a self-signed certificate. If exploits that were signed by a trusted CA start appearing, then one should uncheck "Allow user to grant permission to signed content" as well. Anyway, most users will not be affected by unchecking both. Unless of course you happen to be using a signed applet. Signed applets are not often used, and when they are used, they are usually only used for internal, corporate stuff at work.
Already done: Jython
cpghost at Cordula's Web.
Until now, you are only allowed to distribute the JRE with Java software. This has always been a problem for creators of Linux distributions who like to include Java in their distribution.
It seems Sun is gonna change their license at this point so every Linux distribution can distribute the JRE and support Java out of the box.
This is probably the most important part of the license change and I hear nobody about it.
Me
Java is crossplatform. Runs on Windows 2000 AND Windows XP.
Java is a language, and saying it is proprietary is like saying C or C# are proprietary. I have read the freely available documentation on Java and you'd be surprised how complete it is. There is no need to reverse engineer anything since JavaDoc spells it all out for you, and heck, Sun provides the source code to the files too! It bugs me that people prefer Mono's C# over Java because it's "more free". Well, it's only free because people coded it up. If they spent half the time coding a JVM that they've spent coding Mono they'd be done years ago. And if Sun keeps their own implementation proprietary, well, they own it so let them. You can use IBM's or Apple's or your own. Why don't people stop using C since Intel still offers its own closed source compiler? Java is really spread wide open from letting people participate with JSR (though just like in democracies unless you are with someone big you won't get heard.. but you are free to try), and even poke around with the source. Is there some big piece that I'm missing that would bother anyone besides GPL Zealots?
Your CPU is not doing anything else, at least do something.
Surely the most important thing is that there is choice! Java is not about to die a death, and it's good that there's competition because it makes Sun make Java better!
I don't care whether it's open source or not. What practical difference would it make to me? Absolutely none!
No it doesn't. Have you even used mono?
However, the biggest problem with the GNU compiler is the lack of compliant class libraries. The GNU Classpath project, which aims at creating an open source cleanroom implementation of the Sun class libraries, is severely behind. My optimistic guesstimate would place them at being about 3 years from full 1.5 compatibility, at which time we're probably using the beta of 1.7.
However, GNU Classpath has an easier job ahead of them than the Mono folks, which begs the question as to why they chose to go with the Microsoft technology in the first place.
Seriously. Why, oh why, did Sun put it in the base J2SE?
While the parent was marked as a troll, I think the author was actually serious.
Here's some more facts:
+ In bed with Microsoft? That would be why they produce StarOffice - a competitor to MS's main cash cow.
+ In bed with SCO? Sun really doesn't seem to want any more lawsuits - that's why they bought a SCO licence, and that's why they paid off Kodak.
+ Despite you whining bastards' constant Sun-bashing, Sun has tried to be nice to the OSS community - there's no way they're going to start lawsuits - see the comment above, too.
+ Sun's licence is incompatible with the CPL entirely because they don't want Solaris merged into Linux, and can you blame them?
What's the harm in going Communist? Doesn't the principle apply that the more you give the more you get in return? Just look at Russia!
Something about a cease and desist from archive.org.
Not only does this one-language narrow approach limit the teacher and student, but the whole proprietary aspect of it just acts as a kick in the face.
Many of the ancient IBM mainframes are being replaced with servers running Java applications on them
Businesses don't have to do this - they can deploy J2EE apps directly on your so called ancient IBM mainframes. The same Java and WebSphere code runs directly on big blue iron.
catch (ModDownException mde) {post.modUp("Interesting")}
I've had the same problem with Java. First, there's no exploit, as far as I know, to circumvent the "Click Yes to install" screen that would appear when trying to install software from java. Also, Firefox has the option to disable java, which I did.
I'll do the stupid thing first and then you shy people follow...
Dijkstra's argument against GOTO, Hoare's against pointers, and Nygaard's for the object-oriented approach were also all in the "1960s-70s".
In a few more decades we might actually have an industry using higher-order functions, inductive datatypes, a generalised inclusion polymorphism not crippled by being tied to code reuse via 'inheritance' and, who knows, maybe even dependent types. Then people might actually realise that the comparisons being drawn between imperative languages are pretty insubstantial and more about library and IDE support than language features.
Emacs!
Seriously though, IBM has an article on it here.
I, for one, am really sad.
SUN used to be a great computer company, hugely innovative and a major donor to the community.
Gosling's FUD and marketspeak cannot hide the fact that 3 months after OpenSourcing at least 20 of the most annoying bugs and the huge bloat of the current Java implementation would be gone.
Two simple examples, which pose NO risk of INCOMPATIBILITY: (a) a '\n' to JDB does nothing, it should repeat the last command so n '\n' '\n' ... would step through a program like it does in Perl, (b) add a pre-fork option to JVM startup so executing "Hello World" didn't take 5-10 seconds on the average laptop. This would change the face of development by making much of the containerisation unnecessary.
As one who uses C, C++, Perl and Java in my everyday work I cannot stress too strongly that tools developed behind a barricade quickly suffer from the prejudices of a small team, while, in the OpenSource arena natural selection means that good ideas are quickly adopted.
Finally, the fear of forking and incompatibility relating to Java is a reflection of SUN's FUDing in the past. Six months of creative marketing could easily reverse that. Many IT managers are realising that, as we all know, a tool does not a good programmer make! Many are beginning to turn away from Java. This is unwise but something must be done about the bloat and verbosity of the current Java paradigm.
"Open source versions are forked. Therefore, if it had been open source there would be no forks"?
Not quite - the different versions black-box reverse-engineered from the proprietary product aren't all perfectly compatible. The products which are open-source (and so can be intimately inspected by all) haven't forked at all.
There's a big difference between multiple re-inventions and forking a codebase - if you can't see how something works but try to copy it, you're going to make mistakes or have to make assumptions at some point, and those can introduce (unintentional) incompatibilities.
I think the grandparent was trying to show that if it's open-source (ie, you can inspect every line of code from the get-go), the evidence is that it's very rare for anyone to intentionally fork the codebase.
Everything in moderation, including moderation itself
If they were .exe's in the .jar file then the JVM should make the data available to OS security inspection with an OS specific security call... Java should ask for permission to create an OS native executable which is way beyond the permission we intended to give to access files on the OS disk!
I'm not overly familiar with the "exploit" you're talking about, but I can think of several ways around this suggested fix.
Probably the simplest problem is how does the JVM know if there are exe's embedded in the jar file? Now, if there were some standard "exe in jar" packaging scheme then yes, the JVM could look at the .jar file and warn the user about the contents. However (even in this case), what stops someone simply cutting-and-pasting the entire compiled code for the .exe into a string, then having their java code write this string to a file on disk? Bingo, instant executable file.
Even if the JVM used some kind of heuristics (with the inevitable performance hit), what happens if you do something as simple as XOR the compiled code with a key stored in the file? I can't think of any practical way to determine if there's native-executable code in a .jar file that can't be easily circumvented with even simple encryption.
The only way I can think of is to totally prevent all code in any jar file from creating or modifying binary files - restrict them to creating text-only files and (IIRC) they can't drop native executables (or at least, the file won't execute properly under windows). However, I have the feeling there are plenty of situations where you'd want to write a binary file that has nothing to do with executable code (can't bring one to mind, but exercise left to the reader), and this would be prevented by blocking all binary file access.
IIRC there's nothing magical about executable files - they're just strings of characters like anything else. If you can write one type of file, you can pretty much write any kind of file to disk, so there's no way to stop this kind of thing from the JVM...
Where is the "+0, RMS Clone" moderation option? =)
Sun will only open source enough to hedge their bets against eroding their market foothold. And not a penny more.
Their stock sucks. From a Wall Street point of view, they are not a very healthy company. They are trying very hard to sell and re-sell themselves as a capable Enterprise solution for corporations. But it's getting harder to do.
At the high end, they are being eroded by the other high end hardware available through HP and IBM. Their reliability of hardware has suffered badly in the last decade and that's costing them market share in related products as people start moving to other platforms.
Erosion is also happening at the low end of the market by the likes of Linux where x86 architecture can compete.
If they make the use of JVM, through JRE, easy to use on the low end, they have some chance of getting a foothold on small companies before they turn into large corporations. This path is what they don't want because as a company grows, they may try to make their existing platform (PHP, Perl, Python) work in their more demanding environment.
This results in a drop in the market for Java developers.
This also affects the developer environment as well. If you have a linux box and want to write some code, you aren't very likely to spend an entire weekend trying to get some software running when you already have several good tools to choose from. One of the reasons I never really took up Java development was because of issues related to getting things working correctly at the JVM level on my distro of choice.
That being the case, developers will look to other platforms, starving the Java Market of designer resources.
Releasing JRE into an open license agreement addresses the issue of keeping the market space viable, but it doesn't address the issue of developing resources. Of course, with schools pushing Java hard and everyone older than 12 years old in India learning Java, they may not have to.
Perhaps it all makes sense in their grand scheme of world domination?
Mono and Java are running different races (client vs. server side), and both of the races are over.
Sun wrote off Java on the client and focused it as an enterprise server technology (which it is great at), which is why they've never done anything useful about the sucky AWT/Swing stuff.
Mono on the other hand seems mostly focused on the client side. While the technology really rocks, the taint of Microsoft licensing/patent fees will always make it problematic for many.
It's too bad but if Sun had open sourced Java and gotten on the SWT bandwagon it would have provided some competition and maybe kept Mono from getting momentum.
COBOL is just fine. For file handling, I don't know many languages that are better.
> I'm not overly familiar with the "exploit" you're talking about, but I can think of several ways around this suggested fix.
The so called exploit was covered a couple of days ago in a /. thread, something like "Firefox used to exploit IE".
Turns out it wasn't a Firefox exploit, or an IE exploit, or even a Java exploit. It was a site that downloaded a Java .jar which prompted Java to ask if the user wanted to trust this untrusted company, with a lot of yellow exclamation marks, at which point most people click ok and the .jar installed a boatload of adware/spyware/malware.
> Probably the simplest problem is how does the JVM know if there are exe's embedded in the jar file? Now, if there were some standard "exe in jar" packaging scheme then yes, the JVM could look at the .jar file and warn the user about the contents. However (even in this case), what stops someone simply cutting-and-pasting the entire compiled code for the .exe into a string, then having their java code write this string to a file on disk? Bingo, instant executable file.
After what you quoted, I described a scenario for checking for .exe's in the .jar. I suggested three things:
1) The Java Community provide an OS dependent security call for the JVM to make that would make contents available to any available AV software for inspection.
2) Monitor calls that create or rename system files. This would be monitoring data flowing through JNI, and would be monitoring for and either disallow or request permission with specific file names OS dependent commands to create or rename files to executable extensions. This is native direct OS API stuff, not trying to determine what any program called might do.
3) Monitor in a similar way downloads that the .jar software may perform.
This is not guaranteed to be bulletproof, but it catches straightforward ways to transfer native executables out of a .jar or downloaded to the system, so that a user is asked to trust each executable, not a carte blanche for some obscure and deliberately misleading malware company name to run amuck with an obscure OK.
I hope that clarifies. Thanks for the feedback.
rd
Why do "only fools" use JSP?
...and it is not a native programming language...
:)
Actually there are native compilers available for Java: Gcj, J2exe, Excelsior JET and Manta.
There are downsides to using native compilers though, including a) the need to maintain separate platform versions of your app, and b) the loss of the ability to decompile back to Java source. But some developers don't mind a), and the more proprietary ones positively love b).
Kaffe, on the other hand, isn't a native compiler in the sense that the compilers above actually cough up an executable for you at the command line. But it has a just-in-time (JIT) compilation system which translates the bytecode to native machine code on a method-by-method basis as the application is executed. This really boosts Java app performance a lot.
The Data Division/File Section stuff just works. Want to know how an input file is laid out? It's all there in one place, and it's simple.
Not if it comes from IBM. We only hate the stuff from Sun, and we also like .NET in the form of Mono, because Miguel started that so it must be cool.
Stick Men
Many people don't realize that Sun is beginning to cash-in big amounts of dollars from Java. That's because any Java-enabled Phone, PDA, Digital TV set-top-box, or gadget-du-jour means a royalty to them, up to $1/box. There are already several millions of these gizmos, and a lot more are to come in the next years with the advent of HDTV. Sun is even lobbying to put Java within DVD players (in order to replace the crappy system used to author interactive menus, that is).
Why on earth would they open-source something that looks like the next golden goose? That would be pure business suicide.
Wake up, people. It's all about the money! Not about "forking" and other stupid claims made to distract the open-source zealots from the real issue.
Sorry, a letter of intent from some MS lackey is not a legal document from the company.
And royalty-free RAND is not necessarily open source compatible. More than one Microsoft product has been licensed as "you use this library for any purpose except on open source applications" or "you use this library for any purpose but only on a Microsoft licensed operating system".
The browser option needs to default to off. I don't see any need for a browser applet to write to my disk. I don't think the people who get hit by this exploit would know to turn the option off.
I agree. The user was looking for Neil Diamond lyrics, not even installing anything. The default should be off. Those few who know they are using something in Java that will use their disk can check it on.
Java apps, that is native apps on the system, should not be so easily confused with the trusted Java sandbox applets with only a "do you trust this" prompt standing between the sandbox and anarchy.
The Java apps can be downloaded and installed more explicitly with the users prior knowledge and consent.
rd
Do we still hate Java or what?
Yes.
Save your wrists today - switch to Dvorak
How to make sure any released "derived works" of their JRE, JVM and JDK are 100% compatible with their official releases.
Look at what happened with microsoft, they took the sun JVM and did an "embrace, extend and break 3rd party compatibility" act on it and so Microsoft (up until sun forced Microsoft to remove it) was shipping a JVM that was incompatible with the official VM from sun (and people actually built java apps that only work on the Microsoft VM)
What sun should do (IMO) is to release the code under an Open Source licence. BUT, if you want to use the sun java trademark (e.g. to represent that what you have released is a java VM or whatever), you need to pass a compatibility test and get a stamp from sun. Then, they could release the compatibility test to the world so that everyone can test their code before it goes to sun for approval. The same test could apply to any java VM or compiler (e.g. GCJ).
People who want to modify (and share modifications to) the JDK, JRE and JVM can do so. (e.g. people wanting to port the JRE/JDK/JVM to a new platform/OS)
People who want to try out "unapproved" modifications can do so (with the full knowledge that they aren't official and may not be 100% compatible with the official sun releases)
People who want "java" so they can run java apps can feel safe and only download stuff approved by sun.
If the licence was like GPL where source must be released if binaries are released, it would help prevent what happened with Microsoft and the MSJVM (since any incompatible modifications would mean that you wouldn't get approval and couldn't call it "java" and also any modifications you make would need to be returned to the community).
Because of the rules for the use of the java name, there would be every incentive for anyone making changes to the JRE/JDK/JVM to do the compatibility test and get their changes approved (the licence, the trademark licence and the other factors would work against any incompatible forks showing up especially since companies like MS with an interest in incompatible forks would not want to use code under a licence like the one I suggest)
Developers would have a big incentive to write 100% compatible java code (since they would be instantly able to see that their development setup is not "compatible" and unless there is a good reason to use that incompatible VM (e.g. like what happened with the MS VM being used because it was shipped with windows, IE etc), they would be more likely to choose one that had the "java" name and sun "seal of approval".
And by having a dual licence and/or a "copyright assignment" like OpenOffice/StarOffice, they could also continue offering commercial licences for java like they do now (just like they use outside code contributions to OpenOffice in the commercial StarOffice product)
There are probably holes in my plan somewhere though, something I haven't thought of.
I thought the speed issue was largely addressed, and now the main issue is it's a memory hog.
What a fool believes, he sees, no wise man has the power to reason away.
Besides the fact that my favorite linux distributions cannot ship the sun jre/jdk out of the box (pls don't tell me about JDS) and I cannot emerge it without downloading it from the sun website.
Sun is right to make sure that every jvm is compliant with every bytecode. Write once, run everywhere needs to be preserved at all cost.
> Of course Firefox and other browsers could just put a SecurityManager in place that is called when the Java code calls Runtime.exec("evil.exe") and denies it (or presents the user with a choice... again).
This is already possible and _very_ easy.
I don't see a problem with that, maybe I'm missing something. "evil.exe" is already on the system, passed AV, was already requested to be installed, etc., so is inherently trusted. It's the creation of "evil.exe" from a .jar that I'm addressing. :)
rd
One of the key thing that opening Java would give is the possibility to debug issues ourselves.
For example I have crashes with the official Sun's VM. I am unable to debug the problem properly without access to the code (and I won't do that with a proper license). For sun I have to go all the way to create a test case, which is not easy when it comes to isolate a problem in a complex application.
I am sure I would go faster with access to the code. Instead of spending time making a test case, which I am not sure Sun is going to have a look at.
Sneak teach kids Algebra using a game
Yes, we still hate it. They're trying to make us not hate it by pretending that the reasons we hate it don't really count. But they do. Until Java shows up in Debian main, keep hating it.
I am trolling
Your teller is probably using Java based software to bring up your account details and conduct your transactions.
This holds double true for brokerage trade executions , matches, and settlement.
And then there's your phone bill. Chances are that is touched by Java somewhere -- on the website, in the call centre, etc.
etc.
PHP is prevalent on the web, but not as prevalent in major business applications.
-Stu
This works. Is it awful? Eh, verbose, but otherwise ok... Python is certainly more compact. But frankly, the tasks one does in Java are usually very different from what one would do in Python. Very different emphases.
import java.io.File;
import java.io.FilenameFilter;

// list the .gz files in the current directory via an anonymous FilenameFilter
File[] fileList = new File(".").listFiles(new FilenameFilter() {
    public boolean accept(File dir, String name) {
        return name.endsWith(".gz");
    }
});
for (File eachFile : fileList) {
    System.out.println(eachFile.getName()); // do something with each file
}
-Stu
Maybe I'm wrong or just stupid but to me, a fork is forking an existing source tree to take it another direction.
Some examples:
Xorg is an Xfree fork
Cedega is a Wine fork
I don't think a fork means to follow some specs and write some code, for example:
GCJ is not a Java fork, it's an implementation.
Nor is a fork downloading patches for your windows machine. (someone mentioned it)
I don't know where all these people are getting these crazy definitions of fork, my only guess is that some "informative" posts are spreading false information.
I mean, a lot of people talk about forks like if they exist, they creep their way into the servers at night and fuck things up. You don't have to use a fork if it exists and it will probably live and die without you even knowing about it.
Forking the code in another direction is good for open source because those developers who forked the code can now work under their own terms and when a developer does that, he usually does his best work. Are all forks successful? Hell no, but it's possible some of the code will find its way back to the original project, or other projects, and that's how open source lives on and flourishes. It's the most insane code reuse technique ever created.
I've never understood the argument that open-sourcing java will convince people to choose it over .NET? Why would someone choose .Net over java because java is not open source?
... would be IBM's fork of Java. There would be enterprises that would adopt that, even if it was no longer called "Java".
IBM would soon "Eclipse" the Sun.
random underscore blankspace at ya know hoo dot comedy.
The problem is that Sun's Java is not installed by default in most Linux distributions. As a Java developer (also use Ruby, Lisp, and Python a lot) the best situation for me would be to have Java installed by default on Linux and Windows - like on OS X.
For server side Java (web apps), which is mostly what I do, it does not matter too much because setting up a JDK, Tomcat, etc. is easy enough. It is a different matter however for Java client apps. Java is not that bad anymore for GUI applications and it would be great to not have end users having to install a JRE themselves.
BTW, natively compiling Java applications with GNU gcj is really getting to be a viable alternative to running under the JRE. I have been playing with Java and SWT also - looks promising.
I actually asked my professor this. His answer was really simple.
Free runtime, free IDE, free docs.
Technology Consulting & Free Downloads
I at least partially agree with that. It *is* easier to write self-documenting code in COBOL.
;)
However, it's never been a panacea. I've seen some very obfuscated COBOL in the real world. And even e.g. the input file layouts can be pretty useless when there are 25 different record types in the file, and the field names are all "XYZ PIC X(5)."
There are some types of programs for which I'd still prefer COBOL. However, I try to avoid those projects.
I've long been a believer in using the right tool (or language) for the job. The problem I saw with COBOL is that shops which use it tend to use it almost exclusively. Which makes economical sense - it's harder to maintain a multilingual stable of programmers - but does force it into totally unsuitable applications.
If you're not living on the edge, you're just taking up space!
I assume you disabled JavaScript as well if you are genuinely concerned about security, you did, didn't you?
Java was for a long time _the_ VM. And because they were the only option they could play their game of "we own Java and we alone decide where we go".
But now time has changed.
There is another system, C# and the CLI. People say that it has advantages over Java. I'm not that deep into Java and C# to confirm that. But for me it sounds logical. Java was the first VM and since then there was enough space to learn more about the concept and learn from the mistakes of Java.
But I think that's not the main reason. I think both platforms are good enough for most of the usual tasks.
But MS will push .Net on Windows and I'm sure that this will be one of the main platforms for developing on Windows in the future. So you have great integration in Windows. On the other hand you have Mono. In most cases it will be compatible with .Net, so your programs run on Windows, Unix and MacOS.
But at the same time you can have full integration in one platform:
- Windows: .Net, ActiveX, COM,...
- Unix: Gtk#, gnome#, gst#,...
- MacOS: Cocoa#
so you have all options: best integration or portability.
And all this is based on an ISO standardised C# and CLI.
So the arguments for .Net:
- comparable to Java (maybe better)
- multi language support
- based on an open standard
- platform independent or best integration (depends on what the customer wants)
- free solutions with Mono (where everyone can decide what to do with the software)
And what does Sun have to offer?
That their name is not Microsoft? That may be an argument for some kiddies but not for the whole IT market all over the world.
Java 1.1 = Java
Java 1.2 = Java2
Java 1.3 = Java2 version 1.3
Java 1.4 = Java2 version 1.4
Java 1.5 = Java2 version 5?!?!?!
I mean crikey, I'm almost in fear of what Java 1.6 will be named. And prepare to move into a bomb shelter when Java 2.0 comes out.
> Web open-source scripting tools, such as PHP
You can't make a fair comparison between the Java technology (whatever that means) and PHP.
PHP has its uses and Java has its uses. And Java is not a scripting language. Just because you can deploy a web site using JSP, you can't put Java in the same category as a web scripting language, me thinks.
This is a signature in Spanish.
COBOL is to Java what Neal Stephenson is to Issac Asimov. Both write good science fiction, but in the end they are really two different things entirely, syntax-wise.
(With apologies to the High School set who didn't have to endure analogies on the SAT this year...)
If I have to write lots of "rows and numbers" type programming, COBOL isn't bad. (but still not my first choice these days.) However, I don't think I want to write a GUI or the server side to a web site in it. Ditto for VB.
Of course, the whole comparison thing is meaningless unless you take into consideration what each language was designed for and when it was designed. COBOL has been around a LONG time (computer time wise), and certainly has been supplanted by new technology. There would be very few compelling reasons for me to start a new system in COBOL today. Java is (basically) a refinement of C++, with much better library support. As such, its syntax is C based, which also has been around a long time. The C-like languages survive for two reasons: flexibility and terseness. (word?) C-like languages work on data structures, whereas COBOL-like languages work on 'business' or 'work' structures. That is the inherent flexibility of the C-like languages vs. the COBOL-like languages. I can get C/C++/Java to work with basically any structure I want, but I'd have to bend over backwards to get COBOL to do a linked list. And I can do it in fewer characters to boot. (Programmers are lazy, ya know.)
You want your new whiz-bang language to survive? Make it flexible, make it terse, and make it fast. Perl met these criteria for many people. Java does too. VB was an aberration, surviving mostly on the sheer force of Microsoft's will. BASIC-like languages were certainly useful for what they were, but I'd argue today that a good scripting language like PHP is more appropriate for now.
}#q NO CARRIER
Well, isn't it obvious why Eclipse and NetBeans suck? Because the BileBlog said so! Sorry, I'm too lazy to find a quote on NetBeans.
This of course makes no sense on a lot of levels. The choice of a tool is completely dependent on the environment in which it is being used. If I have a mostly Java based system, with business objects and a database layer, it makes a lot of sense to use JSP's over PHP. A lot of that choice comes from the magnitude of the system in development, developer skills, etc. I'd even consider mixing the two technologies under certain circumstances. Large multi-tier systems are complex beasts that can quickly get out of control, and JSP's fit nicely into that scheme. PHP is a powerful scripting language with many great features in its bag of tricks, but it's still a scripting language and should be used correctly.
}#q NO CARRIER
Recently I discovered a Gentoo feature that now IMHO makes it the most enterprise Java friendly distro.
Besides supporting a bunch of JVMs, Gentoo integrates all the Java stuff in the Gentoo way: you can just "emerge jboss" and you will end up with a complete server environment with all the scripts, etc. Very nice.
Hardly. Kaffe already does a lot of things better than the non-free implementation does on a variety of platforms, and so does gcj. If there is *any* good, maintainable code in Sun's implementation after they hypothetically licensed it under an open source software license and the license was GPL compatible, then someone would merge it in, and make it work well.
Kaffe and gcj are not 'Java'. They are in a lot of ways better than the non-free implementations. And they are catching up quickly in those areas where they are not.
Sun's source code is simply getting more and more irrelevant every day. And that's a good thing for the Java platform, as it needs a second leg to stand on.
cheers, dalibor topic
For the class libraries, please go ahead and start sending patches for the 1.5 branch of GNU Classpath.
cheers, dalibor topic
I don't think so....
When was the last time you saw an ad for some device claiming "midp v.X.X"?? If you buy a device (say a mobile) the seller usually has no idea of what version of midp the device is, heck most people don't know what j2me is.... Face it, in the beginning people were excited over the possibility of running "cool apps" on their phones...well some years down the line and most people learned that the chances of some "cool app/game" working on their device is slim, you have to d/l the app/game version for that particular device...
Having been close to j2me developers, I can tell you they HATE sun..see, too much of the api is "up to the implementation", so the "write once run everywhere" is a sad joke... And people have realized that...no one is going into a store and asking "is this midp 2.0?? does it have sockets, more than one?? server sockets, does it support jsrxxx?....
Head over to the j2me.org forum and you will see (apart from the same newbie questions over and over again) questions like "I would like to do this, and then the user can do this, then the software do zat, how do I do it?" to which an answer is posted - "it depends on which device you are using, but for the most part....nope..can't be done"..
To be honest I did some developing myself, but soon got fed up with it and moved over to Symbian, which limits the number of potential customers - the device has to be a "smartphone"... but then again, doing it in midp x.x also limits the number of targeted devices... Oh, and I tell you, once you got your app through QA, some bug shows up, which you fix..and everything is dandy until you realize that you broke the builds for some devices, you scream about bugs in the kvm, read the affected javadoc and realize that it is possible to interpret the api in a great many ways and often it's "up to the implementer"...
Good lord, I get too upset...can't spell, feel light headed..I need to take a nap.
To tell the truth, no, for two reasons:
1. I still trust Firefox's Javascript implementation
2. I visit some sites that need that (gmail is one of them)
I'll do the stupid thing first and then you shy people follow...
> Java, which faces ongoing competition from Web open-source scripting tools, such as PHP
Is that a joke?
I mean PHP is great and all, but are there really fortune 500's out there going "you know what lets replace our entire java infrastructure with PHP"?
I tried for 5 years to come up with a clever sig...only to realize that I am not clever.
That the sound card won't work anymore. :(
I fault Microsoft. Microsoft's insecure formats for documents and spreadsheets have trained users to click "yes" to "Are you sure you want to open this?" messages. If I had to open 50 such files a day in the course of my work, as many people do, I probably would have clicked right through the applet dialog box myself.
Your employer's an idiot and has bought into the FUD. They should be infinitely more worried about hiring somebody who worked at another company before, since that person is also "infected" and this time with secret IP of that other company. GPL code is allowed to be read and examined, this employee is far, far worse, since even looking at the code is illegal.
In fact if "infection" was a legal worry, all software companies would have to hire everybody when they are about 3 years old and train them in-house on a special company-developed curriculum, with no ability to leave the premises or contact anybody outside.
You can port Java to any OS you want, you just can't fork the language or VM specification. Your port has to pass Java compatibility tests before you release it to the public. Have a look at blackdown.org for some 3rd party ports. Maybe you are the one for OpenBSD port?
.Net has better cross-platform compatibility than Java. I am running NetBeans on my Mac without any trouble. Please present a Visual Studio 2005 (which is rewritten in .Net) screenshot running on Mono. Besides Windows.Forms is designed around existing Windows APIs, not how people would like to write UI applications. Swing on the other hand could be rescued with good visual design tools. I am tempted to write a translator for InterfaceBuilder projects.
And you are kidding that
Well..I know, and I do understand, I just had an itch to scratch...you know..really frustrated with the implementations of the apis...
However, the success of Java is dependent on the quality of the apis, and there is much (imnsho) to be improved... Myself, I won't touch Java (for any serious project) ever again... As to how much money SUN is actually making from these royalties, I don't know.
Don't get me wrong - Java/JSP has its place. But for that matter, so do PHP and ASP (ugh, though), as well as .NET (double ugh - I just prefer open solutions). However, I don't think any company that has an established Java infrastructure and coders to support it is going to rip it out and replace it with PHP - unless they save money (ie, fewer developers needed, for example), time (takes less time to roll out new changes), or it give increased performance/security...
Reason is the Path to God - Anon
Yes, and Java. I haven't done big projects with either, but I've made a few applications, and Mono seems nicer.
I am trolling
I do.
cheers, dalibor topic
Nope. The JRL only allows research use -> no distributions. The JDL only allows distributing after passing the costly test suite -> no (volunteer based) distributions. The JIUL will only allow *internal* use -> no distributions.
cheers, dalibor topic
I think by harm they want to prevent it from being fragmented and risk losing a single standard.
Probably a reference to MS's attempt to create its own 'enhanced' jvm
Indeed, according to the FSF, that's a major reason the open source movement exists:
Digital Citizen
Now, even though the rest of your post was wrong, you are correct that claiming that Mono has more cross-platform support than Java is silly.
java is suitable for enterprise applications, but it's too bloated to be useful for anything quickly deployable that is stable. Java is highly unstable across platforms.. Sun should open source just by virtue of how unstable java is, it could use some optimization and simplification..
Personally I would be interested in reduced instruction set and resource constrained versions of the java VM.. I have a plan for a concept called a media object, which replaces files with objects that contain methods with the code (open sourced by design) for the purposes of converting media formats to the simplest yet flexible implementation..
I think the future of file formats are object formats.. MOV, WMV, RA, MPG, etc ==> Movie Object, which contains the methods to interpret the encapsulated movie data.. The methods implemented in open source (by definition, mechanism, otherwise it will not work). Use CRC and Public Key Encryption to protect the integrity of the object methods from manipulation. Applications that load the media objects would run the media objects atop a VM.. This VM could be the open sourced Java VM.. If so, it would do away with vendor-lockin and leveraging practices that are enabled with static file formats.. Object formats are harder to leverage, especially if the method sets are open sourced by definition. Also it keeps the files from being obsoleted, as the libraries that extract the data are with the data (the definition of an Object).
The purpose of this organization would be to encourage the convergence on a simple set of object media container formats, that are flexible enough to change without causing applications to become incompatible (by supporting the basic interface at the very least).
Just say no to license servers!!
Read the fine posts before you press Submit.
cheers, dalibor topic
With the one liner, I so often reach for FileFilter and FilenameFilter that I overlooked the plain ol' String[] list() for this example. My bad.
-Stu
:) Actually, I noticed that just after I hit submit, and have been waiting for someone to call me on it.
My response? That's what the compiler is for; to catch my typos!
If you're not living on the edge, you're just taking up space!
Yeah, I saw the article, but didn't read up on the in-depth details of how it worked at the time. Anyway...
1) The Java Community provides an OS-dependent security call for the JVM to make that would make contents available to any available AV software for inspection.
This still doesn't solve the problem of encryption (even something as simple as XORing). The problem is recognising native executable code as different from JVM bytecode, when all you're looking at is essentially a string of (optionally encrypted) characters. IIRC, you'd have to make the .jar's contents available and crack any encryption or it'd be essentially worthless.
2) Monitor calls that create or rename system files. This would monitor data flowing through JNI, watching for OS-dependent commands that create or rename files with specific file names to executable extensions, and either disallow them or request permission. This is native direct OS API stuff, not trying to determine what any program called might do.
Granted, this has a chance of working, but it would be a bit of a nightmare to keep the list of "executable files" up-to-date - straight off the top of my head I can think of exe, com, bat, vbs, js, wsh, pif, cmd and lnk files - any of which can be used to create or somehow launch executable code (and Microsoft does seem to like frequently creating new executable types).
Assuming the list is kept up-to-date, asking the user before creating or opening any of these filetypes would work, but you'd have to be careful to make the user understand what was happening, and we'd essentially end up with the same problem as before - user blithely clicks "yes" and the whole thing unravels...
The major problem is the naive user is in the loop. The "Firefox exploit" (sic) worked because the user didn't know any better than to click "yes, I trust this company" - replacing this simple question with a slightly more complex one ("yes, I trust this company to download/open/rename this file to that filename") doesn't stop the problem. If anything it only makes it worse (since in my experience if a user doesn't understand a question they tend to just hit "yes").
Basically, to avoid naive user attacks you need to
1) Educate the user (not likely, at least in the short term - classic users are lazy and stupid), or
2) Take the naive user out of the loop - have some automatic way of detecting and preventing the exploit, so a naive user can't drop their spyware defences.
You can't fix a social exploit without educating the user or taking him out of the loop...
Everything in moderation, including moderation itself
This still doesn't solve the problem of encryption (even something as simple as XORing).
Anti-virus deals with that. They look for binary patterns, and yes much of it is encrypted. The point is to make the payload available for standard existing anti-virus inspection, just as any other payload coming onto the system is inspected.
The list of executable extensions is OS dependent and is already done by email monitoring for attachments. It is the same extension list, everything that is executable, which I was surprised to find out a while back included the wallpaper extension.
These security checks would be handled by a JVM call to a Java Community OS security interface. None of it involves the user. They aren't supposed to click on executable attachments and they do, so many email systems have to ban executable attachments.
I contend the Java security dialogue is obscure at best. There is no way that I would know that that gives permission to install Windows programs. If I don't know that, I don't know how very many others would know it either.
But your points are well taken. It must be automatic, and I lay out three steps to make that automatic detection and stop it. The Java Community needs to act on it. Thanks.
rd
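A sketch of the automatic "executable extension" check that both posts above describe (point 2 in the first, and the OS-dependent extension list in the reply), written as an added example rather than Sun's, the Java Community's, or any poster's code. The class name, the per-OS extension set and the Windows name-normalization rules are assumptions; the extension list itself is the one given in the thread.

```java
import java.util.Locale;
import java.util.Set;

/** Decides whether a file name that a native (JNI) call wants to create or
 *  rename to is an "executable" type. Added example; the extension set and
 *  the normalization rules are assumptions, not a Java Community API. */
public final class ExecutableNamePolicy {
    // Per-OS list; in a real deployment this would be loaded from data so it
    // can be updated without shipping a new JVM. Here: the list from the thread.
    private static final Set<String> WINDOWS_EXEC_EXT =
        Set.of("exe", "com", "bat", "vbs", "js", "wsh", "pif", "cmd", "lnk");

    private final Set<String> execExt;

    public ExecutableNamePolicy(Set<String> execExt) { this.execExt = execExt; }

    public static ExecutableNamePolicy forWindows() {
        return new ExecutableNamePolicy(WINDOWS_EXEC_EXT);
    }

    /** Normalizes the final path component the way the Windows shell does:
     *  case-insensitive, trailing dots and spaces dropped, and only the LAST
     *  extension counts, so "report.txt.exe" is treated as an .exe. */
    static String effectiveExtension(String path) {
        String name = path.replace('\\', '/');
        name = name.substring(name.lastIndexOf('/') + 1);
        // Windows silently strips trailing dots/spaces: "update.EXE." is "update.EXE"
        int end = name.length();
        while (end > 0 && (name.charAt(end - 1) == '.' || name.charAt(end - 1) == ' ')) end--;
        name = name.substring(0, end);
        int dot = name.lastIndexOf('.');
        if (dot < 0) return "";
        return name.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    /** True when creating or renaming to this name should be refused (or at
     *  least logged) automatically, with no user prompt, as the thread argues. */
    public boolean isExecutableName(String path) {
        return execExt.contains(effectiveExtension(path));
    }

    public static void main(String[] args) {
        ExecutableNamePolicy p = forWindows();
        // Constructed sample names covering the tricky cases above
        String[] samples = { "C:\\Users\\x\\photo.jpg", "C:\\tmp\\report.txt.exe",
                             "update.EXE.", "readme.txt", "C:\\tmp\\noext" };
        for (String s : samples)
            System.out.println(s + " -> " + (p.isExecutableName(s) ? "BLOCK" : "allow"));
    }
}
```

Because the decision is a pure function of the name and a per-OS data set, the prompt the posts worry about never appears; keeping that data set current is the maintenance cost the first post points out.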