Slashdot Mirror


Oracle Removes Java Signatures, Breaking Webstart

sproketboy writes "It seems Oracle has decided in their infinite wisdom to remove digital signatures from the Java projects that they put into the open source community. Of course this breaks any application out there depending on Java Webstart using these libs. Looks like Java3D and JAI are currently affected — probably other APIs are as well. Oh Oracle! What are we supposed to do with you?"


  1. Oracle only said they'd keep it open source by Chrisq · · Score: 5, Insightful

    Oracle only said they'd keep it open source. They never said they'd let you use it.

  2. Proprietary programming languages by lordmetroid · · Score: 2

    Why do we even need corporations to be involved and in control of our programming languages. Is it not time to rid ourselves as programmers from the tyranny of these greedy organizations by simply choosing to not use proprietary programming languages?

  3. Security risk...sure. by Anonymous Coward · · Score: 4, Insightful

    from FTA:

    It's been several years since Oracle (previously Sun) stopped providing support for the open source Java3D projects. It was decided that keeping binaries signed with old Sun signing certificates represented a potential security risk, and because of this, we have removed the old Sun signing certificates for the binaries on download.java.net.

    Cause you know...that makes sense.

  4. It's Their Culture by WrongSizeGlass · · Score: 4, Insightful

    Oracle is used to dealing with very large corporations. Now that they have their hands on Java, which directly affects many users, web hosts (large and small), etc, etc they just don't know how to handle things. Forcing major changes onto companies that Oracle has by the implementation & licensing balls is one thing, but trying to force major changes onto the real world will only lead to a backlash and the adoption of alternatives to Java.

    It will take a little time to untrench Java, but the intertubes won't stand for this type of reckless and disrespectful behavior. A change is a commin'.

    1. Re:It's Their Culture by ultranova · · Score: 4, Insightful

      Forcing major changes onto companies that Oracle has by the implementation & licensing balls is one thing, but trying to force major changes onto the real world will only lead to a backlash and the adoption of alternatives to Java.

      Are there alternatives to Java? Mandatory bounds checking, garbage collection and all that implies, and inability to break type safety combined with good execution speed are not easy to implement, especially in a multi-platform way.

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

    2. Re:It's Their Culture by asdf7890 · · Score: 2

      Because, exactly as he states in the message you replied to, that expensive Oracle DB comes with a useful SLA-bound support contract where-as MySQL comes with nothing of the sort.

    3. Re:It's Their Culture by ultranova · · Score: 2

      They removed casts and NULLs from Java?

      Trying to cast an object into an incompatible type results in an exception. Trying to use a null pointer results in an exception. Both exceptions can be caught and handled. They don't leave the program in an undefined state, as they do in C or C++.

      --

      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

    4. Re:It's Their Culture by DaftDev · · Score: 2

      His parser relies on JAI you insensitive clod!

    5. Re:It's Their Culture by binkzz · · Score: 3, Funny

      Are there alternatives to Java? Mandatory bounds checking, garbage collection and all that implies, and inability to break type safety combined with good execution speed are not easy to implement, especially in a multi-platform way.

      I hear good things about Flash. They just released a new version so I'm certain it'll be around for a while.

      --
      'For we walk by faith, not by sight.' II Corinthians 5:7

    6. Re:It's Their Culture by luis_a_espinal · · Score: 2

      inability to break type safety

      They removed casts and NULLs from Java?

      By the way, Go and D seem decent alternatives.

      Do they have a component model and architecture? Remote debugging out of the box? Ability to step through back and forth a stack call while on debugging mode? Management extensions? A similarly sizable application ecosystem?

      Don't get me wrong, I think Go is a far superior language than Java, but it does not have anything of the sort mentioned above (whereas Java does). And as Google itself has said it, Go is a systems programming language intended to replace C and C++, not Java.

      There is a lot more to development of applications and systems than language and language syntax. There are also run-time factors to take into account. Ergo, a good alternative for Java must provide everything that the JVM (and the ecosystem around it) provides (because people don't just use Java technology for the language, but for the JVM, the ecosystem and the extensive body of knowledge around it.)

      Looking at languages alone is very narrow-minded if you ask me.

  5. Re:Die! by Chrisq · · Score: 4, Funny

    Die Java! Die! Go Oracle! Kill this shitastic language! Once it's dead, the horde of Java "programmers" can go back to being fry cooks like they were before Java was created.

    fry cook! If only .... I was a C++ programmer

  6. Re:Die! by TheRaven64 · · Score: 3, Insightful

    Sure, just like how all of the crap programmers left the industry when COBOL, and VB6 went out of fashion...

    --
    I am TheRaven on Soylent News

  7. Re:Die! by ByOhTek · · Score: 5, Insightful

    There are plenty of good Java programmers. Yes there are more crap java programmers. But I can't think of any language for which that ISN'T true.

    --
    Self proclaimed typo king, and inventor of the bear destroying coffee table (patent not pending).

  8. Re:destroying open source by Lennie · · Score: 4, Informative

    Actually, Oracle might not have bought Sun if they could not sue Android:

    "Miguel De Icaza has provided a very interesting insight into the case. His report has been confirmed by James Gosling, known as the father of Java who left Sun right after the merger. Icaza speculates that the potential to monetise on Java by suing Google was pitched by Jonathan Schwartz during Sun's sales talks with Oracle. Oh boy."

    http://techcrunch.com/2010/08/13/android-oracle-java-lawsuit/
    http://tirania.org/blog/archive/2010/Aug-13.html
    http://www.osnews.com/story/23684/De_Icaza_Sun_s_Schwartz_Pitched_Google_Lawsuit_to_Oracle

    --
    New things are always on the horizon

  9. Re:Shot themselves in the foot by headLITE · · Score: 5, Insightful

    If you have an HR webstart app that loads libraries from random servers on the internet, you probably deserve what you get...

  10. Serves'em right by Meneth · · Score: 5, Insightful

    Serves JavaWebStart coders right for relying on third-party, online systems.

    In that vein, one can consider what would happen if Google suddenly stopped hosting JQuery: about half of the javascript-using websites in the world would stop working. :)

  11. Re:Waiting by Anrego · · Score: 2

    Much as I love java, doing serial port comms with it sounds downright painful. I'd be using c/c++ for that if at all possible (and not through JNI ;p).

  12. Re:FORK IT! by mswhippingboy · · Score: 3, Insightful

    Right. Then just wait for the patent infringement suits to start rolling in. You can probably safely fork the language as long as you don't try to run the resulting binaries in a VM of any kind.

    --
    Sometimes the light at the end of the tunnel is the headlight of an oncoming train.

  13. Will Google please buy Java? by cowwoc2001 · · Score: 2

    For the love of god. Put Oracle out of its misery. They're killing a good thing.

  14. Problem exaggerated by prionic6 · · Score: 4, Insightful

    I don't like oracle either. But if you are writing a webstartable application, you probably have the infrastructure to sign your own jars. So you could sign the Java3D-jars yourself and distribute them together with your application. Depending on availability of something like http://download.java.net/media/java3d/webstart/release/j3d/1.5.2/windows-i586/j3dcore-d3d_dll.jar - signed or not - isn't really advisable anyway.

    1. Re:Problem exaggerated by Anonymous Coward · · Score: 4, Insightful

      Yea I don't see the big issue. I always thought it is VERY bad practice to depend on external links to libraries, especially if you're already providing some libraries yourself (e.g. your app). Who knows how long these links stay valid, it can lead to inconsistencies and so on. If they're not under your control, you shouldn't have any expectations.

      If this breaks things for you, you did something wrong to begin with.

    2. Re:Problem exaggerated by prionic6 · · Score: 2

        <resources os="Windows" arch="x86">
          <nativelib href="j3d/1.5.2/windows-i586/j3dcore-ogl-chk_dll.jar" download="eager"/>
          <nativelib href="j3d/1.5.2/windows-i586/j3dcore-ogl_dll.jar" download="eager"/>
          <nativelib href="j3d/1.5.2/windows-i586/j3dcore-d3d_dll.jar" download="eager"/>
        </resources>

        <resources os="Windows" arch="amd64">
          <nativelib href="j3d/1.5.2/windows-amd64/j3dcore-ogl_dll.jar" download="eager"/>
        </resources>
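
An added example, not part of the thread or any poster's code: a Python check a deployer could run over a JNLP descriptor like the one quoted above, listing which `jar`/`nativelib` resources come from a host they do not control and whether each jar still carries signature files. The host `apps.example.test`, the sample descriptor, the jar contents and all helper names are constructed for illustration; the check looks for the presence of META-INF signature files, not their validity.

```python
import io
import xml.etree.ElementTree as ET
import zipfile
from urllib.parse import urljoin, urlparse

SIG_BLOCK_EXT = (".RSA", ".DSA", ".EC")

def jar_signature_state(jar_bytes):
    """'signed', 'incomplete' or 'unsigned', judged from META-INF entries only.
    Presence check, not verification; `jarsigner -verify` does the crypto."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = [n.upper() for n in zf.namelist()]
    meta = [n for n in names if n.startswith("META-INF/") and n.count("/") == 1]
    has_sf = any(n.endswith(".SF") for n in meta)
    has_block = any(n.endswith(SIG_BLOCK_EXT) for n in meta)
    if has_sf and has_block:
        return "signed"
    return "incomplete" if (has_sf or has_block) else "unsigned"

def audit_jnlp(jnlp_text, own_host, fetch):
    """List every jar/nativelib in a descriptor with its origin and signature state.
    `fetch(url) -> bytes` is injected so the audit can run offline.
    The descriptor is assumed to be your own; use defusedxml for untrusted XML."""
    root = ET.fromstring(jnlp_text)
    codebase = root.get("codebase", "")
    if codebase and not codebase.endswith("/"):
        codebase += "/"
    findings = []
    for res in root.iter("resources"):
        for el in res:
            if el.tag not in ("jar", "nativelib"):
                continue
            url = urljoin(codebase, el.get("href"))
            findings.append({
                "url": url,
                "os": res.get("os"),
                "arch": res.get("arch"),
                "third_party": urlparse(url).hostname != own_host,
                "signature": jar_signature_state(fetch(url)),
            })
    return findings

def needs_rehosting(findings):
    """Resources that sit on someone else's host and are no longer fully signed."""
    return [f["url"] for f in findings
            if f["third_party"] and f["signature"] != "signed"]

def make_jar(signed, sf_only=False):
    """Build a constructed jar in memory; contents are placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("j3dcore-ogl.dll", b"constructed placeholder")
        if signed or sf_only:
            zf.writestr("META-INF/SIGNER.SF", "Signature-Version: 1.0\n")
        if signed:
            zf.writestr("META-INF/SIGNER.RSA", b"constructed placeholder")
    return buf.getvalue()

# Constructed descriptor: hrefs follow the snippet above, the last entry is hypothetical.
SAMPLE_JNLP = """<jnlp codebase="http://download.java.net/media/java3d/webstart/release/">
  <resources os="Windows" arch="x86">
    <nativelib href="j3d/1.5.2/windows-i586/j3dcore-ogl_dll.jar" download="eager"/>
  </resources>
  <resources os="Windows" arch="amd64">
    <nativelib href="j3d/1.5.2/windows-amd64/j3dcore-ogl_dll.jar" download="eager"/>
  </resources>
  <resources><jar href="http://apps.example.test/lib/app.jar"/></resources>
</jnlp>"""

def sample_fetch(url):
    """Stand-in for a download: own host serves a signed jar, others unsigned."""
    return make_jar(signed=urlparse(url).hostname == "apps.example.test")

if __name__ == "__main__":
    for url in needs_rehosting(audit_jnlp(SAMPLE_JNLP, "apps.example.test", sample_fetch)):
        print("re-sign and self-host:", url)
```
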

  15. Re:Die! by i_ate_god · · Score: 2, Interesting

    Python seems to think it isn't true.

    Java assumes everyone is a bad programmer.

    --
    I'm god, but it's a bit of a drag really...

  16. Re:destroying open source by Bill_the_Engineer · · Score: 3, Insightful

    Miguel De Icaza has provided a very interesting insight into the case.

    A proponent of Mono/C# has damning insight on Java... Color me shocked.

    --
    These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...

  17. Re:Shot themselves in the foot by pavon · · Score: 3, Informative

    Many of the Oracle enterprise applications are Web Start applications.

    But they don't use Java3D or JAI, and thus won't have this problem. Honestly, I'm not surprised at this move. Java3D and JMF have been neglected by Sun for years, and are pretty much considered to be abandoned APIs (for example JMF has no x86-64 support, and Java3D only supports the software renderer for x86-64). We have been moving away from them wherever possible.

  18. Self-signed? Big Scary Warning! by tepples · · Score: 2

    It's a 5 minute job to package the jar yourself and sign it.

    And a how many minute job to earn money to buy the certificate from a CA to sign your signature?

    1. Re:Self-signed? Big Scary Warning! by tepples · · Score: 2

      Please pardon me for being a noob to code signing. From the linked page:

      Before you continue, make sure, that you have at least two recent documents

      It mentions both a passport and state ID. In the United States, not a lot of people have a passport because not a lot of people have a need to travel internationally. So most people carry only a state ID such as a driver's license. What second document should people who never leave their home country use?

      And what should I do once I've bought the certificate, but I need to push out a security update after it has expired?

    2. Re:Self-signed? Big Scary Warning! by Short+Circuit · · Score: 2

      I don't have a current passport, either. Mine expired years ago, even before 9/11.

      Ultimately, I wound up sending them pictures of my state ID, birth certificate and cell phone bill. I tried sending two different photo IDs, but they sent me an email asking for a copy of the birth certificate. They're reasonably friendly and will work with you to identify the documents you'd need.

      As for security updates...I don't know. It will depend on the context. Just a guess, but I imagine that, if you're using your own certs to verify updates, then push out an update including the new cert, before the old cert expires.

      I got the StartSSL certs so I could have non-scary SSL certs for my website. It was only after I got the identity cert that I noticed they talk about certs for code signing. However, that's not something I've messed with.

    3. Re:Self-signed? Big Scary Warning! by Short+Circuit · · Score: 2

      I don't know about Java and WebStart, but when I go to install or launch a signed-but-untrusted binary (such as something that's fresh out of a browser's download queue), Windows gives me the signer's name and other cert details, and asks me if I want to run code by them.

      Cryptographically signing something only tells the end-user *who* it was signed by. You still have to decide whether or not to trust that Who. I expect the implementation details of that are going to be specific to WebStart and the JVM in question. Not my area of expertise.

    4. Re:Self-signed? Big Scary Warning! by Short+Circuit · · Score: 2

      TL;DR version of my other reply.

      So anyone can sign those java libraries

      Sure.

      and have them work without problems?

      Probably not.

      Sounds strange to me. What if someone signs a trojaned library?

      Was it someone you chose to trust? Then you're screwed. If it's not someone you chose to trust, then you still have the option of choosing whether or not to trust them before you run the library. In short, do your homework. Or let your package maintainer do it for you; your operating system should already be set up to ensure updates from upstream are trusted, and your package maintainer should be on the ball about being sure *his* upstream is trusted.

  19. What to do? by ShadowEFX · · Score: 2

    Oh Oracle! What are we supposed to do with you?

    Nuke it from orbit...it's the only way to be sure.

  20. Webstart download these libs from where? by Anonymous Coward · · Score: 3, Insightful

    To blame is the infinite wisdom of developers that decide to reference libraries from Oracle servers. They could instead sign all the libraries themselves and put them on their own download servers. That has the added benefit that Webstart doesn't need to rely on dozens of third-party download hosts to be up and running, but only your own host must be up.

  21. Re:Die! by wezelboy · · Score: 2

    INTERCAL.

  22. Re:destroying open source by Lennie · · Score: 2

    And this has no merit ?:

    "James Gosling, the father of Java who left Sun soon after it was acquired by Oracle, writes on his blog that Oracle was eying the Java patents as part of the Sun acquisition:

    Oracle finally filed a patent lawsuit against Google. Not a big surprise. During the integration meetings between Sun and Oracle where we were being grilled about the patent situation between Sun and Google, we could see the Oracle lawyer’s eyes sparkle. Filing patent suits was never in Sun’s genetic code. Alas.

    I hope to avoid getting dragged into the fray: they only picked one of my patents (RE38,104) to sue over."

    http://techcrunch.com/2010/08/13/android-oracle-java-lawsuit/
    http://nighthacks.com/roller/jag/entry/the_shit_finally_hits_the

    --
    New things are always on the horizon

  23. Re:Die! by Chrisq · · Score: 2

    What landed on your head to make you switch to ....... java?*shutters*

    If I'm honest it was money. But I don't miss pointers, references, destructors, the pre-processor and many other things in c++

  24. Re:Die! by GNUALMAFUERTE · · Score: 2

    http://thedailywtf.com/Articles/Python-Charmer.aspx

    There are bad programmers everywhere, but yes, the concentration of bad coders in Java, ASP, VB, C# and anything .net related is 10 times that of any other language.

    --
    WTF am I doing replying to an AC at 5 A.M on a Friday night?

  25. Modula 3 by hendrikboom · · Score: 2

    Yes. Modula 3, for example, has

    Mandatory bounds checking, garbage collection and all that implies, and inability to break type safety combined with good execution speed

    .

  26. Re:Alternative! by Cigarra · · Score: 2

    --
    I don't have a sig.

  27. Re:destroying open source by Bill_the_Engineer · · Score: 2

    Merit v. Motive.

    There is no proof and neither James Gosling nor Jonathan Schwartz have said that the sole reason Oracle purchased Sun was to sue Google. Nowhere did I see the ability to sue Google being a requirement for the sale. I can see this legal issue being a sticking point because of the possible liability not that it was an asset.

    Oracle does want to monetize Java (just like most open source providers of software) and one way is to protect their investment through patent enforcement. The topic of Google's possible infringement of these patents was brought up at the integration meetings as reported by Gosling. I put this in the "no shit sherlock" category of information. Only a total moron would not bring this subject up at the meetings. Did Sun provide a license to Google? No. Was Sun interested in providing a license to Google prior to the possible merger? No. Now that Oracle was purchasing Sun would they finally decide what to do about this infringement? Yes.

    Oracle was inheriting some IP conflicts with the purchase of Sun. This is not uncommon when any large corporation purchases another large corporation.

    So how do you spin this information? Evidently you can take the tabloid approach that uses some fact out of context to justify a hypothesis that was pulled out of his ass.

    Hypothesis: The reason Oracle purchased Sun was to sue Google.

    Evidence Provided: At an integration meeting the subject of Google's use of Sun's patents was brought up.

    Miguel: The evidence is proof that Oracle purchased Sun to sue Google.

    A more reasonable explanation: Oracle purchased Sun for the hardware and software portfolio that would shore up its position in enterprise computing. During the merger process the subject of Google's use of Sun's IP was discussed. It was probably decided that this loose end needed to be tied up for accounting reasons. Either sell a license to use these patents to Google and record it as an asset (accounts receivable at the time of the merger) or failing that sue Google for the patent infringement and record it as a liability (accounts payable at the time of the merger).

    But back to your question:

    And this has no merit ?

    Maybe not as much as you had hoped.

    Motive?

    To score points for Miguel's favorite platform: Mono.

    Proof?

    (From Miguel's blog) Too many engineering resources are devoted to Android at Google and at their partner companies, but I can not help to think that Google could migrate Android from Java to the ECMA/ISO CIL and C#.

    Unlike the Java patent grant, the Microsoft Community Promise for both C#, the core class libraries and the VM only require that you have a full implementation. Supersetting is allowed.

    --
    These comments are my own and do not necessarily reflect the views or opinions of my employer or colleagues...

  28. Java won't be missed by horza · · Score: 2

    Though I've been a professional Java programmer I never enjoyed it as much as the other languages. It died on the desktop, it died on the web, but got a good foothold in the enterprise web services side. Mostly thanks to Sun driving it very hard, and it riding on their reputation of Sun's rock solid hardware and Solaris OS.

    Oracle has done a good job of killing it. It is clear the owners don't care about it, it's sinking in a legal mire, and now it breaks in ways that would never have happened under Sun's stewardship. Time to move on.

    Phillip.

    1. Re:Java won't be missed by sproketboy · · Score: 2

      To what? Seriously. Point me to something that can replace Java.

  29. Indeed. by luis_a_espinal · · Score: 2

    What landed on your head to make you switch to ....... java?*shutters*

    If I'm honest it was money. But I don't miss pointers, references, destructors, the pre-processor and many other things in c++

    Same here. Actually not but... anyways. For me it was from C/C++ (from the days of C++ without anything resembling the STL) to Java (for the money), and like you, I didn't miss the segfaults and the "ooops, I forgot to define my function args as references, causing accidental pass-by-values" or the stupidity of the throws clause (which fortunately it is being deprecated in C++0x). With the Java standard library, productivity went off the roof.

    But 12 years later, now I'm back to C++ ... also for the money (good C++ + embedded software = moolah), but also because I got fed up of the crappy Java developers out there. There used to be a time that to be a Java developer you were among the leading edge sh*t dudes. Now, bleh. The JVM work landscape is only interesting and challenging if one is doing Scala, Groovy, or Clojure.

    But now that I'm in C++, there are also shitty programmers there. And oh man, do I miss the Java standard library (no, Boost doesn't match it), and more than that, oh, I do miss the JVM's clear exception semantics, the JVM enums (and their semantics and capabilities), the ability to rewind a call on the call stack when debugging, remote debugging right off the box, arguments passed by values where all arguments (sans primitives) are references.

    I have my gripes with some of the design decisions in the Java language, but man, there is some really good advanced shit in there, superior than what is in C++. C++ is a convoluted, everything-and-the-kitchen sink programming language.

    If I had my say, I would work with plain C instead. Don't anyone get me wrong, I enjoy working with C++, not because of the language, but because of the technical challenges of doing object-oriented systems development as opposed to object-oriented application development. But if you are really objective, C++ has a horrendous number of warts. Syntactically, sometimes it makes refactoring a bit harder than what one would naturally do in Java.

    That's my opinion, so take it with a grain of salt.