Slashdot Mirror
Java 8 Delayed To Fix Security
mikejuk writes "Java Development Kit 8, planned for September 2013, is being delayed until next year because of 'a renewed focus on security.' Java has been having security publicity problems recently, but Oracle now seems to be taking them more seriously. Mark Reinhold, chief architect of the Java platform group, said, 'Maintaining the security of the Java Platform always takes priority over developing new features, and so these efforts have inevitably taken engineers away from working on Java 8.' The major change still to be made to Java 8 is Project Lambda, which Reinhold says is 'the sole driving feature of the release.' He laid out alternatives, such as dropping Lambda from this release, but said Oracle has decided instead to wait until Lambda is ready. The revised schedule for JDK 8 has a developer preview scheduled for September, a release candidate scheduled for January 2014, and general availablity scheduled for March 2014. The delay means that Java SE 9 will probably be released in early 2016, rather than late 2015."
The goal should be to provide the best security possible with out getting in the way of the programmer. I'm confused on what the focus was before :S
Doesn't' a 'renewed' focus on security imply the existence of a focus on security at some prior point in time?
Sure, the JVM itself always got a reasonable amount of love, and the historically-comical nature of Windows security took some of the heat off browser plugins; but has the 'well, if we just add a sandbox, we can take something that works fairly well for instruction-set and OS abstraction of trusted workloads and adapt it to the 'run any old shit the internet throws at you' use case ever been anything but a bad idea waiting to bite?
What they should really do is reconsider if applets really is that important anymore and just scrap the concept completely. At least that's where the problem seams to be most of the time.
...an Ask toolbar I have to deselect whenever there's a security update (around twice a week), it's all good!
If security was at all a real concern, let alone a priority, java would never install itself as a plugin in every browser it can find, ready to run arbriary code from untrusted sources, by default and with every update. All credability here has been lost ages ago.
For everything, I suppose.
Not many other parasites sing such high praise for their HOSTS.
At the very least it should be either an optional (with the default set to "no") or separate install. There are still some systems that require it. I have an old HP JetDirect I still use to put an even older HP LaserJet 4 on our network, and it's interface is a Java applet.
The world's burning. Moped Jesus spotted on I50. Details at 11.
For chrissakes, will somebody just fork Java and have done with this persistent Oracle nonsense?
I mean, sure, it's good Oracle is doing this. They're just way late, as usual.
Why doesn't somebody just fork it (from back when it was easily forkable), then re-implement the security fixes?
Granted, it would take a lot of work to do that NOW, but if somebody had done it way back when it should have been done, it would have been lots easier.
I firmly believe that an active open source community would be a much better caretaker of Java. Oracle has proven again and again that it doesn't care much about people who actually use Java.
Strange fortune cookie or whatever else that quote at the bottom of a Slashdot page is called:
To err is human; to forgive is simply not our policy. -- MIT Assasination Club
Seems somewhat awkward given events in Boston over the last 24 hours.
I feel like one of those UFO people standing in a field waiting for little green men to pop out of flying saucers on the second blue moon when the planets line up just right with the moon. I want to believe, really I do want to believe. But like the buffoon in the field waiting on the little green men I'm going to be waiting a very long time before Oracle /gets/ security.
It takes a lot more than simply delaying a given release of a given product to get your security ducks in a row. Here are some things Oracle needs to start embracing if they want to be taken half as seriously as Microsoft (never would have imagined saying that a decade ago).
Make it easy for security related people to get hold of you at any time of day on day of the year.
Make it easy for people supporting your products to know what is wrong with your products.
Release updates about what is wrong with your products in a timely manner.
There is never an excuse to take longer than 60 days to release a patch - ever.
Realize that the 'bad guys' don't operate on quarterly release schedules!
Provide workarounds for security vulnerabilities that make it easier to keep your product than remove your product.
Provide information about vulnerabilities faster than the news media, will they control the message or will you?
You can't stop the message from getting out, so at a minimum always provide a 'were working on this and we'll get it out asap' note.
Security through obscurity does not work in the real world, repeat until stop practicing this!
Make it easy to find out about vulnerabilities, navigating your website is only sanely done through Google.
Version control, automatic updates should NEVER move upgrade between major versions.
Oracle, I applaud that you are starting to take your head out of the sand, but you still don't get security and until I start to see some of the real world changes I listed above I'm going to continue to rank you one of the highest security risks any organization has to deal with.
... they've delayed it indefinitely?
It's too late for Java.... The damage has already been done and nothing they say or do will make me use java on anything!
It really should say Java 8 canceled to fix security.
They should update their version number with every security release so they can keep up with Chrome and Firefox.
For the love of god please optimize Java.
Agree 100%. Consider that applets were created back when Flash didn't exist, HTML 5 wasn't even a thought in someone's head and Javascript was a toy.
They've been superseded and should be dropped completely. A big step to improving security is simplifying the codebase.
Danske Bank requires Java browser plugin to access their online banking, because it supposedly "enhances security".
In reality: Online payment's have become nightmare to do cause it frequently crashes during payment, and it's not always clear how you can restart only the payment process to avoid doing duplicate order to web store.
For their defense I can say that after last bug/update cycles of Java they seem to have become so frustrated also that they've decided to scrap that requirement, and in few months or so they too are removing the Java requirement!
There is probably many crucial systems still relying on that browser plugin support, unfortunately.
There's not enough space on your computer screen for that revision number.
-It comes out almost as often as Flash
-I don't see sites using it
-LibreOffice doesn't need it (unless you use Base)
So I didn't install it on my new box back in July 2012.
To date: Not one site yet complaining about it not being there.
Java as web browser plug-in is no longer needed. It's done.
Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
But, still no fucking unsigned integers in Java! Jeezusfuckingchristalmighty!!
You can telnet into a JetDirect card to control it without the fancy web interface. Bonus if you make an application to simplify the process.
I am becoming gerund, destroyer of verbs.
Maybe if they hadn't let the featureset get so stale over the years, they wouldn't have to make a choice between cleaning up the mess that is Java vs. achieving parity with .Net. They should have added lambdas years ago, but it's like pulling teeth to get them to make major releases.
Why is Java still persisting with this notion that it should be a browser plugin? No one wants Java as a browser plugin and that's where the security vulnerabilities have been found. Meanwhile, in the area where Java is popular (the server and, to a lesser extent, desktop applications) and in need of the features that Java 8 was supposed to bring, these security problems are a secondary concern--there's very little need to worry about malicious code when you're not downloading it from an untrusted source.
It's time to retire Applets and Web Start entirely and leave Java to the things it's good at.
"Don't blame me, I voted for Kodos!"
It could be argued that if you are manipulating classes that represent some sort of number or mathematical type, using methods like add() or multiply(), instead of using arguably much more intuitive operators is just as unwieldy or unclear (while the only sustainable argument against operator overloading in Java is actually isomorphic to objections about poor naming conventions for identifiers, and has nothing to do with operators, specifically).
So why is it that they figure that they should make actual changes to the language to provide syntactic sugar for what can be accomplished with anonymous classes when they figure it's not appropriate to do the same with classes which happen to represent some sort of mathematical type, the number of actual cases for which are not bounded, since the dimensionality of such types is not restricted, and there may be cases where you want a class to only deal with a specific cases rather than be a more general class (eg, one might want to make use of a specific 3x3 matrix class instead of using a general matrix class, or a tuple of Complex or BigInteger values, instead of a tuple of double values).
File under 'M' for 'Manic ranting'
The problem is _WHERE_ java is actually used. For the most part that is "enterprise software" and embedded gear. At work its pretty much unavoidable, from the IP KVM's, and fibre switches with their java applets to enterprise middleware running all over the place. Its apparent what all those java developers have been doing for the last decade.
In many cases, simple HTML applications would have been much better but some organization hired a java programmer to write the back-end and the front-end ended up being java too. I can't tell you how often I've seen something as simple as a little monitoring app with a dozen configuration options that requires java and 500MB of memory to retrieve a dozen log messages a day and show a couple blinking lights.
For the home user its pretty easy to avoid java. public web sites rarely have java applets (can't even remember the last one I saw). The few consumer java applications almost always have competitors that are just as good (and generally perform better anyway). I refused to install java on my home machines ~7-8 years ago. I haven't missed it. Flash is nearly there too.
So in many ways, an IT guy could hide/avoid a lot of the java problems by disallowing java applets at the firewall/web proxy level. Personally, if I were a CTO or similar I would include a platform/java questionnaire in my RFP/purchasing matrix and deduct points if the item has java.
It might be possible to write good java applications, but from what i've seen applications written in java seem to be the lowest quality ones. Whether that is some kind of self selection process for java programmers, development managers, or something fundamental in the technology I can't say, but it does appear to be there.
Forget the screen, most processors can't handle numbers that large!~
If that's "always" the case mate, give up, and go back to burger king. You guys are just shit at it.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
They should update their version number with every security release so they can keep up with Chrome and Firefox.
I'm sorry, but I'm not turning on hugepages support on my desktop just to read a version number.
Quo usque tandem abutere, Nimbus, patientia nostra?
Don't forget everything Android.
They learn how to properly use launchd items in OS X if they are going to be supporting Apple. Learning how to use a preference .plist so we can remotely manage updates without having to write bash scripts and stuff would help to
"Slashdot, where telling the truth is overrated but lying is insightful."
Many people here are completely missing the point. First the ones that say that Java is insecure (it's not) and the ones correcting them saying that the Java Browser Plugin/Java Applets that are insecure (they are right on this) and should be removed from Java.
The problem with Java Applets is the same problem that you have with ActiveX, they suck because they run third party code in a sand-box like manner and isolating that kind of code from your precious system is pretty hard. The people that implemented these technologies are not incompetent, they just lacked the foresight to see this is unfeasible.
Now the people who says that Java Applets should be removed are right, BUT they can't see the legacy code that needs the functionality. Java has always been strong on the corporate world where it powers many, many applications. For a long time those applications used Java Applets to present end-user interfaces. If you ever worked at a corporation you know how slow they are to change their legacy systems, I mean, I live in an IBM world (as in I have to integrate lots of their solutions with solutions from another companies) and the amount of stuff they put out that requires the Java plugin on the browser astonishes me.
My company provide solutions to other companies, sometimes developing them from the ground-up and sometimes adapting solutions from other big companies (IMB, BMC, Oracle) to their clients. Now you have to deal with the IT department of the target company and man you would be surprised how often the only approved browser for internal use is Internet Explorer 8. And now you have three options, either you convince them that you have to install a desktop application on all their machines (crazy hard since they can have multiple operating systems), install a new browser on everyones system (crazy hard because they have tons of legacy systems that only run in ie9 and they don't want to provide support for two browsers) or simply to suck it up and develop for ie8 (you don't have to convince their IT departments since they already support that). Now if you want to show a little chart there you can either mess around with Javascript libraries that still support ie8 (good luck with that) or you can make a java applet (they already support the java browser plugin).
The biggest problem with Java Applets is that they are better than ActiveX. Crazy no? The biggest security problems of Java is that it's better than ActiveX. Since they are better they were used for more stuff and for a longer time and it's a lot harder to move away from them.
Some people say that they should just make two versions of java, or one with an optional to install the applet side. This would be nightmarish for users. The RIGHT way to do it is exactly what Oracle is doing, patching the stuff they find and moving people away from applets. But NEVER remove them from the JVM, just put a big, bold deprecated keyword on all applet-related classes.
So short story, Java Applets will go away when ie8 goes away. ie8 goes away when Windows XP goes away (Windows XP does not support ie9). So yeah, it's all Microsoft fault. I know you were all hoping for a +5 funny post, but I guess I will have to settle for +1 Informative.
Now that javascript is fast, that HTML5 is everywhere, that games can even run on Flash, please Oracle, kill the damn java browser plugin. Sure, Unity uses it. Do J2EE developpers around the world care about it? No, we do not care!
Kill the damn thing. It's slow to start and it will always be slow even with the Jigsaw vaporware. I don't wan't Java in my browser. We are in 2013, ActiveX was crap, Flash is crap, java applets were, are and will always be crap.
Disclaimer, I am a java/J2EE developper and I am totally tired of the reputation that java is getting because of this damn browser plugin.
Stupidity is the root of all evil.
Make note boys and girls: this is what happens when you try to have the language+compiler+VM make up for the holes in the OS+browser.
Of course there will be a transition phase where those vendors will have to change their behavior, but that's absolutely doable. People said the same thing about Flash, but it turns out that it wasn't much of a problem.
Delays seem to help languages. Perl 6 was the best thing that happened to Perl, since it allowed Perl 5 to become mature and widely used. Python 3 was the worst thing to happen to Python. C++ was miraculously stable for over a decade until the new 2011 standard. Even Java 7 was delayed for a long time with the Sun->Oracle move, and that helped Java 1.5/1.6 mature and be deployed instead of older versions.
It makes me a bit sad that Java in the browser never really took off to the extent that JavaScript did. These days we have people coming up with monstrosities like asm.js to make it possible to write fast, cross-platform applications, whereas the JVM is a compiler target that's been much better suited to the task for a decade and a half. I suppose its downfall was in its proprietary nature, lack of integration with the DOM, and slow start-up time. If the browsers had included an easily sandboxed subset of the JRE (simply leaving out any classes that could possibly interact with the rest of your system, for starters) in place of JavaScript I think frontend web development would be a lot nicer today. At the time, though, I doubt that Sun would have allowed such a thing. :(
Hindsight FTW.
Duct tape, XML, democracy: Not doing the job? Use more.
Can a HOST file block your incoherent rant? Greasemonkey can. Score: Greasemonkey: 1, APK: 0.
Keep embarassing yourself Jeremiah Cornelius http://slashdot.org/comments.pl?sid=3581857&cid=43276741 since you posted that using your registered username by mistake (instead of your usual anonymous coward submissions by the 100's the past 2-3 months now on slashdot) giving away it's you spamming this forums almost constantly, just as you have in the post I just replied to.
Its GPLv2 (and as far as I can tell there are no restrictions on distributing modified versions of Java, plenty of linux distros seem to do it) so why not fork it and give people who need Java for some reason but dont want the crap that goes with it (crappy bundle-ware, security holes that go unfixed for months etc etc) can get an alternative that doesn't suck.