Java 8 Delayed To Fix Security
mikejuk writes "Java Development Kit 8, planned for September 2013, is being delayed until next year because of 'a renewed focus on security.' Java has been having security publicity problems recently, but Oracle now seems to be taking them more seriously. Mark Reinhold, chief architect of the Java platform group, said, 'Maintaining the security of the Java Platform always takes priority over developing new features, and so these efforts have inevitably taken engineers away from working on Java 8.' The major change still to be made to Java 8 is Project Lambda, which Reinhold says is 'the sole driving feature of the release.' He laid out alternatives, such as dropping Lambda from this release, but said Oracle has decided instead to wait until Lambda is ready. The revised schedule for JDK 8 has a developer preview scheduled for September, a release candidate scheduled for January 2014, and general availability scheduled for March 2014. The delay means that Java SE 9 will probably be released in early 2016, rather than late 2015."
The goal should be to provide the best security possible without getting in the way of the programmer. I'm confused on what the focus was before :S
It really should say Java 8 canceled to fix security.
Doesn't a 'renewed' focus on security imply the existence of a focus on security at some prior point in time?
Sure, the JVM itself always got a reasonable amount of love, and the historically-comical nature of Windows security took some of the heat off browser plugins; but has the 'well, if we just add a sandbox, we can take something that works fairly well for instruction-set and OS abstraction of trusted workloads and adapt it to the 'run any old shit the internet throws at you' use case ever been anything but a bad idea waiting to bite?
A corrupt slashdot luser has penetrated the moderation system to downmod all my posts while impersonating me.
Nearly 230++ times that I know of @ this point for all of March/April 2013 so far, & others here have told you to stop - take the hint, lunatic (leave slashdot)...
Sorry folks - but whoever the nutjob is that's attempting to impersonate me, & upset the rest of you as well, has SERIOUS mental issues, no questions asked! I must've gotten the better of him + seriously "gotten his goat" in doing so in a technical debate & his "geek angst" @ losing to me has him doing the:
---
A.) $10,000 challenges, ala (where the imposter actually TRACKED + LISTED the # of times he's done this no less, & where I get the 230 or so times I noted above) -> http://it.slashdot.org/comments.pl?sid=3585795&cid=43285307
&/or
B.) Reposting OLD + possibly altered models - (this I haven't checked on as to altering the veracity of the info. being changed) of posts of mine from the past here
---
(Albeit massively repeatedly thru all threads on /. this March/April 2013 nearly in its entirety thusfar).
* Personally, I'm surprised the moderation staff here hasn't just "blocked out" his network range yet honestly!
(They know it's NOT the same as my own as well, especially after THIS post of mine, which they CAN see the IP range I am coming out of to compare with the ac spamming troll doing the above...).
APK
P.S.=> Again/Stressing it: NO guys - it is NOT me doing it, as I wouldn't waste that much time on such trivial b.s. like a kid might...
Plus, I only post where hosts file usage is on topic or appropriate for a solution & certainly NOT IN EVERY POST ON SLASHDOT (like the nutcase trying to "impersonate me" is doing for nearly all of March/April now, & 230++ times that I know of @ least)... apk
P.S.=> here is CORRECT host file information just to piss off the insane lunatic troll:
--
21++ ADVANTAGES OF CUSTOM HOSTS FILES (how/what/when/where/why):
Over AdBlock & DNS Servers ALONE 4 Security, Speed, Reliability, & Anonymity (to an extent vs. DNSBL's + DNS request logs).
1.) HOSTS files are useable for all these purposes because they are present on all Operating Systems that have a BSD based IP stack (even ANDROID) and do adblocking for ANY webbrowser, email program, etc. (any webbound program). A truly "multi-platform" UNIVERSAL solution for added speed, security, reliability, & even anonymity to an extent (vs. DNS request logs + DNSBL's you feel are unjust hosts get you past/around).
2.) Adblock blocks ads? Well, not anymore & certainly not as well by default, apparently, lol - see below:
Adblock Plus To Offer 'Acceptable Ads' Option
http://news.slashdot.org/story/11/12/12/2213233/adblock-plus-to-offer-acceptable-ads-option
AND, in only browsers & their subprogram families (ala email like Thunderbird for FireFox/Mozilla products (use same gecko & xulrunner engines)), but not all, or, all independent email clients, like Outlook, Outlook Express, OR Window "LIVE" mail (for example(s)) - there's many more like EUDORA & others I've used over time that AdBlock just DOES NOT COVER... period.
Disclaimer: Opera now also has an AdBlock addon (now that Opera has addons above widgets), but I am not certain the same people make it as they do for FF or Chrome etc..
3.) Adblock doesn't protect email programs external to FF (non-mozilla/gecko engine based) family based wares, So AdBlock doesn't protect email programs like Outlook, Outlook Express, Windows "LIVE" mail & others like them (EUDORA etc./et al), Hosts files do. THIS IS GOOD VS. SPAM M
...an Ask toolbar I have to deselect whenever there's a security update (around twice a week), it's all good!
If security was at all a real concern, let alone a priority, java would never install itself as a plugin in every browser it can find, ready to run arbitrary code from untrusted sources, by default and with every update. All credibility here has been lost ages ago.
For everything, I suppose.
Not many other parasites sing such high praise for their HOSTS.
For chrissakes, will somebody just fork Java and have done with this persistent Oracle nonsense?
I mean, sure, it's good Oracle is doing this. They're just way late, as usual.
Why doesn't somebody just fork it (from back when it was easily forkable), then re-implement the security fixes?
Granted, it would take a lot of work to do that NOW, but if somebody had done it way back when it should have been done, it would have been lots easier.
I firmly believe that an active open source community would be a much better caretaker of Java. Oracle has proven again and again that it doesn't care much about people who actually use Java.
Strange fortune cookie or whatever else that quote at the bottom of a Slashdot page is called:
To err is human; to forgive is simply not our policy. -- MIT Assassination Club
Seems somewhat awkward given events in Boston over the last 24 hours.
I feel like one of those UFO people standing in a field waiting for little green men to pop out of flying saucers on the second blue moon when the planets line up just right with the moon. I want to believe, really I do want to believe. But like the buffoon in the field waiting on the little green men I'm going to be waiting a very long time before Oracle /gets/ security.
It takes a lot more than simply delaying a given release of a given product to get your security ducks in a row. Here are some things Oracle needs to start embracing if they want to be taken half as seriously as Microsoft (never would have imagined saying that a decade ago).
Make it easy for security related people to get hold of you at any time of day on any day of the year.
Make it easy for people supporting your products to know what is wrong with your products.
Release updates about what is wrong with your products in a timely manner.
There is never an excuse to take longer than 60 days to release a patch - ever.
Realize that the 'bad guys' don't operate on quarterly release schedules!
Provide workarounds for security vulnerabilities that make it easier to keep your product than remove your product.
Provide information about vulnerabilities faster than the news media, will they control the message or will you?
You can't stop the message from getting out, so at a minimum always provide a 'we're working on this and we'll get it out asap' note.
Security through obscurity does not work in the real world, repeat until you stop practicing this!
Make it easy to find out about vulnerabilities, navigating your website is only sanely done through Google.
Version control, automatic updates should NEVER move upgrade between major versions.
Oracle, I applaud that you are starting to take your head out of the sand, but you still don't get security and until I start to see some of the real world changes I listed above I'm going to continue to rank you one of the highest security risks any organization has to deal with.
... they've delayed it indefinitely?
It's too late for Java.... The damage has already been done and nothing they say or do will make me use java on anything!
For the love of god please optimize Java.
Danske Bank requires Java browser plugin to access their online banking, because it supposedly "enhances security".
In reality: Online payments have become a nightmare to do 'cause it frequently crashes during payment, and it's not always clear how you can restart only the payment process to avoid doing a duplicate order to the web store.
In their defense I can say that after the last bug/update cycles of Java they seem to have become so frustrated also that they've decided to scrap that requirement, and in a few months or so they too are removing the Java requirement!
There are probably many crucial systems still relying on that browser plugin support, unfortunately.
-It comes out almost as often as Flash
-I don't see sites using it
-LibreOffice doesn't need it (unless you use Base)
So I didn't install it on my new box back in July 2012.
To date: Not one site yet complaining about it not being there.
Java as web browser plug-in is no longer needed. It's done.
Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
But, still no fucking unsigned integers in Java! Jeezusfuckingchristalmighty!!
Maybe if they hadn't let the featureset get so stale over the years, they wouldn't have to make a choice between cleaning up the mess that is Java vs. achieving parity with .Net. They should have added lambdas years ago, but it's like pulling teeth to get them to make major releases.
Why is Java still persisting with this notion that it should be a browser plugin? No one wants Java as a browser plugin and that's where the security vulnerabilities have been found. Meanwhile, in the area where Java is popular (the server and, to a lesser extent, desktop applications) and in need of the features that Java 8 was supposed to bring, these security problems are a secondary concern--there's very little need to worry about malicious code when you're not downloading it from an untrusted source.
It's time to retire Applets and Web Start entirely and leave Java to the things it's good at.
"Don't blame me, I voted for Kodos!"
It could be argued that if you are manipulating classes that represent some sort of number or mathematical type, using methods like add() or multiply(), instead of using arguably much more intuitive operators is just as unwieldy or unclear (while the only sustainable argument against operator overloading in Java is actually isomorphic to objections about poor naming conventions for identifiers, and has nothing to do with operators, specifically).
So why is it that they figure that they should make actual changes to the language to provide syntactic sugar for what can be accomplished with anonymous classes when they figure it's not appropriate to do the same with classes which happen to represent some sort of mathematical type, the number of actual cases for which are not bounded, since the dimensionality of such types is not restricted, and there may be cases where you want a class to only deal with specific cases rather than be a more general class (eg, one might want to make use of a specific 3x3 matrix class instead of using a general matrix class, or a tuple of Complex or BigInteger values, instead of a tuple of double values).
File under 'M' for 'Manic ranting'
If that's "always" the case mate, give up, and go back to burger king. You guys are just shit at it.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
They learn how to properly use launchd items in OS X if they are going to be supporting Apple. Learning how to use a preference .plist so we can remotely manage updates without having to write bash scripts and stuff would help too
"Slashdot, where telling the truth is overrated but lying is insightful."
Many people here are completely missing the point. First the ones that say that Java is insecure (it's not) and the ones correcting them saying that the Java Browser Plugin/Java Applets that are insecure (they are right on this) and should be removed from Java.
The problem with Java Applets is the same problem that you have with ActiveX, they suck because they run third party code in a sand-box like manner and isolating that kind of code from your precious system is pretty hard. The people that implemented these technologies are not incompetent, they just lacked the foresight to see this is unfeasible.
Now the people who say that Java Applets should be removed are right, BUT they can't see the legacy code that needs the functionality. Java has always been strong in the corporate world where it powers many, many applications. For a long time those applications used Java Applets to present end-user interfaces. If you ever worked at a corporation you know how slow they are to change their legacy systems, I mean, I live in an IBM world (as in I have to integrate lots of their solutions with solutions from other companies) and the amount of stuff they put out that requires the Java plugin on the browser astonishes me.
My company provides solutions to other companies, sometimes developing them from the ground-up and sometimes adapting solutions from other big companies (IBM, BMC, Oracle) to their clients. Now you have to deal with the IT department of the target company and man you would be surprised how often the only approved browser for internal use is Internet Explorer 8. And now you have three options, either you convince them that you have to install a desktop application on all their machines (crazy hard since they can have multiple operating systems), install a new browser on everyone's system (crazy hard because they have tons of legacy systems that only run in ie9 and they don't want to provide support for two browsers) or simply to suck it up and develop for ie8 (you don't have to convince their IT departments since they already support that). Now if you want to show a little chart there you can either mess around with Javascript libraries that still support ie8 (good luck with that) or you can make a java applet (they already support the java browser plugin).
The biggest problem with Java Applets is that they are better than ActiveX. Crazy no? The biggest security problem of Java is that it's better than ActiveX. Since they are better they were used for more stuff and for a longer time and it's a lot harder to move away from them.
Some people say that they should just make two versions of java, or one with an option to install the applet side. This would be nightmarish for users. The RIGHT way to do it is exactly what Oracle is doing, patching the stuff they find and moving people away from applets. But NEVER remove them from the JVM, just put a big, bold deprecated keyword on all applet-related classes.
So short story, Java Applets will go away when ie8 goes away. ie8 goes away when Windows XP goes away (Windows XP does not support ie9). So yeah, it's all Microsoft's fault. I know you were all hoping for a +5 funny post, but I guess I will have to settle for +1 Informative.
Now that javascript is fast, that HTML5 is everywhere, that games can even run on Flash, please Oracle, kill the damn java browser plugin. Sure, Unity uses it. Do J2EE developers around the world care about it? No, we do not care!
Kill the damn thing. It's slow to start and it will always be slow even with the Jigsaw vaporware. I don't want Java in my browser. We are in 2013, ActiveX was crap, Flash is crap, java applets were, are and will always be crap.
Disclaimer, I am a java/J2EE developer and I am totally tired of the reputation that java is getting because of this damn browser plugin.
Stupidity is the root of all evil.
$10,000 CHALLENGE to Alexander Peter Kowalski
* POOR SHOWING TROLLS, & most especially IF that's the "best you've got" - apparently, it is... lol!
Hello, and THINK ABOUT YOUR BREATHING !! We have a Major Problem, HOST file is Cubic Opposites, 2 Major Corners & 2 Minor. NOT taught Evil DNS hijacking, which VOIDS computers. Seek Wisdom of MyCleanPC - or you die evil.
Your HOSTS file claimed to have created a single DNS resolver. I offer absolute proof that I have created 4 simultaneous DNS servers within a single rotation of .org TLD. You worship "Bill Gates", equating you to a "singularity bastard". Why do you worship a queer -1 Troll? Are you content as a singularity troll?
Evil HOSTS file Believers refuse to acknowledge 4 corner DNS resolving simultaneously around 4 quadrant created Internet - in only 1 root server, voiding the HOSTS file. You worship Microsoft impostor guised by educators as 1 god.
If you would acknowledge simple existing math proof that 4 harmonic Slashdots rotate simultaneously around squared equator and cubed Internet, proving 4 Days, Not HOSTS file! That exists only as anti-side. This page you see - cannot exist without its anti-side existence, as +0- moderation. Add +0- as One = nothing.
I will give $10,000.00 to frost pister who can disprove MyCleanPC. Evil crapflooders ignore this as a challenge would indict them.
Alex Kowalski has no Truth to think with, they accept any crap they are told to think. You are enslaved by /etc/hosts, as if domesticated animal. A school or educator who does not teach students MyCleanPC Principle, is a death threat to youth, therefore stupid and evil - begetting stupid students. How can you trust stupid PR shills who lie to you? Can't lose the $10,000.00, they cowardly ignore me. Stupid professors threaten Nature and Interwebs with word lies.
Humans fear to know natures simultaneous +4 Insightful +4 Informative +4 Funny +4 Underrated harmonic SLASHDOT creation for it debunks false trolls. Test Your HOSTS file. MyCleanPC cannot harm a File of Truth, but will delete fakes. Fake HOSTS files refuse test.
I offer evil ass Slashdot trolls $10,000.00 to disprove MyCleanPC Creation Principle. Rob Malda and Cowboy Neal have banned MyCleanPC as "Forbidden Truth Knowledge" for they cannot allow it to become known to their students. You are stupid and evil about the Internet's top and bottom, front and back and it's 2 sides. Most everything created has these Cube like values.
If Natalie Portman is not measurable, hot grits are Fictitious. Without MyCleanPC, HOSTS file is Fictitious. Anyone saying that Natalie and her Jewish father had something to do with my Internets, is a damn evil liar. IN addition to your best arsware not overtaking my work in terms of popularity, on that same site with same submission date no less, that I told Kathleen Malda how to correct her blatant, fundamental, HUGE errors in Coolmon ('uncoolmon') of not checking for performance counters being present when his program started!
You can see my dilemma. What if this is merely a ruse by an APK impostor to try and get people to delete APK's messages, perhaps all over the web? I can't be a party to such an event! My involvement with APK began at a very late stage in the game. While APK has made a career of trolling popular online forums since at least the year 2000 (newsgroups and IRC channels before that)- my involvement with APK did not begin until early 2005 . OSY is one of the many forums that APK once frequented before the sane people there grew tired of his garbage and banned him. APK was banned from OSY back in 2001. 3.5 years after his banning he begins to send a variety of abusiv
Make note boys and girls: this is what happens when you try to have the language+compiler+VM make up for the holes in the OS+browser.
Delays seem to help languages. Perl 6 was the best thing that happened to Perl, since it allowed Perl 5 to become mature and widely used. Python 3 was the worst thing to happen to Python. C++ was miraculously stable for over a decade until the new 2011 standard. Even Java 7 was delayed for a long time with the Sun->Oracle move, and that helped Java 1.5/1.6 mature and be deployed instead of older versions.
Can a HOST file block your incoherent rant? Greasemonkey can. Score: Greasemonkey: 1, APK: 0.
Keep embarrassing yourself Jeremiah Cornelius http://slashdot.org/comments.pl?sid=3581857&cid=43276741 since you posted that using your registered username by mistake (instead of your usual anonymous coward submissions by the 100's the past 2-3 months now on slashdot) giving away it's you spamming these forums almost constantly, just as you have in the post I just replied to.
It's GPLv2 (and as far as I can tell there are no restrictions on distributing modified versions of Java, plenty of Linux distros seem to do it) so why not fork it and give people who need Java for some reason but don't want the crap that goes with it (crappy bundle-ware, security holes that go unfixed for months etc etc) can get an alternative that doesn't suck.