Slashdot Mirror


Java 8 Delayed To Fix Security

mikejuk writes "Java Development Kit 8, planned for September 2013, is being delayed until next year because of 'a renewed focus on security.' Java has been having security publicity problems recently, but Oracle now seems to be taking them more seriously. Mark Reinhold, chief architect of the Java platform group, said, 'Maintaining the security of the Java Platform always takes priority over developing new features, and so these efforts have inevitably taken engineers away from working on Java 8.' The major change still to be made to Java 8 is Project Lambda, which Reinhold says is 'the sole driving feature of the release.' He laid out alternatives, such as dropping Lambda from this release, but said Oracle has decided instead to wait until Lambda is ready. The revised schedule for JDK 8 has a developer preview scheduled for September, a release candidate scheduled for January 2014, and general availability scheduled for March 2014. The delay means that Java SE 9 will probably be released in early 2016, rather than late 2015."


  1. Always the goal by Murdoch5 · · Score: 2

    The goal should be to provide the best security possible without getting in the way of the programmer. I'm confused on what the focus was before :S

    1. Re:Always the goal by Joce640k · · Score: 5, Insightful

      I think the main focus is on getting people to install the Ask Toolbar.

      The more updates they can push out, the more chance there is of somebody slipping up and installing it by mistake.

      --
      No sig today...
    2. Re:Always the goal by Anonymous Coward · · Score: 2, Informative

      I just did the latest update today and instead of the Ask Toolbar it was some McAfee software. Same old shit. You'd think a billion dollar company wouldn't have to resort to cheap tricks like this.

    3. Re:Always the goal by Tarlus · · Score: 3, Funny

      You'd think a billion dollar company wouldn't have to resort to cheap tricks like this.

      * Looks pointedly at Adobe *

      --
      /* No Comment */
    4. Re:Always the goal by game+kid · · Score: 2

      Or maybe that's why they're a billion dollar company. :)

      --
      You can hold down the "B" button for continuous firing.
    5. Re:Always the goal by ThatsNotPudding · · Score: 2

      I think the main focus is on getting people to install the Ask Toolbar.

      The more updates they can push out, the more chance there is of somebody slipping up and installing it by mistake.

      At least in the EU, I'm really surprised this crap isn't illegal (bundling snare ware with security updates).

    6. Re:Always the goal by VGPowerlord · · Score: 4, Informative

      The Java Dev site has an installer without stupid addon crap.

      --
      GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
  2. Re:Incorrect headline. by kthreadd · · Score: 3, Insightful

    What they should really do is reconsider if applets really are that important anymore and just scrap the concept completely. At least that's where the problem seems to be most of the time.

  3. As long as it comes with.. by Threni · · Score: 3, Funny

    ...an Ask toolbar I have to deselect whenever there's a security update (around twice a week), it's all good!

  4. Laughable by Rashkae · · Score: 4, Informative

    If security was at all a real concern, let alone a priority, java would never install itself as a plugin in every browser it can find, ready to run arbitrary code from untrusted sources, by default and with every update. All credibility here has been lost ages ago.

  5. Re:The only REAL security is a good HOST file... a by SJHillman · · Score: 2

    Not many other parasites sing such high praise for their HOSTS.

  6. Re:Incorrect headline. by MightyMartian · · Score: 2

    At the very least it should be either an optional (with the default set to "no") or separate install. There are still some systems that require it. I have an old HP JetDirect I still use to put an even older HP LaserJet 4 on our network, and its interface is a Java applet.

    --
    The world's burning. Moped Jesus spotted on I50. Details at 11.
  7. Fork!!! by Jane+Q.+Public · · Score: 2

    For chrissakes, will somebody just fork Java and have done with this persistent Oracle nonsense?

    I mean, sure, it's good Oracle is doing this. They're just way late, as usual.

    Why doesn't somebody just fork it (from back when it was easily forkable), then re-implement the security fixes?

    Granted, it would take a lot of work to do that NOW, but if somebody had done it way back when it should have been done, it would have been lots easier.

    I firmly believe that an active open source community would be a much better caretaker of Java. Oracle has proven again and again that it doesn't care much about people who actually use Java.

    1. Re:Fork!!! by JamesRing · · Score: 5, Informative

      It was forked: http://en.wikipedia.org/wiki/OpenJDK The problem is that the browser plugin and WebStart parts of Java are not included in OpenJDK. But OpenJDK is excellent and widely used.

    2. Re:Fork!!! by lindi · · Score: 2

      OpenJDK has its own browser plugin.

    3. Re:Fork!!! by Jane+Q.+Public · · Score: 2

      That's kind of like asking "When did you stop beating your wife?"

      What I meant is what I have already stated: Oracle is notorious for being slow to implement security fixes.

    4. Re:Fork!!! by IMightB · · Score: 2

      Just to add to this,

      OpenJDK is the official Java 7 reference platform and is fully "open", Oracle java is basically OpenJDK with a different browser plugin and some proprietary components (webstart, hotspot, etc) and while IcedTea used to be a full java implementation, it is my understanding that it is basically just an open source version of the proprietary components (WebStart) now.

      Oracle is one of the main sponsors/contributors to OpenJDK as well as Redhat and a slew of other companies. The Wikipedia link in the above comment is quite informative.

    5. Re:Fork!!! by aled · · Score: 2

      When Sun announced that they were going to open source Java they got a lot of bashing from people here because they didn't want to believe it or because Sun was slow in its process. Some things are not instantaneous (code reviews, packaging, third party licenced components, etc) and people should not have unrealistic expectations on this. But Sun was true and open sourced the main components of Java. I don't know if Oracle plans to continue on this path with the remaining components but they are not the most important ones IMHO.

      --

      "I think this line is mostly filler"
  8. Re:Incorrect headline. by wiredlogic · · Score: 2

    You can telnet into a JetDirect card to control it without the fancy web interface. Bonus if you make an application to simplify the process.

    --
    I am becoming gerund, destroyer of verbs.
  9. Why, Why Why???? by curunir · · Score: 2

    Why is Java still persisting with this notion that it should be a browser plugin? No one wants Java as a browser plugin and that's where the security vulnerabilities have been found. Meanwhile, in the area where Java is popular (the server and, to a lesser extent, desktop applications) and in need of the features that Java 8 was supposed to bring, these security problems are a secondary concern--there's very little need to worry about malicious code when you're not downloading it from an untrusted source.

    It's time to retire Applets and Web Start entirely and leave Java to the things it's good at.

    --
    "Don't blame me, I voted for Kodos!"
  10. Re:Incorrect headline. by bored · · Score: 2

    The problem is _WHERE_ java is actually used. For the most part that is "enterprise software" and embedded gear. At work it's pretty much unavoidable, from the IP KVMs, and fibre switches with their java applets to enterprise middleware running all over the place. It's apparent what all those java developers have been doing for the last decade.

    In many cases, simple HTML applications would have been much better but some organization hired a java programmer to write the back-end and the front-end ended up being java too. I can't tell you how often I've seen something as simple as a little monitoring app with a dozen configuration options that requires java and 500MB of memory to retrieve a dozen log messages a day and show a couple blinking lights.

    For the home user it's pretty easy to avoid java. Public web sites rarely have java applets (can't even remember the last one I saw). The few consumer java applications almost always have competitors that are just as good (and generally perform better anyway). I refused to install java on my home machines ~7-8 years ago. I haven't missed it. Flash is nearly there too.

    So in many ways, an IT guy could hide/avoid a lot of the java problems by disallowing java applets at the firewall/web proxy level. Personally, if I were a CTO or similar I would include a platform/java questionnaire in my RFP/purchasing matrix and deduct points if the item has java.

    It might be possible to write good java applications, but from what I've seen applications written in java seem to be the lowest quality ones. Whether that is some kind of self selection process for java programmers, development managers, or something fundamental in the technology I can't say, but it does appear to be there.

  11. Missing the Point, it's all Microsoft's fault. by Daniel+Hoffmann · · Score: 2

    Many people here are completely missing the point. First the ones that say that Java is insecure (it's not) and the ones correcting them saying that the Java Browser Plugin/Java Applets that are insecure (they are right on this) and should be removed from Java.

    The problem with Java Applets is the same problem that you have with ActiveX, they suck because they run third party code in a sand-box like manner and isolating that kind of code from your precious system is pretty hard. The people that implemented these technologies are not incompetent, they just lacked the foresight to see this is unfeasible.

    Now the people who say that Java Applets should be removed are right, BUT they can't see the legacy code that needs the functionality. Java has always been strong on the corporate world where it powers many, many applications. For a long time those applications used Java Applets to present end-user interfaces. If you ever worked at a corporation you know how slow they are to change their legacy systems, I mean, I live in an IBM world (as in I have to integrate lots of their solutions with solutions from other companies) and the amount of stuff they put out that requires the Java plugin on the browser astonishes me.

    My company provides solutions to other companies, sometimes developing them from the ground-up and sometimes adapting solutions from other big companies (IBM, BMC, Oracle) to their clients. Now you have to deal with the IT department of the target company and man you would be surprised how often the only approved browser for internal use is Internet Explorer 8. And now you have three options, either you convince them that you have to install a desktop application on all their machines (crazy hard since they can have multiple operating systems), install a new browser on everyone's system (crazy hard because they have tons of legacy systems that only run in ie9 and they don't want to provide support for two browsers) or simply to suck it up and develop for ie8 (you don't have to convince their IT departments since they already support that). Now if you want to show a little chart there you can either mess around with Javascript libraries that still support ie8 (good luck with that) or you can make a java applet (they already support the java browser plugin).

    The biggest problem with Java Applets is that they are better than ActiveX. Crazy no? The biggest security problem of Java is that it's better than ActiveX. Since they are better they were used for more stuff and for a longer time and it's a lot harder to move away from them.

    Some people say that they should just make two versions of java, or one with an option to install the applet side. This would be nightmarish for users. The RIGHT way to do it is exactly what Oracle is doing, patching the stuff they find and moving people away from applets. But NEVER remove them from the JVM, just put a big, bold deprecated keyword on all applet-related classes.

    So short story, Java Applets will go away when ie8 goes away. ie8 goes away when Windows XP goes away (Windows XP does not support ie9). So yeah, it's all Microsoft's fault. I know you were all hoping for a +5 funny post, but I guess I will have to settle for +1 Informative.

  12. Let java applets DIE by damaki · · Score: 3, Insightful

    Now that javascript is fast, that HTML5 is everywhere, that games can even run on Flash, please Oracle, kill the damn java browser plugin. Sure, Unity uses it. Do J2EE developers around the world care about it? No, we do not care!
    Kill the damn thing. It's slow to start and it will always be slow even with the Jigsaw vaporware. I don't want Java in my browser. We are in 2013, ActiveX was crap, Flash is crap, java applets were, are and will always be crap.

    Disclaimer, I am a java/J2EE developer and I am totally tired of the reputation that java is getting because of this damn browser plugin.

    --
    Stupidity is the root of all evil.
    1. Re:Let java applets DIE by GodfatherofSoul · · Score: 2

      I'd rather deal with a cleaned up Java plugin than extending the influence of Flash.

      --
      I swear to God...I swear to God! That is NOT how you treat your human!