Oracle Promises Patches Next Week For 36 Exploits In Latest Java
An anonymous reader writes "Oracle is posting patches for all its products next Tuesday, which include 36 exploits for Java alone and over 140 for all Oracle products currently supported, including over 80 that require no authentication to execute. These patches look to be critical for any administrator. Java 6 users who use equipment or programs that rely on older versions are SOL unless they sign up for a very expensive support contract, as these patches are for Java 7 only."
Native code now
that of the 36 Java related bugs, "34 of them (are) exploitable remotely without authentication".
"Java 6 users who use equipment or programs that rely on older versions are SOL unless they sign up for a very expensive support contract, as these patches are for Java 7 only."
+
"Oracle Java JDK and JRE, versions 5.0u55 and earlier, 6u65 and earlier, 7u45 and earlier"
-> Muhahahaha,...
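One way to turn the version ranges quoted above into a local check, as an added example that is not part of the thread: it parses `java -version` output and reports whether the installed update is at or below the last affected update for its major line. The thresholds come from the quote above; the sample outputs are constructed, and anything newer than the quoted ranges is only reported as above them, not as patched.

```python
import re

# Affected ranges as quoted in the thread: "5.0u55 and earlier, 6u65 and earlier,
# 7u45 and earlier". Keyed by major version -> last affected update number.
AFFECTED_THROUGH = {5: 55, 6: 65, 7: 45}

# Matches the first line printed by `java -version`, for example:
#   java version "1.7.0_45"
#   java version "1.6.0_65-b14"
#   java version "1.7.0"          (GA release, no update number)
# Group 1 is the major line (5, 6, 7, ...), group 2 the update number if present.
_VERSION_RE = re.compile(r'(?:java|openjdk) version "1\.(\d+)\.\d+(?:_(\d+))?[^"]*"')


def parse_java_version(output):
    """Return (major, update) parsed from `java -version` output, or None if absent.

    A release with no "_NN" suffix is treated as update 0.
    """
    m = _VERSION_RE.search(output)
    if not m:
        return None
    major = int(m.group(1))
    update = int(m.group(2)) if m.group(2) else 0
    return major, update


def classify(output):
    """Classify one `java -version` output against the quoted affected ranges.

    Returns one of:
      "affected"        update <= last affected update for that major line
      "above-affected"  newer than the quoted range (says nothing about patch level)
      "unknown-major"   a major line the quoted advisory text does not mention
      "unparsed"        no recognisable version line in the output
    """
    parsed = parse_java_version(output)
    if parsed is None:
        return "unparsed"
    major, update = parsed
    if major not in AFFECTED_THROUGH:
        return "unknown-major"
    return "affected" if update <= AFFECTED_THROUGH[major] else "above-affected"


# Constructed sample outputs (not captured from real hosts), keyed by a host label.
SAMPLES = {
    "build-box":  'java version "1.7.0_45"\nJava(TM) SE Runtime Environment (build constructed)',
    "legacy-app": 'java version "1.6.0_65-b14"\nJava(TM) SE Runtime Environment (build constructed)',
    "ga-only":    'java version "1.7.0"\nJava(TM) SE Runtime Environment (build constructed)',
    "old-jre5":   'java version "1.5.0_55"\nJava(TM) 2 Runtime Environment (build constructed)',
    "no-java":    'sh: java: command not found',
}


def audit(samples=SAMPLES):
    """Run classify() over a mapping of host label -> `java -version` output."""
    return {host: classify(out) for host, out in samples.items()}


if __name__ == "__main__":
    for host, verdict in audit().items():
        print(f"{host:12s} {verdict}")
```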
I will gladly patch you Tuesday for an exploit today.
it's only bad if you believe in secure computing and thought java was secure to begin with ;)
Java, one of the worst things to happen to computing, ever.
Nah, I doubt anything would be much better if it were in the position Java is in now. If it were native code, anybody without the sources would be screwed; now only anybody with a Java 6 requirement and no sources to fix it is screwed (but they were the moment their software got tied to a specific JRE 6 version). If it were .NET instead of Java, when do you think MS would get around to patching Linux versions? If it were some scripting language... ok, it couldn't be: duck typing is too fragile, performance is a problem, and there are no serious contenders for many (not most, but many) Java use cases.
In absence of Java, maybe something really better would exist now, but I very much doubt it. It's a paradoxical package deal.
*Javascript.
Java applets are way nicer than Javascript "apps": they're easier to program, they have a decent set of libraries, they're more fluid, and they have a more consistent UI. The only problem here is that a dying Sun and then Oracle left Java to rot, while the hundreds of bugs found in DHTML+Javascript over the last decade have been fixed at a pace steady enough to please people.
You want to know why there's a reduction in PC sales? Because Google+Apple have won the war of turning the PC into a lowest common denominator web browsing platform, even while more native platform-specific software - in the form of "apps" - has been written than ever before, just not for Windows. Even Oracle doesn't seem to like the idea of Java on the desktop, hence meaningless changes to make it harder to run (e.g. requiring purchase of security certs now even though that does nothing to improve security). Because Oracle also wants you to keep everything in the "cloud", as that means someone somewhere purchasing its database engine.
Don't be fooled by the propaganda of salesmen.
I use Java for everything! I'm so screwed.............
Comment removed based on user account deletion
"Java 6 users who use equipment or programs that rely on older versions are SOL unless they sign up for a very expensive support contract, as these patches are for Java 7 only."
Anyone know if that includes Java for Mac OS X? I know Apple rolls Java 6 on Mac, and receives those updates (source) as part of their contract with Oracle.
Sun was very much responding to a need when they started developing Java all those years ago. Other groups largely left them to it as Sun was a company with an excellent reputation. Things would have been just fine but for one most unfortunate event.
Oracle bought Java.
We suddenly switch from famous to infamous. As far as I'm concerned, Java died on that day, and I've been far more interested in freer languages since then. I feel for those that continue to endure Java due to corporate inflexibility.
Java, one of the worst things to happen to computing, ever.
Unless you make/sell RAM.
In the free world the media isn't government run; the government is media run.
Who knew anyone could make a bytecode interpreter even more bloated than Emacs?
enjoy
It's amazing how Java went from being the favoured child here on Slashdot to something generally reviled and hated over the past decade.
It's all moonshine these days.
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
My memory is going now, but I seem to remember that in the 1990s all of the code for an early web CGI Oracle interface, including user validation would fit on a floppy.
What's a "floppy"?
? so the notion of storing (big (farce)) data about ALL of us on (easy to) open servers was already technically & ethically obsolete? are we daft? free the innocent stem cells. never a better time to consider ourselves in relation to our mom based new clear options...
How about that vulnerability where they package crap with the install? I had to clear a few spyware incursions on my father's machine resulting from the crap they stowed in the install including the ask toolbar. I don't care how many actual bugs there are. If you try to slide this shit by regular users like this, I just have zero respect for companies who do that.
It's amazing how Java went from being the favoured child here on Slashdot to something generally reviled and hated over the past decade.
Why? Do you just assume that slashdotters are incapable to change their point of view given more information?
Perhaps Java has gotten worse over the years? More bloat and more security holes compared to when it started out.
JavaScript is the new darling.
What's a "floppy"?
There are several meanings, both you'd understand if you were older.
In the Oracle world, patching does not affect version numbers. A different version means different or new functionality, even if it is the last part of the version.
Based on the version, you cannot determine if it is patched or not.
Java could have been fixed when they found out that their sandbox execution back in the early 2000's had so many holes that it made a sieve look like a glass. And by fix, I mean nuke it from orbit and rebuild it from the ground up instead of issuing bandage after bandage, on something they knew was already a mess.
Om, nomnomnom...
It's amazing how Java went from being the favoured child here on Slashdot to something generally reviled and hated over the past decade.
I don't think this is unique to Java; the same thing has happened here with Ubuntu/Canonical. Love can easily turn to hate whereas indifference rarely does.
The only real alternative to Java is .NET, which for me (using Linux) would mean using Mono. Interestingly, open-source Mono seems to generate more hatred here on Slashdot than the closed-source and proprietary .NET does.
Concerning Java, I don't think it is Java per se that is the cause of the 'hatred', it is more (1) the insecurity of the browser plug-in, (2) the attempt to install the ask.com toolbar when installing the JRE and (3) a general distrust of Oracle.
I don't have a problem with any of these. For #1 this can be disabled, for #2 I just download the JDK .tar.gz for Linux and just unpack it to install, and for #3 there is always OpenJDK in the background to keep Oracle on the straight and narrow.
You never know what is enough unless you know what is more than enough. - Blake
You should try writing a plugin for Atlassian Bamboo. Here's the ~120MB worth of dependencies you'll take on:
> several
> both
Choose one.
A lot of people can't/won't distinguish between "Java sandboxing isn't good", "Java the language isn't good" and "Java the platform isn't good".
Java sandboxing is clearly not good enough for real world use and most browser makers have realised this and disabled it. On the other hand, it's only in very recent times that browsers got sandboxes and some common ones like Firefox still don't. That fact was exploited recently to de-anonymize Tor users. So it's not like Java is alone here. Pretty much every attempt to sandbox malicious code has failed badly.
Java the language is mediocre at best, though its strength is not to be fun or pleasant but good for large projects with large teams. Lots of people try to build enormous codebases in PHP, JavaScript or Python which are dramatically worse for the task, so apparently that message hasn't really got through (unfortunately by the time a project notices this it's usually too late to switch to anything else).
Java the platform has got a lot better in recent years. The worst excesses of the "enterprise Java" world, with its ridiculously over-engineered libraries and XML config files everywhere, have largely been left behind. There are now quite a lot of slick and modern frameworks. The JVM has come to support other languages much better in recent years and there are now quite a few very cool and interesting languages like Scala, Ceylon or Kotlin targeting the JVM that have really good Java interop, so you have access to lots of libraries. There's an apt-get style dependency management system and central repository so depending on those libraries is a breeze, and Java IDEs (IntelliJ in particular) finally became really fast and slick. Also, JavaFX is turning into a really nice replacement for Swing, so your Java GUIs can finally feel modern and fit in natively amazingly well. JavaFX can be OpenGL/DX accelerated when the hardware supports it so you can get a consistent 60fps, it's got a great animation framework, a nice GUI builder tool, lots of visual effects along with the basics like charting components. And even an embedded WebKit if you want that. I've been playing with JFX in the Java 8 previews and it's really quite impressive.
Because Oracle got it, and Oracle is evil, therefore now Java MUST be evil too.
...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
It's amazing how Java went from being the favoured child here on Slashdot to something generally reviled and hated over the past decade.
Why? Changing your mind when presented with strong evidence is a sign of intelligence.
You should only be "amazed" when this doesn't happen (ie. religion, politics...)
No sig today...
What's a "floppy"?
Less than you can download in a second.
Java, one of the worst things to happen to computing, ever.
Unless you make/sell RAM.
Large hard drives are another culprit. Without a shitload of storage space to write bloatware, code would have to be efficient, as it used to be due to system restrictions.
A single install of the most popular PDF reading program will likely be larger in size than the entire collection of PDFs a person might ever view in their lifetime.
That's fucking ridiculous.
It's more of a "there and back again" story really. Ten years ago RMS published his Java Trap and the open source community was rather wary of making anything depending on a JRE blob. In 2006 Sun announced they'd open source Java and all hearts rejoiced. Except it took a really long time; here's an article on how it might finish in 2008.
Perhaps of biggest importance is that Java ME never got freed; Sun and later Oracle always wanted a fee if you wanted to put it on your mobile phone. Then Sun got bought by Oracle in 2009, and where Sun had been amicable about the existence of Android, Oracle instead chose to sue Google in 2010, claiming patent violations and copyright to the APIs. Particularly the latter is anathema in the open source community.
Due to Android being a runaway success driving Java ME out of the market and Oracle fighting it all the way in court they got branded with "stopped innovating, started suing" and the divide between Oracle with OpenOffice and the open source community with LibreOffice didn't help either. Whatever Sun and Java might have been, a friend bought out by your enemy is now your enemy.
Not that this is what's bothered the rest of the world though. For them it's all the constant critical security exploits which have turned Java into the security bad boy. It used to be ActiveX, it used to be Flash, but these days the #1 security advice seems to be "disable Java". They should have just pulled support for applets because it's tarring and feathering the whole brand, even for software that doesn't suffer from remote exploits.
Live today, because you never know what tomorrow brings
http://xkcd.com/1070/
Java could have been fixed when they found out that their sandbox execution back in the early 2000's had so many holes that it made a sieve look like a glass. And by fix, I mean nuke it from orbit and rebuild it from the ground up instead of issuing bandage after bandage, on something they knew was already a mess.
Coulda Woulda Shoulda...
It's interesting how technical debt has interest, sometimes so high you can only keep doing the equivalent of "pressing more money" and see where that takes you (as if everybody didn't know).
There are lots of alternatives from FreePascal to Perl. Or Sappeur. SUN have played the sales whore instead of doing proper engineering. They nicely fit into Oracle.
JS is an untyped crapola. But that doesn't mean Java is good. It's merely a bit better. Go for Pascal, Ada, Sappeur and even FORTRAN if you want engineering quality instead of the "latest and greatest brainfart of random hipster".
You are referring to Adobe who are very likely in the pay of the intel overlords, so that they have an avenue into your computer in case they don't have a windows or linux exploit for a certain time frame.
Oracle products are indeed evil, as you can shoot down the ora listener by merely telnetting into it and then typing some random characters. At least that was the state of affairs in 1998. I bet they got only superficially better.
Larry is a commerce whore.
I have a CS degree and about 15 years of developer experience. I designed a language myself (Sappeur). From my P.O.V. Java has not been much more than a Sales Tool for SUN. Nothing in Java is brilliant or elegant.
Rather it is clunky, energy-wasting, RAM-devouring, non-realtime-capable, overly complex and thereby a massive security risk.
I hope Oracle will "defend" Java and all the assorted patents with fervour, so that the world can move on. So that Java can die a proper death in a corporate graveyard.
Pascal, Ada, Fortran - take these any time over this creation of commercial men.
I have serious doubts whether there will ever be a high-performance and secure implementation of a JVM. Java itself is systematically inefficient and they need to do massively complex buttfucks to make it fast. Complexity normally equates to insecurity in computer science.
What's a "floppy"?
Less than you can download in a second.
Something that took a day to download in the mid '90s over a dialup connection (if it stayed connected that long).
Questions raise, answers kill. Raise questions to stay alive.
It's amazing how Java went from being the favoured child here on Slashdot to something generally reviled and hated over the past decade.
Having actually been here for the last decade, I don't know what you're on about. Java has never been the favorite son of Slashdot. There has always been a massive contingent that holds that Java is slow and stupid. Sure, there's always been a group that opposes it, but it's always been smaller. Where do you think you are, anyway?
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
web developers provided alternative site access without JAVA.
Why? Simply because JAVA is a product designed to always have things that need patching.
It's not safe, and never will be.
http://www.oxforddictionaries.com/definition/english/several
Don't you know that Java is an exploit by itself, exploited by Oracle?
You are supposed to use stringstream and string in C++
I have discovered that with GNU libstdc++, instantiation of ostringstream automatically brings the date, time, and money formatting libraries into a statically linked Hello World program that doesn't even print a date, time, or money object. This causes the executable to be a quarter megabyte in size, compared to the C equivalent that's smaller than 6K. Why does this happen?
Unfortunately, even codebases like WebKit that are worked on primarily by experienced, well paid engineers from places like Apple and Google routinely contain exploits in them that would have been avoided by the use of managed languages
How would the use of managed languages save the user from exploits when the managed language itself has exploits?
Oracle and Java exploits - An anecdote:- A couple of weeks ago I tried to log into my superannuation account, the browser fired back an authentication error, so I notified the company (MLC) who asked me to send them as many technical details as I could. After a little bit of looking around, I noted that the Oracle Access Management system that gave me the error code was at version (11.1.1.5.0). Oracle's current version was 11.1.2.1.0. Not too surprising, a supplier that had not patched to the current version.
What did surprise me was that Oracle's Identity Management Patch Set that was available for the version displayed was >2GB - A compressed Java application and framework for a database authentication application that was over 2 Gigabytes in size.
It has been a few years since I wrote any Oracle stuff, but that is ridiculous, what the hell have web based script kiddy/Java type developers been up to. Admittedly I started with Oracle in the Stone Age (V3) and actually shipped an application that used V4. By V6 the C interface which included all the necessary external validation code was small enough to be easily understood and modifiable by a single programmer. My memory is going now, but I seem to remember that in the 1990s all of the code for an early web CGI Oracle interface, including user validation would fit on a floppy.
Why are/were you surprised at the size of the package? I, and many other /.ers remember days when a 30 MB (no kids, that's not a typo) hard disk held dozens of applications, the GUI-based OS, and all our data files. Somewhere along the line APIs, OS frameworks and data files got less compact and then grew as the size of hard drives grew. More features, larger frameworks to accommodate those features and WHAM! you have a 2GB patch set. Sure, I still grumble when I see how big a small application (from a raw code standpoint) turns into a rather large binary, but if the features are needed then we have to just grit our teeth and accept that the underpinnings of those features in the APIs are asymmetric to the amount of text to implement them in the function call. Times they are ever a changin'.
In the Oracle world, patching does not affect version numbers. A different version means different or new functionality, even if it is the last part of the version.
Based on the version, you cannot determine if it is patched or not.
Makes sense - if they wanted to actually show patch level they'd need a more complex version numbering scheme. Just how much information do you think can really be communicated in 5 separate version numbers?
It's because Java has become extremely popular as a language, and the generally prevailing opinion on Slashdot is that only hip things are cool.
There's also a HUGE amount of misunderstanding about what's exactly "insecure" about Java. This is to the point that a "security expert" told me he was nervous about Java code written by internal developers because Java isn't "secure". For code written by internal developers running outside a browser, that's like saying "C++ isn't secure". This was the opinion of someone hired at a Fortune 100 company as the security expert holding high level security certifications. Now, I'm not terribly impressed with either of those things, but it goes to show the level to which the misinformation has risen.
There's a big difference between Java the language, Java the runtime environment, and Java the browser plugin designed to run untrusted code in a sandbox environment. Only the last one isn't secure, and for the most part people have abandoned these apps long ago (with sadly some exceptions). Java the browser plugin is about as insecure as Flash is/was (which is pretty damn insecure), though Flash was/is far more popular and hard to get rid of than Java ever was.
Java the runtime environment, and Java the language are about as secure as any other runtime environment. If you trust the person who wrote the code to not do nasty things, it's secure. We could have a discussion about whether Java is more secure than C++ because of the inability to perform buffer exploits in Java, or if it's more secure than PHP because PHP is..... well broken. But that's at least something that's debatable.
Personally, I think the big thing that's changed on Slashdot over the last 10 years is that it's gotten far dumber and more reactionary. I see more inflated articles, more inflammatory responses, less intelligent criticism, and fewer facts than I ever have. About 3 years ago I decided it'd gotten bad enough that it wasn't even worth logging in and posting anymore.
All those having internet facing java services had remote vulnerabilities known by oracle and the NSA for months (at least if Oracle does the same as Microsoft, something very probable if not worse), and if your internal network had some value for the NSA or people working for it, it is already backdoored.
That is really what is going on. The poor security is just an excuse. Is Java really less secure now that Oracle is doing massive security updates than when Sun had it and rarely did security updates?
I keep thinking that Sun Microsystems makes Java. Some old programs complain when they detect Oracle Java instead of Sun Java on my computer. Somebody needs to update those old programs.
Don't download and run malicious code and you're OK.
This is true but not very helpful. How should the end user identify malicious code before downloading and running it?
C17 and C++17
Android developers are forced to use Java 6. I don't know if I should be more pissed at Oracle or Google right now...
> what the hell have web based script kiddy/Java type developers been up to
This is inherent in most "object oriented" worlds. They provide layer after layer of customized libraries, creating towering hierarchies of subtly different, or duplicated, libraries at different levels of the run-time interpretation that *select* the particular Java library to apply. Unfortunately, the owners of the other members of the tower don't necessarily include consistent and compatible versions of even core functions, so you wind up replicating the whole thing into *your* library just to ensure compatibility.
And yes, it's bloated and nasty. It's what you get with deliberately overlapping function names.
"It's a shame either company was able to take so much money from the IT world."
Sun depended on IT departments being ignorant. When Google showed everyone that reliability could be achieved with below-consumer-quality hardware by using software that adjusted for failures, Sun began its long, slow decline.
34 of those don't require authentication.
That's for the "Java" product group, containing the following products
Java SE
Java SE Embedded
JavaFX
JRockit
What I want to know, is how many are related to the JRE and how many to the Java browser plugin, Webstart and other components.
Uncle Larry obviously has better things to do with his cash than invest sufficient money to improve the security of his own products. Exotic carbon fiber yachts don't grow on trees.
I take a more pragmatic approach. Hate it? Absolutely. For good reasons, and everybody knows they exist.
However, I do need it on occasion. Just disable it in your primary browser, and only use your like 3rd browser choice for Java applications.
Since those aren't random pages, but well known choices, you have the perfect use case for white listing.
The rest will sort itself out. If Java finds itself needing a white list as a best practices recommendation, then coders will respond and not choose it as a development platform.
That seems like a pretty honest response too.
I actually do like Java - the language. It is very stringent and well defined and not sprinkled with random syntactic sugar. Quite the opposite to PHP actually.
The core libraries are mostly nice, except some pre 1.2 crap and some outdated javax junk.
Some of the 'code bloat' has been fixed, and more is fixed in the coming versions, so that's getting better.
A lot of 'code bloat' is actually culturally inherited 'architecture bloat' since IBM decided to market a servlet container + transaction manager as an e-commerce platform, and puked out the worst programming model ever. Enterprise Java was then abused by thousands of programmers and attracted hordes of useless "architects" and consultants that built "enterprise" applications and sprinkled them with billions of lines of XML configuration.
However, the JVM is still unbelievably slow to start. As it's rather fast while actually running, it seems to me that it should be possible to fix with some reasonable effort, like not loading every class in the known universe during startup for instance, and not JIT-ing unless the program has been running for a while.
Java is also confusing from a user perspective since Sun messed up with executable jars, which could have been fixed by just using a separate suffix, like jxe, which even looks cool. Some more polish on the look-and-feel, and perhaps a better looking default font, and then it's done :-)
Java could have been fixed when they found out that their sandbox execution back in the early 2000's had so many holes that it made a sieve look like a glass. And by fix, I mean nuke it from orbit and rebuild it from the ground up instead of issuing bandage after bandage, on something they knew was already a mess.
Coulda Woulda Shoulda...
It's interesting how technical debt has interest, sometimes so high you can only keep doing the equivalent of "pressing more money" and see where that takes you (as if everybody didn't know).
As the saying goes money talks shit walks. It is more true in business than anywhere else. Technical debt means nothing. Financial debt and costs mean everything. If it costs money to fix the answer will always be NO even with long term financial benefits.
Some people tend to leave IT and go into management or other technical but not computer fields like statistics for reasons like these that drive people up the wall.
http://saveie6.com/
Stop coming up with brand new (redundant) languages and extensions to your bloated APIs. First, test and audit the crap out of your code and fix all your @#$ing bugs. Security and reliability matters.
try ibm jvm
You are hitting on something important here: No language is going to prevent a coder from doing blitheringly stupid things. But on the whole, C++ has a much higher bar to entry, and I will generalize here, in saying that your average C++ dev is probably going to code circles around the average Java mook.
I grew up writing C++ and ASM, and I now professionally work with managed code so I have seen both sides of the street. Managed code makes a lot of things much simpler, and if you are skilled, it makes it faster to accomplish some tasks. This simplicity also makes it possible for idiots to do things that they have no understanding of. Don't believe me? Go look at the quality of code produced by a professional Visual Basic coder (even more 'dumbed down' than most managed code) and compare it to the output of a C++ dev.
C++ is a better language because it requires a more skilled dev to use.
HA! I just wasted some of your bandwidth with a frivolous sig!
Spot-on about java.
Regarding Slashdot, I think that Slashdot just reflects the state of affairs in software development (or the world) in general. Younger generations appear clueless, since they don't know certain obvious things. They will therefore reinvent a lot of wheels, and while doing that, inventing a few new things, some other things just like before but a bit different, while all the time making some old stuff irrelevant.
It is to be expected, but it might get worse. I'm a bit worried that a lot of young people don't seem to be able to read, as in "read a lot of text, fast". One indication is that a lot of new projects have video introductions and video tutorials instead of text documents.
I mean, why watch a 40 minute long video to figure out if a toolkit might be of use or not, instead of skimming through a few documents for 2 minutes.
But then, it's clearly a huge effort for many to read a long document - maybe they can't skim or speed read and they need to subvocalize, but a lot of people don't like to read long texts.
If it's "quicker" to watch a video then less is learned since it's not as efficient as speed reading. Maybe the youtube generation have learned to skim through videos quickly but I doubt it.
Also, the universities are not exactly excelling at producing good developers (the trade, not researchers). Further, very little seems to be focused on "modern history" other than unproductive academic anecdotes. I think that schools should stay away from teaching "products" but maybe there is value in exploring historic and existing products and ideas. There are some giants' shoulders to stand on, or at least code monkey shoulders, actually, but it's hard to know since some of the knowledge is stored in long boring texts, and most just exists in wetware outside academia.
I mean, no one would have been using PHP (or creating PHP) if they had paid a minimum of attention to what's been happening the last 30 years.
...says someone who knows nothing about JavaScript.
I'm just trying to understand how PHP could even remotely enter this conversation. We're talking about Java, right?
Don't get pissed-off at the popularity PHP has acquired just because your generation dropped the ball in making Java a non-Darvocet circumstance to get going on servers as well as development environments.
I have a CS degree and about 15 years of developer experience. I designed a language myself (Sappeur). From my P.O.V. Java has not been much more than a Sales Tool for SUN. Nothing in Java is brilliant or elegant.
Rather it is clunky, energy-wasting, RAM-devouring, non-realtime-capable, overly complex and thereby a massive security risk.
I hope Oracle will "defend" Java and all the assorted patents with fervour, so that the world can move on. So that Java can die a proper death in a corporate graveyard.
Pascal, Ada, Fortran - take these any time over this creation of commercial men.
And I have 20 years of development experience, and have implemented a couple of compilers and my own operating system. I'm not impressed. Neither particularly proud, as some of my acquaintances managed to accomplish even more.
Java is not the best thing under the Sun (pun really intended), but is far from being the worst.
All the vices attributed to Java are, in fact, programmer's vices. I managed to lower the memory consumption from most java programs with simple measures that, guess what, are not taken by the programmers using Ruby or any other hype language of the moment (most of them with the same "flaws" you attribute to Java).
In the aftermath, the real problem is bad choices: use the right tool to the right job - there's no good hammer when what you have in hands are screws.
Lisias@Earth.SolarSystem.OrionArm.MilkyWay.Local.Virgo.Universe.org
I'm just trying to understand how PHP could even remotely enter this conversation. We're talking about Java, right?
No. We're talking about security flaws wrongly pinpointed to be inherent to Java. Had you read TFA? It's short! ;-)
Don't get pissed-off at the popularity PHP has acquired just because your generation dropped the ball in making Java a non-Darvocet circumstance to get going on servers as well as development environments.
You have a point, however. In the 90's, Java was too much of a burden for the hardware of the time. Man, running NetBeans with 64 or even 128MB of RAM was a pain in the ass.
It took almost 10 years for computers to have enough memory to allow Java to be really feasible.
Lisias@Earth.SolarSystem.OrionArm.MilkyWay.Local.Virgo.Universe.org
I'm a Linux user, so it's back to that status for me after they ended support.
I don't remember there being a lot of Java love.
Maybe from some folks, but they were fucking morons.
The platform still has some glaring holes for languages other than Java. For instance, the call stack is still represented as a C-style stack, with a depth that is insufficient for functional programming. In Scala, for instance, we have people explicitly using trampolines and such to avoid running out of stack.
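The trampoline pattern the comment above mentions, as an added example that is not from the thread. Python stands in for Scala here: like the JVM, CPython does not eliminate tail calls, so the same technique applies. Mutual recursion is used deliberately, since scalac can turn a self-recursive tail call into a loop but cannot do so across two functions, which is exactly where Scala code falls back to trampolines. All names in the block are illustrative.

```python
"""Trampolining: run deep mutual recursion in a loop so the call stack stays flat.

Added example, not from the thread. Python stands in for Scala/the JVM: neither
eliminates tail calls, so the pattern is identical.
"""
from dataclasses import dataclass
from typing import Callable, Union


@dataclass
class Done:
    value: object


@dataclass
class Call:
    thunk: Callable[[], "Step"]   # deferred next step, invoked by the trampoline


Step = Union[Done, Call]


def trampoline(step: Step):
    """Drive a step-returning computation until it yields Done.
    Every bounce returns to this loop, so the stack depth stays constant."""
    while isinstance(step, Call):
        step = step.thunk()
    return step.value


# Naive mutual recursion: each call nests one frame deeper.
def is_even_naive(n: int) -> bool:
    return True if n == 0 else is_odd_naive(n - 1)


def is_odd_naive(n: int) -> bool:
    return False if n == 0 else is_even_naive(n - 1)


# Trampolined version: same logic, but each step hands back a thunk instead of calling.
def is_even_step(n: int) -> Step:
    return Done(True) if n == 0 else Call(lambda: is_odd_step(n - 1))


def is_odd_step(n: int) -> Step:
    return Done(False) if n == 0 else Call(lambda: is_even_step(n - 1))


def is_even(n: int) -> bool:
    return trampoline(is_even_step(n))


def naive_overflows(n: int) -> bool:
    """True if the naive version exhausts the interpreter stack for this n."""
    try:
        is_even_naive(n)
        return False
    except RecursionError:
        return True


if __name__ == "__main__":
    n = 100_000
    print("naive overflows:", naive_overflows(n))   # True on a default CPython stack
    print("trampolined:", is_even(n))               # True, with a flat stack
```

The cost is one small heap allocation per step instead of one stack frame, which is the trade Scala code makes when it wraps a computation in a trampoline rather than risking a StackOverflowError on large inputs.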
Oracle and Java exploits - An anecdote:-
A couple of weeks ago I tried to log into my superannuation account, the browser fired back an authentication error, so I notified the company (MLC) who asked me to send them as many technical details as I could. After a little bit of looking around, I noted that the Oracle Access Management system that gave me the error code was at version 11.1.1.5.0. Oracle's current version was 11.1.2.1.0. Not too surprising, a supplier that had not patched to the current version.
What did surprise me was that Oracle's Identity Management Patch Set that was available for the version displayed was >2GB - a compressed Java application and framework for a database authentication application that was over 2 gigabytes in size.
That's normal, because the package you looked at a) is not a patch, but the full version and b) it's for the full security suite (it also includes other products).
Like many people, I have Java installed but don't have the browser plugin enabled. This means that the remote-exploitable attack surface is zero; if you don't provide a route for the attacker to get to anything vulnerable, you're totally defended from that whole class of attacks. With applications where you've already installed them locally and which don't download extra code from random locations, the nature of these issues is entirely different. (Any language which it is impossible to deliberately write an insecure program in is a language that's been castrated to the point where you can't write an interesting program at all.)
So, what about the problems in Java that are not part of the plugin? Those are the ones which it is important to know about, but TFA was extremely light on detail.
"Little does he know, but there is no 'I' in 'Idiot'!"
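A way to check the state the comment above relies on (Java installed, browser plugin off), as an added example that is not from the thread. It reads Java's per-user deployment.properties file and reports whether the Java 7u10+ switch deployment.webjava.enabled is set to false and whether it is locked. The file paths, the sample file contents and all function names are assumptions of this example, not something the page states; the properties parser is a minimal one and does not handle backslash escapes.

```python
"""Audit a Java deployment.properties file for the 'Java content in the browser' switch.

Constructed example, not from the original thread. Assumes the Java 7u10+ key
deployment.webjava.enabled and the Java convention that a bare '<key>.locked'
line freezes that value against changes from the Java Control Panel.
"""
import re
from pathlib import Path


def default_user_locations():
    """Assumed per-user locations of deployment.properties (check your own install)."""
    home = Path.home()
    return [
        home / ".java" / "deployment" / "deployment.properties",                                     # Linux/Solaris
        home / "AppData" / "LocalLow" / "Sun" / "Java" / "Deployment" / "deployment.properties",     # Windows
        home / "Library" / "Application Support" / "Oracle" / "Java" / "Deployment" / "deployment.properties",  # macOS
    ]


def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comments, key=value or key:value,
    a key with no separator maps to an empty string (how '.locked' lines appear)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit(props):
    """Describe the browser-plugin state implied by a parsed properties dict."""
    value = props.get("deployment.webjava.enabled")
    locked = "deployment.webjava.enabled.locked" in props
    if value is None:
        disabled = False
        state = "enabled (key absent: Java defaults to enabled in the browser)"
    elif value.lower() == "false":
        disabled = True
        state = "disabled"
    else:
        disabled = False
        state = "enabled"
    return {
        "disabled": disabled,
        "locked": locked,
        "state": state,
        "security_level": props.get("deployment.security.level", "(default)"),
    }


def audit_file(path):
    """Audit a file on disk; a missing file means Oracle's defaults apply (plugin on)."""
    p = Path(path)
    if not p.exists():
        return audit({})
    return audit(parse_properties(p.read_text(encoding="utf-8", errors="replace")))


# Constructed sample: what the file looks like after unticking
# "Enable Java content in the browser" and locking the setting by hand.
SAMPLE_DISABLED = """\
#deployment.properties
#Mon Jan 13 09:00:00 UTC 2014
deployment.version=7.45
deployment.webjava.enabled=false
deployment.webjava.enabled.locked
deployment.security.level=VERY_HIGH
"""

# Constructed sample: a fresh install that never touched the plugin setting.
SAMPLE_DEFAULT = """\
#deployment.properties
deployment.version=7.45
"""

if __name__ == "__main__":
    for loc in default_user_locations():
        if loc.exists():
            print(loc, audit_file(loc))
    print("sample (disabled):", audit(parse_properties(SAMPLE_DISABLED)))
    print("sample (default): ", audit(parse_properties(SAMPLE_DEFAULT)))
```

Two caveats a practitioner would add: an absent file or absent key means the plugin is enabled, not unknown, so the audit treats "no evidence" as exposed; and this only covers Java's own switch, since each browser keeps its own plugin enable list, so a hardened deployment.properties does not prove the browser cannot load the plugin.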
It's amazing how Java went from being the favoured child here on Slashdot to something generally reviled and hated over the past decade.
Java was loved here on Slashdot? I've seen little evidence of it. Typically Java's not nearly as loved as C++, Javascript, PHP, or just about anything else you can imagine. Slashdot commentators were pushing 1990's Java benchmarks to compare to 2010 benchmarks of other languages, look and feel complaints, gripes about being wordy, scoffs at the idea of using it for web programming, complaining about this and that, and generally keeping the Java FUD alive.
You'll have to work a bit harder to get me to believe that Java was loved on Slashdot.
Anyone know if this is yet another band-aid patch or are they really fixing the underlying problem? This is why we continue to see patch after patch after patch after patch.. well you get the idea. Turns admins into firemen trying to patch all of the vulnerable machines. Even for my personal machines it's really, really, really old. Glad I'm not an admin. Wonder if Ellison is sorry he bought SUN yet.
No. We're talking about security flaws wrongly pinpointed to be inherent to Java. Have you read TFA? It's short! ;-)
...now we are, sure.
In the 90's, Java was too much of a burden for the hardware of the time. Man, running NetBeans with 64 or even 128 MB of RAM was a pain in the ass.
It took almost 10 years for computers to have enough memory to allow Java to be really feasible.
Depending on who you speak to, one might argue that it's still too much of a burden to use it. In the shop I work, we opted to use an entire VM using XP for development with Eclipse. Setting up the VM required about 1-2 gigabytes and running the VM required about 2-4 gigabytes of RAM. This was after making sure that the Eclipse installation had all the respective JAR files properly configured along with the Subclipse crap configured within the C: drive folders... That took a long time to figure out how to do, too, because of how everything is deployed with our stages (and since we're using Tomcat as a wrapper to Apache).
Long story short, it's been a nightmare. Hell, the main application we support and use all this shit for never has any enhancements that are less than one gigabyte and almost all of those require their own Redhat VM servers just to deploy.
Java is a nightmare to setup. It's a nightmare to develop with. It's a nightmare to version control. It's a nightmare to test... You get the point.
We have different experiences on Java, as it appears.
In my shop, what was a HELL was bad programmers doing bad code, and even worse decisions. Some SOB thought it a good idea, for example, to use JBOSS just for the sake of it - and we ended up with Faces Controllers using REMOTE Services as glorified DAOs. God damned dumbass. =/
I went mad, got rid of JBOSS and some (WTF?) Spring client classes - made some glue code to emulate some key functionalities (realizing how to handle transactions on Faces was tricky, but now that it's done, it's trivial), and our memory and processor consumption dropped to less than half! The response time dropped to almost one tenth of the original code when testing on localhost.
Some key features of Java were crucial to the success of this task. Of course, in C++ and other strongly typed languages I would manage to do the same, but Java + Eclipse + J2SE was enough for our needs. I didn't have any trouble setting up Eclipse on my Win 7 64 VM, however. I did it in half an hour, I think... Setting up the various JBOSS runtimes at my workplace was more troublesome.
(In time, in our shop we also do development in C++ using Visual Studio 2011 and believe me, this beast uses even more memory than Eclipse - and it's not half as good!)
I understand that Eclipse is a hungry memory eater - but every other (good) IDE is also. Some bad ones too (such as Visual Studio). I don't see this as a problem with Java or Eclipse, but as the way we do things now.
By the way, get rid of your 32-bit boxes for Java development. I think that a lot of the trouble you have is WinXP's fault. My life became better when I dumped 32-bit VMs and migrated my development box to a 64-bit Win box.
Lisias@Earth.SolarSystem.OrionArm.MilkyWay.Local.Virgo.Universe.org