Oracle To Drop Java Browser Plugin In JDK 9 (softpedia.com)
An anonymous reader writes: After Mozilla said in October that it would stop supporting Firefox plugins on the older NPAPI technology, Oracle had no choice now but to announce the deprecation of the Java browser plugin starting with the release of the JDK version 9, which is set for release in March 2017, and developers are urged to start using the Java Web Start pluginless technology instead. Security issues also had a big part in Java's demise.
The plugin is in demise. Java is going strong. FUD.
We have way too many systems dependent on it. Most of our big applications are JSP based, but we have quite a few java applications browser and even desktop based.
I uninstalled Java for a year or two, but was forced to reinstall it when working on my CCNA. It is amazing how horrible Cisco's software is.
Java's 'demise'? I think that's a bit of an exaggeration.
Fuck Java. I hated that it was a requirement for my networking classes and I hate what it has done to the industry in terms of advertising/abuse.
Java didn't do any of that. People did. And if it wasn't Java, they would have used something else. Java is just a tool that people use to accomplish a goal.
I'm old enough to remember when Java was supposed to be "write once, run everywhere", and all that downloadable code was supposed to be sandboxed so the security hassles were fixed. Maybe I'm a little fuzzy here, but all that was supposed to arrive on a pony.
Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
This thread isn't about politics, climate change, foreign relations, or women in STEM.
There is nothing about 'java' the language that did that; but it is very hard to deny that vulnerabilities in the implementation of support for embedded java applets have been a huge source of desktop infections. Adobe might be slightly worse; but that's damning by very faint praise.
I'll leave arguing about the merits of the language and the JVM to the experts; but applet support has, quite simply, been painfully unsuitable for use on anything except fully trusted, ideally internal, material more or less forever, and neither Sun nor Oracle ever got it up to snuff for use in a mostly-untrusted web browsing environment.
But but browser insecurity is because of plugins (Mozilla security bugs). I know that because browser vendors told me so in the 2000s and experts are NEVER wrong. :P
Note: bugs aren't the only problem here, it is your update process, and Oracle Java has an awful one, add to that that people do not update. OpenJDK does not suffer from this bad update process because distributions use their package manager to push updates.
What beta? It's still there? I've seen it twice or so, but not for a very long time. ;)
Maybe related to the fact that I appended "?nobeta=1" to the address when browsing AC
There are fewer illiterates than people who can't read.
Even with timely updates, the browser plugin was just a security hole whack-a-mole game. Only Flash Player managed to be a more bug-ridden piece of shit.
Hardly, unless you are talking about browser plugin technology. It was never big there to begin with, but Java is still a major player in server side technology.
And yet it was the dog that was walking funny this morning.
Almost every bank in Brazil uses the Java plugin for security login. Every single .gov.br site that has any remote type of login uses it too.
So on one hand, they will have to adapt. Most banks will. FINALLY.
OTOH there is no way in hell that the [Brazilian] government will adapt in less than... 5 years, I guess.
So, from some point forward in the future, I will have to support clients using Internet Explorer.
This isn't surprising if you've been following Chrome. By some metrics it's the most used browser now, and they dropped support for NPAPI plugins (like Java) due to security concerns. Oracle's official reply to this has been "use Firefox" which in my opinion was incredibly short sighted, unless they feel Java just won't work using PPAPI. Who on earth is going to use a plugin in their website that doesn't support one of the biggest browsers? That person would have to build a fallback for Chrome, and at that point they might as well just ditch Java and use the fallback for all browsers if it's good enough.
The announcement says that the plugin will be deprecated from Java 9, and removed "in a future Java SE release".
Windows, Office, Adobe products, Autodesk products, Linux, FreeBSD, Apache, etc. had and still have vulnerabilities, and yet we don't blame the C/C++ languages. Why blame Java?
So does every other language...what's your point?
OpenJDK does not suffer from this bad update process because distributions use their package manager to push updates.
That assumes one allows unattended updating or a strict adherence to checking and installing the updates manually, or not being allowed to install updates because it can only be an approved configuration and the configuration change board never meets...
True, but it is better than a fracking systray icon; for a normal user it is just a system update.
Compared to competition Firefox is lean today.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
every plugin has a possible hole, no matter which one it is.
Java had its share of bugs leading to zero-day attacks - language implementation bugs, not the browser. This one made a lot of noise a couple years ago.
The worst thing, IMHO, is not just that it was a systray icon, but that at some point the updater would attempt to run immediately! I'd start doing something, and UAC pops up with an "Are you sure you want to run this?" My instinct is "WHAT IS THIS MALWARE?!?" and to click "Hell no".
I don't like Java for other reasons, but the performance of the runtime is actually not out of whack compared to other managed runtimes.
Many Java developers however put out poor performing code. They would do things terribly no matter the language.
XML is like violence. If it doesn't solve the problem, use more.
Actually, they do. libstdc++ may have several versions living side by side. Java is more of a pain because the runtime strategy wasn't really designed to be versioned the same way.
The problem with Java (and activex, and flash) is that the initial design point is to empower code that executes, but the code is executed from remote sites without any vetting. The usage model is a person perusing sites as if they were passively reading documents ends up incidentally executing things that are allowed to do much more intrusive things. For an executable, if you download it and execute it knowingly, you largely get the blame for falling for a trojan and the language is not blamed. It's the context where things can run that is a challenge.
Interestingly the dupe post promoting Softpedia got promoted over the post that directly linked the Oracle Blog post: http://slashdot.org/submission...
This is why all major browsers are abandoning Netscape plug-ins (or ActiveX in the case of MS Edge). Google's NaCl seems to be the best replacement. It runs bytecode plugins at near native speed, fully sandboxed.
Having said that, Javascript PDF viewers are more than adequate and the only other thing is Flash... So do we need binary plug-ins at all?
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
To a certain extent the JVM does attempt to detect poorly written code and will attempt to optimize the opcode at runtime. But there's only so much it can do.
Even Microsoft has a pretty decent VM for .Net, but because the op codes change so much version to version the JVM has proven to be far more useful for other languages (JRuby, Jython, Scala, Clojure, etc.)
Right, though the same can be said of all runtimes that it tries to optimize, but there's only so much it can do. Particularly since a lot of slowness I see involves being stupid about network usage, and the runtime has no way of knowing anything that could help that (it has no idea whether the data would be static, that the target has another set of vocabulary that's faster, that another access pattern would work, etc).
Unfortunately for you (or any Java hater), Java as a programming language is as healthy as ever, with Java devs being in high demand despite being commonly taught in school. Android is probably no stranger to its renewed success.
If you are talking about Java applets (that's what the browser plugin is for), it only had limited success: Flash and then JavaScript essentially killed it. As for advertising/abuse, I don't remember it being that bad, at least compared to Flash. It did have a lot of vulnerabilities though but it was mostly because of sloppy coding rather than a fundamentally broken design.
I hate what it has done to the industry in terms of advertising/abuse.
Yeeeaahhh Riiight. JAVA is the reason for all the advertising/abuse -- Flash and/or Javascript had no part in that.
The one and only time I had a Windows machine infected was some malware that got installed without my knowledge via Java Web Start. I have never let that be on a computer of mine since. I've never had that happen via the Java plugin (which, BTW, I don't allow to run by default in FF and Chrome).
Systemd bashing generates more heat these days than good ole MICRO$~1 bashing.
Stupidity is an equal opportunity striker.
Fellow slashdotter Bill Dog
So does every other language...what's your point?
He is having problems with his homework. You know, OP is just suffering from "little rebel without a cause with zero exposure outside the classroom" syndrome.
Well, since Java often deletes the old versions by default (for security reasons) when updating, its default behavior breaks a lot of shit.
There are two types of people in the world: Those who crave closure
Good idea on paper, but the sandboxes leaked.
Table-ized A.I.
I have to agree. I have seen so many people coming to us straight from university that could code java and would not accept that they need to know anything about basics like memory management for instance - I mean we have gc so why should we bother, right? What I noticed over the years is that the real basic coding tool that is always very helpful and without which you cannot code and design stuff properly is brains. Refusal to use it usually leads to a situation where any programming language is bad for the task.
There is nothing about 'java' the language that did that; but it is very hard to deny that vulnerabilities in the implementation of support for embedded java applets have been a huge source of desktop infections. Adobe might be slightly worse; but that's damning by very faint praise. I'll leave arguing about the merits of the language and the JVM to the experts; but applet support has, quite simply, been painfully unsuitable for use on anything except fully trusted, ideally internal, material more or less forever, and neither Sun nor Oracle ever got it up to snuff for use in a mostly-untrusted web browsing environment.
Oracle inherited it and has been scrambling ever since to patch vulnerabilities. Every release contains dozens of fixes.
Enough said.
Well, since Java often deletes the old versions by default (for security reasons) when updating, its default behavior breaks a lot of shit.
what software do you install that keeps around every previous version of the software and allows you to switch between them?
i know, if you don't want to update, don't update? i know, kind of crazy thinking though.
Android does not run Java code. Please look up "cross-compiler" at your convenience.
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
I've been reading slashdot for quite awhile (notice "cough cough" my 5 digit Id, and I was an AC for awhile before I signed up.)
The changes in slashdot are to some extent part of changes in the internet itself. More people are interacting now, and younger people, certain tropes or memes or whatever have gotten established, and in some cases become old hat and shrunk away.
Things change, period. I'm nostalgic for the hey day of Usenet, the late 80s. But if I went back and looked at old usenet posts in google groups I'd probably be underwhelmed, partly because the topics from then are dated (flame wars in rec.audio over tubes vs solid state or digital vs analog), or otherwise thrashed over so often that everything got said thrice over. Part of it would be that I've changed too. If I went back and looked at an archive of early slashdot posts (is such a thing possible?) I'd probably get the same feeling of being underwhelmed that I do with usenet. (But slashdot hasn't degraded nearly as much as Usenet has. In fact, I'm not sure I'd say it's degraded much at all, just changed.)
In theory, theory and practice are the same; in practice they're different. (Yogi Berra & A. Einstein)
I like you. JavaScript is the worst offender ever.
Pretty much this. I'd like to point out, embarrassing though it might be, that I can code badly in a few languages. Worse, I plan on brushing up (and am doing so) my skills and learning a couple of new languages. I'll then give that code away (a handful of people will use it, ever) and hate me for it.
No, I can code poorly with any tools you give me. In fact, I probably will.
There's problems with everything... There are security issues in everything. There will be bugs so long as we have humans writing software. When we have machines writing software, there will still be bugs. Why? Well, because it will have been a human that wrote that machine's code to begin with. With bugs come security issues. Without best practices come security issues. Without good education come security issues.
Good, bug-free, and secure start in the chair and before a line of code is written. No, I don't know this because of my own individual performance. I know this because I hired good, professional, programmers to do things that I could not. They were not only good but they were instructional - if you wanted to put the effort into learning.
I am reminded of a grandpa story... I'll try to make it brief.
We had a secretary who was pretty bright but she wanted to change jobs and do something more interesting. We didn't need anyone in a new job that she was suited for. Well, she decided she was going to be a programmer. So, probably mostly because she was cute and single, she was "allowed" to spend time with the programmers. She started to learn, started to practice, and damned if she wasn't writing code in a little while.
Oh, it gets a little better... She eventually learned to code quite well, just from asking good questions - this is about the bit about the programmers being instructional - if you wanted to put the effort in. She actually turned out to be pretty good. We sent her to a few classes, she changed jobs, and actually ended up in QA but our QA was a little different in that they usually tried to fix the bugs themselves. We didn't actually have anyone who had the job title of QA. We just had people who filled that role because that's what they did best and were happiest doing. They largely organized themselves.
At any rate, I'll avoid the novella but they really did teach you a lot if you wanted to learn. Yes, I wrote the code base. Yes, I maintained that code and added to that code for years. It was badly written C but it worked. It wasn't for public consumption or anything so it was okay. Still, things grew and I handed off the code and it was eventually all reworked in C++. I was not ever a good programmer but I learned a lot of good things - many forgotten, and (more importantly) I learned to ask good questions. Well, I think they're good. They must be? I get the answers that I need.
"So long and thanks for all the fish."
So your mom really is a bitch? I thought you were kidding when you said that!
I kid... I just could not resist. Alas, I don't do the post as AC thing without identifying myself so I might as well post this as me and logged in.
It's possible, it's just not that easy. You can find an old article, search for old articles, and things like that. Then you can browse from there...
It's not pretty. I used to have a 4 or 5 digit UUI. I've no longer got access to that email and I'll be damned if I can remember either the user or the password - I've no hope at recovery. I do (I think) remember the email - I just don't have access to it any more.
At any rate, no... The last thing you probably want to do is go back and read old Slashdot threads. Oh, I've spent hours doing so but that's because I'm mentally retarded and hate myself. A funny one is the first mention of VMWare (and VMs) on Slashdot. Oh, they'll never catch on. They're a stupid idea. For that amount of money, I'll just reboot. The idea is impossible - it is technologically impossible to do such a thing. Oh, I think maybe three folks actually understood it, one read the article, and one guy had actually seen a demo.
But no, most were convinced that it was impossible, wouldn't ever work, was too expensive, couldn't work, would never catch on, was more effort than just rebooting, would not run Linux, could not run Linux, or similar...
You probably think that I'm kidding. You might even think that I'm exaggerating. I figured you might, so I armed myself with this link:
http://tech.slashdot.org/story...
I warn you, before you click that link, sit down and pour a stiff drink. Fortunately, that predates The Happening so the posts are all AC. Beware, it can also be very time consuming and you'll probably want to reply to some of the comments. You can't. Thankfully... I already never get anything done. I'd somehow get less than that done. I don't think we had moderation then? There was The Happening which meant a lot of lost data, at one point, so everyone's an AC and some of the old threads don't have proper threading or anything - even though they supported it. I didn't allow myself to open the link again. I've done that before. I've tried to forget it...
Go on... You know you're gonna click the link... Nobody ever listens to KGIII... But, seriously, do not click that link. I only include it because I'm obligated to. I'm half-tempted to go edit it out. *sighs* Good luck!
You know what you get in a sandbox? Cat shit and dirty kids.
You might want to try reading the comment I was replying to.
Default applies updates, default deletes old versions, critical software relying on old version gets broken.
All 3 are bad, all 3 are default.
Default applies updates
I've never had the Java installer auto-update without user confirmation. I don't even think that's possible, but even if it is, it's most definitely not the default behavior. Regardless, if you have something like that configured on a mission-critical system, I'd suggest turning it off. That's true for all software on such a system, not only Java.