Oracle to Block JAR Files Signed with MD5 Starting In April (bleepingcomputer.com)
An anonymous reader quotes BleepingComputer:
Oracle says that starting on April 18, 2017, Java (JRE) will treat all JAR files signed with the MD5 algorithm as unsigned, meaning they'll be considered insecure and blocked from running. Oracle originally planned MD5's deprecation for the current Critical Patch Update, released this week, which included a whopping 270 security fixes, one of the biggest security updates to date. The company decided to give developers and companies more time to prepare and delayed MD5's deprecation for the release of Oracle Java SE 8u131 and the next Java CPU, scheduled for release in April...
Oracle removed MD5 as a default code signing option from Java SE 6, released in 2006. Despite this, there will be thousands of Java apps that will never be resigned. For this, Oracle will allow system administrators to set up custom deployment rule sets and exception site lists to allow Java applets and Java Web Start applications signed with MD5 to run. Sometime in the second half of 2017, Oracle also plans to change the minimum key length for Diffie-Hellman algorithms to 1024 bits. These updates are part of Oracle's long-standing plan for changes to the security algorithms in the Oracle Java Runtime Environment and Java SE Development Kit.
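The practical question for an administrator reading the summary is which of the JARs already deployed will stop running in April. "Signed with MD5" covers two places in a JAR: the `MD5-Digest` headers in `META-INF/MANIFEST.MF` and the `*.SF` signature file, and an MD5-based signature algorithm (md5WithRSAEncryption) inside the PKCS#7 signature block (`*.RSA`/`*.DSA`/`*.EC`). The scanner below is an added example, not code from the article or from Oracle; it checks both places. The digest check parses the manifest headers; the signature-block check is a heuristic that looks for the DER encoding of the two MD5 OIDs rather than parsing the full ASN.1 structure. The sample JARs it builds are constructed in memory and their signature blocks are stubs, so the result is illustrative; on real archives, `jarsigner -verify -verbose -certs` reports the same algorithms.

```python
"""Scan JAR files for MD5-based digests and signatures.

Added example (not from the article or Oracle). It mirrors the check an
administrator would run over an archive of deployed applets and Web Start
applications before Java 8u131 starts treating MD5-signed JARs as unsigned.
"""
import io
import re
import zipfile

# Digest header lines in MANIFEST.MF and *.SF look like "MD5-Digest: ...",
# "SHA-256-Digest-Manifest: ..." and "SHA-256-Digest-Manifest-Main-Attributes: ...".
# The non-greedy group captures the algorithm name that precedes "-Digest".
DIGEST_HEADER = re.compile(
    r"^([A-Za-z0-9-]+?)-Digest(?:-Manifest(?:-Main-Attributes)?)?\s*:", re.M
)

# DER encodings of the PKCS#7 OIDs that indicate MD5 use in the signature block
# (heuristic byte search, not a full ASN.1 parse):
#   1.2.840.113549.1.1.4  md5WithRSAEncryption
#   1.2.840.113549.2.5    md5 (digestAlgorithm)
MD5_OIDS = {
    "md5WithRSAEncryption": bytes.fromhex("06092a864886f70d010104"),
    "md5": bytes.fromhex("06082a864886f70d0205"),
}

SIGNATURE_BLOCK_SUFFIXES = (".RSA", ".DSA", ".EC")


def scan_jar(data: bytes) -> dict:
    """Return {"signed": bool, "digests": set of algorithm names, "md5_findings": list}."""
    findings = []
    digests = set()
    signed = False
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        for name in jar.namelist():
            upper = name.upper()
            if not upper.startswith("META-INF/"):
                continue
            content = jar.read(name)
            if upper.endswith((".MF", ".SF")):
                for alg in DIGEST_HEADER.findall(content.decode("utf-8", "replace")):
                    digests.add(alg.upper())
                    if alg.upper() == "MD5":
                        findings.append(f"{name}: MD5 digest header")
                if upper.endswith(".SF"):
                    signed = True
            elif upper.endswith(SIGNATURE_BLOCK_SUFFIXES):
                signed = True
                for label, oid in MD5_OIDS.items():
                    if oid in content:
                        findings.append(f"{name}: {label} OID in signature block")
    return {"signed": signed, "digests": digests, "md5_findings": findings}


def is_blocked_after_april_2017(data: bytes) -> bool:
    """True if the JAR carries a signature that Java 8u131+ would treat as unsigned
    because MD5 is involved (an unsigned JAR is simply unsigned, not 'blocked')."""
    result = scan_jar(data)
    return result["signed"] and bool(result["md5_findings"])


def build_sample_jar(digest_alg: str, sig_oid: bytes) -> bytes:
    """Construct an in-memory JAR-shaped zip. This is constructed test data, not a
    real signed archive: the signature block is a stub that contains only an OID."""
    manifest = (
        "Manifest-Version: 1.0\r\n\r\n"
        "Name: com/example/Main.class\r\n"
        f"{digest_alg}-Digest: AAAA\r\n\r\n"
    )
    sf = (
        "Signature-Version: 1.0\r\n"
        f"{digest_alg}-Digest-Manifest: BBBB\r\n\r\n"
        "Name: com/example/Main.class\r\n"
        f"{digest_alg}-Digest: AAAA\r\n\r\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", manifest)
        z.writestr("META-INF/APP.SF", sf)
        z.writestr("META-INF/APP.RSA", b"\x30\x82" + sig_oid + b"\x00" * 8)
        z.writestr("com/example/Main.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    # sha256WithRSAEncryption (1.2.840.113549.1.1.11) for the "modern" sample
    legacy = build_sample_jar("MD5", MD5_OIDS["md5WithRSAEncryption"])
    modern = build_sample_jar("SHA-256", bytes.fromhex("06092a864886f70d01010b"))
    for label, jar in (("legacy", legacy), ("modern", modern)):
        r = scan_jar(jar)
        print(label, sorted(r["digests"]), r["md5_findings"],
              "blocked" if is_blocked_after_april_2017(jar) else "ok")
```

Run it over a directory of JARs by reading each file's bytes into `scan_jar`; anything reported as blocked is a candidate either for re-signing with a SHA-2 digest and signature or, where the summary's "never be resigned" case applies, for an entry in a deployment rule set or exception site list.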
BUT WHAT ABOUT SOLARIS
It was dead the moment Oracle ate Sun -- it wasn't even their primary target, merely collateral damage in their plan to kill MySQL.
Unrelated: you really should check your keyboard, either your Caps Lock or Shift is stuck. If you can't fix that immediately, try stty iuclc, although this helps on terminals only (although elinks is an option). If you did that intentionally, please at least use small caps: apt install tran; echo "But what about Solaris?"|tran smallcaps; that's way less rude. As the Great Runes have been dead in England since the 11th century, and on computer terminals since the late 1970s, there's no reason to use them.
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
It seems to me that the stewardship of Java in the past few years, particularly its security aspects, has rendered it useless and undesirable.
I must use java in my employment with well - let's just say "a lot" - and all over the world. It is not simply my own conclusion, but the conclusion of many people I consider more facile and accomplished than myself that Java is undesirable. My employer has gone to the point of shutting down a planned services introduction. That product, instead of launching, was shut down and the teams re-assigned to other tasks.
The workarounds to use Java in the current environment are such that we commonly create VM images to spin up and destroy for tasks requiring Java.
Going forward, I will carefully review employment offers - if it deals with Java, they're going to have to work very hard for me to accept it. I don't need the pain and heartache dealing with it causes if there are alternatives.
I am being intentionally careful not to give out details, and I'm sure there are many that will start off a reply "You stupid idiot, you can do X!" - again, these are not solely my own conclusions, but shared with many people I consider to be very, very good. I assure you, anything you may think of has surely been considered if not by myself, then by others in the same situation. Please do suggest if you wish, but also consider that a lot of other, very smart people, have looked at this same situation for more than a few years.
Like all opinions, this may or may not fit your situation and exact needs. It can even be quite wrong.
Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
They didn't expect a group of the most competent devs jumping ship and making MariaDB. It's nearly impossible for a fork of something as complex to succeed, thus it was a near-sure bet that control of MySQL would let them slowly extinguish their biggest competitor. Well, proper use cases for Oracle-the-DB and MySQL differ, but most people who decide don't know the difference: if that wasn't the case, MySQL wouldn't have the massive usage share it enjoys, as if you need real SQL then Postgres is much better, and if you don't, you're better served by a non-relational database.
Thus, instead of reaping the rewards, they flail wildly and merely make MySQL unusable: stop real new features, shut down access to most of the bug database, halt any detailed information about security vulnerabilities (providing fixes only as massive new versions, unfit for backporting). Thus, distributions are switching to MariaDB left and right: Debian just did, Fedora did so ages ago.
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.