Slashdot Mirror
OpenJDK May Tackle Java Security Gaps With A Secretive New Group (infoworld.com)
An anonymous reader quotes InfoWorld:
To shore up Java's security, a private group that operates outside the normal open source community process is under consideration. The proposed OpenJDK Vulnerability Group would provide a secure, private forum in which trusted members of the community receive reports on vulnerabilities in code bases and then review and fix them... The vulnerability group and Oracle's internal security teams would work together, and it may occasionally need to work with external security organizations.
Due to the sensitive nature of its work, membership in the group would be more selective, there would be a strict communication policy, and members or their employers would need to sign both a nondisclosure and a license agreement, said Mark Reinhold, chief architect of the Java platform group at Oracle. "These requirements do, strictly speaking, violate the OpenJDK bylaws," Reinhold said. "The governing board has discussed this, however, and I expect that the board will approve the creation of this group with these exceptional requirements." If the Java security group is approved, Andrew Gross, leader of Oracle's internal Java vulnerability team, would lead it.
Due to the sensitive nature of its work, membership in the group would be more selective, there would be a strict communication policy, and members or their employers would need to sign both a nondisclosure and a license agreement, said Mark Reinhold, chief architect of the Java platform group at Oracle. "These requirements do, strictly speaking, violate the OpenJDK bylaws," Reinhold said. "The governing board has discussed this, however, and I expect that the board will approve the creation of this group with these exceptional requirements." If the Java security group is approved, Andrew Gross, leader of Oracle's internal Java vulnerability team, would lead it.
You know, "open" is right there in the name. OpenJDK.
The vulnerability group and Oracle's internal security teams would work together
Two things: I thought Oracle wanted to cut Java free? No? And really, when has Oracle been willing to work with anyone outside Oracle on Java?
I mean, it could be true...
If you want news from today, you have to come back tomorrow.
Java is dead. Let it live in legacy in a dusty MDF somewhere with it's elderly uncle COBOL.
Is Java "dead"? I'm no expert, but I thought huge giant swaths of "enterprise" code was written in Java? Shit like that doesn't just vanish, it get's maintained and added on to forever - like COBOL code... But also, while it's trendy for all the hip kids to say such things, COBOL is far from dead.
If you want news from today, you have to come back tomorrow.
java is everywhere. hardy useful for mere mortals in the browser, but so much stand-alone software requires it (the runtime, not the browser plugin). not just 'enterprise' stuff either.
it is the internet explorer of this decade. a problem child that simply refuses to go away.
It's hard to take Java security seriously as long as the Java installer tries to push malware.
I've tried to figure out if it actually is legal for them to do that, but so far I haven't really found any good analysis of the case.
If this group doesn't fix the vulnerability within a few weeks then the vulnerability details should be published more widely to let what remains of the community address them and to allow users to adopt security measures of their own.
Nullius in verba
This swing/awt application that hypothetically exists that could hypothetically run in javascript via gwt without any visual elements and silently listen to every keypress?
Java is flawed from the ground up, because of a million small but insane design decisions made in the name of getting things to market quicker or helping users understand.
If you're using the Android SDK you are writing in Java.
Even if that was the sole remaining use-case it would be far from dead.
Only crack the nuts that crack. You don't put the ones that don't crack in the sack.
I'm going to set BOTH of you straight:
COBOL JOBS: 1,501
https://www.indeed.com/jobs?q=cobol&l=
JAVA JOBS: 63,769
https://www.indeed.com/jobs?q=java&l=
THIS should give you a general idea of the current market for the language
enter your city to narrow down
How many are fake jobs?
Malware? Not seen that with Java at all and I deal with dozens of different Java servlets. Oh, wait, you must be using Windows.
Sorry, what exactly is the security issue with Java? Aside from the shitty browser plugin, but that bit's as good as gone these days anyway.
I agree here - plugins are in general a security hole waiting to happen. JavaScript is bad enough from a browser security perspective.
On the server side it's more a question of if some service can break out of the JVM or do other inappropriate things on the server.
But even then I can understand the need for a "secret" security team. It's good to keep the cards close until you know what the impact your problem has and a fix is dispatched.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
It's bugging me a bit when they open the web browser to a page of their choice at every install.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
New Secret Advisory? Non-public Security Abatement? Never Seen Accomplishments?
Either you only include trusted people, then what do you need the NDA for?
Or you expect it will include people not trustworthy, then maybe you shouldn't do it.
Excluding the bad guys from getting access to security issues, sure.
But I can't see NDAs do any good. At best, they cause legal concerns for those who want to be involved, at worst, it will be a way to force people to keep major undisclosed security issues that nobody feels like fixing secret and unfixed "forever".
Name one big new project that is popular made in the past 3 years based on Java?
http://saveie6.com/
It's hard to take Java security seriously as long as the Java installer tries to push malware.
I've tried to figure out if it actually is legal for them to do that, but so far I haven't really found any good analysis of the case.
That is Oracle for ya. They are too cheap to pay for the bandwidth. So eyecandy spyware is included to cover the costs since Larry doesn't make enough money.
http://saveie6.com/
I agree here - plugins are in general a security hole waiting to happen. JavaScript is bad enough from a browser security perspective.
On the server side it's more a question of if some service can break out of the JVM or do other inappropriate things on the server.
But even then I can understand the need for a "secret" security team. It's good to keep the cards close until you know what the impact your problem has and a fix is dispatched.
Yeah, it's good for an organization to save face after writing insecure code.
It's not so good for users. I want to know what the black-hats know so I can perform my own threat assessment, mitigation, and eventual patching. I don't want to be left in the dark while zero-days float around. I don't use OpenJDK but if I did, I would be looking for alternatives right now.
It's bugging me a bit when they open the web browser to a page of their choice at every install.
Odd, my package manager (Gentoo's Portage) doesn't do that ever, no matter how many times I install a JDK.
Another satisfied Microsoft customer??
If you're using the Android SDK you are writing in Java.
Even if that was the sole remaining use-case it would be far from dead.
No you are not. Oracle lies which is why they killed opensource and clean room implementations by judicial activism. Google uses Dalvik which does not contain a single line of code written by Oracle that they somehow stole and now own thanks to their lawyers.
Dalvik is a clean room implementation and does not even use a traditional JVM and would still be around if Oracle didn't threaten to sue Apache out of existence. Another reason not to consider Java as it is immoral to support Oracle.
http://saveie6.com/
Minecraft
Dalvik is a bytecode specification and a VM, not a language.
Of course you program in Java, the language, when you code for the Dalvik VM.
Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
I write a bit nee Java code nearly every day ;)
Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
a wizard did it. and it was all just a dream.
Java is dead? Not likely. It is the most popular programming language in the world by a large margin.
http://pypl.github.io/PYPL.html
Been in software development for 15 years and there is always some fool saying "java is dead"
... Minecraft is older than 3 years.
Taking a quarter inch doesn't seem that bad.
"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety." -- Benjamin Franklin
"I believe in Karma. That means I can do bad things to people all day long and I assume they deserve it." : Dogbert
It's still Java. It just doesn't use Oracle's JVM.
Avoid 60% of Java's security issues by disabling it in the browser.
I work for SAP and our cloud based software is written in Java. This includes the Concur, Ariba, and SuccessFactors business units. We have started many projects written in Java within the past 3 years and the language is so centric to our business that we we created our own JVM.
Never trust anyone who says "trust me".
If you're using the Android SDK you are writing in Java.
Or in C#. Or, if you don't care about platform independence, even C or C++.
While I don't disagree that Java is likely the most widely used language, I'm not sure that link is reliable. In my experience while Python is hyped it isn't widely used for software development. Similarly PHP's entire popularity is probably WordPress.
Devs can use Kotlin if Java is to be avoided -- Android Studio officially supports it.
Personally I'm hoping Google ends up making a project Fuschia/Magenta based smartphone so VM languages can be ditched completely and we can go back to native development. (One can dream).
Sluggish RAM eaters which Take 10 minutes to start Up, i assume.
My condolences.
that's VM, he means android sdk needs jdk. It won't run otherwise. As for me, I can't get it work on openjdk tho, I always need to install oracle jdk. I use mac and linux.
Larry the greasy Tycoon wants to Control the Java SPIN. Thats all.
Pros use Rust or Swift.
It doesn't matter too much for this point though, almost any way you measure it, Java comes out on the top of the language popularity lists.
"First they came for the slanderers and i said nothing."
I suspect that most of them are real jobs but that they don't require Java.
Java is the IP65 of programming languages. People who doesn't know what they need specify it instead of asking an expert what would be good for their particular case.
Unfortunately that also means that Java ends up in some cases where it don't belong.
Name one big new project that is popular made in the past 3 years based on Java?
About 70% of the software at my company?
Surely though you have a good point. We'd have been better off using on WhizBang!JS for this quarter's new projects. So what if it'll be unsupported in a year and we have to re-write everything. Job security eh?
Also, don't let numbers get in the way either:
http://www.codingdojo.com/blog...
Then you are not using the Android SDK. You are using the NDK, a game engine, or some other development environment.
Only crack the nuts that crack. You don't put the ones that don't crack in the sack.