Slashdot Mirror


OpenJDK May Tackle Java Security Gaps With A Secretive New Group (infoworld.com)

An anonymous reader quotes InfoWorld: To shore up Java's security, a private group that operates outside the normal open source community process is under consideration. The proposed OpenJDK Vulnerability Group would provide a secure, private forum in which trusted members of the community receive reports on vulnerabilities in code bases and then review and fix them... The vulnerability group and Oracle's internal security teams would work together, and it may occasionally need to work with external security organizations.

Due to the sensitive nature of its work, membership in the group would be more selective, there would be a strict communication policy, and members or their employers would need to sign both a nondisclosure and a license agreement, said Mark Reinhold, chief architect of the Java platform group at Oracle. "These requirements do, strictly speaking, violate the OpenJDK bylaws," Reinhold said. "The governing board has discussed this, however, and I expect that the board will approve the creation of this group with these exceptional requirements." If the Java security group is approved, Andrew Gross, leader of Oracle's internal Java vulnerability team, would lead it.

11 of 79 comments

  1. I smell something strangely familiar... by Frosty Piss · · Score: 4, Insightful

    The vulnerability group and Oracle's internal security teams would work together

    Two things: I thought Oracle wanted to cut Java free? No? And really, when has Oracle been willing to work with anyone outside Oracle on Java?

    I mean, it could be true...

    --
    If you want news from today, you have to come back tomorrow.
    1. Re:I smell something strangely familiar... by Gravis Zero · · Score: 4, Interesting

      I thought Oracle wanted to cut Java free? No?

      Oracle wanted to burden someone else with maintaining Java EE, an extended version of Java. This would allow them to do the lesser job of extending Java SE if they so choose and free them from having to bother with security (Who knew security was so complicated? Nobody knew!). Since Java EE is a superset of Java SE, the Java EE maintainers would have to clean up the messes Oracle makes when they add features.

      --
      Anons need not reply. Questions end with a question mark.
    2. Re: I smell something strangely familiar... by KGIII · · Score: 4, Insightful

      I'm usually fairly mild mannered, but fuck Oracle. I trust those fuckers about as far as I can throw a fucking yacht. They came in to provide a database, consultants and all. The fucking fuckers were there for more than six months and never actually got it all working. So, I kicked them out. Shortly after, they had us in court and wanted a seven figure sum. It cost nearly that much just to defend ourselves and I have no idea how much was lost in productivity and due to morale. Fuck Oracle, fuck them right in the face.

      I feel better now.

      --
      "So long and thanks for all the fish."
    3. Re: I smell something strangely familiar... by KGIII · · Score: 3, Funny

      They probably are smarter than I am. I'm dumb enough to respond to you.

      --
      "So long and thanks for all the fish."
  2. Re:The NDA by Frosty Piss · · Score: 4, Insightful

    Java is dead. Let it live in legacy in a dusty MDF somewhere with its elderly uncle COBOL.

    Is Java "dead"? I'm no expert, but I thought huge giant swaths of "enterprise" code were written in Java? Shit like that doesn't just vanish, it gets maintained and added on to forever - like COBOL code... But also, while it's trendy for all the hip kids to say such things, COBOL is far from dead.

    --
    If you want news from today, you have to come back tomorrow.
  3. Re:The NDA by Plus1Entropy · · Score: 4, Informative

    If you're using the Android SDK you are writing in Java.

    Even if that was the sole remaining use-case it would be far from dead.

    --
    Only crack the nuts that crack. You don't put the ones that don't crack in the sack.
  4. Re:The NDA by Anonymous Coward · · Score: 2, Interesting

    I'm going to set BOTH of you straight:

    COBOL JOBS: 1,501
    https://www.indeed.com/jobs?q=cobol&l=

    JAVA JOBS: 63,769
    https://www.indeed.com/jobs?q=java&l=

    THIS should give you a general idea of the current market for the language.
    Enter your city to narrow it down.

  5. Re:The NDA by Anonymous Coward · · Score: 2, Interesting

    Sorry, what exactly is the security issue with Java? Aside from the shitty browser plugin, but that bit's as good as gone these days anyway.

  6. So the name of the group will be...? by hlavac · · Score: 3, Funny

    New Secret Advisory? Non-public Security Abatement? Never Seen Accomplishments?

  7. Re:The NDA by angel'o'sphere · · Score: 2

    Dalvik is a bytecode specification and a VM, not a language.
    Of course you program in Java, the language, when you code for the Dalvik VM.

    --
    Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
  8. Re:The NDA by Anonymous Coward · · Score: 3, Insightful

    Java is dead? Not likely. It is the most popular programming language in the world by a large margin.

    http://pypl.github.io/PYPL.html

    Been in software development for 15 years and there is always some fool saying "java is dead".