Proposed new schedule for JDK 8 (opens in new tab)

(mail.openjdk.java.net)

76 pointsaustinbv12y ago29 comments

29 comments

My proposed security fix: kill the Java Browser Plugin.

I agree. All the bad rep Java gets is from the Applet 0-day hacks.

Java 8 to deprecate the Browser Plugin, Applets and all related stuff to it, and for those who need this technology can use Java 7 and other previous releases.

mdmarra12y ago

Then you're going to have all kind of apps stuck on older Java versions forever. While I'd love to see it happen, it would be Oracle shooting themselves in the foot with their enterprise customers, which - let's face it - is who they actually care about.

4 more replies

brokenparser12y ago

That's a bit harsh. Just offer it as a separate download or don't include it in a default install.

csense12y ago

Does anyone have any ideas about why the browser plugin for applets has so many security zero-days?

If competing products like Flash, JavaScript, or HTML 5 have fewer security issues, what are the engineering reasons they're better, and how can those lessons be ported to Java?

Alternatively, maybe Java applets are actually comparable to other technologies in this space in terms of security zero-days. Its bad reputation might be merely due to the fact that relatively few people actually use it, so a recommendation to get rid of it won't break nearly as much of the Web as removing Flash or disabling JS. Is this explanation plausible?

TazeTSchnitzel12y ago

Because Java allows signed applets to ask to run native binaries, it will always be hopelessly dangerous.

mynameishere12y ago

It's still used in commercial and industrial applications. (Obviously, it never caught on in userland.) You could make it disabled by default, but getting rid of it would be an outrageous mistake.

hatchoo12y ago

Why not just come up with a separate installer for the browser plugin. The runtime isn't as bad security-wise. Or is it?

hugi12y ago

Kill the Java browser plugin. Also, delay by another year and use the opportunity to bring in Jigsaw. Lambdas are nice, but in the big picture, Jigsaw is huge.

batgaijin12y ago

what does jigsaw bring to the table? what does its existence imply?

suyash12y ago

Read about it and ask more specific questions: http://openjdk.java.net/projects/jigsaw/

1 more reply

rlmw12y ago

Seems pretty likely that Jigsaw will take > 1 year to complete.

suyash12y ago

We can wait till 03/2014 for JDK 8. I don't want to jump on buggy code. Good idea by Oracle not to scope creep by delaying but fixing security bugs and making the code base more stable.

iso8859-112y ago

I am happy about the renewed focus on security. As far as I remember, people were pretty skeptical and didn't think Oracle would fix the JRE once the exploits started getting discovered so frequently.

JulianMorrison12y ago

Versioned jarballs with versioned dependencies PLEASE. Seriously, Ruby is laughing at you.

moondowner12y ago

Jarballs? I don't know why Ruby would be laughing. Maven and Gradle are doing their job fine of handling project dependencies.

JulianMorrison12y ago

Build dependencies, yes.

Runtime dependencies for upgrade in situ, not so much.

j / k navigate · click thread line to collapse

29 comments

pswenson12y ago

My proposed security fix: kill the Java Browser Plugin.

moondowner12y ago

I agree. All the bad rep Java gets is from the Applet 0-day hacks.

Java 8 to deprecate the Browser Plugin, Applets and all related stuff to it, and for those who need this technology can use Java 7 and other previous releases.

mdmarra12y ago

4 more replies

brokenparser12y ago

That's a bit harsh. Just offer it as a separate download or don't include it in a default install.

csense12y ago

Does anyone have any ideas about why the browser plugin for applets has so many security zero-days?

If competing products like Flash, JavaScript, or HTML 5 have fewer security issues, what are the engineering reasons they're better, and how can those lessons be ported to Java?

TazeTSchnitzel12y ago

Because Java allows signed applets to ask to run native binaries, it will always be hopelessly dangerous.

mynameishere12y ago

It's still used in commercial and industrial applications. (Obviously, it never caught on in userland.) You could make it disabled by default, but getting rid of it would be an outrageous mistake.

hatchoo12y ago

Why not just come up with a separate installer for the browser plugin. The runtime isn't as bad security-wise. Or is it?

hugi12y ago

Kill the Java browser plugin. Also, delay by another year and use the opportunity to bring in Jigsaw. Lambdas are nice, but in the big picture, Jigsaw is huge.

batgaijin12y ago

what does jigsaw bring to the table? what does its existence imply?

suyash12y ago

Read about it and ask more specific questions: http://openjdk.java.net/projects/jigsaw/

1 more reply

rlmw12y ago

Seems pretty likely that Jigsaw will take > 1 year to complete.

suyash12y ago

We can wait till 03/2014 for JDK 8. I don't want to jump on buggy code. Good idea by Oracle not to scope creep by delaying but fixing security bugs and making the code base more stable.

iso8859-112y ago

JulianMorrison12y ago

Versioned jarballs with versioned dependencies PLEASE. Seriously, Ruby is laughing at you.

moondowner12y ago

Jarballs? I don't know why Ruby would be laughing. Maven and Gradle are doing their job fine of handling project dependencies.

JulianMorrison12y ago

Build dependencies, yes.

Runtime dependencies for upgrade in situ, not so much.

j / k navigate · click thread line to collapse