Oracle Removes Java Signatures, Breaking Webstart
sproketboy writes "It seems Oracle has decided in their infinite wisdom to remove digital signatures from the Java projects that they put into the open source community. Of course this breaks any application out there depending on Java Webstart using these libs. Looks like Java3D and JAI are currently affected — probably other APIs are as well. Oh Oracle! What are we supposed to do with you?"
Oracle only said they'd keep it open source (Score:5, Insightful)
Proprietary programming languages (Score:2)
Re: (Score:2)
I can't feel bad for the idiots who lock themselves in. It's not like it's any secret or that they didn't have a choice.
Re: (Score:2)
What is a "proprietary programming language", and why is Java one?
In any case, practice shows that corporate backing is pretty much necessary for any language to be successful, because it's what brings advanced tooling support. You can have a bunch of enthusiasts write a compiler and some skeletal standard library. But you need someone to work on "boring" things such as an IDE (and specifically on polishing its UI), and then a slew of technical writers to have solid documentation.
Doesn't mean the language i
clueless post (Score:2)
Why do we even need corporations to be involved and in control of our programming languages? Is it not time to rid ourselves as programmers from the tyranny of these greedy organizations by simply choosing to not use proprietary programming languages?
This is a clueless post. This is not fine arts where you choose to paint oil on canvas or watercolor. Rarely do you, as a programmer, choose the implementation language, even for new development. Rarely, rarely, rarely, only if you are in a small shop, or you are an entrepreneur or your own business dealing with small clients or small contracts.
Again, to reiterate, this was a clueless post, full of rhetoric at the expense of everything else.
Self-signed? Big Scary Warning! (Score:3)
It's a 5 minute job to package the jar yourself and sign it.
And a how many minute job to earn money to buy the certificate from a CA to sign your signature?
Re: (Score:2, Troll)
And a how many minute job to earn money to buy the certificate from a CA to sign your signature?
$60, and about an hour of back-and-forth emails in identity verification for a class 2 identity cert [startssl.com]. Surprisingly cheap and easy.
Re: (Score:2)
And a how many minute job to earn money to buy the certificate from a CA to sign your signature?
$60, and about an hour of back-and-forth emails in identity verification for a class 2 identity cert [startssl.com]. Surprisingly cheap and easy.
You might not think so if you were a start-up in India.
Re: (Score:3)
Before you continue, make sure, that you have at least two recent documents
It mentions both a passport and state ID. In the United States, not a lot of people have a passport because not a lot of people have a need to travel internationally. So most people carry only a state ID such as a driver's license. What second document should people who never leave their home country use?
And what should I do once I've bought the certificate, but I need to push out a security update after it has expired?
Re: (Score:3)
I don't have a current passport, either. Mine expired years ago, even before 9/11.
Ultimately, I wound up sending them pictures of my state ID, birth certificate and cell phone bill. I tried sending two different photo IDs, but they sent me an email asking for a copy of the birth certificate. They're reasonably friendly and will work with you to identify the documents you'd need.
As for security updates...I don't know. It will depend on the context. Just a guess, but I imagine that, if you're using your own c
Re: (Score:2)
Sounds strange to me. What if someone signs a trojaned library?
Re: (Score:3)
I don't know about Java and WebStart, but when I go to install or launch a signed-but-untrusted binary (such as something that's fresh out of a browser's download queue), Windows gives me the signer's name and other cert details, and asks me if I want to run code by them.
Cryptographically signing something only tells the end-user *who* it was signed by. You still have to decide whether or not to trust that Who. I expect the implementation details of that are going to be specific to WebStart and the JVM in q
Re: (Score:3)
TL;DR version of my other reply [slashdot.org].
So anyone can sign those java libraries
Sure.
and have them work without problems?
Probably not.
Sounds strange to me. What if someone signs a trojaned library?
Was it someone you chose to trust? Then you're screwed. If it's not someone you chose to trust, then you still have the option of choosing whether or not to trust them before you run the library. In short, do your homework. Or let your package maintainer do it for you; your operating system should already be set up to ensure updates from upstream are trusted, and your package maintainer should be on the ball about being sure *his* upstream is trusted.
Security risk...sure. (Score:4, Insightful)
from FTA:
It's been several years since Oracle (previously Sun) stopped providing support for the open source Java3D projects. It was decided that keeping binaries signed with old Sun signing certificates represented a potential security risk, and because of this, we have removed the old Sun signing certificates for the binaries on download.java.net.
Cause you know...that makes sense.
Re: (Score:2)
On what planetoid does that make sense, and on what planetoid was it too hard to generate new Oracle signing certificates?
Re: (Score:2)
People who think they can convey sarcasm in printed text usually do not have the talent to carry it off. It is almost impossible to do in a brief post. People who think sarcasm is clever are not that clever. People who say "you missed the sarcasm" in such a case are merely tiresome.
Re: (Score:2)
People who think they can convey sarcasm in printed text usually do not have the talent to carry it off. It is almost impossible to do in a brief post. People who think sarcasm is clever are not that clever. People who say "you missed the sarcasm" in such a case are merely tiresome.
I picked it up. Perhaps it's cultural but the phrase "Cause you know that make sense" just reeks of sarcasm, and the ellipsis makes it even more obvious. - not sarcasm.
It's Their Culture (Score:5, Insightful)
It will take a little time to untrench Java, but the intertubes won't stand for this type of reckless and disrespectful behavior. A change is a commin'.
Re: (Score:2)
>they just don't know how to handle things.
Never attribute to malice what can be explained by incompetence. Or so think those who believe the excuses of malicious people.
How comfortable does it feel to know your company database is in the hands of these fine folks.
Re: (Score:2)
Well if it was an Oracle database that I was paying a 6-7 figure sum in support fees per year for, very comfortable, provided my company was big enough to be able to afford it.
A MySQL database, not comfortable at all.
Re: (Score:2)
When it comes from a large vendor, an SLA is only as good as your legal department's ability to overwhelm their legal department in a discovery war.
Re: (Score:2)
His parser relies on JAI you insensitive clod!
Re: (Score:2)
I am not sure yours is a counterpoint, and I'd see postgres more suitable to replace oracle.
Re:It's Their Culture (Score:5, Insightful)
Are there alternatives to Java? Mandatory bounds checking, garbage collection and all that implies, and inability to break type safety combined with good execution speed are not easy to implement, especially in a multi-platform way.
Re: (Score:2)
inability to break type safety
They removed casts and NULLs from Java?
By the way, Go and D seem decent alternatives.
Re: (Score:2)
Actually there is Modula-3 too, where quite some of the Java ideas have come from. (Admittedly without a VM and non-C-ish syntax)
Re: (Score:3)
Trying to cast an object into an incompatible type results in an exception. Trying to use a null pointer results in an exception. Both exceptions can be caught and handled. They don't leave the program in an undefined state, as they do in C or C++.
Re: (Score:3)
inability to break type safety
They removed casts and NULLs from Java?
By the way, Go and D seem decent alternatives.
Do they have a component model and architecture? Remote debugging out of the box? Ability to step through back and forth a stack call while on debugging mode? Management extensions? A similarly sizable application ecosystem?
Don't get me wrong, I think Go is a far superior language than Java, but it does not have anything of the sort mentioned above (whereas Java does). And as Google itself has said, Go is a systems programming language intended to replace C and C++, not Java.
There is a lot more to d
Re: (Score:2)
Oh sure, Java isn't going anywhere. I was citing them as languages with the characteristics listed by GP (bounds checking, garbage collection, etc).
Modula 3 (Score:2)
Yes. Modula 3, for example, has "Mandatory bounds checking, garbage collection and all that implies, and inability to break type safety combined with good execution speed".
Re:It's Their Culture (Score:4, Funny)
I hear good things about Flash. They just released a new version so I'm certain it'll be around for a while.
Re: (Score:2)
+5, Funny.
Serves'em right (Score:5, Insightful)
Serves JavaWebStart coders right for relying on third-party, online systems.
In that vein, one can consider what would happen if Google suddenly stopped hosting JQuery [googleapis.com]: about half of the javascript-using websites in the world would stop working. :)
Re: (Score:2)
And that one is hard to beat on ease of remembering (4x8 is easy to remember), so one tends to use it often when one just needs a DNS server and doesn't want the work of looking the local DNS up.
Will Google please buy Java? (Score:2)
For the love of god. Put Oracle out of its misery. They're killing a good thing.
Re: (Score:2)
Microsoft might as well buy it. I'm switching to C#, other than for Android development, but of all these kinds of problems (and because Eclipse sucks so hard compared to VS in practically every single way). And I don't even run Windows (yes, clearly I'll need a VM for C# development). Unless Mono is something to be taken seriously these days.
Take Mono seriously, it does quite well, but MonoDevelop nope. It's about as easy to do it all by hand in your favorite text editor.
Re: (Score:2)
C#? Microsoft has "depreciated" .NET/C#/Silverlight in Win8, in favor of HTML5 and Javascript, so your "salvation" has already failed.
I used to use VS at work running Qt with the exe Qt plugin for VS. But, I found that I could develop 2 to 5 times faster in Linux running Qt with Kate and KDbg than I could with VS in XP, so I switched out of VS and never looked back. Qt has Q_BLOCK, which adds garbage collection and automatically deletes pointers that lose focus, among other things. I especially like it
Re: (Score:2)
FUD. I remember the original slashdot FUD article you're referring to as well. WPF and Silverlight are not all of .NET or C# and even if it were the source cited didn't really say that at all.
http://weblogs.asp.net/scottgu/archive/2010/11/04/silverlight-questions.aspx [asp.net]
Problem exaggerated (Score:5, Insightful)
I don't like oracle either. But if you are writing a webstartable application, you probably have the infrastructure to sign your own jars. So you could sign the Java3D-jars yourself and distribute them together with your application. Depending on availability of something like http://download.java.net/media/java3d/webstart/release/j3d/1.5.2/windows-i586/j3dcore-d3d_dll.jar [java.net] - signed or not - isn't really advisable anyway.
Re: (Score:2)
That's what I was thinking. I'm a bit ignorant on the specific issue with Java3D though, maybe you can set me straight. For any other library we just bundle everything up into a single (signed) jar file which can then be used with Java Web Start or as a stand-alone application. However, since Java3D requires native libraries to get decent performance, I have been under the impression that users had to run the Java3D installer separately (same for JMF). If we can get away without doing so, that would be nice
Re: (Score:2)
I don't use Java3D but if you look at the jnlp file at http://download.java.net/media/java3d/webstart/release/java3d-latest.jnlp [java.net] you can see how native libraries are included depending on os:
Re: (Score:3)
<nativelib href="j3d/1.5.2/windows-i586/j3dcore-ogl-chk_dll.jar" download="eager"/>
<nativelib href="j3d/1.5.2/windows-i586/j3dcore-ogl_dll.jar" download="eager"/>
<nativelib href="j3d/1.5.2/windows-i586/j3dcore-d3d_dll.jar" download="eager"/>
</resources>
<resources os="Windows" arch="amd64">
<nativelib href="j3d/1.5.2/windows-amd64/j3dcore-ogl_dll.jar" download=
Re:Problem exaggerated (Score:4, Insightful)
Yea I don't see the big issue. I always thought it is VERY bad practice to depend on external links to libraries, especially if you're already providing some libraries yourself (e.g. your app). Who knows how long these links stay valid, it can lead to inconsistencies and so on. If they're not under your control, you shouldn't have any expectations.
If this breaks things for you, you did something wrong to begin with.
What to do? (Score:2)
Oh Oracle! What are we supposed to do with you?
Nuke it from orbit...it's the only way to be sure.
Webstart download these libs from where? (Score:3, Insightful)
To blame is the infinite wisdom of developers that decide to reference libraries from Oracle servers. They could instead sign all the libraries themselves and put them on their own download servers. That has the added benefit that Webstart doesn't need to rely on dozens of third-party download hosts to be up and running, but only your own host must be up.
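Added example, not part of the thread or of any poster's code: several comments above recommend signing the libraries yourself and serving them from your own host instead of referencing download.java.net. This Python script audits a JNLP descriptor for `jar`, `nativelib` and `extension` entries that resolve to hosts outside an allow-list, and checks whether a jar still carries signature files; the descriptor, the host `apps.example.test`, the `MYKEY` alias and all function names are constructed for illustration.

```python
"""Audit a JNLP descriptor for resources served from hosts you do not control."""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlparse

# Constructed sample descriptor. apps.example.test is a placeholder host;
# the extension URL is the Java3D descriptor quoted in the thread.
SAMPLE_JNLP = """<jnlp spec="1.0+" codebase="https://apps.example.test/viewer" href="viewer.jnlp">
  <security><all-permissions/></security>
  <resources>
    <jar href="viewer.jar" main="true"/>
    <extension href="http://download.java.net/media/java3d/webstart/release/java3d-latest.jnlp"/>
  </resources>
  <resources os="Windows" arch="x86">
    <nativelib href="native/windows-i586/viewer-native.jar" download="eager"/>
  </resources>
</jnlp>
"""

RESOURCE_TAGS = ("jar", "nativelib", "extension")


def audit_jnlp(jnlp_text, trusted_hosts):
    """Return one dict per jar/nativelib/extension entry, in document order.

    Intended for descriptors you own; for untrusted XML use a hardened
    parser such as defusedxml instead of ElementTree.
    """
    root = ET.fromstring(jnlp_text)
    codebase = root.get("codebase", "")
    if codebase and not codebase.endswith("/"):
        codebase += "/"  # otherwise urljoin drops the last path segment
    findings = []
    for resources in root.iter("resources"):
        for child in resources:
            href = child.get("href")
            if child.tag not in RESOURCE_TAGS or not href:
                continue
            url = urljoin(codebase, href)  # absolute hrefs override the codebase
            parsed = urlparse(url)
            findings.append({
                "kind": child.tag,
                "url": url,
                "os": resources.get("os"),
                "arch": resources.get("arch"),
                # external: breaks (or changes) whenever the third party edits its files
                "external": (parsed.hostname or "").lower() not in trusted_hosts,
                # plaintext: the descriptor or jar can be altered in transit
                "plaintext": parsed.scheme != "https",
            })
    return findings


def signer_files(jar_bytes):
    """Map signer alias -> signature block extension found under META-INF/.

    Presence check only: it shows whether signature files were stripped,
    not whether the signature verifies (use `jarsigner -verify` for that).
    """
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        names = {n.upper() for n in jar.namelist()}
    signers = {}
    for name in names:
        if name.startswith("META-INF/") and name.count("/") == 1 and name.endswith(".SF"):
            base = name[:-3]
            for ext in (".RSA", ".DSA", ".EC"):
                if base + ext in names:
                    signers[base.split("/")[1]] = ext
    return signers


def make_jar(entry_names):
    """Build a constructed, empty-bodied jar in memory for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for n in entry_names:
            z.writestr(n, b"")
    return buf.getvalue()


if __name__ == "__main__":
    for f in audit_jnlp(SAMPLE_JNLP, {"apps.example.test"}):
        print(f)
    print(signer_files(make_jar(["META-INF/MANIFEST.MF", "Viewer.class"])))
```
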
Alternative! (Score:2)
Someone (Google?) should just make a language identical to Java and call it something else. Even existing Java compilers could compile it and existing Java VM's could run it! Then they should extend and alter it so we can call Vectors Vectors and use them like arrays, and do operator overloading, and other sugar that Javas "Everything is a Fucking Object, Now Shut Up" keeps us from.
Oh, and get rid of those damn fonts. The Sun Java fonts look like shit on any screen at any resolution. Oh and fix Java embeddi
Re: (Score:2)
And what happens when the language has some traction and Google gets all protective about it?
If you're using a language that doesn't come out of Academia and FOSS it's your own damn fault if the vendor makes decisions that screw you.
It looks like (Score:2)
Oracle just gave us an 'affeine break.
Java won't be missed (Score:3)
Though I've been a professional Java programmer I never enjoyed it as much as the other languages. It died on the desktop, it died on the web, but got a good foothold in the enterprise web services side. Mostly thanks to Sun driving it very hard, and it riding on their reputation of Sun's rock solid hardware and Solaris OS.
Oracle has done a good job of killing it. It is clear the owners don't care about it, it's sinking in a legal mire, and now it breaks in ways that would never have happened under Sun's stewardship. Time to move on.
Phillip.
Re: (Score:2)
To what? Seriously. Point me to something that can replace Java.
This affected Mercedes-Benz USA (Score:2)
This affected Mercedes-Benz USA. One of their most important apps is a JavaWebStart. This explains the company wide failure we had.
Re:Die! (Score:5, Funny)
Die Java! Die! Go Oracle! Kill this shitastic language! Once it's dead, the horde of Java "programmers" can go back to being fry cooks like they were before Java was created.
fry cook! If only .... I was a C++ programmer
Re: (Score:3)
What landed on your head to make you switch to ....... java?*shudders*
If I'm honest it was money. But I don't miss pointers, references, destructors, the pre-processor and many other things in c++
Indeed. (Score:3)
What landed on your head to make you switch to ....... java?*shudders*
If I'm honest it was money. But I don't miss pointers, references, destructors, the pre-processor and many other things in c++
Same here. Actually not but... anyways. For me it was from C/C++ (from the days of C++ without anything resembling the STL) to Java (for the money), and like you, I didn't miss the segfaults and the "ooops, I forgot to define my function args as references, causing accidental pass-by-values" or the stupidity of the throws clause (which fortunately is being deprecated in C++0x). With the Java standard library, productivity went off the roof.
But 12 years later, now I'm back to C++ ... also for the money
Re:Die! (Score:4, Insightful)
Re: (Score:2)
Java was better than Cobol to start with, and considering it hasn't changed in the last 6 years means it didn't get any worse.
Re:Die! (Score:5, Insightful)
There are plenty of good Java programmers. Yes there are more crap java programmers. But I can't think of any language for which that ISN'T true.
Re: (Score:3, Interesting)
Python seems to think it isn't true.
Java assumes everyone is a bad programmer.
Re: (Score:2)
Is that why Python doesn't have advanced concepts like threading? Is that why Python is considered a good teaching language? Do you really think there aren't mediocre Python programmers out there?
Re: (Score:2)
Key words: "seems to think". I'd be more curious about how a language can seem to think at all... dancing bears, etc.
Re: (Score:2)
uh, my point was, the python language and indeed the community around python, make rather pretentious assumptions about themselves.
eg, there are no private/public properties in python. Instead the mentality is that the developer using an API will be smart enough to tread where they don't belong.
Java assumes the exact opposite, that everyone is dumb so this is why so much verbosity is needed.
there are pros and cons to both approaches.
Re: (Score:2)
If the Python community thought everybody was so smart then they'd just tell everybody to use C or C++, which allows you to do memory manipulation and isn't nearly as slow.
Re: (Score:2)
Java is verbose because it's a statically typed language without type inference, duh! ( You know, like C or C++ or C# )
Uhhhh.... (Score:2)
Java is verbose because it's a statically typed language without type inference, duh! ( You know, like C or C++ or C# )
Uh, from someone who does both Java and C++. These two are almost equally verbose. Also, the primary culprit behind Java verbosity (and which makes it more verbose than C++) has nothing to do with type inference. The blame falls squarely on:
1) checked exceptions,
2) checked exceptions in the throws declarations of almost all the APIs for IO/networking and threading,
3) a lack of function handlers at the JVM level which forces you to create these nastily verbose object functors (at least in C++ you can cr
Re: (Score:2)
The CPython implementation has a global interpreter lock that makes threading worthless in some situations, but the language certainly supports it (and other implementations can use it without restriction).
There certainly are mediocre Python programmers out there, but I hadn't seen "Java-bad" Python code until the most recent TDWTF: http://thedailywtf.com/Articles/Python-Charmer.aspx [thedailywtf.com]
Re: (Score:2)
Python has threading. I've used it, a lot.
I believe the module you are looking for is cryptically named "threading".
Re: (Score:2)
Is that why Python doesn't have advanced concepts like threading? Is that why Python is considered a good teaching language? Do you really think there aren't mediocre Python programmers out there?
Ahem. [python.org]
Re: (Score:2)
I've heard so many complaints from Python programmers themselves about the Global Interpreter Lock that prevents real threading from occurring that I didn't know that they actually had a threading library.
Point taken, though.
Re: (Score:3)
http://thedailywtf.com/Articles/Python-Charmer.aspx [thedailywtf.com]
There are bad programmers everywhere, but yes, the concentration of bad coders in Java, ASP, VB, C# and anything .net related is 10 times that of any other language.
Re: (Score:2)
umm, I can think of one example with worse programmers on average than any of those.
COBOL
Re: (Score:2)
Well, I guess that depends if you define it intra-language or inter-language. When you wield a butcher knife there are good butchers and crap butchers, when you wield a scalpel there are good surgeons and crap surgeons but if they all entered a precision cutting competition we'd see differences. And some languages are like juggling chain saws for no discernible reason. I'd call java quite middle of the road though...
Re: (Score:2)
Eh. There are things to do in C/C++ that are trivial, that take some real creativity in Java or Python without invoking the C/C++. Likewise, there are things that are trivial in Java or Python that would take a lot of effort to program in C/C++.
I'm more inclined to think that each language tends to focus on a different mindset and skill set. Though I'd also argue that Java is a poorly thought out language, and I can't blame its programmers for all the issues. Personally I find C to be less of a headache.
Re: (Score:2)
" There are things to do in C/C++ that are trivial, that take some real creativity in Java or Python without invoking the C/C++. "
And you've got wrapper generators for exactly those times. (Or use Lua + alien )
Both Java and Python are glue languages. It's just Python is comfier in the command line while Java in the IDE.
Re: (Score:2)
Sturgeon's law applies.
Re: (Score:2)
I wonder if this is the real reason why Java gets so much crap. More generally, I wonder if this is the reason why there are so few programming systems that would be easy to use and produce efficient code.
Re:destroying open source (Score:5, Informative)
Actually, Oracle might not have bought Sun if they could not sue Android:
" Miguel De Icaza has provided a very interesting insight into the case. His report has been confirmed by James Gosling, known as the father of Java who left Sun right after the merger. Icaza speculates that the potential to monetise on Java by suing Google was pitched by Jonathan Schwartz during Sun's sales talks with Oracle. Oh boy."
http://techcrunch.com/2010/08/13/android-oracle-java-lawsuit/ [techcrunch.com]
http://tirania.org/blog/archive/2010/Aug-13.html [tirania.org]
http://www.osnews.com/story/23684/De_Icaza_Sun_s_Schwartz_Pitched_Google_Lawsuit_to_Oracle [osnews.com]
Re:destroying open source (Score:4, Insightful)
A proponent of Mono/C# has damning insight on Java... Color me shocked.
Re: (Score:3)
And this has no merit ?:
"James Gosling, the father of Java who left Sun soon after it was acquired by Oracle, writes on his blog that Oracle was eying the Java patents as part of the Sun acquisition:
Oracle finally filed a patent lawsuit against Google. Not a big surprise. During the integration meetings between Sun and Oracle where we were being grilled about the patent situation between Sun and Google, we could see the Oracle lawyer’s eyes sparkle. Filing patent suits was never in Sun’s genetic
Re: (Score:3)
Merit v. Motive.
There is no proof and neither James Gosling nor Jonathan Schwartz have said that the sole reason Oracle purchased Sun was to sue Google. Nowhere did I see the ability to sue Google being a requirement for the sale. I can see this legal issue being a sticking point because of the possible liability not that it was an asset.
Oracle does want to monetize Java (just like most open source providers of software) and one way is to protect their investment through patent enforcement. The topic of G
Re: (Score:2)
In a smoke filled conference room, Sun and Oracle are meeting. The officers of Sun are anxious to get on with the transfer of booty to their personal coffers. Oracle asks about Java and how come Sun couldn't monetize it. Sun's lawyers and Mr. Schwartz blink at each other and Mr. Schwartz quickly opines: Oh, we simply are lining up our ducks...there are beeelllions and beeellllions of Google money just waiting for us. Now, if y'all could finish signing right down there on the dotted line, we'll get on dow
Re: (Score:2)
O = Obtuse
R = RAM
A = Abusing
C = Crap
L = Lame
E = Executables
I was bored, and that came about in 1999 after dealing with some craptastic oracle products
that need more patches than a row boat made of fishing nets.
Re:Shot themselves in the foot (Score:5, Insightful)
If you have an HR webstart app that loads libraries from random servers on the internet, you probably deserve what you get...
Re:Shot themselves in the foot (Score:4, Informative)
Many of the Oracle enterprise applications are Web Start applications.
But they don't use Java3D or JAI, and thus won't have this problem. Honestly, I'm not surprised at this move. Java3D and JMF have been neglected by Sun for years, and are pretty much considered to be abandoned APIs (for example JMF has no x86-64 support, and Java3D only supports the software renderer for x86-64). We have been moving away from them wherever possible.
Re: (Score:3)
Much as I love java, doing serial port comms with it sounds downright painful. I'd be using c/c++ for that if at all possible (and not through JNI ;p).
Re:FORK IT! (Score:4, Insightful)
Re: (Score:2)
Yes, Microsoft tried and failed to do that. Google are in trouble with their Android implementation of Java at the moment.
Re: (Score:2, Offtopic)
Yes, what did the "Rich Asshole" call Larry Ellison?
Come on, don't leave us hanging!
Re: (Score:2)
"Self"