Oracle Removes Java Signatures, Breaking Webstart

sproketboy writes "It seems Oracle has decided in their infinite wisdom to remove digital signatures from the Java projects that they put into the open source community. Of course this breaks any application out there depending on Java Webstart using these libs. Looks like Java3D and JAI are currently affected — probably other APIs are as well. Oh Oracle! What are we supposed to do with you?"

Oracle only said they'd keep it open source

[Chrisq]

Oracle only said they'd keep it open source. They never said they'd let you use it.

Security risk...sure.

[Anonymous Coward]

from FTA:

It's been several years since Oracle (previously Sun) stopped providing support for the open source Java3D projects. It was decided that keeping binaries signed with old Sun signing certificates represented a potential security risk, and because of this, we have removed the old Sun signing certificates for the binaries on download.java.net.

Cause you know...that makes sense.

It's Their Culture

[WrongSizeGlass]

Oracle is used to dealing with very large corporations. Now that they have their hands on Java, which directly affects many users, web hosts (large and small), etc, etc they just don't know how to handle things. Forcing major changes onto companies that Oracle has by the implementation & licensing balls is one thing, but trying to force major changes onto the real world will only lead to a backlash and the adoption of alternatives to Java.

It will take a little time to untrench Java, but the intertubes won't stand for this type of reckless and disrespectful behavior. A change is a commin'.

Re:Die!

[TheRaven64]

Sure, just like how all of the crap programmers left the industry when COBOL, and VB6 went out of fashion...

Re:Die!

[ByOhTek]

There are plenty of good Java programmers. Yes there are more crap java programmers. But I can't think of any language for which that ISN'T true.

Re:Shot themselves in the foot

[headLITE]

If you have an HR webstart app that loads libraries from random servers on the internet, you probably deserve what you get...

Serves'em right

[Meneth]

Serves JavaWebStart coders right for relying on third-party, online systems.

In that vein, one can consider what would happen if Google suddenly stopped hosting JQuery [googleapis.com]: about half of the javascript-using websites in the world would stop working. :)

Re:FORK IT!

[mswhippingboy]

Right. Then just wait for the patent infringement suits to start rolling in. You can probably safely fork the language as long as you don't try to run the resulting binaries in a VM of any kind.

Problem exaggerated

[prionic6]

I don't like oracle either. But if you are writing a webstartable application, you probably have the infrastructure to sign your own jars. So you could sign the Java3D-jars yourself and distribute them together with your application. Depending on availability of something like http://download.java.net/media/java3d/webstart/release/j3d/1.5.2/windows-i586/j3dcore-d3d_dll.jar [java.net] - signed or not - isn't really advisable anyway.

Re:It's Their Culture

[ultranova]

Forcing major changes onto companies that Oracle has by the implementation & licensing balls is one thing, but trying to force major changes onto the real world will only lead to a backlash and the adoption of alternatives to Java.

Are there alternatives to Java? Mandatory bounds checking, garbage collection and all that implies, and inability to break type safety combined with good execution speed are not easy to implement, especially in a multi-platform way.

Re:destroying open source

[Bill_the_Engineer]

Miguel De Icaza has provided a very interesting insight into the case.

A proponent of Mono/C# has damning insight on Java... Color me shocked.

Re:Problem exaggerated

[Anonymous Coward]

Yea I don't see the big issue. I always thought it is VERY bad practice to depend on external links to libraries, especially if you're already providing some libraries yourself (e.g. your app). Who knows how long these links stay valid, it can lead to inconsistencies and so on. If they're not under your control, you shouldn't have any expectations.

If this breaks things for you, you did something wrong to begin with.

Webstart download these libs from where?

[Anonymous Coward]

To blame is the infinite wisdom of developers that decide to reference libraries from Oracle servers. They could instead sign all the libraries themselves and put them on their own download servers. That has the added benefit that Webstart doesn't need to rely on dozens of third-party download hosts to be up and running, but only your own host must be up.