Oracle Removes Java Signatures, Breaking Webstart 198
sproketboy writes "It seems Oracle has decided in their infinite wisdom to remove digital signatures from the Java projects that they put into the open source community. Of course this breaks any application out there depending on Java Webstart using these libs. Looks like Java3D and JAI are currently affected — probably other APIs are as well. Oh Oracle! What are we supposed to do with you?"
Oracle only said they'd keep it open source (Score:5, Insightful)
Security risk...sure. (Score:4, Insightful)
from FTA:
It's been several years since Oracle (previously Sun) stopped providing support for the open source Java3D projects. It was decided that keeping binaries signed with old Sun signing certificates represented a potential security risk, and because of this, we have removed the old Sun signing certificates for the binaries on download.java.net.
Cause you know...that makes sense.
It's Their Culture (Score:5, Insightful)
It will take a little time to untrench Java, but the intertubes won't stand for this type of reckless and disrespectful behavior. A change is a commin'.
Re:Die! (Score:4, Insightful)
Re:Die! (Score:5, Insightful)
There are plenty of good Java programmers. Yes there are more crap java programmers. But I can't think of any language for which that ISN'T true.
Re:Shot themselves in the foot (Score:5, Insightful)
If you have an HR webstart app that loads libraries from random servers on the internet, you probably deserve what you get...
Serves'em right (Score:5, Insightful)
Serves JavaWebStart coders right for relying on third-party, online systems.
In that vein, one can consider what would happen if Google suddenly stopped hosting JQuery [googleapis.com]: about half of the javascript-using websites in the world would stop working. :)
Re:FORK IT! (Score:4, Insightful)
Problem exaggerated (Score:5, Insightful)
I don't like oracle either. But if you are writing a webstartable application, you probably have the infrastructure to sign your own jars. So you could sign the Java3D-jars yourself and distribute them together with your application. Depending on availability of something like http://download.java.net/media/java3d/webstart/release/j3d/1.5.2/windows-i586/j3dcore-d3d_dll.jar [java.net] - signed or not - isn't really advisable anyway.
Re:It's Their Culture (Score:5, Insightful)
Are there alternatives to Java? Mandatory bounds checking, garbage collection and all that implies, and inability to break type safety combined with good execution speed are not easy to implement, especially in a multi-platform way.
Re:destroying open source (Score:4, Insightful)
A proponent of Mono/C# has damning insight on Java... Color me shocked.
Re:Problem exaggerated (Score:4, Insightful)
Yea I don't see the big issue. I always thought it is VERY bad practice to depend on external links to libraries, especially if you're already providing some libraries yourself (e.g. your app). Who knows how long these links stay valid, it can lead to inconsistencies and so on. If they're not under your control, you shouldn't have any expectations.
If this breaks things for you, you did something wrong to begin with.
Webstart download these libs from where? (Score:3, Insightful)
To blame is the infinite wisdom of developers that decide to reference libraries from Oracle servers. They could instead sign all the libraries themselves and put them on their own download servers. That has the added benefit that Webstart doesn't need to rely on dozens of third-party download hosts to be up and running, but only your own host must be up.