Polish Researcher: Oracle Knew For Months About Java Zero-Day 367
dutchwhizzman writes "Polish security researcher Adam Gowdiak submitted bug reports months ago for the current Java 7 zero-day exploit that's wreaking havoc all over the Internet. It seems that Oracle can't — or won't? — take such reports seriously. Is it really time to ditch Oracle's Java and go for an open source VM?"
Duh (Score:5, Funny)
You think Uncle Larry gives a fuck?
No. Now pay him his money.
Re: (Score:3)
"... and I had heard most of the bigger corps went .NET for their backends."
Java is not primarily -- or even mostly -- for Web use. The vast majority of Java programs don't involve the Web at all. So yes, it is still used a lot. However, of course only the ones that are accessed via the Web are susceptible to the remote exploit.
Having said all that, I will reply to OP and say yes, it's time we started using a forked Java. In fact, most of us should have seen the writing on the wall from the actions Oracle took immediately after acquiring the rights to it. We're only a few years
Why are people still using this? (Score:2, Funny)
Re:Why are people still using this? (Score:5, Insightful)
You sound like someone who shouldn't be giving technical advice.
C/C++ has advantages over Java, just as Java has advantages over C/C++.
Saying you should use one over the other for every purpose is foolhardy.
Re:Why are people still using this? (Score:5, Funny)
Hey Larry, what's your surname?
Re: (Score:2)
Other than allowing lazy people to kinda get stuff done what are the advantages of Java over C/C++?
Are any of those advantages big enough to outweigh the elephant in the room, which is Oracle not giving one shit about Java and the massive number of security holes?
Re: (Score:3, Informative)
I know you were trying to be clever, but since you asked:
https://en.wikipedia.org/wiki/Comparison_of_Java_and_C%2B%2B [wikipedia.org]
Re:Why are people still using this? (Score:4, Interesting)
Can you elaborate on what is awful about the Java platform? And no, lack of an open source option is NOT one of the drawbacks since Java has those as well (which is not true of C# btw where the open source alternative is not really operational).
Now, before you jump in realize that I'm not asking about JAVA APPLETS, but about the Java platform.
Go.
Re:Why are people still using this? (Score:5, Informative)
You have provided some terrible answers. Please stop posting about technologies when it's clear you have little technical knowledge.
Java is much, much faster than Flash.
The JVM set bundled with OpenJDK is the same as the one bundled with Oracle Java (Oracle Java is built on OpenJDK)
Java is cross platform, it's worked reliably for a long time
Java is open source, so blaming Oracle for slow development isn't fair (not that I like them, Fuck Oracle)
Some things that suck about Java:
No runtime generics
No lambda support
You have to define your maximum heap size when the application is started
AWT and Swing are the official UI technologies and they're fucking terrible
It's very hard to port to platforms where it doesn't exist already
Re:Why are people still using this? (Score:5, Insightful)
To be fair to AC, Java is dead slow to start up. Once it's up and running there are no issues anymore, but on the desktop, the startup time is pretty bad.
Also, IIRC, I think there are still a few libraries that are not open source (and that don't work well in OpenJDK)
Re: (Score:3)
Performance. Flash may be pure hell, but at least it runs, and doesn't bring one's Web browser to a lurching halt like Java does.
No, it just causes my browser to slowly scroll to the ends of very long pages with no way to regain control over that or any other browser window until it's done, short of killing the browser itself and all browser windows, downloads, etc.
As for Java version and platform issues, I call BS. Java is the ONLY programming environment (not just language) that I know of that has explicit deprecation mechanisms built into the core spec so that things will continue to run long after they're obsolete. And anyone who
Re: (Score:2)
Good desktop applications are rare in Java, and the only ones I'd recommend are developer tools anyways: Eclipse, SmartSVN.
The only drawbacks are startup times for me.
Re: (Score:2, Informative)
Ignoring for a moment Eclipse's awful UI, it's entirely broken in Windows because of the way it handles (or rather, fails to handle) per-user special folders. Last time I installed it, it basically engaged in a DoS attack against every other app trying to use named folders.
Re: (Score:2)
Running the code in a VM is OK for a server, but it is a disaster (in terms of resource usage) for a desktop.
Re: (Score:2)
JOSM (Java OpenStreetMap editor) is not a bad Java application either. It is constantly improved to meet the demands of the mappers but still manages to stay fairly stable.
Good Java Desktop Application (Score:2)
Re: (Score:2)
Apparently it wasn't Oracle ignoring the exploit, its just that the exploit happened to be found well outside the standard Java quarterly patch release. Pesky kids, if only they'd waited until a week or so before patch tuesday, everything would have been fine - I mean, you just cannot imagine the paperwork involved in moving that patch release date!
Anyway, I agree Java is not the best environment - if you want performance and resource efficiency, you use C/C++. If you want developer productivity you use any
Re:Why are people still using this? (Score:5, Interesting)
Have you worked with C# under the .NET 4.x framework now that they've added Entity Framework to it?
It is so much more efficient than any other data access abstraction I've ever seen. It even makes Hibernate/NHibernate look like a lame hack.
I am able to do extremely complex things with 10% of the amount of code I used to have to write.
Microsoft might be making a LOT of mistakes lately, but Entity Framework is not one of them. I don't know if I'll ever have the patience to use another language again - C# with Entity Framework is that much better.
Re:Why are people still using this? (Score:4, Interesting)
Re: (Score:2)
Thanks
Re:Why are people still using this? (Score:5, Funny)
So I know what you're thinking; "Well then how do I talk to a database?" Well as it turns out, every database has a library that local applications can use to send SQL queries to the database. It's true! You can also roll a socket protocol to talk to damn near anything else on the internet. You don't even have to use XML if you don't want to!
Now, these applications are linear in execution, so you don't have to maintain a session state or anything like that. When you're in the application, you're just wherever you are in the application. This might take some getting used to.
Now I know what else you're thinking; "But Java is write once run everywhere!" Well your IT department has the same version of Windows installed on every system in your company, so what's the problem? If you use cross-platform libraries like Boost, GTK or QT, odds are good you'll just be able to recompile your binaries if you need to support Linux or OSX, anyway.
Re: (Score:2)
Yes, clearly the answer to someone asking what we can replace specific web technologies (the one thing Java is good at) is to suggest building local apps (one of the things C/C++ is good at).
Hey, can you compile a version of your replacement app that runs on iOS? Android? Windows? Linux? OSX? FreeBSD?
If you answered no to any of those, *bzzt* sorry, your solution has lost potential customers and is rejected out of hand.
Re:Why are people still using this? (Score:4, Interesting)
You have a far bigger problem with local apps. The problems are your APIs. You have (presumably) a web server somewhere serving data to your local apps. And every time you will release a new version of your app, you will also release a new version of your API. But you also should remember to keep the old one working, because guess what: Some people will upgrade, and then some will not.
All of a sudden, you have your server and a gazillion apps out there, some more or less buggy than the others.
THIS is the biggest benefit of a web based app, not the reach of the 1205 users of FreeBSD. You have a bug? Fix it. Instantly, no one has a bug anymore. THAT is convenient.
Re: (Score:3)
Of course, you have the pros of your cons.
And finally, if you have to change (as opposed to simply extend) the API each time you release a new version of the client, IMHO you've done something wrong.
However, with AJAX you don't have to do that anymore. You can very well release a new API without touching your UI and you can release a new UI without releasing new DATA API. Look at gmail for example. They now have at least 5 different UIs (mobile, new, old, pure html, tablet, ...), and trust me, they have only one DATA API.
As surprising as it may seem, the web has evolved since 1995.
Re: (Score:2)
"Well your IT department has the same version of Windows installed on every system in your company, so what's the problem?"
Have you ever worked for a large organization? Ever looked at the costs of this?
Web applications have a lot of advantages over stand alone. It's a matter of risk/cost.
And I have been a software engineer for decades. Not that it makes me right or wrong, only that I understand the pre-internet software world as well as the internet transition phase.
Re:Why are people still using this? (Score:4, Informative)
good honest work :)
All those things are artifacts of how crappy java is, in order to get anything done you need a metric ton of framework crap slapped on, and this is why people say "java is fast to develop in" - they mean, the frameworks make it faster to develop stuff, as long as you're developing exactly the kind of thing those frameworks are designed for. C/C++ world tends to have libraries that provide you with functionality you then plug in to your code, rather than having to code the way the framework wants you to (roughly).
You could use Ruby on Rails and get much better developer productivity, or Python, or node.js
As for C++, we don't tend to use EJBs - straightforward classes are fine, though you could use COM if you're on Windows (or COM+). The JSP frameworks are covered by either Microsoft's new Casablanca project or various web-server libraries like cppCMSS. C++ doesn't have much in the way of ORMs, preferring faster access to DB code, but there are still plenty, eg ODB [wikipedia.org]
For example, you need Tomcat to host your Java beans and pages, but C++ would just run off Apache - either as a mod_xxx module, or via pass-through to a running service. A C++ developer wouldn't necessarily embed a web server into his code, instead expecting to reuse the existing web server infrastructure.
Generally the best place to start looking for C++ libraries is Boost. From there, just use google for what you need.
Re:Java is used everywhere in the office (Score:3, Interesting)
As someone pointed out in the last story, it is the IE 6 that won't go away, or at least the Cobol of the 21st century.
Every banking site requires it so it can wrap win32 COM objects like Excel spreadsheets for lines of credit reports that can be cut and pasted using security holes from 1.4.1 or some ancient version. So Java is used for ActiveX-like functionality with no security controls and is a requirement for anyone in finance. Some support Java 6 but have to include some security holes so they can access w
Re: (Score:3, Insightful)
Does it really matter how verbose a language is if it gets compiled down to byte code? If it's good code, it doesn't matter. You have the same logic that managers have, i.e., counting lines of code is a measure of productivity. There's plenty to dislike about the way Oracle has handled Java; however, complaining that it takes too many lines to accomplish something is not one of them. My guess is that there's a Perl programmer out there who thinks C++ is bloated.
The complaint I see, but hasn't been ve
Re: (Score:3)
Counting lines of code is a measure of productivity. The more lines I need to type to get the same work done, the less productive I am for that functionality. If I can do the same work in half the lines of code without sacrificing readability and maintainability (I'd argue that often these are improved by cutting out boilerplate), then I'm more productive.
Every time I have to look at Java, I boggle at the volume of text they have to write for the simplest things. And then I'm happy I do most of my work i
Re: (Score:2)
Perl is a horrid 'language' for readability and maintainability.
Re: (Score:2)
There are some things in Java that are decent. It's just that none of them are on the client side.
Re: (Score:2)
code performance critical portions in C/C++/Cython
Well, you just set off the "I don't know what I'm talking about" alarm.
What the fuck do you think you were using when you did the rest of the code in Python? Cython is Python.
Re: (Score:2)
Well, you just set off the "I don't know what I'm talking about" alarm. Cython [cython.org] is a derivative of Pyrex [canterbury.ac.nz], neither of which should be confused with CPython [python.org]. And of course CPython is not Python either, it's the reference implementation of an interpreter for the Python language.
Ask Toolbar Really ? (Score:5, Insightful)
This is the programming language that still bundles the "Ask Toolbar" crapware with their installer. Nuff said.
It's even worse (Score:3)
This is the programming language that still bundles the "Ask Toolbar" crapware with their installer. Nuff said.
It asks you whether you want to install the Ask Toolbar, defaulting to yes, of course, every time you install a security update.
Developer liability (Score:3)
As a developer, I totally understand the problems with holding software developers liable for security vulnerabilities. But when it comes to cases like this, I can't help but think there should be some legal liability for mega-corporations knowingly distributing vulnerable products.
No (Score:5, Interesting)
This is not a sign that you need to start ditching Oracle. The reason more security loopholes are discovered in Oracle are because it is the most widely used JVM. Other VMs will still have a ton of issues, they just don't get attacked as much (yet).
A similar argument used to be debated years ago with Apple v Microsoft... Apple touted its superior security over MS when in reality nobody gave a crap about attacking Mac users, who only made up 10% of the market. Once they gained popularity, they started getting hit more as well.
The real scary part is that MS at least takes its security flaws somewhat seriously. Oracle seems to have smugly ignored Mr. Gowdiak. He can now smugly turn around and give them a big "I told you so!"
Re:No (Score:5, Insightful)
The real problem here is the quarterly patch cycle that seems to ignore the severity of security bugs. If you want to do a quarterly cycle that's fine - but you need to make exceptions for security bugs.
Stop spreading ridiculous myths (Score:3)
Really. When did this happen? The claim that Microsoft has more viruses because they have more market share is patently ridiculous, if only because Linux has a huge market share on the targets that hackers really want, to wit
Re:Stop spreading ridiculous myths (Score:5, Insightful)
First of all, I think the comparison was Apple to Microsoft, not Linux to MS.
Second, when you talk desktop to server, you are talking apples (heh) to oranges. Desktops are important hosts for viruses because of what they are used for and who they are used by. Which is to say they tend to run on-demand applications and web browsing, and are run by anyone, usually amateurs who are easy to socially engineer.
A server is going to be run by professionals who operate services that are either developed in-house, or purchased and supported professionally. They will not frequently install new software, and that will usually be vetted carefully, if only because they will tend to spend money on purchase or support. You can still socially engineer professionals, but you will tend to have a lot harder time doing it, as they usually receive training covering that very contingency.
Consequently, while server exploits definitely exist, exploits that are directly related to a server tend to be fewer and more difficult to make use of where they exist, so Linux is going to have a much lower exploit penetration simply by virtue of being used mostly as a server, despite its market share of the server business. Hence, the comparison of the Windows market share, which is primarily desktop computing, to the Linux market share, which is mostly servers, is going to show significant deviation based on their usage patterns. That invalidates a direct comparison of their market shares in this instance and fatally undermines the argument.
Desktop market share is a big deal for viruses particularly if it is as high as that for Windows. The argument that Microsoft only cares about money doesn't cut it when you'd consider that Apple only cares about making money as well. MacOS is not a community project like most distributions of Linux, it may have more links to Open Source, but that doesn't mean that Apple is immune to profit motive, as we well know. You may well argue that Microsoft ignored the issues in favor of their vision of interoperability and control, but simple profit motive alone is not going to explain the differences without further elaboration.
Apple did and does have a smaller market share. It was also used, primarily, for purposes like design until it became more popular for developers in the last few years. While Apple probably has better security, part of which is inherited from its UNIX roots, this is not going to be sufficient to deter malicious coders if there is interest in penetrating the MacOS share of PCs. In short, Apple users are a minority who don't really have a usage pattern that will be useful for most exploit developers. This is a real effect which decreases the number and extent of exploitation and it *does* make using that platform safer, but it is a smokescreen, not a shield against future attacks.
You could make more of an argument for the security of an iOS specifically than Apple in general. However, even that security model was built more on the need to generate revenue than it was to prevent infections.
So, market share does matter significantly. While amateur hackers may well like the challenge of cracking something like a Mac or an Amiga for that matter, the more professional exploiters are going to spend time on the platform that they can generate the most effect from for the smallest initial investment. These professional exploiters will be more effective and more persistent than amateurs, which means they will tend to keep at exploits until they work well enough for significant penetration. This is a primary reason that Windows is riddled with exploits and would continue to be riddled with them even with better security measures.
Re: (Score:3)
Are you really making the definition of "hacker" and "cracker" part of your response? I just can't generate a serious response to that. All I can say is that I've learned my lesson and I'll consult the Jargon File the next time I make an argument. I am chastened and bow before your neckbeard. And your bolding skills.
Sorry, there I go again... I meant your use of the "strong" tag. Or was I supposed to use CSS here?
Still, you do realize that you can't actually refute something by simply labeling it "moro
Re: (Score:3)
It isn't the loopholes, its the lack of response from Oracle that's the issue.
Re: (Score:2)
Billions of Java apps run cross platform with no problems.
WTF is your problem?
Re:No (Score:5, Funny)
Yeah, Lotus Notes "runs" also. Lots of shitty software "runs". My minimum bar isn't "runs" but is "not shitty".
Re:No (Score:5, Interesting)
Dear Blakey Troll,
Java desktop application guy here
Last place I worked, I was the lead architect for a real-time patient care system deployed to 120,000 users across 2500 hospital sites around western Europe across Windows, Linux and Solaris platforms.
It stopped the users' patients from dying, so they are quite happy with it as are their patients. It is incredibly fast (2 orders of magnitude faster than the C++ based MFC native Windows app our competitor was throwing out), it has had no downtime (ever!) by nature of the architecture which must not go down under any circumstance (everything was fully distributed), the UI definitely does not suck and it's certainly not bloated at 52Mb including the JVM (our competitor hit 2Gb including the local SQL server instance installation).
What do you propose we use instead and how do you propose we start rewriting the 1.9 million lines of code we've already got?
Re:No (Score:5, Interesting)
No - you are actually totally clueless here and are just trying to get karma by jumping on the anti-Java bandwagon.
No our application is not contributing any such risk whatsoever:
1. We shipped the JVM with the application in its own standalone directory. No applets, no browser plugins. It's launched by a wrapper exe on windows and a script on Linux+Solaris. Basically it runs java[.exe] -jar application.jar. There is no target vector for this exploit.
2. we ship JVM 1.6 which is not vulnerable.
3. It uses SWT which looks native on all platforms - look it's not ugly at all: http://www.eclipse.org/swt/ [eclipse.org]
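The post above argues that a desktop app shipping its own JVM (launched with `java -jar`, no browser plugin) is outside the reach of the browser-plugin zero-day, and that its bundled JVM is a 1.6 rather than the Java 7 line the story concerns. When auditing a fleet for this, the first thing to establish is which JVMs are actually present and which major line each one is, since the bundled JVM and the system-wide one can differ. The script below is an added example, not code from the thread or from the poster's product: it parses the first line of `java -version` output (which is printed to stderr, a common gotcha) into a major version and classifies it. The version-string format it assumes is the pre-Java 9 `"1.N.0_update"` form that the JVMs discussed here print; the sample lines are constructed, not captured from any real machine.

```shell
#!/bin/sh
# Added example: identify the major line of a JVM from its `java -version` banner.
# Assumes the pre-Java 9 format, e.g.   java version "1.7.0_06"   or
#                                       openjdk version "1.6.0_24"

# Extract the major version (6, 7, ...) from one `java -version` banner line.
# Prints nothing if the line does not match the expected format.
java_major() {
    # $1: a banner line such as: java version "1.7.0_06"
    printf '%s\n' "$1" | sed -n 's/^[a-z]* version "1\.\([0-9][0-9]*\)\..*"$/\1/p'
}

# Classify a banner line: "java7" for the Java 7 line, "other" for any other
# recognized major, "unknown" if the banner could not be parsed.
classify_jvm() {
    major=$(java_major "$1")
    case "$major" in
        7)  echo java7 ;;
        "") echo unknown ;;
        *)  echo other ;;
    esac
}

# Run the check against a real binary (default: whatever `java` is on PATH).
# `java -version` writes its banner to stderr, hence the 2>&1.
check_binary() {
    bin=${1:-java}
    if command -v "$bin" >/dev/null 2>&1; then
        line=$("$bin" -version 2>&1 | head -n 1)
        printf '%s: %s -> %s\n' "$bin" "$line" "$(classify_jvm "$line")"
    else
        printf '%s: not found\n' "$bin"
    fi
}

# Constructed sample banners (not real output from any machine):
SAMPLE_BUNDLED='java version "1.6.0_33"'
SAMPLE_SYSTEM='java version "1.7.0_06"'

printf 'bundled JVM: %s -> %s\n' "$SAMPLE_BUNDLED" "$(classify_jvm "$SAMPLE_BUNDLED")"
printf 'system JVM:  %s -> %s\n' "$SAMPLE_SYSTEM" "$(classify_jvm "$SAMPLE_SYSTEM")"
```

To check an application's bundled runtime rather than the system one, pass the path of the bundled binary, e.g. `check_binary /opt/theapp/jre/bin/java` (path is a placeholder). Note that this only tells you which major line a JVM belongs to; whether a given update of that line is patched is a separate question the banner alone does not answer.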
Re:No (Score:5, Informative)
If you think "looks native" has ANYTHING to do with usability, you are entirely unqualified to judge the usability of an app. So I stand by my statement that your app is an unusable mess.
SWT doesn't just make it look native, it calls the OS's underlying libraries... SWT is (formerly) IBM's Java Native Interface library, written in C to do those calls. As such, its C code is wildly different on each OS. For that matter, the Linux/BSD versions require that GTK be installed, because there is no QT version of SWT.
Re:No (Score:4, Interesting)
Seeing as I made a claim, I'll explain further.
No it's definitely faster if you know what you are doing. The reason C++ is "fast" is that you can easily sacrifice clean interfaces and modularity for raw performance i.e. by using raw memory and pointers etc. The moment you throw that away to build clean interfaces and modularity in (which is essential on larger projects like ours), your performance advantage goes out of the window. We're not doing it wrong - we're leveraging the right technology. It's easier to make serious mistakes in C++ as well and the additional checks required to verify that they are not being made are expensive. In Java, most of this is handled at compile time (g++ checks+valgrind are not sufficient btw).
Regarding downtime. Consider CAP theorem. We use a PAXOS consensus algorithm based protocol between nodes and our own event driven message-oriented container which runs inside the client process. Effectively the system, per-installation is a big message bus. There is no central point of failure. There are no servers to fail. If a single node is up, the system is operational. Scalability comes from CAP theorem - we sacrificed C (consistency) yet apply P (partition tolerance) and A (availability). We have unique reliability requirements which means we don't use a COTS container like Tomcat, Glassfish or Jetty which is what you are most likely used to.
1.9 million lines is due to the complexity of the product - the task it is required to do is not easy to visualize, is processing heavy and is complex. We also have about 2.9 million lines of jUnit and selenium RC tests. It's modular and well maintained as it's built by people who know what they're doing.
I earn plenty thank you.
This is a proper software engineering project, not a startup, internet fad, cost cutting low-rate business.
IBM (Score:4, Interesting)
I'm not ready to give up on Java. It is not because I think it's the best, I still think C# beats it as a language, but at times when a client requires non-microsoft, it is my only choice for a modern language. Yeah, I know C++11, I've looked at it quite a bit, and it is better than it was, but as long as it needs header files, I don't put it into a modern language category.
So, anyhow, Eclipse seems to have really gone in the dumpster as far as quality lately, and IBM is silent as a Java leader too. Is IBM bailing on Java? I see they have a new big push to virtualization to a level that makes sense, by using a mainframe. Maybe they have (bailed). So what post-Java, other than C#, is available?
Re:IBM (Score:5, Informative)
Whatever happened to them? Didn't they at one time have a Java implementation?
IBM's Java work is now part of [wikipedia.org] OpenJDK [java.net]. How close OpenJDK is to Oracle Java and whether it shares this exploit I don't know (although the OpenJDK home page says they are '...based largely on the same code'), but if it does it should be patchable.
I'm not ready to give up on Java. It is not because I think it's the best, I still think C# beats it as a language, but at times when a client requires non-microsoft, it is my only choice for a modern language. Yeah, I know C++11, I've looked at it quite a bit, and it is better than it was, but as long as it needs header files, I don't put it into a modern language category.
I could happily give up Java, but I wouldn't willingly give up Clojure [clojure.org]. There's more (and better) languages for the JVM [wikipedia.org] than just Java.
Re: (Score:2, Informative)
see http://www.ibm.com/developerworks/java/jdk/
Re: (Score:3)
Java is not the best language out there, but it has a good library of APIs and 3rd party libraries that put any other business-application-friendly language/runtime below it. You want a better, less verbose language running on the JVM? Just try one of the many. I personally recommend Scala.
Note: I am really tired of news like this when people start bashing Java instead of the real problem that is Oracle slow response, IcedTea (and OpenJDK variant used by many Linux distros is already pushing updates for this
Re: (Score:2)
"but as long as it needs header files, I don't put it into a modern language category."
Sorry, what? Where do you propose putting common definitions then, shared by many modules? Or do you seriously think the moronic everything-in-a-class approach of Java is a sensible way to do things?
Re: (Score:2)
I'm not sure what you're saying. Having the "common definitions" inside a class or outside a class is orthogonal to requiring header files. Why can't "common definitions" simply be derived from the source files, as they are in pretty much all "modern" languages?
Re: (Score:2)
So you think web services are non-modern too, as they use a header file - otherwise known as a WSDL.
That's the way to think of C++ headers, like interface definitions for the implementation cpp files. For that, they work great, so I actually prefer them over a large file with definitions and implementation all listed in it, that you *need* an IDE to figure out what is in each class. At least with C/C++ you can look at the header and see quickly and easily.
Re: (Score:2)
Except that the programmer doesn't (generally) have to create and manage the WSDL file, it's generated on-demand by the framework or toolkit in use. If the header files were generated automatically behind the scenes, and included where necessary all invisibly, then they'd be great.
Re:IBM (Score:4, Interesting)
Though I preface that with: while people have done UIs in Haskell, the idea to me is mind-boggling, and I would just stick with UI in HTML using Haskell to serve web pages in a non-Microsoft shop. I wouldn't use Java for UI in a non-Microsoft shop anyway; Java UI is absolutely gnarly bad and we all know it. If forced to do a desktop UI app in non-Microsoft I would immediately be looking at Tcl/Tk, yes, ugly, but no one can argue with the fact that it always performed very well.
Re: (Score:3)
What about the D programming language? Object-oriented, memory management, C ABI compatible, compiles down to native code and requires no runtime components, I don't believe. There's a GCC-based compiler, an LLVM-based compiler, and the reference implementation.
C++ header files (Score:2)
Yeah, I know C++11, I've looked at it quite a bit, and it is better than it was, but as long as it needs header files, I don't put it into a modern language category.
This is the most bizarre statement I've seen here today. Can you explain your reasoning?
Re: (Score:2)
From a usage perspective, there is no real difference between header files and import statements. The only significant difference between them, in fact, is in their creation, where a programmer must explicitly separate the interface from the implementation.
As it's entirely possible to write software that generates header files from an implementation (with suitable markup), and this phase can be added to the in
Re:IBM (Score:5, Insightful)
This is something I struggle with. Lots of people would reply "python", but I think they're off their rocker. Yes, python is probably just fine for a lot of website development, and yes, I know some enterprises are using it heavily, but when you dig into it, it's really a hacked up POS that carries WAY too much of its evolutionary baggage. Java certainly has a bit of that as well, mostly in the bundled libraries, but they are much more consistently architected than the Python libraries. Plus, the lack of true multi-threading support is just...unconscionable for a modern language, I think. Yeah, it simplifies things for the hoi polloi, but that should hardly be the standard we aspire to.
Unfortunately, the only languages I know which have the features I expect from the next great modern language are all research languages at this point. What I'd really like: Start with Java (convenient syntax that is familiar to many people, and a VM with a lot of important concepts). Go through the standard library and rework it to make it consistent, ditch the older paradigms that still hang around to support backwards compatibility. Rework generics, also ditching compatibility but to improve usefulness. Add support for design-by-contract. Add in language level (not library level) features to support fork-join with support for some mechanism to declare affinity between work units and data so that the VM can optimize thread placement and data placement in memory. Add better built in support for both dynamic class creation and bytecode injection. Add a smart/flexible int/float/number types where the VM will take care of sizing depending on how big the number is, something which can flow up to the Big range without needing to keep track of sizes yourself...and crucially, where the math operations work regardless of number size, efficiently (i.e., under the covers, this would mean allowing for a mutable big integer/decimal). Also add support for primitive collections...but do it in such a way that it's made as transparent as possible. This would probably mean it would allow treating primitives as Objects from a parameter passing perspective, so, say, your Map put method would still be put(K,V), but if you used a map which supported primitives (which would be a lot easier to write with the smart-number facility), it would pass a primitive straight through without any boxing/unboxing.
I'm sure if I thought a bit longer, I could come up with some other features I'd like to see. Importantly, this language still has a VM...I think that becomes more important for the future, not less, as we move to higher core/processor counts and NUMA becomes a bigger and bigger issue. There will always be a place for lower level coding a-la C/C++; but I think that a higher level language really...you need a VM. And, as with the JVM/CLR, I would want the VM for this language to offer support for running bytecode which could be compiled from a multitude of languages. People who have done work developing those sorts of compilers would probably have suggestions on how that could be even better supported, and I certainly think that input would be important for ensuring that support is done right.
All bugs should be reported opening (Score:4, Insightful)
This is why reporting bugs to the software developers is stupid. Post the bug into the public, so they have no choice but to upgrade. Corporations are run by people who want to spend as little as possible to make as much money as possible. They won't patch bugs unless they are forced. They need to be forced.
Re: (Score:3)
ah shit, fucked the title up. I'd fix it, but no one is forcing me.
As a former Oracle dev (Score:5, Insightful)
Re:As a former Oracle dev (Score:5, Insightful)
Processes in overly-large & complicated orgs (Score:3)
Oracle is a huge organisation. I mean mindbogglingly huge (think planet Vogon). There is a lot of red tape that you have to cut to get anything done, and in 4 months they're probably still scheduling meetings to figure out if it should be fixed, and when, and by whom. Unless an SVP gets involved, it's unlikely that it will be rushed.
Perhaps they should, you know, have a department dedicated to handling these kinds of things in a timely manner then?
Oh, don't worry, it's in the works -- the planning meeting for starting the process of organizing to set up such a department is scheduled for early 2013.
Re:As a former Oracle dev (Score:4, Insightful)
If that's the way they work, they should not be selling mission-critical software that is exposed to the internet.
Java on Slashdot is almost a meme now (Score:4, Insightful)
Same old jokes and criticisms. Reading these posts, you'd think Java was relegated to driving outhouse fans in Siberia and not the #3 language by popularity in the world.
That being said, the Java *browser* vulnerabilities need to be taken far more seriously. The only exploit that I know I've been hit by was through an unpatched Java install and it was nasty; as in rebuild my laptop from the ground up nasty.
Re:Java on Slashdot is almost a meme now (Score:4, Insightful)
Same old jokes and criticisms. Reading these posts, you'd think Java was relegated to driving outhouse fans in Siberia and not the #3 language by popularity in the world.
A lot of these problems could be resolved if the Java installer didn't include the browser plugin. That should be a separate download, or at least it should require the user to affirmatively check a box. At this point, Java in the browser is, for most users, little more than a giant security hole. Virtually no legitimate public websites require it.
Re:Java on Slashdot is almost a meme now (Score:4, Interesting)
Amen to that. As any /. Java comment thread demonstrates, the chief functionality of the Java browser plugin these days is tarnishing the reputation of the entire Java platform and ecosystem.
Doubtless there are still websites out there that need the plugin, but I don't remember the last time I saw one. Definitely time to make it opt-in, not opt-out.
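The two posts above argue that the browser plugin, not the JRE itself, is the exposure, and that it should be opt-in. A practical first step is knowing whether a plugin is even reachable from the directories a browser scans. The script below is an added example and not from the thread: it assumes the NPAPI plugin file names used on Linux at the time (Oracle's and OpenJDK's `libnpjp2.so`, IcedTea-Web's `IcedTeaPlugin.so`) and a default list of plugin directories Firefox and Chromium commonly scanned; both assumptions can be overridden with a colon-separated directory list.

```shell
#!/bin/sh
# Added example (not from the thread): detect whether a Java browser plugin is
# reachable from the directories a browser scans.
# Assumptions: plugin file names libnpjp2.so / IcedTeaPlugin.so, and the
# default directory list below; pass your own colon-separated list to override.

# Directories Firefox/Chromium commonly scan for NPAPI plugins (assumed list).
default_plugin_dirs() {
    printf '%s' "$HOME/.mozilla/plugins:/usr/lib/mozilla/plugins:/usr/lib64/mozilla/plugins:/usr/lib/browser-plugins"
}

# find_java_plugins DIRLIST
# Prints one line per Java plugin found. A dangling symlink (a common leftover
# after a JRE is removed by hand) is reported too, tagged "stale", because a
# later JRE install can silently make it live again.
find_java_plugins() {
    old_ifs=$IFS
    IFS=:
    set -- $1           # split DIRLIST on ':' into positional parameters
    IFS=$old_ifs
    for d in "$@"; do
        [ -d "$d" ] || continue
        for f in "$d/libnpjp2.so" "$d/IcedTeaPlugin.so"; do
            if [ -e "$f" ]; then
                printf '%s\n' "$f"
            elif [ -L "$f" ]; then
                printf '%s (stale symlink)\n' "$f"
            fi
        done
    done
}

# java_plugin_status DIRLIST
# Prints "present" (exit status 1) or "absent" (exit status 0), so it can be
# used directly in a compliance or post-install check.
java_plugin_status() {
    found=$(find_java_plugins "$1")
    if [ -n "$found" ]; then
        echo present
        return 1
    fi
    echo absent
    return 0
}

# Run a live check only when invoked as `sh script.sh --check [DIRLIST]`.
case "${1:-}" in
    --check)
        dirs=${2:-$(default_plugin_dirs)}
        find_java_plugins "$dirs"
        java_plugin_status "$dirs" || true
        ;;
esac
```

Finding `libnpjp2.so` only tells you the plugin is installed, not that the browser has it enabled; treat "present" as the trigger to remove or block it rather than as proof of exposure, and re-run after every JRE update, since installers of that era re-created the symlink.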
Zero Day? (Score:4, Insightful)
Report to OpenJDK as well (Score:3)
If you find a security 'sploit in Java, test in OpenJDK/IcedTea and report it to the security teams at Red Hat, Ubuntu and Debian. They are rather less likely to sit on it for months. I notice a fix in OpenJDK came through in Ubuntu this morning.
Not a zero day bug (Score:5, Informative)
Re:Ditch Java entirely. (Score:5, Funny)
So your business model is:
1) Ditch Java
2) ???
3) Profit!
You and the underpants gnomes should hook up!
Re: (Score:2)
1) Ditch Java
2) Use mono or LLVM or
3) Profit!
Not too extreme really..
Re: (Score:3, Insightful)
Mono sucks and is inferior to OpenJDK .NET
LLVM is awesome but a different technology all together
LOL @
Re:Ditch Java entirely. (Score:4, Insightful)
Re: (Score:3)
Sure, but some actions are taken to minimize cost centers.
Like cleanup after a security breach.
Re: (Score:2)
No it doesn't. And the goal of every action is certainly not profit.
There was no business decision being made when I had peach with my breakfast instead of grapefruit this morning. There was no profit when we played Alhambra last night instead of Carcassonne.
Re: (Score:2)
Networking is good.
Re: (Score:3)
Posting anonymously is not networking.
Re:Ditch Java entirely. (Score:5, Funny)
Everything we do has a business case attached
I'd like to see the formal business case you made for posting on Slashdot.
Well, it was originally a 78 page densely-written scenario analysis document circulated four weeks ago to more than 20 executives and managers. They liked it, so I was authorized to spend a week making 45 slides to reinforce the case, and these were presented two weeks ago to a specially selected focus group of at least 30 managers and engineers. We discussed it for a whole day at the meeting. There were lots of fancy headings, beautiful fonts, pie charts, animations, etc., and I got excited and did a lot of arm-waving which helped persuade the focus group to pass the business case onwards. I'm not sure which team they passed it to, but our processes must be streamlined, because it already got approved today, which was pretty fast.
Anyway here it is, reduced disgracefully down to a single paragraph:
"By encouraging all businesses to waste effort making business cases to justify every decision (including trivial ones), we can cripple our competitors in terms of costs (their management overheads skyrocket), reaction time (all their decisions get delayed), and flexibility (they must omit/neglect some possible decisions). Posting as an AC on Slashdot will advance this goal."
Re: (Score:3)
Re:Ditch Java entirely. (Score:5, Insightful)
Ditch Java applets entirely.
Re: (Score:3)
Indeed.
Microsoft, Mozilla, Google, and Apple should all be seriously considering enacting the death penalty after this latest exploit. These browsers should be actively blocking the Java plugin by default. Java applets have outlived their usefulness and now are good for little else besides drive-by exploits.
Re:Ditch Java entirely. (Score:4, Informative)
Re:Ditch Java entirely. (Score:5, Informative)
And if you have not used Java in 30 days, Apple disables it in the browser. (At least Java 6 and I believe any Java version). :-)
e.g., see http://www.christopherprice.net/making-sense-of-oracle-java-7-for-os-x-2119.html [christopherprice.net]
Re: (Score:2)
Maybe it's time to ditch Java altogether!
Yes, I'll switch to Scala. It will run on my Java web server and allow full access to Java class lib ... oh wait!
Re: (Score:3)
Maybe it's time to ditch Java altogether!
Can I keep LibreOffice if I remove Java completely?
Calm down... You can keep it - sure. ;-)
(Whether it still works is another question.)
Re: (Score:3)
Re: (Score:2)
What hokey coded-overnight-while-drunk were you running, that routine JVM updates broke things?
Re: (Score:2)
Re: (Score:2)
Amen to that.
Re: (Score:2)
Really? In what way? Specifics, man!
According to my info, it has some Java, but it is mostly C, C++ and Python and is based on the Linux kernel.
Re:java is an abomination (Score:5, Insightful)
!? Java is basically the only language you can seriously use to write apps on Android. The NDK? It's awful. I love Android but I seriously hate Java. As a language it's terrible, and anyone who says otherwise needs to pull their head out of their ass and play with some other languages. What's awesome about Java is the JVM... which is basically just an open standard. It doesn't necessarily need to run Java code just Java *bytecode*. There are some fantastic alternatives that run on the JVM too, like Scala (and in sort of a different way JRuby). Unfortunately Scala on Android isn't so mature and is a nightmare to get working or really use.
Not fully supporting the NDK is one of the biggest things that pisses me off about Android. I'd drop Java in a heartbeat for C++ if the NDK was decent. Google would do well to start supporting some scripting languages natively too - there's a reason there are so many projects trying to make platforms in Python and Ruby for Android, but they all end up half-assed or running out of time/money and they start going non-free.
Seriously Google, give us some alternatives. Java is the absolute worst part of Android.
Re: (Score:2)
Just like with the flash thing, it doesn't matter if YOU ditch it, we need websites to ditch it as well.
What public websites still require Java? I haven't had this crap installed on my home PC in 3 years and I think I may have seen one random personal website that wanted it (and even then it was for menu buttons or some nonsense, nothing essential).
Re: (Score:3)
Not a fork, but a variant of OpenJDK already exists today; at least for Linux systems, many distributions use it (but people still insist on installing the Oracle one!!!!): IcedTea, and they already patched this bug [wildebeest.org]
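The earlier "Report to OpenJDK as well" post and the one above both turn on which runtime a machine actually has: people report or test against Oracle's JRE while their distribution ships OpenJDK/IcedTea, or the reverse. The snippet below is an added example, not from the thread, that fingerprints the runtime from `java -version` output. The three sample outputs are constructed to match the banner formats Oracle and IcedTea builds printed at the time; the banner strings the `case` matches on are therefore an assumption to re-check against your own installs.

```shell
#!/bin/sh
# Added example (not from the thread): classify a JVM from its `java -version`
# banner. Note that `java -version` prints to stderr, so it must be piped with
# `2>&1`; forgetting that is why such checks often report "unknown".
# Assumption: the banner strings below are the ones Oracle and IcedTea builds
# printed in 2012; adjust for other vendors.

# classify_jvm: reads banner text on stdin, prints one of
#   oracle | openjdk-icedtea | openjdk | unknown
classify_jvm() {
    banner=$(cat)
    case $banner in
        *"Java(TM) SE Runtime Environment"*) echo oracle ;;
        *IcedTea*)                           echo openjdk-icedtea ;;
        *"OpenJDK Runtime Environment"*)     echo openjdk ;;
        *)                                   echo unknown ;;
    esac
}

# jvm_release: reads banner text on stdin, prints the release as "7u07"-style
# (major and update number) so bug reports can state exactly what was tested.
jvm_release() {
    sed -n 's/^java version "1\.\([0-9]*\)\.[0-9]*_\([0-9]*\)".*/\1u\2/p' | head -n 1
}

# Constructed sample banners used for the self-check below.
SAMPLE_ORACLE='java version "1.7.0_07"
Java(TM) SE Runtime Environment (build 1.7.0_07-b10)
Java HotSpot(TM) 64-Bit Server VM (build 23.3-b01, mixed mode)'

SAMPLE_ICEDTEA='java version "1.7.0_07"
OpenJDK Runtime Environment (IcedTea7 2.3.2) (7u7-2.3.2-1ubuntu0.12.04.1)
OpenJDK 64-Bit Server VM (build 23.2-b09, mixed mode)'

SAMPLE_GARBAGE='bash: java: command not found'

# Live check of the java on PATH when invoked as `sh script.sh --check`.
case "${1:-}" in
    --check)
        out=$(java -version 2>&1 || true)
        printf 'runtime: %s\n' "$(printf '%s\n' "$out" | classify_jvm)"
        printf 'release: %s\n' "$(printf '%s\n' "$out" | jvm_release)"
        ;;
esac
```

When filing or reproducing a report, run the check on every JRE on the box (`update-alternatives --display java` on Debian-derived systems lists them), not just the one first on `PATH`, because the browser plugin may be wired to a different installation than the command line.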
Re: (Score:2)
Is that a Gosling quote from when he says Ruby is inferior without actually knowing anything about Ruby and just making shit up, or is it from the time when he claimed non-optimized Java bytecode will run faster than hand optimized ASM on ARM?
Oh, and while I'm here let me just give a shout out to James: Hey James! Fucking die!