
OpenJDK May Tackle Java Security Gaps With A Secretive New Group (infoworld.com)

An anonymous reader quotes InfoWorld: To shore up Java's security, a private group that operates outside the normal open source community process is under consideration. The proposed OpenJDK Vulnerability Group would provide a secure, private forum in which trusted members of the community receive reports on vulnerabilities in code bases and then review and fix them... The vulnerability group and Oracle's internal security teams would work together, and it may occasionally need to work with external security organizations.

Due to the sensitive nature of its work, membership in the group would be more selective, there would be a strict communication policy, and members or their employers would need to sign both a nondisclosure and a license agreement, said Mark Reinhold, chief architect of the Java platform group at Oracle. "These requirements do, strictly speaking, violate the OpenJDK bylaws," Reinhold said. "The governing board has discussed this, however, and I expect that the board will approve the creation of this group with these exceptional requirements." If the Java security group is approved, Andrew Gross, leader of Oracle's internal Java vulnerability team, would lead it.

  • by Frosty Piss ( 770223 ) * on Monday August 28, 2017 @01:07AM (#55095419)

    The vulnerability group and Oracle's internal security teams would work together

    Two things: I thought Oracle wanted to cut Java free? No? And really, when has Oracle been willing to work with anyone outside Oracle on Java?

    I mean, it could be true...

    • by Gravis Zero ( 934156 ) on Monday August 28, 2017 @01:31AM (#55095453)

      I thought Oracle wanted to cut Java free? No?

      Oracle wanted to burden someone else with maintaining Java EE, [wikipedia.org] an extended version of Java. This would allow them to do the lesser job of extending Java SE if they so choose and free them from having to bother with security (Who knew security was so complicated? Nobody knew!). Since Java EE is a superset of Java SE, the Java EE maintainers would have to clean up the messes Oracle makes when they add features.

    • by KGIII ( 973947 ) <uninvolved@outlook.com> on Monday August 28, 2017 @01:33AM (#55095461) Journal

      I'm usually fairly mild mannered, but fuck Oracle. I trust those fuckers about as far as I can throw a fucking yacht. They came in to provide a database, consultants and all. The fucking fuckers were there for more than six months and never actually got it all working. So, I kicked them out. Shortly after, they had us in court and wanted a seven figure sum. It cost nearly that much just to defend ourselves and I have no idea how much was lost in productivity and due to morale. Fuck Oracle, fuck them right in the face.

      I feel better now.

      • We had Oracle throw every incentive they had at us, but we kindly showed them the door and switched to PostgreSQL. It was an awesome day.

        • by KGIII ( 973947 )

          Yeah... In their defense (as I'm loath to post it), it wasn't a trivial setup. We were doing "distributed computing" before it really had that name. The DB was supposed to span multiple CPUs, stacks of RAM, and disks. It was a failure BUT the fuckers said they could do it. They requested, and received, extensions. They sent in new and more people. They failed. I kicked them out. Then, they sued us. (I was the owner.)

      • by Anonymous Coward

        "When dealing with oracles, sign only fixed contracts." -- Ancient Greek proverb

  • If this group doesn't fix the vulnerability within a few weeks then the vulnerability details should be published more widely to let what remains of the community address them and to allow users to adopt security measures of their own.

    • by Anonymous Coward

      Give the OpenBSD folk a fat donation in return for auditing their codebase - or several other competent orgs.
      The payback is, if they like what they see, they have first dibs at other products in their closet needing remediation.

      People with security reputations need no agreements - people who know who is who. Management saying security is important indicates their brains have just ticked over.

    • The same should apply to minutes/email-list/... of the private forum. Being private the initial report and then while a fix/... is devised is reasonable but there must be a guarantee that it will, eventually, be published. How long is much harder to define: well defined bug -> fix -- a few weeks; something deeper & more fundamental -- it could take longer.

    • Java should be permitted to die the death it deserves within a few weeks.

      Anyone who uses Java for a new project while it is still controlled by Oracle is an enemy of all that makes fucking sense.

  • by hlavac ( 914630 ) on Monday August 28, 2017 @04:13AM (#55095707)

    New Secret Advisory? Non-public Security Abatement? Never Seen Accomplishments?

  • "Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety." -- Benjamin Franklin

  • Never trust anyone who says "trust me".
