OpenJDK May Tackle Java Security Gaps With A Secretive New Group (infoworld.com) 79
An anonymous reader quotes InfoWorld:
To shore up Java's security, a private group that operates outside the normal open source community process is under consideration. The proposed OpenJDK Vulnerability Group would provide a secure, private forum in which trusted members of the community receive reports on vulnerabilities in code bases and then review and fix them... The vulnerability group and Oracle's internal security teams would work together, and it may occasionally need to work with external security organizations.
Due to the sensitive nature of its work, membership in the group would be more selective, there would be a strict communication policy, and members or their employers would need to sign both a nondisclosure and a license agreement, said Mark Reinhold, chief architect of the Java platform group at Oracle. "These requirements do, strictly speaking, violate the OpenJDK bylaws," Reinhold said. "The governing board has discussed this, however, and I expect that the board will approve the creation of this group with these exceptional requirements." If the Java security group is approved, Andrew Gross, leader of Oracle's internal Java vulnerability team, would lead it.
Due to the sensitive nature of its work, membership in the group would be more selective, there would be a strict communication policy, and members or their employers would need to sign both a nondisclosure and a license agreement, said Mark Reinhold, chief architect of the Java platform group at Oracle. "These requirements do, strictly speaking, violate the OpenJDK bylaws," Reinhold said. "The governing board has discussed this, however, and I expect that the board will approve the creation of this group with these exceptional requirements." If the Java security group is approved, Andrew Gross, leader of Oracle's internal Java vulnerability team, would lead it.
Re: (Score:2)
Re:The NDA (Score:5, Insightful)
Java is dead. Let it live in legacy in a dusty MDF somewhere with it's elderly uncle COBOL.
Is Java "dead"? I'm no expert, but I thought huge giant swaths of "enterprise" code was written in Java? Shit like that doesn't just vanish, it get's maintained and added on to forever - like COBOL code... But also, while it's trendy for all the hip kids to say such things, COBOL is far from dead.
Re:The NDA (Score:5, Informative)
If you're using the Android SDK you are writing in Java.
Even if that was the sole remaining use-case it would be far from dead.
Re: (Score:1)
If you're using the Android SDK you are writing in Java.
Even if that was the sole remaining use-case it would be far from dead.
No you are not. Oracle lies which is why they killed opensource and clean room implementations by judicial activism. Google uses Dalvik which does not contain a single line of code written by Oracle that they somehow stole and now own thanks to their lawyers.
Dalvik is a clean room implementation and does not even use a traditional JVM and would still be around if Oracle didn't threaten to sue Apache out of existence. Another reason not to consider Java as it is immoral to support Oracle.
Re: (Score:3)
Dalvik is a bytecode specification and a VM, not a language.
Of course you program in Java, the language, when you code for the Dalvik VM.
Re: (Score:2)
If you're using the Android SDK you are writing in Java.
Or in C#. Or, if you don't care about platform independence, even C or C++.
Re: (Score:2)
Then you are not using the Android SDK. You are using the NDK, a game engine, or some other development environment.
Re: (Score:2, Interesting)
I'm going to set BOTH of you straight:
COBOL JOBS: 1,501
https://www.indeed.com/jobs?q=cobol&l=
JAVA JOBS: 63,769
https://www.indeed.com/jobs?q=java&l=
THIS should give you a general idea of the current market for the language
enter your city to narrow down
Re: (Score:2, Insightful)
Name one big new project that is popular made in the past 3 years based on Java?
Re: (Score:1)
Minecraft
Re: (Score:1)
I work for SAP and our cloud based software is written in Java. This includes the Concur, Ariba, and SuccessFactors business units. We have started many projects written in Java within the past 3 years and the language is so centric to our business that we we created our own JVM.
Re: (Score:2)
Name one big new project that is popular made in the past 3 years based on Java?
About 70% of the software at my company?
Surely though you have a good point. We'd have been better off using on WhizBang!JS for this quarter's new projects. So what if it'll be unsupported in a year and we have to re-write everything. Job security eh?
Also, don't let numbers get in the way either:
http://www.codingdojo.com/blog... [codingdojo.com]
Re: (Score:2)
I write a bit nee Java code nearly every day ;)
Re: (Score:2, Interesting)
Sorry, what exactly is the security issue with Java? Aside from the shitty browser plugin, but that bit's as good as gone these days anyway.
Re: (Score:2)
I agree here - plugins are in general a security hole waiting to happen. JavaScript is bad enough from a browser security perspective.
On the server side it's more a question of if some service can break out of the JVM or do other inappropriate things on the server.
But even then I can understand the need for a "secret" security team. It's good to keep the cards close until you know what the impact your problem has and a fix is dispatched.
Re: (Score:2)
It's bugging me a bit when they open the web browser to a page of their choice at every install.
Re: A.S.M.C.! (Score:1)
On Windows, the installer tips it's hand.
Re: (Score:1)
Even on Windows, the JDK installer never installed that yahoo/Ask crap or whatever it was/is.
Only the JRE installer snuck it in there if you weren't watching carefully.
Re: (Score:2)
It's hard to take Java security seriously as long as the Java installer tries to push malware.
I've tried to figure out if it actually is legal for them to do that, but so far I haven't really found any good analysis of the case.
That is Oracle for ya. They are too cheap to pay for the bandwidth. So eyecandy spyware is included to cover the costs since Larry doesn't make enough money.
Re: (Score:3, Insightful)
Java is dead? Not likely. It is the most popular programming language in the world by a large margin.
http://pypl.github.io/PYPL.html
Been in software development for 15 years and there is always some fool saying "java is dead"
Re: (Score:2)
I smell something strangely familiar... (Score:5, Insightful)
The vulnerability group and Oracle's internal security teams would work together
Two things: I thought Oracle wanted to cut Java free? No? And really, when has Oracle been willing to work with anyone outside Oracle on Java?
I mean, it could be true...
Re:I smell something strangely familiar... (Score:5, Interesting)
I thought Oracle wanted to cut Java free? No?
Oracle wanted to burden someone else with maintaining Java EE, [wikipedia.org] an extended version of Java. This would allow them to do the lesser job of extending Java SE if they so choose and free them from having to bother with security (Who knew security was so complicated? Nobody knew!). Since Java EE is a superset of Java SE, the Java EE maintainers would have clean up the messes Oracle makes when they add features.
Re: I smell something strangely familiar... (Score:5, Insightful)
I'm usually fairly mild mannered, but fuck Oracle. I trust those fuckers about as far as I can throw a fucking yacht. They came in to provide a database, consultants and all. The fucking fuckers were there for more than six months and never actually got it all working. So, I kicked them out. Shortly after, they had us in court and wanted a seven figure sum. It cost nearly that much just to defend ourselves and I have no idea how much was lost in productivity and due to morale. Fuck Oracle, fuck them right in the face.
I feel better now.
Re: I smell something strangely familiar... (Score:4, Funny)
They probably are smarter than I am. I'm dumb enough to respond to you.
Re: (Score:2)
We had Oracle throw every incentive they had at us, but we kindly showed them the door and switched to PostgreSQL. It was an awesome day.
Re: (Score:2)
Yeah... In their defense (as I'm loathe to post it), it wasn't a trivial setup. We were doing "distributed computing" before it really had that name. The DB was supposed to span multiple CPUs, stacks of RAM, and disks. It was a failure BUT the fuckers said they could do it. They requested, and received, extensions. They sent in new and more people. They failed. I kicked them out. Then, they sued us. (I was the owner.)
Re: (Score:1)
"When dealing with oracles, sign only fixed contracts." -- Ancient Greek proverb
Time limit (Score:2)
Re: (Score:1)
Give the OpenBSD folk a fat donation in return for auditing their codebase - or several other competent orgs..
The payback is if they like what they see - they have first dibs at other products in their closet needing remediation.
People with security reputations need no agreements - people who know who is who. Management saying security is important - indicates their brains have just ticked over.
Re: (Score:2)
The same should apply to minutes/email-list/... of the private forum. Being private the initial report and then while a fix/... is devised is reasonable but there must be a guarantee that it will, eventually, be published. How long is much harder to define: well defined bug -> fix -- a few weeks; something deeper & more fundamental -- it could take longer.
Re: (Score:1)
Java should be permitted to die the death it deserves within a few weeks.
Anyone who uses Java for a new project while it is still controlled by Oracle is an enemy of all that makes fucking sense.
So the name of the group will be...? (Score:4, Funny)
Benjamin Franklin (Score:2)
"Those who would give up essential Liberty, to purchase a little temporary Safety, deserve neither Liberty nor Safety." -- Benjamin Franklin
What a load of crap (Score:2)
Never trust anyone who says "trust me".
Re: (Score:1)