Oracle's Head of Security Promises to Fix Issues and Improve Communication
Following a spate of high-profile security issues, Oracle's head of Java Security, Milton Smith, is promising that the vendor will fix issues with the platform, and improve its communication to community members.
"The plan for Java security is really simple," Milton Smith said during a conference call (mp3 audio) with Java User Group (JUG) leaders.
It's to get Java fixed up, number one, and then, number two, to communicate our efforts widely; we really can't have one without the other. No amount of talking or smoothing over is going to make anybody happy, or do anything for us. We have to fix Java.
The focus is on Java in the browser, where most of the recent security exploits have been happening. As well as the patches, Milton highlighted the addition, in Java 7u10, of a “security slider” to the Java control panel, along with a checkbox to make disabling Java across various platforms easier for users. Engineers have also introduced functionality that ensures that no applets run without first warning users, as a means to prevent exploits from being launched.
With regards communication Milton said, "We have a lot of things that we're looking at,” and highlighted the need for Oracle to reach all audiences, from engineers, to IT professionals running data centers, and, presumably though not explicitly mentioned, consumers as well. Exactly how this will be done is yet to be determined, but it could include providing more information to JUG leaders, who would then be able to disseminate that information to their members, as well as more presentations at tech conferences, and talking to the press. Oracle's unwillingness to answer questions from the press may well have resulted in some of the "loose" reporting which Director of Product Management for OpenJDK, Donald Smith, and others, criticized during the call.
Elsewhere on the call, Donald refused to be drawn on the reasons for the 10 minutes delay which occurs when users install the Ask toolbar. As we previously reported, Andrew Moers, President of the Ask Partner Network, told InfoQ, "This is to ensure the JRE updates properly load without additional strain on a user's computer". Donald Smith would only say,
That would be an example of the kind of information that I would love to share with you as to why things are done this way, but I couldn't unilaterally do. I hear you; I agree that on the surface when you look at it it’s like, "Why is that that way?" and it could be that we are never able to give a satisfactory answer, but I hope at some point we'll be able to clarify what that’s about and why.
Part of the challenge that Oracle faces is the very wide audience that Java has: from home users, to individual developers, to large enterprises. An example of the conflict this raises came up when the JUG leaders also asked if Java could be given a silent auto-updating mechanism, as seen in both the Chrome and Firefox browsers. This might well be desirable behaviour for end-users of Java, but many enterprises have carefully controlled desk-top environments and tend to be hostile to the practice - even more so when applied to clusters of servers running Java-based applications. Donald said that at present
There’s no plans to do it, but there's no plans to not do it, and it is a topic that is in constant discussion. The challenge is of course that you get - if that was a feature that came out, you have an ecosystem with a long history of it not working that way, and you would suddenly have a large segment of people saying, "How do I prevent this from happening?"
Milton Smith ended the phone call by asserting how much the Java development team appreciate feedback from the community via the mailing list - "Every message that comes through is read and passed along and considered carefully," he said.
All views voiced are my own, not necessarily Oracle's.
Todd Montgomery Dec 19, 2014