Oracle's Head of Security Promises to Fix Issues and Improve Communication

by Charles Humble on Jan 30, 2013 |

Following a spate of high-profile security issues, Oracle's head of Java Security, Milton Smith, is promising that the vendor will fix issues with the platform and improve its communication with community members.

"The plan for Java security is really simple," Milton Smith said during a conference call (mp3 audio) with Java User Group (JUG) leaders.

It's to get Java fixed up, number one, and then, number two, to communicate our efforts widely; we really can't have one without the other. No amount of talking or smoothing over is going to make anybody happy, or do anything for us. We have to fix Java.

The focus is on Java in the browser, where most of the recent security exploits have been happening. As well as the patches, Milton highlighted the addition, in Java 7u10, of a "security slider" to the Java control panel, along with a checkbox that makes it easier for users to disable Java across the various platforms. Engineers have also introduced functionality that warns users before any applet is allowed to run, as a means of preventing exploits from being launched silently.

With regard to communication, Milton said, "We have a lot of things that we're looking at," and highlighted the need for Oracle to reach all audiences, from engineers, to IT professionals running data centers, and, presumably though not explicitly mentioned, consumers as well. Exactly how this will be done is yet to be determined, but it could include providing more information to JUG leaders, who would then be able to disseminate that information to their members, as well as more presentations at tech conferences and talking to the press. Oracle's unwillingness to answer questions from the press may well have resulted in some of the "loose" reporting which Donald Smith, Director of Product Management for OpenJDK, and others criticized during the call.

Elsewhere on the call, Donald refused to be drawn on the reasons for the 10-minute delay that occurs when users install the Ask toolbar. As we previously reported, Andrew Moers, President of the Ask Partner Network, told InfoQ, "This is to ensure the JRE updates properly load without additional strain on a user's computer". Donald Smith would only say,

That would be an example of the kind of information that I would love to share with you as to why things are done this way, but I couldn't unilaterally do. I hear you; I agree that on the surface when you look at it it’s like, "Why is that that way?" and it could be that we are never able to give a satisfactory answer, but I hope at some point we'll be able to clarify what that’s about and why.

Part of the challenge that Oracle faces is the very wide audience that Java has: from home users, to individual developers, to large enterprises. An example of the conflict this raises came up when the JUG leaders asked whether Java could be given a silent auto-updating mechanism, as seen in both the Chrome and Firefox browsers. This might well be desirable behaviour for end-users of Java, but many enterprises have carefully controlled desktop environments and tend to be hostile to the practice, even more so when it is applied to clusters of servers running Java-based applications. Donald said that at present

There’s no plans to do it, but there's no plans to not do it, and it is a topic that is in constant discussion. The challenge is of course that you get - if that was a feature that came out, you have an ecosystem with a long history of it not working that way, and you would suddenly have a large segment of people saying, "How do I prevent this from happening?"

Milton Smith ended the phone call by asserting how much the Java development team appreciates feedback from the community via the mailing list. "Every message that comes through is read and passed along and considered carefully," he said.

Thanks! by Reza Rahman

Thanks so much for posting this. I emphasize the need to provide timely, reasonable, constructive feedback on all things Java now and going forward. There is no better way to keep clear the much needed pathways of openness, mutual dialog and community that is so vital for Java to keep moving forward. I personally wholeheartedly agree with the need for Oracle as a company to dramatically improve its interaction with the press, especially with regards to Java.

All views voiced are my own, not necessarily Oracle's.
