Hi Everyone
I am considering learning Java. There have been well-publicized Java security incidents recently that make me not want to learn it.
However, it's in CentOS and I trust CentOS; are the concerns in the media blown out of proportion?
-Patrick
On Sat, Oct 5, 2013 at 9:21 AM, Patrick patrick@spellingbeewinnars.org wrote:
Hi Everyone
I am considering learning Java. There have been well-publicized Java security incidents recently that make me not want to learn it.
However, it's in CentOS and I trust CentOS; are the concerns in the media blown out of proportion?
The security issues mostly related to running programs with the browser plugins, and they seem to be mostly fixed. As far as using it as a server-side or standalone programming language goes, it is as good as anything else.
On Sat, Oct 5, 2013 at 11:21 AM, Patrick patrick@spellingbeewinnars.org wrote:
However, it's in CentOS and I trust CentOS; are the concerns in the media blown out of proportion?
1. In short: Yes, they were blown out of proportion with a high dose of FUD. Read the following analysis, especially the last few paragraphs.
http://timboudreau.com/blog/The_Java_Security_Exploit_in_%28Mostly%29_Plain_...
2. The most widely referred-to hole had to do with running applets in a browser.
3. J7u40 and OpenJDK7U40 took care of the major issue: Java previously ran unsigned "applets" automatically. Now it no longer does.
4. Most browsers now feature "click to run" on applets, effectively creating a dual barrier against running unsigned code (two clicks, one for the browser warning, another for the JRE warning about unsigned code). Drive-by exploits are thus impossible.
4. Java now offers a "server JRE" without the browser plug-in, starting with J7u21
http://www.oracle.com/technetwork/java/javase/7u21-relnotes-1932873.html#ser...
5. Applets are on the way out, most of the action these days is on server-side Java, and on client-side Java, not browser java.
6. Lots of apps are Java based and have no intention of switching (Jitsi, Vuze, etc)
7. JVM languages are booming (JRuby, Jython, Scala, Clojure, RedHat's Ceylon) http://www.drdobbs.com/jvm/a-long-look-at-jvm-languages/240007765
8. Java is open source, with Twitter, SAP, RedHat, IBM, Oracle and even Google collaborating with the project. See:
http://www.redhat.com/summit/2012/pdf/2012-DevDay-OpenJDK-Bhole.pdf
9. Java 8 / OpenJDK 8 is coming, with Java 9 / OpenJDK 9 next.
10. Java is more than a language. It's also a runtime environment and a level-playing-field software ecosystem. You can create Java apps with any of the JVM languages without ever writing a single line of Java code.
11. Raspberry Pi just announced that RasPis will ship with OpenJDK and JRE
Those are my reasons; if you don't like 'em, I have others... ;) FC
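As an added example, not from the thread or any of its posters: a small POSIX shell audit for the two things the list above hinges on, whether the installed JRE predates 7u40 and whether any Java browser plug-in library is installed at all (a "server JRE" style install has none). The plug-in file names, the browser plug-in directories and the version parsing are my assumptions; the thread does not specify them.

```shell
#!/bin/sh
# Added example, not from the list thread. Plug-in file names and
# directories below are assumptions, not something the thread states.

# Return 0 (true) if the given JRE version string is older than 7u40, the
# release the post credits with no longer running unsigned applets.
# Accepts legacy "1.7.0_25" strings as well as newer "9" / "11.0.2" forms.
jre_below_7u40() {
  ver=${1#\"}; ver=${ver%\"}                 # strip surrounding quotes, if any
  major=${ver%%.*}
  if [ "$major" = 1 ]; then                  # legacy scheme: 1.<feature>.0_<update>
    rest=${ver#1.}; feature=${rest%%.*}
  else
    feature=$major                           # 9+ scheme: <feature>.x.y
  fi
  [ -z "$feature" ] && feature=0
  case "$ver" in
    *_*) update=${ver##*_}; update=${update%%[!0-9]*} ;;   # "45-b20" -> 45
    *)   update=0 ;;
  esac
  [ -z "$update" ] && update=0
  [ "$feature" -lt 7 ] && return 0
  [ "$feature" -eq 7 ] && [ "$update" -lt 40 ] && return 0
  return 1
}

# Print every Java browser plug-in library found in the given directories.
# Returns 0 if at least one was found, 1 if none (no plug-in installed).
find_java_plugins() {
  found=1
  for dir in "$@"; do
    [ -d "$dir" ] || continue
    for name in libnpjp2.so IcedTeaPlugin.so libjavaplugin_oji.so; do
      if [ -e "$dir/$name" ] || [ -L "$dir/$name" ]; then
        echo "$dir/$name"; found=0
      fi
    done
  done
  return $found
}

# Stand-alone run: report on this host's java, if any, then on plug-ins.
if command -v java >/dev/null 2>&1; then
  v=$(java -version 2>&1 | sed -n 's/^.* version "\([^"]*\)".*/\1/p')
  if jre_below_7u40 "$v"; then echo "JRE $v is older than 7u40"; else echo "JRE $v is 7u40 or newer"; fi
fi
if find_java_plugins /usr/lib64/mozilla/plugins /usr/lib/mozilla/plugins "$HOME/.mozilla/plugins"; then
  echo "Java browser plug-in present"
else
  echo "No Java browser plug-in found"
fi
```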
On 10/5/2013 7:59 AM, Fernando Cassia wrote:
- Applets are on the way out, most of the action these days is on
server-side Java, and on client-side Java, not browser java.
I suspect you meant to say...
5. Applets are on the way out, most of the action these days is on server-side Java, and on client-side JavaSCRIPT, not browser java.
Client-side JavaScript programming is sometimes called AJAX. Note that JavaSCRIPT is not Java; it only looks vaguely similar.
On Sat, Oct 5, 2013 at 3:04 PM, John R Pierce pierce@hogranch.com wrote:
I suspect you meant to say...
- Applets are on the way out, most of the action these days is on
server-side Java, and on client-side JavaSCRIPT, not browser java.
Client-side JavaScript programming is sometimes called AJAX. Note that JavaSCRIPT is not Java; it only looks vaguely similar.
I'm fully aware that Java != JavaScript. I was talking about the differences between client-side, desktop Java apps and browser-based applets.
There are plenty of desktop Java-based apps, including Jitsi (www.jitsi.org), Vuze P2P (vuze.com), Art of Illusion (raytracer), Sweet Home 3D (CAD), muCommander (JWS-enabled NC clone), jEdit, the NetBeans IDE, FreeMind (mind mapper/productivity tool), Frinika (music workstation), JShot (taking screenshots and uploading them to social sites), PowerFolder (cloud storage/sync).
Or others like the Burp LAN scanner or the jHome home automation solution: http://portswigger.net/burp/ http://www.eletronlivre.com.br/jhome/
JavaFX 2.0 and its open source release OpenJFX is client-side desktop Java, and unrelated to applets or browsers.
FC
On Sat, Oct 5, 2013 at 2:04 PM, John R Pierce pierce@hogranch.com wrote:
On 10/5/2013 7:59 AM, Fernando Cassia wrote:
- Applets are on the way out, most of the action these days is on
server-side Java, and on client-side Java, not browser java.
I suspect you meant to say...
- Applets are on the way out, most of the action these days is on
server-side Java, and on client-side JavaSCRIPT, not browser java.
Client-side JavaScript programming is sometimes called AJAX. Note that JavaSCRIPT is not Java; it only looks vaguely similar.
Yes, browsers normally execute JavaScript internally, and there are some toolkits like GWT to write interactive applications where you write mostly server-side Java and it generates the browser JavaScript code for you.
On 10/05/2013 05:21 PM, Patrick wrote:
Hi Everyone
I am considering learning Java. There have been well-publicized Java security incidents recently that make me not want to learn it.
However, it's in CentOS and I trust CentOS; are the concerns in the media blown out of proportion?
A programming language is not secure or insecure. It's about the programs you write with it.
On 10/05/2013 12:27 PM, Mihamina RKTMB wrote:
On 10/05/2013 05:21 PM, Patrick wrote:
Hi Everyone
I am considering learning Java. There have been well-publicized Java security incidents recently that make me not want to learn it.
However, it's in CentOS and I trust CentOS; are the concerns in the media blown out of proportion?
A programming language is not secure or insecure. It's about the programs you write with it.
Yes, sort of, but a runtime is a program written by others.
On 10/05/2013 07:29 PM, Patrick wrote:
On 10/05/2013 12:27 PM, Mihamina RKTMB wrote:
On 10/05/2013 05:21 PM, Patrick wrote:
Hi Everyone
I am considering learning Java. There have been well-publicized Java security incidents recently that make me not want to learn it.
However, it's in CentOS and I trust CentOS; are the concerns in the media blown out of proportion?
A programming language is not secure or insecure. It's about the programs you write with it.
Yes, sort of, but a runtime is a program written by others.
OK. Everything is insecure then. Don't use.
On 10/05/2013 10:21 AM, Patrick wrote:
Hi Everyone
I am considering learning Java. There have been well-publicized Java security incidents recently that make me not want to learn it.
However, it's in CentOS and I trust CentOS; are the concerns in the media blown out of proportion?
-Patrick
First, just in case you're confused, Java and JavaScript are two totally different things. Only the names are similar, to confuse the innocent. Just like Visual Basic, VBScript, and Visual Basic for Applications (VBA) are three totally different things with similar names, just to confuse the innocent.
JavaScript is as secure as any other reasonably applied scripting language. Java, which runs on a Java Virtual Machine (JVM), is known in the trade as (J)ust (A)nother (V)ulnerability (A)nnouncement. Java should never be enabled in a web browser.
If your intention is to write Java applications then go for it.
On Sat, Oct 5, 2013 at 6:21 PM, Mark LaPierre marklapier@aol.com wrote:
Java, which runs on a Java Virtual Machine (JVM), is known in the trade as (J)ust (A)nother (V)ulnerability (A)nnouncement
Let's try to be serious here. There are funny definitions based on acronyms, based on everyone's agendas. Some who opposed SNMP called it "security is not my problem", because of shortcomings in the first version. Last time I checked, SNMP was mature and used throughout corporate LANs. Security is a process, not a definitive state. FOSS software is patched all the time too, and for good reason.
http://www.mail-archive.com/blueonyx@mail.blueonyx.it/msg05233.html
Java should never be enabled in a web browser.
To quote Icedtea-web* Red Hat developer Andrew Haley (aph@redhat.com): "I think this [removing the plug-in] is truly dreadful reasoning. Either we think that the plugin is safe enough for people to use, or we don't ship it."
Anyway, enough said. I think that by now the original poster's question has been thoroughly answered.
FC
* Icedtea-web is the FOSS version of the Java plug-in for OpenJDK: Sun open-sourced Java in 2006 but never the browser plugin, and that need was filled by the FOSS community via Icedtea-web.