Oracle releases 127 security fixes, 51 for Java alone (sophos.com)
58 points by teawithcarl on Oct 17, 2013 | hide | past | favorite | 51 comments


I heard that Oracle won the America's Cup recently which leads me to give them some unsolicited advice.

Put the award on the shelf in your lobby, sell the ten million dollar boat and hire the engineers needed to update the Java patch cycle to monthly with the spare cash.

3+ billion devices will thank you.

Spot on. Working with their products on a daily basis, I just get the feeling that Oracle doesn't really give a shit about anything other than that god damned boat.


Bryan Cantrill on Oracle:

"As you know people, as you learn about things, you realize that these generalizations we have are, virtually to a generalization, false. Well, except for this one, as it turns out. What you think of Oracle, is even truer than you think it is. There has been no entity in human history with less complexity or nuance to it than Oracle. And I gotta say, as someone who has seen that complexity for my entire life, it’s very hard to get used to that idea. It’s like, ‘surely this is more complicated!’ but it’s like: Wow, this is really simple! This company is very straightforward, in its defense. This company is about one man, his alter-ego, and what he wants to inflict upon humanity — that’s it! …Ship mediocrity, inflict misery, lie our asses off, screw our customers, and make a whole shitload of money. Yeah… you talk to Oracle, it’s like, ‘no, we don’t fucking make dreams happen — we make money!’ …You need to think of Larry Ellison the way you think of a lawnmower. You don’t anthropomorphize your lawnmower, the lawnmower just mows the lawn, you stick your hand in there and it’ll chop it off, the end. You don’t think ‘oh, the lawnmower hates me’ — lawnmower doesn’t give a shit about you, lawnmower can’t hate you. Don’t anthropomorphize the lawnmower. Don’t fall into that trap about Oracle." [1]

[1] https://hackernews.hn/item?id=5170246


> I just get the feeling that Oracle doesn't really give a shit about anything other than that god damned boat.

I was helping out a cousin install Oracle on Oracle Linux, and I found it way too complicated to set up. Installing their flagship product on their official distribution was a pain. All they could have done is provide proper repos/rpms. It's sad that they couldn't get that right.


Personally, I think they ended up getting excellent advertising value for their money. Especially with the win and that being a big news story.


I was reading this FUD whitepaper just a while back, in which they are saying OSS is unsuitable for enterprises, unscalable, untested, insecure, etc. http://www.oracle.com/us/products/middleware/cloud-app-found...

And then this.


That whitepaper isn't really FUD. It's basically just explaining 'open source' to people who don't really get it. The paper explains that Oracle software includes open source software and then Oracle is arguing that they do a better job of developing, leveraging, integrating, and supporting FOSS than IT workers in gov't offices can. It's a fairly reasonable argument.


I beg to differ. The UK government (finally) has got its act together in this department. We're seeing the NHS's core "Spine" system being rewritten using open source software (riak/erlang/ubuntu + others) and we have the excellent http://gov.uk/ as well.


And then you have a look at the new Universal Credit scheme. Glad IT schemes to do with the NHS are improving though.


Good point. I do however feel that the government departments that have failed miserably on projects will start looking at more successful projects for inspiration. We'll be a few more £billion down by then but things will improve.

HMRC's systems are pretty good these days as well (I just did my tax return online). Relatively smooth process for a large Java behemoth.


You claim you read it, but they don't say that at all.

What they're specifically saying is that government is not the ideal entity to be shepherding OSS projects. More specifically - Large Scale OSS projects that require a rigorous process and are mission critical. They observe that OSS Projects exhibit high quality primarily (though not exclusively) when there is a large financial motive to make the project high quality. (E.g. Linux, Firefox, and the other big hits).

Now, Oracle might be against-OSS in general, but this paper is not the "FUD" that you're looking for.


The article is littered with FUD:

1. Oracle is embracing and offering open source solutions as a viable way to complete simple software projects and as an adjunct to the development and deployment of more complex projects that are based on commercial software.

- Open source for tiny projects. Oracle for the real work. Got it.

2. Another key issue facing government acquisition executives is the issue of indemnification. When a software company provides a product to its customers, it is expected to stand by its product, and is legally required to do so. In the case of open source, there are remarkably few companies willing or able to offer indemnification for their “products.”

- There are several open source companies, which stand by their "products", and offer support contracts.

3. Load testing, system performance tuning, and system optimization are also expensive tasks. Commercial software companies have developed highly refined methodologies to perform these tasks.

- I've worked some with Oracle databases. Most organizations are paying through the nose for little benefit; management loves whitepapers like this.

4. Oracle licenses commercial software to fill the gaps where open source does not fully address enterprise capability requirements. Automated Deployment & Provisioning ...Extreme Performance, High Availability, & Scalability

- Ok.

5. If you are concerned with vendor lock-in, and you see open source solutions as a means of “owning” the code you want to run, a quick glance at the Open Source Initiative (OSI) can be daunting. Nearly 100 licensing regimes have gone through the license approval process. Open source is not free, nor is it easy to understand the strict legal terms and conditions associated with its use.

- I've found the popular OSS licenses quite simple to understand and there are excellent explanations available; most Open Source apps use one of these, though there might be 100 which are OSI approved.

6. And finally, the biggest one. The VA story.

- https://yourlogicalfallacyis.com/anecdotal

Edit: OSI Licensing(5)


First, let's address your original comments. These are your words "in which they are saying OSS is unsuitable for enterprises, unscalable, untested, insecure, etc.".

Your characterization implies that the main theme of the paper is "OSS is unsuitable for enterprises, unscalable, insecure, etc". Please find me a single line in the PDF YOU linked to that implies "OSS is unsuitable for enterprises, unscalable and insecure".

-------------------------

> And finally, the biggest one. The VA story. - https://yourlogicalfallacyis.com/anecdotal

How incredibly dishonest of you. You've presented all your evidence as simply your own assertions, experience and anecdotes. Where is YOUR data?

Let's examine your own words :-

>"There are several open source companies, which stand by their "products", and offer support contracts"

Several? How many? Out of how many in total? What contracts have you looked at? How do they compare to other contracts offered to DoD by non-open source companies?

>I've worked some with Oracle databases. Most organizations are paying through the nose for little benefit;

That is your experience and assertion. Why should anyone care? Are you a well known person in the database domain whose opinion is widely respected?

>I've found the popular OSS licenses quite simple to understand and there are excellent explanations available; Most Open Source apps use one of these, though there might be 100 which are OSI approved.

Okay so YOU have found them simple. Again why is your anecdote and experience so superior? Are you a well known licensing expert?

--------------------

See, it's rather easy to accuse someone of FUD, it's another thing to actually provide evidence beyond some vague arguments. :)


That whitepaper is for management and purchasing. The security patches are for the poor sysops who have to look after the mess left behind by the former.

Every large commercial software company is just as bad. It was only a few years ago that Microsoft were doing the same, until they realised they could monetize open source software themselves[1] as well and decided to stop the badmouthing.

[1] through azure and buying into major open source ecosystems to gain mindshare.


They would gain a bit more respect by getting rid of the Ask toolbar option from the Java installer. Wonder if they actually make any significant money from that garbage.


It basically was Sun's way to make budget. I would hope Oracle just does away with it.

https://jonathanischwartz.wordpress.com/2009/05/18/will-the-...

We signed a contract through which we’d make their toolbar optionally available to our audience via the Java update mechanism. They paid us a much appreciated fee, which increased dramatically when we renegotiated the contract a year later. Distribution was becoming quite valuable to us and to them – and given the “take” rates, or the rates at which consumers were choosing to install new content, the Java audience saw value in the new application.

The year following, the revenue increased dramatically again – when an aspiring search company (again, you can figure out who) outbid our first partner to place their toolbar in front of Java users (this time, limited to the US only). Toolbars, it turns out, are a significant driver of search traffic – and the billions of Java runtimes in the market were a clear means of driving value and opportunity. The revenues to Sun were also getting big enough for us to think about building a more formal business around Java’s distribution power – to make it available to the entire Java community, not simply one or two search companies on yearly contracts.

And that’s what Project Vector is designed to deliver – Vector is a network service to connect companies of all sizes and types to the roughly one billion Java users all over the world. Vector (which we’ll likely rename the Java Store), has the potential to deliver the world’s largest audience to developers and businesses leveraging Java and JavaFX. What kinds of companies might be interested? If you talk to a Fortune 500 company or a startup, pretty much everyone craves access to consumers – which is the one problem we’ve solved with the Java platform. Most folks don’t think of Sun as a consumer company, and largely we’re not, but our runtimes reach more consumers than just about any other company on earth.

-Jonathan Schwartz


Of course "java audience" in that text should be understood to mean Sun and Oracle management, not, you know, java users and/or developers.


Just get the JRE from

http://www.oracle.com/technetwork/java/javase/downloads/inde...

That garbage is just from the consumer web site and no different than bundlings from other corporations, like Adobe and Google.

I also don't want the Google Toolbar or McAfee installed.


Or, if you're on Windows, download/install/update software like the Java run-time using Ninite (www.ninite.com).


Did I understand the article correctly...Oracle releases lots of security fixes, and the author is _critical_ of this?


If you posted a comment to HN with 127 spelling mistakes, which you then corrected, should you be applauded for that?


This isn't one comment to HN with 127 spelling mistakes, it would be equivalent to 1000s of people as part of a collective group contributing 1000s of spelling mistakes over the past 15 years, then all of a sudden fixing a ton of the mistakes.

Your argument is wrong but your point is correct. In the above scenario, should they be applauded for fixing 3 year old spelling mistakes that someone told them about 3 years ago...


If you posted something the length of Moby Dick, with 127 spelling mistakes, which you then corrected?

No need to applaud, but no need to criticise...


Would someone criticize you for fixing them?


(Mac OSX): Can anyone explain why 'java --version' still produces java version "1.7.0_17" even though I've updated?

EDIT: Solved. Including this in case anyone runs into it. There are apparently two update mechanisms in OSX (1) From within System Preference->Java Control Panel and (2) By downloading the java file manually from Oracle.

I ran the update "1" from control panel and said system had been updated to U45, but command line didn't reflect that.

After manually downloading and installing JDK from Oracle command line now reflects "1.7.0_45".

I have no idea why this half-baked situation exists, but evidently it's how it works....?


I think that's because the Java Control Panel updates the JRE, but that just updates the plugins and stuff. The manually downloaded JDK pkg definitely will update the java you invoke in the shell.


Could someone explain why Applets/Webstart is so insecure? I know that JRE itself isn't really bad, it's the web-plugin for Java that has security vulnerabilities. But how so?


Most of it is politics. Applets aren't fundamentally more insecure than other competing technologies like Flash or Silverlight. They just got a lot of hate, first due to the Microsoft "embrace and extend" attempts in the 90s (shipping its own awful JVM) and now again due to the buyout by Oracle with its horrible PR.

It's nonsense that modern browsers treat Java applets as if they were radioactive material, showing lots of warnings and scary dialogs (and even forcing you to update) while they do nothing of the sort with Flash.


Because the full power of Java exists in Applets. Browsers do their best to sandbox it and to make sure users give permission before it is allowed outside the sandbox. There are probably other reasons too, but that's afaik the basic reason.

I think it's a little unfair how the whole industry has treated Applets vs. Flash. Applets were pretty nice but Sun couldn't really fight it out like Adobe did against the other larger players.

Anyhow, I disabled Applets and Flash recently myself too. The web works ok, thanks to Apple I guess, but I still need to flip on Flash occasionally.


Applets, whenever I used them, were also much, much slower to load than Flash.


Fucked up design, Sun's refusal to put any resources into fixing it.


Java was invented as a full-fledged VM with libraries that provide disk access, start and stop processes, take screenshots, etc.

In contrast, Javascript didn't even have these ideas. The only file access it has is through APIs like reading and writing cookies, and file uploads. Another example is Silverlight. Silverlight only provides a limited set of APIs that access the file system. For example, you cannot read any file unless it was initiated through user interaction via OpenFileDialog.

Sandboxing, i.e. preventing untrusted code from calling privileged libraries like disk access, was done by walking the call stack and making sure the call originated from a trusted source. This was tricky but it worked. In Java 7, a new object was invented, called the MethodHandle. This functions as a first-class object, and I suspect that when Oracle bought out Sun, they lost some key engineers and there has been a slew of exploits via MethodHandle. Hopefully, this patch caught all of them.
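As a worked illustration of the stack-walking check the comment above describes, here is an added toy model; it is not JDK code or anything posted in this thread, and the class names (StackInspectionDemo, TrustedLib, UntrustedApplet) and the permission strings are invented. It models the two rules that matter: any untrusted frame on the stack denies the request, and a doPrivileged() frame stops the walk only if the code that called it is itself trusted.

```java
import java.util.concurrent.Callable;

// Toy model of the stack-inspection sandbox: a permission check walks the
// caller chain and denies if any frame belongs to untrusted code, unless a
// trusted frame vouched for the action via doPrivileged(). Names are invented.
public class StackInspectionDemo {
    private static final String OUTER = StackInspectionDemo.class.getName();
    // This toy's "protection domains": JDK classes and everything in this file
    // are trusted except UntrustedApplet (and the lambda classes it spawns).
    static boolean isTrusted(String className) {
        return className.startsWith("java.")
            || (className.startsWith(OUTER)
                && !className.startsWith(OUTER + "$UntrustedApplet"));
    }
    // Walk the stack top-down. A doPrivileged() frame ends the walk, but the
    // request is granted only if the code that called doPrivileged() is trusted.
    static boolean checkPermission(String permission) {
        StackTraceElement[] frames = Thread.currentThread().getStackTrace();
        for (int i = 0; i < frames.length; i++) {
            if (frames[i].getMethodName().equals("doPrivileged")) {
                return i + 1 < frames.length && isTrusted(frames[i + 1].getClassName());
            }
            if (!isTrusted(frames[i].getClassName())) {
                return false;  // untrusted frame on the stack: deny
            }
        }
        return true;  // only trusted frames all the way down: allow
    }
    // Analogue of AccessController.doPrivileged: the caller takes responsibility.
    static <T> T doPrivileged(Callable<T> action) throws Exception {
        return action.call();
    }
    static class TrustedLib {
        // Simulated privileged operation guarded by the stack walk.
        static String readFile(String path) {
            if (!checkPermission("read " + path)) {
                throw new SecurityException("access denied: " + path);
            }
            return "contents of " + path;
        }
        // Trusted code vouching for one specific, harmless read on anyone's behalf.
        static String readVersionFile() throws Exception {
            return doPrivileged(() -> readFile("version.txt"));
        }
    }
    static class UntrustedApplet {
        static String readSecret() { return TrustedLib.readFile("/etc/secret"); }
        static String askVersion() throws Exception { return TrustedLib.readVersionFile(); }
    }
    static void attempt(String label, Callable<String> action) {
        try { System.out.println(label + ": " + action.call()); }
        catch (Exception e) { System.out.println(label + ": " + e.getMessage()); }
    }
    public static void main(String[] args) {
        attempt("trusted caller", () -> TrustedLib.readFile("/etc/hosts"));  // allowed
        attempt("vouched for by TrustedLib", UntrustedApplet::askVersion);   // allowed
        attempt("untrusted caller", UntrustedApplet::readSecret);            // denied
    }
}
```

The real JVM keys trust on each frame's ProtectionDomain rather than on class names, but the walk order and the doPrivileged() caller check are the same shape.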


If the JRE allows someone to make a system call, it's a feature. If the plugin allows the same call, it's a critical software bug.


Every time there is a report of Java security exploits, I would like to see bug listings from other compiler runtimes, especially C and C++ ones.


They're not really the same thing. People rely (to a greater or lesser degree) on VM security guarantees for running less than fully trusted code in a variety of contexts - I say VM rather than JVM to include Dalvik, JS engines, etc. People don't run random untrusted C and C++ code.


> People don't run random untrusted C and C++ code.

Yes they do. Every time they start their computer.


No, that's trusted C and C++ code - they've given it permission to break their security.


Trusted by whom?


Fine, go read the bug trackers for them. Your point was? Oh, probably better to spend the time patching your desktop and servers given the massive drive through holes Java has left there.


Not sure what you meant, but almost all recent security holes were client-side. As far as I remember, server-side Java has been fairly robust.


My point is that it is easy to escalate Java security issues to average Joe, while forgetting it is just the tip of the iceberg of all attack vectors a computer has, regardless of which programming languages are used.


But the criticism isn't that others have no security issues. It is that others fix them with a greater sense of urgency than Oracle.


Do they?

I can tell from the companies I worked for, security fixes are handled like any other bug fix.


>Do they?

The perception is that they do, and I have to say that I share that perception. I'm open to be convinced otherwise ... by facts.


> I'm open to be convinced otherwise ... by facts.

Well, as you might understand I cannot publish the internal backlog of any Fortune 500 company my employer does consulting for.

Either you believe me that security issues get the same priority as any other bug/feature on the backlog, or you don't.


The issue we're talking about has nothing to do with the relative priority of security issues versus other bugs. The OP claimed that Oracle issues bug fixes less frequently (quarterly) than Microsoft or Adobe (monthly). Your claim is completely unrelated to that.


So the world of computing is composed only of Microsoft, Adobe and Oracle, right?

No other software requires security fixes, I see.


I certainly hope that not many of the major vendors take three months to fix critical, remotely exploitable security issues. If they do, they deserve the same criticism that Oracle got.


> "51 security vulnerabilities are addressed in Java this quarter, and 50 of them affect Java Applets or Java WebStart, the plugin that runs Java in your web browser. Worse yet, all but one are remotely exploitable without authentication."

I wonder if that's just where all the cruft is, or if Oracle is getting serious about webstart?


What does "remotely exploitable" mean, though?

What would "authentication" mean, in this context?

I think what this must mean is that IF you click through the various dialogs to enable an applet or Java webstart application to run in your browser (or be launched from it), at that point the running code could do something bad. Perhaps these are ways to escape the normal applet sandbox?

And "exploitable without authentication" I guess must be about... what, signed JARs? That's a sort of authentication, and I can't imagine what else this could be talking about.

That's not so amazing, really, or even very scary, because the user has to explicitly click at least one (usually more) dialogs before the code will run. On some browsers, there are many more steps involved because Java is disabled by default (and even re-disabled by default if you don't use it for a while), and you have to figure out how to enable it first. On some browsers (like Chrome on OS X) Java simply doesn't work, so it's out of the question.

This is where a lack of detail really harms the point -- if they walked through the actual steps involved in using any of these exploits, people would have a much better idea of what was actually at risk. My suspicion is that for anyone who doesn't approve applets on shady sites, the risk is negligible.


Are all of these Java vulnerabilities recently introduced or just recently discovered?


About half of them have been patched in Java 5, more details here:

http://www.oracle.com/technetwork/topics/security/cpuoct2013...



