SAN FRANCISCO — Oracle, which officially took on the big job of shepherding Java two years ago this month, is traveling bumpy roads lately, with its modularization and licensing plans for Java raising eyebrows and security concerns coming to the fore as well.
Plans for version 8 of Java Platform Standard Edition, which is due next year, call for inclusion of Project Jigsaw to add modular capabilities to Java. But some organizations are concerned with how Oracle’s plans might conflict with the OSGi module system already geared to Java. In the licensing arena, Canonical, the maker of Ubuntu Linux, says Oracle is no longer letting Linux distributors redistribute Oracle’s own commercial Java, causing difficulties for the company. Meanwhile, security vendor F-Secure views Java as a security hindrance. (Oracle declined to discuss these issues with InfoWorld.)
Jigsaw’s inclusion draws ire
With Jigsaw, Oracle intends to provide an approachable and scalable module system for large legacy software systems in general and the JDK (Java Development Kit) in particular, said Mark Reinhold, Oracle’s chief architect of the Java platform group, in a recent blog post.
But some see conflict between Oracle’s Jigsaw effort and OSGi, a long-standing dynamic module system for Java adopted by organizations like the Eclipse Foundation (of which Oracle is a member) for open source tools. “The major risk inherent in Project Jigsaw is that it is attempting to supplant an incumbent Java modularity system that has already seen a great deal of success,” says Eclipse representative Ian Skerrett. “OSGi is widely used across the Java ecosystem in the implementations of IDEs, enterprise service buses, and application servers. Project Jigsaw must not only support the modularization of the Java platform, it also must provide seamless integration with the existing OSGi ecosystem.”
Rather than benefiting Java, Jigsaw will only complicate matters, says Peter Kriens, technical director of the OSGi Alliance: “Jigsaw is inventing something that doesn’t really fit very well in Java.”
Help may be on the way, however.
Floated in an OpenJDK online discussion group is a proposed effort called Penrose to implement interoperability between Jigsaw and OSGi implementations. This project would enable cooperation between Jigsaw and OSGi to show how OSGi implementations would run on the OSGi runtime and how to load Jigsaw modules into OSGi frameworks.
Both Skerrett and Kriens see great benefits to Oracle’s goal of adding modularization to Java. “It dramatically improves the robustness and flexibility of software systems, especially large software systems…. By reducing the complexity of software, modularity allows greater reuse and easier deployment, which in turn allows systems to adapt to change in easier and safer ways,” Skerrett says.
Java’s licensing change troubles Canonical
Oracle also is raising dander over a recent license change limiting distribution of Oracle’s commercial Java. Canonical says that Oracle has retired its license that permitted Linux distros to redistribute Java. Under the new Oracle license, users now must download Java directly from Oracle’s website.
“That left us in a pickle, because the current version of Java that we’re distributing had known security issues that were being exploited,” says Canonical CEO Jane Silber. Security problems in Java 6 include problems with remote exploits enabled through the Java browser plug-in, she says. To address the security issue, though not solve it, Canonical is pushing out an update that will disable part of the Java version on users’ machines.
Canonical can still distribute the open source OpenJDK version of Java, but it is not equivalent to the commercial Oracle implementation, Silber says. Canonical’s troubles date back to Oracle’s announcement last summer that OpenJDK would become the reference implementation of Java, which resulted in the discontinuance of the “non-free” operating system distributor license for Java used by Canonical. The bottom line is that Oracle wants Linux distributions to migrate to OpenJDK, even if a distributor believes the commercial version is better for its customers.
Java’s security questioned
Oracle also has been receiving flak elsewhere over the security of Java. F-Secure Security Labs recently posted a notice, “Java considered harmful,” that advises people to remove the Java plug-in from their browsers. “The risks of Java are nicely illustrated by the recent Java Rhino vulnerability (aka CVE-2011-3544). If you’re running Java, but not the latest version, you’re vulnerable. So either you have to check at all times that you have the latest version of Java — or get rid of it altogether,” F-Secure writes.
Keeping Java secure is no mean feat, as it is a popular target for hackers. “Java is currently the lowest-hanging fruit of the third-party software that gets attacked,” says Sean Sullivan, an F-Secure security advisor. While Java is a great platform on back-end systems, Java on Windows PCs facilitates the running of undesirable code, he says.
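F-Secure’s advice above amounts to a policy of “either prove you are on a patched version or remove the plug-in.” The following script is an added example, not code from the article, F-Secure or Canonical: it parses the banner that `java -version` prints (the `java version "1.<major>.0_<update>"` line) and classifies each host as patched, outdated, on an unsupported major line, or without Java at all. The host names and banners are constructed sample data, and the minimum update levels in `MINIMUM_UPDATE` are placeholder policy values chosen for the example; the article does not state which update closed CVE-2011-3544, so the real threshold must come from the vendor advisory.

```python
import re
import subprocess
from typing import Dict, Optional, Tuple

# Constructed sample `java -version` output (not captured from real hosts). The JVM prints the
# version string on the first line in the form: java version "1.<major>.0_<update>".
SAMPLE_OUTPUTS: Dict[str, str] = {
    "host-a": 'java version "1.6.0_26"\n'
              'Java(TM) SE Runtime Environment (build 1.6.0_26-b03)\n'
              'Java HotSpot(TM) Client VM (build 20.1-b02, mixed mode)',
    "host-b": 'java version "1.7.0_01"\n'
              'Java(TM) SE Runtime Environment (build 1.7.0_01-b08)',
    "host-c": 'java version "1.5.0_22"\n'
              'Java(TM) SE Runtime Environment (build 1.5.0_22-b03)',
    "host-d": 'sh: java: command not found',
}

# Minimum accepted update level per major line. PLACEHOLDER policy values chosen for this
# example; the article does not say which update fixed CVE-2011-3544, so replace these with the
# levels from the vendor advisory before relying on the check.
MINIMUM_UPDATE: Dict[int, int] = {6: 29, 7: 1}

# Matches both Oracle ("java version") and OpenJDK ("openjdk version") banners.
_VERSION_RE = re.compile(r'^(?:java|openjdk) version "1\.(\d+)\.\d+(?:_(\d+))?', re.MULTILINE)


def parse_java_version(output: str) -> Optional[Tuple[int, int]]:
    """Extract (major, update) from `java -version` output; None if no version banner is present."""
    match = _VERSION_RE.search(output)
    if not match:
        return None
    major = int(match.group(1))
    # A GA release such as "1.7.0" carries no "_NN" suffix and counts as update 0.
    update = int(match.group(2)) if match.group(2) else 0
    return major, update


def assess(output: str) -> str:
    """Classify one host's banner as 'no-java', 'unsupported-major', 'outdated' or 'ok'."""
    parsed = parse_java_version(output)
    if parsed is None:
        return "no-java"
    major, update = parsed
    if major not in MINIMUM_UPDATE:
        # No accepted level exists for this line (e.g. Java 5); it cannot be patched, only removed.
        return "unsupported-major"
    return "ok" if update >= MINIMUM_UPDATE[major] else "outdated"


def assess_fleet(outputs: Dict[str, str]) -> Dict[str, str]:
    """Apply assess() to a mapping of host name -> captured `java -version` output."""
    return {host: assess(text) for host, text in outputs.items()}


def check_local_java() -> str:
    """Run `java -version` on this machine. The JVM writes the banner to stderr, not stdout."""
    try:
        proc = subprocess.run(["java", "-version"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return "no-java"
    return assess(proc.stderr + proc.stdout)


if __name__ == "__main__":
    for host, status in assess_fleet(SAMPLE_OUTPUTS).items():
        print(f"{host}: {status}")
    print(f"local: {check_local_java()}")
```

Anything other than `ok` is a host where the browser plug-in should be disabled until the runtime is updated or removed, which is the same binary choice F-Secure describes. Note that the check only sees the `java` on the PATH; browser plug-ins can be backed by a different installed runtime, so an inventory of installed JREs is a better source for the banner than a single command on each host.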
Oracle’s thankless job
Oracle has numerous Java projects to maintain and update, such as last week’s release of the NetBeans 7.1 IDE equipped with support for the JavaFX 2.0 rich Internet application platform. With Java being such a ubiquitous technology after 16-plus years, whoever is in charge of it is sure to upset some folks with how the platform is proceeding. In fact, disagreements over Java are nothing new: The Apache Software Foundation’s efforts to get proper certification for its Apache Harmony implementation of Java have spanned both the Sun and Oracle reigns over Java, for example.
Oracle, however, perhaps should cut back on the heavy-handedness, perceived or actual, if it hopes to preserve and maximize its substantial investment in Java. Otherwise, Oracle risks sending users looking for alternatives.