Code One Preview: JavaOne v2, Gosling & Blockchain Beer

If you had to rank the many changes the Java community has seen over the past few years, the rebranding of a developer conference probably wouldn't make the top 10. But Oracle's decision to expand the menu of languages, frameworks, tools and tech covered at what was the annual JavaOne event, now called Oracle Code One, which gets underway next week in San Francisco, ain't nothin'.

In fact, it could be considered a kind of manifestation of a Java landscape increasingly infiltrated by new languages and not-so-Java tools -- many of which are quickly becoming essential additions to the Java Jock's gym bag.

That's kinda the way Stephen Chin explained it to me last week. Chin is the director of the Developer Community Team at Oracle (and a former JavaOne Rock Star), and he's the current Conference Content Chair, a role he also played for past JavaOne conferences.

"This is a trend that has been going on for several years," he said of the non-Java content in this year's show. "Now we're changing the conference name to match what has become a very broad developer conference."

As I reported earlier, Oracle is billing the change as "an expansion of tracks to include more languages, technologies, and developer communities." This year's conference program includes three tracks dedicated to Java content exclusively: a Java core track, which comes straight from the Java technology team; a server-side Java track, which covers the backend server-side use cases for Java, "including both the things we do at Oracle and things from the broader Java community," Chin said; and a Java ecosystem track, which is chaired by, Jonathan Giles, who works for Microsoft.

But for the first time, the conference will include content aimed at two different developer communities: those building databases-focused apps and MySQL developers. The program also includes sessions on such languages as Go, Rust, Python, JavaScript, and R.

"We're not taking away any significant Java content from the show," Chin said. "We adding to it."

The big events are also on the schedule: In the very popular Java technical keynote on Monday, Mark Reinhold, Chief Architect of the Java Platform Group, and Georges Saab, VP of Development, are set to talk about Java SE updates from the last 12 months, including Java 11, as well as "future projects aimed at accelerating user productivity, such as Java in container environments and exploration of new code review options for the JDK."

The Duke's Choice Awards are still part of the conference, the winners of which will announced during the technical keynote. But there's a new prize on the program called the Groudbreakers Award. Where Duke's Choice is aimed at projects, Groundbreakers recognizes influential developers in the community, Chin explained. In fact, "Groundbreakers" is a new "developer engagement brand," Chis said, which is why all the demos will be happening in the Groundbreakers Hub, and Oracle is promoting a new class of expert, called Groundbreaker Ambassador.

The Code One conference has 500 speakers on the schedule, Chin said, including a surprise addition to the community keynote on Wednesday: the father of Java himself, James Gosling. Chin will be there, too, along with Heather VanCura, Director at Oracle and Chair of the Java Community Process.

This year's Fireside Chat brings together some other industry icons, including: Doug Cutting, co-creator of Hadoop; Neha Narkhede, co-founder and CTO of Apache Kafka; Charles Nutter, co-leader of JRuby, Graeme Rocher, creator of Grails and Micronaut; and Guido van Rossum; creator of Python.

The great news about the chat is, attendees will get a chance to ask these luminaries questions during an audience Q&A.

And then there's the Blockchain Beer demo. There are a half dozen cool demos planned for the event, but this is the one, not surprisingly, generating the buzz.

For this demo, Oracle instrumented the entire operation of a Bay Area brewer, Alpha Acid Brewing Company, with IoT sensors, and coordinated with its suppliers (GigaYeast in San Jose, Admiral Malting in Alameda, and a hops farm in Gilroy) to collect data into a distributed blockchain ledger. The result: a QR code on the labels that, when scanned, shows the full history of the beverage, from farm to bottle.

"One of the things I love about doing projects like this is they expose small businesses doing interesting things," Chin said. "GigaYeast, for example, is working with local universities on specific strains of yeast that generate flavors and essences that taste like hops, so you get a hoppier beer without adding more hops.

Oracle was written up in the San Francisco edition of Eater, on this project, which I'm sure is a media first for Oracle.

The first official Oracle Code One keynote is set for Tuesday. Matt Thompson, Oracle's VP of Developer Engagement and Evangelism will be presenting. He'll be joined by Amit Zavery, Executive, Vice President of Fusion Middleware and PaaS Development at Oracle, and Siddhartha Agarwal, Group Vice President of Product Management and Strategy for Oracle Cloud Platform. The keynote will "explore topics ranging from managed Kubernetes and serverless functions to blockchain and intelligent digital assistants powered by chatbot technology," the company said.

Lots of other stuff to see and do at this year's show, including the big CloudFest concert on Wednesday night. You won't even notice the rebranding.

Oracle CodeOne, which runs Oct. 22-25, will be held at Moscone West.

Posted by John K. Waters on 10/16/2018 at 3:13 PM0 comments


Eclipse Launches New Kubernetes Working Group for IOT, Edge Computing

The Eclipse Foundation is joining forces with the Cloud Native Computing Foundation (CNCF) to form a new Eclipse working group focused on improving Kubernetes IoT and edge deployments, the two organizations recently announced. The Kubernetes IoT Edge Working Group will address "surging demand" for Kubernetes in IoT cloud and edge environments, they said.

The working group is also supported by several industry heavy hitters who are betting big on Kubernetes, including Red Hat, Bosch, Eurotech, InfluxData, Siemens, Vapor IO, and VMware.

But it's actually more accurate to say that the new working group is a collaboration among the 40-member Eclipse IoT Working Group and the Kubernetes community, explained the Eclipse Foundation's Executive Director, Mike Milinkovich.

"We saw that there were highly complementary technologies being worked on by our two groups," Milinkovich told me. "It just made sense to pull the members together, so they could collaborate on defining the terminology, identifying the gaps in deployment and management, put standard metrics in place, identify open source projects that could help, and just generally educate the market on common use cases and typical scenarios for IoT solutions."

The complexity of orchestrating IoT systems is a problem domain for which Kubernetes is a perfect fit, Milinkovich added.

"Companies with commercial interests in IoT are facing a common set of infrastructure challenges at the edge," said Dejan Bosanac, Red Hat engineer and lead of the new working group, in a statement. "IoT and edge applications have many distributed components that don't usually sit together within the same datacenter infrastructure. There are messaging challenges, security has to be re-invented for every application and service, and there are integration and data locality issues with sidecar services. These are issues that shouldn't have to be re-invented every time; they should be open source infrastructure with broad industry support."

Red Hat sees "broad potential" for Kubernetes sitting between gateways, edge nodes, and cloud platforms, said Bosanac. "Much like the LAMP stack was instrumental to the client-server era, this group is focused on accelerating a Kubernetes stack for running cloud infrastructure and distributed components at the IoT edge," he said.

To get everybody's favorite container orchestration platform IoT-and-edge-ready, the working group will focus first on evolving Kubernetes to support IoT workloads at the edge (a $2.1 trillion market by 2021, according to IDC), and defining key use cases and requirements, Milinkovich said. Several areas that need improvement have already been identified. If Kubernetes is going to work in Industrial IoT (IIoT) applications, for example, the ingress layer must scale to millions of connections. That same layer must provide first-class support for IIoT messaging protocols. And Kubernetes must support multi-tenancy for environments where devices and gateways are shared.

"As you're building out IoT use cases, and in particular Industrial IoT use cases, you pretty quickly get into extremely large-scale scenarios -- millions of devices, hundreds of thousands of IoT gateways, and the scale of the data is enormous," Milinkovich said. "Ultimately, you need to get that data into a cloud infrastructure, so it can be dealt with at cloud scale and connected to the business processes."

Milinkovich also wrote about the new working group in a blog post, which I recommend. Here's a quote from the blog:

"Enterprises are being catapulted into system resource engineering concepts that have been the bedrock of operations at web-scale leaders like Google and Netflix, and the open source stack underneath it all is evolving so fast it's hard to keep up. Kubernetes is attracting all sorts of exciting frameworks and services (see projects like Istio and Envoy), and no one could have anticipated it having this degree of momentum."

The CNCF, which is part of The Linux Foundation, hosts some of the key components of cloud native software stacks, including Kubernetes and the Prometheus systems and service monitoring system.

Posted by John K. Waters on 09/26/2018 at 11:31 AM0 comments


Surging Interest in Jakarta EE and IoT Drive Recent Spate of New Eclipse Foundation Memberships

What the Eclipse Foundation is describing as a "surge" of interest in both enterprise Java (Jakarta EE) and the activities of the Eclipse IoT community led to a spike in new memberships last month. The standards organization behind 350 open source projects and home of the Eclipse IDE added 16 new member organizations in August to its roster of 275 members.

The list of new members includes Advantest Europe GmbH, Baloise Holding AG, Cirrus Link Solutions, Cloudbees, Codescoop Oy, Fujitsu, iJUG, Inductive Automation, Istanbul JUG, Karakun AG, Kynetics LLC, Liferay, Lightbend, London Java Community, Mettenmeier, Mindus, Mizuho International, Nanjing Glaway, Pacific Northwest National Laboratory, RTD Embedded Technologies, Toyota, Tuev Sued Auto Services, Useopen Middleware and V2Com.

The Foundation is focused on creating an environment for successful open source projects, and to promote the adoption of Eclipse technology in commercial and open source solutions.

"Throughout the 14-year history of the Eclipse Foundation, our focus has been on fostering successful open source projects using a member and community-driven process to enable commercial adoption," said Mike Milinkovich, the Foundation's Executive Director, in a statement. "This is one of the most exciting periods in the Foundation's history, particularly as the enterprise Java stack re-imagines itself for cloud-native use cases via Jakarta EE, and as commercial adoption of IoT continues to explode with Eclipse IoT projects at the center of this innovation."

According to Milinkovich, seven of the Foundation's new members said they joined specifically to contribute to the evolution of Jakarta EE, and several expressed interest in participating in the Eclipse IoT Working Group, an industry collaboration of companies that invest and promote an open source community for IoT. Eclipse IoT currently includes more than 40-member companies working on 35 open source projects for IoT devices, gateways, and cloud platforms.

Another draw: the Foundation's new open source governance model and a "cloud native Java" path forward for Jakarta EE, which the organization unveiled in April.

"Ultimately, what we are trying to do here is to take a technology that is approaching its 20th birthday and give it a whole new life," Milinkovich told ADTmag in an earlier interview. "I have to say, when I talk to people, whether it's in person or through the mailing list, there is still an enormous amount of energy and passion in the Java EE community. If we can tap into that and give developers the tools they need on this platform to be successful in this new cloud-native, microservices-centric kind of world, they're going to love what's coming out of the Jakarta EE projects. This is an opportunity for this community to get a whole second generation of technology and momentum, and that's really what we are working very, very hard toward."

Posted by John K. Waters on 09/12/2018 at 7:49 AM0 comments


Appeals Court Refuses to Hear Latest in $8.8 Billion Java Copyright Dispute

And so, finally, after eight long years, can this really be the end of the seemingly immortal court battle between Oracle and Google over those 37 Java APIs? The answer is ... probably not.

This week a U.S. Federal Circuit Court of Appeals declined to re-hear the case (Oracle America v. Google LLC) in which it found Google to be in violation of Oracle's copyright of those infamous APIs in its Android OS by a panel, or en blanc. Google can still appeal the ruling to the Supreme Court, but that court refused to hear an earlier appeal.

If Google appeals again and the Supremes demure again, the next step is a jury hearing to determine damages. Why take another run at the big court? Oracle is claiming $8.8 billion in damages, which is a lot of money, even for Alphabet's search giant.

In March, the appeals court ruled that Google's use the Java APIs in its Android OS was not protected under the fair use provision of U.S. copyright law. The U.S. Court of Appeals for the Federal Circuit sent the case back to a judge in San Francisco for a trial to decide how much the search engine giant will have to pay.

Oracle originally sued Google in 2010. Google's argument that its use of the Java APIs was allowed under the "fair use" provisions of the federal copyright law, and therefore did not infringe on Oracle-owned copyrights failed to persuade the court. "There is nothing fair about taking a copyrighted work verbatim and using it for the same purpose and function as the original in a competing platform," a panel of three Federal Circuit judges wrote in their March opinion.

What the appeals court found initially was that the declaration code in Oracle's API packages, which Google copied verbatim, was copyrightable. Google developed the implementation code independently, so that wasn't at issue. The court found that the Oracle code had not been merged with the functions performed by the code; that combinations of short code phrases, such as those used in the APIs, can be copyrightable; and the fact that the code serves a function does not preclude its copyrightability if, as the court put it, "the author had multiple ways to express the underlying idea" at the time of creation of the code.

Given the stakes, I think we can expect one more round.

Posted by John K. Waters on 08/29/2018 at 1:40 PM0 comments


Lightweight Javalin Framework Already Moving Past Milestone

The lightweight Web framework for Kotlin and Java known as Javalin reached a milestone with the release of version 2.0 last week -- and then promptly issued a point release (v2.1) this week, underscoring the growing popularity of this type of minimalist framework in general and the momentum of this project in particular.

The fledgling Javalin framework is simple, lightweight, and flexible. It supports WebSockets, HTTP2, and async requests, and goes a long way toward making life easier for a range of developers. It's primary claim to fame, of course, is its "first class" interoperability between Kotlin and Java.

"Javalin is more library than framework," the Javalin team wrote in a blog post, "you don't need to extend anything, there are no @Annotations, no reflection, no other magic; just code."

Version 1.0 of the Javalin framework was released in November 2017. It actually started life as a fork of the Spark Framework, another simple Java/Kotlin Web framework, but the project evolved quickly into a "ground-up rewrite" influenced by express.js, an unopinionated, minimalist Web framework for Node.js. The framework runs on Eclipse Jetty, one of the most used and stable Web servers on the JVM.

The operative word for all of these frameworks is "lightweight." They were inspired, their contributors say, by Sinatra, a modern micro Web framework written in Ruby and considered the grandfather of these offerings. And the focus is on getting things done quickly and with a small amount of code.

A lot has changed since the last release -- more than 180 files, according to the Javalin team. Those changes included approximately 5,000 additions, 5,500 deletions, "which is more or less the entire code base," they said.

The popularity of Kotlin among Java developers has been growing steadily since JetBrains created and then open-sourced the statically typed programming language in 2011. The language compiles to both JVM byte code and JavaScript. JetBrains, the Prague-based maker of the venerable code-centric Java IDE IntelliJ IDEA, has claimed that Kotlin is more stable at runtime than Java, because it can statically check weak points and supports things like variable type interface, closures, extension functions, and mix-ins. It's also less verbose than Java, which means devs can write less code with a more readable syntax. During a memorable keynote demo at the 2017 Google I/O conference, Google's Android team showed an example of how Kotlin could accomplish in one line of code the same thing that required 87 lines of Java code.

The Javalin project code files and details are available on GitHub. A complete list of the changes between the 1.0 and 2.0 release can be found here.

Posted by John K. Waters on 08/28/2018 at 4:29 PM0 comments


The 16th Annual Duke's Choice Award Nominations Are In!

The nominations for the 16th annual Duke's Choice Awards closed this week. The winners will be announced at The Developer Conference Formerly Known as JavaOne in October. (Okay, it's Oracle Code One. I'll get used to it eventually.)

Duke, of course, is the official Java mascot, a red-nosed, triangular thingamajig that cartwheeled across our screens to oo's and ah's back in the day, when Java was the Green Project. He (I'm assuming here) was created by graphic artists, Joe Palrang, who would later work on animated movies, including "Shrek," "Over the Hedge" and "Flushed Away," and he/she/it was open sourced along with Java SE and Java ME in 2006.

The awards named for the little guy "celebrate extreme innovation using Java technology," Oracle says on its Web site. Big O is running the event, of course, but the nominations come from the community. Nominations from just about anyone are accepted, including Oracle employees and ambitious self-promoters. You can nominate a project, person, product, service, or "any program related to Java innovation."

The judging levels the field, Oracle says: "The primary judging criterion for this prestigious award is innovation, putting small developer shops and individual developers on an equal footing with global giants."

Nine winners were selected last year in what I think was meant to be a nod to Java 9. All nine received full conference passes JavaOne, winner badges, and a Duke statue, inclusion in Oracle corporate social media programs, and perhaps most important, community recognition as elite members of the Java ecosystem.

While we wait for the results to be announced at Oracle Code One (See? I just needed five paragraphs to get there.) I think it worth re-acknowledging last year's winners. From a lightweight Docker interface to a tool designed to tackle the extremely complex challenges associated with optimal interplanetary trajectory design, it's an impressive lineup:

  1. Rapid Dashboard (Hakan Ozler)
    Lightweight Docker developer interface for Docker remote API.
  2. The Java Terminal Project (Rahman Usta)
    Provides the ability to run a fully featured terminal emulator on Linux, Mac and Windows. Supports Cloud and Web apps.
  3. Robo4J (Marcus Hirt & Miroslav Wengner)
    A framework to quickly start building and running robots and IoT devices.
  4. jHipster (Matt Raible)
    A development platform to develop and deploy Spring Boot + Angular Web applications and Spring microservices.
  5. On Board (Bert Ertman)
    Collects real-time sensor data from marine vessels to provide captains and crew performance info.
  6. U en Linea - Catholic University Luis Amigo (Hilmer Chona)
    Heart of the University information system started in 2010, has student developer input, and runs on Oracle VM server cluster with WebLogic and Oracle DB
  7. ControlsFX (Jonathan Giles)
    Library for developers of JavaFX applications with huge download stats.
  8. Deep Space Trajectory Explorer (Sean Phillips)
    Created to tackle the challenges of interplanetary trajectory design.
  9. Latin America Virtual JUG (Cesar Hernandez) Collaboration among Spanish speaking JUGs in Mexico, Colombia, Peru, Guatemala and Panama. Together, delivered a full day of Spanish content on Cloud Day Mexico City.

Posted by John K. Waters on 08/14/2018 at 2:51 PM0 comments


Apache NetBeans 9.0 Approaching Final Approval

The Apache Software Foundation (ASF) has been working hard on its first release of the NetBeans IDE since Oracle contributed the popular software development environment to the ASF in October 2016. The community has finally given a thumbs up to Apache NetBeans 9.0. All that's left is the tabulation of a final vote by the project management committee (PMC), the compilation of the results of a community survey, and the final vote by the incubator managers.

The ASF has gathered the final vote by the Podling Project Management Committee (PPMC) -- essentially, a group of community members charged with helping a nascent project, called a "podling," learn how to govern itself. According to the ASF, a PPMC works like a regular PMC, but reports to the Incubator PMC instead of the ASF Board. Initially, this group includes the podling's mentors and initial committers. The PPMC is directly responsible for the oversight of the podling, and it also decides who to add as a PPMC member. (Click here to read the related Apache NetBeans dev mail thread.)

The ASF is no longer accepting responses to the Apache NetBeans 9.0 Community Acceptance Survey, which focused on functionality. The results will be available, soon.

The ASF was set to begin the Apache NetBeans IPMC voting process on July 22, which enables members of the Apache Incubator to approve the release. It's all tentative at this point, but if all goes as planned, Apache NetBeans 9.0 will be released during the first weeks of August.

This first Apache NetBeans release is focused specifically on Java SE tooling. According to Geertjan Wielenga, Oracle product manager and developer advocate for open source projects, that's because NetBeans is so large; it will likely be the largest project under the aegis of the ASF once everything has been donated. This is a 20-plus-year-old project, he noted in a blog post, and it provides support for an enormous range of technologies. Because so many files needed to be audited before they could be donated to Apache, he said, the decision was made to donate NetBeans in pieces.

"And since NetBeans is modular," he explained, "doing an incremental donation was not difficult to architect. The first donation focused specifically on the underlying core, i.e., the NetBeans Platform (e.g., the module system, window system, menubar, etc.) and, to enable the result of the first donation to be usable for general users and not just NetBeans Platform developers, the various Java SE features were included too, e.g., Java project templates, Java editor, and new Java features such as support for Jigsaw, JLink, and JShell."

That first donation effectively constitutes Apache NetBeans 9.0. The second donation has been completed, which means Oracle has audited and donated all the modules for features providing support for JavaScript, PHP, Groovy, and Java EE. Those features are on a separate branch in the Apache NetBeans Git repo, and they will be integrated sometime after the 9.0 release. The next set of modules being audited prior to donation are related to C/C++, he said.

NetBeans continues to be a popular Java IDE (1.5 million active users, according to the community), but it has grown beyond Java to support C/C++, Groovy, PHP, JavaScript, and the HTML5 and CSS Web development standards.

Posted by John K. Waters on 07/25/2018 at 10:42 AM0 comments


Milinkovich on Eclipse's New Quarterly Release Train, the LSP and Progress on Jakarta

The annual Eclipse Release Train chugged out of the station right on time again this year, with 85 projects in tow, but with this release, the Eclipse Foundation threw a switch (pardon the tortured metaphor) that put the train on a much faster track. The new quarterly rolling release cadence, announced today, is more of a rebranding of a process started last year with the quarterly point releases of the Oxygen Release Train.

The Foundation's executive director, Mike Milinkovich, characterized the change as "the end of an era." And it has been a remarkable run: 13 years without a miss. That's a tough act to follow, and yet the Foundation actually raised the bar for itself with the new quarterly coordinated release schedule. And they did it while taking on responsibility for enterprise Java.

I couldn't help wondering if Milinkovich gets any sleep, but he reminded me that he's not in this alone.

"Because we do ship something that looks a lot like a product, and we keep to something that looks like a release schedule, people forget sometimes that we're not a vendor," he told me. "But I remind you every year that I don't get to tell anybody to do anything. The success of the release train speaks to the possibility within open source communities of doing things in a disciplined and predictable fashion. There's nothing about open source that prevents good software engineering practices, even product management practices."

He also reminded me that there are many projects in every release train not backed by corporations, but supported solely by individuals. What draws those individuals to this model, he said, is its predictable nature and the widespread adoption it promises. In other words, it gets their technology into the hands of millions of developers.

"That's catnip for developers," he said. "They know that this thing they're building is going to be used by millions of people -- which is totally understandable. The last thing you want to do is build something that nobody uses."

The faster release cadence is a huge change and a response to new, industry-wide expectations for faster releases. Or, as the Foundation put it in a release, it "demonstrates a commitment to keeping pace with evolving developer and commercial needs." That attention to this evolution can also be seen in the new native Eclipse IDE support for the Rust language and C# through Language Server based plugins. The Language Server Protocol (LSP) ecosystem delivers editing support for popular and emerging programming languages.

"I remember going to a JavaOne conference 20 years ago and hearing people say that Java was the last programming language we would ever need," Milinkovich said. "I didn't believe it then, and I think it's pretty obvious that no one believes that now. We live in a polyglot world. Lots of developers have to deal with multiple languages and multiple stacks. The ability to quickly add support for new languages in this way I think is very powerful and something that will serve the Eclipse community for many years to come."

Meanwhile, the Foundation continues its work on Jakarta EE, Milinkovich said. All of the projects have been created and provisioned, and code is going into them. He's expecting to see GlassFish builds in a few weeks available for download. Soon after, he expects to see a certified release as Java EE 8 compatible, which he sees as a major milestone.

"The hard work is still ahead," he said. "We're creating a specification organization, so there are lot of things we have to deal with that developers don't care about, but corporate lawyers love -- everything from patents to trademarks. Still a lot of heavy lifting to be done before Jakarta EE is truly up and running as the full successor to Java EE."

"Everything is going extremely well," he added, "in that we're having some tough conversations about difficult subjects, and everyone is being constructive and friendly. Things always take longer than you expect, but I'm optimistic that the process will continue ... and we'll get there soon."

Posted by John K. Waters on 06/27/2018 at 10:40 AM0 comments


Waratek's Giannakidis: Removing Serialization from Java Is Not the End of the Story

Last month, Oracle's chief architect, Mark Reinhold, said during a conference Q&A that one of Oracle's long-term goals is to change the way Java handles object serialization. In fact, he called the decision to adopt the current serialization feature a "horrible mistake," and a virtually endless source of security vulnerabilities.

Java object serialization is the process of converting an object into a stream of bytes for transport and storage. Oracle is currently planning to develop a plugin mechanism that will allow developers to choose a serialization format, such as XML, JSON, YAML. They'll also be able to choose the existing native serialization. Oracle says it is also developing a new, safe serialization format based on a new language feature called data classes, which is part of the project Amber.

Removing serialization is one of the goals of Project Amber, an OpenJDK project that aims to "explore and incubate smaller, productivity-oriented Java language features that have been accepted as candidate JEPs under the OpenJDK JEP process," the project page explains, including lambda leftovers, pattern matching, local-variable syntax for lambda parameters, switch expressions, and raw string literals. Announced last year, the project is being led by Oracle's rockstar Java architect Brian Goetz. He discusses his ideas around "the possible direction of data classes in a blog post.

Apostolos Giannakidis, security analyst at Waratek, a Dublin-based app security tools provider with a special focus on Java, is one of my go-to Java security experts. He does work for a security products vendor, but his insights are always spot on. He shared his thoughts on these long-time-coming changes in a recent blog post, with the subtitle "Oracle has declared an end to Java's serialization approach, but that's not the end of the story."

"There is little doubt that serialization issues plague Java and that addressing the underlying causes will benefit the Java community," Giannakidis wrote. "But how long will it take to bring a new approach to the market, and will simply replacing the old serialization mechanism with a new approach end the issue?"

Among his concerns: removing the existing serialization mechanism will take at least a couple of years. "The current approach to serialization is two decades old and is the foundation of hundreds of Java SE components," he wrote. "Even when an alternative approach becomes available, Oracle will likely keep native serialization as an option just to maintain backwards compatibility for a few more years."

He also worries that enterprise middleware, servers, and higher-level protocols (such as RMI, JMX, JMS, etc.), which depend on Java's native serialization, are going to be very difficult to change. Software vendors might need years to switch to any alternative technology. And backwards compatibility will be a big issue.

"Even if all the above issues are resolved, deserialization vulnerabilities are not going away," he wrote. "Java's native serialization is not the only flawed serialization technology. XML and JSON deserialization vulnerabilities exist and are real threats to enterprises. In the recent months, attackers exploited these vulnerabilities (such as CVE-2017-9805) to infect with crypto-mining malware their targets."

Deserialization reverses the process when the data is received. It can also be used to reconstruct an object graph from a stream.

While Oracle gets its arms around its serialization-removal plan, legacy servers and applications will continue to be vulnerable, Giannakidis warned. "It is difficult now for most organizations to keep pace with Java updates," he wrote. "Oracle's co-CEO Mark Hurd recently acknowledged that Java users typically run months to years behind in patching. Upgrading versions or rewriting apps takes even longer, if practical.

He also warned that non-Java shops should be worried about deserialization issues, because Java isn't the only platform affected by it. .NET, Ruby, PHP, Python, and others are all subject to deserialization vulnerabilities.

Posted by John K. Waters on 06/11/2018 at 10:40 AM0 comments


Most   Popular
Upcoming Events

AppTrends

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.