News

Oracle: Renewed Security Focus Will Delay Java 8

• By John K. Waters
• April 18, 2013

Oracle appears to have shifted significant material resources to work on the Java-based browser security vulnerabilities that have grabbed headlines over the past two years -- so many resources that development of new features in the Java platform have been delayed.

In a blog posted Thursday, Mark Reinhold, chief architect of the Java Platform Group, wrote that maintaining Java security "always takes priority over developing new features," which is why some features planned for Java 8 slipped past Milestone 6 (M6) at the end of January, the original feature-complete target.

"…Oracle is committed to continue fixing security issues at an accelerated pace, to enhance the Java security model, and to introduce new security features," Reinhold wrote. "This work will require more engineer hours than we can free up by dropping features from Java 8 or otherwise reducing the scope of the release at this stage...As a consequence of this renewed focus on security the Java 8 schedule, with a GA release in early September, is no longer achievable."

The biggest feature to slip past M6, Reinhold noted, was Project Lambda (JSR-335), which adds closures and related features to the Java language to support programming in multicore environments. Reinhold called it "the sole driving feature of the release," adding:

"We integrated the language and VM changes for Lambda late last year, but between all the moving parts involved and the security work it's taken a bit longer than expected to put the finishing touches on the stream API and the related core-libraries enhancements (JEPs 107 and 109). Our best estimate right now is that we can finish this work by early May, about three months later than planned."

Delaying the release of Java 8 is probably a small price to pay for better security, said IDC analyst Al Hilwa.

"The recent security response [of Oracle] has been sizeable," Hilwa told ADTmag in an e-mail, "and now we know that it represented an important shift of resources and priorities. In my opinion, the small delay in the Java release schedule are a worthwhile tradeoff. What is new in the security response is that Oracle is taking a long-term and systemic approach, which absolutely the right thing to do for Java."

In January, Oracle's senior product security manager, Milton Smith, told Java User Group (JUG) leaders during a conference call, "The plan for Java security is really simple: It's to get Java fixed up -- number one -- and then, number two, to communicate our efforts widely. We really can't have one without the other. No amount of talking or smoothing over is going to make anybody happy or do anything for us. We have got to fix Java…"

Oracle has been criticized for its handling of Java security, and questions have arisen about the future of client-side Java. Forrester Research analyst Mike Gualtieri told ADTmag in an earlier interview that the steady surfacing of Java security vulnerabilities could kill any chance that Java will play a bigger role on the desktop or mobile devices in the future. Hilwa pointed out that any add-on to a browser is going to increase the surface area for security attacks. But he also pointed out that Oracle complicates things by bundling the Java browser extension with the Java runtime environment (JRE).

Reinhold argued that, with Lambda nearly complete, it makes sense to delay the release of Java 8 just a bit.

"If we can finish the remaining design and development work by early May then we should be able to test and stabilize the build over the summer and ship a solid Developer Preview release in early September," he wrote.

He added his opinion that "it's best to structure the Java development process as a continuous pipeline of innovation that's only loosely coupled to a regular, rhythmic release process. If a major feature misses its intended release train then that's unfortunate but it's not the end of the world: It will be on the next train, which will also leave at a predictable time."

IDC believes that the existing feature-driven Java release schedule is likely to be with us for a while.

"JDK 8 is in many ways the Lambda release at this point," Hilwa said. "It is always a concern when release dates slip, but under the circumstances the team is prioritizing the right work, namely a deeper security review.  Platform technology like Java are difficult to stabilize and a shift to a schedule-oriented release strategy may not be easy to adopt in the short term."