Your one-stop web resource providing safety and security information to manufacturers

Everyone knows Java has been a security nightmare for users and for Oracle, so the scheduled release of Java 8 is shifting from September 2013, to the first quarter in 2014.

With this shift, Oracle would push JDK 9 from 2015 to early 2016. Java 8 originally was on the slate for late 2012 but ended up delayed when Java 7 had issues during development.

Java Exploit in New Kit
Java Patched; New Holes Found
Oracle Fixes 128 Vulnerabilities
Java 7 Security Update Fills Holes

“We should be able to complete the browser-related security work to which we’ve committed and then resume a regular two-year release cadence, with Java 8 due in early 2014 and Java 9 in early 2016,” said Mark Reinhold, chief architect of Oracle’s Java platform group.

The delay in Java 8 has a lot to do with the number of security vulnerabilities in Java identified earlier this year. Oracle released several out-of-band updates, as well as two huge patches in February and April to fix the security issues.

Cyber Security

Investigating and addressing security flaws takes a lot of time and effort, and Oracle took engineers off the Java 8 effort in order to address the issues, Reinhold wrote. Oracle will now offer an “intense effort to address those issues” and upgrade its development processes to “increase the level of scrutiny applied to new code so that new code doesn’t introduce new vulnerabilities,” Reinhold said.

“Maintaining the security of the Java Platform always takes priority over developing new features, and so these efforts have inevitably taken engineers away from working on Java 8,” Reinhold said.

The company could reduce the time for feedback and testing in order to meet the original general availability date, but it would run counter to Oracle’s new commitment to security. Reinhold said that would just put Java 8 down the same path earlier versions of Java are currently mired in.

“If we sacrifice quality in order to maintain the schedule then we’ll almost certainly repeat the well-worn mistakes of the past, carving incomplete language changes and API designs into virtual stone where millions of developers will have to work around their flaws for years to come until those features-or the entire Platform-are replaced by something new,” Reinhold said.

Instead of delaying Java 8, one option was to restrict features in the component JSR 335, dubbed Project Lambda, or dropping it entirely, Reinhold said. However, the project is considered to be one of the largest significant enhancement to the programming language made since 2004, and a Lambda-less release this year would be “unlikely to gain wide adoption,” Reinhold said. There would be no point in releasing a version no one would bother with just to stick to a schedule.

Oracle is “committed to continue fixing security issues at an accelerated pace, to enhance the Java security model, and to introduce new security features,” Reinhold said. Dropping features from Java 8 will not free up the time and engineers needed as part of the revamp effort. Delaying the general availability release for Java 8 was a “consequence” of this renewed focus on security, Reinhold said.

Pin It on Pinterest

Share This