Frank talk with JUG leaders

Java security needs to be “fixed”, admitted Oracle staff in a frank conversation with Java user group (JUG) leaders.

The recorded phone call, which is 52 minutes long, was published by Oracle late last week and features Milton Smith, Java security lead, and Donald Smith, Director of Product Management on OpenJDK.

The two Smiths said that Oracle’s two priorities are to “fix Java” and increase communication with developers. “No amount of talking or schmoozing over is going to make anyone happy or do anything for us,” admitted Milton Smith. “We have to fix Java, and we have been doing that.”

A “communication plan” is currently being put together, he said, in order to increase their own transparency and ensure incorrect information isn’t spread. “We’re a very small group and it’s oftentimes frustrating to get a message out. So even when we get all the approvals we need, sometimes understanding how to get a message out is challenging.”

This could potentially include increased outreach to JUG leaders, talks at conferences, and possibly even a dedicated JavaOne security track. The current Java security alerts are “probably” too technical for most, they admitted, and there has been widespread confusion over whether the recent vulnerabilities affect Java outside of the desktop.

The JUG leaders present in the conference call raised several concerns particularly relating to Java’s desktop installer, which has also received criticism after a ZDNet article highlighted Java’s bundling with third-party software.

Donald Smith said it was “not a new business [..] this is something that Sun initiated a long time ago.” However, he said he was bound by commercial agreements and couldn’t discuss the issue further.

Questioned as to why the Ask toolbar installs ten minutes after Java, he replied: “That would be an example of the kind of information that I would love to be able to share why things are done that way, that I couldn’t unilaterally do.

“I hear you, I agree that on the surface when you look at it it’s like ‘why is that that way?’ and it could be that we are never able to give a satisfactory answer but I hope at some point we’ll be able to clarify what that’s about and why.”

JUG leaders also asked if Java could be given an auto-updating mechanism, as seen in Chrome or Flash Player. “There’s no plans to do it, but there’s no plans to not do it, and it is a topic that is in constant discussion,” said Donald Smith. “It has been talked about.”

“The challenge is of course that you get – if that was a feature that came out, you have an ecosystem with a long history of it not working that way, and you would suddenly have a large segment of people saying ‘how do I prevent this from happening?’”

He ended the phone call by asserting how much the Java development team appreciate feedback from the community, assuring that “every message that comes through [on the mailing list] is read and passed along and considered carefully”.

Oracle’s pledges of transparency and responsiveness to feedback can only be a good thing. However, the delivery of this information – within an obscure 52-minute MP3 rather than, say, an easy-to-digest blog post – merely exemplifies the communication issues discussed within the conversation.