Java 7 Adoption at 79%

According to a recent blog post from the cloud hosting company Jelastic, Java 7 adoption on their platform is now at 79%. While this is a single data point and should not be read too broadly, it does match other indicators we have that Java 7 is picking up, such as uptake among Oracle middleware customers, download statistics and online activity. The spike in adoption in April coincided with the release of JDK 7 Update 4. This is in line with our expectations, since that release added Mac OS X support and was accompanied by java.com moving to Java 7 as the default download for end users, two events that marked the maturity of Java 7 to the community.

Since the original release of Java 7, Oracle has shipped 7 update releases, added ports to Mac OS X and Linux/ARM, and expanded JavaFX to all common desktop platforms.

Comments:

is a good

Posted by aboubakar siddiki on September 18, 2012 at 12:44 PM PDT #

Hi Henrik

Being a staunch Java supporter, I've wanted to comment on the recent JRE 7 updates (update 6 and 7) and the negative publicity they have received on the Internet around security. I found it affected me quite directly: Before JRE 7 update 6 was released I was considering giving JavaFX a try in a new RIA side project. At the time I was a bit hesitant, wondering whether Java 7 (being still relatively new) was secure enough yet. However, with the release of update 6 I thought I’ll go ahead. When news of the security issues in update 6 surfaced, however, I realized I could not risk asking clients to enable the latest Java 7 plug-in in their web browsers. So against my will I have to opt for a different technology (for now).

Since then I’ve read a number of articles. One article describes the situation very well: Due to OS and web browsers becoming more and more secure, hackers have started targeting third-party browser plug-ins / add-ons. Because of Java's ubiquity, because it runs on all the popular OSes and is available as a browser plug-in, it currently gives hackers the biggest return on investment. As Oracle fixes the Java security issues going forward, it will eventually reach the point where the hackers will have to start looking for new low hanging fruit. So Java is just being forced down the same bumpy road the OSes and web browsers have already run.

In view of the above I would like to make a few suggestions:

- One question that must have occurred to many a Java user affected by the security issues is, couldn’t Oracle build a relationship with the security research companies that find and announce the security flaws in the JRE? Couldn’t Oracle proactively provide a pre-release of each JRE update to them and ask them to look for security holes? They might well charge a fee, but would it not be worth the investment?

- Another idea based on the concept of crowdsourcing, which is taking root more and more, couldn’t Oracle make a pre-release of a JRE / JRE update available on the Internet and ask the security community to look for holes and report them? Kaspersky Lab has done something similar more than once (http://www.wired.com/threatlevel/2012/08/gauss-mystery-payload/). Furthermore, if one wants the hacker community to also participate, one could announce a competition with a prize for the person/group finding the most holes :-).

- JavaFX holds a lot of potential as a RIA technology. I think it would be prudent to not wait until JavaFX becomes as popular and ubiquitous as Java itself (let’s be optimistic), before hardening it from a security point of view. So perhaps the security community should also be requested to look for holes in it. (As a side note, some kind of competition for the “best” real-world JavaFX RIA may also help stimulate the uptake of JavaFX – once the security issues in Java 7 have been addressed to the point that not every security expert on the Internet recommends that end users disable the Java browser plug-in or completely uninstall Java if they do not need it.)

I honestly think that reaching out to the community and using some crowdsourcing methodology will not only show that Oracle is serious about addressing these security issues, it will also positively engage the community.

Sincerely
Klaas

Posted by Klaas Bredenkamp on September 27, 2012 at 11:42 PM PDT #

Klaas - Thank you for your thoughtful and encouraging comments. You are absolutely right about the challenge faced by widely used technologies such as Java; the more common and popular, the more attractive a target. On the suggestion of pre-release, our Java implementation is open source (with very few exceptions) and pre-release builds are published on an ongoing basis on java.net and there are several channels open for providing feedback either directly to Oracle, or to the OpenJDK community. Although I am not able to comment on details in this forum, we do cooperate with security researchers and have a well-established program in place for managing security issues (see http://www.oracle.com/us/support/assurance/fixing-policies/index.html). Also, if you happen to be at JavaOne this year, we have a session going through how our security processes work and what we are doing to improve security in the Java platform (CON12803 - Making the Future Secure with Java, Monday 8:30).

Posted by Henrik on September 28, 2012 at 09:03 AM PDT #

About

Henrik Stahl is VP of Product Management in the Java Platform Group at Oracle, and is responsible for product strategy for Java ME and SE.
