Lambda lags

Security woes leave Java 8 delayed

Elliot Bentley

Need to patch emergency client-side vulnerabilities has left Project Lambda out in the lurch, says Java chief architect.

Java 8 is unlikely to
ship until next year as a consequence of the platform’s recent
applet-based security issues. According to Mark Reinhold, chief
architect of the Java platform, Oracle’s efforts to patch these
holes “have inevitably taken engineers away from working on Java

With the planned September release “no longer
achievable”, Reinhold wrote on his blog,
something has to give: either dropping closure implementation
‘Project Lambda’ altogether, rushing its development, or pushing
the schedule back to provide extra time. He said that, in his own
opinion, the latter was the “least-bad” option.

If the development team agree to the proposed new
schedule, Java 8 will go GA on 3 March 2014 – six months later than
originally planned.

“We’d use the additional time to stabilize, polish,
and fine-tune the features that we already have,” said Reinhold,
though he was keen to emphasise that this would not result in a
“flood” of last-minute additions. Only “a select few” additional
features would be considered, “especially in areas related to

It’s not the first setback the long-awaited next
version of Java has faced. Project Jigsaw, an ambitious attempt to
modularise the platform, was
pushed back to Java 9
last September. Earlier this year, there
were already signs that Java 8 was
behind schedule
, with important features missing milestones and
delays to the developer preview.

However, this is the first time that Java’s
security vulnerabilities
– which mostly only affect
browser-based applets – have been revealed to have an impact on the
development of the language itself.

While many commenters agreed with Reinhold’s proposal
(“No one wants to be stuck with another java.util.Date”, wrote
one), others expressed disappointment that resources were being
diverted to the aging client-side aspect of the language.

“How about dropping Applets and Webstart instead, if
it is taking so much resource,” asked one. “A minority of people
use it and it gives Java a bad name when in fact server and client
side is super robust.”

Reinhold’s proposal is not set in stone, and on the

jdk8-dev mailing list
said he was still “open to suggestions”.
However, it now seems highly unlikely that Java 8 will be released
before the end of this year.

comments powered by Disqus