Security woes leave Java 8 delayed
Need to patch emergency client-side vulnerabilities has left Project Lambda out in the lurch, says Java chief architect.
Java 8 is unlikely to ship until next year as a consequence of the platform’s recent applet-based security issues. According to Mark Reinhold, chief architect of the Java platform, Oracle’s efforts to patch these holes “have inevitably taken engineers away from working on Java 8”.
With the planned September release “no longer achievable”, Reinhold wrote on his blog, something has to give: either dropping closure implementation ‘Project Lambda’ altogether, rushing its development, or pushing the schedule back to provide extra time. He said that, in his own opinion, the latter was the “least-bad” option.
If the development team agree to the proposed new schedule, Java 8 will go GA on 3 March 2014 – six months later than originally planned.
“We’d use the additional time to stabilize, polish, and fine-tune the features that we already have,” said Reinhold, though he was keen to emphasise that this would not result in a “flood” of last-minute additions. Only “a select few” additional features would be considered, “especially in areas related to security”.
It’s not the first setback the long-awaited next version of Java has faced. Project Jigsaw, an ambitious attempt to modularise the platform, was pushed back to Java 9 last September. Earlier this year, there were already signs that Java 8 was behind schedule, with important features missing milestones and delays to the developer preview.
However, this is the first time that Java’s high-profile security vulnerabilities – which mostly only affect browser-based applets – have been revealed to have an impact on the development of the language itself.
While many commenters agreed with Reinhold’s proposal (“No one wants to be stuck with another java.util.Date”, wrote one), others expressed disappointment that resources were being diverted to the aging client-side aspect of the language.
“How about dropping Applets and Webstart instead, if it is taking so much resource,” asked one. “A minority of people use it and it gives Java a bad name when in fact server and client side is super robust.”
Reinhold’s proposal is not set in stone, and on the jdk8-dev mailing list said he was still “open to suggestions”. However, it now seems highly unlikely that Java 8 will be released before the end of this year.