Oracle has decided to delay the release of Java 8 in order to address fundamental security concerns for the beleaguered technology.
Currently scheduled for September 2013, Oracle is now planning a general availability for Java 8 sometime in the first quarter of 2014. This would push JDK 9 from 2015 to early 2016. Java 8 was originally scheduled for late 2012 but was delayed when Java 7 had issues during development.
“We should be able to complete the browser-related security work to which we’ve committed and then resume a regular two-year release cadence, with Java 8 due in early 2014 and Java 9 in early 2016,” Mark Reinhold, chief architect of Oracle’s Java platform group, wrote on his blog.
The delay in Java 8 has a lot to do with the number of security vulnerabilities in Java identified earlier this year. Oracle released several out-of-band updates, as well as two gargantuan patches in February and April to fix many of the security issues.
Investigating and addressing security flaws takes a lot of time and effort, and many Oracle engineers were taken off the Java 8 effort in order to address many of the issues, Reinhold wrote. Oracle has mounted an “intense effort to address those issues” and upgraded its development processes to “increase the level of scrutiny applied to new code so that new code doesn’t introduce new vulnerabilities,” Reinhold said.
“Maintaining the security of the Java Platform always takes priority over developing new features, and so these efforts have inevitably taken engineers away from working on Java 8,” said Reinhold.
The company could reduce the time for feedback and testing in order to meet the original general availability date, but it would run counter to Oracle’s new commitment to security. Reinhold said that would just put Java 8 down the same path earlier versions of Java are currently mired in.
“If we sacrifice quality in order to maintain the schedule then we’ll almost certainly repeat the well-worn mistakes of the past, carving incomplete language changes and API designs into virtual stone where millions of developers will have to work around their flaws for years to come until those features-or the entire Platform-are replaced by something new,” Reinhold said.
Oracle “got it right” by redirecting its engineering effort away from Java 8 to focus on fixing security issues in the current version of Java, said Amol Sarwate, directory of Qualys Vulnerability Labs. Oracle has acknowledged the seriousness of Java security flaws and this decision confirms their resolve to fix the issues, he said.”In my opinion, the delay in release of Java 8 is worth the wait,” Sarwate said.
Instead of delaying Java 8, one option was to restrict features in the component JSR 335, dubbed Project Lambda, or dropping it entirely, Reinhold said. However, the project is considered to be one of the largest significant enhancement to the programming language made since 2004, and a Lambda-less release this year would be “unlikely to gain wide adoption,” Reinhold said. There would be no point in releasing a version no one would bother with just to stick to a schedule.
This decision also makes it more likely that Java 8 will include all security fixes of Java 7, but also that it will go through a thorough security testing cycle, Sarwate said.
Oracle is “committed to continue fixing security issues at an accelerated pace, to enhance the Java security model, and to introduce new security features,” Reinhold said. Dropping features from Java 8 will not free up the time and engineers needed as part of the revamp effort. Delaying the general availability release for Java 8 was a “consequence” of this renewed focus on security, Reinhold said.
The tech giant has promised to make security in Java a priority. “The plan for Java security is really simple,” Milton Smith, the security lead for Java told developers and stakeholders on a conference call in January. “It’s to get Java fixed up, number one, and then, number two, to communicate our efforts widely,” Smith said.
Oracle’s renewed focus on security is reminiscent of Microsoft in the early 2000s, when the software giant made security a top priority for the company, implemented new processes and procedures to ensure security was baked-in at all aspects of development. It will be interesting to see how successful Oracle will be with improving security in Java.
