Author Topic: Complaining about Java  (Read 2198 times)


Offline Fury

  • The Curmudgeon
  • 213
Complaining about Java
Additionally, there is a critical point about the recent Java security vulnerabilities that isn't being emphasized: they apply to Java applets rather than Java applications.  Java applets are what run in your browser, and they tend not to be popular these days because everyone prefers alternatives such as Flash -- which is one of the reasons Oracle was caught off-guard.  Java applications are what run on your desktop.  The FSO Installer is a Java application.  If you disable all your Java browser plugins, you'll be fully protected from all the security exploits, and you'll still be able to run the Installer.
People are stupid, they don't know the difference between applets and applications. They don't know how to protect themselves once they have Java installed. And having JRE as a requirement to run the installer would just serve as an additional support headache.

I would strongly recommend compiling native Windows, Linux and OS X executables from your Java codebase with help from GCJ. That way you can maintain a single codebase (in Java) for the launcher and still provide native executables without the extra support overhead of requiring JRE or unintentionally and potentially exposing people to Java exploits, through browser or otherwise. Chief already has experience in multi-platform compiling; adapting that for this project and GCJ should provide the best results in the long term. IMO anyway.
« Last Edit: March 19, 2013, 11:24:50 am by Fury »

 

Offline Goober5000

  • HLP Loremaster
  • Administrator
  • 214
Re: Complaining about Java
People are stupid, they don't know the difference between applets and applications. They don't know how to protect themselves once they have Java installed. And having JRE as a requirement to run the installer would just serve as an additional support headache.
People are highly likely to have Java installed already.  And it's not like Java is some obscure prerequisite.

Quote
I would strongly recommend compiling native Windows, Linux and OS X executables from your Java codebase with help from GCJ. That way you can maintain a single codebase (in Java) for the launcher and still provide native executables without the extra support overhead of requiring JRE or unintentionally and potentially exposing people to Java exploits, through browser or otherwise. Chief already has experience in multi-platform compiling; adapting that for this project and GCJ should provide the best results in the long term. IMO anyway.
This will be worth investigating.

 

Offline Mongoose

  • Rikki-Tikki-Tavi
  • Global Moderator
  • 212
  • This brain for rent.
Re: Complaining about Java
Ability to formulate sentences this early should not be done without the proper stimulants.. Like coffee.
Or java, perhaps? :nervous:

 
 

Offline jg18

  • A very happy zod
  • 210
  • can do more than spellcheck
Re: Complaining about Java
People are stupid, they don't know the difference between applets and applications. They don't know how to protect themselves once they have Java installed. And having JRE as a requirement to run the installer would just serve as an additional support headache.
People are highly likely to have Java installed already.  And it's not like Java is some obscure prerequisite.
This. Has the Java prereq been a serious problem in the past?

I would strongly recommend compiling native Windows, Linux and OS X executables from your Java codebase with help from GCJ. That way you can maintain a single codebase (in Java) for the launcher and still provide native executables without the extra support overhead of requiring JRE or unintentionally and potentially exposing people to Java exploits, through browser or otherwise. Chief already has experience in multi-platform compiling; adapting that for this project and GCJ should provide the best results in the long term. IMO anyway.
This will be worth investigating.
GCJ hasn't been updated in years, nor is it likely to be complete enough to be able to compile the installer. I wouldn't count on it.


Also, don't you think it's a wee bit presumptuous to be crowned "Installer Dude" when you haven't produced a beta yet? :P


EDIT: Re: Java and browser security, some browsers (such as Firefox) now disable the Java plug-in by default as a security precaution. So security concerns may not be quite as serious as they appear.
« Last Edit: March 22, 2013, 10:42:29 pm by jg18 »

 

Offline Goober5000

  • HLP Loremaster
  • Administrator
  • 214
Re: Complaining about Java
No, it would be presumptuous to be crowned "Installer Dude" if I weren't working on the Installer. :p

I'm not aware of anybody having an issue with the fact that the Installer -- even Turey's old one -- was written in Java, until this thread.

 

Offline Fury

  • The Curmudgeon
  • 213
Re: Complaining about Java
Seriously?

Since last summer many news outlets (including papers and TV) have recommended uninstalling Java completely, not just updating it. This escalated this year with even the US Department of Homeland Security going as far as to recommend uninstalling, instead of updating. In the past year we have seen many 0-day exploits against Java, and I highly doubt these are going to stop anytime soon. Independent third-party validations have concluded that Java is an insecure mess.

Apple, Google and Mozilla all issue updates to their software to blacklist old versions of Java. That still leaves roughly half of PC users unprotected against outdated Java versions. Namely those using IE as their browser, as Microsoft does not blacklist old Java versions. Blacklisting does not always protect against 0-day exploits either. In addition, Oracle has at times failed to fix security issues even if an update was supposed to fix them.

I would have imagined you to have reservations about using Java after all these months of Java security issues being in the news, not just on the internet but also in papers and on TV. I am honestly quite amazed this is not the case. People who have Java installed must be at a record low as of now, thanks to all that news drumming.

Bottom line? It is in bad taste to require people to have 3rd party software installed that potentially puts them at risk for your own convenience. Even if a great number of people already have Java installed, there is no reason to contribute towards that number. It is completely irrelevant whether the old installer also required Java or not, we're not living in 2006 anymore. The date is 2013.

I don't know if this changes anything, but I'm done discussing the subject either way.

 

Offline MatthTheGeek

  • Captain Obvious
  • 212
  • Frenchie McFrenchface
Re: Complaining about Java
Riiiiight. Because news and TV are sooooooo trustworthy, especially when it comes to technology stuff. Same for the government.
People are stupid, therefore anything popular is at best suspicious.

Homeworld: Blue Planet     -     Help us help you     -     FSO Installer     -     BP extras portal     -     My legacy

666maslo666: Releasing a finished product is not a good thing! It is a modern fad.

SpardaSon21: it seems like you exist in a permanent state of half-joking misanthropy

Axem: when you put it like that, i sound like an insane person

bigchunk1: it's not retarded it's american!
bigchunk1: ...

batwota: steele's maneuvering for the coup de gras
MatthTheGeek: you mispelled grâce
Awaesaar: grace
batwota: oh right :P
Darius: ah!
Darius: yes, i like that
MatthTheGeek: the way you just spelled it it means fat
Awaesaar: +accent I forgot how to keyboard
MatthTheGeek: or grease
Darius: the killing fat!
Axem: jabba does the coup de gras
MatthTheGeek: XD
Axem: bring me solo and a cookie

 

Offline niffiwan

  • 211
  • Eluder Class
Re: Complaining about Java
Well, SANS is one of the highly respected security organisations in the world - you can read the following (without being a member) for their take on it:

https://www.sans.org/webcasts/uninstall-java-realistic-recommendation-no-insanity-yes-96192
https://isc.sans.edu/diary/When+Disabling+IE6+%28or+Java,+or+whatever%29+is+not+an+Option.../14947
Creating a fs2_open.log | Red Alert Bug = Hex Edit | MediaVPs 2014: Bigger HUD gauges | 32bit libs for 64bit Ubuntu
----
Debian Packages (testing/unstable): Freespace2 | wxLauncher
----
m|m: I think I'm suffering from Stockholm syndrome. Bmpman is starting to make sense and it's actually written reasonably well...

 

Offline The E

  • He's Ebeneezer Goode
  • Global Moderator
  • 213
  • Nothing personal, just tech support.
Re: Complaining about Java
Riiiiight. Because news and TV are sooooooo trustworthy, especially when it comes to technology stuff. Same for the government.

I'm sorry, but that's stupid. Governments and news outlets were only repeating what experts (real experts that is, white hat and black hat infosec people alike) were saying for years. Java plugins for browsers are a giant security risk, that's a fact.
Let there be light
Let there be moon
Let there be stars and let there be you
Let there be monsters and let there be pain
Let us begin to feel again
--Devin Townsend, Genesis

 
Re: Complaining about Java
Unless someone writes (and releases!) a Python-based cross-platform installer, nothing constructive is gonna come out of bashing Java here...

 

Offline Fury

  • The Curmudgeon
  • 213
Re: Complaining about Java
Okay, I said I would drop the subject but I find FSF's reply worth responding to.

Python. Definitely a leaps-and-bounds better choice than Java. Not only is it more secure than Java, there are working tools to compile executables that do not require Python to be installed on the computer.
- Windows: http://www.py2exe.org/
- Linux: http://wiki.python.org/moin/Freeze
- OS X: http://svn.pythonmac.org/py2app/py2app/trunk/doc/index.html

Now, this might be the easy and lazy way out of Java and results may not be top quality, but there is a Java to Python converter tool. https://github.com/natural/java2python

 

Offline wistler

  • 28
Re: Complaining about Java
I don't care one way or the other what the installer is written in, only that we have a working installer. THANKS GOOBER!   :D

 

Offline Kopachris

  • 28
  • It's Pythonic
Re: Complaining about Java
Okay, I said I would drop the subject but I find FSF's reply worth responding to.

Python. Definitely a leaps-and-bounds better choice than Java. Not only is it more secure than Java, there are working tools to compile executables that do not require Python to be installed on the computer.
- Windows: http://www.py2exe.org/
- Linux: http://wiki.python.org/moin/Freeze
- OS X: http://svn.pythonmac.org/py2app/py2app/trunk/doc/index.html

Now, this might be the easy and lazy way out of Java and results may not be top quality, but there is a Java to Python converter tool. https://github.com/natural/java2python

I think I might start working on that.  Sounds loads easier than the Blender/POF stuff I was working on.  Out of curiosity, though, why exactly do we need an installer?  Is it supposed to handle the retail installation also?  (Could it, by verifying that the person has a GoG FS2 installer, then providing the files on its own--without getting us in trouble?)  If not, would this whole installer issue be better resolved by an easier-to-use file hosting site tailored specifically for our use?
--
Yo momma's so fat when she sits on a binary tree she flattens it to a linked list in constant time.

 

Offline niffiwan

  • 211
  • Eluder Class
Re: Complaining about Java
I don't believe it's to provide retail files (IMO it could get us in trouble if we tried it).  AFAIK the installer is just to give a simple interface for installing mods, i.e. automate the process and there's less chance of users making mistakes.

 

Offline Luis Dias

  • 211
Re: Complaining about Java
I don't care one way or the other what the installer is written in, only that we have a working installer. THANKS GOOBER!   :D

We do? Where.

 
Re: Complaining about Java
Python. Definitely a leaps-and-bounds better choice than Java. Not only is it more secure than Java, there are working tools to compile executables that do not require Python to be installed on the computer.
- Windows: http://www.py2exe.org/
- Linux: http://wiki.python.org/moin/Freeze
- OS X: http://svn.pythonmac.org/py2app/py2app/trunk/doc/index.html

Not only that, but Python comes preinstalled on OSX and most major Linux distros; so generating a native binary is only really needed for Windows.

The big question would be: Python 2.x or Python 3? ;)

 

Offline jg18

  • A very happy zod
  • 210
  • can do more than spellcheck
Re: Complaining about Java
Not for the attention span-challenged...


Seriously?

Since last summer many news outlets (including papers and TV) have recommended uninstalling Java completely, not just updating it. This escalated this year with even the US Department of Homeland Security going as far as to recommend uninstalling, instead of updating.
I can't find anything from the DHS saying that Java should be installed completely, just disabled in the browser. Even if they did say it, assertions backed by references would be cool, since I really shouldn't have to go digging.

I'll admit that IE not providing adequate security is more of a concern, although that's really up to Microsoft to fix. If nothing else, we could tell people to disable Java in the browser. Yes, many wouldn't read or follow it, but it's better than nothing. I'd be interested in trying not mentioning the Java dependency at all when it's released and finding out how many people actually don't have Java installed.


Well, SANS is one of the highly respected security organisations in the world - you can read the following (without being a member) for their take on it:

https://www.sans.org/webcasts/uninstall-java-realistic-recommendation-no-insanity-yes-96192
https://isc.sans.edu/diary/When+Disabling+IE6+%28or+Java,+or+whatever%29+is+not+an+Option.../14947
Hm, interesting. Good to see people being pragmatic. Although I doubt disabling the Java plug-in would cause much pain for people, especially given how often it's automatically done.


Riiiiight. Because news and TV are sooooooo trustworthy, especially when it comes to technology stuff. Same for the government.

I'm sorry, but that's stupid. Governments and news outlets were only repeating what experts (real experts that is, white hat and black hat infosec people alike) were saying for years. Java plugins for browsers are a giant security risk, that's a fact.
Sure, the Java plug-in is a huge security risk, although I'd bet that not many in the mainstream media know the difference between the JRE, which is what the installer uses, and the Java browser plug-in, which uses the JRE but is separate from it.


Now, this might be the easy and lazy way out of Java and results may not be top quality, but there is a Java to Python converter tool. https://github.com/natural/java2python
I might fiddle with this later, but $10 says that this source-to-source compiler either won't run to completion, won't produce anything resembling working code, or will produce working but unreadable/unmaintainable code. Like any other Java program, the installer doesn't just consist of the program text, but also all of the Java libraries it uses, whether standard (like Swing for the GUI and eventually crypto for computing hashes) or third-party (like 7-Zip functionality).

Also remember that with software, maintaining and updating the software is the really hard part. We'd need the installer to be maintained for years. It's great if people can write it in Python now, but who's going to keep it going and add features when we need them? Is there anyone able and willing to commit to that?


If not, would this whole installer issue be better resolved by an easier-to-use file hosting site tailored specifically for our use?
I don't understand how that would look, please explain.


I don't believe it's to provide retail files (IMO it could get us in trouble if we tried it).  AFAIK the installer is just to give a simple interface for installing mods, i.e. automate the process and there's less chance of users making mistakes.
Yup. Installing mods manually is, quite honestly, a pain, and I'm not sure there's a good way to make it painless. A few months ago, I helped someone manually install FS2 and the MVPs, and we both thought it was a pain. And this was a guy who's plenty tech-savvy (codes for his day job) working one-on-one with the guy who wrote the current install instructions.


I don't care one way or the other what the installer is written in, only that we have a working installer. THANKS GOOBER!   :D

We do? Where.
I suppose a more nuanced description would be "we have been told that we should have a working installer Soon (TM)".


Python. Definitely a leaps-and-bounds better choice than Java. Not only is it more secure than Java, there are working tools to compile executables that do not require Python to be installed on the computer.
- Windows: http://www.py2exe.org/
- Linux: http://wiki.python.org/moin/Freeze
- OS X: http://svn.pythonmac.org/py2app/py2app/trunk/doc/index.html

Not only that, but Python comes preinstalled on OSX and most major Linux distros; so generating a native binary is only really needed for Windows.
Hm, I'd forgotten that it comes pre-installed on those. I guess depending on just one random piece of third-party software is moderately more feasible than depending on three, even if py2exe hasn't had an official release in over 4 years (how reassuring!). I hope everyone would agree that asking all players to install Python is a non-starter.


The big question would be: Python 2.x or Python 3? ;)
I'd go with the latest version that's widely available on the versions of OS X we can actually support (i.e., not Tiger, maybe not Leopard), which would likely set the bar low enough for reasonably recent Linux distros. That'd likely rule out Python 3.

The latest version of py2exe supposedly supports Python 2.7, so we'd be stuck with that. Freeze (at least I think this is the project Fury was talking about, since the wiki page he linked to didn't seem to go anywhere) is supposedly cross-platform and supports more recent versions of Python.

 

Offline Kopachris

  • 28
  • It's Pythonic
Re: Complaining about Java
If not, would this whole installer issue be better resolved by an easier-to-use file hosting site tailored specifically for our use?
I don't understand how that would look, please explain.


I don't believe it's to provide retail files (IMO it could get us in trouble if we tried it).  AFAIK the installer is just to give a simple interface for installing mods, i.e. automate the process and there's less chance of users making mistakes.
Yup. Installing mods manually is, quite honestly, a pain, and I'm not sure there's a good way to make it painless. A few months ago, I helped someone manually install FS2 and the MVPs, and we both thought it was a pain. And this was a guy who's plenty tech-savvy (codes for his day job) working one-on-one with the guy who wrote the current install instructions.
A single place to look for mods, assets, and executables that's not the forums or some site from the '90s.  Tagging and searching would be a plus, and additionally the ability to package multiple things together (e.g. FS2_Open with wxLauncher and MediaVPs, or all BP mods.  Just download and extract to your FS2 directory--how hard could that be?).  The most difficult part of the installation would be cleaning it up right after you run the GoG installer.

Quote
Python. Definitely a leaps-and-bounds better choice than Java. Not only is it more secure than Java, there are working tools to compile executables that do not require Python to be installed on the computer.
- Windows: http://www.py2exe.org/
- Linux: http://wiki.python.org/moin/Freeze
- OS X: http://svn.pythonmac.org/py2app/py2app/trunk/doc/index.html

Not only that, but Python comes preinstalled on OSX and most major Linux distros; so generating a native binary is only really needed for Windows.
Hm, I'd forgotten that it comes pre-installed on those. I guess depending on just one random piece of third-party software is moderately more feasible than depending on three, even if py2exe hasn't had an official release in over 4 years (how reassuring!). I hope everyone would agree that asking all players to install Python is a non-starter.


The big question would be: Python 2.x or Python 3? ;)
I'd go with the latest version that's widely available on the versions of OS X we can actually support (i.e., not Tiger, maybe not Leopard), which would likely set the bar low enough for reasonably recent Linux distros. That'd likely rule out Python 3.

The latest version of py2exe supposedly supports Python 2.7, so we'd be stuck with that. Freeze (at least I think this is the project Fury was talking about, since the wiki page he linked to didn't seem to go anywhere) is supposedly cross-platform and supports more recent versions of Python.

PyInstaller supports Win, Mac, and Lin, both Python 2.x and 3.x.  The real question is: wxPython or Tkinter?

 

Offline headdie

  • i don't use punctuation lol
  • 212
  • Lawful Neutral with a Chaotic outlook
Re: Complaining about Java
Can I say two things.

Firstly, any chance of a thread split, as the Java vs Python/other languages discussion seems to be a discussion in itself now.

Secondly, unless someone is going to develop and maintain an alternative multi-platform launcher the programming language discussion is a moot discussion as it won't change anything, whereas Goober's launcher, which is getting along nicely in its development, will make a real difference once it is complete.
Minister of Interstellar Affairs Sol Union - Retired
quote General Battuta - "FRED is canon!"
My Release Thread, Old Release Thread, Celestial Objects Thread, My rubbish attempts at art