(keitai-l) Re: Java running into trouble on cell phones?

From: James Santagata <jsanta_at_audiencetrax.com>
Date: 09/09/02
Message-ID: <01a201c25784$1d34e2e0$0201a8c0@ix.netcom.com>
>From: "Curt Sampson" <cjs@cynic.net>
> On Sat, 7 Sep 2002, James Santagata wrote:
> > It's quite unfair to characterize cogent and objective discussions
> > of some of Java's shortcomings as "bashing".
> 
> I think it is. The original point was just that, given the choice
> between Java and C, Java will let you write more secure software.

The original point concerned Java as a "write once run everywhere"
language.  I think we all agree this is bunk and I haven't seen arguments
to the contrary.  If I am incorrect, please let me know, because I know
two companies right now that sure wish they knew how to do this.

After this was readily debunked, a tangential topic was raised
(not by me) that we should still use Java, perhaps as a language
of choice, because by nature it is far more secure than
other languages or at least languages in its class.

I say languages in its class because I'm certain there are a number of
specialized languages out there that are much more robust and
secure. In any event, Java may be more secure than other languages,
but it doesn't guarantee that by using Java you will
end up with a more secure program than one I write in C or
perl. Not understanding how to securely pass data, improperly handling
user sessions, sloppy programming techniques, etc. can and do
occur in any language. Java is no exception.

Lastly, the level of security required by an app will
vary by the use case. Nuclear powerplant apps require
high security and robustness, yet Sun tells us that we
shouldn't use Java for that type of app. Sending out
opt-in email has a somewhat low security requirement so why
would I need Java? I can use Java, I may use Java, but
I don't need to use Java. Perhaps I need portability (perl) or
real performance (c), there are many, many other factors
involved.
 
> Some on this list have been interpreting this as "Java guarantees
> the security of the entire system," and attacking that statement.
> Well, the only people who ever said that are the ones attacking
> that statement. It's a straw man.

It is not a straw man argument. A chain is only
as strong as its weakest link. Period. A computer app
is no different. The ones who think it is, are usually the first
ones hacked.

Trying to use a padlock to secure a paper door is not security.
You can state Java is more secure than other languages -- it may
even be true. But that still doesn't mean a program written in
Java is more secure than one written in a different language.

If you came home and a burglar had ripped through
your paper door and cleaned your house out, would you
pat yourself on the back and say "well, at least the padlock held up."?

> Yes, your operating system may have buffer overflows. Yes, your
> web server may have buffer overflows. Changing from Java to C won't
> fix those. That doesn't change the fact that, if you write your
> application in C, your code is highly likely to have buffer overflows,

Perhaps highly likely to have buffer overflows but not guaranteed to.
In addition, there may be other areas which may require more
attention (portability, scalability, whatever), that I am able
to better address with a language other than Java. Java
may work fine, perhaps it won't -- many considerations. It's
just one tool in my toolkit.

> It depends on the application. Java is, for many applications that
> run on a full size VM, pretty much "write once run anywhere."

For many, perhaps, but not all. I'm still waiting for one
streaming media vendor to get their Java app to run on Linux
(from MSFT). They told me it would be a snap "Java's portable!".
Hmm. Not sure why it's taken almost 6 months now.

> I can take a Tomcat application and move it to BEA without changing
> a line of code.  I can run either of those on Windows or Unix.
> That's a pretty good achievement.

Sure, I've moved perl apps around, too. Portability is a nice
feature where some apps require it, others don't. Again, it's one
more thing to consider and has varying weight attached to it
which is my point. Use cases.
 
> The marketing guys are obviously, when they give you this phrase,
> not giving you a long list of qualifications for it. If this comes
> as a surprise to you, well, you're pretty naive.

It's not surprising to me at all. But I am surprised that
it was a surprise to the developers in the CNET article.
I'm frankly not one to be easily fleeced with ridiculous
claims like the ones made by Sun or other vendors.
(Although Sun likes to tell you they don't make those
kinds of claims, only Bill Gates does).

But just because I'm not easily fooled doesn't mean
that others aren't fooled (like a lot of my customers
and investors) and that I should just shut my mouth
and not point this out. Why? Because I've had more
than one investor say, "You should write your app in Java."
When I asked why, what will that do for me?
He said "Java's hot!"

> Next time, before
> believing the marketing hype, just have a qualified technical person
> have a quick look at it, and he'll tell you, for your particular
> application, how likely it is to be portable.

You're the one defending Java not me.

I've never believed the marketing hype, which is why I'm the one
pointing out the emperor has no clothes. All languages have
shortcomings, why would you be naive enough to believe that
Java doesn't? Perhaps you are the one believing Sun's
marketing hype, not me.
 
> > Many people (especially in managerial positions who don't have hands
> > on programming experience) believe Sun's hype -- no wonder they are
> > upset when the prime premise of Java's advantages turns out to be an
> > empty cup of coffee.
> 
> These people are going to be upset no matter what. Anybody who
> blindly believes marketing rather than doing proper technical
> planning is doomed, regardless of whether they use Java or not.

Actually if you believe that, that's where you are naive. I
have experienced first hand as well as worked with highly technical
people who have either themselves chosen a language not best
suited for the job at hand to suit themselves (want to try something new,
it's cool, get new skills, whatever) or the programmers that worked
for them/me have done the same thing or investors/customers have
pressured it because "it's hot!".  


James Santagata

A U D I E N C E T R A X
http://www.audiencetrax.com
Received on Mon Sep 9 01:15:42 2002