javaws CLI with Icedtea-web

Jacob Wisor gitne at gmx.de
Mon Jun 30 16:43:12 UTC 2014


On 06/30/2014 06:07 PM, Jiri Vanek wrote:
> On 06/30/2014 05:23 PM, Jacob Wisor wrote:
>> On 06/30/2014 04:39 PM, Chris Lee wrote:
>>> Hi Jiri
>>>
>>> Thanks so much
>>>
>>> To explain as well, what I am trying to do is use a specific proxy server and
>>> port for a specific website.
>>> I had thought that a link to the CLI might be the quickest if I can get it
>>> working. If there is an easier way to configure, then I am open to suggestions.
>>
>> Try using Java's network configuration properties like http.proxyHost,
>> http.proxyPort, https.proxyHost, https.proxyPort, ftp.proxyHost,
>> ftp.proxyPort, gopher.proxyHost, gopher.proxyPort, socksProxyHost,
>> socksProxyPort with the -J-D switch. For more information have a look into
>> <JRE_HOME>/lib/net.properties.
>>
>>>> 1.4.1 is outdated. If you need for some reason to stay with 1.4, please
>>>> update to 1.4.2, however - please swap to 1.5. It was released a few months
>>>> ago, is stable, and a lot of fixes were fixed here.
>>>
>>> This installation is for the ATLAS experiment at CERN. For security reasons,
>>> we are usually compelled to use what is available in the SLC repos, which
>>> unfortunately for me right now is 1.4.1
>>
>> If security is key to you, you probably shouldn't be using IcedTea-Web yet.
>> Instead, resort to Oracle's Java Web Start implementation. This product is
>> feature and specification complete, in contrast to IcedTea-Web. Java Web Start
>> has most probably received far more security fixes and screening than
>> IcedTea-Web. Personally, at the current stage of IcedTea-Web I would advise
>> any enterprise or security aware user not to use IcedTea-Web.
>
> I would not say this.
>
> AFAIK (IMHO :) ITW is more secure. The closed source Oracle javaws has
> unknown bugs lurking in a hidden codebase. The only thing known about it is that it
> has a huge (really huge, maybe whole sun.com packages or similar) % of copy-pasted
> code from the JRE inside. Well, that means duplicated code, which means incompatible
> and unfixable code.
> All known security fixes for Oracle javaws and plugin are to the JRE itself. So
> icedtea web has them all (as it is using the JRE without copy-pasted code). In
> contrast, the copy-pasted parts of the closed plugin may not fit.
>
> I would not even use "specification complete" - They have implemented the
> specification on their own, and are not able to discuss any misleading hunks of
> it. Even more. They are making some things which are not in the specification, or
> are making them differently. We then need to ask ourselves - do we need to do
> it as Oracle javaws, or should we follow the specification?
>
> From that point of view ITW may look specification incomplete, or more
> lenient, but we actually have no choice. What we are trying (opposite to Oracle) is
> to keep old applets and javaws apps running. Not stop them by a really suspicious
> implementation of an even more suspicious (I would say made in a rush) specification.
>
>
> No flame here, but I really must protest against ITW being insecure. If you want
> to point to this, please provide a hack (proof) first.

I did not say nor mean IcedTea-Web was insecure. ;-) All I meant was that given
its current overall code quality, its existing gaps to the specification, and
its relatively small user and install base compared to Oracle's Java Web Start
it still has some way to go to meet enterprise security and quality standards.
Just because it's executable and is more strict on checking the JNLP protocol
here and there does not mean it is more secure or meets all security standards.
Of course, none of us can make any statements about the code quality of
Oracle's Java Web Start but given its longer availability, feature completeness,
broader adoption, and larger user and install base, it is fair to assume its
overall quality, especially in key code paths, has passed more development
cycles than IcedTea-Web. IcedTea-Web has had too many authors by now and no top
audit or review has been completed so far, which I believe is very necessary
to meet enterprise and security standards. AFAIK Java Web Start had only one or
two authors, so we can assume its code to be more consistent from a general
perspective.

This does not mean that IcedTea-Web will never reach enterprise level quality. 
It just means that at the current pace of development it will still take some 
considerable amount of time and review work to reach that level.

Jacob



More information about the distro-pkg-dev mailing list