Update to Java for Mac OS X released

[Eli Delventhal]

more good news on the apple java applet stuff http://blogs.sun.com/javafx/entry/new_security_warning_for_mac

</sarcasm>

Motherf**ker. 

Mac OS X is becoming just like Vista, giving me worthless security dialogs for practically everything. "This is a document you downloaded from the internet. Are you sure you want to open it?"

These things save 1 user for every 99 users that get inconvenienced by it. Plus as a power user with two external HD backups that are never both plugged in at once and who doesn't download random stuff when it could be harmful, I will never[/i find any security pop-ups anywhere useful. So why am I burdened?

WHYYYYYYYYYY?!?!?!??!?!?!?!?! 

[jezek2]

Well the dialog is just telling the truth. Allowing unrestricted access is very dangerous (and in many cases it's requested because you want just some little thing and unfortunately you must require full unrestricted access...). Sun should actually use the already present fine-grained Java Security system for applets/webstart and special things like JavaFX should be handled differently.

[swpalmer]

The dialogs on Mac aren't quite as bad as Windows... at least you only have one click to say, "yeah, that's what I want"

I like that it does this actually.  Specially if you download something and forget about it for a while and then try to run it.  The warning is still there until you say ok that one time.. then the warning is gone forever for that file.  it's not so bad.

<Begin Rant>

What we REALLY need is reasonably priced signing certificates.  The OS should require that ALL code is signed.  Then it is a matter of trusting the entire publisher just once.

But code signing is done by a bunch of rip-off artists. The very idea that you need different "kinds" of certificates to sign code versus use SSL on your site, versus whatever -- that's just the signing authorities being greedy weasels.    Why when you go to verisign are you asked if you will be signing code for Java or Windows Authenticode, or Adobe AIR, etc? It's all the same damn it! A simple asymmetric crypto key pair...  They bury this in the fine print... "For ease of use, VeriSign recommends buying a code signing certificate for each developer platform. You could use a code signing certificate for one platform to sign code for others. However, ..."

And they charge $499!  It would be over priced at $49... and it's only good for a year!  Money grubbing weasel scum... They are like banks, insurance companies, and telcos... I hate them all!   :-)

Games published by our own members! Check 'em out!

[swpalmer]

BTW, I came to this thread to mention the new developer preview that was made available today... Mac is actually AHEAD of Sun at the moment.

That was really fast (for Apple especially) to get something available to address the regressions that some were experiencing. And it has the added bonus of being a *VERY* recent version of Java.

[kappa]

The dialogs on Mac aren't quite as bad as Windows... at least you only have one click to say, "yeah, that's what I want"

Have you seen that new mac dialogs? Now those are killer scary, much less chance a user will accept them then they would the current dialogs on windows/linux.

That was really fast (for Apple especially) to get something available to address the regressions that some were experiencing. And it has the added bonus of being a *VERY* recent version of Java.

Ah cool, hopefully it really has java plugin2 this time.

thx for the update.

[elias4444]

TW, I came to this thread to mention the new developer preview that was made available today... Mac is actually AHEAD of Sun at the moment.

Just wondering where you saw this? I can't find it.

[swpalmer]

It was announced on the java-dev email list that Apple runs.

http://lists.apple.com/archives/Java-dev/2009/Jul/msg00076.html

[swpalmer]

Have you seen that new mac dialogs? Now those are killer scary, much less chance a user will accept them then they would the current dialogs on windows/linux.

That is the dialog for a certificate that could not be verified - it's supposed to be scary!  So long as a verified certificate presents a more reasonable dialog, I'm fine with that one being as it is.

Yes that means that self-signed certificates are going to yeild dialogs that are scary..., since anyone (virus writer, etc.) could produce such a cerificate there isn't much that can be done about it.  If you are self-signing code you will likely have to provide a bit of a "ReadMe" on your web page to explain the dialog and what it means - possibly even providing instuctions for importing you key as a trusted source. You could even provide a double-clickable .jar file that would import your key.

I honestly think it makes more sense for a imilar scary warning to occur with ALL unsigned software, regardless of the language or platform it is written for.  That would force the issue of educating the average user.

[princec]

That's why I think it should have been completely delegated to the host OS in the first place.

Cas

[swpalmer]

That's why I think it should have been completely delegated to the host OS in the first place.

Cas

Non-trivial to do when from the host OS' perspective all java software looks like java.exe or javaws.exe -- say you trust it once and then ALL java programs could be trusted!  I think Sun was forced to implement this themselves, even if the OS did have a similar system in place - like Mac OS X and the "you downloaded this from that scary interweb thingy,do you trust it?" warning.  I suppose if the OS did that for opening .JNLP files it might suffice - but you would still be missing the authentication ("we verified it came from X, do you trust X?", "Do you want ot trust everything from X from now on?", etc.)... heck maybe it does, I can't remember.

Games published by our own members! Check 'em out!

[princec]

I mean the java process would hook in to the OS code for validating certs. So you'd use whatever the host uses for cert storage and key management and dialogs. Not the other way around.

Cas

[kappa]

looks like mac's have finally gotten Java 6 for 32bit with snow leopard http://java.dzone.com/news/32-bit-java-6-mac-os-x-snow

[Eli Delventhal]

Finally...

[swpalmer]

And in case you haven't heard alredy: Snow Leopard has *only* Java 6, no previous versions are installed (Leopard has 1.5 also).

[kappa]

And in case you haven't heard alredy: Snow Leopard has *only* Java 6, no previous versions are installed (Leopard has 1.5 also).

ah thats good to know, any ideas if its using the Java applet plugin2? or still on the old plugin?

[swpalmer]

It is still the old plugin , but the new plugin is installed in a beta form for developers...  users would have to copy or symlink it to the approriate place to get it to be used.   The release notes are available here:
Java for Snow Leopard Release Notes

[swpalmer]

From apple's Javadev mailing list:

On Aug 29, 2009, at 10:21 AM, Greg Guerin wrote:

Emmanuel Puybaret wrote:

If Mac OS X 10.6 contains only Java SE 6 version, I guess that Sweet Home 3D installer available at http://prdownloads.sourceforge.net/sweethome3d/SweetHome3D-2.0-macosx.dmg won't work under Mac OS X 10.6 since I set "1.5*" in the "JVMVersion" Java option of its Info.plist file. :-(

Your app will probably work as-is.

There is a "virtual" 1.5 Java version, but it actually runs 1.6.  This is what it means for the 1.5 symlink in the JavaVM.framework to point to 1.6.

I just tried two different apps of my own on a 10.6 pre-release, with "1.5*" in the Info.plist, and they work fine.  One app has an About window that shows the Java version, and it definitely show 1.6 even though it's a "1.5*" app.

That's not exactly true. Bundled applications should be promoted automatically to the default JVM if they don't match the version requirement. That promotion however, would be a violation of the Web Start spec, so for Web Start apps we show the standard "version doesn't match" UI from Sun.

Best,
Mike Swingler
Java Runtime Engineer
Apple Inc.

So check your webstart code.. you might want to make sure you are using 1.5+ instead of 1.5* where possible.