Chuck McManis writes:
Perry pointed out the standard set of concerns that anyone should have with Java. About the only thing I'd care to dispute at the moment is that Java is a "large complicated" application. It is in fact less than 20K lines of C code.
Sendmail is about 29K lines of C code -- not significantly larger by my standards -- and has proven nearly impossible to secure.
And while it is true that applications of even this size are difficult to prove safe, there has been an effort to break that problem up into components such that each "layer" can be proven safe and where that layer is used that safety carries over.
Sendmail performs a much simpler task and has not proven secure. Look, I'm not arguing that you and the rest of the Java folks aren't smart people who have worked very hard. I've got a great deal of respect for Gosling and the rest of you guys. Unfortunately, you've taken on an impossible task. Marcus Ranum has noted that you can't trust a program thats bigger than a couple of pages long, and I believe he's right. Thats why when there is a program that I absolutely have to trust I make sure it isn't any longer than that. (This is frequently a very practical thing, by the way.) As an aside, have you tried breaking your own program? Spend a week on it some time. Its usually an educational experience and it breaks you out of the mindset you have fixed in for a while. As people have found out, it has proven possible to core dump the Java interpreter. That means that your implementation has contained flaws that potentially permitted people to do unplanned things to the state of the interpreter. By the way, I suggest that Sun should offer a large money prize for the first significant security hole found the Java implementation. Its a tiny price to pay for security. Perry