Java

Oracle Proposes New Native JavaScript Engine for OpenJDK 80

hypnosec writes "Oracle has proposed a new project for OpenJDK — Nashorn, which aims to implement a high-performance yet lightweight JavaScript runtime that would run on the JVM natively. Nashorn will be headed by Jim Laskey, multi-language Lead at Oracle and the project will be sponsored by HotSpot group. The project proposes an implementation of JavaScript such that it can run standalone JavaScript applications via the JSR 223 APIs. Nashorn's design will enable it to take advantage of new JVM technologies like the MethodHandles and the InvokeDynamic APIs."
Open Source

Oracle Makes Red Hat Kernel Changes Available As Broken-Out Patches 104

Artefacto writes "The Ksplice team has made available a git repository with the changes Red Hat made to the kernel broken down. They are calling this project RedPatch. This comes in response to a policy change Red Hat had implemented in early 2011, with the goal of undercutting Oracle and other vendors' strategy of poaching Red Hat's customers. The Ksplice team says they've been working on these individual patches since then. They claim to be now making it public because they 'feel everyone in the Linux community can benefit from the work.' 'For Ksplice, we build individual updates for each change and rely on source patches that are broken-out, not a giant tarball. Otherwise, we wouldn't be able to take the right patches to create individual updates for each fix, and to skip over the noise — like a change that speeds up bootup — which is unnecessary for an already-running system.'"
Open Source

Bruce Perens Answers Your Questions 52

A while ago you had the chance to ask Bruce Perens about how open source has changed in the past 15 years, what's happening now, and what's to come. Bruce has been busy traveling, but he's found some free time and sent in his answers. Read below to see what he has to say.
Java

Red Hat Devs Working On ARM64 OpenJDK Port 63

hypnosec writes "Developers over at Red Hat are busy porting OpenJDK to ARM's latest 64-bit architecture — the ARMv8, also known as the AArch64. The current OpenJDK ARM situation is rather unsatisfactory: for the current 32-bit ARM processors, there are two versions of the HotSpot JVM for OpenJDK — Oracle's proprietary JIT, and a less sophisticated free JIT that performs poorly in comparison. To avoid a similar situation for the 64-bit platform, the developers are working on an entirely Free Software port of HotSpot to 64-bit ARM."
Java

Researcher Develops Patch For Java Zero Day In 30 Minutes 57

Trailrunner7 writes "A security researcher has submitted to Oracle a patch he said took him 30 minutes to produce that would repair a zero-day vulnerability currently exposed in Java SE. He hopes his actions will spur Oracle to issue an out-of-band patch for the sandbox-escape vulnerability, rather than wait for the February 2013 Critical Patch Update as Oracle earlier said it would. Adam Gowdiak of Polish security consultancy Security Explorations reported the vulnerability to Oracle on Sept. 25, as well as proof-of-concept exploit code his team produced. The vulnerability is present in Java versions 5, 6 and 7 and would allow an attacker to remotely control an infected machine once a user landed on a malicious website hosting the exploit. Gowdiak said his proof-of-concept exploit was successfully used against a fully patched Windows 7 machine using Firefox 15.0.1, Chrome 21, IE 9, Opera 12, and Safari 5.1.7."
Businesses

Salesforce.com's Benioff Disses Windows 8, Oracle 182

An anonymous reader writes "Salesforce.com CEO Marc Benioff is the latest to predict Windows 8 will be a disaster for Microsoft, but for a different reason than some others: he says that Windows is simply irrelevant in the new era of cloud computing and bring-your-own-devices (BYOD), which will become clear to corporate IT decision makers when they confront the upgrade decision. Of course, this conveniently dovetails with Salesforce's market position, so consider the source. Another interesting development is the growing rivalry between Benioff and his old boss Larry Ellison; Salesforce.com is a longtime Oracle shop, but they have just announced intentions to hire 40-50 PostgreSQL developers."
Oracle

Oracle's Sparc T5 Chip Evidently Pushed Back to 2013 98

Mark Hachman writes in Slash Datacenter that the Sparc T5 chip Oracle announced earlier this year apparently won't be ready until sometime in 2013. John Fowler, executive vice president, Systems, Oracle, presented at Oracle Open World a chart outlining highlights of Oracle's plans for the future. "But Fowler also skipped over some bad news: an apparent delay for the Sparc T5. A year ago, Oracle’s Sun division announced the Sparc T4—and according to Fowler, Oracle chief Larry Ellison set a very high bar for the next iteration: double the performance while maintaining app compatibility on an annual basis. Apparently, that didn’t quite happen with the T5; Oracle had the opportunity to announce a T5-based server, and didn’t. That’s a bit of bad news for the Sun design team, which already had to watch Intel’s Xeon chief, Diane Bryant, give the preceding keynote. ... As detailed at this year’s Hot Chips conference, the T5 combines 16 CPU cores running at 3.6 GHz on a 28-nm manufacturing process. Continuing the trend of hardware acceleration of specific functions, Sun executives claimed the chip would lead in on-chip encryption acceleration, with support for asymmetric (public key) encryption, symmetric encryption, hashing up to SHA-512, plus a hardware random number generator."
Businesses

Nokia Bets Big On Mapping 104

angry tapir writes "Nokia and Oracle have joined forces on mapping, with details of the deal to be announced at the Oracle OpenWorld conference. To differentiate its smartphones from the competition, Nokia is betting big on location as well as imaging technology. Oracle is expected to add Nokia's mapping technology to its applications. Part of Nokia's location strategy is signing deals for the use of its Navteq mapping technology with as many companies as possible. Besides the deal with Oracle, Nokia has recently announced contracts with car makers BMW, Mercedes, Volkswagen and Korean Hyundai, which will all use Navteq map data in some of their vehicles. Garmin will also start using Nokia data on transit services and walking routes to power a new Urban Guidance feature, which will be available as part of its Navigon app for Android and iOS. Nokia's most important partner on navigation, though, is Microsoft. All smartphones based on Windows Phone 8 will have Nokia's Drive application as standard, while Microsoft's Bing Maps geographical search engine uses Nokia data."
Cloud

Oracle Open World: Ellison Preaches Cloud Religion 49

Nerval's Lobster writes "Oracle CEO Larry Ellison used his opening keynote at Oracle Open World (OOW) to unveil several initiatives to accelerate the cloud, including its own private cloud, Infrastructure-as-a-Service, and its latest database version—which, coincidentally, can be stored in memory within Oracle's latest Exadata database machines. Ellison also paid tribute to Oracle hardware partner Fujitsu, which had earlier announced 'Project Athena': a server designed with an UltraSPARC chip that (he claimed) can run the Oracle database 'faster than any microprocessor on the planet.' Ellison opened OpenWorld with four key announcements: that Oracle is now offering infrastructure as a service; that it will complement the IaaS offering by allowing customers to run that same infrastructure behind their corporate firewall as a private cloud; the launch of Oracle database 12C (where the 'c' stands for 'cloud'); and, finally, the new Exadata servers, which barely use disk drives at all in favor of in-memory storage, with flash memory as a fallback."
GNU is Not Unix

Prime Minister to French Government: Favor FOSS Wherever Possible 112

concertina226 writes with interesting news from France. From the article: "French government agencies could become more active participants in Free Software projects, under an action plan sent by Prime Minister Jean-Marc Ayrault in a letter to ministers (PDF, and in French of course), while software giants Microsoft and Oracle might lose out as the government pushes Free Software such as LibreOffice or PostgreSQL in some areas. ... He also wants them to reinvest between 5 percent and 10 percent of the money they save through not paying for proprietary software licenses, spending it instead on contributing to the development of the free software. The administration already submits patches and bug fixes for the applications it uses, but Ayrault wants to go beyond that, contributing to or paying for the addition of new functionality to the software."
Bug

New Java Vulnerability Found Affecting Java 5, 6, and 7 SE 121

jcatcw writes "Just as Oracle is ramping up for the September 30 start of JavaOne 2012 in San Francisco, researchers from the Polish firm Security Explorations disclosed yet another critical Java vulnerability that might 'spoil the taste of Larry Ellison's morning ... Java.' According to Security Explorations researcher Adam Gowdiak, who sent the email to the Full Disclosure Seclist, this Java exploit affects one billion users of Oracle Java SE software, Java 5, 6 and 7. It could be exploited by apps on Chrome, Firefox, Internet Explorer, Opera and Safari. Wow, thanks a lot Oracle."
Security

Data Breach Reveals 100k IEEE.org Members' Plaintext Passwords 160

First time accepted submitter radudragusin writes "IEEE suffered a data breach which I discovered on September 18. For a few days I was uncertain what to do with the information and the data. Yesterday I let them know, and they fixed (at least partially) the problem. The usernames and passwords kept in plaintext were publicly available on their FTP server for at least one month prior to my discovery. Among the almost 100.000 compromised users are Apple, Google, IBM, Oracle and Samsung employees, as well as researchers from NASA, Stanford and many other places. I did not and will not make the raw data available, but I took the liberty to analyse it briefly."
Java

Recent Apple Java Update Doesn't Fix Critical Java Flaw Claims Researcher 102

hypnosec writes "Just yesterday Apple released updates to fix Java vulnerabilities, but it seems the patch doesn't actually target the recently discovered high-profile Java bug that has been the talk of the web during the last two weeks. The two updates – Java for OS X 2012-005 for OS X Lion and Java for Mac OS X 10.6 Update 10 for Mountain Lion, are meant to tackle the vulnerability described in CVE-2012-0547. But according to KrebsOnSecurity, it seems Cupertino hasn't addressed the recent mega-vulnerabilities in Java as described in CVE-2012-4681." Update: 09/07 12:00 GMT by S : As readers have pointed out, these updates address flaws in Java 6, which is the version Apple maintains. The recently-reported Java vulnerabilities primarily affect Java 7, the patching of which is handled solely by Oracle. Nothing to see here.
Google

Oracle To Pay Google $1 Million For Lawyer Fees In Failed Patent Case 97

eldavojohn writes "You may recall the news that Google would not be paying Oracle for Oracle's intellectual property claims against the search giant. Instead, Google requested $4.03 million for lawyer fees in the case. The judge denied some $2.9 million of those fees and instead settled on $1.13 million as an appropriate number for legal costs. Although this is relative peanuts to the two giants, Groklaw breaks the ruling down into more minute detail for anyone curious on what risks and repercussions are involved with patent trolling."
Bug

Java Exploit Patched? Not So Fast 87

PCM2 writes "The Register reports that Security Explorations' Adam Gowdiak says there is still an exploitable vulnerability in the Java SE 7 Update 7 that Oracle shipped as an emergency patch yesterday. 'As in the case of the earlier vulnerabilities, Gowdiak says, this flaw allows an attacker to bypass the Java security sandbox completely, making it possible to install malware or execute malicious code on affected systems.'"
Java

Oracle Patches Java 7 Vulnerability 58

First time accepted submitter JavaBear writes "Oracle have just released the u7 release of their Java 7. From the article: 'In response to the findings of a recent vulnerability in Java 7 that was being exploited by malware developers, Oracle has released an official patch that takes care of the problem. In the past week, a new vulnerability was unveiled in Oracle's Java 7 runtime, which has been used by hackers in targeted attacks on Windows-based systems. Similar to the recent Flashback malware in OS X, this vulnerability allows criminals to create a drive-by hack where the only action needed to compromise a system is to visit a rogue Web page that hosts a malicious Java applet.'"
Java

Polish Researcher: Oracle Knew For Months About Java Zero-Day 367

dutchwhizzman writes "Polish security researcher Adam Gowdiak submitted bug reports months ago for the current Java 7 zero-day exploit that's wreaking havoc all over the Internet. It seems that Oracle can't — or won't? — take such reports seriously. Is it really time to ditch Oracle's Java and go for an open source VM?"
Java

Experts Develop 3rd-Party Patch For New Java Zero-Day 154

tsu doh nimh writes "A new exploit for a zero-day vulnerability in Oracle's Java JRE version 7 and above is making the rounds. A Metasploit module is now available to attack the flaw, and word in the underground is that it will soon be incorporated into BlackHole, a widely used browser exploit pack. KrebsOnSecurity.com talked to the BlackHole developer, who said the Java exploit would be worth at least $100,000 if sold privately. Instead, this vulnerability appears to have been first spotted in targeted/espionage attacks that used the exploit to drop the remote control malware Poison Ivy, according to experts from Deep End Research. Because Oracle has put Java on a quarterly patch cycle, and the next cycle is not scheduled until October, experts have devised and are selectively releasing an unofficial patch for the flaw."
Databases

Is MySQL Slowly Turning Closed Source? 336

mpol writes "Sergei from MariaDB speculated on some changes within MySQL 5.5.27. It seems new testcases aren't included with MySQL any more, which leaves developers depending on it in the cold. 'Does this mean that test cases are no longer open source? Oracle did not reply to my question. But indeed, there is evidence that this guess is true. For example, this commit mail shows that new test cases, indeed, go in this "internal" directory, which is not included in the MySQL source distribution.' On a similar note, updates for the version history on Launchpad are not being updated anymore. What is Oracle's plan here? And is alienating the developer community just not seen as a problem at Oracle?"
The Courts

Google, Oracle Deny Direct Payments To Media 41

itwbennett writes "Earlier this month, the judge in the Oracle v. Google trial ordered the companies to disclose the names of bloggers and reporters who had taken payments from them. Not surprisingly, both companies have denied making direct payments to writers (with the exception of Florian Mueller of FOSSPatents, whose relationship to Oracle was disclosed in April). But Oracle has tattled on Google regarding some indirect connections. In particular, Oracle called out Ed Black for an article he wrote about the case for Forbes. And Jonathan Band, co-author of the book, 'Interfaces on Trial 2.0,' which Google cited in its April 3, 2012 copyright brief." Groklaw has an in-depth look at the filings. Oracle's fingerpointing is based in part on this BBC article and this piece at The Recorder, both of which they entered into evidence. Google's filing (PDF) affirmed that they have not paid media for articles or done any quid pro quo in exchange for coverage. However, they acknowledged that many people receive money from Google through other means (the company's philanthropy, ad business, etc.), and asked the judge if he wanted further details about those instances.
