hardly usefull for comercial deployment …
Well I’ve seen people who as soon as they see any sort of “warning: may harm your computer” (which IIRC webstart shows even with signed certificates) instantly click cancel. Annoyingly, these are the same people who’ll happily download and run any random exe they stumble across without a moments thought.
I thought Vista stuck up a dialog now if you tried to install unsigned .exes?
Cas 
Well, I ain’t going to pay even $10 a year for some license, to be able to publish a small game. No freedom in that. Doesn’t make sense that you have to pay them to publish your game, that’s my attitude. Signed or not, whatever you run may be a security risk. Who’s to say I’m not going to “do harm” to some computer clients even with my “signed” application? Are they going to review my code? What is the real difference really between unsigned and signed? Seems to me there is only more hassle with signed stuff.
This concept is mind boggling. Perhaps I’m not very familiar with this concept, so I’m probably ignorant about how it works.
All I want to do is write games, they should load & run FAST, and the user should not be aware of any Java loading, scary unsigned/signed dialogs etc.
Heck, I just started a Java WebStart game, I counted the dialogs and the user (un)experience:
- First the browser dialog (Save as… or Run) for the jnlp file. (Yes, I know I can define so it runs always)
- Second, I could clearly hear my computer booting up some Java processes…, Java icon appears in system tray! (took a 2-3 seconds)
- Third, Java WebStart loading dialog appears…stays there until everything is fully loaded
- Fourth, Some nice orange Java applet logo showing the download status (although I’d like to be able to replace this with my own)
- Fifth, one of those “scary” dialog pops up, “Unsigned” bla bla bla… I choose Ok.
- Sixth, some more loading…
- Seventh, the scary dialog pops up again!! I choose Ok.
- Eight, finally the game can start loading…and I’m in!
The user might think by now he’s got a new Operating System after such a operation
With Flash?
- Nice looking (custom) loading indicator for few secs… bamm… you’re playing!
Although at first I thought the licensing thing was a scam to extort money, in this day and age I have finally figured out its value.
Any fool can write a malicious applet or JWS download with ease. A single click on a webpage and BANG! recursive delete on C:. I could do it now, to you, for amusement. Worse, someone else could post a link to Treasure Tomb but in fact it was just a link to a program that deletes everything on C:. You might scoff but this can happen and it will happen. That’s how all of these viruses, trojans and worms come to exist in the first place - if someone can take advantage of something, they will. When you think about it there is virtually no limit to what a JWS application can do, all from a single mouseclick. Why aren’t you scared? You should be. What’s to stop some blogger finding a link to my alpha, decompiling it, and adding in a bit of code that writes a .exe keylogger into the Windows Run registry? Nothing except the fact that if anyone tries it - the scary dialog will appear.
When the code is signed, you know it’s from me. If it fucks your machine up or steals your bank details, you can find out where I live and take legal action.
So if you’re serious about giving people code to run on the internet, buy a certificate. It’s pocket money after all to get a proper one. Otherwise, you’re not serious about it, which means it’s for forum mates and friends, and we don’t care about the scary dialog because we know you.
See? How hard is this to grasp?
Cas
But from the users perspective it makes no difference. Half of everything is unsigned so they either ignore them or don’t run anything. Even drivers for hardware from major manufacturers is not signed, so the whole signing thing is generally useless.
For a user to see an unsigned version of your game and know not to use it, they must first know that your game is in fact signed and that the message indicates they are using a phoney one. Even sodaplay’s soda constructor is unsigned!!!
That’s a good point Cas, but then the contents of the dialog should be changed to reflect what you just said. Right now they are implying that signed applications cannot hurt your PC.
Ye, the purpose of certs isn’t about security… it’s about trust, verification of your identity and integrity of the files. Eg no one could hack into your server and add a trojan dropper to your jnlps (well, he/she could… but it wouldn’t work :)).
My identity for example isn’t much of a mystery. The German law forces me to reveal it completely. But there is no indication that the files on my server are really from me. And that’s where certs jump in.
Signed applications != trustworthy applications
Anyone can sign a application, distribute it, and it might as well delete all your files or add a keylogger/trojan like you described. You have no idea.
As long as Java Applet/WebStart games need to go out of the sandbox for greater speed, and the user has to accept it, then I don’t see Java games going anywhere, at least not a real competition to Flash. The ideal solution would be if OpenGL access was included in the sandbox, and probably JOGL be included in the JRE.
[quote]As long as Java Applet/WebStart games need to go out of the sandbox for greater speed, and the user has to accept it, then I don’t see Java games going anywhere, at least not a real competition to Flash. The ideal solution would be if OpenGL access was included in the sandbox, and probably JOGL be included in the JRE.
[/quote]
I don’t think webstart is needed for professional games. Any commercial game from the shop is installed as a standalone application, and so can Java games. Applets simply aren’t suited for big games (due to downloads, speed, etc.)
Ehm… with a proper cert I know who you are and where you’re living. Do you really want that someone burns your house down? Of course I would also DoS your servers while I’m at it.
edit: Oh yea… and of course I would sue you as well 
Good luck with that I’m in Iceland btw, our laws are really poor regarding computers/internet and stuff Most likely you would be thrown to jail for trying to DoS me or burn down my house
And don’t tell me those certs can’t be “faked”, that is, I can easily steal the identity of someone, credit card… buy some cert and do some stuff.
[quote]And don’t tell me those certs can’t be “faked”, that is, I can easily steal the identity of someone, credit card… buy some cert and do some stuff
[/quote]
Of course. You can also steal a passport but that doesn’t make a passport useless.
[quote]The ideal solution would be if OpenGL access was included in the sandbox
[/quote]
I agree. The main reason I don’t do JOGL or LWJGL applets is to avoid the trust dialog box. Signed apps (including JWS) are one thing, but no should have to choose whether or not to trust a game embedded on a web page.
App signing is fine, but vendors deliberately create such vivid warnings to force developers to pay for a license.
The real issue is that the very latest drivers for some cards are massively broken. If the card is slightly older… it simply won’t work and you can’t make it work.
Yes, I’m of course talking about ATI.
(Standalone apps work fine tho.)
afaik Iceland trades with the outside world and thus is subject to international law and european law. And I doubt iceland would turn in to an autonomic country just because you wanted to be a jackass. And even if they did CA’s, can retract certificates isp can be black listed.
Certificates are bound to urls requiring to also have control over the site or a/the dns server.
And while anyone can sign, or rather create a cert and, sign his applet. only does who can make a 3 way handshake get accepted without warning, thats you can a third party. A third party that you choose to trust(or rather microsoft/mozilla foundation). those 3rd parties don’t hand them out indiscriminately.
also note that if they have access to the webserver there a loads of other, easier ways, to go. Like replacing downloadable applications, drivers…
no, signed applets are probably one of the more trustworthy code that this computer has seen.
How on earth is ogl access going to fix all of your problems? - what about all the other stuff you need that has nothing to do with OpenGL?
Well, while it’s not the problem, it’s part of the problem. There is a reason why people want to run their games opengl accelerated, it’s because they run a lot faster. You cannot run it accelerated in the sandbox, and thus you need that dialog to scare away players… both webstart and applet. Besides, the download size of the OGL library is relatively large (both JOGL and LWJGL), especially when the game should load promptly up.
I don’t know the answers to all problems regarding embedded web applications/games, all I can describe is how I think it’s supposed to work… or at least how it should work for the user.
Consider you had the following requirements:
- game should load fast
- game should run fast
- user should not be annoyed by dialogs, slowdown of the pc or anything “happening” other than the game loading and starting
Would you select Java to make all your games in when you’re working for a company running a multi-million dollar game portal site?
The truth is, the webgames industry has become HUGE. Java is missing out, I would be surprised if it had 2% marketshare. All Java has to show for are a few games that dedicated Java developers have put together, which is great (don’t get me wrong), but more is needed. What is it that makes Flash so successful for games?
Perhapse one of the problems with Java is that it’s not a “Web Plugin” like Flash is, which is designed for embedded web applications.
I’m not playing the “blame-game”, but I do think Sun needs to learn by example if it intends to participate in embedded web applications market.
[quote]What is it that makes Flash so successful for games?
[/quote]
certainly not it’s technical superiority. a schoolmate just finished an interactive Flash application and he swears nevers to use it again