More reasons webstart sucks

General Discussions
#1

  1. Sun’s jarsigner has at least one (or, from the unique reports I’ve seen on java.sun.com, more like 10+) fundamental bugs in it’s encryption / sighing code. Signing frequently “fails” for no apparent reason, with all Sun’s code (webstart etc) giving off seemingly random error messages. Repeating the sign fails, then fails, then fails, then suddenly without chanigng anything, it succeeds. N0-one knows why.

  2. Sun decided not to use any of the industry standards for keystores. No idea why. Their tool docs imply that only their standard can be used in java without writing custom code, but the tools happily use others if you just try it and ignore the docs.

  3. Sun’s code accepts some certs, but not others, for no apparent reason. The error message is simply “there was an error whilst parsing”.

  4. Sun’s Webstart will not accept multiply-signed jars. No apparent reason.

  5. …but Sun’s own jarsigner will happily multiply-sign JAR’s.

  6. …and has no option to de-sign them.

  7. Its damn hard to get webstart to launch from the hard-disk in Java 1.4.x - you can launch the file if and only if you:

  • hard-code it to only work from one directory on your personal machine
  • OR: DONT load any JARs
  • (I’m sure I’ve got this working before on linux with creative use of “the CWD path” but can’t get it to work now)

Maybe this is an apple-only thing (I have nothing else to hand to test with)? From what I understand, there’s nothign different in Apple’s JVM’s webstart code launcher ?

#2

So what ?

Everytime you start a topic you’re making complaints about Java and Sun. You’re never happy. Why the hell are you using Java ? Use C++, Python, or anything else, but please STOP COMPLAINING ABOUT JAVA.

1.5 is crapped out, generics are crap, nio is as shit as a shitty stick, webstart is foobared beyond help, sun is bad… what more?

Blah, your a stuck up freak who doesn’t give the community any help at all besides moan moan moan…

#3

[quote]Blah, your a stuck up freak who doesn’t give the community any help at all besides moan moan moan…
[/quote]
I kind of like it. It’s one of the few constants of life. We should hold onto that kind of stuff.

#4

I think criticism is needed in order to improve.

And blah^3 for example helped me once with a problem, so he does not only complain.

#5

It makes the gui easier when it comes to asking the user if they will accept code signed by X. You don’t really want a dialog asking if an app where a.jar has been signed by X and Y while b.jar has been signed by Y and Z is OK. Yes they could and perhaps should look for the intersection of the signers, but then should they present all the common signers to the user or just pick an arbitrary one?
For a common case where multiple signers might arise (use of an already signed 3rd party jar), there is a better solution ---- use a separate jnlp file to refer to that jar file and leave its existing signature unchanged.

On the other hand it is quite easy to run something like Jetty to provide a little web server that will allow launching JNLP files.

#6

[quote]…and has no option to de-sign them.
[/quote]
Now that feature would be handy.

Will.