Newsmaker: Gosling looks down Sun's open road

newsmaker Openness breeds trust--and more secure software.

That's the message from the man known as the "father of Java," James Gosling. He's still at Sun Microsystems working on software development tools and aligning the strategies for the language and platform he created more than a decade ago.

Silicon.com recently caught up with Gosling to discuss Sun's decision to release Java under the GPL (General Public License), whether open source is more secure than proprietary software, how IT departments can cut development costs, and why Microsoft still owns the desktop.

Q: Sun has come to embrace open source. Why did you take that open approach with Java?
Gosling: With Java it was a couple of things. One is to get people to use it in the largest number of places, to get people to do ports to platforms and various things.

One of the biggest reasons for me has been that we then get a lot more collaboration with the community--people doing everything from bug fixes to security audits. One of the reasons Java has such a great security story is that we've had lots and lots of people stare at the source code.

"(Open source is) the only way that you can come to trust a piece of software."

We do an immense amount of testing and design work, but none of that is anywhere near as good as having thousands of talented eyeballs just stare at it and think about it.

But it's only recently--last November--that Sun announced it'll release Java under the GPL, a standard open-source license.
Gosling: For the longest time, all of the source code for Java has been available to everyone. And until recently it came with a license that said: "The source is open but you can't redistribute the results of any of your changes without passing the test suite."

We got a lot of flak from the open-source community about that. We got to the point where it was clear that the market pressures were strong enough around testing and interoperability and reliability that the clause in the license was not hugely useful. So we switched to using the GPL license.

When will the switch to the GPL happen?
Gosling: We're still in the process of implementing it. We expect the process to be pretty much complete by May.

Do you believe that an open-source development model is inherently better for security?
Gosling: Oh yeah. Because it's the only way that you can come to trust a piece of software. Security is a very different kind of thing to test because in security you're not trying to test that the thing you built works. You have to do that but you have to figure out--are there any cracks? Are there any flaws at the design level? And there aren't automated testing techniques (for that). There's nothing that replaces somebody putting on a black hat and saying, "OK, I'm gonna try to break you." And then they do.

Ten years ago people were breaking into Java now and then, but always in a spirit of co-operation. We had a number of people find chinks in the armor which we fixed almost immediately. There's not been a single incident of actual loss due to a security issue. There is no Java antivirus software because it's not necessary. We've had 12 years of intense scrutiny by experts all over the world.

It can be hard for people who design--whether it's a language or software or a platform--to anticipate all the different angles for someone trying to break into it.
Gosling: Exactly. So when you build tests, the tests are inherently limited by what you think they're going to do to break in. You can build tests to make sure any of the break-in techniques you know of are stopped. And you can sit around scratching your head thinking of new ways to break into things. But you're not going to be anywhere near as creative as thousands of grad students out there adding a chapter to their Ph.D. thesis.

Do you think we'll see more use of open source in the enterprise as time goes on?
Gosling: Yeah. It's sort of gotten to the point where it's hard to imagine people using more because so much already is (used)--everything from open-source operating systems to databases to programming languages to development tools. It's getting to the point where there's not much left. There are some areas like large-scale databases and ERP (where) there aren't any really serious open-source ERP (enterprise resource planning) solutions. They're getting there.

What do you see as the biggest security threat to enterprises?
Gosling: The No. 1 biggest threat to enterprises is the inherent fallibility and laziness of humans. We can make the software as solid as we can, but if someone says the root password of the machine is "nothing," anyone can walk in and (log onto the machine).

More Newsmakers

[Shef Seattle]

Tired of Java updates

The laptop I bought has somehow JRE pre-installed. I was tired of contact Java updates and so I just uninstalled it. It is no different than Windows; it constantly needs updating. Just another headache.

[stephenwalli]

Living on the "edge of collapse" is GOOD!

The sort of enablement he describes on the second page is a good thing. All our advances in languages and tools are about developing more (better) software by writing less code. From higher level (compiled) languages, to modules, libraries, objects (and distributed objects), scripting languages, web services, visualization, configuration management, and automated build and delivery, it's all about enablement. Every time we double the speed or transistor density of a chip, or the bandwidth on the Net, we come up with new and interesting applications to devour it. So too with human capacity.

http://stephesblog.blogs.com/my_weblog/2007/03/it_departments_.html

[Blito]

Liberalese

Well theres definite la divide in Mac and Linux users.
MS gets the job done of running software but in a conservative sense it's quite boring to some. I like that boring steel structure that you know will run what you want it to run. I don't haev to use anti virus with MS and certainly not Vista.