Java 8 Update Expiry

April 22, 2015 - Programming

Java has had an interesting feature for some time, though I must question its implementation. Of course, Java has been the butt of many jokes about security flaws, and Oracle sought to keep customers secure by trying to make sure they are running the latest version. Now, personally, I think the best way to make Java secure is to not allow the software to be used by remote sources such as websites, but maybe I’m just old-fashioned. At any rate, they tried a nagging auto-updater which complained about Java being out of date. They tried having Java ‘expire’ based on looking at the website, at which point it would complain. Their latest work is to effectively hard-code an expiry date within the runtime, which practically forces that runtime to be uninstalled.

Keeping consumers up to date makes a lot of sense, and they should be given credit for their goal. But, as I said, their implementation does leave something to be desired. For example, if you install Java 8 Update 40, which expired last Tuesday (April 14th), it will install, and then after installation it will run the tool which uninstalls old versions. This tool is designed primarily to remove previous versions, to prevent possible vulnerabilities. Unfortunately, in that instance it finds that Java 8 Update 40 is “unsecure” and uninstalls it.

Great. Thanks. So I managed to install Java, then Java uninstalled itself immediately afterwards because it is unsecure. It receives points for honesty, I suppose. The solution, at that point, is to install a version that hasn’t expired. Unfortunately, this doesn’t at all solve the problem of deploying a Java runtime for applications. Now you need to make sure all clients are running the latest version and update packages include the latest Java installer, because the moment Oracle decides it’s old, that version will suddenly start uninstalling itself immediately after installation, leaving the system with no Java installed. Furthermore, this cycle repeats until either the prompt to uninstall unsecure versions is skipped, or you manually install a version that has not expired. Ideally, this process would be more automatic; that is, after all, practically what they are going for. I’m all for Oracle automatically updating the Java version, but I don’t think uninstalling Java and leaving no runtime at all, while arguably more secure that way, is a good outcome when your software deployment relies on Java.
