Two TCKs for Eclipse – What is really in it for Open Source?

Back in May Oracle awarded a Compatibility Testing Scholarship to the Eclipse Foundation. This got some attention in the media over the last few days and I just wanted to make sure that I shine some light on the whole process and the action in detail. What looks like a simple and honest gift at first sight actually has more aspects to it. But let's start at the beginning:

Technology Compatibility Kit
Both Java as a language and the various platforms on top (Java SE, Java EE, Java ME) are developed under the Java Community Process (JCP). Each JSR (Java Specification Request) includes an EG (Expert Group), a bunch of documents and of course a reference implementation (RI) and a corresponding TCK (Technology Compatibility Kit). The TCK can be executed against implementations and checks them for compliance with the specification. So it basically is the code equivalent of the specification document. Most TCKs consist of a bunch of test cases as well as a "test harness" which executes the tests. If there is a TCK per JSR it is safe to assume that there are at least as many TCKs available as we have active JSRs in the JCP. But that is only a theoretical thought. Practically there aren't. At least not publicly available. Besides JBatch, CDI and Bean Validation I can't think of much more. And those are only part of the Java EE platform which has at least 28 specifications. The majority of TCKs unfortunately is under lock and key at Oracle. But why? The main reason for this is that the TCKs are also used as a tool for the platform certification. Successfully running a TCK against an implementation proves its correctness and with that somehow its compliance.

What does platform certification actually mean?
The platform compatibility is an excellent advert for products. The Java EE compatibility list is a Who-is-Who of the Java EE server market. If you're not on that list with your product you basically don't have a chance of being recognized. With Apache Tomcat being the only known exception to that rule. But what does it take to get the certification? For Java EE there is the Java EE Compatibility Test Suite (CTS) which probably consists of little more than the sum of the individual TCKs. Honestly I have not seen it. You have to become a licensee of Oracle to get access to it. And this is exactly where it is starting to become expensive. I do not know how expensive exactly but once you have paid you can access the CTS through the Java Partner Engineering web site. There is only one alternative way of getting hands on the CTS. Going through the Compatibility Testing Scholarship Program which is a way for non-profit organizations and individuals to apply for a free-of-charge CTS. The requests are judged by a review board. There is a PDF out there which explains how this process exactly works. Besides the ASF various other organizations and individuals gained access to individual TCKs and CTS as of today. Now that you know about the basic program and certification it is easier to look at the details for the two Eclipse projects that have been granted a CTS Scholarship. I need to preface the following with a little disclaimer. I can only draw my conclusions from what is publicly known. I don't have any insights or further information on the reasons behind. It might be much simpler than what I came up with ...

EclipseLink - the JPA Reference Implementation
According to the press release from early May Oracle demonstrates its "commitment to Java developers and the open source community" by granting access to two TCKs and related support services to the Eclipse Foundation. Time to start wondering. Wasn't EclipseLink the RI for JPA? What exactly are they doing if not building the TCK for JPA themselves, right? Why do they need a license?
EclipseLink has its roots in TopLink. Anyone who knows the history of TopLink knows that this is a relatively old product that belonged to WebGain before it was acquired by Oracle. WebGain was a strong Eclipse supporter and even a member of the Board of Directors back in 2002. Only five years after its acquisition by Oracle TopLink was donated to the Eclipse Foundation and has been there ever since. EclipseLink is available under the EPL 1.0. The project itself does not contain the TCK. A difficult situation for an RI. Looking at the list of committers isn't really exciting. 30 people. And only one non-Oracle. Why do I believe that this team actually owns the TCK (Oracle internally) and even develops it? Strictly speaking, EclipseLink has a license that doesn't fit the TCK licensing rules. Granting the Scholarship license here simply corrects some legal issues in that constellation.

Virgo - the Java EE Web Profile Server
But for Virgo the granted license really makes a difference, right? Maybe. Virgo is the former Spring dm server which was donated to the Eclipse Foundation by SpringSource back in 2010. The list of committers paints a different picture than the TopLink list. It is not just SAP behind every name. Committers spread equally among three companies: SAP, Pivotal and Tasktop Technologies. The latter has an interesting management board. Former SpringSource COO Neelan Choksi and Rod Johnson himself are members. This might indicate that Pivotal has a little more influence on the project than SAP. Anyway, both companies are most likely not big Oracle buddies. The scholarship license isn't a gift for them obviously. In fact, Virgo is already Java EE 6 certified. However, under another name. The SAP NetWeaver Cloud has built its Java EE 6 Web Profile offering on Virgo. So SAP has probably acquired a license from Oracle and certified Virgo themselves. I don't know for sure but someone could have come up with the idea that it is cheaper to use an already certified server instead of paying the annual royalties year by year. Given the fact that the Eclipse Foundation is a non-profit organization it was easy to apply for the Scholarship program to get this sorted. At least in this case there is a positive side-effect. Virgo now has the chance of becoming another Java EE certified server. SAP already has proven that it is possible. Sooner or later the community will earn the profit by probably having a new EE 7 certified OSS server.

But it is a positive sum below the line, right?
Two new projects gained access to the TCK of the specification they are implementing. That is positive. Looking at the total sum of publicly available TCKs it is still frustrating. Especially in the EclipseLink case it is frustrating because the TCKs may not at all be available in public. An elongated discussion on the JPA mailing list from last year discusses this problem a bit and illustrates the drawbacks. Although it is getting better with the changes made by the JSR-348. We're still not there. In fact I expect that the TCKs are available to all interested parties. This would improve quality of the specifications and the reference implementations by finding holes in the specs and also inadequately tested areas of RIs. Both will prevent many errors from affecting users. A key part of JSR 358 is the work done towards a new licensing model for TCKs. An accompanying Java.net project contains all the discussion materials and is publicly accessible. Everyone is free to join the discussion and express his or her opinion. The Observer mailing list is available to any registered java.net user. If you're interested in the view of CloudBees, Red Hat and IBM on licensing issues you can find some more material on the presentations page. Oracle itself proposes to proceed with standard TCK licensing models in the future version of the JCP:
"TCKs for all future JSRs must be made available for certification and branding purposes under one or more of the Approved Open Source Licenses and / or a Standard Commercial TCK License. The TCK for all future non-umbrella JSRs must be made available to all Participants in the relevant RI open source project under a standard JCP Community TCK License." (Source: Oracle's Proposal for JSR 358, PDF, pages 15 +16)
That would be a step in the right direction and would truly help the open source community. Whether the granted TCKs are a gift or not: It simply isn't enough to cure today's problems. We need a general change if it should be better in the future.

Island News – New German Java Blog

This blog has its fans and I am very thankful for them. But one little drawback always has been that I blog in English. And I like it the way it is. But as a German there is always the need to spread the word out to the German Java Community.
And in order to do this in my native language the idea was born to actually run a German blog. Naughty, isn't it? :) It probably wouldn't be an option to simply set up a translated version of this blog. Nobody would want that. Especially not me. But German publishing house Heise was so kind to offer me a nice place on their developer website. This is where I will be blogging about news from the Island of Java. In German. It will be a mix of technical and non-technical topics. Mostly like I try to do it here. So if you're interested in reading about my rumblings with Java and the latest news from the community in German: Head over there and please don't forget to give feedback. I love to hear about what you want to read.

The Heroes of Java: Kevlin Henney

The "Heroes of Java" series is back after a longer break. I'm somehow surprised about this interview. I occasionally run into Kevlin at conferences. And it is amazing to see him on stage. Asking him at last year's JavaZone was simple. Waiting nearly a year for the answers made me believe this is not going to happen. But it did. Thanks Kevlin! "Inbox 2!" :)

Kevlin Henney is an author, presenter, and consultant on software development. He has written on the subject of computer programming and development practice for many magazines and sites, including Better Software, The Register, C/C++ Users Journal, Application Development Advisor, JavaSpektrum, C++ Report, Java Report, EXE, and Overload. He is a member of the IEEE Software Advisory Board. Henney is also coauthor of books on patterns and editor of 97 Things Every Programmer Should Know.

General part
Who are you? (Describe yourself in max three sentences)
I am a software development consultant and trainer. I write and speak at conferences. I live in transit, online and, sometimes, at home in Bristol.

Your official job title at your company?
Anything I want it to be! One of the advantages of working for myself. That said, I have no reason to want or use one, so the only official title I've ever used is director, because legally that is what I am.

Do you care about it?
My job title? No. I've worn, worn through and outgrown many job titles, and have not found them to be a particularly useful currency. They are largely an organisational fetish.

Do you speak foreign languages? Which ones?
Yes. I'm part Brazilian, so I can speak and read Portuguese, although not with the fluency I'd like. My grammar and idiom are clumsy, my vocabulary doesn't extend to being able to hold technical conversations and my written skills are appalling! I have modest comprehension of French, German and Spanish, with varying degrees of fluency and incompetence. But I can order wine and beer in more languages than the ones I've just listed.

How long is your daily "bootstrap" process? (Coffee, news, email)
It can be anything from an hour to a whole day.

Twitter
You have a twitter handle? Why?
It's hard to use Twitter effectively without one... [Ed: @KevlinHenney]

Whom are you following in general?
A mix of friends, software developers, speakers, authors, miscellaneous geeks, science sites, news and business sources, writing journals, etc.

Do you have a personal "policy" for twitter?
I try to avoid being negative, so unless I can find humour or something constructive in a complaint, I'm not likely to tweet it. I prefer to stick to matters of technical and geeky interest, which sometimes means science, sometimes means code and sometimes is about one of my other interests, typically creative writing.

Does your company restrict or encourage you with your twitter usage?
I'm very fair with my employee. And my employer is very fair with me.

Work
What's your daily development setup? (OS/IDE/VC/other Tools)
I normally carry a Windows laptop, although I have a few other things lying around at home from tablets to a Chromebook to old laptops in various states of old and odd OSs. Windows 8 is surprisingly good if you're a person who lives by keyboard shortcuts. I don't possess a mouse and I've found the touch screen to be surplus to requirements.

As I don't specialise in developing every day and I deal with different languages in varying amounts, I have a mix of things installed and in use, from Eclipse to Visual Studio, from Java to Python. Some of these are for serious work and some are just for messing around with. An essential feature is some variation of Cygwin for command-line tools, although I also use PowerShell and the Ch shell. When it comes to editors outside the IDE I am likely to be found using Vim, Notepad2 or Notepad++.

Which is the tool providing most productivity to your work?
Realistically, given the number of hours in the day I spend using them, the award for most productive tool is going to go to one of Gmail, Chrome or PowerPoint!

Your preferred way of interacting with co-workers?
As I don't strictly speaking have any co-workers, I guess that my interactions are primarily around courses, workshops, meetings, etc. I prefer face-to-face interaction or email. I don't particularly like the phone and variations on that theme (e.g., Skype). These monopolise time without giving you either the presence and feedback of face-to-face interactions or the precision and asynchronicity of email.

What's your favorite way of managing your todo's?
Crossing them out! Seriously though, I prefer a physical list on A5 paper or index cards, with reminders for time-related events scattered throughout my calendar. I also use my inbox as a to-do list.

If you could make a wish for a job at your favorite company: What would that be?
I'll let you know when I know!

Java
You're programming in Java. Why?
It offers a reasonable object-oriented lingua franca.

What's least fun with Java?
Either the verbosity or the type model.

If you could change one thing with Java, what would that be?
Less the language, more the development model: the reactive, snail's pace evolution of the language.

What's your personal favorite in dynamic languages?
Possibly Python, because of cleanliness, regularity and the proximity of the Pythonic ideal to functional programming. I've used it a little with my children. Without any dressing up in a hand-holding environment it offers a good entry level for non-programmers as well as being powerful and expressive for programmers.

Alternatively, I have a growing appreciation for PowerShell. I've always had a soft spot for shell scripting, and what I've learnt about PowerShell has impressed me. It has made some good design decisions and well considered compromises, leaving it with a regular model and expressive syntax.

And somewhere I will always have a soft spot for Lisp, although I haven't been doing much more than watching the recent renaissance of its family.

Which programming technique has moved you forwards most and why?
In my career and in my thinking there is little doubt that object-oriented programming gave me the greatest boost forward and the most insights, also helping to open up other approaches to programming once I realised the questions I could be asking of any approach. I first started getting into OOP around the time I was programming in Fortran and C, nearly quarter of a century ago.

I really wish more people understood OO, because it would certainly stop them writing most of the Java legacy they are currently creating, and it would make them less surprised by functional programming when they properly understood that approach as well.

What was the biggest project you've ever worked on?
In terms of lines of code and potential effect on everyday life, I guess the biggest may have been a project I worked on many years ago to develop software to monitor and control electric power distribution. I have consulted on and contributed to larger systems, but have not been involved in developing those beyond short-term engagements.

Which was the worst programming mistake you made?
To the best of my knowledge, nothing catastrophic! Which suggests that I have yet to make my greatest programming mistake.

The Heroes of Java: Kevlin Henney

The "Heroes of Java" series is back after a longer break. I'm somehow surprised about this interview. I occasionally run into Kevlin on conferences. And it is amazing to see him on stage. Asking him at last year's JavaZone was simple. Waiting nearly a year for the answers made me believe this is not going to happen. But it did. Thanks Kevlin! "Inbox 2!" :)

Kevlin Henney 
is an author, presenter, and consultant on software development. He has written on the subject of computer programming and development practice for many magazines and sites, including Better Software, The Register, C/C++ Users Journal, Application Development Advisor, JavaSpektrum, C++ Report, Java Report, EXE, and Overload. He is a member of the IEEE Software Advisory Board. Henney is also coauthor of books on patterns and editor of 97 Things Every Programmer Should Know.

General part
Who are you? (Describe yourself in max three sentences)
I am a software development consultant and trainer. I write and speak at conferences. I live in transit, online and, sometimes, at home in Bristol.

Your official job title at your company?
Anything I want it to be! One of the advantages of working for myself. That said, I have no reason to want or use one, so the only official title I've ever used is director, because legally that is what I am.

Do you care about it?
My job title? No. I've worn, worn through and outgrown many job titles, and have not found them to be a particularly useful currency. They are largely an organisational fetish.

Do you speak foreign languages? Which ones?
Yes. I'm part Brazilian, so I can speak and read Portuguese, although not with the fluency I'd like. My grammar and idiom are clumsy, my vocabulary doesn't extend to being able to hold technical conversations and my written skills are appalling! I have modest comprehension of French, German and Spanish, with varying degrees of fluency and incompetence. But I can order wine and beer in more languages than the ones I've just listed.

How long is your daily "bootstrap" process? (Coffee, news, email)
It can be anything from an hour to a whole day.

Twitter
You have a twitter handle? Why?
It's hard to use Twitter effectively without one... [Ed: @KevlinHenney]

Whom are you following in general?
A mix of friends, software developers, speakers, authors, miscellaneous geeks, science sites, news and business sources, writing journals, etc.

Do you have a personal "policy" for twitter?
I try to avoid being negative, so unless I can find humour or something constructive in a complaint, I'm not likely to tweet it. I prefer to stick to matters of technical and geeky interest, which sometimes means science, sometimes means code and sometimes is about one of my other interests, typically creative writing.

Does your company restricts or encourages you with your twitter usage?
I'm very fair with my employee. And my employer is very fair with me.

Work
What's your daily development setup? (OS/IDE/VC/other Tools)
I normally carry a Windows laptop, although I have a few other things lying around at home from tablets to a Chromebook to old laptops in various states of old and odd OSs. Windows 8 is surprisingly good if you're a person who lives by keyboard shortcuts. I don't possess a mouse and I've found the touch screen to be surplus to requirements.

As I don't specialise in developing every day and I deal with different languages in varying amounts, I have a mix of things installed and in use, from Eclipse to Visual Studio, from Java to Python. Some of these are for serious work and some are just for messing around with. An essential feature is some variation of Cygwin for command-line tools, although I also use PowerShell and the Ch shell. When it comes to editors outside the IDE I am likely to be found using Vim, Notepad2 or Notepad++.

The Heroes of Java: Kevlin Henney

The "Heroes of Java" series is back after a longer break. I'm somehow surprised about this interview. I occasionally run into Kevlin at conferences. And it is amazing to see him on stage. Asking him at last year's JavaZone was simple. Waiting nearly a year for the answers made me believe this is not going to happen. But it did. Thanks Kevlin! "Inbox 2!" :)

Kevlin Henney is an author, presenter, and consultant on software development. He has written on the subject of computer programming and development practice for many magazines and sites, including Better Software, The Register, C/C++ Users Journal, Application Development Advisor, JavaSpektrum, C++ Report, Java Report, EXE, and Overload. He is a member of the IEEE Software Advisory Board. Henney is also coauthor of books on patterns and editor of 97 Things Every Programmer Should Know.

General part
Who are you? (Describe yourself in max three sentences)
I am a software development consultant and trainer. I write and speak at conferences. I live in transit, online and, sometimes, at home in Bristol.

Your official job title at your company?
Anything I want it to be! One of the advantages of working for myself. That said, I have no reason to want or use one, so the only official title I've ever used is director, because legally that is what I am.

Do you care about it?
My job title? No. I've worn, worn through and outgrown many job titles, and have not found them to be a particularly useful currency. They are largely an organisational fetish.

Do you speak foreign languages? Which ones?
Yes. I'm part Brazilian, so I can speak and read Portuguese, although not with the fluency I'd like. My grammar and idiom are clumsy, my vocabulary doesn't extend to being able to hold technical conversations and my written skills are appalling! I have modest comprehension of French, German and Spanish, with varying degrees of fluency and incompetence. But I can order wine and beer in more languages than the ones I've just listed.

How long is your daily "bootstrap" process? (Coffee, news, email)
It can be anything from an hour to a whole day.

Twitter
You have a twitter handle? Why?
It's hard to use Twitter effectively without one... [Ed: @KevlinHenney]

Whom are you following in general?
A mix of friends, software developers, speakers, authors, miscellaneous geeks, science sites, news and business sources, writing journals, etc.

Do you have a personal "policy" for twitter?
I try to avoid being negative, so unless I can find humour or something constructive in a complaint, I'm not likely to tweet it. I prefer to stick to matters of technical and geeky interest, which sometimes means science, sometimes means code and sometimes is about one of my other interests, typically creative writing.

Does your company restrict or encourage your Twitter usage?
I'm very fair with my employee. And my employer is very fair with me.

Work
What's your daily development setup? (OS/IDE/VC/other Tools)
I normally carry a Windows laptop, although I have a few other things lying around at home from tablets to a Chromebook to old laptops in various states of old and odd OSs. Windows 8 is surprisingly good if you're a person who lives by keyboard shortcuts. I don't possess a mouse and I've found the touch screen to be surplus to requirements.

As I don't specialise in developing every day and I deal with different languages in varying amounts, I have a mix of things installed and in use, from Eclipse to Visual Studio, from Java to Python. Some of these are for serious work and some are just for messing around with. An essential feature is some variation of Cygwin for command-line tools, although I also use PowerShell and the Ch shell. When it comes to editors outside the IDE I am likely to be found using Vim, Notepad2 or Notepad++.

Which is the tool providing most productivity to your work?
Realistically, given the number of hours in the day I spend using them, the award for most productive tool is going to go to one of Gmail, Chrome or PowerPoint!

Your preferred way of interacting with co-workers?
As I don't strictly speaking have any co-workers, I guess that my interactions are primarily around courses, workshops, meetings, etc. I prefer face-to-face interaction or email. I don't particularly like the phone and variations on that theme (e.g., Skype). These monopolise time without giving you either the presence and feedback of face-to-face interactions or the precision and asynchronicity of email.

What's your favorite way of managing your to-dos?
Crossing them out! Seriously though, I prefer a physical list on A5 paper or index cards, with reminders for time-related events scattered throughout my calendar. I also use my inbox as a to-do list.

If you could make a wish for a job at your favorite company: What would that be?
I'll let you know when I know!

Java
You're programming in Java. Why?
It offers a reasonable object-oriented lingua franca.

What's least fun with Java?
Either the verbosity or the type model.

If you could change one thing with Java, what would that be?
Less the language, more the development model: the reactive, snail's pace evolution of the language.

What's your personal favorite in dynamic languages?
Possibly Python, because of cleanliness, regularity and the proximity of the Pythonic ideal to functional programming. I've used it a little with my children. Without any dressing up in a hand-holding environment it offers a good entry level for non-programmers as well as being powerful and expressive for programmers.

Alternatively, I have a growing appreciation for PowerShell. I've always had a soft spot for shell scripting, and what I've learnt about PowerShell has impressed me. It has made some good design decisions and well considered compromises, leaving it with a regular model and expressive syntax.

And somewhere I will always have a soft spot for Lisp, although I haven't been doing much more than watching the recent renaissance of its family.

Which programming technique has moved you forwards most and why?
In my career and in my thinking there is little doubt that object-oriented programming gave me the greatest boost forward and the most insights, also helping to open up other approaches to programming once I realised the questions I could be asking of any approach. I first started getting into OOP around the time I was programming in Fortran and C, nearly quarter of a century ago.

I really wish more people understood OO, because it would certainly stop them writing most of the Java legacy they are currently creating, and it would make them less surprised by functional programming when they properly understood that approach as well.

What was the biggest project you've ever worked on?
In terms of lines of code and potential effect on everyday life, I guess the biggest may have been a project I worked on many years ago to develop software to monitor and control electric power distribution. I have consulted on and contributed to larger systems, but have not been involved in developing those beyond short-term engagements.

What was the worst programming mistake you ever made?
To the best of my knowledge, nothing catastrophic! Which suggests that I have yet to make my greatest programming mistake.

Java SE 7 Update 25 – Release-Notes explained.

Yesterday was CPU day. Oracle released Java SE 7 Update 25 with the June Java Critical Patch Update. After the last major update in April, this is the last one that does not fit into the Oracle Critical Patch Update schedule shared by all other Oracle products. Starting in October 2013, Java security fixes will follow the cycle of four security releases per year. But don't panic: Oracle will retain the ability to issue emergency “out of band” security fixes through the Security Alert program. Furthermore, this is the first CPU which will not publicly update the Java SE 6 family. If you need an update for that JRE family, you need Oracle's Java SE Support. Going down this road brings you Java SE 6u51.

The Management Summary
This release was announced some time ago and addresses 40 vulnerabilities with fixes across Java SE products. 37 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. Four of them are applicable to server deployments (CVE-2013-2451, CVE-2013-2457, CVE-2013-2407, CVE-2013-2461). A complete list is shown in the Oracle Java SE Risk Matrix. The expiration date for JRE 7u25 is November 15, 2013. After that date, clients start showing warnings that the JRE is too old.

I'm an End-User. What's new?
(Source: Oracle Docs)
Not very much this time. Two small improvements which should not impact you too much.
Before signed Java applets and Java Web Start applications are run, the signing certificate is checked to ensure that it has not been revoked. Advanced options in the Java Control Panel (JCP) can be set to manage the checking process. These online checks might not work at all in enterprise environments, or they might slow down startup. To avoid both problems, the check can now be disabled. Make this decision carefully and disable the check only in managed environments, because doing so weakens the overall security protection.

(Source: Oracle Docs)
Furthermore, the security dialogs have been enhanced with a "more information" link. Whenever you hit an insecure configuration, you are presented with the warning dialogs introduced with 7u21, which now carry an additional link.

If you haven't been prompted to update, you should do so as soon as possible. Download the JRE for your system from java.com and be up-to-date!

I'm a Developer! Tell me the dirty news!
No dirty or unannounced news this time. But again, you still have a couple of things to take care of. First of all, this release brings the new Olson Data 2013b, which is a good thing even if we have the TZUpdater back.

An important bug regarding signed jars was fixed. With 7u21, signed jars could be loaded without any unsigned warning if they contained an unsigned index.list entry. This is no longer true with 7u25. To sign a jar properly, the index entries must be created before the jar is signed. For more information see bug 8016771.

The JDK 7u25 release introduces the Permissions and Codebase attributes in the JAR manifest file. The Permissions attribute is used to verify that the permissions level requested by the RIA when it runs matches the permissions level that was set when the JAR file was created. The values sandbox and all-permissions are valid. The value must match the permissions level requested in the JNLP file or the applet tag.
The Codebase attribute is used to restrict the code base of the JAR to specific domains. Set this attribute to either the domain name or the IP address where the application is located. A port number can also be included. For multiple locations, separate the values with a space. An asterisk (*) can be used as a wildcard only at the beginning of the domain name. The value of the Codebase attribute must match the code base specified in the JNLP file or the applet tag, or the actual location from which the app is accessed.
If either or both of these requirements are not met, an error is shown and the application is not run. If the Permissions or Codebase attribute is not present, a warning is written to the Java Console and the permissions/codebase specified for the applet tag or JNLP file is used. This behavior is most likely going to change and be handled more restrictively in the future. If you want more examples, have a look at the SE 7 technote.
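To see which of your own JARs would trigger the warning or the error described above, here is a small audit script. It is an added example, not code from Oracle or from the original post. The function names, the sample manifests, and the matching semantics (a leading `*.` covers any subdomain, a port in the manifest must equal the port in the launch URL, host names and IPv4 only) are assumptions made for illustration.

```python
import io
import zipfile
from urllib.parse import urlsplit

VALID_PERMISSIONS = {"sandbox", "all-permissions"}  # the two values the release notes allow

# Constructed sample manifests (not taken from any real application).
GOOD = ("Manifest-Version: 1.0\r\nPermissions: sandbox\r\n"
        "Codebase: *.example.com 192.0.2.10\r\n :8080\r\n\r\n")  # value wrapped onto a second line
LEGACY = "Manifest-Version: 1.0\r\nCreated-By: constructed sample\r\n\r\n"
BAD_WILDCARD = ("Manifest-Version: 1.0\r\nPermissions: sandbox\r\n"
                "Codebase: apps.*.example.com\r\n\r\n")


def main_attributes(manifest: bytes) -> dict:
    """Parse the main section of a MANIFEST.MF into {lower-case name: value}."""
    attrs, last = {}, None
    for line in manifest.decode("utf-8").splitlines():
        if not line:                        # a blank line ends the main section
            break
        if line.startswith(" ") and last:   # continuation of a wrapped value
            attrs[last] += line[1:]
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()         # attribute names are case-insensitive
        attrs[last] = value[1:] if value.startswith(" ") else value
    return attrs


def entry_matches(entry: str, host: str, port) -> bool:
    """Assumed semantics: '*.example.com' covers subdomains; a given port must match."""
    pattern, _, want_port = entry.partition(":")
    if want_port and str(port) != want_port:
        return False
    if pattern.startswith("*"):
        return host.endswith(pattern[1:])
    return host == pattern


def audit(manifest: bytes, requested_permissions: str, launch_url: str) -> list:
    """Return (severity, message) findings for one manifest.

    'error' mirrors the case where the application is not run,
    'warning' the case where the attribute is absent.
    """
    attrs = main_attributes(manifest)
    url = urlsplit(launch_url)
    host = url.hostname or ""
    findings = []

    perms = attrs.get("permissions", "").strip()
    if not perms:
        findings.append(("warning", "Permissions missing; JNLP/applet value is used"))
    elif perms not in VALID_PERMISSIONS:
        findings.append(("error", f"Permissions has invalid value {perms!r}"))
    elif perms != requested_permissions:
        findings.append(("error", f"Permissions {perms!r} but launcher requests "
                                  f"{requested_permissions!r}"))

    entries = attrs.get("codebase", "").split()   # multiple locations: space separated
    if not entries:
        findings.append(("warning", "Codebase missing; JNLP/applet value is used"))
    elif any("*" in e[1:] for e in entries):      # wildcard only at the very beginning
        findings.append(("error", "Codebase wildcard not at start of domain name"))
    elif not any(entry_matches(e, host, url.port) for e in entries):
        findings.append(("error", f"Codebase {entries} does not cover {launch_url}"))
    return findings


def audit_jar(jar: bytes, requested_permissions: str, launch_url: str) -> list:
    """Read META-INF/MANIFEST.MF from a JAR (a zip archive) and audit it."""
    with zipfile.ZipFile(io.BytesIO(jar)) as zf:
        return audit(zf.read("META-INF/MANIFEST.MF"), requested_permissions, launch_url)


def make_jar(manifest_text: str) -> bytes:
    """Build an in-memory JAR holding only a manifest, for the samples above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest_text)
    return buf.getvalue()


if __name__ == "__main__":
    for label, text in (("good", GOOD), ("legacy", LEGACY), ("bad wildcard", BAD_WILDCARD)):
        print(label, audit_jar(make_jar(text), "sandbox", "https://apps.example.com/demo/"))
```

For real files, pass the bytes of each JAR together with the permissions level and codebase taken from the JNLP file or applet tag that launches it.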

If you're hosting Javadoc somewhere, make sure to regenerate it with the latest Javadoc tool. As stated in CVE-2013-1571, API documentation in HTML format generated by the Javadoc tool that contains a right frame may be vulnerable to frame injection when hosted on a web server. If you can't regenerate it, use the new Updater Tool, which is NOT contained in the SDK/JRE bundles.

Since 7u21, the decoding of command strings passed to java.lang.ProcessBuilder and to the exec methods defined by java.lang.Runtime has been stricter on Windows platforms. 7u25 brings a new system property, jdk.lang.Process.allowAmbigousCommands, which relaxes the checking process and may be used as a workaround for applications that are affected by the stricter validation. To use this workaround, either add -Djdk.lang.Process.allowAmbigousCommands=true to the command line, or have the Java application set the system property jdk.lang.Process.allowAmbigousCommands to true.

Furthermore, there have been a lot of bug fixes which directly address CVEs. A complete, explained list is available in text form.

Further Readings
The official announcement on the Java Blog:
https://blogs.oracle.com/java/entry/java_se_7_update_25
The 7u25 Release-Notes:
http://www.oracle.com/technetwork/java/javase/7u25-relnotes-1955741.html
Overview April Java CPU:
http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html
Patch Availability Document for Oracle Java SE June CPU:
https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1560542.1
Java SE 6 Downloads:
http://www.oracle.com/technetwork/java/javasebusiness/downloads/java-archive-downloads-javase6-419409.html

