harmony-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Alexei Fedotov" <alexei.fedo...@gmail.com>
Subject Re: Visualizing JreLite
Date Wed, 05 Mar 2008 21:38:47 GMT
I believe signing is a must for self-installing systems. From the
other side for a light Java hosting which might be Johnny's use case
signing is not as important as SSL.

On 06 Mar 2008 00:31:23 +0300, Egor Pasko <egor.pasko@gmail.com> wrote:
> On the 0x3FE day of Apache Harmony Johnny Kewl wrote:
>  > > Do you expect any security issues here? How you are going to verify
>  > > that dynamically downloaded bits are 'original' bits (i.e. not
>  > > cracked) ?
>  >
>  > Software does not have to be signed... its not like an applet, its no more
>  > dangerous than a user deciding to download Harmony.
>
>  I disagree with you here. Security is still a matter of trust, right?
>  To install Harmony on my computer I need to trust the community, the
>  measure of trust might be different depending on what kind of machine
>  I would install it on.
>
>
>  > ie its a conscious click... besides, its someone elses application, the JRE
>  > cant do anything about that.
>  > If the primary supplier of the application wants to protect the user, they
>  > will make a SSL web page for instance.
>
>  no, SSL is damn slow, people will continue to prefer signing their packages
>
>
>  > As for the JVMLite pulling components from the server... the bootstrap can
>  > give the user the choice of SSL, or not.
>  > It must be a choice because if the server is used internal to a company,
>  > they dont need SSL.
>
>  there can be men-in-the-middle even inside companies
>
>
>  > There will be certified (well known servers), these are precoded into
>  > the JRELite bootstrap....
>  > If a third party wants to add a well known server, they need to ask.... (now
>  > my
>  > imagination is taking off ha ha) google can allocate
>  > a specific site (I have a feeling they will be interested ;) for the JreLite
>  > bootstrap... if someone wants to add a server, they have to
>  > ask IGI (IntelGoogleIbm) for permission for it to be added.... this means
>  > that if a server fails, the JreLiteBoot or JVM Resolver
>  > can retry a few servers before giving up....
>  > (now my imagination is flying) ... the servers contain PURE JAVA classes...
>  > BUT, if an organization wants to add more API
>  > to the server... say the ability for a programmer to program 911 calls into
>  > their programs... then IGI has to approve them
>  > .... an so the world is safe ;)
>
>  they approve what? do "they" need to approve each binary release of
>  each package? make sure there are no viruses, troyans, spyware?
>
>
>
>  > The application itself comes from whoever makes it and is placed on any
>  > medium... so what the servers are really serving
>  > is API, and so this must be safe.
>  >
>  > Uses I think must not be charged to use the servers, thats stupid... but
>  > there can be premuim services that come into
>  > play thru special API.... if you click, gimme a pitza in an app... you
>  > expect to pay ;)
>  >
>  > The signed sofware CA model is old and boring, please no... these servers
>  > fund themselves by selling
>  > API.... :)
>  > And then lets get the IT biz back to normal human biz models... they make
>  > extra money
>  > threw cool derivative services... that come from the API.
>  > Programmers can add a emergency help number to their code, if the user
>  > clicks it, a gorgeous
>  > blonde arrives at the door ;) etc etc
>  >
>  > .... and I'm sending IGI my consulting bill ;)
>  >
>  >
>  > > Thanks,
>  > > Stepan.
>  > >
>  > >> STARTUP
>  > >> ========
>  > >>
>  > >> The Bootstrap place JVMLite in its special folder location...
>  > >> Start... JVMLite -jar MyApp.JreLite
>  > >>
>  > >>
>  > >> RUNNING BOOTSTRAP
>  > >> ==================
>  > >>
>  > >> The application starts and it needs a swing... the JVM's resolver can
>  > >> determine this...
>  > >> It loads it.
>  > >>
>  > >> So the thing to really understand is that the application starts almost
>  > >> immediately but its "still"
>  > >> loading from the remote server, AS THE USER IS USING IT....
>  > >>
>  > >> It feels like Java started in 20 seconds and remember this is only the
>  > >> first (one time hit)...
>  > >> After that programs start "instantly"
>  > >>
>  > >> Also think about this.... if a user never goes to a part of the
>  > >> application that is not used... that never has to be loaded.
>  > >>
>  > >> Bottom Line
>  > >> =========
>  > >> If we can strip the JRE down to somewhere around 3 megs.... make the
>  > >> classes and fonts late binding... and put them on a deliver server.
>  > >> JRELite exists...
>  > >>
>  > >> The JVMLite work... is mainly in bridging the resolver with the ability
>  > >> to pull the require component down from the server.
>  > >> Where ever that font engine is hiding... it too has to bridged with the
>  > >> ability to pull a font down.
>  > >>
>  > >> The rest of the work... is in making the downloads fine grained... you
>  > >> let the JVM pull the classes it needs... NOT the whole Jar.
>  > >> So those Jars live on the server as a file structure...
>  > >>
>  > >> If the font needed is Gothic A, and that needs a Unicode DLL.... ONLY
>  > >> that moves over the wire...
>  > >>
>  > >> Yes... oh boy... they all packed into humongeuos file now.... that has
to
>  > >> be fine grained on the server.
>  > >>
>  > >> This works so well... you going to be shocked at how efficient Java
>  > >> becomes ;)
>  > >>
>  > >> Harmony is not far from this already.... the packaging just has to
>  > >> change.
>  > >>
>  > >> For now... just that needs to be done... complex optimizations can come
>  > >> later.
>  > >>
>  > >> ... I think ;)
>  > >>
>  > >
>  >
>  >
>
>  --
>  Egor Pasko
>
>



-- 
With best regards,
Alexei

Mime
View raw message