leJOS.org

[moosooboo]

Is it possible to compile leJOS programs using an online Java compiler for the Java parts of the compile, link and upload?

Online compilers such as http://ideone.com/api or https://compilr.com/ which have APIs for direct access to the compiler, not pasting code into the web based editor. I've googled about trying to find using a url in the environment variables rather than a local path, but can't find anything. Other ways?

Reason: I want to code on OS X 10.8, but no Java there and would rather not install it due to all security issues (yes, I get they have mostly been the plugin, not the JVM, but I am paranoid about security on my main computer and it remains to be seen what is still to come out:-) I'd code in an editor such as Sublime Text as no Java = no Eclipse.

Sorry if it is a dumb question, I am curious.

[skoehler]

Well, I guess those online compilers don't have the leJOS linker on their servers. And then there might be issues with settings the boot classpath. I haven't tried though.
You need a computer to run the leJOS linker, even if you were able to generate the *.class files. Hence you need a JVM.

I have to say, that you're pretty paranoid. Maybe, you should set up a virtual machine to play with leJOS?

[moosooboo]

Well, I guess those online compilers don't have the leJOS linker on their servers. And then there might be issues with settings the boot classpath. I haven't tried though.
You need a computer to run the leJOS linker, even if you were able to generate the *.class files. Hence you need a JVM.

Fair enough, thanks for your reply. Where can I find more detailed info on the leJOS compile process?

I have to say, that you're pretty paranoid. Maybe, you should set up a virtual machine to play with leJOS?

Paranoid? Yep. I have an interest in computer security, not a technical knowledge, but the whole field is like a spy novel, I find it fascinating. There are some really clever people, on all sides, work like http://adamcecc.blogspot.ru/2011/01/javascript.html amazes me technically, never mind the social and nationstate aspects. The problem with Java IMHO is that all the known security problems have been related to the browser plugin, but reading what security reports there are from researchers about the current Java issues, they recommend the removal or avoidance of all Java (on the desktop) if it is not needed. OK, that is kind of standard security advice, if you are not using 'something' (service, port, plugin, etc) then the 'vector' should be closed or removed. Given the appalling job that Oracle is doing with managing the Java plugin security, then I wonder what other skeletons (zero days) are still to pop out the closet. Very FUD, but in the absence of hard evidence I prefer to play it safe till there are a few more facts. I don't know really, what do you think?

Yes, currently running in a VM.

[skoehler]

The problem with Java IMHO is that all the known security problems have been related to the browser plugin, but reading what security reports there are from researchers about the current Java issues, they recommend the removal or avoidance of all Java (on the desktop) if it is not needed.

Who is actually giving the advice of not having Java on the computer AT ALL for security reasons?
Because, recently, as you say, only the Java plug-in has been in the news. And how does the "not being able to confine an applet to its sandbox" relate to any other Java application that is not an applet? Because non-applet Java application don't run in a sandbox at all. Just as most of your programs do.

[moosooboo]

General background:
arstechnica.com/security/
schneier.com

Specific articles:
http://www.zdnet.com/homeland-security-warns-to-disable-java-amid-zero-day-flaw-7000009713/
npr.org/blogs/thetwo-way/2013/01/14/169338707/java-security-flaw-is-repaired-experts-still-recommend-disabling-it
https://krebsonsecurity.com/2013/01/oracle-ships-critical-security-update-for-java/ - It’s nice that Oracle fixed this vulnerability so quickly, but I’ll continue to advise readers to junk this program altogether unless they have a specific need for it'

Department of Homeland Security recommends
https://www.us-cert.gov/cas/techalerts/TA13-051A.html - Some vulnerabilities affect stand-alone Java applications, depending on how the Java application functions and how it processes untrusted data.

Some of that language is specific, some is ambiguous and some is slightly mis-representing advisories. But it is clearly stated in a number of those to remove all Java, not just the plugin.

Do all apps on OS X 10.8 and Ubuntu (via App Armor) not run in a sandbox?

The lack of clear advice relating to the plugin and all Java, plus Oracles poor security record wrt to Java, is what is making me cautious. Java is also heavily used in the enterprise and banking, and whilst it has been stated in some places that these Java apps are safe, given the implications I am paranoid enough to wonder what is not being said. Why is the Department of Homeland Security on this? I'm trying not to state anything as any sort of fact, as I said plenty FUD right now, but I am hoping by discussing it to form a more informed view.

[skoehler]

Department of Homeland Security recommends
https://www.us-cert.gov/cas/techalerts/TA13-051A.html - Some vulnerabilities affect stand-alone Java applications, depending on how the Java application functions and how it processes untrusted data.

A quote from that page:

By convincing a user to load a malicious Java applet or Java Network Launching Protocol (JNLP) file, an attacker could execute arbitrary code on a vulnerable system with the privileges of the Java plug-in process.

Stand-alone java applications may also be affected.

They seem to be concerned about Java Applets, and Java WebStart applications. Now the sentence that stand-alone Java application may also be affected ... well ... it seems extrapolated. I can't say much against it, as it's not obvious how they come to that conclusion.

Do all apps on OS X 10.8 and Ubuntu (via App Armor) not run in a sandbox?

All "normal" applications run with the full permissions of the user that you are currently logged in as. They could delete everything, your entire home directory, including your collections of pictures or whatever - if they wanted to - or if they have a security hole, that allows an attacker to execute code. Now attackers attack typically via network. So you should be most paranoid about applications 1) that communicate via the internet 2) that you open you downloads / email attachements with. leJOS is neither of type 1 or 2.

You should disable webstart (in case you're scared of accidently starting a Java webstart application) and your Java browser plug-in. And while you're at it, you should probably also disable browser plug-in like a PDF reader and such.
Chrome is the only browser I know that has a built-in sandbox - but I'm not sure, whether plugin are starting within that sandbox. I believe, they are not.

[moosooboo]

Interesting, a difficult situation! Time for some robots:-)

Happy Mens' Day (or Defenders of the Motherland) from Moscow.

[s.frings]

Since Java provides full access to the local filesystem (if executed with root/admin permissions) Java programs can be dangerous. But this is not a Java issue! All programming languages are affected by this.

So removing only Java is not a solution. You need to remove ALL programs to have secure system. Of course - a computer without programs is useless.

All the security advises that recomment to remove Java completely are written for the average user who does not really need Java. It's easier to uninstall Java than disabling parts of it in several web browsers.

The problematic part of Java is the Web browser Plugin. Again this is not a Java specific issue. Also the Flash Plugin and the Adobe Reader Plugin as well as many others are also dangerous. Plugins enhance the browser to EXECUTE CODE, and this is the problem, because websites can start the execution of unknown (maybe malicious) code.

But Lejos runs only when you start it yourself manually. And Lejos is not malicious - otherwise you would find related problem reports here.