On the 0x3FE day of Apache Harmony Johnny Kewl wrote: > > Do you expect any security issues here? How you are going to verify > > that dynamically downloaded bits are 'original' bits (i.e. not > > cracked) ? > > Software does not have to be signed... its not like an applet, its no more > dangerous than a user deciding to download Harmony.
I disagree with you here. Security is still a matter of trust, right? To install Harmony on my computer I need to trust the community, the measure of trust might be different depending on what kind of machine I would install it on. > ie its a conscious click... besides, its someone elses application, the JRE > cant do anything about that. > If the primary supplier of the application wants to protect the user, they > will make a SSL web page for instance. no, SSL is damn slow, people will continue to prefer signing their packages > As for the JVMLite pulling components from the server... the bootstrap can > give the user the choice of SSL, or not. > It must be a choice because if the server is used internal to a company, > they dont need SSL. there can be men-in-the-middle even inside companies > There will be certified (well known servers), these are precoded into > the JRELite bootstrap.... > If a third party wants to add a well known server, they need to ask.... (now > my > imagination is taking off ha ha) google can allocate > a specific site (I have a feeling they will be interested ;) for the JreLite > bootstrap... if someone wants to add a server, they have to > ask IGI (IntelGoogleIbm) for permission for it to be added.... this means > that if a server fails, the JreLiteBoot or JVM Resolver > can retry a few servers before giving up.... > (now my imagination is flying) ... the servers contain PURE JAVA classes... > BUT, if an organization wants to add more API > to the server... say the ability for a programmer to program 911 calls into > their programs... then IGI has to approve them > .... an so the world is safe ;) they approve what? do "they" need to approve each binary release of each package? make sure there are no viruses, troyans, spyware? > The application itself comes from whoever makes it and is placed on any > medium... so what the servers are really serving > is API, and so this must be safe. > > Uses I think must not be charged to use the servers, thats stupid... but > there can be premuim services that come into > play thru special API.... if you click, gimme a pitza in an app... you > expect to pay ;) > > The signed sofware CA model is old and boring, please no... these servers > fund themselves by selling > API.... :) > And then lets get the IT biz back to normal human biz models... they make > extra money > threw cool derivative services... that come from the API. > Programmers can add a emergency help number to their code, if the user > clicks it, a gorgeous > blonde arrives at the door ;) etc etc > > .... and I'm sending IGI my consulting bill ;) > > > > Thanks, > > Stepan. > > > >> STARTUP > >> ======== > >> > >> The Bootstrap place JVMLite in its special folder location... > >> Start... JVMLite -jar MyApp.JreLite > >> > >> > >> RUNNING BOOTSTRAP > >> ================== > >> > >> The application starts and it needs a swing... the JVM's resolver can > >> determine this... > >> It loads it. > >> > >> So the thing to really understand is that the application starts almost > >> immediately but its "still" > >> loading from the remote server, AS THE USER IS USING IT.... > >> > >> It feels like Java started in 20 seconds and remember this is only the > >> first (one time hit)... > >> After that programs start "instantly" > >> > >> Also think about this.... if a user never goes to a part of the > >> application that is not used... that never has to be loaded. > >> > >> Bottom Line > >> ========= > >> If we can strip the JRE down to somewhere around 3 megs.... make the > >> classes and fonts late binding... and put them on a deliver server. > >> JRELite exists... > >> > >> The JVMLite work... is mainly in bridging the resolver with the ability > >> to pull the require component down from the server. > >> Where ever that font engine is hiding... it too has to bridged with the > >> ability to pull a font down. > >> > >> The rest of the work... is in making the downloads fine grained... you > >> let the JVM pull the classes it needs... NOT the whole Jar. > >> So those Jars live on the server as a file structure... > >> > >> If the font needed is Gothic A, and that needs a Unicode DLL.... ONLY > >> that moves over the wire... > >> > >> Yes... oh boy... they all packed into humongeuos file now.... that has to > >> be fine grained on the server. > >> > >> This works so well... you going to be shocked at how efficient Java > >> becomes ;) > >> > >> Harmony is not far from this already.... the packaging just has to > >> change. > >> > >> For now... just that needs to be done... complex optimizations can come > >> later. > >> > >> ... I think ;) > >> > > > > -- Egor Pasko
