>insufficient information. What is the provenance of z/OS Java? Is it
>maintained by Oracle (I suspect not), or by IBM from source code obtained
>from Oracle (on what terms?)

I can't speak to the details, but based on things I have been told in the past, at least some of the code comes from Oracle and is maintained by Oracle. It seems like this has been discussed here in the past and collaborated from other sources too. Clearly, J9 has significant IBM code too though, so one can't assume that a bug in the Oracle JVM automatically means that the same bug appears in the IBM JVM.

>I wonder what happens if a JavaScript exposure requires browser suppliers
>to disable all JavaScript, and users are unable to get to PayPal?

One of the many significant differences between Java and JavaScript (or more formally/accurately, ECMAScript) is that on the x86 platform, there is effectively only one common JVM, provided by one vendor: Oracle. While there is an IBM JVM and a few others, they are not, I believe, widely used. The last I knew, you can only run IBM's J9 JVM on IBM-branded hardware.

However, there are multiple ECMAScript implementations that are in broad use: Microsoft's JScript, Mozilla's Rhino and SpiderMonkey, Google's V8, and the runtimes embedded in Opera and Safari (whatever they call those). So if there's a security issue with Microsoft's JScript engine, that doesn't mean that there's an issue with V8.

I suppose there could be a security vulnerability in the ECMA specification itself, but that seems much less likely than a bug in the implementation of the spec.

Scott Chapman

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
