
Q&A: James Gosling, 'father of Java'

On the GPL, security threats, development costs and what he thinks of Vista...

Tags: gpl, microsoft vista, sun, open source security

By Sylvia Carr

Published: 19 March 2007 10:00 GMT

Why is Sun's Java going the GPL open source route? Are software development costs doomed to spiral out of control? And is Microsoft destined to rule the enterprise forever? silicon.com's Sylvia Carr caught up with Sun's James Gosling to find out his thoughts on these questions and more.

Known as the 'father of Java', James Gosling is still at Sun Microsystems working on software development tools and aligning the strategies for the language and platform he created more than a decade ago.

silicon.com recently caught up with Gosling to discuss Sun's decision to release Java under the GPL, whether open source is more secure than proprietary software, how IT departments can cut development costs and why Microsoft still owns the desktop.

silicon.com: Sun has come to embrace open source. Why did you take that open approach with Java?
Gosling: With Java it was a couple of things. One is to get people to use it in the largest number of places, to get people to do ports to platforms and various things.


One of the biggest reasons for me has been that we then get a lot more collaboration with the community - people doing everything from bug fixes to security audits. One of the reasons Java has such a great security story is that we've had lots and lots of people stare at the source code.

We do an immense amount of testing and design work but none of that is anywhere near as good as having thousands of talented eyeballs just stare at it and think about it.

But it's only recently, last November, that Sun announced it'll release Java under the GPL, a standard open source licence.
For the longest time, all of the source code for Java has been available to everyone. And until recently it came with a licence that said: 'The source is open but you can't redistribute the results of any of your changes without passing the test suite.'

We got a lot of flak from the open source community about that. We got to the point where it was clear that the market pressures were strong enough around testing and interoperability and reliability that the clause in the licence was not hugely useful. So we switched to using the GPL licence.

When will the switch to the GPL happen?
We're still in the process of implementing it. We expect the process to be pretty much complete by May.

Do you believe that an open source development model is inherently better for security?
Oh yeah. Because it's the only way that you can come to trust a piece of software. Security is a very different kind of thing to test because in security you're not trying to test that the thing you built works. You have to do that but you have to figure out - are there any cracks? Are there any flaws at the design level? And there aren't automated testing techniques [for that]. There's nothing that replaces somebody putting on a black hat and saying, 'OK, I'm gonna try to break you'. And then they do.

Ten years ago people were breaking into Java now and then. But it was always done in a spirit of co-operation. We had a number of people find chinks in the armour which we fixed pretty much immediately. There's not been a single incident of actual loss due to a security issue. There is no Java antivirus software because it's not necessary. We've had 12 years of pretty intense scrutiny by experts all over the world.

It can be hard for people who design - whether it's a language or software or a platform - to anticipate all the different angles for someone trying to break into it.
Exactly. So when you build tests, the tests are inherently limited by what you think they're going to do to break in. You can build tests to make sure any of the break-in techniques you know of are stopped. And you can sit around scratching your head thinking of new ways to break into things. But you're not going to be anywhere near as creative as thousands of grad students out there adding a chapter to their PhD thesis.

Do you think we'll see more use of open source in the enterprise as time goes on?
Yeah. It's sort of gotten to the point where it's hard to imagine people using more because so much already is [used] - everything from open source operating systems to databases to programming languages to development tools. It's getting to the point where there's not much left. There are some areas like large-scale databases and ERP [where] there aren't any really serious open source ERP solutions. They're getting there.

What do you see as the biggest security threat to enterprises?
The number one biggest threat to enterprises is the inherent fallibility and laziness of humans. We can make the software as solid as we can but if someone says the root password of the machine is 'nothing', anyone can walk in and [log onto the machine].

It's amazing how many people will do something like that because it makes their life easier. The world is filled with IT operations where the staff has gotten annoyed with all the security so they just turn it off.

Or they'll do really dumb things like put a copy of their entire customer database on their laptop hard drive and then go on vacation and lose the laptop.

Do you think the onus is just on the IT department to have stricter policies or do you think there's anything that can be done to make it easier for them?
We put an immense amount of effort into trying to make it such that the security policies are as easy to administer as possible. We want to make sure that things are not onerous, that things are not pushing IT departments to be lazy. There's a lot of stuff in Java and a lot of stuff in Solaris [Sun's Unix operating system] that is about trying to make bulletproof systems easy to live with. But in some places there's no limit to human laziness.

Continued on page 2...
