On Mon, Nov 16, 2015 at 2:10 AM, toki <toki.kant...@gmail.com> wrote:
> On 15/11/2015 20:06, Dennis E. Hamilton wrote:
>
> > Please be more specific. I can't tell from the previous post what you
> > mean by deserializing untrusted code.
>
> There is a string of known zero day exploits that Oracle, for whatever
> reason, has not released patches for, despite exploits having been in
> the wild for more than 90 days.
>
> jonathon

You really seem to have it in for Java, and would have us reject the entire platform for all eternity because of the alleged current state of 1 implementation.

What, then, is your rationale for remaining with C/C++, which are insecure by design in all compilers AOO ever used (e.g. no array bounds checking, printf doesn't verify types), or what alternative do you propose instead?

Damjan