I’m interested in DocFetcher https://docfetcher.sourceforge.io/en/index.html an application that is supposed to search the contents of something like 15 different file types. It requires Java. In Terminal entering “java -version” returned “Unable to locate a Java Runtime. Please visit http://www.java.com for information on installing Java."
OK, simple enough. But is there anything I should know about installing Java (why hasn’t Apple included it)? Would I be opening up another entry point for malware, or might I encounter a conflict with some System operation?
Also, despite 80 5-star reviews at SourceForge, I may not be happy with DocFetcher and choose to delete it. I don’t suppose there is an “uninstall” for Java?
Oracle tends to have pretty draconian license policies which I suspect Apple would find unacceptable. Java is only free to use for certain restricted, non-commercial scenarios. Otherwise, it requires a subscription.
Oracle does have an uninstall tool and instructions at the java.com site.
There is also an open-source implementation, OpenJDK which is GPL licensed and, I believe, also an Oracle product.
Thank you Ron. I suppose having a tight licensing policy almost necessitates providing a removal tool. My use will be strictly personal. I’m a retired professor with a large number of journal-provided research articles (as pdfs). It would be a boon to be able to search the pdfs by keyword or text string, as the Java-dependent DocFetcher application is apparently designed to accomplish.
Apple stopped including Java in macOS a long time ago (so long, in fact, that the OS was still called OS X and Steve Jobs answered a developer’s question about Apple’s decision). See:
As for the security and privacy implications of installing Java on your machine, I think this is a good article (again, notice the story is more than a decade old):
For a similar concern, I avoid apps that are built with Java. I assume the downsides are the same, or worse if the developer isn’t updating the internal Java to the latest releases.
Well, thank you all, the TidBITS community is fabulous. I’m certainly glad I asked before installing and running. Apple’s refusal to sanction even its own version of Java is compelling enough for me to give it a miss. I don’t think the two aforesaid articles specify the nature of the security concern(s), but if they had, I probably wouldn’t have understood it anyway.
I don’t think installing the Oracle Java runtime presents any security concerns.
It used to be that the primary reason users needed Java on their machines was for Java apps to run in browsers. Now no browsers support Java (at least, no major, current browser), so attacks from the web are not a risk.
Apple used to supply a Java runtime (last version Java 6) because Oracle didn’t. But now Oracle provides a runtime for macOS, and thus there was no reason for Apple to do so. It wasn’t due to security concerns.
As for the security exposure of having the runtime installed: sure, it would allow you to download and run some malware that’s in a Java archive. But did you know you could also download a Perl, Ruby, Python, or shell script, all of which already have their runtimes on macOS? Or even a Mach executable?
This is why all executables, including .jar files (I think), get quarantined when they’re downloaded.
Agreed. I’ve always though that the Java language is awesome, and that it’s a great platform for developing cross-platform desktop applications.
The security issues stem from using it for browser applets, where merely visiting a web page can cause an application to be downloaded and run from within your browser. That’s just too risky, period. But that capability is gone, and Java itself remains as a very useful application environment.
Yes, you could download and install a malicious Java app. But you could do the same for an app written in any other language. But if you have to explicitly download, install and run the app, and it can’t auto-run by visiting a web page, then you should be OK. Your system software can (and should) protect you from outside attacks, but it can not (and should not) protect you from your own mistakes, like deliberately installing and running an app from a source you don’t trust.
It’s worth noting that all Android apps are written in a language (Kotlin) that compiles to Java-like bytecode, in order to be compatible with all Android devices regardless of hardware architecture. This is no more or less secure than any other choice of language would be - security depends entirely on the security of the app store(s) you choose to get your apps from.
Another interesting note. The idea of downloading applets that run in your browser is far from dead. WebAssembly is effectively the same thing, but is not tied to the Java language. I’m suspicious of any implementation of this concept, even if big organizations like Mozilla and Apple support it.
Small quibble: Android apps don’t have to be written in Kotlin, Java (the Android programming language from the beginning) still works, even tough Google now prefers folks to use Kotlin.
As others have pointed out, there’s no particular security or privacy risk in installing a Java runtime. What was said or written 10 years ago about applets or JavaWebStart long ceased to be relevant. Any downloaded app may or may not have risks, but that is independent of the language it’s written in.
I second avoiding Oracle’s implementation. I’ve been getting mine from Adoptium (https://adoptium.net/) for ages.
FYI, I just used the search capabilty of Finder on my MacBook Air running Sonoma 14.6.1 to find a text string in a folder full of PDF and text files. I had to use " " around the string otherwise it found any of the words in the string, which was not surprising. Open a new window in Finder, choose File>Find (or CMD-F), navigate to your folder of files, from the drop-downs choose ‘Contents’ ‘Contains’ and enter your text in quotes. Once the list of files appear you need to open each file (with Preview by default for PDFs) then search for the text. It’s probably not as elegant as DocFetcher but it works.
Excellent! Thank you Nalarider. I’ve been using Macs since 1992 and didn’t know about Cmd-F for looking into files. I also noticed that it’s possible to limit the search to pdfs in the “Any” drop-down. Nice.
I think WebAssembly (aka WASM) differs from the old browser applets in that it’s inherently more secure; it runs inside the browser sandbox, has the same cross-domain limitations, etc. as other code delivered from a site. There’s also some WASM-specific security that I’m not going to try to understand.
I read similar things when I was reading about WASM, but they sound like the same claims Sun/Oracle made about Java.
Ultimately, any applet platform runs a risk of the app breaking out of the sandbox/browser. So instead of trusting Oracle, you have to trust Apple, Mozilla, Microsoft and Google.
Of course, as an open W3C specification and at least some implementations (Mozilla and Chromium) being open source, then hopefully we can expect security bugs to be found and fixed faster than when we all depended on Sun/Oracle’s engineers working on their closed-source implementation.
I am much less qualified than many who have already answered, but it seems to me that this discussion misses the fundamental, direct answer.
First, just download DocFetcher and run it. No need to futz around with installing Java or anything else.
Second, when you no longer want DocFetcher, drag tha application icon to the trash, then empty the trash. All gone, nice and clean.
Third, … there is no third thing.
Shocking as this may sound, I think for running applications written in Java, the “it just works” Macintosh dream has been fulfilled.
Running macOS 14.7beta, when I look in System Information / Software / Installations I see Java 8 Update 271. In / Frameworks I see JavaLaunching, JavaNativeFoundation, JavaRuntimeSupport, and JavaVM. It’s all there, included as part of macOS so malicious actors can’t mess with it. I think you should only install Java if you intend to write Java applications.
I learned this the hard way. In 2020 I bought a CyberPower UPS. Its software “PowerPanel” is written in Java. For several months I could not get PowerPanel to work, and CyberPower tech support was no help. Then suddenly everything did work. I think what happened is I updated macOS to a version with a better implementation of Java Runtime Environment. Perhaps relevant, looking at Java 8 Update 271 I see Install Date: 12/23/20. I think the CyberPower PowerPanel worked properly when the macOS I was running included a good JRE.