Allow installation without bundled JRE
Are you missing a feature? Request its implementation here.
Allow installation without bundled JRE
Please adjust the Oxygen XML packages for Windows, macOS, etc. so that installing the bundled JRE is optional.
A bundled JRE does not receive any security updates; it will become exposed to vulnerabilities over time. Oxygen XML can already be configured to use a separate JRE even if the bundled one is installed. However, the fact that the bundled JRE remains present on the disk violates the security policy of some organizations, so it needs to be possible to install Oxygen XML without it.
I am aware that the generic Oxygen XML package does not include a JRE, but that is missing OS integration such as file type associations and app registration. The OS-specific installers need to be adjusted to accommodate installation without the bundled JRE.
Thanks!
A bundled JRE does not receive any security updates; it will become exposed to vulnerabilities over time. Oxygen XML can already be configured to use a separate JRE even if the bundled one is installed. However, the fact that the bundled JRE remains present on the disk violates the security policy of some organizations, so it needs to be possible to install Oxygen XML without it.
I am aware that the generic Oxygen XML package does not include a JRE, but that is missing OS integration such as file type associations and app registration. The OS-specific installers need to be adjusted to accommodate installation without the bundled JRE.
Thanks!
Re: Allow installation without bundled JRE
Hello,
I'm sorry, but we are not planning to do that, at least not for Windows and macOS. I will explain our reasoning for bundling a JRE below and its peculiarities (it's not a vanilla JRE), if you are interested, after discussing your arguments. I hope you'll pardon the rant...
The problem with security policy of some organizations is that they are sometimes written for a specific category of applications (client/server), and are rather black/white in reasoning.
Oxygen does not install Java at user or system level. It simply includes a private Java runtime (a folder) within its own installation folder. It does not expose its bundled Java runtime to any other application. There is no reason a bundled private JRE of a desktop application would pose a security risk for the user or the system. If the bundled JRE version poses a security risk for the app, a security advisory will be issued and updates will be made available for the versions of the app that are still maintained.
So, you are aware of the package without a bundled JRE, Downloads > Other > All platforms (.tar.gz) download. There are no .exe. or .app launchers in this distribution and no OS integration unfortunately, only command line scripts, but it works on any platform as long as you have a compatible version of Java indicated by the JAVA_HOME environment variable.
It is also possible to remove the JRE bundle from the Windows ('jre' folder) and macOS ('.install4j/jre.bundle' folder) packages and let Oxygen run with your system installed JRE. If you don't want to run an installer that uses that JRE, download the Windows ZIP package, unpack it and remove the 'jre' folder.
We do not officially support running Oxygen with a random version of Java other than the one bundled with that version of Oxygen.
There is also the technical aspect of the JRE bundled with Oxygen in that it uses a customized OpenJDK runtime that also includes OpenJFX (JavaFX), which is required for a few Oxygen features (embedded web browser used by the dynamic help and embedded media player in Author mode) and by some Oxygen third party plugins (e.g. Acrolinx).
Running Oxygen with an OpenJDK runtime that doesn't include OpenJFX will make those features unusable.
Needless to say, Oxygen is officially supported only when used with the bundled Java runtime version that includes OpenJFX.
Your system installed JRE is most likely not including OpenJFX, so it's one of the reasons we do not encourage or support using an external JRE.
Other than the technical aspect of the customized JRE the main reason for bundling a JRE is using a specific version of Java for proper QA testing
and validation. We cannot insure that Oxygen will run correctly with any version of Java, or even with minor updates of a specific major version.
The other aspect that has convinced us that the JRE should be bundled with the app is user/admin knowledge of Java.
A long time ago Oxygen did provide distributions without a JRE bundle and usually required a certain major version of Java. Results varied, but in general the user experience could sometimes be frustrating with some Java updates breaking Oxygen either partially or completely (some new major Java versions).
So, our 20+ years experience with Java product development and product support has thought us that for the best user experience with a Java application the JRE should be bundled. The user doesn't have to think or worry about it, there's no system Java update that will interfere with Oxygen's, so the only remaining aspect in the long term for the app is future OS compatibility.
Regards,
Adrian
I'm sorry, but we are not planning to do that, at least not for Windows and macOS. I will explain our reasoning for bundling a JRE below and its peculiarities (it's not a vanilla JRE), if you are interested, after discussing your arguments. I hope you'll pardon the rant...
The problem with security policy of some organizations is that they are sometimes written for a specific category of applications (client/server), and are rather black/white in reasoning.
Oxygen does not install Java at user or system level. It simply includes a private Java runtime (a folder) within its own installation folder. It does not expose its bundled Java runtime to any other application. There is no reason a bundled private JRE of a desktop application would pose a security risk for the user or the system. If the bundled JRE version poses a security risk for the app, a security advisory will be issued and updates will be made available for the versions of the app that are still maintained.
So, you are aware of the package without a bundled JRE, Downloads > Other > All platforms (.tar.gz) download. There are no .exe. or .app launchers in this distribution and no OS integration unfortunately, only command line scripts, but it works on any platform as long as you have a compatible version of Java indicated by the JAVA_HOME environment variable.
It is also possible to remove the JRE bundle from the Windows ('jre' folder) and macOS ('.install4j/jre.bundle' folder) packages and let Oxygen run with your system installed JRE. If you don't want to run an installer that uses that JRE, download the Windows ZIP package, unpack it and remove the 'jre' folder.
We do not officially support running Oxygen with a random version of Java other than the one bundled with that version of Oxygen.
There is also the technical aspect of the JRE bundled with Oxygen in that it uses a customized OpenJDK runtime that also includes OpenJFX (JavaFX), which is required for a few Oxygen features (embedded web browser used by the dynamic help and embedded media player in Author mode) and by some Oxygen third party plugins (e.g. Acrolinx).
Running Oxygen with an OpenJDK runtime that doesn't include OpenJFX will make those features unusable.
Needless to say, Oxygen is officially supported only when used with the bundled Java runtime version that includes OpenJFX.
Your system installed JRE is most likely not including OpenJFX, so it's one of the reasons we do not encourage or support using an external JRE.
Other than the technical aspect of the customized JRE the main reason for bundling a JRE is using a specific version of Java for proper QA testing
and validation. We cannot insure that Oxygen will run correctly with any version of Java, or even with minor updates of a specific major version.
The other aspect that has convinced us that the JRE should be bundled with the app is user/admin knowledge of Java.
A long time ago Oxygen did provide distributions without a JRE bundle and usually required a certain major version of Java. Results varied, but in general the user experience could sometimes be frustrating with some Java updates breaking Oxygen either partially or completely (some new major Java versions).
So, our 20+ years experience with Java product development and product support has thought us that for the best user experience with a Java application the JRE should be bundled. The user doesn't have to think or worry about it, there's no system Java update that will interfere with Oxygen's, so the only remaining aspect in the long term for the app is future OS compatibility.
Regards,
Adrian
Adrian Buza
<oXygen/> XML Editor, Schema Editor and XSLT Editor/Debugger
http://www.oxygenxml.com
<oXygen/> XML Editor, Schema Editor and XSLT Editor/Debugger
http://www.oxygenxml.com
Re: Allow installation without bundled JRE
Hello Adrian,
Thanks,
David
The problem here is that despite this reasoning, the fact that a vulnerability assessment scanner can detect the presence of an outdated Java version is enough to cause compliance issues for some organizations, which can not be resolved except by removing it.Oxygen does not install Java at user or system level. It simply includes a private Java runtime (a folder) within its own installation folder. It does not expose its bundled Java runtime to any other application. There is no reason a bundled private JRE of a desktop application would pose a security risk for the user or the system. If the bundled JRE version poses a security risk for the app, a security advisory will be issued and updates will be made available for the versions of the app that are still maintained.
What I am suggesting is an option in prevars or similar that directs the installer to omit this folder. It doesn't have to be exposed in the UI. It can be caveated that this option is very unsupported (just like the options to override the JRE).It is also possible to remove the JRE bundle from the Windows ('jre' folder) and macOS ('.install4j/jre.bundle' folder) packages and let Oxygen run with your system installed JRE.
I'm not disagreeing with that, but unfortunately that isn't always an option. For organizations that must comply with the same regulatory policies as ours, either we must take out the bundled JRE, or we can't run Oxygen XML at all. Please do keep this in mind.So, our 20+ years experience with Java product development and product support has thought us that for the best user experience with a Java application the JRE should be bundled. The user doesn't have to think or worry about it, there's no system Java update that will interfere with Oxygen's, so the only remaining aspect in the long term for the app is future OS compatibility.
Thanks,
David
Last edited by dpward on Fri Nov 04, 2022 7:27 pm, edited 3 times in total.
Re: Allow installation without bundled JRE
Hi,
An issue I have seen with this when testing is that it doesn't seem to remember the JRE you have indicated during the installation, so when you launch Oxygen afterwards, it looks for it at system level, it doesn't use the one you have indicated when installing.
Regards,
Adrian
In that case, you're in luck, at least for Windows. By design the install4j Windows installers have a command line option that can help you with this.What I am suggesting is an option in prevars or similar that directs the installer to omit this folder. It doesn't have to be exposed in the UI. It can be caveated that this option is very unsupported (just like the options to override the JRE).
So, you can simply run the Oxygen installer in the command line with this argument and it will prompt you to select the JRE that you want to use to run the installer. It won't install or use the bundled JRE.-manual
This option only applies to Windows. In GUI mode, the default JRE search sequence will not be performed and bundled JREs will not be used either. The installer will act as if no JRE has been found at all and display the dialog that lets you choose a JRE or download one if a JRE has been bundled dynamically. If you locate a JRE, it will be used for the installed application.
...
An issue I have seen with this when testing is that it doesn't seem to remember the JRE you have indicated during the installation, so when you launch Oxygen afterwards, it looks for it at system level, it doesn't use the one you have indicated when installing.
Regards,
Adrian
Adrian Buza
<oXygen/> XML Editor, Schema Editor and XSLT Editor/Debugger
http://www.oxygenxml.com
<oXygen/> XML Editor, Schema Editor and XSLT Editor/Debugger
http://www.oxygenxml.com
Re: Allow installation without bundled JRE
I didn't realize that - thanks Adrian!In that case, you're in luck, at least for Windows. By design the install4j Windows installers have a command line option that can help you with this.
David
Jump to
- Oxygen XML Editor/Author/Developer
- ↳ Feature Request
- ↳ Common Problems
- ↳ DITA (Editing and Publishing DITA Content)
- ↳ SDK-API, Frameworks - Document Types
- ↳ DocBook
- ↳ TEI
- ↳ XHTML
- ↳ Other Issues
- Oxygen XML Web Author
- ↳ Feature Request
- ↳ Common Problems
- Oxygen Content Fusion
- ↳ Feature Request
- ↳ Common Problems
- Oxygen JSON Editor
- ↳ Feature Request
- ↳ Common Problems
- Oxygen PDF Chemistry
- ↳ Feature Request
- ↳ Common Problems
- Oxygen Feedback
- ↳ Feature Request
- ↳ Common Problems
- Oxygen XML WebHelp
- ↳ Feature Request
- ↳ Common Problems
- XML
- ↳ General XML Questions
- ↳ XSLT and FOP
- ↳ XML Schemas
- ↳ XQuery
- NVDL
- ↳ General NVDL Issues
- ↳ oNVDL Related Issues
- XML Services Market
- ↳ Offer a Service