
Re: GRAVE bug in j2re1.4 packages



[I'm CC'ing debian-java so that we have more feedback]

On Tue, Dec 09, 2003 at 02:47:00PM +0000, José Fonseca wrote:
> Brian, I'm going to check the problem you describe.
[...]
> 
> On Tue, Dec 09, 2003 at 09:36:05AM -0500, Brian Almeida wrote:
> > Hi,
> > 
> > I discovered a grave bug with j2re1.4 1.4.1.01-1 ...
> > it overwrites kerberos binaries with symlinks to /etc/alternatives,
> > which symlink to /usr/lib/j2se/1.4/bin/<binary>!

With the current wave of attacks I was concerned the same had happened to
the packages, but thankfully that's not the case. Not only that but the
kerberos stuff is included in *all* java binaries I checked, including
the original Blackdown's j2se1.4-i386-1.4.0.99beta and the recent Sun's
j2sdk-1.4.2.02. Hubert Schmid's mpkg-j2sdk/j2se-package packages do the
same thing AFAICT.

> > Why on earth is java providing kerberos stuff?

I don't know the answer for that, but I'll try to find out. Most likely
java binaries have dependencies on kerberos binaries, and Sun decided to 
include them to cope with the wide variety of linux distributions out
there.

> > The binaries from krb5-user work fine.
> > Please fix it so it doesn't clobber klist/kinit/etc!

I guess there are two alternatives here:

  a) don't include kerberos stuff and depend on the respective Debian
  packages.

  b) include the alternatives but with a lower priority

I'm inclined towards a) as I believe the less we rely on external
binaries the better. Does anybody disagree?

José Fonseca


