openjdk-25: icedtea-web package - should it be removed?

To: Debian Java List <debian-java@lists.debian.org>
Subject: openjdk-25: icedtea-web package - should it be removed?
From: Vladimir Petko <vladimir.petko@canonical.com>
Date: Wed, 26 Nov 2025 15:34:09 +1300
Message-id: <[🔎] CALFf3keByx7mnb7v7V+W93HShQiHoUp0nNkRQmWiGXJELdVESA@mail.gmail.com>

Dear Maintainers,

IcedTea Web implements the Java Web Start (JWS) specification[1].

Applet support is removed from the browsers, but the user can still
run Java Web Start applications via the provided desktop launchers by
downloading the JLNP file.

Security Manager provided a moderate sandbox that limited access to
the host machine. OpenJDK 25 removes the Security Manager. This allows
unrestricted access to the host machine without the user realising it.

I wonder if we should remove this package from the unstable pocket, as
it poses a security risk to users when ran using openjdk-25.

Best Regards,
 Vladimir.

[1] https://github.com/AdoptOpenJDK/IcedTea-Web?tab=readme-ov-file

Reply to:

Follow-Ups:
- Re: openjdk-25: icedtea-web package - should it be removed?
  - From: Matthias Klose <doko@debian.org>
- Re: openjdk-25: icedtea-web package - should it be removed?
  - From: Emmanuel Bourg <ebourg@apache.org>

Prev by Date: Re: New upstream version 2.0.0 of tuxguitar available on mentors
Next by Date: Re: openjdk-25: icedtea-web package - should it be removed?
Previous by thread: Re: New upstream version 2.0.0 of tuxguitar available on mentors
Next by thread: Re: openjdk-25: icedtea-web package - should it be removed?
Index(es):
- Date
- Thread