Re: openjdk-25: icedtea-web package - should it be removed?

To: debian-java@lists.debian.org
Subject: Re: openjdk-25: icedtea-web package - should it be removed?
From: Matthias Klose <doko@debian.org>
Date: Wed, 26 Nov 2025 08:24:47 +0100
Message-id: <[🔎] 2b2c14af-0cef-465a-948a-3f13aaee4d8a@debian.org>
In-reply-to: <[🔎] CALFf3keByx7mnb7v7V+W93HShQiHoUp0nNkRQmWiGXJELdVESA@mail.gmail.com>
References: <[🔎] CALFf3keByx7mnb7v7V+W93HShQiHoUp0nNkRQmWiGXJELdVESA@mail.gmail.com>

On 11/26/25 03:34, Vladimir Petko wrote:

Dear Maintainers,

IcedTea Web implements the Java Web Start (JWS) specification[1].

Applet support is removed from the browsers, but the user can still
run Java Web Start applications via the provided desktop launchers by
downloading the JLNP file.

Security Manager provided a moderate sandbox that limited access to
the host machine. OpenJDK 25 removes the Security Manager. This allows
unrestricted access to the host machine without the user realising it.

I wonder if we should remove this package from the unstable pocket, as
it poses a security risk to users when ran using openjdk-25.


yes please!

Reply to:

References:
- openjdk-25: icedtea-web package - should it be removed?
  - From: Vladimir Petko <vladimir.petko@canonical.com>

Prev by Date: openjdk-25: icedtea-web package - should it be removed?
Next by Date: Re: openjdk-25: icedtea-web package - should it be removed?
Previous by thread: openjdk-25: icedtea-web package - should it be removed?
Next by thread: Re: openjdk-25: icedtea-web package - should it be removed?
Index(es):
- Date
- Thread