Re: openjdk-25: icedtea-web package - should it be removed?



On 26/11/2025 03:34, Vladimir Petko wrote:

> IcedTea Web implements the Java Web Start (JWS) specification[1].
>
> Applet support is removed from the browsers, but the user can still
> run Java Web Start applications via the provided desktop launchers by
> downloading the JNLP file.
>
> Security Manager provided a moderate sandbox that limited access to
> the host machine. OpenJDK 25 removes the Security Manager. This allows
> unrestricted access to the host machine without the user realising it.
>
> I wonder if we should remove this package from the unstable pocket, as
> it poses a security risk to users when run using openjdk-25.

No please. The sandbox was mostly useful for the unsigned JNLP applications. At some point signing became mandatory in all cases if I remember well, and signed applications always requested full system access anyway since the sandbox was too restrictive (no filesystem access, network access to the originating host only, etc).

So the usefulness of IcedTea Web doesn't change with the removal of the Security Manager in OpenJDK 25. As long as IcedTea Web is maintained upstream we can keep it in Debian.

Emmanuel Bourg

