
Re: [SECURITY] [DSA 2311-1] openjdk-6 security update

(Please cc me, I'm not subscribed to -security or -java.)

On Tue, 27 Sep 2011 at 22:10:30 +0200, Florian Weimer wrote:
> In addition, this update removes support for the Zero/Shark and Cacao
> Hotspot variants from the i386 and amd64 due to stability issues.
> These Hotspot variants are included in the openjdk-6-jre-zero and
> icedtea-6-jre-cacao packages, and these packages must be removed
> during this update.

Would it be possible to provide some sort of empty transitional package for
those Hotspot variants in order to get rid of them? At the moment a
default Debian squeeze desktop installation, with openoffice.org added, needs
this update but won't carry it out without input from a knowledgeable user:

* openoffice.org depends on a JRE

* the JRE released with squeeze recommends icedtea-6-jre-cacao (even on x86 -
  I'm not sure why)

* update-manager-gnome is in the default Debian desktop's notification area,
  and is how we encourage non-technical users to apply security updates

* when presented with an upgrade that will add or remove packages,
  update-manager presents a message similar to "This update will add or remove
  packages, do you want to do a safe-upgrade instead?" - a non-technical user
  can't really make an informed decision here, and the conservative answer
  is "yes, do a safe-upgrade"

* doing a safe-upgrade will only upgrade openjdk-6-jre-lib and not the rest
  of OpenJDK (without in-depth knowledge of Java, I don't know whether this
  fixes all of the vulnerabilities in this advisory)

* doing the upgrade in Synaptic does the right thing (asks the user if it's
  OK to remove icedtea-6-jre-cacao); you and I know that icedtea-6-jre-cacao
  is unnecessary, but a non-technical user can't really make an informed
  decision here
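The partial-upgrade state described above, as an added example that is not part of the original mail or of any Debian tooling: a small POSIX shell check over `dpkg-query -W -f='${Package} ${Version}\n'` style output that reports when the openjdk-6 packages sit at mixed versions (only openjdk-6-jre-lib upgraded) or when icedtea-6-jre-cacao / openjdk-6-jre-zero, which this update is supposed to remove, are still installed. The version strings are constructed placeholders, not real package versions.

```shell
#!/bin/sh
# Added example, not code from the original mail. Checks the state the mail
# describes: after a "safe-upgrade" only openjdk-6-jre-lib moved to the new
# version while the rest of OpenJDK stayed behind, and icedtea-6-jre-cacao
# (which the advisory says must be removed) is still installed.
# Expected input format is that of
#   dpkg-query -W -f='${Package} ${Version}\n' 'openjdk-6-*' 'icedtea-6-*'
# The version strings below are constructed placeholders, not real ones.

# Exit 0 when all installed openjdk-6-* packages share one version, 1 otherwise.
openjdk_versions_consistent() {
    awk '$1 ~ /^openjdk-6-/ { seen[$2] = 1 }
         END { n = 0; for (v in seen) n++; exit (n > 1) }'
}

# Print any Hotspot-variant package that the update was supposed to remove.
leftover_hotspot_variants() {
    awk '$1 == "icedtea-6-jre-cacao" || $1 == "openjdk-6-jre-zero" { print $1 }'
}

# Combined verdict: 0 = update fully applied, 1 = partial upgrade detected.
check_jre_update() {
    input=$(cat)
    status=0
    if ! printf '%s\n' "$input" | openjdk_versions_consistent; then
        echo "openjdk-6 packages are at mixed versions (partial upgrade)"
        status=1
    fi
    left=$(printf '%s\n' "$input" | leftover_hotspot_variants)
    if [ -n "$left" ]; then
        echo "still installed but should have been removed: $left"
        status=1
    fi
    return $status
}

# Constructed sample: what a safe-upgrade leaves behind.
SAMPLE_AFTER_SAFE_UPGRADE='openjdk-6-jre-lib 6b18-NEW
openjdk-6-jre 6b18-OLD
openjdk-6-jre-headless 6b18-OLD
icedtea-6-jre-cacao 6b18-OLD'

# Constructed sample: the state after a full upgrade that removed cacao.
SAMPLE_AFTER_FULL_UPGRADE='openjdk-6-jre-lib 6b18-NEW
openjdk-6-jre 6b18-NEW
openjdk-6-jre-headless 6b18-NEW'

printf '%s\n' "$SAMPLE_AFTER_SAFE_UPGRADE" | check_jre_update || echo "-> partial"
printf '%s\n' "$SAMPLE_AFTER_FULL_UPGRADE" | check_jre_update && echo "-> complete"
```

On a real squeeze host, replace the constructed samples with the live dpkg-query output piped into check_jre_update.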

