Re: [SECURITY] [DSA 2311-1] openjdk-6 security update
(Please cc me, I'm not subscribed to -security or -java.)
On Tue, 27 Sep 2011 at 22:10:30 +0200, Florian Weimer wrote:
> In addition, this update removes support for the Zero/Shark and Cacao
> Hotspot variants from the i386 and amd64 due to stability issues.
> These Hotspot variants are included in the openjdk-6-jre-zero and
> icedtea-6-jre-cacao packages, and these packages must be removed
> during this update.
Would it be possible to provide some sort of empty transitional package for
those Hotspot variants in order to get rid of them? At the moment a
default Debian squeeze desktop installation, with openoffice.org added, needs
this update but won't carry it out without input from a knowledgeable user:
* openoffice.org depends on a JRE
* the JRE released with squeeze recommends icedtea-6-jre-cacao (even on x86 -
I'm not sure why)
* update-manager-gnome is in the default Debian desktop's notification area,
and is how we encourage non-technical users to apply security updates
* when presented with an upgrade that will add or remove packages,
update-manager presents a message similar to "This update will add or remove
packages, do you want to do a safe-upgrade instead?" - a non-technical user
can't really make an informed decision here, and the conservative answer
is "yes, do a safe-upgrade"
* doing a safe-upgrade will only upgrade openjdk-6-jre-lib and not the rest
of OpenJDK (without in-depth knowledge of Java, I don't know whether this
fixes all of the vulnerabilities in this advisory)
* doing the upgrade in Synaptic does the right thing (asks the user if it's
OK to remove icedtea-6-jre-cacao); you and I know that icedtea-6-jre-cacao
is unnecessary, but a non-technical user can't really make an informed
decision here
Thanks,
S
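The "empty transitional package" the message asks for is a standard Debian packaging pattern: the old package name keeps existing as a dummy that depends on its replacement, so apt's resolver can upgrade it in place instead of prompting the user to remove it. The following debian/control stanza is an added illustration of that pattern, not text from the advisory, the reply, or the actual openjdk-6 packaging; the Architecture, Section, Priority and Depends values are assumptions chosen to match what the mail describes (Cacao dropped on i386 and amd64, replaced by the regular JRE), and the description text is constructed.

```text
# debian/control stanza for a hypothetical transitional package
# (added example; field values are assumptions, not from the page)
Package: icedtea-6-jre-cacao
Architecture: i386 amd64
Section: oldlibs
Priority: extra
Depends: openjdk-6-jre (= ${binary:Version}), ${misc:Depends}
Description: transitional dummy package for icedtea-6-jre-cacao
 The Cacao Hotspot variant is no longer shipped on i386 and amd64.
 This empty package exists only so that the security update can be
 applied without removing any package, and may itself be removed
 once the upgrade has completed.
```

With such a stanza built from the same source package, the dependency resolver sees an ordinary upgrade of icedtea-6-jre-cacao (to an empty package) rather than a removal, so a conservative "safe-upgrade" no longer leaves the rest of OpenJDK at the vulnerable version. The dummy can be dropped again in a later release once installations have migrated.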