Re: Bug#645881: critical update 29 available
- To: Philipp Kern <pkern@debian.org>
- Cc: Moritz Mühlenhoff <jmm@inutil.org>, drazzib@debian.org, twerner@debian.org, doko@ubuntu.com, team@security.debian.org, 645881@bugs.debian.org, Sylvestre Ledru <sylvestre@debian.org>, debian-security@lists.debian.org, debian-release@lists.debian.org
- Subject: Re: Bug#645881: critical update 29 available
- From: Florian Weimer <fw@deneb.enyo.de>
- Date: Sun, 11 Dec 2011 14:21:55 +0100
- Message-id: <87wra3i6q4.fsf@mid.deneb.enyo.de>
- In-reply-to: <20111211094031.GA19461@spike.0x539.de> (Philipp Kern's message of "Sun, 11 Dec 2011 10:40:31 +0100")
- References: <a99694a8206b782c0176d9df732e4a3a.squirrel@wm.kinkhorst.nl> <4E9EBF7C.7020501@ubuntu.com> <a022548bb2db4ab2477511adccb72c57.squirrel@wm.kinkhorst.nl> <20111019143357.GA5502@thrall.0x539.de> <4E9EF8BC.9080205@debian.org> <20111021064138.GA22046@inutil.org> <87lisebtm5.fsf@mid.deneb.enyo.de> <20111122202427.GA5761@pisco.westfalen.local> <87sjl4vx1i.fsf@mid.deneb.enyo.de> <20111208194306.GA4317@pisco.westfalen.local> <20111211094031.GA19461@spike.0x539.de>
* Philipp Kern:
> sun-java6 is sadly still a very high profile package. I won't go and
> break all those installations which force sun-java6 over openjdk-6
> locally, either in unattended installations or through other means.
It's really unfortunate that most of those installations seem to need
sun-java6-plugin, which is the package which is actually dangerous to
install. (Presumably, only the first stage payload is pure Java, and
the dropped malware won't run, but it's a bit unsettling.) At least
this package doesn't seem to be installed without explicit request, so
it's not extremely bad.
> openjdk-6 might well be a viable replacement in wheezy, but there
> are no efforts to backport those compatibility patches that might be
> in newer versions.
We will have to switch to a different IcedTea version in squeeze
because the 1.8 branch we currently use will cease to receive security
fixes soonish, probably after the next round of updates. If we switch
to branch where the plugin is separate (1.10 and later, IIRC), we
could start fixing compatibility issues more aggressively if we wanted
to.
> openjdk-6 might well be a viable replacement in wheezy, but there
> are no efforts to backport those compatibility patches that might be
> in newer versions.
I doubt it. The incompatibilities do not vanish, unless there is a
critical mass of users who also contribute bug fixes. We just don't
seem to be there yet.
(I also doubt that Oracle can drop security support for the Java 6
plugin in mid-2012, for mostly the same reason, at least if they don't
want to be entirely reckless. They haven't even started pushing
Java 7 to end users yet.)