Re: Bug#645881: critical update 29 available
- To: Florian Weimer <fw@deneb.enyo.de>
- Cc: Philipp Kern <pkern@debian.org>, Moritz Mühlenhoff <jmm@inutil.org>, drazzib@debian.org, twerner@debian.org, doko@ubuntu.com, team@security.debian.org, 645881@bugs.debian.org, Sylvestre Ledru <sylvestre@debian.org>, debian-security@lists.debian.org, debian-release@lists.debian.org
- Subject: Re: Bug#645881: critical update 29 available
- From: Russ Allbery <rra@debian.org>
- Date: Sun, 11 Dec 2011 11:34:26 -0800
- Message-id: <87pqfuaon1.fsf@windlord.stanford.edu>
- In-reply-to: <87wra3i6q4.fsf@mid.deneb.enyo.de> (Florian Weimer's message of "Sun, 11 Dec 2011 14:21:55 +0100")
- References: <a99694a8206b782c0176d9df732e4a3a.squirrel@wm.kinkhorst.nl> <4E9EBF7C.7020501@ubuntu.com> <a022548bb2db4ab2477511adccb72c57.squirrel@wm.kinkhorst.nl> <20111019143357.GA5502@thrall.0x539.de> <4E9EF8BC.9080205@debian.org> <20111021064138.GA22046@inutil.org> <87lisebtm5.fsf@mid.deneb.enyo.de> <20111122202427.GA5761@pisco.westfalen.local> <87sjl4vx1i.fsf@mid.deneb.enyo.de> <20111208194306.GA4317@pisco.westfalen.local> <20111211094031.GA19461@spike.0x539.de> <87wra3i6q4.fsf@mid.deneb.enyo.de>
Florian Weimer <fw@deneb.enyo.de> writes:
> * Philipp Kern:
>> sun-java6 is sadly still a very high profile package. I won't go and
>> break all those installations which force sun-java6 over openjdk-6
>> locally, either in unattended installations or through other means.
> It's really unfortunate that most of those installations seem to need
> sun-java6-plugin, which is the package which is actually dangerous to
> install.

I'm not sure that we actually know that. popcon tends to overweight
desktop systems, since servers more often have security policies that
don't allow use of popcon for one reason or another.

I know we (Stanford) have a whole ton of server systems that are using
sun-java6 with Tomcat or similar application architectures. We're working
on migrating them all to OpenJDK, of course, but we don't expect to finish
that until the wheezy release unless something that seriously affects
server use of the Sun JDK crops up. (And we have some vendor apps that
unfortunately so far have refused to even consider or test OpenJDK.
Sigh.)

We know that OpenJDK doesn't work with some of our applications currently,
mostly for stupid reasons, like a web service that doesn't support any
remotely modern SSL implementation.
--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>