* Rahul Sundaram <metherid@xxxxxxxxx> [2013-06-17 15:42]:
> Hi
>
>
> On Mon, Jun 17, 2013 at 3:26 PM, Dan Mashal wrote:
>
>
>     There is no way in hell anyone here is going to fix the security holes
>     in Java (open or closed).
>
>     The only way to avoid the security holes caused by java is to not use it.
>
>
> That is too extreme. It is certainly possible to fix security issues in
> IcedTea and OpenJDK. Otherwise Fedora wouldn't be including it in the
> distribution and building a lot of packages using openJDK. If we don't
> include IcedTea by default and there are future security issues, it still needs
> to be fixed but the chances of it affecting users are reduced however we might
> be creating problems for users who are relying on IcedTea-Web to do their
> banking or other critical tasks and IcedTea-Web is not easily installable via
> the Firefox plugin search and it is an entirely un-obvious name for users to
> install using the package manager. Not a lot of people understand that Java
> applet source was never open sourced by Sun or Oracle and is not part of the
> OpenJDK project. If we can fix Firefox to install IcedTea on demand, that
> would be great.
>

+1 to fixing Firefox if we must stop it from being installed by default. As
archaic as applets may be, they are still used in critical applications such
as for banking/trading/etc. and I think it should always be possible for
users to easily find it/install it if it is not already done by default.

FWIW, Oracle has been taking JVM security very seriously lately -- we do
security releases on OpenJDK in Fedora and over the past few months, we have
seen a significant rise (past avg*3+) in the number of issues fixed and also
a significant rise in code hardening.

Cheers,
Deepak

> Rahul
>
>
> --
> devel mailing list
> devel@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/devel