> > Is java environment the only security flawed software distributed in > Fedora by default? I don't think so. Please, correct me if I'm wrong. > Does it mean Fedora should drop about 1/3 of packages because they have > security bugs? What about Linux Kernel? It's also buggy. Should it be not > included in Fedora? > This is probably the wrong way to think of it. We're not telling anyone they shouldn't be using the web plugin, we're saying it carries with it a certain amount of risk. Should we subject all users, even the ones who don't use this plugin, to that risk? We've made similar decisions in the past. Why do we turn on the firewall, or make Sendmail only listen on localhost? Sometimes it makes sense to make a decision that lowers potential risk for most users while being a slight inconvenience for other users. I think this plugin falls into that category. Thanks. -- Josh Bressers / Red Hat Product Security Team -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
