On 06/18/13 at 01:50pm, Josh Bressers wrote: > > Is java environment the only security flawed software distributed in > > Fedora by default? I don't think so. Please, correct me if I'm > > wrong. Does it mean Fedora should drop about 1/3 of packages > > because they have security bugs? What about Linux Kernel? It's also > > buggy. Should it be not included in Fedora? > > This is probably the wrong way to think of it. We're not telling anyone > they shouldn't be using the web plugin, we're saying it carries with it a > certain amount of risk. Should we subject all users, even the ones who > don't use this plugin, to that risk? Some recent news, http://www.theregister.co.uk/2013/06/14/java_june_critical_patch_update/ "The majority are vulnerable through browser plugins, 11 of which are exploitable for complete control of the underlying operating system," said Ross Barrett, senior manager of security engineering at Rapid7. ... This is not the first time that so many (40!) security bugs have been found and fixed in Java. I don't think that any Fedora package has a worse security record than Java stuff in recent times. -- Dhiru -- devel mailing list devel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/devel
