Florian Weimer <fweimer <at> redhat.com> writes:
>
> I noticed that icedtea-web (the Java browser plugin implementation for
> OpenJDK) is installed and enabled by default (as part of the "GNOME
> Desktop" set). This is a bit surprising, considering that the rest of
> the world tries to move away from Java browser plugin technology (and
> even browser plugin technology in general).
>
> We cannot really remove installed packages after the release, so I'm
> wondering if we still can fix this prior to release.
>

Hi,

in icedtea-web 1.4+ (current version as of F18), we have enabled
click-to-play for all applets by default, making the attack vector much
smaller. No code runs without confirmation anymore; additionally, it can
be configured to disallow unsigned applets altogether.

I think discoverability of the plugin should be improved first, before
being removed. I do not think it compromises the security of Fedora,
with the recent improvements, though.

Cheers,
-Adam

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel