AW: Question Update Java Security Updates

Roger Marquis marquis at roble.com
Mon Mar 14 03:51:20 UTC 2011


Rob Farmer wrote:
> If you have info showing that these vulnerabilities are bogus and
> don't affect most people, please post it. Sun though the issues were
> important enough to patch and the "important point" it raises is that,
> for Java, I trust Sun more than you.

We should distinguish between Java's JDK, JRE, and webstart.  The
vulnerabilities you note are not in the JDK or the JRE, they are in
webstart.  Webstart is the browser plugin.  As I noted earlier but
neglected to add IMO, the server apps and most commonly used apps are
specifically "other than webstart".

If I infer correctly from your email we are in disagreement about the
popularity of javaws and not the relative security of java, javac, etc.

> If mailing list traffic (here, questions, ports) is any indication,
> most people using Java care about the browser plugin.

I don't see it that way for a few reasons.  1) the webstart plugin
generates more mail because it has so many more problems.  2) I haven't
personally seen much use of applets or javaws.  YMMV obviously.  And 3) it
has also been my experience that FreeBSD is used far more as a server OS
than as a desktop OS.  That (#3) is changing to be sure.  Yahoo's project
Rewire is purging that company of FreeBSD and PC-BSD is making the
desktop more viable.  I'll grant you FreeBSD may be becoming more of a
desktop than a server OS.

> This change is almost certainly going to happen, sooner or later.

And I am looking forward to that as long as the transition isn't rushed.
From difficult experience with the latest (Linux) Gnome, KDE, gcj, ...
which were all rushed and broke far more than they fixed.  For obvious
reasons I'm not keen on repeating those experiences with Java.  Sun's QA
of Java is still second to none.  The OpenJDK may never have the
resources to do that kind of QA but it will, at some point, get enough QA
to avoid the bugs and vulnerabilities which handicap javaws and limit
the adoption of so much other OSS.  That point, however, is not now or
soon.

> There's nothing happening with the old ports. If you have issues with
> openjdk

It's not about "issues" with anything, it's about objective measures of
the frequency of mandatory upgrades, time spent maintaining applications,
and the relative time and money required to use different OSes.  But as
long as the "old" java ports don't get any more difficult to install or
use I suppose it shouldn't matter which one is FreeBSD's official java.

IMO,
Roger Marquis