AW: Question Update Java Security Updates

Achilleas Mantzios achill at matrix.gatewaynet.com
Mon Mar 14 08:14:27 UTC 2011


On Monday 14 March 2011 05:51:19 Roger Marquis wrote:
> Rob Farmer wrote:
> > If you have info showing that these vulnerabilities are bogus and
> > don't affect most people, please post it. Sun thought the issues were
> > important enough to patch and the "important point" it raises is that,
> > for Java, I trust Sun more than you.
> 
> We should distinguish between Java's JDK, JRE, and webstart.  The
> vulnerabilities you note are not in the JDK or the JRE, they are in
> webstart.  Webstart is the browser plugin.  As I noted earlier but

/usr/local/diablo-jdk1.5.0/bin/javaws != /usr/local/diablo-jdk1.5.0/jre/plugin/i386/ns7/libjavaplugin_oji.so
and (similarly)
/usr/local/openjdk6/bin/javaws != /usr/local/openjdk6/jre/lib/IcedTeaPlugin.so

> neglected to add IMO, the server apps and most commonly used apps are
> specifically "other than webstart".
> 

Agreed on that. Never bothered with javaws either.

> If I infer correctly from your email we are in disagreement about the
> popularity of javaws and not the relative security of java, javac, etc.
> 
> > If mailing list traffic (here, questions, ports) is any indication,
> > most people using Java care about the browser plugin.
> 
> I don't see it that way for a few reasons.  1) the webstart plugin
> generates more mail because it has so many more problems.  2) I haven't
> personally seen much use of applets or javaws.  YMV obviously.  

I do not see the browser plugin that way. Surely applets did not make it, as opposed to flash
or hot supercharged use of javascript, but there is a vast amount of old applets that need
to be kept running. People still use them to do work with them.
And the people who wrote those applets (like in my case) because Java was what I was more
familiar with, and not willing to learn new technologies just for the sake of an old
graphic browser app. It does not make any business sense.

> And 3) It 
> has also been my experience that FreeBSD is used far more as a server OS
> than as a desktop OS.  That (#3) is changing to be sure.  Yahoo's project
> Rewire is purging that company of FreeBSD and PC-BSD is making the
> desktop more viable.  I'll grant you FreeBSD may be becoming more of a
> desktop than a server OS.
> 

I have thought of switching to Ubuntu at our home computer,
but then again, in the end I find it a silly idea ;)

> > This change is almost certainly going to happen, sooner or later.
> 
> And I am looking forward to that as long as the transition isn't rushed.
> From difficult experience with the latest (Linux) Gnome, KDE, gjc, ...
> which were all rushed and broke far more than they fixed.  For obvious
> reasons I'm not keen on repeating those experiences with Java.  Sun's QA
> of Java is still second to none.  The OpenJDK may never have the
> resources to do that kind of QA but it will, at some point, get enough QA
> to avoid the bugs and vulnerabilities which handicap javaws and limit
> the adoption of so much other OSS.  That point, however, is not now or
> soon.
> 

Now you are comparing apples and oranges. Just because you had some hard time
upgrading some Linux boxes with gnome, kde, gjc (yes the first 2 have problems in FreeBSD, as well, as of late)
does not say anything about upgrading openjdk in FreeBSD.
Java (at least when talking about same version upgrades) was the least of the nightmares
of any upgrade I have gone through. Surely you must re-write certain apps if you go
from java5 to java6, but that is anticipated, going from e.g. openjdk6-b21 to openjdk6-b22
should not be any major concern.

> > There's nothing happening with the old ports. If you have issues with
> > openjdk
> 
> It's not about "issues" with anything, it's about objective measures of
> the frequency of mandatory upgrades, time spent maintaining applications,
> and the relative time and money required to use different OS'.  But as
> long as the "old" java ports don't get any more difficult to install or
> use I suppose it shouldn't matter which one is FreeBSD's official java.
> 
> IMO,
> Roger Marquis
> 



-- 
Achilleas Mantzios

