* Philipp Kern:

> sun-java6 is sadly still a very high profile package. I won't go and
> break all those installations which force sun-java6 over openjdk-6
> locally, either in unattended installations or through other means.

It's really unfortunate that most of those installations seem to need sun-java6-plugin, which is the package which is actually dangerous to install. (Presumably, only the first stage payload is pure Java, and the dropped malware won't run, but it's a bit unsettling.) At least this package doesn't seem to be installed without explicit request, so it's not extremely bad.

> openjdk-6 might well be a viable replacement in wheezy, but there
> are no efforts to backport those compatibility patches that might be
> in newer versions.

We will have to switch to a different IcedTea version in squeeze because the 1.8 branch we currently use will cease to receive security fixes soonish, probably after the next round of updates. If we switch to a branch where the plugin is separate (1.10 and later, IIRC), we could start fixing compatibility issues more aggressively if we wanted to.

> openjdk-6 might well be a viable replacement in wheezy, but there
> are no efforts to backport those compatibility patches that might be
> in newer versions.

I doubt it. The incompatibilities do not vanish, unless there is a critical mass of users who also contribute bug fixes. We just don't seem to be there yet.

(I also doubt that Oracle can drop security support for the Java 6 plugin in mid-2012, for mostly the same reason, at least if they don't want to be entirely reckless. They haven't even started pushing Java 7 to end users yet.)