* Bob <bob_j_hayes at yahoo.co.uk> [2005-12-15 11:14:37]:

> http://freenetproject.org/index.php?page=download, in explaining which
> webinstaller the user should download, says "If you already have Java 1.4.1 or
> later installed (then use) freenet-webinstall.exe". Apart from the applet
> vulnerability that wasn't fixed till 1.4.2 (javascript classloader bypass
> iirc), there were recently 3 new applet privilege escalation vulnerabilities
> publicised affecting everything less than 1.5.0 update 3.
> Link multilined for stupid gmane filter :
> http://searchsecurity.techtarget.com/originalContent/
> 0,289142,sid14_gci1148505,00.html
>
> I can confirm that the current 0.5 still runs OK on 1.4.1 since I have to use
> that version of blackdown on Sparc Linux :) but I suggest we should recommend
> the latest 1.5 / 5.0 to windows users in light of the above.

I don't agree :p

Memory management has changed between 1.4 and 1.5 ... many users will see their script/performance tweaks broken after updating ... I agree that it would be simpler to support only the latest Sun JVM, but I don't think that's the way to go ;)

And the main point is: do you have anything proving that freenet is performing better on 1.5 than on 1.4? No? Well, so let Sun deal with their JVM's security matters ... As far as I know, freenet runs on 1.4 and it's advertised as such :p

Is there any need to switch to 1.5? As far as the current buildscript goes, the precompiled version of freenet isn't using 1.5 improvements (target=1.4 in build.xml)... But if there is *really* a gain, we can change that for sure :)

>
> All recent windows JVMs have a systray app which autoupdates aggressively, even
> to beta versions(!) provided the user OK's it, therefore recommending a recent
> version should save us from future issues like this.
>

And? Will the next step be to deprecate 1.4 support, as 70% of freenet's users are using the default installer which is setting up a 1.5 JVM?

We could as well report with Fred that the JVM might be vulnerable to security matters if version is < latest.

> The version currently bundled with the java-webinstaller is 1.5.0_06 and
> therefore safe by the way.
>
> Bob

Good news :)

NextGen$.

PS: btw, you have commit access on svn, feel free to change it ;) (directory /trunk/website)
