Re: icedtea-web installed and enabled by default in Fedora 19
On Tue, Jun 18, 2013 at 11:18 PM, Rahul Sundaram <methe...@gmail.com> wrote:

> The plugin used to be problematic before but have you tried it recently?

Maybe a year ago or so.

> Do file a bug report if there are still issues

Thanks for the tip.

--
Ismael Olea
http://olea.org/diario/

--
devel mailing list
devel@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/devel
Re: icedtea-web installed and enabled by default in Fedora 19
Florian Weimer <fweimer at redhat.com> writes:

> I noticed that icedtea-web (the Java browser plugin implementation for OpenJDK) is installed and enabled by default (as part of the GNOME Desktop set). This is a bit surprising, considering that the rest of the world tries to move away from Java browser plugin technology (and even browser plugin technology in general).
>
> We cannot really remove installed packages after the release, so I'm wondering if we still can fix this prior to release.

Hi,

in icedtea-web 1.4+ (current version as of F18), we have enabled click-to-play for all applets by default, making the attack vector much smaller. No code runs without confirmation anymore; additionally, it can be configured to disallow unsigned applets altogether.

I think discoverability of the plugin should be improved first, before it is removed. I do not think it compromises the security of Fedora, with the recent improvements, though.

Cheers,
-Adam
Re: icedtea-web installed and enabled by default in Fedora 19
On Tue, Jun 18, 2013 at 11:29 PM, Dhiru Kholia <dhiru.kho...@gmail.com> wrote:

> Some recent news,
>
> http://www.theregister.co.uk/2013/06/14/java_june_critical_patch_update/
>
> "The majority are vulnerable through browser plugins, 11 of which are exploitable for complete control of the underlying operating system," said Ross Barrett, senior manager of security engineering at Rapid7.

I can see how a vulnerability in Java running in user space can cause all sorts of problems for the user, but unless someone is running a browser as superuser, how can it possibly take complete control of the underlying operating system? Surely that would require a privilege escalation vulnerability in the kernel or a setuid program, and such a vulnerability is the fault of that package, not of Java.

Eric
Re: icedtea-web installed and enabled by default in Fedora 19
On 06/19/2013 01:29 AM, Dhiru Kholia wrote:

> Some recent news,
>
> http://www.theregister.co.uk/2013/06/14/java_june_critical_patch_update/
>
> "The majority are vulnerable through browser plugins, 11 of which are exploitable for complete control of the underlying operating system," said Ross Barrett, senior manager of security engineering at Rapid7.

Not that I am stepping up to defend Java plugins, but let's not be overly alarmist here. TheReg's article indeed points out some severe vulnerabilities, but they should not be 'exploitable for complete control of the underlying operating system' unless there is another vulnerability, e.g. in the kernel. The quote above is from another article, and in my personal opinion it is overly shrill.

As a general observation, security companies might just have a slight bias hyping up threats, but not to worry because they can also offer inexpensive and convenient solutions.
Re: icedtea-web installed and enabled by default in Fedora 19
On 17.06.2013 21:26, Dan Mashal wrote:

> On Mon, Jun 17, 2013 at 8:25 AM, Mateusz Marzantowicz <mmarzantow...@osdf.com.pl> wrote:
>> On 17.06.2013 17:18, Heiko Adams wrote:
>>> From my point of view the java-plugin is a big security hole and should be kicked from default installations ASAP.
>>
>> Then, why not fix it?
>>
>> Mateusz Marzantowicz
>
> There is no way in hell anyone here is going to fix the security holes in Java (open or closed). The only way to avoid the security holes caused by java is to not use it.

Is the Java environment the only security-flawed software distributed in Fedora by default? I don't think so. Please, correct me if I'm wrong. Does it mean Fedora should drop about 1/3 of packages because they have security bugs? What about the Linux kernel? It's also buggy. Should it not be included in Fedora?

> That's like telling someone not to use Firefox because it has security holes.

Isn't that what *-nix geeks tell M$ people about using IE? Don't use IE - it's buggy!

Mateusz Marzantowicz
Re: icedtea-web installed and enabled by default in Fedora 19
On 06/17/2013 06:31 PM, Matthew Garrett wrote:

> On Mon, Jun 17, 2013 at 11:03:26AM -0400, Bill Nottingham wrote:
>> The one issue I can see with removing it is that the plugin finder you then get in Firefox if you hit a Java site doesn't work to actually get you the Fedora version.
>
> Well, if we're looking at this for F20, it's probably worth figuring out whether we can integrate the Firefox plugin finder with Packagekit in some meaningful way.

This sounds like a great candidate for a Change (formerly Feature):

https://fedoraproject.org/wiki/Changes/Policy
Re: icedtea-web installed and enabled by default in Fedora 19
On Jun 17, 2013 9:03 AM, Bill Nottingham <nott...@redhat.com> wrote:

> ...
>> I think given all the trouble this plugin has caused recently, it wouldn't be wise to install it for everyone. If you need it, great, install it, but if a user doesn't need it, it's really just creating a level of risk we probably don't want. Fedora currently has a reputation for being pretty secure, I think this could damage that reputation.
>
> The one issue I can see with removing it is that the plugin finder you then get in Firefox if you hit a Java site doesn't work to actually get you the Fedora version.
>
> Bill

+1 This is a strong argument for installing it by default.

What would be more secure - the distro-maintained package, or the user-maintained tarball or rpm without a repo? The users that need help with security the most are the users that will follow the inline instructions by rote, without searching the repositories.

--Pete
Re: icedtea-web installed and enabled by default in Fedora 19
> Is the Java environment the only security-flawed software distributed in Fedora by default? I don't think so. Please, correct me if I'm wrong. Does it mean Fedora should drop about 1/3 of packages because they have security bugs? What about the Linux kernel? It's also buggy. Should it not be included in Fedora?

This is probably the wrong way to think of it. We're not telling anyone they shouldn't be using the web plugin, we're saying it carries with it a certain amount of risk. Should we subject all users, even the ones who don't use this plugin, to that risk?

We've made similar decisions in the past. Why do we turn on the firewall, or make Sendmail only listen on localhost? Sometimes it makes sense to make a decision that lowers potential risk for most users while being a slight inconvenience for other users. I think this plugin falls into that category.

Thanks.

--
Josh Bressers / Red Hat Product Security Team
Re: icedtea-web installed and enabled by default in Fedora 19
On Mon, Jun 17, 2013 at 4:32 PM, Bill Nottingham <nott...@redhat.com> wrote:

>> We cannot really remove installed packages after the release, so I'm wondering if we still can fix this prior to release.
>
> We could, I suppose. What do people think? (It's just one line in comps.)

When I needed a java plugin (particularly for some government websites) I always had to install the Sun/Oracle one. In those cases icedtea-web has been 100% useless to me :-/

My 2¢

--
Ismael Olea
http://olea.org/diario/
Re: icedtea-web installed and enabled by default in Fedora 19
On 06/18/2013 02:59 PM, Ismael Olea wrote:

> When I needed a java plugin (particularly for some government websites) I always had to install the Sun/Oracle one. In those cases icedtea-web has been 100% useless to me :-/

The plugin used to be problematic before but have you tried it recently? Do file a bug report if there are still issues.

Rahul
Re: icedtea-web installed and enabled by default in Fedora 19
On 06/18/13 at 01:50pm, Josh Bressers wrote:

>> Is the Java environment the only security-flawed software distributed in Fedora by default? I don't think so. Please, correct me if I'm wrong. Does it mean Fedora should drop about 1/3 of packages because they have security bugs? What about the Linux kernel? It's also buggy. Should it not be included in Fedora?
>
> This is probably the wrong way to think of it. We're not telling anyone they shouldn't be using the web plugin, we're saying it carries with it a certain amount of risk. Should we subject all users, even the ones who don't use this plugin, to that risk?

Some recent news,

http://www.theregister.co.uk/2013/06/14/java_june_critical_patch_update/

"The majority are vulnerable through browser plugins, 11 of which are exploitable for complete control of the underlying operating system," said Ross Barrett, senior manager of security engineering at Rapid7.

...

This is not the first time that so many (40!) security bugs have been found and fixed in Java. I don't think that any Fedora package has a worse security record than Java stuff in recent times.

--
Dhiru
Re: icedtea-web installed and enabled by default in Fedora 19
Florian Weimer (fwei...@redhat.com) said:

> I noticed that icedtea-web (the Java browser plugin implementation for OpenJDK) is installed and enabled by default (as part of the GNOME Desktop set). This is a bit surprising, considering that the rest of the world tries to move away from Java browser plugin technology (and even browser plugin technology in general).
>
> We cannot really remove installed packages after the release, so I'm wondering if we still can fix this prior to release.

We could, I suppose. What do people think? (It's just one line in comps.)

Nearly all live images drop it for space reasons.

Bill
Re: icedtea-web installed and enabled by default in Fedora 19
----- Original Message -----

> Florian Weimer (fwei...@redhat.com) said:
>> I noticed that icedtea-web (the Java browser plugin implementation for OpenJDK) is installed and enabled by default (as part of the GNOME Desktop set). This is a bit surprising, considering that the rest of the world tries to move away from Java browser plugin technology (and even browser plugin technology in general).
>>
>> We cannot really remove installed packages after the release, so I'm wondering if we still can fix this prior to release.
>
> We could, I suppose. What do people think? (It's just one line in comps.)
>
> Nearly all live images drop it for space reasons.

I think given all the trouble this plugin has caused recently, it wouldn't be wise to install it for everyone. If you need it, great, install it, but if a user doesn't need it, it's really just creating a level of risk we probably don't want. Fedora currently has a reputation for being pretty secure, I think this could damage that reputation.

Thanks.

--
Josh Bressers / Red Hat Product Security Team
Re: icedtea-web installed and enabled by default in Fedora 19
Josh Bressers (bress...@redhat.com) said:

> ----- Original Message -----
>> Florian Weimer (fwei...@redhat.com) said:
>>> I noticed that icedtea-web (the Java browser plugin implementation for OpenJDK) is installed and enabled by default (as part of the GNOME Desktop set). This is a bit surprising, considering that the rest of the world tries to move away from Java browser plugin technology (and even browser plugin technology in general).
>>>
>>> We cannot really remove installed packages after the release, so I'm wondering if we still can fix this prior to release.
>>
>> We could, I suppose. What do people think? (It's just one line in comps.)
>>
>> Nearly all live images drop it for space reasons.
>
> I think given all the trouble this plugin has caused recently, it wouldn't be wise to install it for everyone. If you need it, great, install it, but if a user doesn't need it, it's really just creating a level of risk we probably don't want. Fedora currently has a reputation for being pretty secure, I think this could damage that reputation.

The one issue I can see with removing it is that the plugin finder you then get in Firefox if you hit a Java site doesn't work to actually get you the Fedora version.

Bill
Re: icedtea-web installed and enabled by default in Fedora 19
On Jun 17, 2013 8:03 AM, Bill Nottingham <nott...@redhat.com> wrote:

> The one issue I can see with removing it is that the plugin finder you then get in Firefox if you hit a Java site doesn't work to actually get you the Fedora version.

I would keep it if people really use it. I'm on the opposite side, where if I'm doing anything Android related (or other various things) I must use sun jdk/jre.

Dan
Re: icedtea-web installed and enabled by default in Fedora 19
From my point of view the java-plugin is a big security hole and should be kicked from default installations ASAP.

2013/6/17 Dan Mashal <dan.mas...@gmail.com>

> On Jun 17, 2013 8:03 AM, Bill Nottingham <nott...@redhat.com> wrote:
>> The one issue I can see with removing it is that the plugin finder you then get in Firefox if you hit a Java site doesn't work to actually get you the Fedora version.
>
> I would keep it if people really use it. I'm on the opposite side, where if I'm doing anything Android related (or other various things) I must use sun jdk/jre.
>
> Dan

--
Kind regards
Heiko Adams

"The Bild newspaper: that rag so disgusting that you insult a dead fish by wrapping it in it!" (Volker Pispers)
Re: icedtea-web installed and enabled by default in Fedora 19
On 17.06.2013 17:18, Heiko Adams wrote:

> From my point of view the java-plugin is a big security hole and should be kicked from default installations ASAP.

Then, why not fix it?

Mateusz Marzantowicz
Re: icedtea-web installed and enabled by default in Fedora 19
On 06/17/2013 05:03 PM, Bill Nottingham wrote:

> The one issue I can see with removing it is that the plugin finder you then get in Firefox if you hit a Java site doesn't work to actually get you the Fedora version.

Hmm. Our Firefox has a pretty clear fingerprint over HTTPS (no user agent branding and lack of ECC support), so perhaps Mozilla could use this information to provide a better recommendation to users?

--
Florian Weimer / Red Hat Product Security Team
Re: icedtea-web installed and enabled by default in Fedora 19
Because IMHO Java itself is the security problem, but it's easier to remove the plugin because there are AFAIK no packages which require it and are relevant to normal desktop users.

2013/6/17 Mateusz Marzantowicz <mmarzantow...@osdf.com.pl>

> On 17.06.2013 17:18, Heiko Adams wrote:
>> From my point of view the java-plugin is a big security hole and should be kicked from default installations ASAP.
>
> Then, why not fix it?
>
> Mateusz Marzantowicz

--
Kind regards
Heiko Adams

"The Bild newspaper: that rag so disgusting that you insult a dead fish by wrapping it in it!" (Volker Pispers)
Re: icedtea-web installed and enabled by default in Fedora 19
On Mon, 17 Jun 2013 17:09:57 +0200, Dan Mashal wrote:

> if I'm doing anything Android related (or other various things) I must use sun jdk/jre.

Is it filed/tracked/known?

Jan
Re: icedtea-web installed and enabled by default in Fedora 19
On 06/17/2013 10:03 AM, Bill Nottingham wrote:

> The one issue I can see with removing it is that the plugin finder you then get in Firefox if you hit a Java site doesn't work to actually get you the Fedora version.

The one issue I see is that it's darn near impossible to find the package if you don't already know its name.

--
Ian Pilcher arequip...@gmail.com
Sometimes there's nothing left to do but crash and burn...or die trying.
Re: icedtea-web installed and enabled by default in Fedora 19
On Mon, Jun 17, 2013 at 8:25 AM, Mateusz Marzantowicz <mmarzantow...@osdf.com.pl> wrote:

> On 17.06.2013 17:18, Heiko Adams wrote:
>> From my point of view the java-plugin is a big security hole and should be kicked from default installations ASAP.
>
> Then, why not fix it?
>
> Mateusz Marzantowicz

There is no way in hell anyone here is going to fix the security holes in Java (open or closed). The only way to avoid the security holes caused by java is to not use it.

That's like telling someone not to use Firefox because it has security holes.

It might be worth fixing in openjdk but again, openjdk is useless to me as it is.

Dan
Re: icedtea-web installed and enabled by default in Fedora 19
Hi

On Mon, Jun 17, 2013 at 3:26 PM, Dan Mashal wrote:

> There is no way in hell anyone here is going to fix the security holes in Java (open or closed). The only way to avoid the security holes caused by java is to not use it.

That is too extreme. It is certainly possible to fix security issues in IcedTea and OpenJDK. Otherwise Fedora wouldn't be including it in the distribution and building a lot of packages using openJDK.

If we don't include IcedTea by default and there are future security issues, it still needs to be fixed, but the chances of it affecting users are reduced. However, we might be creating problems for users who are relying on IcedTea-Web to do their banking or other critical tasks, and IcedTea-Web is not easily installable via the Firefox plugin search, and it is an entirely un-obvious name for users to install using the package manager. Not a lot of people understand that Java applet source was never open sourced by Sun or Oracle and is not part of the OpenJDK project. If we can fix Firefox to install IcedTea on demand, that would be great.

Rahul
Re: icedtea-web installed and enabled by default in Fedora 19
* Rahul Sundaram <methe...@gmail.com> [2013-06-17 15:42]:

> Hi
>
> On Mon, Jun 17, 2013 at 3:26 PM, Dan Mashal wrote:
>> There is no way in hell anyone here is going to fix the security holes in Java (open or closed). The only way to avoid the security holes caused by java is to not use it.
>
> That is too extreme. It is certainly possible to fix security issues in IcedTea and OpenJDK. Otherwise Fedora wouldn't be including it in the distribution and building a lot of packages using openJDK.
>
> If we don't include IcedTea by default and there are future security issues, it still needs to be fixed, but the chances of it affecting users are reduced. However, we might be creating problems for users who are relying on IcedTea-Web to do their banking or other critical tasks, and IcedTea-Web is not easily installable via the Firefox plugin search, and it is an entirely un-obvious name for users to install using the package manager. Not a lot of people understand that Java applet source was never open sourced by Sun or Oracle and is not part of the OpenJDK project. If we can fix Firefox to install IcedTea on demand, that would be great.

+1 to fixing Firefox if we must stop it from being installed by default. As archaic as applets may be, they are still used in critical applications such as for banking/trading/etc. and I think it should always be possible for users to easily find it/install it if it is not already done by default.

FWIW, Oracle has been taking JVM security very seriously lately -- we do security releases on OpenJDK in Fedora and over the past few months, we have seen a significant rise (past avg*3+) in the number of issues fixed and also a significant rise in code hardening.

Cheers,
Deepak

> Rahul
Re: icedtea-web installed and enabled by default in Fedora 19
On Mon, Jun 17, 2013 at 11:03:26AM -0400, Bill Nottingham wrote:

> The one issue I can see with removing it is that the plugin finder you then get in Firefox if you hit a Java site doesn't work to actually get you the Fedora version.

Well, if we're looking at this for F20, it's probably worth figuring out whether we can integrate the Firefox plugin finder with Packagekit in some meaningful way.

--
Matthew Garrett | mj...@srcf.ucam.org
Re: icedtea-web installed and enabled by default in Fedora 19
On 06/16/2013 05:49 AM, Florian Weimer wrote:

> I noticed that icedtea-web (the Java browser plugin implementation for OpenJDK) is installed and enabled by default (as part of the GNOME Desktop set). This is a bit surprising, considering that the rest of the world tries to move away from Java browser plugin technology (and even browser plugin technology in general).

FWIW, we haven't quite moved away from it just yet. A number of major banking sites use a Java applet as the primary interface.

Rahul
Re: icedtea-web installed and enabled by default in Fedora 19
On 06/16/2013 08:20 PM, Rahul Sundaram wrote:

> On 06/16/2013 05:49 AM, Florian Weimer wrote:
>> I noticed that icedtea-web (the Java browser plugin implementation for OpenJDK) is installed and enabled by default (as part of the GNOME Desktop set). This is a bit surprising, considering that the rest of the world tries to move away from Java browser plugin technology (and even browser plugin technology in general).
>
> FWIW, we haven't quite moved away from it just yet. A number of major banking sites use a Java applet as the primary interface.

Indeed, and I'm not proposing to remove it from the repositories (yet).

--
Florian Weimer / Red Hat Product Security Team