@Jamie Strandboge:
Most of the options you mention are above my head, I'm sorry....

The thing is that most Ubuntu desktop users won't know about the need
for a manual update of JRE. I've done it already, my machines are
secure. But I'm an exception.

May I therefore suggest two other possible approaches, both of which
provide good security and both of which are simple:

1. Provide *untested* JRE security updates, which though untested for
stability, are at least secure. Issue a warning that they haven't been
tested for stability. Better to have untested JRE packages on your
machine which are secure, than stable but insecure JRE packages.

This can be achieved by simply making the JRE packages in the
development branch (right now: Karmic), available for the stable Ubuntu
versions (right now: Hardy, Intrepid and Jaunty).

2. Remove JRE entirely from Multiverse, and only provide OpenJDK.
OpenJDK is a Universe package and is being kept secure. When people want
JRE anyway, then they are forced to download and install it manually.
Therefore they will know that they have to periodically *update* JRE
manually as well. They are aware of the risk then.

My favourite solution is number 1. JRE is being made by Sun; a good
quality package, made by a big professional company. Not likely to
disrupt your system, even if you haven't tested it for Ubuntu.

-- 
version 1.6.0_15 is available 
https://bugs.launchpad.net/bugs/409559
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
