Florian Weimer <fweimer <at> redhat.com> writes:
I noticed that icedtea-web (the Java browser plugin implementation for OpenJDK) is installed and enabled by default (as part of the "GNOME Desktop" set). This is a bit surprising, considering that the rest of the world tries to move away from Java browser plugin technology (and even browser plugin technology in general).
We cannot really remove installed packages after the release, so I'm wondering if we still can fix this prior to release.
Hi, in icedtea-web 1.4+ (the current version as of F18), we have enabled click-to-play for all applets by default, making the attack vector much smaller. No code runs without confirmation anymore; additionally, it can be configured to disallow unsigned applets altogether.
I think discoverability of the plugin should be improved first, before being removed. I do not think it compromises the security of Fedora, with the recent improvements, though.
Cheers, -Adam