I noticed that icedtea-web (the Java browser plugin implementation for OpenJDK) is installed and enabled by default (as part of the "GNOME Desktop" set). This is a bit surprising, considering that the rest of the world tries to move away from Java browser plugin technology (and even browser plugin technology in general).
We cannot really remove installed packages after the release, so I'm wondering if we still can fix this prior to release.
On 06/16/2013 05:49 AM, Florian Weimer wrote:
I noticed that icedtea-web (the Java browser plugin implementation for OpenJDK) is installed and enabled by default (as part of the "GNOME Desktop" set). This is a bit surprising, considering that the rest of the world tries to move away from Java browser plugin technology (and even browser plugin technology in general).
FWIW, we haven't quite moved away from it just yet. A number of major banking sites are using a Java applet as the primary interface.
Rahul
On 06/16/2013 08:20 PM, Rahul Sundaram wrote:
On 06/16/2013 05:49 AM, Florian Weimer wrote:
I noticed that icedtea-web (the Java browser plugin implementation for OpenJDK) is installed and enabled by default (as part of the "GNOME Desktop" set). This is a bit surprising, considering that the rest of the world tries to move away from Java browser plugin technology (and even browser plugin technology in general).
FWIW, we haven't quite moved away from it just yet. A number of major banking sites are using a Java applet as the primary interface.
Indeed, and I'm not proposing to remove it from the repositories (yet).
Florian Weimer (fweimer@redhat.com) said:
I noticed that icedtea-web (the Java browser plugin implementation for OpenJDK) is installed and enabled by default (as part of the "GNOME Desktop" set). This is a bit surprising, considering that the rest of the world tries to move away from Java browser plugin technology (and even browser plugin technology in general).
We cannot really remove installed packages after the release, so I'm wondering if we still can fix this prior to release.
We could, I suppose. What do people think? (It's just one line in comps.)
Nearly all live images drop it for space reasons.
Bill
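Bill's "one line in comps" refers to the `<packagereq>` entry for icedtea-web in the comps.xml group definition that Anaconda and yum use to decide what a group pulls in. The following is an added example, not Fedora's comps tooling or anything from this thread: it parses a small, constructed comps fragment modelled on the Fedora format (the group id, package names and the `RISKY_PLUGINS` denylist are illustrative assumptions), reports which packages of a group land on disk without the user opting in (type `mandatory` or `default`, as yum treats them), and produces the edited XML with the offending entry dropped.

```python
"""Audit a comps.xml group for packages installed by default and drop one entry."""
import xml.etree.ElementTree as ET

# Constructed, minimal comps fragment modelled on the Fedora comps format
# (not the real Fedora comps file): a "GNOME Desktop" group whose
# packagelist pulls in icedtea-web with type="default".
SAMPLE_COMPS = """<comps>
  <group>
    <id>gnome-desktop</id>
    <name>GNOME Desktop</name>
    <default>true</default>
    <uservisible>true</uservisible>
    <packagelist>
      <packagereq type="mandatory">gnome-shell</packagereq>
      <packagereq type="default">firefox</packagereq>
      <packagereq type="default">icedtea-web</packagereq>
      <packagereq type="optional">java-1.7.0-openjdk-devel</packagereq>
    </packagelist>
  </group>
</comps>
"""

# Illustrative denylist of packages a reviewer would not want installed
# silently; this is an assumption for the example, not a Fedora policy.
RISKY_PLUGINS = {"icedtea-web"}


def installed_by_default(comps_xml, group_id):
    """Return the set of packages that land on disk when `group_id` is
    selected and the user opts into nothing: mandatory + default.
    Optional and conditional packagereqs are skipped. A packagereq
    without a type attribute is treated as mandatory, as yum does."""
    root = ET.fromstring(comps_xml)
    for group in root.findall("group"):
        if group.findtext("id") == group_id:
            return {
                req.text.strip()
                for req in group.iter("packagereq")
                if req.get("type", "mandatory") in ("mandatory", "default")
            }
    raise KeyError("group %r not found" % group_id)


def risky_defaults(comps_xml, group_id, denylist=RISKY_PLUGINS):
    """Sorted list of denylisted packages that `group_id` installs by default."""
    return sorted(installed_by_default(comps_xml, group_id) & set(denylist))


def drop_packagereq(comps_xml, group_id, package):
    """Return comps XML with `package` removed from `group_id`'s packagelist
    (the 'one line in comps' change). Raises if nothing was removed, so a
    typo in the package name cannot silently leave the entry in place."""
    root = ET.fromstring(comps_xml)
    removed = 0
    for group in root.findall("group"):
        if group.findtext("id") != group_id:
            continue
        pkglist = group.find("packagelist")
        for req in list(pkglist.findall("packagereq")):
            if req.text.strip() == package:
                pkglist.remove(req)
                removed += 1
    if not removed:
        raise ValueError("%s is not in group %s" % (package, group_id))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("risky defaults:", risky_defaults(SAMPLE_COMPS, "gnome-desktop"))
    fixed = drop_packagereq(SAMPLE_COMPS, "gnome-desktop", "icedtea-web")
    print("after fix:", risky_defaults(fixed, "gnome-desktop"))
```

Pointing `installed_by_default` at a real comps file (it is plain XML, so only the sample string changes) is the quick check for whether a plugin is still in the default set of a given group before a compose is cut.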
----- Original Message -----
Florian Weimer (fweimer@redhat.com) said:
I noticed that icedtea-web (the Java browser plugin implementation for OpenJDK) is installed and enabled by default (as part of the "GNOME Desktop" set). This is a bit surprising, considering that the rest of the world tries to move away from Java browser plugin technology (and even browser plugin technology in general).
We cannot really remove installed packages after the release, so I'm wondering if we still can fix this prior to release.
We could, I suppose. What do people think? (It's just one line in comps.)
Nearly all live images drop it for space reasons.
I think given all the trouble this plugin has caused recently, it wouldn't be wise to install it for everyone. If you need it, great, install it, but if a user doesn't need it, it's really just creating a level of risk we probably don't want.
Fedora currently has a reputation for being pretty secure, I think this could damage that reputation.
Thanks.
Josh Bressers (bressers@redhat.com) said:
----- Original Message -----
Florian Weimer (fweimer@redhat.com) said:
I noticed that icedtea-web (the Java browser plugin implementation for OpenJDK) is installed and enabled by default (as part of the "GNOME Desktop" set). This is a bit surprising, considering that the rest of the world tries to move away from Java browser plugin technology (and even browser plugin technology in general).
We cannot really remove installed packages after the release, so I'm wondering if we still can fix this prior to release.
We could, I suppose. What do people think? (It's just one line in comps.)
Nearly all live images drop it for space reasons.
I think given all the trouble this plugin has caused recently, it wouldn't be wise to install it for everyone. If you need it, great, install it, but if a user doesn't need it, it's really just creating a level of risk we probably don't want.
Fedora currently has a reputation for being pretty secure, I think this could damage that reputation.
The one issue I can see with removing it is that the plugin finder you then get in Firefox if you hit a Java site doesn't work to actually get you the Fedora version.
Bill
On Jun 17, 2013 8:03 AM, "Bill Nottingham" notting@redhat.com wrote:
The one issue I can see with removing it is that the plugin finder you then get in Firefox if you hit a Java site doesn't work to actually get you the Fedora version.
I would keep it if people really use it. I'm on the opposite side, where if I'm doing anything Android related (or other various things) I must use sun jdk/jre.
Dan
From my point of view the java-plugin is a big security hole and should be kicked from default installations ASAP.
2013/6/17 Dan Mashal dan.mashal@gmail.com
On Jun 17, 2013 8:03 AM, "Bill Nottingham" notting@redhat.com wrote:
The one issue I can see with removing it is that the plugin finder you then get in Firefox if you hit a Java site doesn't work to actually get you the Fedora version.
I would keep it if people really use it. I'm on the opposite side, where if I'm doing anything Android related (or other various things) I must use sun jdk/jre.
Dan
-- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel
Because IMHO Java itself is the security problem, but it's easier to remove the plugin because there are AFAIK no packages which require it and are relevant to normal desktop users.
2013/6/17 Mateusz Marzantowicz mmarzantowicz@osdf.com.pl
On 17.06.2013 17:18, Heiko Adams wrote:
From my point of view the java-plugin is a big security hole and should be kicked from default installations ASAP.
Then, why not fix it?
Mateusz Marzantowicz
On Mon, Jun 17, 2013 at 8:25 AM, Mateusz Marzantowicz mmarzantowicz@osdf.com.pl wrote:
On 17.06.2013 17:18, Heiko Adams wrote:
From my point of view the java-plugin is a big security hole and should be kicked from default installations ASAP.
Then, why not fix it?
Mateusz Marzantowicz
There is no way in hell anyone here is going to fix the security holes in Java (open or closed).
The only way to avoid the security holes caused by java is to not use it.
That's like telling someone not to use Firefox because it has security holes.
It might be worth to fix in openjdk but again, openjdk is useless to me as it is.
Dan
Hi
On Mon, Jun 17, 2013 at 3:26 PM, Dan Mashal wrote:
There is no way in hell anyone here is going to fix the security holes in Java (open or closed).
The only way to avoid the security holes caused by java is to not use it.
That is too extreme. It is certainly possible to fix security issues in IcedTea and OpenJDK. Otherwise Fedora wouldn't be including it in the distribution and building a lot of packages using OpenJDK. If we don't include IcedTea by default and there are future security issues, they still need to be fixed, but the chances of them affecting users are reduced. However, we might be creating problems for users who are relying on IcedTea-Web to do their banking or other critical tasks: IcedTea-Web is not easily installable via the Firefox plugin search, and it is an entirely unobvious name for users to install using the package manager. Not a lot of people understand that the Java applet source was never open sourced by Sun or Oracle and is not part of the OpenJDK project. If we can fix Firefox to install IcedTea on demand, that would be great.
Rahul
* Rahul Sundaram metherid@gmail.com [2013-06-17 15:42]:
Hi
On Mon, Jun 17, 2013 at 3:26 PM, Dan Mashal wrote:
There is no way in hell anyone here is going to fix the security holes in Java (open or closed). The only way to avoid the security holes caused by java is to not use it.
That is too extreme. It is certainly possible to fix security issues in IcedTea and OpenJDK. Otherwise Fedora wouldn't be including it in the distribution and building a lot of packages using OpenJDK. If we don't include IcedTea by default and there are future security issues, they still need to be fixed, but the chances of them affecting users are reduced. However, we might be creating problems for users who are relying on IcedTea-Web to do their banking or other critical tasks: IcedTea-Web is not easily installable via the Firefox plugin search, and it is an entirely unobvious name for users to install using the package manager. Not a lot of people understand that the Java applet source was never open sourced by Sun or Oracle and is not part of the OpenJDK project. If we can fix Firefox to install IcedTea on demand, that would be great.
+1 to fixing Firefox if we must stop it from being installed by default.
As archaic as applets may be, they are still used in critical applications such as for banking/trading/etc. and I think it should always be possible for users to easily find it/install it if it is not already done by default.
FWIW, Oracle has been taking JVM security very seriously lately -- we do security releases on OpenJDK in Fedora and over the past few months, we have seen a significant rise (past avg*3+) in the number of issues fixed and also a significant rise in code hardening.
Cheers, Deepak
Rahul
On 17.06.2013 21:26, Dan Mashal wrote:
On Mon, Jun 17, 2013 at 8:25 AM, Mateusz Marzantowicz mmarzantowicz@osdf.com.pl wrote:
On 17.06.2013 17:18, Heiko Adams wrote:
From my point of view the java-plugin is a big security hole and should be kicked from default installations ASAP.
Then, why not fix it?
Mateusz Marzantowicz
There is no way in hell anyone here is going to fix the security holes in Java (open or closed).
The only way to avoid the security holes caused by java is to not use it.
Is the Java environment the only security-flawed software distributed in Fedora by default? I don't think so. Please correct me if I'm wrong. Does it mean Fedora should drop about 1/3 of its packages because they have security bugs? What about the Linux kernel? It's also buggy. Should it not be included in Fedora?
That's like telling someone not to use Firefox because it has security holes.
Isn't that what *nix geeks tell M$ people about using IE? "Don't use IE - it's buggy!"
Mateusz Marzantowicz
Is the Java environment the only security-flawed software distributed in Fedora by default? I don't think so. Please correct me if I'm wrong. Does it mean Fedora should drop about 1/3 of its packages because they have security bugs? What about the Linux kernel? It's also buggy. Should it not be included in Fedora?
This is probably the wrong way to think of it. We're not telling anyone they shouldn't be using the web plugin, we're saying it carries with it a certain amount of risk. Should we subject all users, even the ones who don't use this plugin, to that risk?
We've made similar decisions in the past. Why do we turn on the firewall, or make Sendmail only listen on localhost? Sometimes it makes sense to make a decision that lowers potential risk for most users while being a slight inconvenience for other users. I think this plugin falls into that category.
Thanks.
On 06/18/13 at 01:50pm, Josh Bressers wrote:
Is the Java environment the only security-flawed software distributed in Fedora by default? I don't think so. Please correct me if I'm wrong. Does it mean Fedora should drop about 1/3 of its packages because they have security bugs? What about the Linux kernel? It's also buggy. Should it not be included in Fedora?
This is probably the wrong way to think of it. We're not telling anyone they shouldn't be using the web plugin, we're saying it carries with it a certain amount of risk. Should we subject all users, even the ones who don't use this plugin, to that risk?
Some recent news,
http://www.theregister.co.uk/2013/06/14/java_june_critical_patch_update/
"The majority are vulnerable through browser plugins, 11 of which are exploitable for complete control of the underlying operating system," said Ross Barrett, senior manager of security engineering at Rapid7.
...
This is not the first time that so many (40!) security bugs have been found and fixed in Java.
I don't think that any Fedora package has a worse security record than Java stuff in recent times.
-- Dhiru
On Tue, Jun 18, 2013 at 11:29 PM, Dhiru Kholia dhiru.kholia@gmail.com wrote:
Some recent news,
http://www.theregister.co.uk/2013/06/14/java_june_critical_patch_update/
"The majority are vulnerable through browser plugins, 11 of which are exploitable for complete control of the underlying operating system," said Ross Barrett, senior manager of security engineering at Rapid7.
I can see how a vulnerability in Java running in user space can cause all sorts of problems for the user, but unless someone is running a browser as superuser, how can it possibly take "complete control of the underlying operating system"? Surely that would require a privilege escalation vulnerability in the kernel or a setuid program, and such a vulnerability is the fault of that package, not of Java.
Eric
On 06/19/2013 01:29 AM, Dhiru Kholia wrote:
Some recent news,
http://www.theregister.co.uk/2013/06/14/java_june_critical_patch_update/
"The majority are vulnerable through browser plugins, 11 of which are exploitable for complete control of the underlying operating system," said Ross Barrett, senior manager of security engineering at Rapid7.
Not that I am stepping up to defend Java plugins, but let's not be overly alarmist here. TheReg's article indeed points out some severe vulnerabilities, but they should not be 'exploitable for complete control of the underlying operating system' unless there is another vulnerability, e.g. in the kernel.
The quote above is from another article, and in my personal opinion it is overly shrill. As a general observation, security companies might just have a slight bias hyping up threats, but not to worry because they can also offer inexpensive and convenient solutions.
On 06/17/2013 05:03 PM, Bill Nottingham wrote:
The one issue I can see with removing it is that the plugin finder you then get in Firefox if you hit a Java site doesn't work to actually get you the Fedora version.
Hmm. Our Firefox has a pretty clear fingerprint over HTTPS (no user agent branding and lack of ECC support), so perhaps Mozilla could use this information to provide a better recommendation to users?
On 06/17/2013 10:03 AM, Bill Nottingham wrote:
The one issue I can see with removing it is that the plugin finder you then get in Firefox if you hit a Java site doesn't work to actually get you the Fedora version.
The one issue I see is that it's darn near impossible to find the package if you don't already know its name.
On Mon, Jun 17, 2013 at 11:03:26AM -0400, Bill Nottingham wrote:
The one issue I can see with removing it is that the plugin finder you then get in Firefox if you hit a Java site doesn't work to actually get you the Fedora version.
Well, if we're looking at this for F20, it's probably worth figuring out whether we can integrate the Firefox plugin finder with Packagekit in some meaningful way.
On 06/17/2013 06:31 PM, Matthew Garrett wrote:
On Mon, Jun 17, 2013 at 11:03:26AM -0400, Bill Nottingham wrote:
The one issue I can see with removing it is that the plugin finder you then get in Firefox if you hit a Java site doesn't work to actually get you the Fedora version.
Well, if we're looking at this for F20, it's probably worth figuring out whether we can integrate the Firefox plugin finder with Packagekit in some meaningful way.
This sounds like a great candidate for a Change (formerly Feature): https://fedoraproject.org/wiki/Changes/Policy
On Jun 17, 2013 9:03 AM, "Bill Nottingham" notting@redhat.com wrote: ...
I think given all the trouble this plugin has caused recently, it wouldn't be wise to install it for everyone. If you need it, great, install it, but if a user doesn't need it, it's really just creating a level of risk we probably don't want.
Fedora currently has a reputation for being pretty secure, I think this could damage that reputation.
The one issue I can see with removing it is that the plugin finder you then get in Firefox if you hit a Java site doesn't work to actually get you the Fedora version.
Bill
+1
This is a strong argument for installing it by default. What would be more secure - the distro maintained package or the user maintained tarball or rpm without repo? The users that need help with security the most are the users that will follow the inline instructions by rote, without searching the repositories.
--Pete
On Mon, Jun 17, 2013 at 4:32 PM, Bill Nottingham notting@redhat.com wrote:
We cannot really remove installed packages after the release, so I'm wondering if we still can fix this prior to release.
We could, I suppose. What do people think? (It's just one line in comps.)
When I needed a Java plugin (particularly for some government websites) I always had to install the Sun/Oracle one. In those cases icedtea-web has been 100% useless to me :-/
My 2¢
On 06/18/2013 02:59 PM, Ismael Olea wrote:
When I needed a Java plugin (particularly for some government websites) I always had to install the Sun/Oracle one. In those cases icedtea-web has been 100% useless to me :-/
The plugin used to be problematic before, but have you tried it recently? Do file a bug report if there are still issues.
Rahul
On Tue, Jun 18, 2013 at 11:18 PM, Rahul Sundaram metherid@gmail.com wrote:
The plugin used to be problematic before but have you tried it recently?
Maybe a year ago or so.
Do file a bug report if there are still issues
thanks for the tip.
Florian Weimer (fweimer@redhat.com) writes:
I noticed that icedtea-web (the Java browser plugin implementation for OpenJDK) is installed and enabled by default (as part of the "GNOME Desktop" set). This is a bit surprising, considering that the rest of the world tries to move away from Java browser plugin technology (and even browser plugin technology in general).
We cannot really remove installed packages after the release, so I'm wondering if we still can fix this prior to release.
Hi, in icedtea-web 1.4+ (the current version as of F18), we have enabled click-to-play for all applets by default, making the attack vector much smaller. No code runs without confirmation anymore; additionally, it can be configured to disallow unsigned applets altogether.
I think discoverability of the plugin should be improved first, before being removed. I do not think it compromises the security of Fedora, with the recent improvements, though.
Cheers, -Adam