Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > linux.debian.maint.java > #13102

openjdk-25: icedtea-web package - should it be removed?

From Vladimir Petko <vladimir.petko@canonical.com>
Newsgroups linux.debian.maint.java
Subject openjdk-25: icedtea-web package - should it be removed?
Date 2025-11-26 03:40 +0100
Message-ID <LVdBL-fMgV-5@gated-at.bofh.it> (permalink)
Organization linux.* mail to news gateway

Show all headers | View raw

Dear Maintainers,

IcedTea Web implements the Java Web Start (JWS) specification[1].

Applet support is removed from the browsers, but the user can still
run Java Web Start applications via the provided desktop launchers by
downloading the JLNP file.

Security Manager provided a moderate sandbox that limited access to
the host machine. OpenJDK 25 removes the Security Manager. This allows
unrestricted access to the host machine without the user realising it.

I wonder if we should remove this package from the unstable pocket, as
it poses a security risk to users when ran using openjdk-25.

Best Regards,
 Vladimir.

[1] https://github.com/AdoptOpenJDK/IcedTea-Web?tab=readme-ov-file

Back to linux.debian.maint.java | Previous | NextNext in thread | Find similar

Thread

openjdk-25: icedtea-web package - should it be removed? Vladimir Petko <vladimir.petko@canonical.com> - 2025-11-26 03:40 +0100
  Re: openjdk-25: icedtea-web package - should it be removed? Matthias Klose <doko@debian.org> - 2025-11-26 08:30 +0100
  Re: openjdk-25: icedtea-web package - should it be removed? Emmanuel Bourg <ebourg@apache.org> - 2025-11-26 09:00 +0100

csiph-web