Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > linux.debian.maint.java > #13102

openjdk-25: icedtea-web package - should it be removed?

Path csiph.com!news.samoylyk.net!gothmog.csi.it!bofh.it!news.nic.it!robomod
From Vladimir Petko <vladimir.petko@canonical.com>
Newsgroups linux.debian.maint.java
Subject openjdk-25: icedtea-web package - should it be removed?
Date Wed, 26 Nov 2025 03:40:01 +0100
Message-ID <LVdBL-fMgV-5@gated-at.bofh.it> (permalink)
X-Original-To Debian Java List <debian-java@lists.debian.org>
X-Mailbox-Line From debian-java-request@lists.debian.org Wed Nov 26 02:34:44 2025
Old-Return-Path <vladimir.petko@canonical.com>
X-Amavis-Spam-Status No, score=-9.398 tagged_above=-10000 required=5.3 tests=[BAYES_00=-2, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FOURLA=0.1, LDO_WHITELIST=-5, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001] autolearn=ham autolearn_force=no
X-Policyd-Weight using cached result; rate: -5.5
X-Gm-Message-State AOJu0YwDAJ4bmWHj5MCKzOP98jSHws0MG7h18/8Mv0evC8S/c6t4W99r sUDEJwXgrlgK4Dyo4gzAeREONb1wl6z29z49evquwQxWnZrwVMQkYN33Pu2hDFs0sCdpT+yivb2 yM55VQZmSEYn1rO9mBJ7TWFj5bNGgXblibexnPlslNakB0yi14J9F7zQQpQug/NMw9oj1B9Wa5h 6fmFUk995VkZL7PP57MnmH76m6DntAksOuHEvVsz/ig5DXpQHdT5ueS7J5ahzjgRIIhFY=
X-Gm-Gg ASbGncukn6OyLZecwNJIoyN28yzQ2VtmLXeHvFNAXyi0PoyxnZkSZfYZFaLLPCYWTwW 5HYvvVn31ekmKnXBzY5wRXNxZpJD4y8LT+kndClLLIxbWd4toaa2JNTSKKjr8/IYDVqAHnOM+eL vDowSc5KeD/EmmXCmmXXgzYToPLbzFDBHPd97N1Jf89q033xLjQBKDKzVEnMaYdwL60ww=
X-Received by 2002:a05:690c:6ac2:b0:786:57f5:b498 with SMTP id 00721157ae682-78a8b567291mr134781307b3.61.1764124461078; Tue, 25 Nov 2025 18:34:21 -0800 (PST)
X-Google-SMTP-Source AGHT+IEYl0OdDWOJpItVyWsdvmmreVjQYBddkbTaO62UW1Q01ShUOJ51ErgJNMrbtqNJVj7przl9oLZkIakL3l/8kOQ=
X-Received by 2002:a05:690c:6ac2:b0:786:57f5:b498 with SMTP id 00721157ae682-78a8b567291mr134781197b3.61.1764124460804; Tue, 25 Nov 2025 18:34:20 -0800 (PST)
MIME-Version 1.0
X-Gm-Features AWmQ_bloqk6x1tt0PhfZJ0S3YqEINjb1mGRxbVlKKTSN0LLLyPa3y34VM2vWbUk
Content-Type text/plain; charset="UTF-8"
X-Mailing-List <debian-java@lists.debian.org> archive/latest/23846
List-ID <debian-java.lists.debian.org>
List-URL <https://lists.debian.org/debian-java/>
List-Archive https://lists.debian.org/msgid-search/CALFf3keByx7mnb7v7V+W93HShQiHoUp0nNkRQmWiGXJELdVESA@mail.gmail.com
Approved robomod@news.nic.it
Lines 19
Organization linux.* mail to news gateway
Sender robomod@news.nic.it
X-Original-Date Wed, 26 Nov 2025 15:34:09 +1300
X-Original-Message-ID <CALFf3keByx7mnb7v7V+W93HShQiHoUp0nNkRQmWiGXJELdVESA@mail.gmail.com>
Xref csiph.com linux.debian.maint.java:13102

Show key headers only | View raw

Dear Maintainers,

IcedTea Web implements the Java Web Start (JWS) specification[1].

Applet support is removed from the browsers, but the user can still
run Java Web Start applications via the provided desktop launchers by
downloading the JLNP file.

Security Manager provided a moderate sandbox that limited access to
the host machine. OpenJDK 25 removes the Security Manager. This allows
unrestricted access to the host machine without the user realising it.

I wonder if we should remove this package from the unstable pocket, as
it poses a security risk to users when ran using openjdk-25.

Best Regards,
 Vladimir.

[1] https://github.com/AdoptOpenJDK/IcedTea-Web?tab=readme-ov-file

Back to linux.debian.maint.java | Previous | NextNext in thread | Find similar

Thread

openjdk-25: icedtea-web package - should it be removed? Vladimir Petko <vladimir.petko@canonical.com> - 2025-11-26 03:40 +0100
  Re: openjdk-25: icedtea-web package - should it be removed? Matthias Klose <doko@debian.org> - 2025-11-26 08:30 +0100
  Re: openjdk-25: icedtea-web package - should it be removed? Emmanuel Bourg <ebourg@apache.org> - 2025-11-26 09:00 +0100

csiph-web