Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > linux.debian.maint.java > #13103

Re: openjdk-25: icedtea-web package - should it be removed?

From Matthias Klose <doko@debian.org>
Newsgroups linux.debian.maint.java
Subject Re: openjdk-25: icedtea-web package - should it be removed?
Date 2025-11-26 08:30 +0100
Message-ID <LVi8p-fPuT-1@gated-at.bofh.it> (permalink)
References <LVdBL-fMgV-5@gated-at.bofh.it>
Organization linux.* mail to news gateway

Show all headers | View raw

On 11/26/25 03:34, Vladimir Petko wrote:
> Dear Maintainers,
> 
> IcedTea Web implements the Java Web Start (JWS) specification[1].
> 
> Applet support is removed from the browsers, but the user can still
> run Java Web Start applications via the provided desktop launchers by
> downloading the JLNP file.
> 
> Security Manager provided a moderate sandbox that limited access to
> the host machine. OpenJDK 25 removes the Security Manager. This allows
> unrestricted access to the host machine without the user realising it.
> 
> I wonder if we should remove this package from the unstable pocket, as
> it poses a security risk to users when ran using openjdk-25.

yes please!

Back to linux.debian.maint.java | Previous | NextPrevious in thread | Next in thread | Find similar

Thread

openjdk-25: icedtea-web package - should it be removed? Vladimir Petko <vladimir.petko@canonical.com> - 2025-11-26 03:40 +0100
  Re: openjdk-25: icedtea-web package - should it be removed? Matthias Klose <doko@debian.org> - 2025-11-26 08:30 +0100
  Re: openjdk-25: icedtea-web package - should it be removed? Emmanuel Bourg <ebourg@apache.org> - 2025-11-26 09:00 +0100

csiph-web