As per http://www.h-online.com/security/news/item/Oracle-to-patch-76-security-vulnerabilities-1362667.html this update should be applied as soon as possible.
Add dmorgan as maintainer of this package.
Assignee: bugsquad => dmorganec
Perhaps we should go with version 7, update 1 instead. http://www.oracle.com/technetwork/java/javase/downloads/jre-7u1-download-513652.html
Version 6 is still supported. You do know policy, yes? :P And jre 7 is not quite tested yet. It's mostly for developers.
CC: (none) => sander.lepik
btw on cauldron we will remove sun java [1] and for this reason we can't use java7 from sun in mageia 1. [1]: http://sylvestre.ledru.info/blog/sylvestre/2011/08/26/sun_java6_packages_removed_from_debian_u
Will version 6 update 29 be packaged, or is it blocked by the license change? If it is blocked, we should try and find some way to let users know they have to either switch to openjdk, or update from the oracle website manually.
As I understood it, dmorgan's link, which leads to http://robilad.livejournal.com/90792.html (a blog post from the person who is responsible at Oracle for that stuff), suggests that they removed the license for any further JRE6 update for linux distributions. Can anyone please confirm that?
CC: (none) => doktor5000
ping ?
*** Bug 3558 has been marked as a duplicate of this bug. ***
CC: (none) => wilcal.int
Summary: Java Version 6 Update 29 => security update: java sun
I don't know what to do for the sun java, seems we cannot use this anymore on the distribution. But I updated openjdk6 on testing for CVE. I think this is the one we should test and push
Either we need a get-sun-java package, or we should remove sun java completely. If we choose to remove it, I think we should push an update as java-1.6.0-sun-1.6.0.26-0.3, that deletes all of the files from java-1.6.0-sun-1.6.0.26-0.2, and only has a README.urpmi file explaining that people who want to use sun java must install it from http://www.java.com also with a short explanation of why. We shouldn't leave the users with a vulnerable java-1.6.0-sun-1.6.0.26-0.2 on their system.
I have a very long history of dealing with Sun and Java applications. Going back to even 98 and Mandriva Linux on x86 and Sun Sparc platforms. Now that Sun is gone and Oracle is in control of Java I think it's run its course. I would not be averse to removing it from Mageia 2. So long as we are happy with the Open Source replacement. FWIW IMO the reason that Oracle purchased Sun is that they were paying Sun a reported $2B/yr for the license to use Java and it was simply cheaper in the mid term to buy Sun than keep paying them those fees.
(In reply to comment #10)
> We shouldn't leave the users with a vulnerable
> java-1.6.0-sun-1.6.0.26-0.2 on their system.

Good point, could you please ask on -dev mailing list about this, I've already tried to point this out in last packager meeting, but to no avail. First we need a consensus here.
(In reply to comment #10)
> Either we need a get-sun-java package, or we should remove sun java
> completely.
>
> If we choose to remove it, I think we should push an update as
> java-1.6.0-sun-1.6.0.26-0.3, that deletes all of the files from
> java-1.6.0-sun-1.6.0.26-0.2, and only has a README.urpmi file
> explaining that people who want to use sun java must install it from
> http://www.java.com also with a short explanation of why.

This is a bad idea because beginner users will be lost with this.

> We shouldn't leave the users with a vulnerable
> java-1.6.0-sun-1.6.0.26-0.2 on their system.

This closed source java is not installed by default whereas openjdk6 is. So I think we should just rebuild the existing java sun with a README.urpmi telling to update manually because of sec issues. But removing the files is really not a good idea imho
https://lists.ubuntu.com/archives/ubuntu-security-announce/2011-December/001528.html It may be bad for beginner users, but it's worse to leave them with insecure software that is being actively exploited. Note that if we don't do this, manually installing the Oracle version may leave the user still vulnerable, due to the old version still being installed, and /etc/alternatives still pointing to the old version.
No news ?
As per comment 14, we should issue an update that will remove java-sun, if it is still the old insecure version, as other distributions like ubuntu are doing.
Please remove Oracle/Java-Sun from Mageia. Oracle's motives are not in our interest.
java-1.6.0-sun-1.6.0.26-2.mga2.nonfree is still available in cauldron nonfree/release. As it has many security vulnerabilities, and we can't update it because Oracle retired the "Operating System Distributor License for Java", we should drop and obsolete java-1.6.0-sun for Mga 2.
Blocks: (none) => 5046
CC: (none) => lmenut
(In reply to comment #19)....
> we should drop and obsolete java-1.6.0-sun for Mga 2.

I concur.
(In reply to comment #13)
> (In reply to comment #10)
> > Either we need a get-sun-java package, or we should remove sun java
> > completely.
> >
> > If we choose to remove it, I think we should push an update as
> > java-1.6.0-sun-1.6.0.26-0.3, that deletes all of the files from
> > java-1.6.0-sun-1.6.0.26-0.2, and only has a README.urpmi file
> > explaining that people who want to use sun java must install it from
> > http://www.java.com also with a short explanation of why.
>
> This is a bad idea because beginner users will be lost with this.

Not to mention non-technical types not knowing what all needs to be done.

A get_oracle_jre script might be nice. It could call firefox /usr/share/doc/mageia-install-jre.html which has a java.com/download_link followed by instructions something like:

  click up a terminal
  su - root
  install_jre /where/downloaded/bin_here

and the install_jre script would do the unpacking and whatnot and create a link to the plugin in the firefox($arch) plugin directory.

I can not remember how/when it happened, but I remember thinking it was funny that you had to have a jre plugin to be able to navigate/download the plugin sometime in the past. No idea if site still has that "feature".
CC: (none) => junk_no_spam
Don't forget that the proper update-alternatives commands have to be run as well, after installing the oracle version. We could provide an update that only has a README.urpmi pointing them to the oracle download site, since you have to accept the license before getting a download link, and a script with the various commands to switch back and forth between oracle and openjdk/icedtea.
Blocks: 5046 => (none)
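Added example, not part of the bug thread: a read-only check for the state the comments above warn about, where the old java-1.6.0-sun tree is still installed and /etc/alternatives still points at it after a manual Oracle install. The /usr/lib/jvm layout and the JVM directory being named after the package are assumptions; the function names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the bug thread): report whether the old Sun JRE is
# still the active "java" alternative, or still on disk after a manual install.
# Assumption: JVMs live under /usr/lib/jvm in a directory named after the package.
STALE_PATTERN='java-1.6.0-sun'   # package name taken from the thread

# Print where $1/etc/alternatives/java points; fail if the link is missing.
alt_target() {
    link="$1/etc/alternatives/java"
    [ -L "$link" ] || return 1
    readlink "$link"
}

# Print one of: stale-active, stale-installed, clean.
# $1 is a root prefix so the check can run on a constructed tree; "" = live system.
audit_java() {
    root=$1
    target=$(alt_target "$root") || target=''
    case $target in
        *"$STALE_PATTERN"*) echo stale-active; return 0 ;;
    esac
    # Something else is selected: is the old tree nevertheless still installed?
    for dir in "$root"/usr/lib/jvm/*"$STALE_PATTERN"*; do
        if [ -d "$dir" ]; then
            echo stale-installed
            return 0
        fi
    done
    echo clean
}

state=$(audit_java "${1:-}")
case $state in
    stale-active)
        echo "java alternative still points at $STALE_PATTERN;" \
             "switch it with: update-alternatives --config java" ;;
    stale-installed)
        echo "$STALE_PATTERN is not selected but is still installed; remove the package" ;;
    clean)
        echo "no $STALE_PATTERN JRE found" ;;
esac
```

Run without arguments it inspects the live system; pass a directory to audit a mounted image or chroot instead.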
Please look at the bottom of this mail to see whether you're the assignee of this bug, if you don't already know whether you are.

If you're the assignee:

We'd like to know for sure whether this bug was assigned correctly. Please change status to ASSIGNED if it is, or put OK on the whiteboard instead. If you don't have a clue and don't see a way to find out, then please put NEEDHELP on the whiteboard. Please assign back to Bug Squad or to the correct person to solve this bug if we were wrong to assign it to you, and explain why.

Thanks :)

****************************

@ the reporter and persons in the cc of this bug:

If you have any new information that wasn't given before (like this bug being valid for another version of Mageia, too, or it being solved) please tell us.

@ the reporter of this bug

If you didn't reply yet to a request for more information, please do so within two weeks from now.

Thanks all :-D
CC: junk_no_spam => (none)
can someone help to write the README.urpmi ?
Maybe just use a similar text to https://lists.ubuntu.com/archives/ubuntu-security-announce/2011-December/001528.html ?
This message is a reminder that Mageia 1 is nearing its end of life. In approximately 25 days from now, Mageia will stop maintaining and issuing updates for Mageia 1. At that time this bug will be closed as WONTFIX (EOL) if it remains open with a Mageia 'version' of '1'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Mageia version prior to Mageia 1's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Mageia 1 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Mageia, you are encouraged to click on "Version" and change it against that version of Mageia. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Mageia release includes newer upstream software that fixes bugs or makes them obsolete. -- Mageia Bugsquad
Mageia 1 changed to end-of-life (EOL) status on 1st December. Mageia 1 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Mageia please feel free to click on "Version", change it against that version of Mageia and reopen this bug. Thank you for reporting this bug and we are sorry it could not be fixed. -- Mageia Bugsquad
Status: NEW => RESOLVED
Resolution: (none) => WONTFIX