
Canonical to remove all Sun JDK packages from the Partner archive - smn
https://lists.ubuntu.com/archives/ubuntu-security-announce/2011-December/001528.html
======
sciurus
Since this is a licensing issue, Ubuntu isn't the only distribution dealing
with this. Here is the announcement from Debian Project News:

The release of Java update 29 from Oracle marks not only security updates, but
a change to the licensing, removing Debian's ability to distribute the non-free
JVM. The clause in the Java license under which we were able to distribute
Java, the DLJ, has been removed. As a result, the sun-java6 package is no
longer suitable for the archive, and has been removed, as documented in Debian
Bug #646524 [2]. Sylvestre Ledru suggests [3] that sun-java6 installs be
migrated to openjdk, the open-source alternative, using the following command:
"apt-get --purge remove sun-java6-jre && apt-get install openjdk-7-jre"
Kai Wasserbäch has also pointed out elsewhere [4] that this upgrade path might
not be suitable for all Java programs, and special attention should be paid to
re-testing installed Java applications on OpenJDK.

    2: http://bugs.debian.org/646524
    3: http://sylvestre.ledru.info/blog/sylvestre/2011/10/25/removal_of_sun_java6_from_debian
    4: http://www.carbon-project.org/Removal_of_sun_java6_and_ElsterOnline.html

~~~
ryanpers
The notion of replacing the sun java6 with an openjdk7 is extremely laughable.
If you have a high performance java server app, openjdk just doesn't cut it.

~~~
nodata
Don't just laugh at it - make a suggestion. What do you suggest they do?

~~~
wbkang
Well, people can go download jdk7 themselves... but that doesn't really solve
the problem that the article is describing.

------
freehunter
This seems like a good thing, but man is that an awful way of going about
this. Forcibly removing the packages during a software update is shady enough,
but pushing out blank packages that will cause a user's system to produce
issues that the user might not know how to fix, or a reason for the failure?

Ubuntu has pretty much always been the "set it and forget it" distro. Problems
are often introduced in upgrading to a new release, but once you've installed
a release you generally don't get it broken with a routine update. Many people
have installed Ubuntu on non-techies' machines in order to not need to do
maintenance on them. Unless I'm misunderstanding, all those machines now need
to be manually updated to avoid being broken?

I know the blame goes back to Oracle, but Canonical could have handled the
issue better. In this case, it seems they're breaking the system to spite
Oracle.

~~~
mdeslaur
Since Oracle prevents redistribution of newer versions, there are only three
ways we can handle this:

1- Leave the insecure packages in the archive, and not update them
2- Remove the insecure packages from the archive, but leave them installed on
users' systems
3- Push out an update that removes them from users' systems

Please keep in mind that the security issues present in the old version are
currently being exploited by malware on the Internet.

If we do option #1, our users are at risk, and their systems will get
compromised. If we do option #2, new users cannot install the vulnerable
packages, but current users get compromised. If we do option #3, we make sure
our users stay secure, at the cost of breaking some installations.

There's no good way of dealing with this, but we are of the opinion that #3 is
unfortunately the best way to handle it. If you have a better alternative that
we haven't thought of, please let us know. Thanks.

~~~
freehunter
Remove them from the repo, leave them installed, and figure out a better way
to inform users of the risk. Some people would find that risk acceptable. Some
will take the notification and uninstall or update the software.

Personally, I don't think that's a decision the developers should make for the
users. You don't force them to use your proxy servers or firewalls, why are
you taking it upon yourselves to forcibly remove software from their machine
without being able to install a newer version? What this update does is fix
half a problem and introduce an entirely new one. You can't be the software
police.

~~~
mdeslaur
If people find having the risk is acceptable, they may use apt pinning to
force the older packages to remain installed.

Our users are expecting that the normal software update process ensures that
software they are using is maintained in a secure state with timely security
updates. To leave Java at a known vulnerable version would be irresponsible,
and most likely not what our users are expecting.
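The apt pinning mdeslaur refers to, written out as an added example that is not part of this thread: a stanza for /etc/apt/preferences.d/ that keeps the installed sun-java6 packages at their installed version, so the empty replacement packages from the partner archive are not pulled in on the next update. The package names listed and the version string 6.26-1natty1 are assumptions for illustration; substitute what `dpkg -l 'sun-java6-*'` reports on the machine.

```text
Explanation: Constructed example, not from the thread. Keep the installed
Explanation: sun-java6 packages at their installed version: a priority above
Explanation: 1000 wins over any archive version, including the empty
Explanation: replacement. 6.26-1natty1 is a placeholder; use the version
Explanation: that dpkg reports for the installed packages.
Package: sun-java6-jre
Pin: version 6.26-1natty1
Pin-Priority: 1001

Package: sun-java6-bin
Pin: version 6.26-1natty1
Pin-Priority: 1001

Package: sun-java6-plugin
Pin: version 6.26-1natty1
Pin-Priority: 1001
```

Check the result with `apt-cache policy sun-java6-jre`: the Candidate line should show the installed version rather than the archive's replacement. A package hold (`echo sun-java6-jre hold | dpkg --set-selections`, as root) reaches the same end without a preferences file. Either way the machine keeps the version the thread describes as actively exploited; if only the JVM is needed, omit sun-java6-plugin from the pin so the browser plugin, which the thread identifies as the exposed component, is not kept.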

~~~
sounds
To add to that, once the java plugin is removed the browser will prompt them
to install the default (icedtea) which is secure.

They will see the prompt the next time they visit a web page which uses java.

------
moonboots
An Oracle developer's comment on why the DLJ was retired:
<http://robilad.livejournal.com/90792.html>

I think this won't have a big impact on Java development or use on Ubuntu.
Ubuntu's bundled Sun java lagged behind the Oracle official releases, so it
wasn't much different from OpenJDK. Disabling the Java browser plugin by
default should have always been the sensible option. The plugin has always
seemed like an infrequently used security liability.

~~~
ntkachov
Personally I've always had problems with OpenJDK on Ubuntu. Eclipse just
doesn't run the same on the OpenJDK as it does on the SunJDK.

~~~
bad_user
It happens to me too and considering my past experience with Eclipse I don't
think OpenJDK is to be blamed - I just uninstalled Eclipse and went with
IntelliJ IDEA. Works fine.

------
hmottestad
And thus the first nail in the java coffin. Or at least the Oracle version.

Anyone know why Oracle doesn't want people to use java? (and by people I mean
linux users and by java I mean their version).

~~~
Stormbringer
Monetising Java has always been problematic. Linux/GPL people have always been
stroppy. Making sure everyone has the latest version is a hard enough problem
even without politics.

The take home lesson is that getting your language onto every desktop is hard
and probably not worth the effort.

Which is sad because the best thing about Java was always how it was OS
agnostic. People always used to say about Java "write once, run anywhere"...
but that was wrong. It was better than that. It was _compile_ once, run
anywhere.

I recently grabbed some of my old (1996) Java code from storage and then ran
it on my desktop. The desktop was using a different OS, different chip
architecture, everything was different from the machine it was originally
compiled on. After 15 years it still ran perfectly.

C is a "write once run anywhere" language, but you have to recompile it for
each different platform, which often turns out to be non-trivial. There's no
way I could take C code from a Windows 386 machine and run it on a Mac or
Linux multi-core 64bit machine over a decade later.

~~~
fleitz
"After 15 years it still ran perfectly", that's because the language is still
15 years old.

Java is at best, write once, test everywhere.

~~~
gaius
Write Once Run Somewhere Else

------
lysium
Remotely deleting stuff on your user's computers reminds me of the Kindle. You
just don't do that if you still want people to trust you. Instead, an
automatic transition to OpenJDK should be put in place. With this, your java
package at least still does java, albeit in a maybe incompatible way.

~~~
mdeslaur
Once the browser plugin gets uninstalled by the package update, visiting a web
site that requires a Java plugin will cause the browser to automatically
suggest installing OpenJDK/icedtea-plugin.

~~~
cleaver
That sounds like good behaviour for the browser plugin, but removing the
entire JDK would be annoying if you used Eclipse. I suspect that non-plugin
use of the JDK would not be as impacted by the security issues.

~~~
modoc
And would BREAK things if you run Tomcat/JBoss/Glassfish/etc... Seriously, the
idea of running a package update that would erase key requirements to running
my production J2EE apps is totally insane. I guess I'll stick with RHEL. For
all its issues, they've never talked about silently deleting my JDK.....

~~~
buntoo
Red Hat also removes packages when they can't update them

<https://rhn.redhat.com/errata/RHSA-2011-0368.html>

<https://rhn.redhat.com/errata/RHSA-2008-1045.html>

------
Jach
So I don't know how Gentoo is currently planning on doing this, but one thing
I've noticed with several packages is that if you try and install it, it will
exit with a message telling you to go download it from the company however
they want you to and stick it in Gentoo's downloaded source directory.
(Actually it already does this for the sun-jdk package.) Can't Ubuntu do
something similar? Silently removing the package from the repository is one
thing and relatively fine; silently removing the actual binaries is another
thing and out of the question. That JVM being available may be incredibly
important, you have no idea what it's being used for or how susceptible it is
to theoretical 0-day JVM vulnerabilities.

------
philjackson
Richard Stallman doesn't seem so crazy now, does he?

~~~
saurik
Oracle isn't demanding Ubuntu actively remove Java from users' computers:
Ubuntu has simply decided to do so; they could keep distributing the old
version, or even distribute no version at all. Meanwhile, the driving factor
behind the license change is "use OpenJDK instead", which would be a step in
the right direction with regard to RMS's issues with Java. Oracle is not the
problem here: Ubuntu is.

~~~
bad_user
This reminds me of a quote from the movie Analyze This (2002):

    Jelly: Anyway, two of the witnesses decided not to
           testify and the third guy, well, he committed
           suicide.
    Dr. Ben Sobel: How?
    Jelly: He stabbed himself in the back four times
           and threw himself off a bridge.

_Oracle isn't demanding Ubuntu actively remove Java from users' computers_

Except that it makes it impossible to do otherwise, as security (a hallmark of
desktop Linux) is compromised. Technical users that need to keep their servers
up will know how to workaround this, while mom and dad won't care.

Despite the backlash, I think this is the right choice.

~~~
saurik
Yes, I know how to work around this. No, I do think it is reasonable that I
might be forced to work around this while I'm in the middle of doing what
should have been a routine security upgrade; remember: the original package is
gone, and Ubuntu's Java packages have extra supporting material (such as dpkg-
alternatives logic) that is missing from Sun's.

It should also be noted/realized that many Ubuntu users even use the
"unattended-updates" package that is provided by the distribution, which means
that at some point in the middle of the night all of their software is just
going to stop working with no notice. Apple isn't even this insane, and people
give them all sorts of flak for theoretically having the ability to remotely
wipe apps from peoples' phones.

~~~
buntoo
It's what everybody else does, see?

<https://rhn.redhat.com/errata/RHSA-2011-0368.html>

<https://rhn.redhat.com/errata/RHSA-2008-1045.html>

------
fredsanford
Hey, it looks like the garbage collector finally got around to doing its
job... :) OK, it's a stretch, but...

(If Java had true garbage collection, most programs would delete themselves
upon execution. -- Robert Sewell)

~~~
prasinous
Re: Sewell, wouldn't that make Java the inverse of a quine?

------
xer0
To go in the Description field of your bookmark: (quote)

If you are currently using the Oracle Java packages from the partner archive,
you have two options:

1- Install the OpenJDK packages that are provided in the main Ubuntu archive.
(icedtea6-plugin for the browser plugin, openjdk-6-jdk or openjdk-6-jre for
the virtual machine)

2- Manually install Oracle's Java software from their web site [4].

------
BonoboBoner
I have to accept not having the latest default JDK on my OSX dev machine...
and now my server as well?

"Run anywhere (we want you to)"?

------
foxylad
Redhat's response to the DLJ retirement:
<https://access.redhat.com/kb/docs/DOC-64765>

Basically they have bought a binary code license (BCL) which gets around the
problem. Does this apply to Fedora too?

------
fauigerzigerk
_[...] so that the Sun JDK will be removed from all users machines when they
do a software update_

A ridiculous solution...

_Oracle has retired the "Operating System Distributor License for Java"_

... to a ridiculous problem.

------
ryanpers
As a developer who had need to run high performance Java, I gotta say your #1
option is just not an option. OpenJDK with icedtea isn't even remotely close
to a replacement.

I understand that Oracle is forcing your hand, but the lack of compassion and
sympathy and the ignorant insulting "recommendations" is really off-putting.

