From: King Beowulf on 2 Apr 2010 01:47

On Thu, 01 Apr 2010 06:56:43 +0200, Manuel Reimer wrote:

> Hello,
>
> yesterday, I sent a mail to Patrick, asking for SeaMonkey, Firefox and
> Java updates.
>
> Today, I see that the browser updates are already here, but why does
> Patrick ignore Java updates over and over again?
>
> http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html
>
> For all holes:
>
> | Remote Exploit without Auth.? Yes
>
> And Oracle writes:
>
> | Oracle does not disclose information about the security analysis, but
> | the resulting Risk Matrix and associated documentation provide
> | information about the type of vulnerability, the conditions required to
> | exploit it, and the potential result of a successful exploit.
>
> For me this reads like "we verified, that the holes can be used to run
> code on your machine, but for security reasons we won't tell you how to
> do it".
>
> I've disabled Java on all my machines and until the update situation for
> the Java plugin gets better on Slackware, I keep them disabled.
>
> CU
>
> Manuel

I don't know why questions such as this keep popping up. We all have the Slackware source and therefore all of PV's slackbuild scripts. I've used them for years to update when PV was a bit slow or waited for the next Slackware version.

In this case, as others in this thread have implied, the official PV scripts just repackage the JRE binaries. If you are not shy about using slackbuilds.org scripts, why hesitate to use the "official scripts?"

Yes, occasionally you will need a patch, etc., and may need to wait until PV pushes the official package if you are not comfortable with "diff" and "patch." However, this doesn't happen very often.

So go for it. If you are skittish, you can run a copy of slackware in a VM to sandbox your upgrade attempts.

From: Manuel Reimer on 8 Apr 2010 01:32

King Beowulf wrote:

> I don't know why questions such as this keep popping up. We all have
> the Slackware source and therefore all of PV's slackbuild scripts.

And I don't just have *one* Slackware PC. I've written a perl script to auto-update all the PCs with official patches, so they keep "secure" automatically.

As I don't want to manually update Java on all those PCs it was easier to just uninstall Java. I don't have an important use case for Java.

I'll send another mail to Patrick today and if I don't get any answer, again, I'll abandon all hope about Java security on Slackware. With the current way of patching Java, it would be definitely better if Patrick disabled the Java plugin for Firefox, by default.

Would be too great if there would be more distributions with a "Slackware-like" package management out there, so there would be a choice. There are many with deb and rpm but only one with the simple packages, Slackware uses.

CU

Manuel

From: Glyn Millington on 8 Apr 2010 06:18

Manuel Reimer <mreimer(a)expires-30-04-2010.news-group.org> writes:

> Would be too great if there would be more distributions with a
> "Slackware-like" package management out there, so there would be a
> choice. There are many with deb and rpm but only one with the simple
> packages, Slackware uses.

Not trying to drive anyone away from Slackware, but would Arch Linux tick your boxes?

http://wiki.archlinux.org/index.php/Main_Page

jdk and jre are both listed as updated as of March 31st

I've been running this under VirtualBox for 6 months and the rolling release system seems to run pretty smoothly.

atb

Glyn

--
RTFM http://www.tldp.org/index.html
GAFC http://slackbook.org/ The Official Source :-)
STFW http://groups.google.com/groups?hl=en&group=alt.os.linux.slackware
JFGI http://jfgi.us/

From: Franz Sauerzopf on 8 Apr 2010 07:54

From Changelog current:

l/jre-6u19-x86_64-1.txz: Upgraded.
Upgraded to Java(TM) 2 Platform Standard Edition Runtime Environment Version 6.0 update 19.

:-)

Franz

From: Eef Hartman on 8 Apr 2010 08:45

Manuel Reimer <mreimer(a)expires-30-04-2010.news-group.org> wrote:

> As I don't want to manually update Java on all those PCs it was easier
> to just uninstall Java. I don't have an important usecase for Java.

As we use ssh exclusively to get access TO all machines, the omission of updates to openssh (which you must compile, so the package _is_ different for each Slackware release) is of much more importance to me:

Mon Mar 8 20:49:02 UTC 2010
n/openssh-5.4p1-i486-1.txz

(out of the -current ChangeLog.txt).

The Slackware 12.x and 13.0 releases are still at 5.1p1, so three versions behind (openssh counts on, the release after 5.9 will be 6.0, there is no "major.minor" system in the version numbers).

But as regards java, just use the package from -current, it IS Slackware-version independent (just a bunch of files and java archives plus pre-compiled binaries). It essentially is just a re-packaged version OF the SUN package.

--
*******************************************************************
** Eef Hartman, Delft University of Technology, dept. SSC/ICT **
** e-mail: E.J.M.Hartman(a)tudelft.nl - phone: +31-15-278 82525 **
*******************************************************************