Why does Patrick ignore Java updates?
in [Slackware]
|
Prev: Slackware 12.2 audio
Next: Kernel.org
From: Manuel Reimer on 1 Apr 2010 00:56 Hello, yesterday, I sent a mail to Patrick, asking for SeaMonkey, Firefox and Java updates. Today, I see that the browser updates are already here, but why does Patrick ignore Java updates over and over again? http://www.oracle.com/technology/deploy/security/critical-patch-updates/javacpumar2010.html For all holes: | Remote Exploit without Auth.? Yes And Oracle writes: | Oracle does not disclose information about the security analysis, but | the resulting Risk Matrix and associated documentation provide | information about the type of vulnerability, the conditions required to | exploit it, and the potential result of a successful exploit. For me this reads like "we verified, that the holes can be used to run code on your machine, but for security reasons we won't tell you how to do it". I've disabled Java on all my machines and until the update situation for the Java plugin gets better on Slackware, I keep them disabled. CU Manuel
From: Eef Hartman on 1 Apr 2010 03:42 Manuel Reimer <mreimer(a)expires-30-04-2010.news-group.org> wrote: > I've disabled Java on all my machines and until the update situation for > the Java plugin gets better on Slackware, I keep them disabled. Just get your own Java SDK or RE from java.sun.com and install those. It isn't difficult and you're not dependant on the updates from Pat anymore: -r-xr-xr-x 1 ehartman ce-users 84738557 2009-12-18 01:16 jdk-6u18-linux-i586.bin -r-xr-xr-x 1 ehartman ce-users 21037169 2009-12-18 01:15 jre-6u18-linux-i586.bin The "jdk" one is the full Java Development Kit, including everything the other (Java Runtime Engine) got, but a lot of users do not need the full jdk, so there I install the jre one. Don't be intimidated by the .bin extension, it is a shell script which unpacks containing archives, no compilation or so, just extracting the files and Java .jar archives. After downloading you just have to make it executable, as above. -- ******************************************************************* ** Eef Hartman, Delft University of Technology, dept. SSC/ICT ** ** e-mail: E.J.M.Hartman(a)tudelft.nl - phone: +31-15-278 82525 ** *******************************************************************
From: Manuel Otto on 1 Apr 2010 08:40 On Thu, 01 Apr 2010 09:42:05 +0200, Eef Hartman <E.J.M.Hartman(a)tudelft.nl> wrote: >Manuel Reimer <mreimer(a)expires-30-04-2010.news-group.org> wrote: >> I've disabled Java on all my machines and until the update situation for >> the Java plugin gets better on Slackware, I keep them disabled. > >Just get your own Java SDK or RE from java.sun.com and install those. >It isn't difficult and you're not dependant on the updates from Pat >anymore: >-r-xr-xr-x 1 ehartman ce-users 84738557 2009-12-18 01:16 jdk-6u18-linux-i586.bin >-r-xr-xr-x 1 ehartman ce-users 21037169 2009-12-18 01:15 jre-6u18-linux-i586.bin >The "jdk" one is the full Java Development Kit, including everything >the other (Java Runtime Engine) got, but a lot of users do not need >the full jdk, so there I install the jre one. > >Don't be intimidated by the .bin extension, it is a shell script >which unpacks containing archives, no compilation or so, just extracting >the files and Java .jar archives. After downloading you just have to make >it executable, as above. The link: http://java.sun.com/javase/downloads/index.jsp and: ftp://ftp.slackware.com/pub/slackware/slackware-current/source/l/jre/jre.SlackBuild In jre.SlackBuild change: VERSION=6u19 DVER=1.6.0_19 into: VERSION=6uxx DVER=1.6.0_xx whenever there is a new version of JRE available. This works for me on Slack 12.2, I always have latest JAVA. I too wondered why JRE never gets updates. On Slack 12.2 it's still at version 6u11, and whe have 6u19 now... Manuel
From: Richard Herbert on 1 Apr 2010 17:37 On Thu, 01 Apr 2010 09:42:05 +0200, Eef Hartman wrote: > Just get your own Java SDK or RE from java.sun.com and install those. It > isn't difficult and you're not dependant on the updates from Pat > anymore: I guess no-one should be "dependent" on Patrick Volkerding for keeping their Slackware sytsems up-to-date. I got slapped recently for cherry- picking from -current, but I'll bet you dollars to doughnuts that the latest version of the Sun JRE will appear as a package in -current before it appears as a package anywhere else. We all have the option, if need be, to download updates directly from the the upstream provider, but then we lose whatever little control Patrick imposes on his versions in the interest of maintaining stability, and therefore a reliable distribution. I guess as long as any original source provides a "make uninstall" option we'll be able to remain loyal to Patrick's packaging system. More than once, I've downloaded, compiled and installed from original source because I didn't know when, if ever, a Slackware package would be made available. Then, in the case where the package did become available, I uninstalled the "manufacturer's" binaries, and installed the Slackware package. In every case, I kinda felt that I'd stepped outside of Slackware and possibly made my installation less stable, or at least, harder to maintain. -- Richard Herbert Registered Linux user 14329 If there's nothing wrong with me, then ... there must be something wrong with the Universe!
From: Manuel Otto on 1 Apr 2010 19:10
On 01 Apr 2010 21:37:52 GMT, Richard Herbert <rherbert(a)sympatico.ca> wrote: >On Thu, 01 Apr 2010 09:42:05 +0200, Eef Hartman wrote: > >> Just get your own Java SDK or RE from java.sun.com and install those. It >> isn't difficult and you're not dependant on the updates from Pat >> anymore: > >I guess no-one should be "dependent" on Patrick Volkerding for keeping >their Slackware sytsems up-to-date. I got slapped recently for cherry- >picking from -current, but I'll bet you dollars to doughnuts that the >latest version of the Sun JRE will appear as a package in -current before >it appears as a package anywhere else. > >We all have the option, if need be, to download updates directly from the >the upstream provider, but then we lose whatever little control Patrick >imposes on his versions in the interest of maintaining stability, and >therefore a reliable distribution. > >I guess as long as any original source provides a "make uninstall" option >we'll be able to remain loyal to Patrick's packaging system. More than >once, I've downloaded, compiled and installed from original source because >I didn't know when, if ever, a Slackware package would be made available. >Then, in the case where the package did become available, I uninstalled >the "manufacturer's" binaries, and installed the Slackware package. In >every case, I kinda felt that I'd stepped outside of Slackware and >possibly made my installation less stable, or at least, harder to maintain. In the case of JRE the jre-6u19-linux-i586.bin file at ftp://ftp.slackware.com/pub/slackware/slackware-current/source/l/jre/ is an exact copy of the file at http://java.sun.com/javase/downloads/index.jsp but the file at java.sun.com will always be available first. With jre.SlackBuild file at ftp://ftp.slackware.com/pub/slackware/slackware-current/source/l/jre/ you can create your own slackware package which is as stable as the package that will be available at least days later at ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/l/ I re-use the same jre.SlackBuild file whenever I download a new jre at http://java.sun.com/javase/downloads/index.jsp I only change the numbers for 'VERSION' and 'DVER'. While I use Slackware 12.2, I also change /sbin/makepkg -l y -c n $TMP/jre-$(echo $VERSION | tr - _)-${ARCH}-$BUILD.txz to /sbin/makepkg -l y -c n $TMP/jre-$(echo $VERSION | tr - _)-${ARCH}-$BUILD.tgz at the end of the same SlackBuild file. There can be no valid reason for JRE in Slackware 12.2 to be still at version 6u11. JRE is currently at 6u19... |