icedtea-web installed and enabled by default in Fedora 19

Josh Bressers bressers at
Tue Jun 18 17:50:42 UTC 2013

> Is java environment the only security flawed software distributed in
> Fedora by default? I don't think so. Please, correct me if I'm wrong.
> Does it mean Fedora should drop about 1/3 of packages because they have
> security bugs? What about Linux Kernel? It's also buggy. Should it be not
> included in Fedora?

This is probably the wrong way to think of it. We're not telling anyone
they shouldn't be using the web plugin, we're saying it carries with it a
certain amount of risk. Should we subject all users, even the ones who
don't use this plugin, to that risk?

We've made similar decisions in the past. Why do we turn on the firewall,
or make Sendmail only listen on localhost? Sometimes it makes sense to make
a decision that lowers potential risk for most users while being a slight
inconvenience for other users. I think this plugin falls into that


Josh Bressers / Red Hat Product Security Team

More information about the devel mailing list