icedtea-web installed and enabled by default in Fedora 19
Adam Domurad
adomurad at redhat.com
Wed Jun 19 13:52:50 UTC 2013
Florian Weimer <fweimer <at> redhat.com> writes:
>
> I noticed that icedtea-web (the Java browser plugin implementation for
> OpenJDK) is installed and enabled by default (as part of the "GNOME
> Desktop" set). This is a bit surprising, considering that the rest of
> the world tries to move away from Java browser plugin technology (and
> even browser plugin technology in general).
>
> We cannot really remove installed packages after the release, so I'm
> wondering if we still can fix this prior to release.
>
Hi, in icedtea-web 1.4+ (current version as of F18), we have enabled
click-to-play for all applets by default, making the attack vector much
smaller. No code runs without confirmation anymore; additionally, it can be
configured to disallow unsigned applets altogether.

I think discoverability of the plugin should be improved first, before being
removed. I do not think it compromises the security of Fedora, with the
recent improvements, though.

Cheers,
-Adam