icedtea-web installed and enabled by default in Fedora 19

Adam Domurad adomurad at
Wed Jun 19 13:52:50 UTC 2013

Florian Weimer <fweimer <at>> writes:

> I noticed that icedtea-web (the Java browser plugin implementation for 
> OpenJDK) is installed and enabled by default (as part of the "GNOME 
> Desktop" set).  This is a bit surprising, considering that the rest of 
> the world tries to move away from Java browser plugin technology (and 
> even browser plugin technology in general).
> We cannot really remove installed packages after the release, so I'm 
> wondering if we still can fix this prior to release.

Hi, in icedtea-web 1.4+ (current version as of F18), we have enabled
click-to-play for all applets by default, making the attack vector much
smaller. No code runs without confirmation anymore, additionally it can be
configured to disallow unsigned applets altogether.  

I think discoverability of the plugin should be improved first, before being
removed. I do not think it compromises the security of Fedora, with the
recent improvements, though.


More information about the devel mailing list