Java update not a priority?

being completely paranoid about some things makes me prone to discuss topics that some may not find important or even interesting. my apologies.

a week ago some highly critical security flaws were reported in sun-java 5 and 6 and updates were issued.

my purpose here is not to rant, i would like to be educated.

why is this something that trickles down so slow?

> why is this something that trickles down so slow?

and i offer this, not as a rant response, but as as factual a
considered but not researched reply can be:

probably because the trickling down work is done by volunteers (and
probably by not enough to do it, check it, package it, release it any
faster)…

done by volunteers who have the right to decide they would rather (for
example) kiss their kids and read’em bed time stories tonight…and
work on packaging the updates for all the rest of us tomorrow, or next
week…

or, maybe the same team working on packing for your version decided
to finish the 11.2 package (released tomorrow) before they work on yours…

as far as i know (and i know i may be wrong) you can download direct
from SUN and (with the available documentation) patch your own system…

you could help yourself avoid the paranoia that way, and maybe in the
process become well enough acquainted and experienced with the entire
process to become a member of the team that does that for all of
us…and, thereby add hands to the process and speed the delivery to all…

on the other hand, if you are sufficiently paranoid you probably
should do it yourself anyway, to MAKE SURE no one slipped a back door
into the openSUSE version (assuming, of course, you actually trust SUN
to not be on the NSA/CIA/DIA/FBI/HS payrolls…)


palladium
Have a lot of fun…

i too have a tremendous admiration for those that contribute their time and experience to this community, it’s a thankless job with no upside, and my observation is not intended to negate their value.

since novell’s customer base is affected also, it does not seem that this type of issue is a concern for them either.

perhaps it’s not important that 11.2 will be exploitable out-of-the-box… after all, it’s free and there is no such thing as perfect software.

and yes, sun has basic rpm packages that one can use for updating.

seems my priorities differ from mainstream.

11.2 is not out yet so you can’t say it’ll be vulnerable out of the box and I just got a Java update for 11.1 today so they’re rolling out the java updates now, albeit it’s only up for 1.5.x, I’m sure 1.6.x/openJDK will follow.

> seems my priorities differ from mainstream.

understand…(i have friends whose security needs/wants causes them
to not install/load java, flash, turn on java-script, accept cookies,
sshd, ftpd, etc, etc, etc . . .)


palladium
Have a lot of fun…

Might as well unplug it from the internet then rotfl!

That is to give the impression from the outside that this is exactly what has happened.:wink:

> That is to give the impression from the outside that this is exactly
> what has happened.:wink:

is a good strategy, but kinda difficult to pull off…

mine won’t answer ping, and nothing is ‘served’ and the first ~1000
ports are all ‘stealthed’/‘filtered’ yet, there are still things that
can be found to give away there is something there…i asked a friend
to do a port scan of my IP and he returned:

------------------quote (some info redacted)---------------------
Starting Nmap 5.00 ( http://nmap.org ) at 2009-10-02 10:50 CEST
All 1000 scanned ports on [DELETED].dynamic.dsl.tele.dk (87.xx.xx.xxx)
are filtered. Too many fingerprints match this host to give specific
OS details.
OS and Service detection performed. Please report any incorrect
results at http://nmap.org/submit/.
Nmap done: 1 IP address (1 host up) scanned in 107.69 seconds
---------------------------end quote------------------------------

i can live with that, i think…


palladium
Have a lot of fun…

This is an important thing for me to know, because ubuntu has stopped updating sun-java and only offers openjdk which is not an option yet imho.

So will openSUSE offer new updates to SUN Java?

> So will openSUSE offer new updates to SUN Java?

yes…they always have…the question is timing (how fast the SUN
updates get to the repos for distribution to you and others)…

as always if it is not fast enough for your needs, you have the option
to download direct from SUN…(something you can’t do if you are, for
example, using Redmond’s implementation…you can wait six
months…but, those folks are used to non-secure, huh?)


palladium
