1080p_at_35b
Posts: 48
Joined: Fri Jun 22, 2012 6:07 pm

java removal and security

Wed Feb 06, 2013 12:55 pm

Mod note: this thread was split from the "status of java on raspbian." thread for being offtopic and possibly a troll (I'm not sure if the poster is a troll or actually believes what he is saying). --plugwash

You wouldn't happen to know of an obliterate Java option would you? The only good Java runtime is one uninstalled IMHO.

xranby
Posts: 538
Joined: Sat Mar 03, 2012 10:02 pm

Re: status of java on raspbian.

Wed Feb 06, 2013 1:13 pm

1080p_at_35b wrote: You wouldn't happen to know of an obliterate Java option would you? The only good Java runtime is one uninstalled IMHO.
You know you are trolling and post unsocial comments, there is nothing wrong with freejava. If you have a problem then a) write a unit test to expose the problem you have or b) file a patch. It runs great, it is fast and it is community supported.
Xerxes Rånby @xranby I once had two, then I gave one away. Now both are in use every day!
twitter.com/xranby

1080p_at_35b
Posts: 48
Joined: Fri Jun 22, 2012 6:07 pm

Re: status of java on raspbian.

Wed Feb 06, 2013 3:33 pm

xranby wrote:
1080p_at_35b wrote: You wouldn't happen to know of an obliterate Java option would you? The only good Java runtime is one uninstalled IMHO.
You know you are trolling and post unsocial comments, there is nothing wrong with freejava. If you have a problem then a) write a unit test to expose the problem you have or b) file a patch. It runs great, it is fast and it is community supported.
If I am trolling, you are fanboying. Java is a massive security hole, simple as that. Have you read the news lately?

My post was as legit as it was to your disliking. 50% legit question: can Java be removed altogether from Raspbian? 25% fact: Java is an enormous security hole that Oracle constantly fails to fix and several significant companies are recommending it be disabled or just blacklist it. 25% was arguably opinion: I'm sick of hearing about Java out of memory errors and constant security holes!

If you don't like my opinion, bad luck. I have a right to express it nonetheless. I believe that is what is called democracy, whether you want to dismiss it as 'trolling' or not.

xranby
Posts: 538
Joined: Sat Mar 03, 2012 10:02 pm

Re: status of java on raspbian.

Wed Feb 06, 2013 3:43 pm

1080p_at_35b wrote:
xranby wrote:
1080p_at_35b wrote: You wouldn't happen to know of an obliterate Java option would you? The only good Java runtime is one uninstalled IMHO.
You know you are trolling and post unsocial comments, there is nothing wrong with freejava. If you have a problem then a) write a unit test to expose the problem you have or b) file a patch. It runs great, it is fast and it is community supported.
If I am trolling, you are fanboying. Java is a massive security hole, simple as that. Have you read the news lately?

My post was as legit as it was to your disliking. 50% legit question: can Java be removed altogether from Raspbian? 25% fact: Java is an enormous security hole that Oracle constantly fails to fix and several significant companies are recommending it be disabled or just blacklist it. 25% was arguably opinion: I'm sick of hearing about Java out of memory errors and constant security holes!

If you don't like my opinion, bad luck. I have a right to express it nonetheless. I believe that is what is called democracy, whether you want to dismiss it as 'trolling' or not.
please stay on topic: status of java on raspbian.

if you don't want to use java then do not install the java packages, it is as simple as that.

Maybe you missed that all the latest java security holes were exploitable using the proprietary oracle java plugin. Oracle have never released the sourcecode to this plugin and on the raspberry pi they do not even deploy the plugin in their raspberry pi builds. Also the exploit made use of the new invoke dynamic instructions that are only found in the Oracle JDK7+ ARM builds. freejava is safe.
Xerxes Rånby @xranby I once had two, then I gave one away. Now both are in use every day!
twitter.com/xranby

plugwash
Forum Moderator
Posts: 3311
Joined: Wed Dec 28, 2011 11:45 pm

Re: java removal and security

Wed Feb 06, 2013 6:38 pm

Java has sandboxing support to allow running untrusted java code without giving it access to the resources accessible to the user running the JVM. Unfortunately such sandboxing systems are often imperfect and java's has a relatively poor reputation. However you should understand that the vast majority of applications DO NOT use this feature. Sandboxing problems have really only been a significant issue with browser plugins.

I'm not sure if the issues recently are in the sandboxing support in java itself or in the use of the sandboxing support by the plugin but either way they only really affect people who have a java browser plugin installed. On debian based systems installing a java plugin is a separate action from installing a jvm.

As for removing java packages, apt-get remove java* jre* gcj* should remove pretty much all of them if you are that way inclined.
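
An added example, not part of plugwash's post: since the exposure discussed in this thread is the browser plugin, which Debian-based systems install separately from the JVM, this script sorts an installed-package listing into plugin and runtime packages so each can be reviewed before removal. The package-name patterns and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Splits installed packages into "plugin" (browser-facing)
# and "runtime" (JVM/JRE), skipping names that only contain "java".
# The name patterns are assumptions based on Debian/Raspbian package naming.

classify_java_pkgs() {
    # stdin: "<status-abbrev> <package>" lines, as printed by
    #   dpkg-query -W -f='${db:Status-Abbrev} ${Package}\n'
    awk '
        $1 != "ii"               { next }   # keep fully installed packages only
        $2 ~ /^libjavascript/    { next }   # JavaScript libraries, not Java
        $2 ~ /^icedtea.*plugin$/ { print "plugin " $2; next }
        $2 ~ /^(openjdk|oracle-java|default-j|gcj|java-common)/ { print "runtime " $2 }
    '
}

# Constructed sample listing (not taken from a real system).
sample_listing() {
cat <<'EOF'
ii  default-jre
ii  gcj-4.7-jre
ii  icedtea-7-plugin
ii  java-common
ii  libjavascriptcoregtk-3.0-0
ii  openjdk-7-jre
ii  openjdk-7-jre-headless
rc  openjdk-6-jre
ii  vim
EOF
}

plugin_pkgs()  { sample_listing | classify_java_pkgs | awk '$1 == "plugin"  { print $2 }'; }
runtime_pkgs() { sample_listing | classify_java_pkgs | awk '$1 == "runtime" { print $2 }'; }

echo "Browser plugin packages:"
plugin_pkgs
echo "Runtime packages:"
runtime_pkgs

# On a real system, feed the live listing instead of the sample and
# simulate the removal first (-s changes nothing):
#   dpkg-query -W -f='${db:Status-Abbrev} ${Package}\n' | classify_java_pkgs
#   apt-get -s remove <package>
```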

henrik
Posts: 65
Joined: Tue Dec 18, 2012 4:24 pm

Re: java removal and security

Mon Feb 11, 2013 2:49 am

Adding to plugwash's response...

The Java issues recently reported in media are almost all related to running untrusted applets through the Java plugin in a browser. Java has a good track record of security in general, with well-tested libraries for things like SSL/TLS, cryptography and random number generation; as well as a managed runtime execution model that avoids common issues like buffer and stack overflows (or at least makes them very difficult).

The Oracle JDK for ARM does not include the Java plugin or Java webstart, so issues related to those technologies do not affect the Raspberry Pi.

More information can be found here:
https://blogs.oracle.com/security/

Henrik, Oracle Java team

plugwash
Forum Moderator
Posts: 3311
Joined: Wed Dec 28, 2011 11:45 pm

Re: java removal and security

Wed Apr 10, 2013 12:41 am

henrik wrote: The Oracle JDK for ARM does not include the Java plugin or Java webstart, so issues related to those technologies do not affect the Raspberry Pi.
However Debian and Raspbian do provide a reimplemented browser plugin.

If the bugs are in the sandboxing support in the vm itself they will likely impact both oracle and other plugins. Bugs in how the sandboxing support is used by the plugin may only affect one plugin but they may also affect both if they were based on an easy misunderstanding of the vm security. I suspect that the reimplemented plugin has had less malware attention focussed on it than the oracle plugin.
