Important notice regarding Java packages in Partner archive

This topic is closed.

    Important notice regarding Java packages in Partner archive

    https://lists.ubuntu.com/mailman/lis...urity-announce
    --> https://lists.ubuntu.com/archives/ub...er/001528.html

    Marc Deslauriers
    Thu Dec 15 19:28:10 UTC 2011

    The Canonical partner archive currently contains Oracle's Sun Java JDK
    packages (sun-java6) for Ubuntu 10.04 LTS, Ubuntu 10.10 and Ubuntu 11.04.

    As of August 24th 2011, we no longer have permission to redistribute new
    Java packages as Oracle has retired the “Operating System Distributor
    License for Java” [1][2].

    Oracle has published an advisory about security issues in the version of
    Java we currently have in the partner archive [3]. Some of these issues are
    currently being exploited in the wild.

    Due to the severity of the security risk, Canonical is immediately
    releasing a security update for the Sun JDK browser plugin which will
    disable the plugin on all machines. This will mitigate users' risk from
    malicious websites exploiting the vulnerable version of the Sun JDK.

    In the near future (exact date TBD), Canonical will remove all Sun JDK
    packages from the Partner archive. This will be accomplished by pushing
    empty packages to the archive, so that the Sun JDK will be removed from all
    users' machines when they do a software update. Users of these packages who
    have not migrated to an alternative solution will experience failures after
    the package updates have removed Oracle Java from the system.

    If you are currently using the Oracle Java packages from the partner
    archive, you have two options:

    1- Install the OpenJDK packages that are provided in the main Ubuntu
    archive. (icedtea6-plugin for the browser plugin, openjdk-6-jdk or
    openjdk-6-jre for the virtual machine)
    2- Manually install Oracle's Java software from their web site [4].

    For more information, please consult the wiki page on the subject [5].

    We apologize for any inconvenience this may cause, and thank you for your
    understanding.

    [1] - http://jdk-distros.java.net/
    [2] - http://robilad.livejournal.com/90792.html
    [3] - http://www.oracle.com/technetwork/to...11-443431.html
    [4] - http://www.oracle.com/technetwork/ja...ads/index.html
    [5] - https://wiki.ubuntu.com/LucidLynx/Re...ava6Transition
    Have you tried ?

    - How to Ask a Question on the Internet and Get It Answered
    - How To Ask Questions The Smart Way

    #2
    Re: Important notice regarding Java packages in Partner archive

    A very good friend of mine works at a place where Oracle's APEX was adopted several years ago. It was free. In the intervening years several applications using APEX had been built and his company is now dependent on them. Retooling in another API would be costly and time consuming.

    It all appears, in classic Ellison style, to be bait and switch. There had been incremental updates to APEX, each locking the user in tighter and tighter. A few days ago he told me that Oracle announced a new scheme for APEX which requires a second server engine called "Fusion", or something like that. The bottom line, he told me, was that APEX will no longer run the way it used to. In the future it will require the "Fusion" to link the front end to the back end. He said the license costs for "Fusion" are astronomical. His firm is locked in. Either it is an expensive licensing procedure (with all its complexity) or it's an expensive retool.

    My advice was to learn from this example and avoid proprietary software. I had been reminding him that PostgreSQL is more than adequate for his company's applications and there are many good GPL GUI RAD HTML tools out there.

    The SMART option in this case is to install Open JDK. The APEX example demonstrates that eventually Oracle will find or create a way to squeeze license fees out of Sun Java users.
    "A nation that is afraid to let its people judge the truth and falsehood in an open market is a nation that is afraid of its people.”
    – John F. Kennedy, February 26, 1962.



      #3
      Re: Important notice regarding Java packages in Partner archive

      Originally posted by GreyGeek
      Oracle will find or create a way to squeeze license fees out of Sun Java users.
      I kind of doubt that, but even if they did it would just mean that Oracle Java would die. This is one reason why Free Software matters.
      Welcome newbies!
      Verify the ISO
      Kubuntu's documentation



        #4
        Re: Important notice regarding Java packages in Partner archive

        OK, so this sucks for two reasons.

        (1) OpenJDK didn't work with my company's Juniper VPN. Sun JRE 6 works perfectly. Now I have to waste time testing again.

        (2) Intentionally deleting installed software from someone's computer is a bad idea. Thanks for the notice, Canonical, but this is a bit of a stretch. Allow me to make the decision whether to live with the vulnerability or not. It isn't yours to make.



          #5
          Re: Important notice regarding Java packages in Partner archive

          I thought you can still manually install Oracle Java


            #6
            Re: Important notice regarding Java packages in Partner archive

            Yes, footnote 4 from the original article has a link to manual install. But Oracle provides only .rpm and .tar.gz files, no .deb. The .tar.gz needs to be manually installed -- and then continually manually updated. And who knows whether the 32-libs will work on 64-bit now.

            Maybe I overstated my initial frustration... software politics (and that's what the whole Java debacle really is) just annoys me.



              #7
              Re: Important notice regarding Java packages in Partner archive

              Originally posted by SteveRiley
              The .tar.gz needs to be manually installed -- and then continually manually updated. And who knows whether the 32-libs will work on 64-bit now.
              Yes, frustrating situation I understand. It is good that you still have a means to maintain your system until a more permanent solution is possible for you.

              software politics (and that's what the whole Java debacle really is) just annoys me.
              It isn't just politics. The problem is that Oracle's license is incompatible with Ubuntu. If Canonical disregarded the license, then wouldn't that open the door to legal problems?

              I haven't read Oracle's license, nor do I care to. I began converting to all Free Software before switching to Linux. It wasn't the price of the old software which bothered me, but the limits it placed on my freedoms. This is probably the moment I finally decide to give up on Oracle (formerly Sun) Java for good.

              EDIT
              removed an unnecessary sentence


                #8
                Re: Important notice regarding Java packages in Partner archive

                Originally posted by Telengard
                It isn't just politics. The problem is that Oracle's license is incompatible with Ubuntu. If Canonical disregarded the license, then wouldn't that open the door to legal problems?

                I haven't read Oracle's license, nor do I care to. I began converting to all Free Software before switching to Linux. It wasn't the price of the old software which bothered me, but the limits it placed on my freedoms. This is probably the moment I finally decide to give up on Oracle (formerly Sun) Java for good.
                You're right, of course, that Canonical can't disregard the license. What I'm having trouble figuring out is how Oracle thinks their restrictions are good for anyone, Oracle included. Perhaps I'm misunderstanding, but this move appears to raise barriers to the use of Java, which is probably the opposite of what Oracle intends. Eclipse has troubles with OpenJDK, and so does the Android SDK. If Oracle wants tighter control over distribution of the JDK, at least giving us a .deb might be nice.



                  #9
                  Re: Important notice regarding Java packages in Partner archive

                  Originally posted by SteveRiley
                  ...
                  What I'm having trouble figuring out is how Oracle thinks their restrictions are good for anyone, Oracle included. Perhaps I'm misunderstanding, but this move appears to raise barriers to the use of Java, which is probably the opposite of what Oracle intends. Eclipse has troubles with OpenJDK, and so does the Android SDK. If Oracle wants tighter control over distribution of the JDK, at least giving us a .deb might be nice.
                  The only memory I have left is fuzzy, but didn't Oracle put a license fee on Java compatibility testing?

                  Regardless, Oracle has proven more than once that what it "intends" is to maximize its profits regardless of the pain it causes its clients. The APEX "Fusion" thing, their licensing of individual cores on servers running the Oracle db, etc. This wholesale greed, for no apparent reason other than for Ellison to buy more fighter aircraft and yachts, is possible only because folks have locked themselves into Oracle's db.

                  BTW, has anyone tried "alien" to convert the java rpm to a deb?




                    #10
                    Re: Important notice regarding Java packages in Partner archive

                    Originally posted by SteveRiley
                    What I'm having trouble figuring out is how Oracle thinks their restrictions are good for anyone, Oracle included.
                    It isn't good for Java, and probably will result in further fracturing the Java community. Canonical did not just say, "Let's shaft Java users", no. What happened is that Oracle said, "Let's increase our control over our property."

                    Eclipse has troubles with OpenJDK, and so does the Android SDK.
                    There's no reason Eclipse should not work with OpenJDK. Without even knowing why, I'd consider filing well-documented bug reports against both.

                    If Oracle wants tighter control over distribution of the JDK, at least giving us a .deb might be nice.
                    They could, but that won't stop them from acting stupidly with their property in the future.


                      #11
                      Re: Important notice regarding Java packages in Partner archive

                      Originally posted by GreyGeek
                      BTW, has anyone tried "alien" to convert the java rpm to a deb?
                      That shouldn't be necessary unless someone has problems with the "other" Java. Even then, "alien" isn't something you want to rely on. Better to download a ".tar.gz".


                        #12
                        Re: Important notice regarding Java packages in Partner archive

                        Originally posted by SteveRiley
                        a .deb might be nice.
                        Steve, see this bug report which I found linked from the Java - Community Ubuntu Documentation article.

                        EDIT

                        As for manually configuring Oracle Java, askubuntu.com seems to have the goods. I haven't tried this, but it looks pretty legit to me.


                          #13
                          Re: Important notice regarding Java packages in Partner archive

                          Thanks for the bug link, Telengard. And I will try the askubuntu.com instructions on a test machine. Our Juniper SSL VPN is rather finicky; if the client software doesn't work on Oracle JRE 7, I hope putting a hold on my existing Sun JRE 6 packages will block the empty "updates" from getting installed.



                            #14
                            Re: Important notice regarding Java packages in Partner archive

                            I tried the askubuntu instructions on 11.04 (Natty) and it worked for me. I need Oracle for a web-applet that doesn't work with openJDK. Now the applet works again in Firefox and Opera.



                              #15
                              Re: Important notice regarding Java packages in Partner archive

                              Follow-up report...

                              I installed both the x64 and i586 editions of the Oracle Java 7 JRE today, following the steps on the AskUbuntu site. Installation worked without a hitch; 32-bit and 64-bit Java code runs fine.

