Oracle (Sun) Java JRE urgently needs security update

Status changed to 'Confirmed' because the bug affects multiple users.

Except if Canonical has a special agreement about the sun-java6 like Redhat seems to have, we cannot update sun-java6 because of the drop of the DLJ license.
For more information, see:
http://sylvestre.ledru.info/blog/sylvestre/2011/08/26/sun_java6_packages_removed_from_debian_u
http://sylvestre.ledru.info/blog/sylvestre/2011/10/25/removal_of_sun_java6_from_debian

If Canonical has an agreement about this, please ping me (<email address hidden>) to see what we can do here.

@Sylvestre Ledru: that may be so, but the maintainers of the Partner repo still have the responsibility to keep sun-java6 secure for all those who have installed it in good faith. In my honest opinion, anyway.

Even an LTS edition (10.04) is endangered. Can't leave your users in the cold. Noblesse oblige....

Well, it is non-free. We cannot backport security fixes.
It is not about "noblesse", it is about license here...

@Sylvestre Ledru: OK, I see....

But can you at least inform all current users about the risk they have now, and what they can do about it? For example by a special popup message from update manager or something?

And a further urgent step should be, IMHO, the immediate complete removal of 6u26 from the Partner repo's of Lucid, Maverick and Natty . To prevent further damage...

I am way more involved into Debian. Therefor, I prefer to leave the removal decision to Ubuntu developers.

Sorry

@Sylvestre Ledru: the strange thing is: I have booted into OpenSUSE 11.4 yesterday, and lo and behold, I received an update for Oracle (Sun) Java JRE. The secure 6u29. Apparently they can still provide it.....

I don't know how they did it or if they have an agreement with Oracle but they might not be aware of the license change of the sun-java6

@Sylvestre Ledru: the current situation in Ubuntu strikes me as very unsatisfactory. I think that OpenJDK is the choice of preference (which it is anyhow, because it's default), but I stress the word "choice".

The license issue of non-free Java can be solved like the issue of non-free Flash: a package with script that downloads Java from the upstream's page and installs it. Please make this possible...

This would solve the dangerous insecurity that users of Lucid, Maverick and Natty are facing now (while being unaware of it!). Plus it would offer the choice to Oneiric users and beyond, to install Oracle Java JRE *if they choose to*. And sometimes, they are even forced to, because unfortunately OpenJDK doesn't *always* perform as well as Oracle Java.

Comme La Rochefoucauld a dit: il faut tenir à une résolution parce qu'elle est bonne, et non parce qu'on l'a prise....

You and I know how to install Oracle Java manually. I have even published a how-to on my website: http://sites.google.com/site/easylinuxtipsproject/java
But most people don't know how to do it manually. Which may cause beginners with Linux, to revert to their original operating system in frustration. That would not be good....

I understood your initial arguments.

I *urgently* request immediate action. This is a very, very serious issue:
http://www.zdnet.com/blog/security/java-update-plugs-20-critical-security-holes/9670