Since this is a licensing issue, Ubuntu isn't the only distribution dealing with this. Here is the announcement from Debian Project News:
The release of Java update 29 from Oracle marks not only security updates, but a change to the licensing, removing Debian's ability to distribute the non-free JVM. The clause in the Java license under which we were able to distribute Java, the DLJ, has been removed. As a result, the sun-java6 package is no longer suitable for the archive, and has been removed, as documented in Debian Bug #646524 [2]. Sylvestre Ledru suggests [3] that sun-java6 installs be migrated to openjdk, the open-source alternative, using the following command: "apt-get --purge remove sun-java6-jre && apt-get install openjdk-7-jre". Kai Wasserbäch has also pointed out elsewhere [4] that this upgrade path might not be suitable for all Java programs, and special attention should be paid to re-testing installed Java applications on OpenJDK.
The notion of replacing the sun java6 with an openjdk7 is extremely laughable. If you have a high performance java server app, openjdk just doesn't cut it.
This seems like a good thing, but man is that an awful way of going about this. Forcibly removing the packages during a software update is shady enough, but pushing out blank packages that will cause a user's system to produce issues that the user might not know how to fix, or a reason for the failure?
Ubuntu has pretty much always been the "set it and forget it" distro. Problems are often introduced in upgrading to a new release, but once you've installed a release you generally don't get it broken with a routine update. Many people have installed Ubuntu on non-techies' machines in order to not need to do maintenance on them. Unless I'm misunderstanding, all those machines now need to be manually updated to avoid being broken?
I know the blame goes back to Oracle, but Canonical could have handled the issue better. In this case, it seems they're breaking the system to spite Oracle.
Since Oracle prevents redistribution of newer versions, there are only three ways we can handle this:
1- Leave the insecure packages in the archive, and not update them
2- Remove the insecure packages from the archive, but leave them installed on users' systems
3- Push out an update that removes them from users' systems
Please keep in mind that the security issues present in the old version are currently being exploited by malware on the Internet.
If we do option #1, our users are at risk, and their systems will get compromised.
If we do option #2, new users cannot install the vulnerable packages, but current users get compromised.
If we do option #3, we make sure our users stay secure, at the cost of breaking some installations.
There's no good way of dealing with this, but we are of the opinion that #3 is unfortunately the best way to handle it. If you have a better alternative that we haven't thought of, please let us know. Thanks.
I think this won't have a big impact on Java development or use on Ubuntu. Ubuntu's bundled Sun java lagged behind the Oracle official releases, so it wasn't much different from OpenJDK. Disabling the Java browser plugin by default should have always been the sensible option. The plugin has always seemed like an infrequently used security liability.
This is an annoying situation. If Oracle won't allow third-party distribution of the JRE and JDK, they should maintain apt and yum repositories of their own. I'm not sure how they benefit from barring the effort of volunteers who made their software easier to use. I use Sun's JRE because OpenJDK's browser plugin does not work with the management interface of some hardware I use. I'm struggling to find a mailing list I can subscribe to in order to keep up with the updates I'll now have to manually download and install.
AIUI, Ubuntu is the primary development platform for Android, (information on the same page), so perhaps Google will produce some kind of solution for this.
robilad (Dalibor Topic) is the guy who spearheaded the GCJ and Classpath effort that led to Sun's JDK being GPL-ed. I don't know how I feel about him working at Oracle; is he more useful inside or outside?
Monetising Java has always been problematic. Linux/GPL people have always been stroppy. Making sure everyone has the latest version is a hard enough problem even without politics.
The take home lesson is that getting your language onto every desktop is hard and probably not worth the effort.
Which is sad because the best thing about Java was always how it was OS agnostic. People always used to say about Java "write once, run anywhere"... but that was wrong. It was better than that. It was _compile_ once, run anywhere.
I recently grabbed some of my old (1996) Java code from storage and then ran it on my desktop. The desktop was using a different OS, different chip architecture, everything was different from the machine it was originally compiled on. After 15 years it still ran perfectly.
C is a "write once run anywhere" language, but you have to recompile it for each different platform, which often turns out to be non-trivial. There's no way I could take C code from a Windows 386 machine and run it on a Mac or Linux multi-core 64bit machine over a decade later.
This seems to be an inconvenience for the minuscule number of Linux desktop users who need Java applets. But Linux server admins won't have a problem installing Oracle Java from Oracle if that's what they need to do.
Remotely deleting stuff on your user's computers reminds me of the Kindle. You just don't do that if you still want people to trust you. Instead, an automatic transition to OpenJDK should be put in place. With this, your java package at least still does java, albeit in a maybe incompatible way.
I'd rather have the old stuff removed in an obvious way rather than have my machine attempt to 'fool' me into thinking that it was still running along as expected, meanwhile I'm hunting for inexplicable bugs and performance penalties introduced by the OpenJDK. Even worse is to leave it and 'fool' me into thinking the old packages are still being updated only so that I can find out sometime later that my machine is now part of a botnet. Bottom line is removing it and forcing everyone to transition is the most obvious way for users and administrators to deal with what has obviously become a problem. With this news people will have to make a slight change in how they deploy Java apps. It's better to confront them with that choice rather than hide it from them.
Once the browser plugin gets uninstalled by the package update, visiting a web site that requires a Java plugin will cause the browser to automatically suggest installing OpenJDK/icedtea-plugin.
There is no reason to remove past versions from the archive, since the licence exception allows that. You can still pin or downgrade to that version; I don't think apt-style upgrades should be considered destructive in that sense. The choice was to make upgraded systems secure by default, not to remove options.
So I don't know how Gentoo is currently planning on doing this, but one thing I've noticed with several packages is that if you try and install it, it will exit with a message telling you to go download it from the company however they want you to and stick it in Gentoo's downloaded source directory. (Actually it already does this for the sun-jdk package.) Can't Ubuntu do something similar? Silently removing the package from the repository is one thing and relatively fine; silently removing the actual binaries is another thing and out of the question. That JVM being available may be incredibly important, you have no idea what it's being used for or how susceptible it is to theoretical 0-day JVM vulnerabilities.
Oracle isn't demanding Ubuntu actively remove Java from users' computers: Ubuntu has simply decided to do so; they could keep distributing the old version, or even distribute no version at all. Meanwhile, the driving factor behind the license change is "use OpenJDK instead", which would be a step in the right direction with regard to RMS's issues with Java. Oracle is not the problem here: Ubuntu is.
To go in the Description field of your bookmark: (quote)
If you are currently using the Oracle Java packages from the partner archive, you have two options:
1- Install the OpenJDK packages that are provided in the main Ubuntu archive. (icedtea6-plugin for the browser plugin, openjdk-6-jdk or openjdk-6-jre for the virtual machine)
2- Manually install Oracle's Java software from their web site [4].
As a developer who had need to run high performance Java, I gotta say your #1 option is just not an option. OpenJDK with icedtea isn't even remotely close to a replacement.
I understand that Oracle is forcing your hand, but the lack of compassion and sympathy and the ignorant insulting "recommendations" is really off putting.
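As an added example (not from the thread or from Ubuntu's own tooling), a small POSIX sh audit that checks a dpkg package list for leftover sun-java6 packages and reports whether the OpenJDK replacements named in the two options above (icedtea6-plugin, openjdk-6-jdk, openjdk-6-jre) are already installed; the package list is constructed, and the replacement mapping is an assumption based on the packages the thread names.

```shell
#!/bin/sh
# Added example, not from the thread: audit a Debian/Ubuntu package list for the
# withdrawn sun-java6 packages and check whether the OpenJDK replacements named
# in the thread are already present on the system.
# Input format matches `dpkg-query -W -f='${Package} ${Status}\n'`.
# The list below is constructed for the example, not captured from a real host.
SAMPLE_DPKG='sun-java6-jre install ok installed
sun-java6-plugin install ok installed
openjdk-6-jre install ok installed
icedtea6-plugin deinstall ok config-files
firefox install ok installed'

# Print installed package names starting with a prefix ($2), one per line.
# Only fully installed packages count; removed-but-configured ones are ignored.
installed_matching() {
    printf '%s\n' "$1" | awk -v p="$2" 'index($1, p) == 1 && $NF == "installed" { print $1 }'
}

# Succeed (exit 0) if any withdrawn sun-java6 package is still installed.
has_sun_java6() {
    [ -n "$(installed_matching "$1" "sun-java6-")" ]
}

# Map a sun-java6 package to the OpenJDK package the thread names as replacement
# (assumed mapping; adjust for your release).
replacement_for() {
    case "$1" in
        sun-java6-plugin)            echo icedtea6-plugin ;;
        sun-java6-jdk)               echo openjdk-6-jdk ;;
        sun-java6-jre|sun-java6-bin) echo openjdk-6-jre ;;
        *)                           echo "" ;;
    esac
}

# One report line per leftover package: package -> replacement (present|missing).
audit_java() {
    list="$1"
    installed_matching "$list" "sun-java6-" | while read -r pkg; do
        rep=$(replacement_for "$pkg")
        if [ -n "$rep" ] && [ -n "$(installed_matching "$list" "$rep")" ]; then
            state=present
        else
            state=missing
        fi
        echo "$pkg -> ${rep:-none} ($state)"
    done
}

audit_java "$SAMPLE_DPKG"
```

On a live system, feed it `dpkg-query -W -f='${Package} ${Status}\n'` instead of the constructed list; a "missing" line means the replacement has not been installed yet and the application using that package needs re-testing before the old one is purged.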
cmiles74 | 14 years ago
"OpenJDK cannot be used to compile hadoop mapreduce code in branch-0.23 and beyond, please use other JDKs."
viraptor | 14 years ago
- complies with the licensing
- keeps users secure
- will not require additional effort from the user
I can't find one that doesn't involve showing some message and stopping mid-upgrade, which would cause lots of issues for automatic deployment.
hmottestad | 14 years ago
Anyone know why Oracle doesn't want people to use java? (and by people I mean linux users and by java I mean their version).
technomancy | 14 years ago
If you want software you can trust, you shouldn't be using Sun's JDK in the first place.
fredsanford | 14 years ago
(If Java had true garbage collection, most programs would delete themselves upon execution. -- Robert Sewell)
BonoboBoner | 14 years ago
"Run anywhere (we want you to)"?
foxylad | 14 years ago
Basically they have bought a binary code license (BCL) which gets around the problem. Does this apply to Fedora too?
fauigerzigerk | 14 years ago
A ridiculous solution...
Oracle has retired the “Operating System Distributor License for Java”
... to a ridiculous problem.