From owner-freebsd-java@FreeBSD.ORG  Sat Mar 12 16:24:54 2011
Return-Path: <owner-freebsd-java@FreeBSD.ORG>
Delivered-To: freebsd-java@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 9790E106566C
	for <freebsd-java@freebsd.org>; Sat, 12 Mar 2011 16:24:54 +0000 (UTC)
	(envelope-from marquis@roble.com)
Received: from mx5.roble.com (mx5.roble.com [206.40.34.5])
	by mx1.freebsd.org (Postfix) with ESMTP id 872BA8FC16
	for <freebsd-java@freebsd.org>; Sat, 12 Mar 2011 16:24:54 +0000 (UTC)
Received: from mx5.roble.com (mx5.roble.com [206.40.34.5])
	by mx5.roble.com (Postfix) with ESMTP id E81C567883;
	Sat, 12 Mar 2011 08:24:53 -0800 (PST)
Date: Sat, 12 Mar 2011 08:24:53 -0800 (PST)
From: Roger Marquis <marquis@roble.com>
To: Rob Farmer <rfarmer@predatorlabs.net>
In-Reply-To: <AANLkTikk7jyNnw1nS7K4jgCXpSeZ0oUMVZ1VyO-N9mMJ@mail.gmail.com>
References: <20110310120028.6013310656B0@hub.freebsd.org>
	<20110310161721.59652106566B@hub.freebsd.org>
	<AANLkTikk7jyNnw1nS7K4jgCXpSeZ0oUMVZ1VyO-N9mMJ@mail.gmail.com>
User-Agent: Alpine 2.00 (BSF 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
Message-Id: <20110312162454.9790E106566C@hub.freebsd.org>
Cc: freebsd-java@freebsd.org
Subject: Re: AW: Question Update Java Security Updates
X-BeenThere: freebsd-java@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Porting Java to FreeBSD <freebsd-java.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-java>,
	<mailto:freebsd-java-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-java>
List-Post: <mailto:freebsd-java@freebsd.org>
List-Help: <mailto:freebsd-java-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-java>,
	<mailto:freebsd-java-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Sat, 12 Mar 2011 16:24:54 -0000

>> The reason for that is that they haven't been necessary.  This cannot be
>> said for openjdk, not yet at least.
>>
>
> There have been 191 "vulnerabilities" for the lifetime of JDK 1.6,
> according to Secunia. java/jdk16 is at update 4 out of 24. Unless you
> are running only trusted local apps with no networking support, that
> is highly dubious.

Vulnerability is relative to your application of course.  The
"vulnerabilities" you site for JDK have not been relevant to my servers
or apps or most commonly used apps (other than webstart).  That cannot be
said for the Openjdk.

But equating advisories with vulnerabilities does bring up an important
point, and I expect religious preferences will continue to take
precedence over actual user experience.

Roger Marquis