Hotspot versions for IcedTea6

Dr Andrew John Hughes ahughes at redhat.com
Tue Mar 29 07:23:34 PDT 2011


On 14:11 Tue 29 Mar, Florian Weimer wrote:
> * Andrew John Hughes:
> 
> > It's IcedTea6 1.8.3 which is very outdated and has known security issues.
> 
> I've checked the release notes and the changes shouldn't apply to my
> present troubles.
> 

I didn't say it was a fix for the issue you were experiencing.  My point was
just that your installed JDK is vulnerable and should be updated.  For example,
that release still has the floating point issue which can lead to a DoS attack.

> > The default HotSpot for the 1.8.x series is hs14.  hs16 is available as an
> > option but is not the default.
> 
> Does this mean we should use hs14 instead of hs16 if we stick with
> 1.8.x?
> 

It means it's the most tested option, but no, it's not mandatory to stick to it.
We offer a newer HotSpot to ease upgrades to newer releases.  Usually, the non-default
HotSpot will become the default in the next release e.g. hs17 is default in 1.9.x which
also has hs19, and hs19 is default in 1.10.x.

> What do other vendors do?  Do they regularly update their
> IcedTea-based packages to newer major versions, even for their stable
> (maintenance, non-feature, long-term support) branches?
> 

It varies, depending on the distro's main aims.  Enterprise distros
tend to stick with the release branches (this is the main reason they
exist) while more bleeding-edge distros like Fedora will switch to a
new IcedTea release with each Fedora release.  Also, with recent
releases, Fedora has been using the optional HotSpot to give it early
testing and get performance gains.

> Upgrades of this type always carry an increased risk, and the fallout
> I'm presently dealing with stems from such an upgrade.  The previous
> version is really, really old, so applying isolated security fixes
> wasn't an option.
> 
> > I would suggest updating to a newer version or, at least a version
> > of the 1.8.x series with security updates.
> 
> I will push a security update (wearing my Debian hat) once I've
> addressed the non-security issues in some way because I suspect that
> it affects other installations, too.
> 
> At this point, I guess I should give a hs14-based version a try and
> see if it works better for me.  If it's the default, it's seen more
> testing.
> 

The best option for Debian would seem to be to upgrade to 1.8.7 for
the security fixes and revert to the default HotSpot.

Release notes for the various releases are available on my blog
(http://blog.fuseyism.com) or in the NEWS file on HEAD.

> -- 
> Florian Weimer                <fweimer at bfk.de>
> BFK edv-consulting GmbH       http://www.bfk.de/
> Kriegsstraße 100              tel: +49-721-96201-1
> D-76133 Karlsruhe             fax: +49-721-96201-99

-- 
Andrew :)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

Support Free Java!
Contribute to GNU Classpath and IcedTea
http://www.gnu.org/software/classpath
http://icedtea.classpath.org
PGP Key: F5862A37 (https://keys.indymedia.org/)
Fingerprint = EA30 D855 D50F 90CD F54D  0698 0713 C3ED F586 2A37

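The recommendation above (be on at least 1.8.7 for the security fixes, and run the default HotSpot for the series, hs14 for 1.8.x, hs17 for 1.9.x, hs19 for 1.10.x) can be checked from the output of `java -version`. The following script is an added example, not code from the thread, IcedTea or Debian. The sample output strings are constructed, the package-version suffixes in them are invented, and the mapping from HotSpot major build number to hsNN and the 1.8.7 floor are assumptions taken from the statements in the thread.

```python
"""Check an IcedTea6 JDK's `java -version` output against the advice in the
thread: at least 1.8.7 on the 1.8.x series, and the series' default HotSpot."""
import re
import subprocess
from typing import List, NamedTuple, Tuple

# Constructed sample output (not captured from a real host). IcedTea6 builds
# print the IcedTea version on the runtime line and the HotSpot build number
# on the VM line; the trailing package-version strings here are invented.
SAMPLE_OLD = """java version "1.6.0_18"
OpenJDK Runtime Environment (IcedTea6 1.8.3) (6b18-1.8.3-2)
OpenJDK 64-Bit Server VM (build 16.0-b13, mixed mode)
"""

SAMPLE_FIXED = """java version "1.6.0_18"
OpenJDK Runtime Environment (IcedTea6 1.8.7) (6b18-1.8.7-1)
OpenJDK 64-Bit Server VM (build 14.0-b16, mixed mode)
"""

# Assumption: default (most tested) HotSpot per IcedTea6 series, as stated in
# the thread, keyed by the HotSpot major number in the VM build string.
DEFAULT_HOTSPOT = {(1, 8): 14, (1, 9): 17, (1, 10): 19}
# Assumption: first 1.8.x release the thread recommends for its security fixes.
MIN_RECOMMENDED = {(1, 8): (1, 8, 7)}


class JavaInfo(NamedTuple):
    icedtea: Tuple[int, int, int]  # e.g. (1, 8, 3)
    hotspot: int                   # HotSpot major, e.g. 14 for hs14


_ICEDTEA_RE = re.compile(r"IcedTea6 (\d+)\.(\d+)\.(\d+)")
_VM_RE = re.compile(r"VM \(build (\d+)\.\d+-b\d+")


def parse_java_version(text: str) -> JavaInfo:
    """Extract the IcedTea6 version and HotSpot major from `java -version` text."""
    m = _ICEDTEA_RE.search(text)
    v = _VM_RE.search(text)
    if not m or not v:
        raise ValueError("not IcedTea6 output, or an unexpected format")
    major, minor, micro = (int(x) for x in m.groups())
    return JavaInfo((major, minor, micro), int(v.group(1)))


def assess(info: JavaInfo) -> List[str]:
    """Return findings: outdated series release and/or non-default HotSpot."""
    findings = []
    series = info.icedtea[:2]
    floor = MIN_RECOMMENDED.get(series)
    if floor is not None and info.icedtea < floor:
        findings.append(
            "IcedTea6 %s predates %s and lacks its security fixes"
            % (".".join(map(str, info.icedtea)), ".".join(map(str, floor)))
        )
    default = DEFAULT_HOTSPOT.get(series)
    if default is not None and info.hotspot != default:
        findings.append(
            "running hs%d, but hs%d is the default (most tested) HotSpot for %d.%d.x"
            % (info.hotspot, default, series[0], series[1])
        )
    return findings


def assess_host() -> List[str]:
    """Run the installed `java -version` (it prints to stderr) and assess it."""
    out = subprocess.run(["java", "-version"], capture_output=True, text=True)
    return assess(parse_java_version(out.stderr + out.stdout))


if __name__ == "__main__":
    for label, sample in (("old", SAMPLE_OLD), ("fixed", SAMPLE_FIXED)):
        print(label, assess(parse_java_version(sample)) or ["ok"])
```

`assess_host()` is only a convenience for a real machine; the two constructed samples show the 1.8.3/hs16 case the thread starts from and the 1.8.7/hs14 configuration it recommends.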