Opened 11 years ago
Closed 11 years ago
#8355 closed enhancement (wontfix)
Java updates
Reported by: | anonymous | Owned by: | team |
---|---|---|---|
Priority: | normal | Milestone: | |
Component: | Core | Version: | |
Keywords: | Cc: |
Description
JOSM should display on its default page when you launch it the last recommended update for Java, notably when there are serious security issues.
Maybe it could check (with a button, or automatically) if we run the last update and propose us to upgrade.
Today we have a serious CERT security alert about Java 7.10 which urges us to either disable Java in the browser (not an issue for using JOSM itself), or to upgrade immediately to Java 7.11.
Users of JOSM should be informed as soon as possible, so the HTML page displayed by default in the window should contain this notice, or at least an info when there's an emergency security alert published, pointing to the Oracle page with the notice, or the default www.java.com site (however this default page only shows the 32-bit version, and many JOSM users are actually using the 64-bit version for handling larger VM sizes and much bigger OSM files without being limited to less than 2GB and OSM files of less than about 1.5MB).
Attachments (0)
Change History (2)
comment:1 by , 11 years ago
comment:2 by , 11 years ago
Resolution: | → wontfix |
---|---|
Status: | new → closed |
JOSM is a multi-platform tool. We cannot and will not interfere with the update system of the underlying framework or OS. For Linux e.g. you simply update the system and get also newest java security updates (which BTW are often OpenJDK and not Oracle).
JOSM WebStart is an additional offer. The most often used variant is local installation.
While probably funding for a cert would be possible, in fact we never had enough demand to actually do it. Lots of work for little benefit.
For the CERT security alert see:
https://blogs.oracle.com/security/entry/security_alert_for_cve_2013
http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html
Note that JOSM itself is an "untrusted Javawebstart application" (because it does not have its own PKI-signed certificate but only a private certificate) and is affected by the alert, as it requires us to accept untrusted JavaWebstart applications.
It would be interesting if JOSM could become a trusted JWS application (but yes, this would require you to pay each year for getting a PKI signature for your application: how much would this cost you? Can the community help financing this PKI subscription?).