Opened 11 years ago

Closed 11 years ago

#8355 closed enhancement (wontfix)

Java updates

Reported by: anonymous Owned by: team
Priority: normal Milestone:
Component: Core Version:
Keywords: Cc:

Description

JOSM should display on its default page when you launch it the last recommended update for Java, notably when there are serious security issues.
Maybe it could check (with a button, or automatically) if we run the last update and propose that we upgrade.
Today we have a serious CERT security alert about Java 7.10 which urges us to either disable Java in the browser (not an issue for using JOSM itself), or to upgrade immediately to Java 7.11.
Users of JOSM should be informed as soon as possible, so the HTML page displayed by default in the window should contain this notice, or at least an info when there's an emergency security alert published, pointing to the Oracle page with the notice, or the default www.java.com site (however this default page only shows the 32-bit version, and many JOSM users are actually using the 64-bit version for handling larger VM sizes and much bigger OSM files without being limited to less than 2GB and OSM files of less than about 1.5MB).

Change History (2)

comment:1 by anonymous, 11 years ago

For the CERT security alert see:
https://blogs.oracle.com/security/entry/security_alert_for_cve_2013
http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html

Note that JOSM itself is an "untrusted Javawebstart application" (because it does not have its own PKI-signed certificate but only a private certificate) and is affected by the alert, as it requires us to accept untrusted JavaWebstart applications.

It would be interesting if JOSM could become a trusted JWS application (but yes, this would require you to pay each year for getting a PKI signature for your application: how much would this cost you? Can the community help financing this PKI subscription?).

comment:2 by stoecker, 11 years ago

Resolution: wontfix
Status: new → closed

JOSM is a multi-platform tool. We cannot and will not interfere with the update system of the underlying framework or OS. For Linux e.g. you simply update the system and also get the newest Java security updates (which BTW are often OpenJDK and not Oracle).

JOSM WebStart is an additional offer. The most often used variant is local installation.

While probably funding for a cert would be possible, in fact we never had enough demand to actually do it. Lots of work for little benefit.
