Canonical to remove Oracle's Sun Java from users' systems
The end of licensing for operating system distributors to ship Oracle's Sun Java JDK packages, combined with October's announcement of a number of critical vulnerabilities in that software, has led Canonical to announce that, for security reasons, it will be disabling the Sun JDK browser plugin immediately. The Sun JDK is currently distributed through the company's "Partner Repository" and is often downloaded and installed by users who find that the default OpenJDK is not sufficiently compatible or stable for their Java applications. As Oracle withdrew the DLJ ("Operating System Distributor License for Java") in August, Canonical is unable to ship any updates and was already expected to stop distributing the Sun JDK.
Canonical says that, as it is known that October's vulnerabilities are being exploited in the wild, the disabling of the plugin will mitigate the risk. Ubuntu 10.04 LTS (Lucid Lynx), 10.10 (Maverick Meerkat) and 11.04 (Natty Narwhal) will be affected. The next step will be taken "in the near future" says Canonical, and will involve removing all of the Sun JDK packages from the repository by replacing them with empty packages. This will have the effect of deleting Oracle's Sun JDK packages on users' systems when they perform an update – Canonical is warning that users who have not switched to OpenJDK or manually downloaded and installed Oracle's JDK will "experience failures after the package updates".
Canonical's Marc Deslauriers commented that the company had been faced with a choice between leaving the insecure packages in place, removing them from the repositories but leaving them on the systems, or removing them from the repositories and users' systems. "There's no good way of dealing with this" he said, but the latter option was in their opinion "unfortunately the best way to handle it" as it let them "make sure our users stay secure, at the cost of breaking some installations".
It is unclear, though, what steps are being taken to notify users who do not read Canonical's security announcements mailing list that the package will be automatically deleted. Once the plugin is disabled, visiting web sites which require Java will prompt the user to install the icedtea/OpenJDK plugin. Users who wish to pre-empt the removal of the packages can consult the Ubuntu wiki for instructions on how to check for the presence of the Sun JDK and how to replace it with OpenJDK.
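As an added illustration of the check described above (this is example code written for this article, not the Ubuntu wiki's own instructions), the following POSIX shell script audits a Debian/Ubuntu system for installed Sun JDK packages by parsing `dpkg-query` status output, and shows the replacement commands. The package names `sun-java6-*`, `openjdk-6-jre` and `icedtea6-plugin` are assumed from the Ubuntu releases of that period; confirm them with `apt-cache search` on your own release before running the replacement step.

```shell
#!/bin/sh
# Added example, not from the article or from Canonical/Ubuntu.
# Audits a system for Oracle/Sun JDK packages (assumed names: sun-java6-*)
# and shows how to move to OpenJDK (assumed names: openjdk-6-jre, icedtea6-plugin).

# list_sun_java: read lines of the form "<Package> <Status>" on stdin, as
# produced by `dpkg-query -W -f='${Package} ${Status}\n'`, and print the names
# of sun-java* packages that are fully installed. Packages that are only
# left as config-files ("deinstall ok config-files") are not reported.
list_sun_java() {
    while read -r pkg status; do
        case "$pkg" in
            sun-java*)
                if [ "$status" = "install ok installed" ]; then
                    printf '%s\n' "$pkg"
                fi
                ;;
        esac
    done
    return 0
}

# audit_system: run the real query on this machine. dpkg-query only exists on
# Debian-derived systems, so the error is silenced elsewhere.
audit_system() {
    dpkg-query -W -f='${Package} ${Status}\n' 2>/dev/null | list_sun_java
}

# replace_with_openjdk: install the OpenJDK runtime and browser plugin, purge
# the Sun packages, then pick the OpenJDK java via the alternatives system.
# Requires root; not invoked by the audit below.
replace_with_openjdk() {
    apt-get update
    apt-get install -y openjdk-6-jre icedtea6-plugin
    apt-get remove --purge -y 'sun-java6-*'
    update-alternatives --config java
}

# Constructed sample of dpkg-query output, used so the parser can be exercised
# on a machine without dpkg. Only sun-java6-jdk should be reported.
SAMPLE_DPKG='sun-java6-jdk install ok installed
sun-java6-plugin deinstall ok config-files
openjdk-6-jre install ok installed
firefox install ok installed'

# Demonstration on the constructed sample, then on the live system if dpkg exists.
printf '%s\n' "$SAMPLE_DPKG" | list_sun_java
audit_system
```

On a system that still has the Sun packages installed, `audit_system` prints one package name per line; an empty result means there is nothing to replace. Installing the OpenJDK packages before purging the Sun ones keeps a working `java` on the path throughout, which is the order a user would want when pre-empting Canonical's empty-package update.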