February 2011


There is a new set of security releases: IcedTea6 1.7.10, IcedTea6 1.8.7 and IcedTea6 1.9.7.

This update contains the following security updates:

There is also an update for IcedTea-Web.

The IcedTea project provides a harness to build the source code from OpenJDK6 using Free Software build tools. It also includes the only Free Java plugin and Web Start implementation, and support for additional architectures over and above x86, x86_64 and SPARC via the Zero assembler port.

What’s New?

IcedTea6 1.7.10

IcedTea6 1.8.7

IcedTea6 1.9.7

The tarballs can be downloaded from:

SHA256 sums:

  • dbca9d7598352d178651c8cc28ff887c59a27f0125785a58e9f9723611137f78 icedtea6-1.7.10.tar.gz
  • c6b16e89cd3da5ddb9cdc9c8615773c6cef214d1d611030a07bae92a19e8562a icedtea6-1.8.7.tar.gz
  • fe89234ca7f5dbb8696aa0e97a342c51901c10c0254f8fd563c6ccf7bf532fcc icedtea6-1.9.7.tar.gz
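The downloaded tarball can be checked against the SHA256 sums listed above before it is unpacked. This is an added example, not part of the original announcement or of the IcedTea project; the function names `verify_release` and `unpack_verified` are illustrative assumptions.

```bash
# Added example: verify an IcedTea6 tarball against a published SHA256 sum
# before unpacking. Function names are illustrative, not from the project.

# Sums copied from the announcement above, one "<sha256> <file>" per line.
PUBLISHED_SUMS='dbca9d7598352d178651c8cc28ff887c59a27f0125785a58e9f9723611137f78 icedtea6-1.7.10.tar.gz
c6b16e89cd3da5ddb9cdc9c8615773c6cef214d1d611030a07bae92a19e8562a icedtea6-1.8.7.tar.gz
fe89234ca7f5dbb8696aa0e97a342c51901c10c0254f8fd563c6ccf7bf532fcc icedtea6-1.9.7.tar.gz'

# verify_release TARBALL [SUMS]
# Returns 0 only if TARBALL's file name is listed in SUMS and its digest matches.
# Returns 1 on a digest mismatch, 2 if the file is missing, 3 if it is unlisted.
verify_release() {
    local tarball="$1"
    local sums="${2:-$PUBLISHED_SUMS}"
    local name expected actual

    [ -f "$tarball" ] || { echo "missing: $tarball" >&2; return 2; }
    name=$(basename -- "$tarball")

    # Compare the whole file name, so a similarly named file (1.7.1 vs 1.7.10)
    # can never pick up another release's sum. A leading "*" (binary-mode
    # marker written by sha256sum) is ignored.
    expected=$(printf '%s\n' "$sums" |
        awk -v n="$name" '{ f = $2; sub(/^\*/, "", f) } f == n { print tolower($1) }')
    if [ -z "$expected" ]; then
        echo "no published sum for $name" >&2
        return 3
    fi

    actual=$(sha256sum -- "$tarball" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "SHA256 mismatch for $name" >&2
        return 1
    fi
    echo "OK: $name"
}

# unpack_verified TARBALL [SUMS]: extract only after the digest check passes.
unpack_verified() {
    verify_release "$@" && tar xzf "$1"
}
```

For example, `unpack_verified icedtea6-1.9.7.tar.gz` takes the place of the bare `tar xzf` step and leaves nothing extracted when the digest differs.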

The following people helped with these releases:

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea6-<ver>.tar.gz
$ cd icedtea6-<ver>

Full build requirements and instructions are in INSTALL:

$ ./configure [--enable-zero --enable-pulse-java --enable-systemtap ...]
$ make

You can track future security updates by subscribing to the security feed.

We are pleased to announce a new set of security releases, IcedTea6 1.7.9, IcedTea6 1.8.6 and IcedTea6 1.9.6.

This update contains the following security updates:

The IcedTea project provides a harness to build the source code from OpenJDK6 using Free Software build tools. It also includes the only Free Java plugin and Web Start implementation, and support for additional architectures over and above x86, x86_64 and SPARC via the Zero assembler port.

What’s New?

IcedTea6 1.7.9

IcedTea6 1.8.6

IcedTea6 1.9.6

The tarballs can be downloaded from:

SHA256 sums:

  • 496b615ccad2a950783b1a2f30a8657956f8c9d9bccb6ab9effc1164ab830792 icedtea6-1.7.9.tar.gz
  • d392c95e76b5bdf21fb4bce8fc5cdc530bdf5bda014cb96fa9cd3efdfdbeff87 icedtea6-1.8.6.tar.gz
  • 100e61fbc3157b4839413951b0247f7ccabb0dcff6d037fbb372d5a13088adc2 icedtea6-1.9.6.tar.gz

The following people helped with these releases:

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea6-<ver>.tar.gz
$ cd icedtea6-<ver>

Full build requirements and instructions are in INSTALL:

$ ./configure [--enable-zero --enable-pulse-java --enable-systemtap ...]
$ make

Happy hacking!

The Free Java devroom opened with an introduction from Tom Marble, followed by a ‘State of OpenJDK’ talk from Mark Reinhold and Joe Darcy. Mark reiterated the outline for JDK7 & 8 published on his blog. The general availability of OpenJDK 7 is planned for the 28th of July, 2011.

Oracle plans to continue with OpenJDK. Oracle employs around 20,000 Java developers, working on basically everything that is not the Oracle database. So their interest in Java is not altruistic, but based on rational self-interest. Mark outlined their priorities as:

  1. Keep Java #1
  2. Indirect Revenue
  3. Direct Revenue
  4. Decrease Cost

OpenJDK will continue to use GPLv2 with the Classpath exception as its license, though there is a possibility of moving up to GPLv3. The community bylaws were covered briefly, which sparked some discussion. Mark was careful to state that the current version is a draft; it is not immutable and will change. 4 weeks of discussion are planned, via the gb-discuss list, followed by a final vote to ratify the bylaws. Simon Phipps made some helpful contributions, including suggesting that laws should make sure that there is a transparent TCK license process and that the board be expanded to seven members, potentially allowing existing major contributors to OpenJDK, such as Red Hat, to be represented.

Joe Darcy then spoke on OpenJDK6. Going forward, Kelly O’Hair is to help with the OpenJDK6 release process. Security fixes will continue for OpenJDK6 until at least July 2012 (as 6 is already over three years old), and these will happen three times a year. This may eventually shift to the usual Oracle schedule of four times a year.

The good news is that OpenJDK7 will continue to be developed as it is now, without the issues that have plagued OpenJDK6 due to the separation between it and the proprietary release train. There will also be more transparency with release processes and development will continue to happen in the open.

Update: The Register did a piece on Mark Reinhold’s talk in the dev. room.

Mark Reinhold has published a draft of the OpenJDK community bylaws and Governing Board, and both Mark Wielaard and Simon Phipps have already responded with their comments.

Things do not look positive. The new rules set out a governing board (GB) dominated by assigned positions for Oracle and IBM employees (the latter having so far contributed little to OpenJDK). There are two elected positions, but the elections process described in the draft gives votes only to “OpenJDK Members”. These members are defined as those who have made “significant contributions” but with no description of how such significance will be decided. My guess is that most of these members, at least initially, will be Oracle employees as well, leading to the board being pretty much dominated by Oracle and IBM.

The rules also give overall power to the “OpenJDK lead” which is one of the two GB positions appointed by Oracle. They get to dictate the direction of the project.

There are some positive aspects, one of the main ones being the definition of an “OpenJDK participant” which finally allows trivial patches to be committed without the need for Oracle copyright assignment. However, the rules mainly codify the current status quo (which is far from ideal) in stone, entrenching Oracle as supreme overlords, and also giving rights to IBM, despite their lack of contribution to the project so far.

Even with a positive optimistic outlook, Simon Phipps ranks the rules as -3 on a scale of -10 to 10. An interim board has been established, throwing out the existing members and introducing three people who I’ve never seen contribute anything to OpenJDK.

The rules are still in draft, so there is room for change. But I’m not overly optimistic at this stage.

See Deepak’s release announcement.

What’s New?

  • Initial release of IcedTea-Web
  • Security updates
  • New Features
    • IcedTea-Web now uses a deployment.properties file to specify configuration
    • System-level as well as user-level deployment.properties files with locked configuration are supported
    • Preview of a Control Panel that allows configuring IcedTea-Web using a GUI
    • Static proxies are now supported using the deployment.properties file
    • User prompts can now be configured using the deployment.properties
    • Applications and applets can now have a Look and Feel different from rest of IcedTea-Web
  • Common improvements and fixes
    • Clean up native directories on exit
    • Cached files with special characters in filenames are now handled correctly
    • Interfaces javax.jnlp.IntegrationService and javax.jnlp.DownloadService2 are now available
  • Javaws improvements and fixes
    • PR592: NetX can create invalid desktop entry files
    • Add a new option -Xclearcache
    • Removed option -umask
    • Applications with non-public main classes are now supported.
    • JNLP files containing <component-desc> as well as <application-desc> will now work
    • The javaws.desktop file now points explicitly to NetX’s javaws binary
    • PR625: Regression in NetX when dealing with nested jars
  • Plugin improvements and fixes
    • PR542: Plugin fails with NPE on http://www.openprocessing.org/visuals/iframe.php?visualID=2615
    • PR552: Support for FreeBSD’s pthread implementation
    • PR554: System.err writes content two times
    • PR556: Applet initialization code is prone to race conditions
    • PR557: Applet opens in a separate window if tab is closed when the applet loads
    • PR565: UIDefaults.getUI fails with jgoodies:looks 2.3.1
    • PR593: Increment of invalidated iterator in IcedTeaPluginUtils (patch from barbara.xxx1975@libero.it)
    • PR597: Entities are parsed incorrectly in PARAM tag in applet plugin
    • PR619: Improper finalization by the plugin can crash the browser
    • RH665104: OpenJDK Firefox Java plugin loses a cookie
    • JNLP files referenced in the applet tag are now parsed to detect applet properties
    • Applets are now double-buffered to eliminate flicker in ones that do heavy drawing

The public key I’ve had for the last three years or so was a 1024-bit DSA key with a SHA1 signature. With the discussion of the upcoming keysigning at FOSDEM, I decided it was about time for a new, more secure key. Thus, I will be transitioning away from my old key to the following new key:

pub   4096R/F5862A37 2011-02-02 [expires: 2012-02-02]
      Key fingerprint = EA30 D855 D50F 90CD F54D  0698 0713 C3ED F586 2A37

The old key will continue to be valid for some time, but I prefer all future correspondence to come to the new one. I would also like this new key to be re-integrated into the web of trust. The old key is signed with the new one and vice versa.

The old key was:

pub   1024D/94EFD9D8 2008-02-19
      Key fingerprint = F8EF F1EA 401E 2E60 15FA  7927 142C 2591 94EF D9D8

The new public key is now available on my website. Also, to fetch the full new key from a public key server, you can simply do:

gpg --recv-key F5862A37

If you already know my old key, you can now verify that the new key is signed by the old one:

gpg --check-sigs F5862A37

If you don’t already know my old key, or you just want to be double extra paranoid, you can check the fingerprint against the one above:

gpg --fingerprint F5862A37

If you are satisfied that you’ve got the right key, and the UIDs match what you expect, I’d appreciate it if you would sign my key.

gpg --sign-key F5862A37

Please let me know if you have any questions, or problems, and sorry for the inconvenience.
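The 8-hex-digit ID used in the commands above is only 32 bits long, so a lookup by it can return more than one key; the full fingerprint is what identifies the key. The following added example, which is not part of the original post, compares `gpg --with-colons --fingerprint` output with the fingerprint published above; the function name `primary_fpr_matches` is an illustrative assumption.

```bash
# Added example (not from the original post): check the full fingerprint of a
# fetched key against the published one instead of trusting the short key ID.

# New key fingerprint as published in the post above.
EXPECTED_FPR='EA30 D855 D50F 90CD F54D  0698 0713 C3ED F586 2A37'

# primary_fpr_matches EXPECTED
# Reads `gpg --with-colons --fingerprint KEYID` output on stdin.
# Succeeds only if exactly one primary key is listed and its fingerprint
# equals EXPECTED (spaces and letter case are ignored).
primary_fpr_matches() {
    local want
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')

    # A v4 OpenPGP fingerprint is 40 hex digits; reject short IDs outright.
    [ "${#want}" -eq 40 ] || return 2

    awk -F: -v want="$want" '
        # Each primary key starts with a "pub" record.
        $1 == "pub" { pubs++; after_pub = 1; next }
        # Fingerprints that follow a "sub" record belong to subkeys: skip them.
        $1 == "sub" { after_pub = 0; next }
        # Field 10 of an "fpr" record holds the fingerprint.
        $1 == "fpr" && after_pub {
            if (toupper($10) == want) ok++
            after_pub = 0
        }
        # More than one primary key for the same short ID is treated as failure.
        END { exit !(pubs == 1 && ok == 1) }
    '
}

# Usage:
#   gpg --with-colons --fingerprint F5862A37 | primary_fpr_matches "$EXPECTED_FPR" \
#       && echo "fingerprint matches"
```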

We are pleased to announce a new set of security releases, IcedTea6 1.7.8, IcedTea6 1.8.5 and IcedTea6 1.9.5.

This update contains the following security updates:

The IcedTea project provides a harness to build the source code from OpenJDK6 using Free Software build tools. It also includes the only Free Java plugin and Web Start implementation, and support for additional architectures over and above x86, x86_64 and SPARC via the Zero assembler port.

What’s New?

IcedTea6 1.7.8

  • Security updates
  • Backports
    • S6687968: PNGImageReader leaks native memory through an Inflater
    • S6541476, RH665355: PNG imageio plugin incorrectly handles iTXt chunk
    • S6782079: PNG: reading metadata may cause OOM on truncated images
  • Fixes
    • RH647157, RH582455: Update fontconfig files for rhel 6
    • PR619: Improper finalization by the plugin can crash the browser

IcedTea6 1.8.5

  • Security updates
  • Backports
    • S6687968: PNGImageReader leaks native memory through an Inflater
    • S6541476, RH665355: PNG imageio plugin incorrectly handles iTXt chunk
    • S6782079: PNG: reading metadata may cause OOM on truncated images
  • Fixes
    • RH647157, RH582455: Update fontconfig files for rhel 6
    • PR619: Improper finalization by the plugin can crash the browser

IcedTea6 1.9.5

  • Security updates
  • Backports
    • S6687968: PNGImageReader leaks native memory through an Inflater
    • S6541476, RH665355: PNG imageio plugin incorrectly handles iTXt chunk
    • S6782079: PNG: reading metadata may cause OOM on truncated images
  • Fixes
    • RH647157, RH582455: Update fontconfig files for rhel 6
    • PR619: Improper finalization by the plugin can crash the browser

The tarballs can be downloaded from:

SHA256 sums:

  • a1cbb4e5962d1fed0c816cebce33b6896b61a9f19b404f5e91439b9e7ffcd97c icedtea6-1.7.8.tar.gz
  • 1ee081368587507e7ea75bd3351be0eafadd3f7020930db68448bcec6fa5c452 icedtea6-1.8.5.tar.gz
  • dac8ad42c452b3211b4daf26446da090f1f6c45952d9dbf52f66447adef73a29 icedtea6-1.9.5.tar.gz

The following people helped with these releases:

We would also like to thank the bug reporters and testers!

To get started:

$ tar xzf icedtea6-<ver>.tar.gz
$ cd icedtea6-<ver>

Full build requirements and instructions are in INSTALL:

$ ./configure [--enable-zero --enable-pulse-java --enable-systemtap ...]
$ make