Java 6 Transition

Background

Following its announcement that OpenJDK will now be the reference implementation of Java, Oracle has discontinued the non-free "Operating System Distributor License for Java" (DLJ), which was used for many years to ship the Sun JDK in Linux distributions including Ubuntu (through the Canonical Partner archive). Oracle recommends that all Linux distributions migrate to shipping OpenJDK packages, and that all users migrate to those packages, or download the Oracle binary builds (based on the OpenJDK source code) directly from http://oracle.com/java.

Oracle also recently posted several critical security patches to Java 6, including fixes for some remote exploits through the Java browser plugin. Since the Operating System Distributor License has been discontinued, Canonical no longer has permission to distribute updates to the Sun JDK packages, and is therefore unable to deliver these critical security patches to Ubuntu users.

What is changing?

Due to the severity of the security risk, Canonical is immediately releasing a security update for the Sun JDK browser plugin which will disable the plugin on all machines. This will mitigate users' risk from malicious websites exploiting the vulnerable version of the Sun JDK.

On February 16th 2012, Canonical will remove all Sun JDK packages from the Partner archive. The Sun JDK packages will remain installed on current systems with no further security updates. On new systems, it will no longer be possible to install the packages from the Partner archive. Sun Java 6 users are encouraged to migrate to an alternative solution.

Am I affected?

You are affected by this transition if you have any of the following packages installed from the Canonical Partner repository on Ubuntu Desktop or Server:

  • sun-java6-jre
  • sun-java6-bin
  • sun-java6-plugin
  • ia32-sun-java6-bin
  • ia32-sun-java6-plugin
  • sun-java6-fonts
  • sun-java6-jdk
  • sun-java6-demo
  • sun-java6-source
  • sun-java6-javadb

You can check if these packages are installed by looking at the output of the following command:

dpkg -l '*sun-java6*'

If the line for one of the packages in the above list begins with "ii", that package is installed. For example:

ii  sun-java6-jre
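
The check above can be scripted. The following is an added example, not part of the original page: it filters `dpkg -l` output for the packages listed above, counts only lines whose status is exactly "ii", and prints the `apt-get purge` command for whatever is still installed. The function names and the sample `dpkg -l` output are constructed for illustration.

```shell
#!/bin/sh
# Packages named on this page as affected by the transition.
AFFECTED="sun-java6-jre sun-java6-bin sun-java6-plugin ia32-sun-java6-bin \
ia32-sun-java6-plugin sun-java6-fonts sun-java6-jdk sun-java6-demo \
sun-java6-source sun-java6-javadb"

# Read `dpkg -l` output on stdin; print each affected package whose status
# column is exactly "ii" (installed). States such as "rc" (removed, config
# files remain) or "un" (not installed) are skipped.
installed_sun_java6() {
    awk -v list="$AFFECTED" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        $1 == "ii" {
            name = $2
            sub(/:.*/, "", name)   # drop an architecture suffix such as ":i386"
            if (name in want) print name
        }'
}

# Constructed sample of `dpkg -l` output (not captured from a real system;
# versions and descriptions are placeholders).
sample_dpkg_output() {
    cat <<'EOF'
||/ Name                 Version        Description
+++-====================-==============-============================
ii  sun-java6-bin        6.x-sample     sample description
ii  sun-java6-jre        6.x-sample     sample description
rc  sun-java6-plugin     6.x-sample     sample description
un  sun-java6-jdk        <none>         (no description available)
ii  openjdk-6-jre        6.x-sample     sample description
EOF
}

# Print the purge command for whatever is still installed; nothing is removed.
suggest_purge() {
    pkgs=$(installed_sun_java6 | tr '\n' ' ')
    if [ -n "$pkgs" ]; then
        echo "sudo apt-get purge ${pkgs% }"
    else
        echo "No affected Sun JDK packages installed."
    fi
}

# On a real system: dpkg -l '*sun-java6*' | suggest_purge
sample_dpkg_output | suggest_purge
```

A package shown as "rc" has already been removed and only its configuration files remain, so it is not reported as installed.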

What do I need to do?

To minimize disruptions when the sun-java6* packages are removed, it is recommended to migrate away from the Sun JDK immediately. You have several options for migrating. First, remove all Sun JDK packages listed above, with the following command:

sudo apt-get purge <package name>

Option 1, recommended solution: Install the OpenJDK packages and browser plugin:

sudo apt-get install openjdk-6-jre icedtea6-plugin

Option 2, recommended for legacy applications that don't yet support OpenJDK: manually install the Oracle JDK from the Oracle downloads page. The Oracle JDK will provide the greatest compatibility with the Sun JDK, and so will minimize disruption to your software or services.

If you want to use a .deb package for professional maintainability, various approaches to building a deb from the Oracle package have been discussed on the debian-java list. The scripts used to roll the sun-java6 packages are not available, but the old java-package from Debian is being worked on, and debs produced with it are being used in production by some.

You may later choose to migrate to OpenJDK, allowing time for thorough testing to catch any variations between OpenJDK and the Sun JDK. (OpenJDK is the same codebase as Java 7, and OpenJDK 6 is a cut-down version of OpenJDK 7, so it should be regarded as a completely different JVM to Sun Java 6.)

For more help

You can find more information about Java options on the official Java page for Ubuntu.

Feel free to ask a technical question about Java if you're unsure about the information and/or instructions provided on this page.

LucidLynx/ReleaseNotes/Java6Transition (last edited 2012-01-19 00:39:39 by mdeslaur)