Could you please point us to the security vulnerabilities that you believe
might be affecting you?
Do you mean the JRE changelog?
No, I actually meant the specific vulnerability that you believe might
be exposing you.
Every time Oracle releases an update, it urges you to install it - removing all
It is insecure to have the known-vulnerable/exploitable code installed along
with the updated one. Malware will simply use the old JRE to do its
No, this is precisely what CANNOT happen because we don't install the
JRE. We just unbundle it in Jitsi's directory. There's no way a
malware could use it to gain access to your station.
Why does it do so in the first place?
Above all, we do this because requiring the user to install their own JRE
is a killer for a large percentage of users.
Look at MS then - if a program that needs .NET installed does not find it,
it simply downloads what was missing.
A large percentage of users will welcome a smaller Jitsi installer file,
provided they have the current JRE.
Our experience is actually quite the opposite and shows that users
prefer not to be bothered with this. We used to have an on-line
installer for Java on Windows and that seemed to be a pain for many.
Most of them do because of the JAVA
As explained, the auto-update feature is precisely what we'd like to
avoid because it could introduce regressions.
Also, different JREs have different features and it is possible that
things in Jitsi break across versions.
Things don't only break when going back in versions. APIs get obsoleted or
their behavior changes so upgrading to a newer version can also introduce
Yes, that's what testing is for.
I expected you to not ship the untested code.
Yes and this is why we ship with specific Java versions.
I believe we recently removed most of the problems with 1.7 and were
planning on upgrading soon. We just haven't got around to it.
Could you please just compile Jitsi against the latest JRE, but not bundle
JRE into an installer?
Or, at least, have a JRE-free one (like OpenOffice does)?
Not currently on our todo list and I don't think we'll do this in the
near future as it is only likely to create problems rather than
Do you test Jitsi for compatibility with the current JRE?
On occasion yes. Specifically once we start considering an upgrade.
Well, Jitsi is free and users are not expected to demand anything from the
development team. But the security issues are another story - when an exploit
is found in the underlying library - everyone is affected. The program
should be rebuilt against the latest version.
Nobody wants his computer to become a part of a botnet.
True and this would have been relevant if there was actually a
security issue here.
so much time on our hands and a todo list that would require orders of
One could also keep in mind that some of us use Eee PC 900 with just 4GB
of disk space (with ~2.5GB occupied by OS/software). So ~150MB (a good
~100MB of which is NOT needed!) simply does not fit in.
Yes of course, however there is this time issue I mentioned just above,
which makes us care mostly about the bulk of our (potential) users and less
about the corner cases. Contributions are welcome. If enough EeePC users are
just as nice as yourself and willing to work on a segmented installer, we'd
be happy to have a look at it.
Alas, I'm not a software designer. My contribution is VERY limited. I'm just
a SIP-client user, and I can only comment on system security.
Ah OK. Not a problem, it's just that you were quite generous in your
advice so I assumed a background and a certain experience in software
On Mon, Sep 30, 2013 at 1:41 PM, ZAO <firstname.lastname@example.org> wrote:
On Mon, 30 Sep 2013 14:59:19 +0400, Emil Ivov <email@example.com> wrote:
users mailing list
Unsubscribe instructions and other list options:
Emil Ivov, Ph.D.
Project Lead
firstname.lastname@example.org
https://jitsi.org
67000 Strasbourg, France
PHONE: +184.108.40.206.43.30
FAX: +220.127.116.11.47.31