0

I see there are a number of ways to install Java on Ubuntu... what I want to know is which way is best for a server that is secure and running a Java web application.

The three ways I know of are:

  1. sudo apt-get install default-jre

    Or some other JRE package included in the main Ubuntu repos.

  2. Using Webupd8 per these links:

    Oracle Java (JDK) 7 / 8 / 9 Installer PPA

    How to install Oracle Java on Ubuntu 14.04?

  3. Manually installing by downloading from Oracle's website.

I'm familiar with all of these ways to install Java and I have no trouble installing Java. But which way should I use if I want my server to be secure and I want to easily receive Java updates in the future?

Jason
  • 105
  • What's the target Ubuntu version, I assume 14.04? – A.B. Jul 17 '15 at 18:30
  • Ubuntu is not like Windows, where there's a distinction between the OS itself and addons like Java. In Ubuntu, software like Java receives security updates for the lifetime of Ubuntu, regardless of Oracle. So even if Java7 is considered insecure on Windows, it's still secure in Ubuntu, as long as you install normal updates. That's one of the reasons why Free Software and Open Source is so important. – Jo-Erlend Schinstad Jul 17 '15 at 19:57

1 Answer

1

100% security isn't possible. For the 99.9% install Java from the Ubuntu Standard repositories. If you really need Oracle Java, avoid a PPA and install Java manually and you also have 99.9% security.

Using a PPA is always a security risk, a low risk but a risk.


The latest OpenJDK release for Trusty is 7u79-2.5.5-0ubuntu0.14.04.2, to install OpenJDK 8 you need at least Utopic.

The installation of Java 7 instead of Java 8 isn't a security risk because Java 8 is an update with new features and not a security update.

And if there is a security risk, there would be an update also for Java 7. In any case, for the time in which Trusty will be supported by Canonical.

A.B.
  • 90,397
  • I notice that the Ubuntu Standard repositories lag behind Oracle releases. In fact, Java 7 no longer has public updates from Oracle since April this year (3 months ago, https://www.java.com/en/download/faq/java_7.xml) and Ubuntu 14.04 LTS does not yet have Java 8! This seems like a big security risk to me. Do you still recommend the standard repositories? Is there a standard repository with Java 8 that I just don't know about? – Jason Jul 17 '15 at 17:50
  • 1
    @Jason: Security fixes get backported in Ubuntu. So even if it would've been a huge security risk on Windows, it's not so on Ubuntu. If it's in the main Ubuntu repository, it gets security upgrades for the lifetime of your Ubuntu distro. So for Ubuntu 14.04, Java7 will be supported until April 2019. You don't need a major upgrade for that. – Jo-Erlend Schinstad Jul 17 '15 at 19:08
  • 1
    Just to add, Java 8 (from Java 7) isn't a security update; it's a feature update. Java 8 by itself won't make running Java programs any more secure. – saiarcot895 Jul 17 '15 at 19:20
  • I'd like to restate what you guys already said to be sure I got it... When installing Java from the Ubuntu Standard repositories, OpenJDK 7 is installed. OpenJDK 7 is maintained by the open source community and will continue to receive security updates, which will propagate to the Ubuntu Standard repositories, even though Oracle is no longer releasing public updates to its Java 7. Do I have it right? – Jason Jul 17 '15 at 23:23
  • @Jason Yes, that's right. :) – A.B. Jul 18 '15 at 05:07
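
The answer and comments above turn on where the installed Java package comes from: the Ubuntu archive and its security pocket, a PPA, or a manual install. As an added example that is not part of the original thread, this shell function classifies that from `apt-cache policy` output; the category names and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the origin of the installed version of a package
# from `apt-cache policy <pkg>` output read on stdin.
classify_origin() {
    awk '
        /^ \*\*\* /   { found = 1; cur = 1; next }   # header of the installed version
        /^     [^ ]/  { cur = 0; next }              # header of any other version
        cur && $2 ~ /^https?:\/\// {                 # repository line for the installed version
            host = $2
            sub(/^https?:\/\//, "", host); sub(/\/.*/, "", host)
            if (host == "archive.ubuntu.com" || host == "security.ubuntu.com" ||
                host ~ /\.archive\.ubuntu\.com$/) {
                ubuntu = 1
                if ($3 ~ /-security\//) sec = 1      # published in the -security pocket
            } else if (host == "ppa.launchpad.net") ppa = 1
            else other = 1
        }
        END {
            if (!found)      print "not-installed"
            else if (ppa)    print "ppa"
            else if (other)  print "third-party"
            else if (sec)    print "ubuntu-security"
            else if (ubuntu) print "ubuntu-archive"
            else             print "local-only"      # no repository offers this version
        }'
}

# Constructed sample outputs (the OpenJDK version string is the one quoted in the answer).
SAMPLE_UBUNTU='openjdk-7-jre-headless:
  Installed: 7u79-2.5.5-0ubuntu0.14.04.2
  Candidate: 7u79-2.5.5-0ubuntu0.14.04.2
  Version table:
 *** 7u79-2.5.5-0ubuntu0.14.04.2 0
        500 http://security.ubuntu.com/ubuntu/ trusty-security/main amd64 Packages
        500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
        100 /var/lib/dpkg/status'
SAMPLE_PPA='oracle-java8-installer:
  Installed: 8.0~constructed-1
  Candidate: 8.0~constructed-1
  Version table:
 *** 8.0~constructed-1 0
        500 http://ppa.launchpad.net/webupd8team/java/ubuntu/ trusty/main amd64 Packages
        100 /var/lib/dpkg/status'

printf '%s\n' "$SAMPLE_UBUNTU" | classify_origin   # ubuntu-security
printf '%s\n' "$SAMPLE_PPA"    | classify_origin   # ppa
# On a real host: apt-cache policy openjdk-7-jre-headless | classify_origin
```

A result of `local-only` means no configured repository offers the installed version, which is what a manual install looks like to apt and implies no updates arrive through `apt-get upgrade`.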