On Apr 5, 2012, at 12:24 AM, Dannes Wessels wrote:

> Hi,
> Over time I have been updating the Java VM on my Mac with the latest releases, but just today I realized that in /Library/Java/JavaVirtualMachines there are actually a few JVMs installed:
> drwxr-xr-x 3 root wheel 102 Jun 29 2011 1.6.0_26-b03-383.jdk
> drwxr-xr-x 3 root wheel 102 Nov 1 18:45 1.6.0_29-b11-402.jdk
> drwxr-xr-x 3 root wheel 102 Mar 28 02:55 1.6.0_31-b04-413.jdk
> drwxrwxr-x 3 root wheel 102 Mar 16 02:15 1.7.0.jdk
> drwxr-xr-x@ 4 root wheel 136 Jan 20 03:33 JDK 1.7.0 Developer Preview.jdk

These are either Developer Previews or the Developer Package releases we make available on ADC, or Oracle/OpenJDK JVMs.

> All these JVMs are registered in the Java preferences app, actually the old (vulnerable) versions were still active and had a higher priority than the newer versions. This surprised me a bit.
> I have some questions about this…..
> - is it correct that the JVM installers do not remove older and insecure versions of the VM ?

That is our intended design. Developers tend to get snippy if we change things out from underneath them which they installed themselves manually. :-)

> - in the Java preference panel: after installing a new version, why hasn't a newer version a higher "priority"?

Because at some point you expressed a preference for which JVM you wanted to be your default by dragging or selecting from the version popup. You can clear this by hitting "Restore Defaults", and you'll get the default behavior of the highest version.

> - can I just remove the older versions of the VM?

Yes. Just throw them in the trash.

> - would it a good idea to have older versions removed automatically?

No, because that would be the same model as the System installed JDK, and would make regression testing quite difficult. See also the comment about developers above.

Mike Swingler
Apple Inc.

