I am not really an Ubuntu user but I want to contribute to this conversation. The main source of recent security vulnerability is down to the Java Plug-in and Webstart (so called "deployment" component) of the OpenJDK. You need to bear in mind that most server process (e.g. Tomcat process) are not run under the security manager and therefore no sandbox to escape. As a result majority of the security doesn't applies if you disable Java Plug-in and Webstart. I did a little analysis last year and look at a number of pass security vulnerability whether something that would affect a server processes, etc. This information is actually given in Oracle security notification pages: <table border="1" width="798" style="border:1 solid; border-collapse:= collapse; margin-left: -5pt; "> <col width="159"> <col width="159"> <col width="159"> <col width="159"> <col width="159"> <tr> <td>Java Patch Release</td> <td>Info URL</td> <td>Total number of fixes</td> <td>Fixes that affect Client components</td> <td>Fixes that affect Client and Server components</td> </tr> <tr> <td>January 2014</td> <td><a href="http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html#AppendixJAVA" target="_top" rel="nofollow" link="external"> January patch</a></td> <td>38</td> <td>35</td> <td>3</td> </tr> <tr> <tr> <td>October 2013</td> <td><a href="http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html#AppendixJAVA" target="_top" rel="nofollow" link="external"> October 2013 patch</a></td> <td>51</td> <td>40</td> <td>11</td> </tr> <tr> <td>June 2013</td> <td><a href="http://www.oracle.com/technetwork/topics/security/javacpujun2013-1899847.html" target="_top" rel="nofollow" link="external"> June 2013 patch</a></td> <td>40</td> <td>35</td> <td>4</td> </tr> <tr> <td>Feb 2013</td> <td><a href="http://www.oracle.com/technetwork/topics/security/javacpufeb2013-1841061.html" target="_top" rel="nofollow" link="external">Feb 2013 patch</a></td> <td>50</td> <td>43</td> <td>5 </td> </tr> <tr> <td>October 2012</td> <td><a href="http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html" target="_top" rel="nofollow" link="external">October 2012</a></td> <td>30</td> <td>26</td> <td>3</td> </tr> <tr> <td>June 2012</td> <td><a href="http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.html" target="_top" rel="nofollow" link="external">June 2012</a></td> <td>14</td> <td>9</td> <td>4</td> </tr> </table> Notice that in majority of the cases if no "client" components is being used, the number of security vulnerability affecting Java is substantially lower. This is why Oracle has now introduced a <a href="http://www.oracle.com/technetwork/java/javase/downloads/server-jre7-downloads-1931105.html" target="_top" rel="nofollow" link="external">Server JRE</a> which removed Java Plug-in and Webstart components to reduce the security risk. I would suggest for Ubuntu to re-organise the Java packages on the server so that Java Plug-in and Webstart is being separated and only distribute a "server JRE" type of packaging in Ubuntu server. Sunny <hr align="left" width="300" /> View this message in context: <a href="http://ubuntu.5.x6.nabble.com/Potential-Server-Seed-impact-for-14-04-removal-of-OpenJDK-Tomcat7-from-Ubuntu-main-tp5054500p5054839.html">Re: Potential Server Seed impact for 14.04: removal of OpenJDK/Tomcat7 from Ubuntu main</a> Sent from the <a href="http://ubuntu.5.x6.nabble.com/ubuntu-devel-f679931.html">ubuntu-devel mailing list archive</a> at Nabble.com.