
Multiple times in this discussion thread you have talked about the plugin, but the comment about forcibly removing (as opposed to just disabling) has to do with the JDK, not the plugin. Yes: interactive systems where a user is staring at a web browser designed to download and install plugins is a simple situation to handle. However, servers that are running mail processing backends or websites are entirely different animals.


We are only forcibly removing the plugin for now. Hopefully you will no longer be running your mail servers on an ancient JDK that contains multiple security issues once we do decide to remove it.

Believe me, I would have preferred to simply push out an update to the newest version.


For the record, I don't use this package at all (I do not currently use Java at all, in fact, although I have extensively in the past while tending sites running on Tomcat). However, all of my servers use Ubuntu, and the idea that removing the JDK is considered a security patch, which normally should "do no harm, add no features, change no behaviors, and only fix bugs", clearly underscores that the Ubuntu upgrade process is not safe.

I mean, honestly, and you can say "that's stupid, you shouldn't do that, now your argument has jumped the shark", but this policy, if understood by actual users, would simply cause people to never install security updates at all. You want security updates to be a no-brainer: there should never be a downside to installing a security update; you don't want people second-guessing a security update because it might just uninstall the package entirely.


On the other hand, you don't want thousands of people left with out-of-date versions of the Sun JDK. Suppose that a critical vulnerability was found in the last version of the Sun JDK plugin that still had the DLJ? Would you then support removing it in a security update?

Leaving browser plugins that can't legally be upgraded lying around people's systems is a severe security flaw, so the decision to invasively remove it is definitely the best option.



