Getting a live view of environment variables (Gradle and JDK 9)

dalibor topic dalibor.topic at oracle.com
Thu Oct 12 18:50:35 UTC 2017



On 12.10.2017 16:23, Kirk Pepperdine wrote:
> Hi,
> 
>> On Oct 12, 2017, at 2:54 PM, Mario Torre <neugens.limasoftware at gmail.com> wrote:
>>
>> 2017-10-12 11:58 GMT+02:00 Cédric Champeau <cedric.champeau at gmail.com>:
>>
>>> 1. an API in 18.3 which would let us refresh the environment variables,
>>> even if inherently unsafe (we can take the risk, if the Javadocs explains
>>> that if you're really unlucky calling such a method could kill your VM).
>>
>> Being a public API we would expose everyone to this risk, and the API
>> should be supported on all platforms maybe forever. I know other
>> people have different opinion here, but this seems to be high risk,
>> high impact to be worth.
> 
> As I have stated in past postings, this behavior is unexpected and IMHO shouldn’t be supported.

Yeah, it smells a bit like stopThread to me, which may have seemed like 
an interesting idea at the time, but created a lot of issues down the 
road, as discussed in 
https://docs.oracle.com/javase/9/docs/api/java/lang/doc-files/threadPrimitiveDeprecation.html

A 'setenv' might not be as simple as it sounds conceptually. For 
example, it might necessitate thinking through what kind of security 
permission would be required to govern its use.

In addition, having such functionality exposed by default could be a bit 
like a conveniently placed loaded gun for an attacker attempting to 
bring a system down - one man's 'unlucky call bringing down your VM' is 
another man's 'lucky shot'.

That's not necessarily a hypothetical concern, as similar designs have 
had their share of interesting issues in the past. For example:

"Cupsd invokes CGI applications for certain requests, and the 'SetEnv' 
directive allows us to set arbitrary environment variables for these CGI 
processes."

from 
https://googleprojectzero.blogspot.de/2015/06/owning-internet-printing-case-study-in.html

cheers,
dalibor topic

-- 
Dalibor Topic | Principal Product Manager


More information about the core-libs-dev mailing list