[External] : Re: JEP draft: Prepare to Restrict The Use of JNI
Alex Buckley
alex.buckley at oracle.com
Mon Aug 28 20:28:05 UTC 2023
On 8/28/2023 12:51 PM, Glavo wrote:
> A deep dive into every library isn't necessary for everyone.
> If lib1 trusts lib2 it depends on, then most users who trust lib1 don't
> need to investigate lib2.
> We shouldn't make the majority of people pay for a very small number of
> needs.
From this JEP about restricting the use of JNI, and from the JEP about
restricting the dynamic attachment of agents, I think a lot of people
have become aware of the "superpowers" which some libraries have
silently enjoyed. Superpowers that allow private methods in the JDK to
be redefined at any time. Superpowers that allow native code to be
invoked and then call back into Java with zero access control.
I think a lot of people were unpleasantly surprised to discover that the
implementation of low-level libraries was a huge factor in preventing
upgrades from JDK 8 to 17 -- and would like to see the balance shift
away from library developers being able to silently get superpowers, and
towards users having the final say over those superpowers.
Alex
More information about the jdk-dev
mailing list