[External] : Re: JEP draft: Prepare to Restrict The Use of JNI
Glavo
zjx001202 at gmail.com
Mon Aug 28 21:06:03 UTC 2023
>
> I think a lot of people were unpleasantly surprised to discover that the
> implementation of low-level libraries was a huge factor in preventing
> upgrades from JDK 8 to 17 -- and would like to see the balance shift
> away from library developers being able to silently get superpowers, and
> towards users having the final say over those superpowers.
>
As I mentioned before, doing so costs most people.
Are you really sure what you're saying is what many people need?
At least among the people I've come into contact with, no one really needs
it.
Most people just need the high level library/framework to make the decision
for them.
You are making a very dangerous decision, which will affect users widely.
Breaking encapsulation doesn't help security, high-level libraries can
always hide details
by copying low-level libraries into their own modules, and users can always
review all libraries recursively if needed.
So the only reason to break encapsulation is that you want to interfere
with the Java ecosystem,
so you force all users to pay for it.
I really can't agree with such a decision, I think you have to collect
opinions more widely before making such a decision.
Glavo
On Tue, Aug 29, 2023 at 4:28 AM Alex Buckley <alex.buckley at oracle.com>
wrote:
> On 8/28/2023 12:51 PM, Glavo wrote:
> > A deep dive into every library isn't necessary for everyone.
> > If lib1 trusts lib2 it depends on, then most users who trust lib1 don't
> > need to investigate lib2.
> > We shouldn't make the majority of people pay for a very small number of
> > needs.
>
> From this JEP about restricting the use of JNI, and from the JEP about
> restricting the dynamic attachment of agents, I think a lot of people
> have become aware of the "superpowers" which some libraries have
> silently enjoyed. Superpowers that allow private methods in the JDK to
> be redefined at any time. Superpowers that allow native code to be
> invoked and then call back into Java with zero access control.
>
> I think a lot of people were unpleasantly surprised to discover that the
> implementation of low-level libraries was a huge factor in preventing
> upgrades from JDK 8 to 17 -- and would like to see the balance shift
> away from library developers being able to silently get superpowers, and
> towards users having the final say over those superpowers.
>
> Alex
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/jdk-dev/attachments/20230829/f5272c3c/attachment.htm>
More information about the jdk-dev
mailing list