New candidate JEP: 451: Prepare to Disallow the Dynamic Loading of Agents

Volker Simonis volker.simonis at gmail.com
Wed May 10 11:07:14 UTC 2023 

On Mon, May 8, 2023 at 9:17 PM Mark Reinhold <mark.reinhold at oracle.com> wrote:
>
> https://openjdk.org/jeps/451
>
>   Summary: Issue warnings when agents are loaded dynamically into a
>   running JVM. These warnings aim to prepare users for a future release
>   which disallows the dynamic loading of agents by default in order to
>   improve integrity by default. Serviceability tools that load agents at
>   startup will not cause warnings to be issued in any release.
>
> - Mark

First of all, thanks for adopting the "warning first" approach before
disabling dynamic agent loading by default. I think that's reasonable
and useful.

I still wonder why this JEP has scope "SE"? During the discussion
about the draft (which was initially about "disallowing by default")
it was mentioned that once dynamic loading will be disabled by
default, this will be mandated in the platform spec (e.g. in the
package documentation of the java.lang.instrument package [1]). But
now that the JEP was softened to a warning, do you still plan to
mandate the warning in the SE platform spec as well?

In general, I think the current specification (e.g. in [1]) is good
and gives vendors the freedom to choose the approach which is most
appropriate for their users (e.g. they could already now disable
dynamic agent loading by default):

"An implementation may provide a mechanism to start agents sometime
after the VM has started. The details as to how this is initiated are
implementation specific".

Explicitly forbidding dynamic agent loading without a command line
option in the specification seems over-regulative to me.

Finally, I think it feels a little unfortunate that a JEP candidate
already contains and mentions the JDK release where it will be
implemented. This could create the impression that the JEP has been
targeted long before it was publicly discussed and proposed.

Thank you and best regards,
Volker

[1] https://docs.oracle.com/en/java/javase/20/docs/api/java.instrument/java/lang/instrument/package-summary.html

More information about the jdk-dev mailing list