[External] : Re: New candidate JEP: 451: Prepare to Disallow the Dynamic Loading of Agents

Ron Pressler ron.pressler at oracle.com
Thu May 11 18:16:18 UTC 2023



> On 10 May 2023, at 07:07, Volker Simonis <volker.simonis at gmail.com> wrote:
> 
> 
> I still wonder why this JEP has scope "SE"? During the discussion
> about the draft (which was initially about "disallowing by default")
> it was mentioned that once dynamic loading will be disabled by
> default, this will be mandated in the platform spec (e.g. in the
> package documentation of the java.lang.instrument package [1]). But
> now that the JEP was softened to a warning, do you still plan to
> mandate the warning in the SE platform spec as well?

Yes.

> 
> In general, I think the current specification (e.g. in [1]) is good
> and gives vendors the freedom to choose the approach which is most
> appropriate for their users (e.g. they could already now disable
> dynamic agent loading by default):
> 
> "An implementation may provide a mechanism to start agents sometime
> after the VM has started. The details as to how this is initiated are
> implementation specific".
> 
> Explicitly forbidding dynamic agent loading without a command line
> option in the specification seems over-regulative to me.
> 

So some JDKs will follow the path that’s Java has been on for the past five years toward placing the choice over integrity in the hands of users, while others go down a different path that puts that choice in the hands of libraries?

> Finally, I think it feels a little unfortunate that a JEP candidate
> already contains and mentions the JDK release where it will be
> implemented. This could create the impression that the JEP has been
> targeted long before it was publicly discussed and proposed.

You’re right. Fixed.

— Ron


More information about the jdk-dev mailing list