Security Manager [Was: JEP draft: Prepare to Restrict The Use of JNI]

Eric Bresie ebresie at gmail.com
Thu Sep 7 19:51:47 UTC 2023


Just observing the discussion and no expert but…

It sounds like this is about security and restrictions of native libraries.


Not saying it’s any better or worse but wasn’t that what the
deprecated/removed SecurityManager was expected to do?

Eric Bresie

On Thu, Sep 7, 2023 at 8:55 AM Attila Kelemen <attila.kelemen85 at gmail.com>
wrote:

>> Why not? It's a simple mechanism, anyone can do it, and anyone can add
>> trusted libraries to their blessed list. All that crypto-signing does is
>> add another layer of robustness.
>>
>
> What I meant is that the signature itself is not that important, what is
> important is that you can reliably identify a library. However, you don't
> really need all the guarantees a signature gives you for this. It is
> enough, if you read some properties from the manifest like vendor, etc. and
> trust it. In fact, it might even tell you more, because if not any
> manifest entry can be used, then you could tell from the presence of the
> manifest entry that people considered that these properties will be used
> for access rights (unlike signatures, because all libraries in Maven
> central are signed).
>
>