<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">On 30.08.2023 10:36, Andrew Dinn wrote:<br>
</div>
<blockquote type="cite"
cite="mid:b2a9c8b6-a1bd-4a54-6177-dd20c00207f7@redhat.com">On
29/08/2023 18:24, Peter Tribble wrote:
<br>
<blockquote type="cite">And that's what I see as the problem here.
There are no possible actions
<br>
that will improve the ecosystem or the software. There is no
better path
<br>
that developers/users get guided towards. The only possible
course of
<br>
action is to --enable-native-access and carry on.
<br>
</blockquote>
Actually, no. The other possible course of action is not to use
the application. You actually said the same in the paragraph
preceding the one I quoted.
<br>
<br>
That *is* a real choice. Users who are especially conscious of,
say, security concerns, or data integrity concerns, might very
well regards the need to pass --enable-native-access as a red flag
and not run any such application.
<br>
</blockquote>
<p>Such users then would stop using operating systems because they
are "especially conscious of, say, security concerns, or data
integrity concerns"? (As if they were able to assess all potential
risks?)</p>
<p>And if so, being "a real choice" this means that the Java
ecosystem loses a "user" when picking therefore the choice to
leave Java seeking alternatives. Is that really a goal here?<br>
</p>
<p>... cut ...</p>
<p>The road to hell is paved with good intentions ... <br>
</p>
<p>A few minor thoughts:</p>
<ul>
<li>Java needs JNI itself: so how can the "user" be warned from
using Java as this is considered to be potentially dangerous by
the Java developers themselves? <br>
(And what can be done to warn a "user" from using operating
system features? Should Java warn the "user" that potentially
dangerous native code gets employed by Java whenever the
operating system gets accessed for one reason or another?)<br>
<br>
</li>
<li>Possible dangerous or fatal errors in native code do not mean
that these errors exist in reality at all, i.e. in deployed JNI
modules that get tested and deployed. <br>
This is a bit along the line that a knife can be dangerous as it
can be used to kill a person, yet, knives in the world do not
get used to kill people: the good intent is to make the world
safer, so we prohibit knives or only allow their use, if the
user keys in the flag "--knives-can-kill-persons" and then the
storage box opens to release the knife such that one can finally
cut the steak. <br>
(Just because something can be used dangerously does not mean
that it will be used that way and do harm; any acknowledgement
of potential danger does not make the danger go away nor does
the warning help to circumvent the potential danger.)<br>
<br>
</li>
<li>Just pointing out that erroneously implemented JNI modules can
be harmful is enough and has been evident since JNI exists, so
what has changed all of a sudden? <br>
<br>
</li>
<li>Deployment of Java: there seems to be the wrong assumption
among some developers that Java is not being used as a JRE
(non-JRE bubble?) which is simply wrong. What should
applications do in a scenario in which the JVM gets dynamically
loaded via JNI to then interact with the JRE? Is that considered
to be dangerous such that it needs to be made seen by the "user"
each time this demand loading of the JVM happens as otherwise
the "user" does not realize that theoretically a potential
danger exists (and if so for whom)? <br>
<br>
</li>
<li>Who is really the "user" who gets addressed here? (How stupid
is this particular "user" regarded to be?)<br>
<br>
</li>
<li>Why is it not enough to simply record the fact that JNI gets
employed explicitly in module-info? As has been mentioned a few
times this would allow for appropriate analysis, if need be? (It
also might suffice the intentions of the JEP in that the
warnings get issued only if the fact that JNI gets employed in a
module is not reported in its module-info.)<br>
</li>
</ul>
---rony<br>
<p><br>
</p>
</body>
</html>