Jigsaw prototype, take 2

Eric Johnson eric at tibco.com
Thu Aug 29 09:55:13 PDT 2013


Hi Mark,

On 8/28/13 9:27 AM, mark.reinhold at oracle.com wrote:
> We remain committed, of course, to this Project's high-level goals:
> Create a modular and scalable platform, improve performance and security,
> and define a standard module system.
Repeating the same thing over again, and expecting a different result?

I'm all for modularizing Java. I'm struggling with the other goals:

Improving security:

Certainly, we don't want modularization to weaken security, but why is it 
necessary for improved security to be a part of the Jigsaw project? It 
should be treated as a separate concern (which it is).

On top of that, improving security implies a well understood threat 
model, vulnerabilities, and risks. Since Java is run in so many 
different places - secured networks, insecure networks, mobile devices, 
desktop/laptop machines, and via applets, the considerations for each 
might be radically different. Deserves more careful consideration than 
as an add-on goal to a modularization project.

Only insofar as a modular JRE could exclude all sorts of 
unneeded/unwanted pieces from particular profiles, that is by definition 
improved security for downstream deployers, but that's a side-effect of 
modularity, not a specific goal. Of course it may be a side-effect 
informed by security considerations (for example, remove JMX, JDBC, 
CORBA, and applet support from a mobile device), but it isn't, by itself, 
a more secure platform. That's because there will still be deployments 
that need everything, and modularization by itself won't have changed a 
thing.

Improve performance:

Again, modularization shouldn't lose performance. Don't see why it would 
be an explicit goal to improve performance. As a colleague of mine says, 
"first get it right, then make it work, then make it fast." Seems like 
you're jumping ahead to step three with this goal.

Define a standard module system:

Why? One way of leveraging a modular Java means taking the existing JRE, 
repackaging it, and removing unwanted parts. That's a building/packaging 
exercise, and has no run-time implications. So why define a module 
system? Java already has a standard way to "modularize" a build, via 
these well known artifacts called "JAR" files.

Eric.



More information about the jigsaw-dev mailing list