Jigsaw prototype, take 2
Eric Johnson
eric at tibco.com
Thu Aug 29 09:55:13 PDT 2013
Hi Mark,
On 8/28/13 9:27 AM, mark.reinhold at oracle.com wrote:
> We remain committed, of course, to this Project's high-level goals:
> Create a modular and scalable platform, improve performance and security,
> and define a standard module system.
Repeating the same thing over again, and expecting a different result?
I'm all for modularizing Java. I'm struggling with the other goals:
Improving security:
Certainly, we don't want modularization to weaken security, but why is it
necessary for improved security to be a part of the Jigsaw project? It
should be treated as a separate concern (which it is).
On top of that, improving security implies a well understood threat
model, vulnerabilities, and risks. Since Java is run in so many
different places - secured networks, insecure networks, mobile devices,
desktop/laptop machines, and via applets, the considerations for each
might be radically different. Deserves more careful consideration than
as an add-on goal to a modularization project.
Only insofar as a modular JRE could exclude all sorts of
unneeded/unwanted pieces from particular profiles, that is by definition
improved security for downstream deployers, but that's a side-effect of
modularity, not a specific goal. Of course it may be a side-effect
informed by security considerations (for example, remove JMX, JDBC,
CORBA, and applet support from a mobile device), but it isn't, by itself,
a more secure platform. That's because there will still be deployments
that need everything, and modularization by itself won't have changed a
thing.
Improve performance:
Again, modularization shouldn't lose performance. Don't see why it would
be an explicit goal to improve performance. As a colleague of mine says,
"first get it right, then make it work, then make it fast." Seems like
you're jumping ahead to step three with this goal.
Define a standard module system:
Why? One way of leveraging a modular Java means taking the existing JRE,
repackaging it, and removing unwanted parts. That's a building/packaging
exercise, and has no run-time implications. So why define a module
system? Java already has a standard way to "modularize" a build, via
these well known artifacts called "JAR" files.
Eric.