Bring your own JRE (BYOJ)

Stefan Fuchs snfuchs at gmx.de
Sun Apr 19 22:45:05 UTC 2015


Hi,

so what's needed to move this topic forward?
We have a real concern adopting Java 9, if the internal api issue is not 
fixed for webstart apps.
We are willing to take the additional effort of modifying and building 
our own jre for the various platforms, but there needs to be a 
mechanism that allows the use of the modified jre/modules in an applet.

As mentioned in the javafx thread we experienced a serious issue after a 
security update for the jre was released (Swing GUI Thread not starting 
from Java-Application), which made our application useless. A bugfix was 
released 3 months later. Only a workaround using internal apis kept our 
business alive. The only other choice for us and our customers would 
have been not to apply the security update.
I fear that this could happen again.

And for making functions public, which currently aren't. For most uses 
of internal apis in our application, there are open bugs within the 
oracle bugtracker. Some dating back to 2011. I don't think these will 
magically get fixed, when Java 9 gets released.

So unless Oracle dramatically increases the number of developers working 
on the java platform and releases weekly updates for the jre, I see no 
other choice than to hack the jre by ourselves.

- Stefan

P.S.: Looking at JEP-200 I could not find to which module all the 
webstart classes belong.
E.g.: What module exports javax.jnlp?
Obviously these classes are only needed on desktop platforms and could 
be omitted on embedded devices and for applications installing a local 
version of the jdk.




Tim Boudreau wrote:
>
>     So one idea would be to allow webstart applications access to
>     internal apis.
>
>
> I'd think that'd be a recipe for the kind of security holes 
> modularizing the JDK is supposed to make impossible.
>
>     I guess there could be some versioning problems, though.
>
>
> To say the least.
>
> If it's a legitimate need, it sounds like perhaps some things need to 
> become API that aren't currently.
>
> -Tim
>



More information about the jigsaw-dev mailing list