It's not too late for access control

Andrew Dinn adinn at redhat.com
Mon Jul 18 07:32:50 UTC 2016


On 16/07/16 11:34, dalibor topic wrote:
> 
> 
> On 15.07.2016 22:25, Jason T. Greene wrote:
>> The assumption you seem to make is that the use case of reflective
>> access to internal packages is wrong, poor programming practice, or
>> an error.
>>
>> That couldn't be further from the truth.
> 
> As with many things, it kind of depends on who you ask:
> https://www.securecoding.cert.org/confluence/display/java/SEC05-J.+Do+not+use+reflection+to+increase+accessibility+of+classes,+methods,+or+fields
> 
> ...
> 
> In short, let's not argue about absolute statements one way or the other
> if we can avoid it.

If you reread Jason's statement above I think you will notice that this
is the point of his statement, to reject one such extreme. He did not
thereby recommend careless use of a potentially insecure capability.
Indeed he has taken great care to emphasise that what he wants (and what
I want) is a module system which provides a safe, controlled way of
opening up access to non-public members, retaining the opportunity to
implement the rich software tools that we currently have.

So, in sum, straw man, Dalibor.

regards,


Andrew Dinn
-----------
Senior Principal Software Engineer
Red Hat UK Ltd
Registered in England and Wales under Company Registration No. 03798903
Directors: Michael Cunningham, Michael ("Mike") O'Neill, Eric Shander
