Self-granted permissions do not improve correctness
David Lloyd
david.lloyd at redhat.com
Wed Jan 8 22:09:31 UTC 2025

The Java module system features several ways to restrict or grant access to
various capabilities. Two of these access permissions can be shown to be of
questionable benefit but clear detriment in practice. They are `reads` and
`uses`.

Both of these permissions, if not granted, cause a run time exception at
various points. Both can be trivially self-granted without any restriction
to speak of. I have been hard-pressed to identify any incorrect operation,
error condition, or security condition which is averted due to the presence
of these permissions. However, it is not hard to identify problems that they
introduce, especially in reflection-heavy frameworks.

If these were _privileges_ - able to be granted and revoked based on e.g.
lexical scope - then there could be some potential security/bug prevention
use in a similar vein as the security manager. But being permissions, once
granted, the grant is global and stays in place permanently, thus their
usefulness for this purpose is very limited.

I'd be interested in a practical example that shows the benefit of either
of these permissions to see what I'm missing. Otherwise my
inclination would be to request to deprecate and remove these grants (so
that `*` reads `*`, and `uses` would only be used for service binding
purposes, not run time validation).

Thanks.
--
- DML • he/him
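
The self-granting described in the message above, as an added illustration that is not part of the original post: a class in a named module that declares neither `requires` nor `uses` grants itself both at run time with `Module.addReads` and `Module.addUses`. The module name `demo.selfgrant`, the class `demo.SelfGrant`, and the choice of `java.logging` and `FileSystemProvider` as targets are assumptions made for the example.

```java
// Added illustration; all names below are hypothetical.
// Assumed layout:
//   src/demo.selfgrant/module-info.java   ->  module demo.selfgrant { }  (no requires, no uses)
//   src/demo.selfgrant/demo/SelfGrant.java -> this file
// Build: javac -d mods --module-source-path src -m demo.selfgrant
// Run:   java -p mods --add-modules java.logging -m demo.selfgrant/demo.SelfGrant
package demo;

import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.nio.file.spi.FileSystemProvider;
import java.util.ServiceConfigurationError;
import java.util.ServiceLoader;

public class SelfGrant {
    public static void main(String[] args) throws Exception {
        Module self = SelfGrant.class.getModule();
        Module logging = ModuleLayer.boot().findModule("java.logging").orElseThrow();
        // Loading a class by name does not require readability.
        Class<?> logger = Class.forName(logging, "java.util.logging.Logger");
        MethodType type = MethodType.methodType(logger);

        // `reads`: a method handle lookup across modules checks readability.
        System.out.println("canRead before: " + self.canRead(logging));
        try {
            MethodHandles.lookup().findStatic(logger, "getGlobal", type);
        } catch (IllegalAccessException e) {
            System.out.println("lookup refused: " + e.getMessage());
        }
        // addReads is permitted because the caller is inside `self`.
        self.addReads(logging);
        System.out.println("canRead after: " + self.canRead(logging));
        System.out.println("lookup ok: "
                + MethodHandles.lookup().findStatic(logger, "getGlobal", type));

        // `uses`: ServiceLoader.load checks the caller module's declaration.
        System.out.println("canUse before: " + self.canUse(FileSystemProvider.class));
        try {
            ServiceLoader.load(FileSystemProvider.class);
        } catch (ServiceConfigurationError e) {
            System.out.println("load refused: " + e.getMessage());
        }
        // addUses is likewise open to any caller inside `self`.
        self.addUses(FileSystemProvider.class);
        System.out.println("canUse after: " + self.canUse(FileSystemProvider.class));
        System.out.println("load ok: " + ServiceLoader.load(FileSystemProvider.class));
    }
}
```

Neither grant can be revoked afterwards: `Module` has no method that removes a read edge or a `uses` entry.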
More information about the jigsaw-dev mailing list