Potential for sensitive runtime information to land in AOT archives
Danny Thomas
dannyt at netflix.com
Mon Nov 3 04:09:39 UTC 2025
Hi folks,
We're thinking ahead to caching compiled code and other optimisations
that might include runtime information that wouldn't otherwise be available
if you had access to the application classpath. I caught Dan's JavaOne talk
recently, and it sounds like the assembly phase is intended to be hermetic
and avoid exactly this kind of complication, but wanted to ask explicitly
if we need to think ahead to having to treat AOT archives more carefully
than the runtime classpath as features that cache compiled code begin to
land?
Our job is made so much easier if we only need to be concerned about the
provenance of an AOT archive, but when a colleague asked me about runtime
decrypted secrets finding their way into static fields for example, I
realised I didn't have a complete understanding of how far the caching of
compiled code might go.
Cheers,
Danny