java.library.path fix for MacOS X (7145798)

Mike Swingler swingler at apple.com
Fri Feb 17 16:36:26 PST 2012


On Feb 17, 2012, at 2:57 PM, Daniel D. Daugherty wrote:

> Thanks Paul!
> 
> If I could get one more person with "Reviewer" status
> that would be great!
> 
> Mike Swingler or someone else from Apple, come on down!

I don't feel comfortable reviewing this in terms of the potential security impact, which should be evaluated by an Oracle engineer.

From a purely technical point of view, the patch does exactly what it says it does, though I'd prefer to shorten the comment to simply:
// Appending "." to maintain compatibility with Apple's previous JDKs,
// which prepend "." to the java.library.path. This is an intentional
// variation from Linux and Solaris, and also matches Windows behavior.

On Feb 17, 2012, at 3:52 PM, Michael Hall wrote:

> On Feb 17, 2012, at 5:35 PM, Daniel D. Daugherty wrote:
> 
>> On 2/17/12 4:13 PM, Michael Hall wrote:
>>> On Feb 17, 2012, at 4:43 PM, Daniel D. Daugherty wrote:
>>> 
>>>> On 2/17/12 3:36 PM, James Melvin wrote:
>>>>>> Are there any security issues with using dot on a search path?
>>>>> Yes.  But if I told you, I'd have to delete you.  :)
>>>> Ahhhhh.... security geek humor...
>>>> 
>>>> It brings back fond memories...
>>> More or less curiosity.
>>> One thing I was wondering about, this is specific to OS X java ongoing, was whether or not there would be any concerns with however accessing native libs is handled in relation to applications ending up in the Apple app store?
>> 
>> I'm having trouble parsing the above paragraph...
>> 
>> Rather than me guessing, can you repost the question?
> 
> I'm not looking to be a spokesperson for anyone. If Mike Swingler is going to review maybe he could just generally address any app store issues he can think of.
> But to try and clarify my statement, my understanding is that Apple has in the past had an unfortunate tendency to reject java applications because they bundle java. I have seen passing comments on the macosx-port list that issues like this are being kept in mind so that developers will be more successful with submitted java applications in the future.
> I wondered if there might be any concerns for successful submissions depending on what JNI or how JNI is bundled for getting an application into the app store?

The Mac App Store rejects applications that use deprecated or optionally installed technologies. Java SE 6, as provided by Apple, is both deprecated and optionally installed. Apps that bundle their own JRE don't have this problem. That's it.

Apps from the Mac App Store can load additional libraries, however I think it is only prudent for them to restrict their loading to libraries within their own code signed bundle.

Mike Swingler
Apple Inc.
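
Added example, not part of the thread or of the patch under review: a Java sketch of the two checks the discussion points at, namely spotting java.library.path entries such as "." that depend on the current working directory, and loading a native library only from an absolute path inside the application's own library directory. The class name, method names and the bundle directory argument are hypothetical; the code confines loading to a directory and does not itself verify a code signature.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class BundleLibraryLoader {  // hypothetical name, for illustration only

    /** Returns the search-path entries that resolve against the current working directory. */
    static List<String> cwdRelativeEntries(String libraryPath) {
        List<String> risky = new ArrayList<>();
        // Limit -1 keeps trailing empty entries, which are flagged as well
        // (conservative assumption: an empty entry may be read as ".").
        for (String entry : libraryPath.split(Pattern.quote(File.pathSeparator), -1)) {
            if (entry.isEmpty() || !Paths.get(entry).isAbsolute()) {
                risky.add(entry.isEmpty() ? "<empty>" : entry);
            }
        }
        return risky;
    }

    /** Resolves libName to a real file inside bundleLibDir, or throws. */
    static Path resolveInBundle(Path bundleLibDir, String libName) throws IOException {
        Path root = bundleLibDir.toRealPath();            // follows symlinks
        Path candidate = root.resolve(System.mapLibraryName(libName)).toRealPath();
        if (!candidate.startsWith(root)) {                // symlink or ".." escaped the bundle
            throw new SecurityException("library resolves outside bundle: " + candidate);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample value, not taken from any real installation.
        String sample = String.join(File.pathSeparator, "/usr/lib/java", ".", "libs", "");
        System.out.println("sample, cwd-relative entries: " + cwdRelativeEntries(sample));
        System.out.println("this JVM, cwd-relative entries: "
                + cwdRelativeEntries(System.getProperty("java.library.path", "")));

        if (args.length == 2) {
            // args[0]: the app's own library directory (assumption), args[1]: library name.
            // System.load takes an absolute path, so java.library.path is not searched at all.
            System.load(resolveInBundle(Paths.get(args[0]), args[1]).toString());
        }
    }
}
```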



More information about the macosx-port-dev mailing list