Will we need to use the --enable-native-access option to enable JNI in the future?

Andrew Haley aph-open at littlepinkcloud.com
Sat Sep 25 17:04:59 UTC 2021


On 9/24/21 10:46 AM, Maurizio Cimadamore wrote:
> 
> On 24/09/2021 04:53, Samuel Audet wrote:
>> I think your main point is that the "application packager has no way 
>> to be notified when _something_ changes in the dependencies of his/her 
>> application", which sounds reasonable, but I don't see when that would 
>> be a problem. Could you elaborate on this scenario? In my book, 
>> "application packagers" are also programmers, so they already do 
>> things like test applications in multiple environments anyway (with 
>> and without sudo-like permissions), so I think that any changes in the 
>> dependencies would easily show up at that stage. Do you have a 
>> counterexample in mind? 
> 
> The counterexample I have in mind is auditing. If you distribute a 
> binary in the wild, you probably want to be very careful not only about 
> what your application does, but also whether your code has dependencies 
> on libraries which might do something strange.

For a real-world example of this, I've had JVM crashes that look like
heap corruption, and asked a customer whether there was any native code
involved: it's always useful to exclude that possibility early in the
process. I got the answer "no", and struggled to replicate the bug. When
I eventually did replicate it, there was indeed a native library. One of
the libraries used by the customer, unknown to them, hid a native library
in the jarfile, unpacked it into /tmp, and deleted it from /tmp when the
program terminated.

-- 
Andrew Haley  (he/him)
Java Platform Lead Engineer
Red Hat UK Ltd. <https://www.redhat.com>
https://keybase.io/andrewhaley
EAC8 43EB D3EF DB98 CC77 2FAD A5CD 6035 332F A671
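
For the auditing concern raised in this message, a jar and its nested dependency jars can be checked for bundled native binaries before shipping. The sketch below is an added example, not part of the original e-mail or of any OpenJDK tooling; the function names and the sample jar contents are constructed for illustration.

```python
import io
import zipfile

NATIVE_EXT = (".so", ".dll", ".dylib", ".jnilib")
ARCHIVE_EXT = (".jar", ".war", ".ear", ".zip")
# Fat Mach-O (CAFEBABE) is omitted: Java class files share that magic.
MAGIC = ((b"\x7fELF", "ELF"), (b"MZ", "PE"), (b"\xcf\xfa\xed\xfe", "Mach-O"))


def classify(name, head):
    """Return the kind of native binary, or None for ordinary entries."""
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    return "native-ext" if name.lower().endswith(NATIVE_EXT) else None


def find_native(data, path="", depth=0, max_depth=4):
    """Yield (entry path, kind) for native code in a jar given as bytes."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            full = f"{path}!/{info.filename}" if path else info.filename
            with zf.open(info) as fh:
                kind = classify(info.filename, fh.read(4))
            if kind:
                yield full, kind
            elif info.filename.lower().endswith(ARCHIVE_EXT) and depth < max_depth:
                yield from find_native(zf.read(info), full, depth + 1, max_depth)


def make_sample_jar():
    """Constructed sample: a fat jar whose nested dependency hides an ELF blob."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("META-INF/resources/codec.bin", b"\x7fELF\x02\x01\x01\x00")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("app/Main.class", b"\xca\xfe\xba\xbe\x00\x00\x00\x3d")
        zf.writestr("BOOT-INF/lib/codec-1.0.jar", inner.getvalue())
        zf.writestr("native/win/helper.dll", b"MZ\x90\x00")
    return outer.getvalue()


if __name__ == "__main__":
    for entry, kind in find_native(make_sample_jar()):
        print(f"{kind:10} {entry}")
```

Matching on leading bytes as well as on file extension catches a native library stored under a neutral name such as `codec.bin`; the two-byte `MZ` check is a heuristic and can flag non-binary entries that happen to start with those characters.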

