Review request: 8040059 Change default policy for extensions to no permission

Mandy Chung mandy.chung at
Wed Apr 23 16:14:16 UTC 2014

On 4/23/2014 8:19 AM, Sean Mullan wrote:
> On 04/22/2014 06:36 PM, Mandy Chung wrote:
>> Thanks for bringing up this question.  I missed to mention the open
>> question to follow up how we want to build the system java.policy. There
>> are platform-specific jar file and also different jar files in Oracle
>> JDK build.  I currently list them all in java.policy in this initial
>> patch.  One solution is to have one version of java.policy for each OS.
>> However this will suffer from the maintenance burden and also
>> error-prone as the current file.  I'd like to get the
>> feedback from the security team before attempting to modify the 
>> makefiles.
> We had a similar issue with the file where 
> Oracle-specific packages were being added to the 
> package.access/definition properties in the OpenJDK 
> files; thus polluting the source code with packages that were 
> Oracle-specific.
> I fixed this in JDK 8:
> Basically it involved keeping a list of the non-OpenJDK packages that 
> were to be restricted in the closed repo, and creating a Java program 
> that appended these to the properties in the file when 
> the build included the closed sources.

Thanks Sean.   This patch separates the Oracle-specific content from the 
OpenJDK files.   Is there any plan to handle<os> differently (I recalled there is a RFE for it and a 
large part of the content is duplicated)?   If this is work-in-progress, 
I want to make sure to use a similar mechanism for java.policy.


More information about the security-dev mailing list