RFR - CSR: 8213082: (zipfs) Add support for POSIX file permissions (was: Re: RFR 8213031: (zipfs) Add support for POSIX file permissions)

Alan Bateman Alan.Bateman at oracle.com
Wed Jan 2 11:45:15 UTC 2019

On 21/12/2018 13:43, Langer, Christoph wrote:
> Hi Alan,
>> Adding support for POSIX file permissions to the zip APIs is problematic
>> as we've been discussing here. There are security concerns and also
>> concerns that how it interacts with JAR files and signed JAR in
>> particular. I don't disagree that we can come to agreement on zipfs
>> supporting a solution but I think we need to get the bigger picture on
>> where this is going first. If the piece to change the java.util.zip APIs
>> is dropped then it would make these discussions a lot simpler as it
>> removes most of the security issues from the table.
> Yes, please consider changes to java.util.zip APIs as dropped. At least for the moment. I'm not saying I won't ever get back to that topic but maybe an enhancement of jdk.zipfs is already sufficient to provide the required Posix permission support for the Java platform.
I've looked at the updated CSR. It would be good to include the spec 
changes, meaning the javadoc update to jdk.zipfs/module-info.java where 
it will document that it supports PosixFileAttributeView. I suspect 
there is also a discussion point around owner/group as I can't tell from 
the CSR if the UNIX extra fields are being used to encode the uid/gid 
(the original spec did not envisage supporting PosixFileAttributeView 
without also supporting file ownership).


More information about the security-dev mailing list