JEP 411, removal of finalizers, a path forward.

Andrew Dinn adinn at redhat.com
Sun Aug 1 13:15:29 UTC 2021


On 01/08/2021 03:14, Peter Firmstone wrote:
> I'm working on the assumption that OpenJDK will close any external holes 
> currently defended by permission checks.  It would be good if the JDK 
> was secure by default, with properties required to be set for allowing 
> such things as agents, management, parsing XML and serialization.

You need to stop repeating this canard. There is no absolute need for 
OpenJDK to retain a security mechanism to deal with problems that for 
almost every use case are better solved by using non-OpenJDK 
alternatives (such as OS security measures). Indeed, it's the other way 
round: there is an imperative for the project to spend precious 
resources on alternative capabilities (not necessarily security related).

The fact that your software can no longer profit from this specific 
mechanism is a /special case/ which means any loss incurred is a 
/special loss/ not a general one. Users who rely on your software for 
the security guarantees you claim it provides may well no longer be able 
to do so once this mechanism is removed. However, claiming that this 
implies Java is no longer secure by default is a /gross/ 
misrepresentation of what is at stake.

Java can be used perfectly well to implement secure applications without 
the security manager. That's evidenced by two facts: on the one hand 
experience has shown that most programs that rely on the security 
manager are not actually more secure because of using it; on the other 
hand there are many highly secure Java programs out there in the field.

The fact that your software will no longer provide a specific route to 
implementing a certain type of security capability may be a great loss 
to you but it is not a significant loss, never mind some absolute loss 
in kind, to Java and Java application developers. I recommend you stop 
repeating this distorted opinion. Its only effect will be to squander the 
goodwill of those currently trying to help you, people whose driving 
interest is nothing other than to make OpenJDK a better product.

regards,


Andrew Dinn
-----------
Red Hat Distinguished Engineer
Red Hat UK Ltd
Registered in England and Wales under Company Registration No. 03798903
Directors: Michael Cunningham, Michael ("Mike") O'Neill



