JEP 411, removal of finalizers, a path forward.
Florian Weimer
fweimer at redhat.com
Mon Aug 2 06:23:43 UTC 2021
* Peter Firmstone:
> From our discussions, my interpretation is that OpenJDK is constrained
> by corporate security policy; any issues with SecurityManager
> infrastructure will be treated as confidential security issues and
> have to be fixed with internal resources. Community volunteers won't
> be allowed to handle them. Hence it's the maintenance burden. I see
> this maintenance cost as a bureaucratic management issue, rather than
> an issue with SM per se.
The dynamics would likely change if the community started fixing issues.
A starting point could be speculative execution vulnerabilities, which
are currently out of scope for the OpenJDK security process:
Java and Speculative Execution Vulnerabilities
<https://mail.openjdk.java.net/pipermail/vuln-announce/2019-July/000002.html>
I think any use of the security manager for isolation purposes would
have to address those issues.
Thanks,
Florian
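To make the isolation point concrete, here is an added example (not code from the message above or from OpenJDK) of the kind of SecurityManager-based sandbox the thread is discussing: a minimal manager that denies file reads to all code in the process. The class and method names are hypothetical. What it demonstrates is that SecurityManager enforcement is a policy check on explicit API calls made through the JDK; the check says nothing about what co-resident code can learn through side channels in the same address space, which is why the speculative-execution advisory linked above is relevant to any isolation use of this mechanism.

```java
import java.io.FilePermission;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.Permission;

// Hypothetical minimal sandbox: deny-by-rule SecurityManager that refuses
// file reads. Everything else is allowed so the demo stays small.
public class SandboxDemo {

    static final class DenyFileReads extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            // Files.readString -> FileSystemProvider.checkRead -> this check.
            if (perm instanceof FilePermission && perm.getActions().contains("read")) {
                throw new SecurityException("sandbox denied read of " + perm.getName());
            }
            // All other permissions (RuntimePermission, PropertyPermission, ...)
            // pass in this demo; a real policy would be deny-by-default.
        }

        @Override
        public void checkPermission(Permission perm, Object context) {
            checkPermission(perm);
        }
    }

    // Returns true if the sandbox blocked the read, false if it went through.
    static boolean readIsBlocked(Path target) {
        try {
            Files.readString(target);
            return false;
        } catch (SecurityException e) {
            return true;
        } catch (java.io.IOException e) {
            // File missing or unreadable for non-policy reasons; still not blocked by policy.
            return false;
        }
    }

    public static void main(String[] args) {
        // On JDK 18 and later this call throws UnsupportedOperationException
        // unless the JVM was started with -Djava.security.manager=allow (JEP 411).
        System.setSecurityManager(new DenyFileReads());

        Path target = Path.of("/etc/hostname"); // arbitrary readable file for the demo
        System.out.println("read blocked by policy: " + readIsBlocked(target));
        // Note: nothing here constrains what this same process can infer about
        // memory contents via timing or cache effects; that is outside the
        // SecurityManager model entirely.
    }
}
```

Run with `java -Djava.security.manager=allow SandboxDemo` on JDK 18+ (JDK 17 accepts the call with a deprecation warning). The manager blocks the explicit read, but it is a check at the API boundary only; isolating untrusted bytecode from the rest of the process's memory is a separate problem that this mechanism does not address.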
More information about the security-dev mailing list