JEP 411, removal of finalizers, a path forward.

Andrew Dinn adinn at redhat.com
Mon Aug 2 13:07:15 UTC 2021 

On 02/08/2021 11:33, Peter Firmstone wrote:
> I think you may be misinterpreting my comment, let me clarify:

Really? I'd suggest only if you stretch the meaning of your words beyond 
their elastic limit.

> I'm assuming that during the process of removal of security manager, any 
> external ports or process hooks that we can only turn off now by not 
> granting a permission will be replaced by a command line property or 
> something similar?  Eg, Agents, Management, etc. If this is the case, it 
> would be nice if they were set to off by default, such that they needed 
> to be enabled from the command line.  It's a suggestion. . . .
They might be or they might not be replaced -- and, indeed, you are 
welcome to help the project to make that a possibility. However, even if 
they were not replaced or enabled as default behaviours the platform 
would not fail to be 'secure by default'. At worst, it might be lacking 
belt and braces when it comes to available means for enforcing some 
specific forms of control over execution -- controls that can be used to 
resolve some security problems, but not exclusively. Yet, you keep using 
language that implies the loss of the security manager is a significant 
threat to the security of OpenJDK/Java.

Claiming now that all you meant was that you would like to have APIs 
that give you similar mechanisms to what is being removed does not was 
and will not validate the use of such exaggerated language. Nor do such 
statements give anyone confidence that you are able to identify clear 
and compelling requirements and assess the effort that might be needed 
to satisfy them and maintain an implementation.

So, maybe you should just stop making out that your concerns are a major 
problem to most developers and that they threaten the integrity of the 
platform and instead concentrate on identifying simple and maintainable 
APIs that we can feasibly add to OpenJDK without incurring an 
unjustifiable maintenance burden.

regards,


Andrew Dinn
-----------
Red Hat Distinguished Engineer
Red Hat UK Ltd
Registered in England and Wales under Company Registration No. 03798903
Directors: Michael Cunningham, Michael ("Mike") O'Neill

More information about the security-dev mailing list