[External] : Re: JEP 411: Disable warning message with flag?
Ron Pressler
ron.pressler at oracle.com
Tue Jun 1 08:56:09 UTC 2021
> On 31 May 2021, at 22:53, Chapman Flack <chap at anastigmatix.net> wrote:
>
>
> I am not sure what you are getting at with goal 3. Will the warning
> phone home?
No, but it will make users aware, and that awareness can be measured or
estimated.
>
> I am also sort of wondering what's to become of some of the familiar
> known rules in the post-SM world. Will getClassLoader() become always
> allowed, whether the loader is an ancestor or not? Will
> setContextClassLoader() be a free-for-all? checkGuard()? ...?
>
> Is it confidently believed that the JPMS encapsulation suffices for
> integrity enforcement and non-circumvention with all of those former
> familiar rules relaxed?
>
Someone on the security team would be better placed to answer those questions
but it is not our goal to provide a sandbox in the JDK or replace the current
functionality of the Security Manager. We believe the module system, once
encapsulation is fully made airtight, will significantly reduce the JDK’s
attack surface area (and that of any other component the application chooses
to encapsulate).
— Ron
More information about the security-dev
mailing list