Authorization layer API and low level access checks.

Remi Forax forax at univ-mlv.fr
Wed Jun 23 10:02:14 UTC 2021 

----- Mail original -----
> De: "Andrew Dinn" <adinn at redhat.com>
> À: "Peter Firmstone" <peter.firmstone at zeus.net.au>, "discuss" <discuss at openjdk.java.net>
> Cc: "security-dev" <security-dev at openjdk.java.net>
> Envoyé: Mercredi 23 Juin 2021 11:19:42
> Objet: Re: Authorization layer API and low level access checks.

> OHi Peter,
> 
> n 23/06/2021 04:02, Peter Firmstone wrote:
>>  1. StackWalker - Can stack walker be back ported to Java 8?
> 
> The right place to ask about this is the jdk8u updates project list.
> However, you probably don't need to ask there because the answer is
> almost certainly going to be a very loud no.
> 
> JDK8u is in long term maintenance mode. The goal of the updates project
> for that release is to fix security issues and critical bugs *and
> nothing else* so that existing deployments remain stable as far as
> possible. Except when required to meet those goals backporting of new
> functionality is done only under exceptional circumstances.
> 
> The only recent examples of new function backports that I am aware of
> have involved merging up functionality from downstream releases in order
> to 1) unify the platform and 2) enable downstream contributors to help
> to maintain a single, standard release i.e. highly exceptional cases
> where there was a problem for existing users. Your request, by contrast,
> is exactly the sort of case that maintainers are trying to avoid -- it
> will introduce change with no gain and the potential of breakage for the
> vast majority of users.
> 
> If you want to deal with  deployments pre and post removal of the
> Authorization support that you currently rely on I suggest you consider
> doing that by using a multi-release implementation and package it using
> the multi-release jar format. If you don't like the idea of
> multi-release jars you can still implement a standard jar format
> solution using a provider model. However, you will still need to build
> the alternative provider jars using the relevant JDK releases so that
> different providers can rely on different JDK capabilities..

Technically, you may not need several JDKs because you can ask javac to behave as if it was compiling like a previous JDK using the option "--release" (this option is also available with Maven and Gradle).
I believe that compiling as the release 8 will be supported up to Java 23.

> 
> regards,
> 
> 
> Andrew Dinn
> -----------
> Red Hat Distinguished Engineer
> Red Hat UK Ltd
> Registered in England and Wales under Company Registration No. 03798903
> Directors: Michael Cunningham, Michael ("Mike") O'Neill

regards,
Rémi

More information about the security-dev mailing list