JEP411: Missing use-case: Monitoring / restricting libraries

Sean Mullan sean.mullan at oracle.com
Thu May 13 12:59:02 UTC 2021 


On 5/13/21 6:00 AM, Ron Pressler wrote:
> 
> 
>> On 13 May 2021, at 10:32, Peter Firmstone <peter.firmstone at zeus.net.au> wrote:
>>
>> So it targets 17.
> 
> I don’t know. I think that’s still TBD, but perhaps others know more.

At this point, yes, we are planning to target the JEP to JDK 17.

>> It would be nice to have certainty about which release it will be removed from, for planning purposes.   Again it would seem that this isn't a consideration of OpenJDK.
> 
> It very much is, which is why we have the deprecation and removal policy. Please
> read the JEP carefully. In addition to deprecation and removal, this JEP also proposes
> an interim step of degradation prior to removal. Removal, as the JEP says, will only
> be done once it no longer poses a big compatibility threat. At the fastest pace possible
> removal is more than a year away, though it will likely be longer than that.

The JEP does have a section on this:

"In future JDK releases, we may degrade the Security Manager APIs so 
that they remain in place but have limited or no functionality. For 
example, we may revise AccessController::doPrivileged simply to run the 
given action, or revise System::getSecurityManager always to return 
null. This would allow libraries that support the Security Manager and 
were compiled against previous Java releases to continue to work without 
change or even recompilation. Once the compatibility risk has declined 
to an acceptable level, we expect to remove the APIs."

So, if the JEP is targeted to 17, then the Security Manager will be 
deprecated for removal but will still be fully functional and supported 
in 17.

*Disclaimer: The next part is forward thinking, and subject to change.*

Once we start degrading the APIs, the functionality of the Security 
Manager may not fully work as before, so in that sense you might 
consider it "removed". We don't yet have a definitive timeline for that, 
it may occur in the next release, or it may not, but it will probably 
occur within a few releases after the release it is targeted to.

--Sean

> 
>>
>> Is there an OpenJDK community project group that maintains older Java versions I can join?
>>
> 
> Yes, that would be the Updates Project.
> 
> — Ron
>

More information about the security-dev mailing list