JEP411: Missing use-case: Monitoring / restricting libraries

Peter Firmstone peter.firmstone at zeus.net.au
Fri May 14 07:49:14 UTC 2021


Thanks for confirming.

Cheers,

Peter.

On 13/05/2021 10:59 pm, Sean Mullan wrote:
>
>
> On 5/13/21 6:00 AM, Ron Pressler wrote:
>>
>>
>>> On 13 May 2021, at 10:32, Peter Firmstone 
>>> <peter.firmstone at zeus.net.au> wrote:
>>>
>>> So it targets 17.
>>
>> I don’t know. I think that’s still TBD, but perhaps others know more.
>
> At this point, yes, we are planning to target the JEP to JDK 17.
>
>>> It would be nice to have certainty about which release it will be 
>>> removed from, for planning purposes.   Again it would seem that this 
>>> isn't a consideration of OpenJDK.
>>
>> It very much is, which is why we have the deprecation and removal 
>> policy. Please
>> read the JEP carefully. In addition to deprecation and removal, this 
>> JEP also proposes
>> an interim step of degradation prior to removal. Removal, as the JEP 
>> says, will only
>> be done once it no longer poses a big compatibility threat. At the 
>> fastest pace possible
>> removal is more than a year away, though it will likely be longer 
>> than that.
>
> The JEP does have a section on this:
>
> "In future JDK releases, we may degrade the Security Manager APIs so 
> that they remain in place but have limited or no functionality. For 
> example, we may revise AccessController::doPrivileged simply to run 
> the given action, or revise System::getSecurityManager always to 
> return null. This would allow libraries that support the Security 
> Manager and were compiled against previous Java releases to continue 
> to work without change or even recompilation. Once the compatibility 
> risk has declined to an acceptable level, we expect to remove the APIs."
>
> So, if the JEP is targeted to 17, then the Security Manager will be 
> deprecated for removal but will still be fully functional and 
> supported in 17.
>
> *Disclaimer: The next part is forward thinking, and subject to change.*
>
> Once we start degrading the APIs, the functionality of the Security 
> Manager may not fully work as before, so in that sense you might 
> consider it "removed". We don't yet have a definitive timeline for 
> that, it may occur in the next release, or it may not, but it will 
> probably occur within a few releases after the release it is targeted to.
>
> --Sean
>
>>
>>>
>>> Is there an OpenJDK community project group that maintains older 
>>> Java versions I can join?
>>>
>>
>> Yes, that would be the Updates Project.
>>
>> — Ron
>>


More information about the security-dev mailing list