[External] : Re: JEP411: Missing use-case: Monitoring / restricting libraries

Ron Pressler ron.pressler at oracle.com
Tue May 18 00:21:56 UTC 2021



> On 18 May 2021, at 01:11, Peter Firmstone <peter.firmstone at zeus.net.au> wrote:
> 
> Your ideas are great in theory; in practice, the problem with your Agent proposal is that every JVM release needs to be reviewed, and we have to review Java's internal implementation code, and understand it, in order to instrument it.

Absolutely. But that is exactly the work OpenJDK maintainers are required to do today to support something most 
people want better alternatives for at the expense of those better alternatives and other work.

> 
> Maybe if you put hooks (annotations?) into the JVM code, so it was easier for agents to know which calls need to be controlled for access decisions? But then if not many people are using it, it will suffer neglect.

Yeah, it sounds neither here nor there, but the relevant maintainers will consider it.

> 
> It's your existing userbase, with over 50% still using Java 8, that needs convincing, and who will be the ultimate judge of the success or failure of this decision.

If you have data that contradicts our estimate of Security Manager usage among Java 8 users, please present it.

- Ron
