[External] : Re: JEP411: Missing use-case: Monitoring / restricting libraries
Alan Bateman
Alan.Bateman at oracle.com
Tue May 18 06:10:13 UTC 2021
On 18/05/2021 03:39, Peter Firmstone wrote:
> :
>
>
> Yes, I realize that, it is my understanding that because this is a
> security concern, it is not something the community is allowed to
> provide support for at OpenJDK, hence my suggestion to Alan, to make
> it possible for this to happen by changing the security level and
> calling it an access control layer concern.
>
Sorry, I was too busy and didn't have time to reply to your previous
mail on this and the performance anomaly in Java 14.

I'm dubious about your suggestion. Every issue or report that Java has a
security bug has to be analyzed on the assumption that it may be a
vulnerability. Saying that SM bypass or a ninja move that disables the
SM is not a security concern would create a perception issue. It would
get lost in the discussion that the SM is rarely used in the way that it
was envisaged 20+ years ago. The other thing is that it wouldn't remove
the ongoing burden to insert/audit permission checks, check that ACC are
captured and used in the right places, and of course testing as it's
another execution mode.
-Alan.