[External] Re: deprecation of SecurityManager JEP 411
Geertjan Wielenga
geertjan at apache.org
Thu Feb 17 21:04:43 UTC 2022
Unless there is a phone home mechanism built into the SecurityManager,
nobody knows or can claim to know how widely the SecurityManager is being
used.
No, survey results don’t prove anything because people don’t fill in
surveys. No, calls for people to report on their usage don’t mean anything
in determining who and how many are using anything.
The assumption should be — in the absence of proof otherwise — that the
SecurityManager is very widely used, that where it is used it is mission
critical, and that unless there is a migration path to something at least
equivalent, deprecation should not be on the table.
Gj
On Thu, 17 Feb 2022 at 21:50, arjan tijms <arjan.tijms at gmail.com> wrote:
> Hi,
>
> On Thu, Feb 17, 2022 at 5:45 PM Bowes, David <d.h.bowes at lancaster.ac.uk>
> wrote:
>
>> Your argument follows ’10,000 lemmings can’t be wrong’....
>>
>
> I didn't mean to say that the 10k lemmings are right. What I was trying to
> say is that the JDK team was making a tool that 10k-1 lemmings are not
> using. So for the 1 lemming who is using the tool as intended, the costs of
> maintaining it are seemingly too high.
>
> Kind regards,
> Arjan
>
>
>
>>
>>
>> David
>>
>>
>>
>>
>>
>>
>> ------------------------------
>> *From:* arjan tijms <arjan.tijms at gmail.com>
>> *Sent:* Thursday, February 17, 2022 1:29:04 PM
>> *To:* Bowes, David <d.h.bowes at lancaster.ac.uk>
>> *Cc:* security-dev at openjdk.java.net <security-dev at openjdk.java.net>
>> *Subject:* [External] Re: deprecation of SecurityManager JEP 411
>>
>>
>> *This email originated outside the University. Check before clicking
>> links or attachments.*
>>
> Hi,
>>
>> On Wed, Feb 16, 2022 at 6:24 PM Bowes, David <d.h.bowes at lancaster.ac.uk>
>> wrote:
>>
>> I used the SecurityManger with great success to protect against
>> Log4JShell.
>>
>>
>>
>> [...] I would suggest that the SecurityManager does protect me from
>> singinficant threats.
>>
>>
>> While I don't disagree with you entirely, the problem is that seemingly
>> almost nobody actually uses the security manager to protect against things
>> like Log4JShell. The proof is in the pudding. If the security manager
>> indeed protected against that in practice to a sufficient degree, then
>> Log4JShell wouldn't have been a problem at all, would it? Yet it was, and
>> the security manager is still there at the moment.
>>
>> I understand one could argue that without the security manager the impact
>> of Log4JShell would have been even bigger, but I've not seen any evidence
>> stating that.
>>
>> Given the way Java is now predominantly used, I think a better choice
>> might be to have the Java applications run on virtual servers that restrict
>> at that virtual server level which domains and IPs outgoing traffic may
>> connect to.
>>
>> Finally, I think nobody is saying there is no value at all in the
>> security manager, but just that the amount of work required to maintain it
>> vs the practical benefits are non-optimal, at least with the current way
>> the security manager and its permissions and policies work.
>>
>> Kind regards,
>> Arjan Tijms
>>
>>
>>
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.org/pipermail/security-dev/attachments/20220217/ce39f664/attachment.htm>
More information about the security-dev
mailing list