PrivilegedAction et al and JEP411

Peter Firmstone peter.firmstone at zeus.net.au
Tue Jun 20 10:27:07 UTC 2023


I understand the economic motivations behind the decision, call that a 
corporate plot if you like.   Do I have to be happy about it?  No.

There is no practical way to reimplement authorization at the 
application level without some underlying support from the JVM. If I 
remove it from my application, there will be security holes and it will be 
vulnerable; therefore, I am unable to do anything about it. I have come 
to the conclusion it is outside of my control. Do I have the budget to 
rearchitect?  No.  There's no guarantee, if I redesign from the ground 
up, that it would be any more secure anyway; the cost is sunk and I have to 
live with it.

Maybe try seeing it from my perspective, I can see it from yours.   Of 
course you can continue name calling / making an assessment of my mental 
state if you want, but it only diminishes your character in my eyes, it 
doesn't insult me.  Usually when the name calling starts it means the 
argument has been lost.  I think you're smart enough to come up with 
some good technical arguments and don't need to resort to name 
calling.   Maybe try cooling off and replying later, that is of course 
if you want to.   I haven't taken it personally, everyone has their good 
and bad days.

The new encapsulation improvements sound promising; if I were a young 
developer, without existing software to maintain, I think I would be 
happy about it.

-- 
Regards,
  
Peter

On 20/06/2023 7:33 pm, Andrew Dinn wrote:
> On 19/06/2023 23:44, Peter Firmstone wrote:
>> OpenJDK devs have worked hard to improve encapsulation, however 
>> OpenJDK has made it abundantly clear, that even if the community 
>> could maintain and improve a feature, corporate has the final say and 
>> will do whatever they want anyway, as much as I appreciate the hard 
>> work of OpenJDK developers, corporate has the last say.
>
> Peter, just because you keep repeating this garbage it does not become 
> any more true by that mere fact of repetition.
>
> Any OpenJDK project contributor is able to raise reasoned objections 
> to changes if grounded in problems that they might entail and any 
> reviewer can prohibit a change on the basis of a legitimate such 
> objection.
>
> The truth your repeated claims belie is that no one in the project has 
> tried to stop removal of the security manager because no reviewer has 
> heard any argument for keeping it that outweighs the overwhelming 
> benefits to the great majority of our users of not having it 
> (including yours). You may not agree with that judgement but 
> pretending to yourself that this is happening because of some 
> corporate plot to stop the project doing the right thing is delusional.
>
> regards,
>
>
> Andrew Dinn
> -----------
>


