PRE-RFR: 8177154: Default configuration should disallow loading agents

Andrew Dinn adinn at redhat.com
Fri Mar 24 10:09:33 UTC 2017


On 24/03/17 09:48, Alan Bateman wrote:
> This does not send us back to the pre JDK 6. The changes have no impact
> on the troubleshooting tools and no impact on management tools that use
> the attach API to start the JMX agent in the running VM. The change is
> simply to make loading of arbitrary code with the attach API opt-in. On
> the server then the launch script can specify the proposed option
> and tools that are loading agents will not see a difference.

You are right, Alan, that /strictly/ this doesn't send us back to the
pre JDK 6. As you say, users can opt in rather than opt out. But they
can also make that choice, mutatis mutandis, if the default is reversed.
So, the argument here regards on which side the choice lies.

The point I think Remi is making is that /pragmatically/ we will be back
in pre-JDK6 land with the current proposed default. You blithely use the
words 'the launch script can specify' above. In practice, your use of
the definite article belies the fact that there is not 'a' launch script
but a plethora of command lines and scripts employed by a multitude of
users. It is the practical concerns involved in managing the complexity
that that multiplicity implies I am concerned with. I think I probably
speak for Remi here too and, perhaps, other agent implementors. I'd
like to see a much better argument for the security benefits of this
change before it gets rolled into a release.

regards,


Andrew Dinn
-----------
Senior Principal Software Engineer
Red Hat UK Ltd
Registered in England and Wales under Company Registration No. 03798903
Directors: Michael Cunningham, Michael ("Mike") O'Neill, Eric Shander


More information about the hotspot-runtime-dev mailing list