JEP 411, removal of finalizers, a path forward.

Florian Weimer fweimer at
Mon Aug 2 06:23:43 UTC 2021

* Peter Firmstone:

> From our discussions, my interpretation is that OpenJDK is constrained
> by corporate security policy; any issues with SecurityManager
> infrastructure will be treated as confidential security issues and
> have to be fixed with internal resources. Community volunteers won't
> be allowed to handle them.  Hence it's the maintenance burden.  I see
> this maintenance cost as a bureaucratic management issue, rather than
> an issue with SM per se.

The dynamics would likely change if the community started fixing issues.

A starting point could be speculative execution vulnerabilities, which
are currently out of scope for the OpenJDK security process:

  Java and Speculative Execution Vulnerabilities

I think any use of the security manager for isolation purposes would
have to address those issues.


More information about the jdk-dev mailing list