To comment on the following update, log in, then open the issue:
http://www.openoffice.org/issues/show_bug.cgi?id=81973





------- Additional comments from [EMAIL PROTECTED] Thu Sep 27 08:17:03 +0000 2007 -------
ad 1. Office does not have control about what jars are used.

So what?

- Office doesn't have any control of Office Java extension jars anyway. 
- Office does not have any control over the jars in the Java extension
directories (except, of course, for not supplying the ext.dirs info).
- Office does not have any control over Java apps that get started via JNI by
any extension. 

What is your concrete security concern? 

What use-cases do you think about, that would pose a security threat to an
Office extension written in Java (and that would not exist in C++ written
extensions) that would make it unacceptable to supply the CLASSPATH to the Java
extension?

[Office is not a web-browser or web-start like application, where you would
really have to be wary about security concerns as uncontrollable jars from the
net would be downloaded and executed on your local machine at all times and in
an uncontrollable manner. Hence the sandbox-model notion there.] 

---

Following your stance would mandate that Office stops supplying the currently
set PATH environment variable to its extensions and scripts! Office does not
have control over the applications or DLLs either. [There your security concerns
would be even more valid.]

----------------------------------------------------------------------

ad 2. One can use the class path configuration in the options dialog.

The class path configuration options dialog does unfortunately *not* solve the
problem at all. The reason: you cannot set that information for a Java extension
at installation time as there are no UNO APIs available to define those values! 

This means that you would need to have the Office *user* enter correctly
sensible Java configuration values *by hand* into the dialog. Such a user would
need to know the correct local Java setup (and probably the set CLASSPATH
values). Now imagine that that user is not a programmer like you and me, but a
secretary or a manager and you see the problem there. Of course you could have
the admin do all that setup (by hand??), should you have an admin in the first
place! But in larger shops the admin would be over-exercised walking from
machine to machine to drive the class path dialog manually!

---

If the CLASSPATH environment variable got set for Java apps, then there is
usually a compelling (configuration) reason for that. It allows admins and
Java extension developers to create a very flexible and easily maintainable
environment on any client machine.

---rony


P.S.: BTW, does Office dispatch Java code with a security manager set, because
of security concerns? 



---------------------------------------------------------------------
Please do not reply to this automatically generated notification from
Issue Tracker. Please log onto the website and enter your comments.
http://qa.openoffice.org/issue_handling/project_issues.html#notification

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

