On Wed, 16 Aug 2023 14:45:25 GMT, Sergey Bylokhov <[email protected]> wrote:
> I disagree for a few reasons, using that property will completely disable the
> appropriate patch for a fix in the CPU, and it will be possible to
> have/accept some malicious zip files which may trigger some unfortunate
> behavior. That is not what we would like to recommend doing. Validation of
> the negative values is much more important.

Changes that introduce new checks or dial up validation are often risky changes. The JDK has a long history of introducing such changes with a system property or some means to temporarily disable the stricter checking, at least when the spec allows it. You may disagree with this long standing practice but it is a necessary evil to give a temporary workaround for environments that might need a bit of time to fix something after a JDK upgrade.

There is of course risk in that but I don't think we can get into that discussion here. As I think has already been said, we can't engage with you in this PR on the reasons why additional checking was added in a security update.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/15273#issuecomment-1680842611
