Re: RFR: 8330542: Add two sample configuration files in preparation for a more secure by default configuration [v4]
On Tue, 23 Apr 2024 18:57:44 GMT, Sean Mullan wrote:

> A few other comments/questions:
>
> Does this need a CSR since you are adding new property files?

Not sure it does, but Joe will follow up with Joe Darcy

> Are there any tests to ensure the property files are working correctly?

There are tests that Joe added as part of the JDK 22 work for custom config files

> Also, how does one try out these property files? Is there a system property
> that needs to be set? Can you add more details to the RN on that?

java -Djava.xml.config.file=$JAVA_HOME/conf/jaxp-compat.properties

The property was added in JDK 22 see: https://docs.oracle.com/en/java/javase/22/docs/api/java.xml/module-summary.html#Conf_CF_SP

PR Comment: https://git.openjdk.org/jdk/pull/18831#issuecomment-2073248701
Re: RFR: 8330542: Add two sample configuration files in preparation for a more secure by default configuration [v4]
On Fri, 19 Apr 2024 21:55:09 GMT, Joe Wang wrote:

>> Add two sample configuration files:
>>
>> jaxp-strict.properties: used to set strict configuration, stricter than
>> jaxp.properties in previous versions such as JDK 22
>>
>> jaxp-compat.properties: used to regain compatibility from any more
>> restricted configuration than previous versions such as JDK 22
>
> Joe Wang has updated the pull request incrementally with one additional
> commit since the last revision:
>
>   changes description of jaxp-compat and jaxp-strict after discussing with
>   Lance

Marked as reviewed by lancea (Reviewer).

PR Review: https://git.openjdk.org/jdk/pull/18831#pullrequestreview-2018094529
Re: RFR: 8330542: Add two sample configuration files in preparation for a more secure by default configuration [v4]
On Fri, 19 Apr 2024 21:55:09 GMT, Joe Wang wrote:

>> Add two sample configuration files:
>>
>> jaxp-strict.properties: used to set strict configuration, stricter than
>> jaxp.properties in previous versions such as JDK 22
>>
>> jaxp-compat.properties: used to regain compatibility from any more
>> restricted configuration than previous versions such as JDK 22
>
> Joe Wang has updated the pull request incrementally with one additional
> commit since the last revision:
>
>   changes description of jaxp-compat and jaxp-strict after discussing with
>   Lance

A few other comments/questions:

Does this need a CSR since you are adding new property files?

Are there any tests to ensure the property files are working correctly?

Also, how does one try out these property files? Is there a system property that needs to be set? Can you add more details to the RN on that?

PR Comment: https://git.openjdk.org/jdk/pull/18831#issuecomment-2073203196
Re: RFR: 8330542: Add two sample configuration files in preparation for a more secure by default configuration [v4]
On Fri, 19 Apr 2024 21:55:09 GMT, Joe Wang wrote:

>> Add two sample configuration files:
>>
>> jaxp-strict.properties: used to set strict configuration, stricter than
>> jaxp.properties in previous versions such as JDK 22
>>
>> jaxp-compat.properties: used to regain compatibility from any more
>> restricted configuration than previous versions such as JDK 22
>
> Joe Wang has updated the pull request incrementally with one additional
> commit since the last revision:
>
>   changes description of jaxp-compat and jaxp-strict after discussing with
>   Lance

It might just be me, but the word "sample" is so related to programming examples that it makes this feel like something that users may not take seriously. But I think this is something that you really want users to take seriously and try out. Perhaps just drop the word "sample"?

PR Comment: https://git.openjdk.org/jdk/pull/18831#issuecomment-2073191426
Re: RFR: 8330542: Add two sample configuration files in preparation for a more secure by default configuration [v3]
On Fri, 19 Apr 2024 20:45:36 GMT, Lance Andersen wrote:

>> Joe Wang has updated the pull request incrementally with one additional
>> commit since the last revision:
>>
>>   fix typo
>
> src/java.xml/share/conf/jaxp-compat.properties line 20:
>
>> 18: # JDK has switched to a strict configuration as indicated in jaxp-strict.properties.
>> 19: # This configuration contains the same properties as those in jaxp-strict.properties
>> 20: # except it sets them back to the current status of the JDK. Note that, although
>
> 'sets them back to the current status of the JDK'
>
> I think you are trying to indicate that this property file specifies the JAXP
> property values that were in place prior to being More Secure?

Thanks Lance for the offline discussion. Updated the description.

PR Review Comment: https://git.openjdk.org/jdk/pull/18831#discussion_r1573002287
Re: RFR: 8330542: Add two sample configuration files in preparation for a more secure by default configuration [v4]
> Add two sample configuration files:
>
> jaxp-strict.properties: used to set strict configuration, stricter than
> jaxp.properties in previous versions such as JDK 22
>
> jaxp-compat.properties: used to regain compatibility from any more
> restricted configuration than previous versions such as JDK 22

Joe Wang has updated the pull request incrementally with one additional commit since the last revision:

  changes description of jaxp-compat and jaxp-strict after discussing with Lance

Changes:
  - all: https://git.openjdk.org/jdk/pull/18831/files
  - new: https://git.openjdk.org/jdk/pull/18831/files/e6386015..019c2aee

Webrevs:
  - full: https://webrevs.openjdk.org/?repo=jdk=18831=03
  - incr: https://webrevs.openjdk.org/?repo=jdk=18831=02-03

Stats: 28 lines in 2 files changed: 2 ins; 4 del; 22 mod
Patch: https://git.openjdk.org/jdk/pull/18831.diff
Fetch: git fetch https://git.openjdk.org/jdk.git pull/18831/head:pull/18831

PR: https://git.openjdk.org/jdk/pull/18831
Re: RFR: 8330542: Add two sample configuration files in preparation for a more secure by default configuration [v3]
On Fri, 19 Apr 2024 17:39:30 GMT, Joe Wang wrote:

>> Add two sample configuration files:
>>
>> jaxp-strict.properties: used to set strict configuration, stricter than
>> jaxp.properties in previous versions such as JDK 22
>>
>> jaxp-compat.properties: used to regain compatibility from any more
>> restricted configuration than previous versions such as JDK 22
>
> Joe Wang has updated the pull request incrementally with one additional
> commit since the last revision:
>
>   fix typo

src/java.xml/share/conf/jaxp-compat.properties line 12:

> 10: #
> 11: # jaxp-strict.properties: this file resembles what will become the Secure-By-Default
> 12: # configuration where a strict restriction is the default. This file allows

strict restriction needs rewording. Perhaps something that indicates that this property file provides settings that will be equivalent to what will be the default JAXP settings in a future release to make the use of JAXP more secure out of the box

src/java.xml/share/conf/jaxp-compat.properties line 20:

> 18: # JDK has switched to a strict configuration as indicated in jaxp-strict.properties.
> 19: # This configuration contains the same properties as those in jaxp-strict.properties
> 20: # except it sets them back to the current status of the JDK. Note that, although

'sets them back to the current status of the JDK'

I think you are trying to indicate that this property file specifies the JAXP property values that were in place prior to being More Secure?

PR Review Comment: https://git.openjdk.org/jdk/pull/18831#discussion_r1572927195
PR Review Comment: https://git.openjdk.org/jdk/pull/18831#discussion_r1572940722
Re: RFR: 8330542: Add two sample configuration files in preparation for a more secure by default configuration [v2]
On Thu, 18 Apr 2024 23:40:22 GMT, Naoto Sato wrote:

>> Joe Wang has updated the pull request incrementally with one additional
>> commit since the last revision:
>>
>>   add description of the three configuration files.
>
> src/java.xml/share/conf/jaxp-strict.properties line 2:
>
>> 1:
>> 2: # JAXP String Configuration File
>
> Nit: typo here: String -> Strict

Thanks! Fixed.

PR Review Comment: https://git.openjdk.org/jdk/pull/18831#discussion_r1572705283
Re: RFR: 8330542: Add two sample configuration files in preparation for a more secure by default configuration [v3]
> Add two sample configuration files:
>
> jaxp-strict.properties: used to set strict configuration, stricter than
> jaxp.properties in previous versions such as JDK 22
>
> jaxp-compat.properties: used to regain compatibility from any more
> restricted configuration than previous versions such as JDK 22

Joe Wang has updated the pull request incrementally with one additional commit since the last revision:

  fix typo

Changes:
  - all: https://git.openjdk.org/jdk/pull/18831/files
  - new: https://git.openjdk.org/jdk/pull/18831/files/98fcc3ef..e6386015

Webrevs:
  - full: https://webrevs.openjdk.org/?repo=jdk=18831=02
  - incr: https://webrevs.openjdk.org/?repo=jdk=18831=01-02

Stats: 1 line in 1 file changed: 0 ins; 0 del; 1 mod
Patch: https://git.openjdk.org/jdk/pull/18831.diff
Fetch: git fetch https://git.openjdk.org/jdk.git pull/18831/head:pull/18831

PR: https://git.openjdk.org/jdk/pull/18831
Re: RFR: 8330542: Add two sample configuration files in preparation for a more secure by default configuration [v2]
On Thu, 18 Apr 2024 21:54:26 GMT, Joe Wang wrote:

>> Add two sample configuration files:
>>
>> jaxp-strict.properties: used to set strict configuration, stricter than
>> jaxp.properties in previous versions such as JDK 22
>>
>> jaxp-compat.properties: used to regain compatibility from any more
>> restricted configuration than previous versions such as JDK 22
>
> Joe Wang has updated the pull request incrementally with one additional
> commit since the last revision:
>
>   add description of the three configuration files.

src/java.xml/share/conf/jaxp-strict.properties line 2:

> 1:
> 2: # JAXP String Configuration File

Nit: typo here: String -> Strict

PR Review Comment: https://git.openjdk.org/jdk/pull/18831#discussion_r1571515112
Re: RFR: 8330542: Add two sample configuration files in preparation for a more secure by default configuration
On Wed, 17 Apr 2024 23:24:06 GMT, Joe Wang wrote:

> Add two sample configuration files:
>
> jaxp-strict.properties: used to set strict configuration, stricter than
> jaxp.properties in previous versions such as JDK 22
>
> jaxp-compat.properties: used to regain compatibility from any more
> restricted configuration than previous versions such as JDK 22

Thanks Alan, Lance! I added description of the three config files to both files so that readers can find answers reading any one of them.

Also added a release note: https://bugs.openjdk.org/browse/JDK-8330605

PR Comment: https://git.openjdk.org/jdk/pull/18831#issuecomment-2065384541
Re: RFR: 8330542: Add two sample configuration files in preparation for a more secure by default configuration [v2]
> Add two sample configuration files:
>
> jaxp-strict.properties: used to set strict configuration, stricter than
> jaxp.properties in previous versions such as JDK 22
>
> jaxp-compat.properties: used to regain compatibility from any more
> restricted configuration than previous versions such as JDK 22

Joe Wang has updated the pull request incrementally with one additional commit since the last revision:

  add description of the three configuration files.

Changes:
  - all: https://git.openjdk.org/jdk/pull/18831/files
  - new: https://git.openjdk.org/jdk/pull/18831/files/e36e5fd4..98fcc3ef

Webrevs:
  - full: https://webrevs.openjdk.org/?repo=jdk=18831=01
  - incr: https://webrevs.openjdk.org/?repo=jdk=18831=00-01

Stats: 44 lines in 2 files changed: 38 ins; 0 del; 6 mod
Patch: https://git.openjdk.org/jdk/pull/18831.diff
Fetch: git fetch https://git.openjdk.org/jdk.git pull/18831/head:pull/18831

PR: https://git.openjdk.org/jdk/pull/18831