Re: Ping: RFR: JDK-8243012: Fix issues in j.l.i package info
Hi Alex, LGTM. Thanks, Serguei On 5/14/20 11:30, Alex Menkov wrote: Hi Alan, Serguei, updated webrev: http://cr.openjdk.java.net/~amenkov/jdk15/java_instrument_spec/webrev.3/ --alex On 05/14/2020 04:25, Alan Bateman wrote: On 12/05/2020 20:57, Alex Menkov wrote: Hi Alan, Serguei, lets try one more time :) What about: Agents can transform classes in arbitrary ways at load time, transform modules, or transform the bytecode of methods of already loaded classes. Developers or administrators that deploy agents, deploy applications that package an agent with the application, or use tools that load agents into a running application, are responsible for verifying the trustworthiness of each agent including the content and structure of the agent JAR file. please let me know what do you thinks, I'll prepare & publish new webrev as soon as we get agreement about the paragraph. This version looks okay to me. -Alan
Re: Ping: RFR: JDK-8243012: Fix issues in j.l.i package info
On 14/05/2020 19:30, Alex Menkov wrote: Hi Alan, Serguei, updated webrev: http://cr.openjdk.java.net/~amenkov/jdk15/java_instrument_spec/webrev.3/ Thanks. -Alan
Re: Ping: RFR: JDK-8243012: Fix issues in j.l.i package info
Hi Alan, Serguei, updated webrev: http://cr.openjdk.java.net/~amenkov/jdk15/java_instrument_spec/webrev.3/ --alex On 05/14/2020 04:25, Alan Bateman wrote: On 12/05/2020 20:57, Alex Menkov wrote: Hi Alan, Serguei, lets try one more time :) What about: Agents can transform classes in arbitrary ways at load time, transform modules, or transform the bytecode of methods of already loaded classes. Developers or administrators that deploy agents, deploy applications that package an agent with the application, or use tools that load agents into a running application, are responsible for verifying the trustworthiness of each agent including the content and structure of the agent JAR file. please let me know what do you thinks, I'll prepare & publish new webrev as soon as we get agreement about the paragraph. This version looks okay to me. -Alan
Re: Ping: RFR: JDK-8243012: Fix issues in j.l.i package info
On 12/05/2020 20:57, Alex Menkov wrote: Hi Alan, Serguei, lets try one more time :) What about: Agents can transform classes in arbitrary ways at load time, transform modules, or transform the bytecode of methods of already loaded classes. Developers or administrators that deploy agents, deploy applications that package an agent with the application, or use tools that load agents into a running application, are responsible for verifying the trustworthiness of each agent including the content and structure of the agent JAR file. please let me know what do you thinks, I'll prepare & publish new webrev as soon as we get agreement about the paragraph. This version looks okay to me. -Alan
Re: Ping: RFR: JDK-8243012: Fix issues in j.l.i package info
On 05/12/2020 13:40, serguei.spit...@oracle.com wrote: Hi Alex, This seems to resolve most of the Alan's concerns. Though, I'm not sure if we can treat users that deploy and use agents as developers. I think users that deploy agent or use tools to load agents can be called administrators :) --alex Otherwise, we may want to tweak the last sentence a little bit: "Developers or administrators that deploy agents, deploy applications that package an agent with the application, or anyone using a tools that loads agents into a running application, are responsible for verifying the trustworthiness of each agent including the content and structure of the agent JAR file. But let's wait for Alan's opinion. Thanks, Serguei On 5/12/20 12:57, Alex Menkov wrote: Hi Alan, Serguei, lets try one more time :) What about: Agents can transform classes in arbitrary ways at load time, transform modules, or transform the bytecode of methods of already loaded classes. Developers or administrators that deploy agents, deploy applications that package an agent with the application, or use tools that load agents into a running application, are responsible for verifying the trustworthiness of each agent including the content and structure of the agent JAR file. please let me know what do you thinks, I'll prepare & publish new webrev as soon as we get agreement about the paragraph. --alex On 05/12/2020 00:59, Alan Bateman wrote: On 11/05/2020 22:14, Alex Menkov wrote: Updated webrev: http://cr.openjdk.java.net/~amenkov/jdk15/java_instrument_spec/webrev.2/ --alex This doesn't work for me because it drops the important point that the developer/admin is also responsible when deploying an agent that packages an agent with the application. Also anyone using a tool that loads agents into a running VM has responsibility too. So I think these points need to be included. -Alan.
Re: Ping: RFR: JDK-8243012: Fix issues in j.l.i package info
Hi Alex, This seems to resolve most of the Alan's concerns. Though, I'm not sure if we can treat users that deploy and use agents as developers. Otherwise, we may want to tweak the last sentence a little bit: "Developers or administrators that deploy agents, deploy applications that package an agent with the application, or anyone using a tools that loads agents into a running application, are responsible for verifying the trustworthiness of each agent including the content and structure of the agent JAR file. But let's wait for Alan's opinion. Thanks, Serguei On 5/12/20 12:57, Alex Menkov wrote: Hi Alan, Serguei, lets try one more time :) What about: Agents can transform classes in arbitrary ways at load time, transform modules, or transform the bytecode of methods of already loaded classes. Developers or administrators that deploy agents, deploy applications that package an agent with the application, or use tools that load agents into a running application, are responsible for verifying the trustworthiness of each agent including the content and structure of the agent JAR file. please let me know what do you thinks, I'll prepare & publish new webrev as soon as we get agreement about the paragraph. --alex On 05/12/2020 00:59, Alan Bateman wrote: On 11/05/2020 22:14, Alex Menkov wrote: Updated webrev: http://cr.openjdk.java.net/~amenkov/jdk15/java_instrument_spec/webrev.2/ --alex This doesn't work for me because it drops the important point that the developer/admin is also responsible when deploying an agent that packages an agent with the application. Also anyone using a tool that loads agents into a running VM has responsibility too. So I think these points need to be included. -Alan.
Re: Ping: RFR: JDK-8243012: Fix issues in j.l.i package info
Hi Alan, Serguei, lets try one more time :) What about: Agents can transform classes in arbitrary ways at load time, transform modules, or transform the bytecode of methods of already loaded classes. Developers or administrators that deploy agents, deploy applications that package an agent with the application, or use tools that load agents into a running application, are responsible for verifying the trustworthiness of each agent including the content and structure of the agent JAR file. please let me know what do you thinks, I'll prepare & publish new webrev as soon as we get agreement about the paragraph. --alex On 05/12/2020 00:59, Alan Bateman wrote: On 11/05/2020 22:14, Alex Menkov wrote: Updated webrev: http://cr.openjdk.java.net/~amenkov/jdk15/java_instrument_spec/webrev.2/ --alex This doesn't work for me because it drops the important point that the developer/admin is also responsible when deploying an agent that packages an agent with the application. Also anyone using a tool that loads agents into a running VM has responsibility too. So I think these points need to be included. -Alan.
Re: Ping: RFR: JDK-8243012: Fix issues in j.l.i package info
On 11/05/2020 22:14, Alex Menkov wrote: Updated webrev: http://cr.openjdk.java.net/~amenkov/jdk15/java_instrument_spec/webrev.2/ --alex This doesn't work for me because it drops the important point that the developer/admin is also responsible when deploying an agent that packages an agent with the application. Also anyone using a tool that loads agents into a running VM has responsibility too. So I think these points need to be included. -Alan.
Re: Ping: RFR: JDK-8243012: Fix issues in j.l.i package info
Hi Alex, LGTM Thank you for the update! Serguei On 5/11/20 14:14, Alex Menkov wrote: Hi Serguei, Alan, Updated webrev: http://cr.openjdk.java.net/~amenkov/jdk15/java_instrument_spec/webrev.2/ --alex On 05/11/2020 11:52, Alan Bateman wrote: On 11/05/2020 19:21, serguei.spit...@oracle.com wrote: Hi Alex, There is no need to repeat this: "deploy applications thatpackage an agent with the application, or use tools that load agents into a running application" I'd suggest to rephrase it to something like: "Agents can transform classes in arbitrary ways at load time, transform modules, or transform the bytecode of methods of already loaded classes. Developers or administrators that deploy agents are responsible for their trustworthiness and must therefore verify each agent including the content and structure of its JAR file." Also, could you, please, replace: * The three ways to start an agent is described below. with: * The three ways to start an agent are described below. Serguei's suggestions look good. -Alan
Re: Ping: RFR: JDK-8243012: Fix issues in j.l.i package info
Hi Serguei, Alan, Updated webrev: http://cr.openjdk.java.net/~amenkov/jdk15/java_instrument_spec/webrev.2/ --alex On 05/11/2020 11:52, Alan Bateman wrote: On 11/05/2020 19:21, serguei.spit...@oracle.com wrote: Hi Alex, There is no need to repeat this: "deploy applications thatpackage an agent with the application, or use tools that load agents into a running application" I'd suggest to rephrase it to something like: "Agents can transform classes in arbitrary ways at load time, transform modules, or transform the bytecode of methods of already loaded classes. Developers or administrators that deploy agents are responsible for their trustworthiness and must therefore verify each agent including the content and structure of its JAR file." Also, could you, please, replace: * The three ways to start an agent is described below. with: * The three ways to start an agent are described below. Serguei's suggestions look good. -Alan
Re: Ping: RFR: JDK-8243012: Fix issues in j.l.i package info
On 11/05/2020 19:21, serguei.spit...@oracle.com wrote: Hi Alex, There is no need to repeat this: "deploy applications thatpackage an agent with the application, or use tools that load agents into a running application" I'd suggest to rephrase it to something like: "Agents can transform classes in arbitrary ways at load time, transform modules, or transform the bytecode of methods of already loaded classes. Developers or administrators that deploy agents are responsible for their trustworthiness and must therefore verify each agent including the content and structure of its JAR file." Also, could you, please, replace: * The three ways to start an agent is described below. with: * The three ways to start an agent are described below. Serguei's suggestions look good. -Alan
Re: Ping: RFR: JDK-8243012: Fix issues in j.l.i package info
Hi Alex, There is no need to repeat this: "deploy applications that package an agent with the application, or use tools that load agents into a running application" I'd suggest to rephrase it to something like: "Agents can transform classes in arbitrary ways at load time, transform modules, or transform the bytecode of methods of already loaded classes. Developers or administrators that deploy agents are responsible for their trustworthiness and must therefore verify each agent including the content and structure of its JAR file." Also, could you, please, replace: * The three ways to start an agent is described below. with: * The three ways to start an agent are described below. Thanks, Serguei On 5/7/20 18:19, Alex Menkov wrote: On 05/01/2020 15:22, Alex Menkov wrote: Hi all, Please review the fix for https://bugs.openjdk.java.net/browse/JDK-8243012 The change fixes security note in the java.lang.instrument javadoc. webrev: http://cr.openjdk.java.net/~amenkov/jdk15/java_instrument_spec/webrev.1/ --alex
Ping: RFR: JDK-8243012: Fix issues in j.l.i package info
On 05/01/2020 15:22, Alex Menkov wrote: Hi all, Please review the fix for https://bugs.openjdk.java.net/browse/JDK-8243012 The change fixes security note in the java.lang.instrument javadoc. webrev: http://cr.openjdk.java.net/~amenkov/jdk15/java_instrument_spec/webrev.1/ --alex