On 9/21/2019 4:15 AM, Chris Hegarty wrote:
On 19 Sep 2019, at 18:32, Joe Darcy <joe.da...@oracle.com> wrote:
Hello,
Ahead of augmenting javac's serial lint checks under JDK-8160675, it would be
helpful to mark fields in security libs classes where the class is
serializable, but a non-transient instance field does *not* have a serializable
type. Such classes may have difficulties being serialized at runtime:
JDK-8231262 : Suppress warnings on non-serializable instance fields in
security libs serializable classes
http://cr.openjdk.java.net/~darcy/8231262.0/
The changes look good to me.
The fields in PrivateCredentialPermission and SecureRandom could be made final
and assigned null, ensuring non-Serializable types will never leak into them.
But equally, this could be left to a follow-on change for someone working in
the security area.
I'd prefer to leave such code changes to people working more directly in
the area.
Thanks for the review,
-Joe
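
The situation discussed in this thread, as an added example that is not part of the original messages or of the JDK change: a serializable class with a non-transient field whose declared type is not Serializable, where the warning is suppressed and serialization succeeds or fails depending on the runtime value. The class `Credential`, its field `secret` and the helper `canSerialize` are hypothetical names chosen for illustration.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.NotSerializableException;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class SerialFieldDemo {
    // Hypothetical class: it is Serializable, but the declared type of its
    // non-transient instance field (Object) is not.
    static class Credential implements Serializable {
        private static final long serialVersionUID = 1L;

        // Suppressing the "serial" lint category only silences the compiler;
        // it does not change what happens when the object is written.
        @SuppressWarnings("serial")
        private final Object secret;

        Credential(Object secret) {
            this.secret = secret;
        }
    }

    // Returns true if the object graph serializes, false if a
    // NotSerializableException is raised while writing it.
    static boolean canSerialize(Object o) throws IOException {
        try {
            new ObjectOutputStream(new ByteArrayOutputStream()).writeObject(o);
            return true;
        } catch (NotSerializableException e) {
            System.out.println("not serializable: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        // Runtime value is a String, which is Serializable: succeeds.
        System.out.println(canSerialize(new Credential("token")));
        // Runtime value is a plain Object: fails only at runtime.
        System.out.println(canSerialize(new Credential(new Object())));
        // A field that is always null never carries a non-serializable
        // value, which is the effect of the "final and assigned null" idea.
        System.out.println(canSerialize(new Credential(null)));
    }
}
```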