On 01/08/2021 03:14, Peter Firmstone wrote:
I'm working on the assumption that OpenJDK will close any external holes
currently defended by permission checks. It would be good if the JDK
was secure by default, with properties required to be set for allowing
such things as agents, management, parsing xml and serialization.
You need to stop repeating this canard. There is no absolute need for
OpenJDK to retain a security mechanism to deal with problems that for
almost every use case are better solved by using non-OpenJDK
alternatives (such as OS security measures). Indeed, it's the other way
round: there is an imperative for the project to spend precious
resources on alternative capabilities (not necessarily security related).
The fact that your software can no longer profit from this specific
mechanism is a /special case/ which means any loss incurred is a
/special loss/ not a general one. Users who rely on your software for
the security guarantees you claim it provides may well no longer be able
to do so once this mechanism is removed. However, claiming that this
implies Java is no longer secure by default is a /gross/
misrepresentation of what is at stake.
Java can be used perfectly well to implement secure applications without
the security manager. That's evidenced by two facts: on the one hand
experience has shown that most programs that rely on the security
manager are not actually more secure because of using it; on the other
hand there are many highly secure Java programs out there in the field.
The fact that your software will no longer provide a specific route to
implementing a certain type of security capability may be a great loss
to you but it is not a significant loss, never mind some absolute loss
in kind, to Java and Java application developers. I recommend you stop
repeating this distorted opinion. It's only effect will be squander the
goodwill of those currently trying to help you, people whose driving
interest is nothing other than to make OpenJDK a better product.
regards,
Andrew Dinn
-----------
Red Hat Distinguished Engineer
Red Hat UK Ltd
Registered in England and Wales under Company Registration No. 03798903
Directors: Michael Cunningham, Michael ("Mike") O'Neill
