* Peter Firmstone: > From our discussions, my interpretation is that OpenJDK is constrained > by corporate security policy; any issues with SecurityManager > infrastructure will be treated as confidential security issues and > have to be fixed with internal resources. Community volunteers won't > be allowed to handle them. Hence it's the maintenance burden. I see > this maintenance cost as a bureaucratic management issue, rather than > an issue with SM per se.
The dynamics would likely change if the community started fixing issues. A starting point could be speculative execution vulnerabilities, which are currently out of scope for the OpenJDK security process: Java and Speculative Execution Vulnerabilities <https://mail.openjdk.java.net/pipermail/vuln-announce/2019-July/000002.html> I think any use of the security manager for isolation purposes would have to address those issues. Thanks, Florian
