On 03/12/2014 10:45 AM, Paul Sandoz wrote:
> Hi Florian,
>
> Thanks for doing this.

Sorry, I missed your follow-up until now.

> Do you have any more context on what RPMs/jars are using what methods of Unsafe?

Attached. Columns are package NEVRA, JAR name, method and descriptor in
Unsafe. I used CSV this time to reduce file size (there's no column
padding). Hopefully the attachment is below the mailing list size limit.

> It might be useful to obtain the number of (transitive) dependencies on such
> jars. I don't have data yet from maven central but I know some jars that use
> Unsafe are quite popular.

Yes, I see a few rather well-known packages in the list. We do not have
good dependency information in Fedora (the Powers That Be refuse to use
Class-Path entries in manifests), so I'm not sure if I should try to
come up with a WITH RECURSIVE query (CONNECT BY for you guys :-) that
counts the reverse dependencies.
I plan to file Fedora bugs for the sun.misc.* changes as they hit JDK 9,
provided that the Fedora folks do not object.
--
Florian Weimer / Red Hat Product Security Team