Daniel John Debrunner wrote:
Kathey Marsden wrote:
Please test and vote on the 10.3.2.0 release candidate available at:
I'm still thinking about the change made to 10.3 for DERBY-3083.
In 10.2 bringing up the server in all cases did not install a security
manager.
In 10.3.1.4:
- server did not start if the derby jars were re-named and no
security manager was already installed. While this is a regression
from 10.2 it was secure.
In 10.3.2.0:
- if the derby jars are renamed then no security manager is
installed. This is a regression security-wise from 10.3.1.4 but does
fix a functional regression from 10.3.1.4.
One real concern is that this new behaviour in 10.3.2.0 is not
documented anywhere, it contradicts the existing documentation, thus a
user will assume a security manager has been installed. There's also
no information printed to any error log that no security manager exists.
Dan.
https://issues.apache.org/jira/browse/DERBY-3083
I have reverted this patch in the 10.3 branch and in the trunk. I do not
think we will reach consensus on this issue before we need to generate
the next 10.3 release candidate.
Regards,
-Rick