Hi,
so what's needed to move this topic forward?
We have a real concern adopting Java 9, if the internal api issue is not
fixed for webstart apps.
We are willing to take the additional effort of modifying and building
our own jre for the various platforms, but there needs to be a
mechanism, that allows to use the modified jre/modules in an applet.
As mentioned in the javafx thread we experienced a serious issue after a
security update for the jre was released (Swing GUI Thread not starting
from Java-Application), which made our application useless. A bugfix was
released 3 month later. Only a workaround using internal apis kept our
business alive. The only other choice for us and our customers would
have been, not to apply the security update.
I fear that this could happen again.
And for making functions public, which currently aren't. For most uses
of internal apis in our application, there are open bugs within the
oracle bugtracker. Some dating back to 2011. I don't think these will
magically get fixed, when Java 9 gets released.
So unless Oracle dramatically increases the number of developers working
on the java platform and releases weekly updates for the jre, I see no
other choice then to hack the jre by ourselfs.
- Stefan
P.S.: Looking at JEP-200 I could not find, to which module all the
webstart classes belong.
E.g.: What module does export javax.jnlp?
Obviously these classes are only needed on desktop platforms and could
be omitted on embedded devices and for applications installing a local
version of the jdk .
Tim Boudreau wrote:
So one idea would be to allow webstart applications access to
internal apis.
I'd think that'd be a recipe for the kind of security holes
modularizing the JDK is supposed to make impossible.
I guess their could be some versioning problems, though.
To say the least.
If it's a legitimate need, it sounds like perhaps some things need to
become API that aren't currently.
-Tim
