Hi Robert, On Wed, Feb 5, 2020 at 8:38 AM Robert Scholte <rfscho...@apache.org> wrote: > > Hi Simone, > > I understand your concern, but the patched module descriptor doesn't have to > (or should not) replace the --patch-module option. This proposal is about the > additional options you now need to put on the commandline, but which already > fit in the module descriptor.
I understand it does not replace --patch-module. I understand it adds the additional "requires", "opens", etc. But how do you stop a library that uses Jetty to ship a jar containing a patched module file that exports and opens things in Jetty that the Jetty authors did not want to export or open, without users knowing it? jetty-client.jar -> contains legit module-info.class library.jar -> contains patched descriptor that patches jetty-client app.jar -> my application with a legit module-info.class java --module-path jetty-client.jar:library.jar:app.jar --module app/com.app.Main With this command line, does the Java runtime parse and enable the patched descriptor contained in library.jar, opening up jetty-client? If not, how would you enable it in Maven? Am I missing something? Thanks! -- Simone Bordet --- Finally, no matter how good the architecture and design are, to deliver bug-free software with optimal performance and reliability, the implementation technique must be flawless. Victoria Livschitz
