Re: new warnings produced by task under Open JDK 17-ea+28-2534

2021-06-28 Thread Jaikiran Pai 
I spent some time on this today and experimented with some sample build 
scripts and I noticed that these warning messages are a lot more 
intrusive in their current form than what I had initially thought or 
noticed.


Based on your and one other user's inputs so far, I've raised a 
discussion in security-dev mailing list of OpenJDK, explaining how this 
is currently impacting Ant project and some potential ways to reduce 
this impact. The discussion thread is here 
https://mail.openjdk.java.net/pipermail/security-dev/2021-June/026660.html


-Jaikiran


On 28/06/21 8:22 pm, Rick Hillegas wrote:

Thanks for that explanation, Jaikiran.

On 6/27/21 8:29 PM, Jaikiran Pai wrote:

Hello Rick,

Thank you for this report. We have been watching this area and have 
been aware of this issue, including one other user report[1]. I'm 
just waiting for things to become a bit more clear on this front 
before coming up with any proposal in the Ant project on how to deal 
with this. Clearly our permissions[2] type and the whole security 
manager based implementation will be impacted and needs a rethink.


For the java task, we by default apply certain permissions when run 
without "fork". That's what is triggering this warning. It has been 
there in the build 26 EA of JDK 17 as well - of course, that version 
didn't include the exact class which was calling the 
System.setSecurityManager. That additional detail got included 
recently[3].



[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=65381

[2] http://ant.apache.org/manual/Types/permissions.html

[3] https://github.com/openjdk/jdk17/pull/13

-Jaikiran

On 27/06/21 11:22 pm, Rick Hillegas wrote:
Open JDK 17 build 17-ea+28-2534 causes the ant 1.10.6  task to 
produce the following warnings when you DON'T fork the JVM:


WARNING: A terminally deprecated method in java.lang.System has been 
called
WARNING: System::setSecurityManager has been called by 
org.apache.tools.ant.types.Permissions (file:/opt/ant/lib/ant.jar)


For more information, see 
https://issues.apache.org/jira/browse/DERBY-7110?focusedCommentId=17370259=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17370259 
and 
https://issues.apache.org/jira/browse/DERBY-7110?focusedCommentId=17370302=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17370302



-
To unsubscribe, e-mail: dev-unsubscr...@ant.apache.org
For additional commands, e-mail: dev-h...@ant.apache.org






-
To unsubscribe, e-mail: dev-unsubscr...@ant.apache.org
For additional commands, e-mail: dev-h...@ant.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@ant.apache.org
For additional commands, e-mail: dev-h...@ant.apache.org

Re: new warnings produced by task under Open JDK 17-ea+28-2534

2021-06-28 Thread Rick Hillegas 

Thanks for that explanation, Jaikiran.

On 6/27/21 8:29 PM, Jaikiran Pai wrote:

Hello Rick,

Thank you for this report. We have been watching this area and have 
been aware of this issue, including one other user report[1]. I'm just 
waiting for things to become a bit more clear on this front before 
coming up with any proposal in the Ant project on how to deal with 
this. Clearly our permissions[2] type and the whole security manager 
based implementation will be impacted and needs a rethink.


For the java task, we by default apply certain permissions when run 
without "fork". That's what is triggering this warning. It has been 
there in the build 26 EA of JDK 17 as well - of course, that version 
didn't include the exact class which was calling the 
System.setSecurityManager. That additional detail got included 
recently[3].



[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=65381

[2] http://ant.apache.org/manual/Types/permissions.html

[3] https://github.com/openjdk/jdk17/pull/13

-Jaikiran

On 27/06/21 11:22 pm, Rick Hillegas wrote:
Open JDK 17 build 17-ea+28-2534 causes the ant 1.10.6  task to 
produce the following warnings when you DON'T fork the JVM:


WARNING: A terminally deprecated method in java.lang.System has been 
called
WARNING: System::setSecurityManager has been called by 
org.apache.tools.ant.types.Permissions (file:/opt/ant/lib/ant.jar)


For more information, see 
https://issues.apache.org/jira/browse/DERBY-7110?focusedCommentId=17370259=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17370259 
and 
https://issues.apache.org/jira/browse/DERBY-7110?focusedCommentId=17370302=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17370302



-
To unsubscribe, e-mail: dev-unsubscr...@ant.apache.org
For additional commands, e-mail: dev-h...@ant.apache.org






-
To unsubscribe, e-mail: dev-unsubscr...@ant.apache.org
For additional commands, e-mail: dev-h...@ant.apache.org