Re: JEP411: Missing use-case: Monitoring / restricting libraries

2021-04-17 Thread Ron Pressler
Do you regularly use the Security Manager to sandbox your own dependencies and find it convenient and effective — in which case, could you please describe your practice concretely so that it would be possible to consider alternatives — or are you saying that you can *envision* such a powerful u

Re: JEP411: Missing use-case: Monitoring / restricting libraries

2021-04-17 Thread Alan Bateman
On 16/04/2021 02:29, Reinier Zwitserloot wrote: : * An XML parser library may make network calls or open files on disk due to e.g. XXE shenanigans: See https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing

Re: JEP411: Missing use-case: Monitoring / restricting libraries

2021-04-17 Thread Reinier Zwitserloot
> Ron wrote:
> I think it’s worth adding that treating libraries as untrusted code is unworkable over the long run

Well, define 'untrusted'. If you mean: "untrusted" as in it may well contain code explicitly designed to compromise our internal security, put there for malicious purposes by someon

Re: JEP411: Missing use-case: Monitoring / restricting libraries

2021-04-17 Thread Reinier Zwitserloot
> Sean wrote:
> I read your message correctly, you seem to be primarily concerned with logging and/or restricting access to file and network operations.

Process execution as well.

> In my personal view, some of the examples you present that do somewhat sketchy things are probably not a good idea

Re: RFR: 8185127: Add tests to cover hashCode() method for java supported crypto key types [v6]

2021-04-17 Thread Sibabrata Sahoo
> This is a simple Test to add few additional API coverage for all java
> supported key types. The objective of this Test is to cover equals() and
> hashcode() methods for each key types.

Sibabrata Sahoo has updated the pull request incrementally with two additional commits since the last revis

Re: JEP411: Missing use-case: Monitoring / restricting libraries

2021-04-17 Thread Anthony Vanelverdinghe
Actually I think GraalVM can already do this today, since the mentioned API is for use with any guest language, and Java can now run as a guest language [1]. Note that this is also reminiscent of the `java.scripting` module (JSR 223), which also has a `ScriptContext` class, but I'm not sure what

Re: RFR: 8185127: Add tests to cover hashCode() method for java supported crypto key types [v5]

2021-04-17 Thread Sibabrata Sahoo
> This is a simple Test to add few additional API coverage for all java
> supported key types. The objective of this Test is to cover equals() and
> hashcode() methods for each key types.

Sibabrata Sahoo has updated the pull request incrementally with one additional commit since the last revisi

Re: RFR: 8185127: Add tests to cover hashCode() method for java supported crypto key types [v4]

2021-04-17 Thread Sibabrata Sahoo
On Fri, 16 Apr 2021 08:34:11 GMT, Sibabrata Sahoo wrote:

>> This is a simple Test to add few additional API coverage for all java
>> supported key types. The objective of this Test is to cover equals() and
>> hashcode() methods for each key types.
>
> Sibabrata Sahoo has updated the pull reques