On 21/12/2018 10:41, Langer, Christoph wrote:
Hi folks,
getting back to the topic of adding POSIX file permission support to
jdk.zipfs... I think as we are now in the early stages of JDK13, it's a good
point in time to get some (hopefully final) activity on that one.
In the last review discussions you were asking me to provide some write-up of
the proposal.
Therefore I updated the CSR. It should now be a valid document for discussing
the whole proposal, comprising the problem to solve, the proposed solution and
its specification as well as addressing some concerns.
And to get it clear: This item is only about jdk.zipfs. It is really
independent of potential enhancements for java.util.zip or the jartool. So, I
gently ask you to review the CSR.
As for the implementation: I've worked on it together with Volker and will post
an update soon.
Adding support for POSIX file permissions to the zip APIs is problematic
as we've been discussing here. There are security concerns and also
concerns that how it interacts with JAR files and signed JAR in
particular. I don't disagree that we can come to agreement on zipfs
supporting a solution but I think we need to get the bigger picture on
where this is going first. If the piece to change the java.util.zip APIs
is dropped then it would make these discussions a lot simpler as it
removes most of the security issues from the table.
-Alan
