> On 18 May 2021, at 01:11, Peter Firmstone <peter.firmst...@zeus.net.au> wrote:
> 
> Your ideas are great in theory; in practice, the problem with your Agent 
> proposal is every JVM release needs to be reviewed, and we have to review 
> Java's internal implementation code, and understand it in order to instrument 
> it.  

Absolutely. But that is exactly the work OpenJDK maintainers are required to do 
today to support something most people want better alternatives for at the 
expense of those better alternatives and other work.

> 
> Maybe if you put hooks (annotations?) into the JVM code, so it was easier for 
> agents to know which calls need to be controlled for access decisions?   But 
> then if not many people are using it, it will suffer neglect.

Yeah, it sounds neither here nor there, but the relevant maintainers will 
consider it.

> 
> It's your existing userbase with over 50% still using Java 8 that need 
> convincing, who will be the ultimate judge of the success or failure of this 
> decision.

If you have data that contradicts our estimate of Security Manager usage among 
Java 8 users, please present it.

- Ron
