On 02/08/2021 11:33, Peter Firmstone wrote:
I think you may be misinterpreting my comment, let me clarify:
Really? I'd suggest only if you stretch the meaning of your words beyond
their elastic limit.
I'm assuming that during the process of removal of security manager, any
external ports or process hooks that we can only turn off now by not
granting a permission will be replaced by a command line property or
something similar? Eg, Agents, Management, etc. If this is the case, it
would be nice if they were set to off by default, such that they needed
to be enabled from the command line. It's a suggestion. . . .
They might be or they might not be replaced -- and, indeed, you are
welcome to help the project to make that a possibility. However, even if
they were not replaced or enabled as default behaviours the platform
would not fail to be 'secure by default'. At worst, it might be lacking
belt and braces when it comes to available means for enforcing some
specific forms of control over execution -- controls that can be used to
resolve some security problems, but not exclusively. Yet, you keep using
language that implies the loss of the security manager is a significant
threat to the security of OpenJDK/Java.
Claiming now that all you meant was that you would like to have APIs
that give you similar mechanisms to what is being removed does not was
and will not validate the use of such exaggerated language. Nor do such
statements give anyone confidence that you are able to identify clear
and compelling requirements and assess the effort that might be needed
to satisfy them and maintain an implementation.
So, maybe you should just stop making out that your concerns are a major
problem to most developers and that they threaten the integrity of the
platform and instead concentrate on identifying simple and maintainable
APIs that we can feasibly add to OpenJDK without incurring an
unjustifiable maintenance burden.
regards,
Andrew Dinn
-----------
Red Hat Distinguished Engineer
Red Hat UK Ltd
Registered in England and Wales under Company Registration No. 03798903
Directors: Michael Cunningham, Michael ("Mike") O'Neill
