Unless there is a phone home mechanism built into the SecurityManager, nobody knows or can claim to know how widely the SecurityManager is being used.
No, survey results don’t prove anything because people don’t fill in surveys. No, calls for people to report on their usage don’t mean anything in determining who and how many are using anything. The assumption should be — in the absence of proof otherwise — that the SecurityManager is very widely used, that where it is used it is mission critical, and that unless there is a migration path to something at least equivalent, deprecation should not be on the table.

Gj

On Thu, 17 Feb 2022 at 21:50, arjan tijms <arjan.ti...@gmail.com> wrote:

> Hi,
>
> On Thu, Feb 17, 2022 at 5:45 PM Bowes, David <d.h.bo...@lancaster.ac.uk> wrote:
>
>> Your argument follows ’10,000 lemmings can’t be wrong’....
>
> I didn't mean to say that the 10k lemmings are right. What I was trying to say is that the JDK team was making a tool that 10k-1 lemmings are not using. So for the 1 lemming who is using the tool as intended, the costs of maintaining it are seemingly too high.
>
> Kind regards,
> Arjan
>
>> David
>>
>> ------------------------------
>> *From:* arjan tijms <arjan.ti...@gmail.com>
>> *Sent:* Thursday, February 17, 2022 1:29:04 PM
>> *To:* Bowes, David <d.h.bo...@lancaster.ac.uk>
>> *Cc:* security-dev@openjdk.java.net <security-dev@openjdk.java.net>
>> *Subject:* [External] Re: deprecation of SecurityManager JEP 411
>>
>> *This email originated outside the University. Check before clicking links or attachments.*
>>
>> Hi,
>>
>> On Wed, Feb 16, 2022 at 6:24 PM Bowes, David <d.h.bo...@lancaster.ac.uk> wrote:
>>
>>> I used the SecurityManager with great success to protect against Log4JShell.
>>>
>>> [...] I would suggest that the SecurityManager does protect me from significant threats.
>>
>> While I don't disagree with you entirely, the problem is that seemingly almost nobody actually uses the security manager to protect against things like Log4JShell. The proof is in the pudding. If the security manager indeed protected against that in practice to a sufficient degree, then Log4JShell wouldn't have been a problem at all, would it? Yet it was, and the security manager is still there at the moment.
>>
>> I understand one could argue that without the security manager the impact of Log4JShell would have been even bigger, but I've not seen any evidence stating that.
>>
>> Given the way Java is now predominantly used, I think a better choice might be to have the Java applications run on virtual servers that restrict at that virtual server level which domains and IPs outgoing traffic may connect to.
>>
>> Finally, I think nobody is saying there is no value at all in the security manager, but just that the amount of work required to maintain it vs the practical benefits are non-optimal, at least with the current way the security manager and its permissions and policies work.
>>
>> Kind regards,
>> Arjan Tijms
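The thread above argues about whether a SecurityManager-based egress restriction is a practical mitigation for Log4JShell-style JNDI lookups. The following is an added illustration of that one control, written for this page and not code from the thread, the JDK, or any of the participants: a `SecurityManager` subclass that denies name resolution and outbound connections to any host not on an allow-list, leaving every other check permissive so the demo isolates the egress decision. The class name, the allow-listed hostnames (`localhost`, `db.internal.example`) and the blocked placeholder `ldap.attacker.invalid` are all constructed for the example. It compiles against JDK 17 (where JEP 411 marks `SecurityManager` deprecated for removal, so the class carries `@SuppressWarnings("removal")`); on JDK 18 and later it must be launched with `-Djava.security.manager=allow`, otherwise `System.setSecurityManager` throws `UnsupportedOperationException`.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.security.Permission;
import java.util.Set;

/**
 * Hypothetical egress allow-list SecurityManager (added example, not from the thread).
 * Only name resolution and outbound connections to allow-listed hosts are permitted.
 * Every other SecurityManager check is left permissive so the demo shows just the
 * control that stops an injected JNDI lookup from reaching an attacker-controlled host.
 */
@SuppressWarnings("removal")
public class EgressAllowListManager extends SecurityManager {

    private final Set<String> allowedHosts;

    public EgressAllowListManager(Set<String> allowedHosts) {
        this.allowedHosts = Set.copyOf(allowedHosts);
    }

    // Permit all other permission checks (file, property, reflection, ...).
    // A production policy would be far tighter; this keeps the demo focused on egress.
    @Override
    public void checkPermission(Permission perm) { }

    @Override
    public void checkPermission(Permission perm, Object context) { }

    // The JDK calls checkConnect(host, -1) before resolving a hostname and
    // checkConnect(host, port) before opening a socket, so a denial here stops the
    // outbound LDAP/RMI fetch before any DNS query or TCP handshake takes place.
    @Override
    public void checkConnect(String host, int port) {
        if (!allowedHosts.contains(host)) {
            throw new SecurityException("egress to " + host + ":" + port + " denied by allow-list");
        }
    }

    @Override
    public void checkConnect(String host, int port, Object context) {
        checkConnect(host, port);
    }

    /** True when resolving {@code host} is permitted by the installed manager. */
    static boolean resolutionAllowed(String host) {
        try {
            InetAddress.getByName(host);
            return true;
        } catch (SecurityException denied) {
            return false;
        } catch (UnknownHostException e) {
            // Resolution was permitted but failed; the control itself did not deny it.
            return true;
        }
    }

    public static void main(String[] args) {
        // JDK 17 prints a deprecation warning here; JDK 18+ needs -Djava.security.manager=allow.
        System.setSecurityManager(new EgressAllowListManager(Set.of("localhost", "db.internal.example")));

        // "ldap.attacker.invalid" is a constructed placeholder for the host an injected
        // lookup would try to contact; the .invalid TLD guarantees it never resolves anyway.
        System.out.println("localhost allowed:             " + resolutionAllowed("localhost"));
        System.out.println("ldap.attacker.invalid allowed: " + resolutionAllowed("ldap.attacker.invalid"));
    }
}
```

Running it prints `true` for `localhost` and `false` for the placeholder host, the second denial being raised inside `InetAddress.getByName` before any network traffic. This is the same outcome Arjan's suggested alternative (an egress filter at the virtual-server level) produces, with the difference that the SecurityManager variant is enforced inside the JVM and so also governs code paths that never touch the OS firewall rules, at the cost of a policy that has to be maintained alongside the application.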