> On Dec 20, 2016, at 8:24 AM, Sergey Bylokhov <sergey.bylok...@oracle.com> 
> wrote:
> 
>>>> If this private data can be loaded to the UIDefaults or to other class 
>>>> then it will be read anyway. Are the Swing/AWT properties files content 
>>>> really secret?
>>> My point is that there are no secrets, but the bug description states that 
>>> such bundles can be added some day later.
>> But what secret can be here?
> 
> I think Mandy can clarify that.


The API should only allow user code to request adding a resource bundle that is
accessible to the user. A private resource bundle in java.desktop that may
contain security-sensitive information is not intended to be registered in
UIDefaults and of course it should be encapsulated. You may think that today
there is no security-sensitive information, but we can’t guarantee that until an
audit of all resource bundles is done and also continuously for every change
that is made.

Mandy
