> On Dec 22, 2016, at 1:33 AM, Semyon Sadetsky <semyon.sadet...@oracle.com> > wrote: > > > > On 20.12.2016 19:41, Mandy Chung wrote: >> >>> On Dec 20, 2016, at 8:24 AM, Sergey Bylokhov <sergey.bylok...@oracle.com >>> <mailto:sergey.bylok...@oracle.com>> wrote: >>> >>>>>> If this private data can be loaded to the UIDefaults or to other class >>>>>> then it will be read anyway. Are the Swing/AWT properties files content >>>>>> really secret? >>>>> My point is that there are no secrets, but the bug description states >>>>> that such bundles can be added some day later. >>>> But what secret can be here? >>> >>> I think Mandy can clarify that. >> >> >> The API should only allow user code to request adding a resource bundle that >> is accessible to the user. A private resource bundle in java.desktop that >> may contain security sensitive information is not intended to be registered >> in UIDefaults and of course it should be encapsulated. You may think that >> today there is no security sensitive information but we can’t guarantee >> until an audit to all resource bundles is done and also continuously for >> every change is made. > Okay, Mandy. It may make sens, but those sensitive files, if they appear, > will be able to be extracted from the module jmod file. > > I still think that the rule to search for resources should be explicitly > clarified in the method spec. Do you think it's not necessary?
See my suggested spec clarification from: http://mail.openjdk.java.net/pipermail/swing-dev/2016-December/007097.html <http://mail.openjdk.java.net/pipermail/swing-dev/2016-December/007097.html> > Also I have a question to the fix author: > What will be the result of the method call from another named module with aim > to load resource bundle located in this named module? This is a RFE that I think probably should provide a new API to pass a Supplier<ResourceBundle> Mandy
