Hello,
Please review the new version:
http://cr.openjdk.java.net/~serb/8149879/webrev.03
The specification of addResourceBundle() is updated.

>> On Dec 22, 2016, at 1:33 AM, Semyon Sadetsky <semyon.sadet...@oracle.com> wrote:
>>
>> On 20.12.2016 19:41, Mandy Chung wrote:
>>>
>>>> On Dec 20, 2016, at 8:24 AM, Sergey Bylokhov <sergey.bylok...@oracle.com> wrote:
>>>>
>>>>>>> If this private data can be loaded to the UIDefaults or to other class
>>>>>>> then it will be read anyway. Are the Swing/AWT properties files content
>>>>>>> really secret?
>>>>>> My point is that there are no secrets, but the bug description states
>>>>>> that such bundles can be added some day later.
>>>>> But what secret can be here?
>>>>
>>>> I think Mandy can clarify that.
>>>
>>> The API should only allow user code to request adding a resource bundle
>>> that is accessible to the user. A private resource bundle in java.desktop
>>> that may contain security sensitive information is not intended to be
>>> registered in UIDefaults and of course it should be encapsulated. You may
>>> think that today there is no security sensitive information but we can’t
>>> guarantee until an audit to all resource bundles is done and also
>>> continuously for every change is made.
>> Okay, Mandy. It may make sense, but those sensitive files, if they appear,
>> will be able to be extracted from the module jmod file.
>>
>> I still think that the rule to search for resources should be explicitly
>> clarified in the method spec. Do you think it's not necessary?
>
> See my suggested spec clarification from:
> http://mail.openjdk.java.net/pipermail/swing-dev/2016-December/007097.html
>
>> Also I have a question to the fix author:
>> What will be the result of the method call from another named module with
>> aim to load resource bundle located in this named module?
>
> This is a RFE that I think probably should provide a new API to pass a
> Supplier<ResourceBundle>
>
> Mandy