> On Jan 10, 2017, at 8:42 AM, Sergey Bylokhov <sergey.bylok...@oracle.com> wrote:
>
> Hello,
> Please review the new version:
> http://cr.openjdk.java.net/~serb/8149879/webrev.03
> The specification of addResourceBundle() is updated.
>

It would be useful to add @see ResourceBundle#getBundle(String, Locale, ClassLoader). The copyright end year needs to be updated to 2017.

Otherwise, looks good. No need to send a new webrev unless others have comments to require a new webrev.

Mandy

>>
>>> On Dec 22, 2016, at 1:33 AM, Semyon Sadetsky <semyon.sadet...@oracle.com> wrote:
>>>
>>> On 20.12.2016 19:41, Mandy Chung wrote:
>>>>
>>>>> On Dec 20, 2016, at 8:24 AM, Sergey Bylokhov <sergey.bylok...@oracle.com> wrote:
>>>>>
>>>>>>>> If this private data can be loaded to the UIDefaults or to other class
>>>>>>>> then it will be read anyway. Are the Swing/AWT properties files
>>>>>>>> content really secret?
>>>>>>> My point is that there are no secrets, but the bug description states
>>>>>>> that such bundles can be added some day later.
>>>>>> But what secret can be here?
>>>>>
>>>>> I think Mandy can clarify that.
>>>>
>>>> The API should only allow user code to request adding a resource bundle
>>>> that is accessible to the user. A private resource bundle in
>>>> java.desktop that may contain security sensitive information is not
>>>> intended to be registered in UIDefaults and of course it should be
>>>> encapsulated. You may think that today there is no security sensitive
>>>> information but we can’t guarantee until an audit to all resource bundles
>>>> is done and also continuously for every change is made.
>>> Okay, Mandy. It may make sense, but those sensitive files, if they appear,
>>> will be able to be extracted from the module jmod file.
>>>
>>> I still think that the rule to search for resources should be explicitly
>>> clarified in the method spec. Do you think it's not necessary?
>>
>> See my suggested spec clarification from:
>> http://mail.openjdk.java.net/pipermail/swing-dev/2016-December/007097.html
>>
>>> Also I have a question to the fix author:
>>> What will be the result of the method call from another named module with
>>> aim to load resource bundle located in this named module?
>>
>> This is a RFE that I think probably should provide a new API to pass a
>> Supplier<ResourceBundle>
>>
>> Mandy
>