Thanks, Jaikiran, for taking this issue to security-dev and for making
changes to ant to reduce the amount of noise.

On 6/28/21 10:22 AM, Jaikiran Pai wrote:
I spent some time on this today and experimented with some sample
build scripts and I noticed that these warning messages are a lot more
intrusive in their current form than what I had initially thought or
noticed.
Based on your and one other user's inputs so far, I've raised a
discussion in the security-dev mailing list of OpenJDK, explaining how
this is currently impacting the Ant project and some potential ways to
reduce this impact. The discussion thread is here
https://mail.openjdk.java.net/pipermail/security-dev/2021-June/026660.html
-Jaikiran

On 28/06/21 8:22 pm, Rick Hillegas wrote:
Thanks for that explanation, Jaikiran.

On 6/27/21 8:29 PM, Jaikiran Pai wrote:
Hello Rick,
Thank you for this report. We have been watching this area and have
been aware of this issue, including one other user report[1]. I'm
just waiting for things to become a bit more clear on this front
before coming up with any proposal in the Ant project on how to deal
with this. Clearly our permissions[2] type and the whole security
manager based implementation will be impacted and needs a rethink.
For the java task, we by default apply certain permissions when run
without "fork". That's what is triggering this warning. It has been
there in the build 26 EA of JDK 17 as well - of course, that version
didn't include the exact class which was calling the
System.setSecurityManager. That additional detail got included
recently[3].
[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=65381
[2] http://ant.apache.org/manual/Types/permissions.html
[3] https://github.com/openjdk/jdk17/pull/13
-Jaikiran

On 27/06/21 11:22 pm, Rick Hillegas wrote:
Open JDK 17 build 17-ea+28-2534 causes the ant 1.10.6 <java> task
to produce the following warnings when you DON'T fork the JVM:

WARNING: A terminally deprecated method in java.lang.System has been called
WARNING: System::setSecurityManager has been called by org.apache.tools.ant.types.Permissions (file:/opt/ant/lib/ant.jar)

For more information, see
https://issues.apache.org/jira/browse/DERBY-7110?focusedCommentId=17370259&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17370259
and
https://issues.apache.org/jira/browse/DERBY-7110?focusedCommentId=17370302&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17370302
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@ant.apache.org
For additional commands, e-mail: dev-h...@ant.apache.org