On Wed, 13 Mar 2024 16:57:17 GMT, Mat Carter <maca...@openjdk.org> wrote:
>> This fixes the defect described at >> https://bugs.openjdk.org/browse/JDK-8313367 >> >> If the process does not have write permissions, the store is opened as >> read-only (instead of failing). >> >> Please note that permissions to use a certificate in a local machine store >> must be granted - in a management console, select a certificate, right-click >> -> All tasks... -> Manage Private Keys... -> add Full control to user. > > I welcome your contribution and feel that it will be a worthwhile > improvement; and I'm happy to give feedback (and have done already), but as > an author I'm not able to sponsor this change. > > The original enhancement has gone through a review process and has not had > any security related bugs raised against it. The scenario this change > targets is a valid one, but is not a security vulnerability as the original > enhancement does not circumvent security. The choice to deploy to a > less-secure environment to use the feature is a user choice. > > While the change in this PR is trivial, it is still classed as an enhancement > as it's not addressing a bug; ie. the original change functions as expected. > That you have identified a scenario and supplied a patch is much appreciated; > however the change will need to go through review as it changes > functionality; again we'll need to consider informing the user as the change > could lead to unexpected deployment issues (it may also require documentation > changes [CSR]). @macarte If you find the change ok, you can also add yourself as a reviewer even if the OpenJDK bot might not count you as a *R*eviewer. ------------- PR Comment: https://git.openjdk.org/jdk/pull/16687#issuecomment-1995257115
