On Mon, May 8, 2023 at 9:17 PM Mark Reinhold <mark.reinh...@oracle.com> wrote: > > https://openjdk.org/jeps/451 > > Summary: Issue warnings when agents are loaded dynamically into a > running JVM. These warnings aim to prepare users for a future release > which disallows the dynamic loading of agents by default in order to > improve integrity by default. Serviceability tools that load agents at > startup will not cause warnings to be issued in any release. > > - Mark
First of all, thanks for adopting the "warning first" approach before disabling dynamic agent loading by default. I think that's reasonable and useful. I still wonder why this JEP has scope "SE"? During the discussion about the draft (which was initially about "disallowing by default") it was mentioned that once dynamic loading will be disabled by default, this will be mandated in the platform spec (e.g. in the package documentation of the java.lang.instrument package [1]). But now that the JEP was softened to a warning, do you still plan to mandate the warning in the SE platform spec as well? In general, I think the current specification (e.g. in [1]) is good and gives vendors the freedom to choose the approach which is most appropriate for their users (e.g. they could already now disable dynamic agent loading by default): "An implementation may provide a mechanism to start agents sometime after the VM has started. The details as to how this is initiated are implementation specific". Explicitly forbidding dynamic agent loading without a command line option in the specification seems over-regulative to me. Finally, I think it feels a little unfortunate that a JEP candidate already contains and mentions the JDK release where it will be implemented. This could create the impression that the JEP has been targeted long before it was publicly discussed and proposed. Thank you and best regards, Volker [1] https://docs.oracle.com/en/java/javase/20/docs/api/java.instrument/java/lang/instrument/package-summary.html
