[rfc][icedtea-web] policytool in itweb-settings

Andrew Azores aazores at redhat.com
Fri Jan 24 11:34:54 PST 2014

On 01/21/2014 02:35 PM, Andrew Azores wrote:
> On 01/21/2014 12:29 PM, Jacob Wisor wrote:
>> On 01/21/2014 05:52 PM, Andrew Azores wrote:
>>> (snip)
>> I am not talking about technical effects. I am talking about effects 
>> on support staff and admins. They may not be familiar with J2SE's 
>> policy system yet when their user's and customers start calling in 
>> for help. You know, it is not uncommon for large organizations that 
>> provide in-house support to have their staff (really, this does 
>> sometimes happen indeed!) trained for a specific set of applications 
>> and thus features. They truly rely on specific feature sets and 
>> incremental evolution of software. Of course, this feature will 
>> probably not generate as many support calls as resetting passwords, 
>> but lets not make those people's lives miserable by introducing 
>> effects that they assumed not to exist with the current minor version 
>> release. So please, just do all of us a favor and do not backport it. 
>> Believe me, I know what I am talking about.
>> Jacob
> Well, I see what you mean. I don't really see it causing problems but 
> "better safe than sorry" I suppose.
> Jiri, do you have a compelling argument against Jacob's? ;)
> Thanks,

After much discussion and debate on IRC, I've been convinced to go ahead 
and create a 1.4 backport patch and propose it here. It is attached. 
Here is the justification for the backport as far as I remember:

(1) The underlying feature already exists, this simply makes it more 
(2) The permission system is constructive only, and so it is very 
difficult to imagine a scenario where a user's custom policy file can 
possibly break an application. This would mean the application depends 
on being denied runtime permissions. Most users are probably never going 
to bother trying this, and if they do, it should be completely harmless

And the arguments against backporting:

(3) Additional load on IT support people in companies that are using 
IcedTea-Web, as this is a "new feature" being introduced within the same 
minor version number
-- However, this is thought to be negligible because of (2) above

Personally, I do not care much either way. I don't believe there is any 
strong reason to not backport, and I also don't see much benefit to 
backport. This is because I consider the custom policy editing to be of 
little use without functionality similar to what is provided by the "Run 
In Sandbox button" patch (ie introducing a way to run signed applets 
with a restricted permissions set rather than granting AllPermission 
immediately and universally), which certainly will not be backported to 1.4.


Andrew A

-------------- next part --------------
A non-text attachment was scrubbed...
Name: custompolicy-backport-full.patch
Type: text/x-patch
Size: 19249 bytes
Desc: not available
Url : http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20140124/6c926881/custompolicy-backport-full-0001.patch 

More information about the distro-pkg-dev mailing list