How should OpenJDK handle security?
March 25, 2009
I recently posted a problem report to an OpenJDK mailing list. I wasn’t even sure if it was a real problem, so I thought I’d bring it up for discussion. A Sun developer then replied in private and told me that this is actually a security issue, that a (non-public) bug entry has been filed in Sun bug DB and that it will be fixed soon.
I understand that Sun has special requirements for handling security issues. But this doesn’t feel right. I post a problem in public (so the info for evil hackers is out anyway), then things happen in secret labs, and at some point a fix pops up in the repos.
It could be argued that it was my fault because I brought up a security issue in public in the first place, instead of first discussing it in private. But then, where is the private channel for reporting OpenJDK security issues? And more importantly, how should an innocent hacker like me (*ahem*) know that something is in fact a security issue? Of course, I had a feeling that it could be one; this is why I wanted it evaluated. But then everything must be reported private-first, because many bugs can turn out to be security issues. In closed-source days, this might have made sense, because initial bug reports didn't become public until somebody had evaluated them. But for an open project like OpenJDK it doesn't make so much sense.
So how should OpenJDK handle security issues? Some people are in the mood for refactoring OpenJDK processes, so I thought it would make sense to bring this up now.