The community is currently discussing whether to handle the security of Java separately, in a group outside the community.
In the future, the security aspects of Java SE are to be handled separately in the OpenJDK Vulnerability Group. The group is to stand outside the open source community but be made up of trusted community members who work closely with Oracle's internal security team. In some cases, the Vulnerability Group is also to work with external organizations. The group is to work on security issues that are not otherwise addressed and, above all, to coordinate the development of updates.
The introduction of the Java Platform Module System is meant to make Java easier. Critics, however, fear incompatibilities with existing applications. The OpenJDK Vulnerability Group, for its part, is to coordinate the work on the security of the platform. (Image: Oracle)
The proposal for this group comes from Mark Reinhold, the Chief Architect of the Java Platform Group at Oracle. In principle, such a group is in breach of the provisions of OpenJDK.
“The Governing Board has discussed the creation of a Vulnerability Group for a while,” says Reinhold in a short notice. Due to the high sensitivity of this topic, certain rules must be adhered to. “The membership will be much more selective, there will be strict communication rules, and the members or their employees will have to sign non-disclosure and license contracts,” Reinhold added.
For this exception, however, framework conditions now have to be created; these arrangements were discussed by the Governing Board. The group will be led by Andrew Gross, the head of Oracle's Java Vulnerability team. In a further document, Reinhold lists more information about the group.
Currently, there is no coordinated security work in the OpenJDK community. Vendors such as Canonical, IBM, and SAP, which develop products based on OpenJDK, take care of the security of these products themselves. In some cases, it is necessary to consult Oracle. This type of development, however, is very inefficient. As positive examples, Reinhold cited the security group of the Eclipse Foundation and the security policies of WebKit.
In the case of Java Enterprise Edition (Java EE), Oracle is examining whether the further development of this software should be outsourced to the community.