You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@netbeans.apache.org by GitBox <gi...@apache.org> on 2019/05/30 06:41:12 UTC
[GitHub] [netbeans] JaroslavTulach commented on issue #1092: Using Graal.js
19.0.0 via Scripting in platform/core.network
JaroslavTulach commented on issue #1092: Using Graal.js 19.0.0 via Scripting in platform/core.network
URL: https://github.com/apache/netbeans/pull/1092#issuecomment-497223020
Thanks for your review @matthiasblaesing - I've just rewritten the initial comment in this PR to provide higher level overview of the current state of the PR. Hopefully it addresses some of your concerns.
> I have some doubts, that the Scripting API module is helpful though.
`Scripting` API allows anyone to plug in their preferred engine of choice.
> If other engines are used, the user will have a false sense of security, that is not in place.
The `ALLOWED_PAC_ENGINES` API allows vendor of a NetBeans Platform based application to restrict which engine is used for PAC resolution and thus guarantee the security is in place.
> I see, that the ClassLoader magic is helpful here, but is that enough to make it worth it?
There is a lot of `JavaScriptEngineTest`s that check and compare the behavior of all the known engines - `Nashorn`, `Graal.js` and `GraalVM:js` - all of them behave more or less identically and seem to be sufficiently secure. True, the security of `Nashorn` and `Graal.js` is achieved by special configuration of the engines via properties, reflection and `ClassLoader` magic. On the other hand `GraalVM:js` is configured via public API method calls only. As such I trust it the most and I made it the first choice for PAC resolution in the NetBeans IDE.
However I don't want to restrict freedom of NetBeans Platform vendors. They are encouraged to provide other engines and configure their security before enabling their usage in the `ALLOWED_PAC_ENGINES` branding API.
> I'm ok with merging this
Great. I'll give you guys few more days and then finally close this eight months long endeavor of mine, hopefully.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: notifications-unsubscribe@netbeans.apache.org
For additional commands, e-mail: notifications-help@netbeans.apache.org
For further information about the NetBeans mailing lists, visit:
https://cwiki.apache.org/confluence/display/NETBEANS/Mailing+lists