16 points pfirmst | 8 comments
1. pfirmst ◴[] No.42189343[source]
Looking for interested parties to assist in maintaining a fork of OpenJDK with authorization. Note this isn't for sandboxing untrusted code, but instead to only allow loading trusted code and to automate generation of principle-of-least-privilege policy files for auditing with user Principals and Code Signers.
replies(2): >>42190229 #>>42190244 #
2. mdaniel ◴[] No.42190229[source]
Two things:

Are you planning on getting the TCK so your JVM will be trustworthy to run in prod?

Are you going to backport these changes to all the concurrent releases, or do potential consumers have to "ride HEAD" to use your JVM? Based on the number of "we're still on Java 8" comments that always show up in any JVM submission, I'd guess one would want to be mindful of the versions their audience requires; otherwise it's basically your own private fork.

replies(2): >>42190698 #>>42190755 #
3. mdaniel ◴[] No.42190244[source]
Since I am not the target audience for this, pardon me if this seems like a silly question, but wouldn't just using a custom ClassLoader or even an Agent get this done, without having to full-on fork the JDK?
replies(2): >>42193507 #>>42202170 #
4. ◴[] No.42190698[source]
5. immibis ◴[] No.42190755[source]
How much does TCK cost again?
replies(1): >>42196926 #
6. bzzzt ◴[] No.42193507[source]
This project looks like it's trying to conserve the old SecurityManager (from the Java Applet/Webstart days) implementation that's been removed from the OpenJDK tree. The motivation is on the website: only a very small number of people still use this, but if you're one of them and have a legacy application that depends on the old behavior you don't want too many changes.
7. mdaniel ◴[] No.42196926{3}[source]
https://openjdk.org/groups/conformance/JckAccess/#:~:text=av...
8. pfirmst ◴[] No.42202170[source]
It requires low-level hooks and support from within the JVM. Using agents is brittle and difficult to secure. The simplest solution is just to fork. I did spend some time investigating these methods before making the decision.

https://github.com/pfirmstone/HighPerformanceSecurity