db-derby-dev mailing list archives

From "Bernt M. Johnsen" <Bernt.John...@Sun.COM>
Subject Re: Just how more secure is (will be) 10.3 than 10.2?
Date Tue, 05 Jun 2007 09:26:36 GMT
>>>>>>>>>>>> John Embretsen wrote (2007-06-05 10:42:22):
> Daniel John Debrunner wrote:
> >Rick Hillegas wrote on derby-user>
> >
> >http://mail-archives.apache.org/mod_mbox/db-derby-user/200706.mbox/%3c46648064.6000809@sun.com%3e

> >
> >
> >>The upcoming release of Derby 10.3 will make networked configurations 
> >>safer by installing a Java security manager if the user forgets to 
> >>install one. [snip]. As a result, it will be harder for hackers to 
> >>corrupt multi-user applications and shared machines.
> >
> >One item that's missing from the post to the user list and any 
> >discussion around this issue is how much more secure is 10.3 than 10.2? 
> >It's worth stepping back and looking at the overall picture. I'd hate 
> >for 10.3 to be overselling its security.
> 
> Measuring security is very hard, so I understand why Rick did not include 
> any such claims in the post to derby-user, but I agree that it seems that 
> this has not been thought through as much as some of us would have
> liked.

Personally, I think that we should not label 10.3 as "more secure"
than 10.2. The different Derby security features will be completely
irrelevant in some contexts while they will be crucial for the
security in other contexts.

We should rather claim that 10.3 has "more security features" than
10.2 and that more of them are enabled by default.

> 
> [...snip...]
> 
> >I certainly think that any documentation or discussion should not imply 
> >in any way that 10.3 out of the box is a secure system.
> 
> +1.

+1 Definitely.

-- 
Bernt Marius Johnsen, Database Technology Group, 
Staff Engineer, Technical Lead Derby/Java DB
Sun Microsystems, Trondheim, Norway
