db-derby-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kristian Waagan <Kristian.Waa...@Sun.COM>
Subject Re: Just how more secure is (will be) 10.3 than 10.2?
Date Tue, 05 Jun 2007 12:00:29 GMT
Bernt M. Johnsen wrote:
>>>>>>>>>>>>> John Embretsen wrote (2007-06-05 10:42:22):
>> Daniel John Debrunner wrote:
>>> Rick Hillegas wrote on derby-user>
>>> http://mail-archives.apache.org/mod_mbox/db-derby-user/200706.mbox/%3c46648064.6000809@sun.com%3e

>>>> The upcoming release of Derby 10.3 will make networked configurations 
>>>> safer by installing a Java security manager if the user forgets to 
>>>> install one. [snip]. As a result, it will be harder for hackers to 
>>>> corrupt multi-user applications and shared machines.
>>> One item that's missing from the post to the user list and any 
>>> discussion around this issue is how much more secure is 10.3 than 10.2? 
>>> It's worth stepping back and looking at the overall picture. I'd hate 
>>> for 10.3 to be overselling its security.
>> Measuring security is very hard, so I understand why Rick did not include 
>> any such claims in the post to derby-user, but I agree that it seems that 
>> this has not been thought through as much as some of us would have
>> liked.
> Personally, I think that we should not label 10.3 as "more secure"
> than 10.2. The different Derby security features will be completely
> irrelevant in some contexts while they will be cruical for the
> security in other contexts.
> We should rather claim that 10.3 has "more security features" than
> 10.2 and that more of them are enabled by default.

+1 to this kind of wording!
Doesn't really matter if we have "all" security features if they are 
wrongly configured, or not used at all, at the deployment site. The 
user/deployer is still, and will always be I guess, a crucial part of 
the security picture.


>> [...snip...]
>>> I certainly think that any documentation or discussion should not imply 
>>> in any way that 10.3 out of the box is a secure system.
>> +1.
> +1 Definitely.

View raw message