Thu, 6 Apr 2000 13:32:13 -0500
> Specification (I&RTS) v4.0 states that "Developers shall not use
> compilers designed to convert code developed in other languages (e.g.,
> Ada, C++) to create Java byte-codes. This restriction is important
> because such compilers may inadvertently bypass intended Java security

I would be glad to see this removed. On the other hand:

I have read some Web pages (sorry, forgot URIs) that made it quite clear
that "Java security" is not nearly what it's hyped to be. It's hacked in
rather than designed in. In one case, the language syntax was even
changed to plug a security hole.

Anyway, one of these web pages mentioned a security hole that could not be
exploited in Java, but could be exploited if you had a J-code assembler.
It's certainly possible for any compiler--including a Java compiler that's
not fully compliant with the spec--to exploit this hole.

Another page complained that formal verification of security is difficult
because the "Java language is not clearly defined enough."

Plus, if you are using dozens of Java libraries you didn't write, how do
you know they are secure?

Finally, remember that both Sun and Microsoft label their Java products
with the disclaimer that they are NOT to be used in any safety-critical