WG 23 N1076

Notes from WG 23 / Java Community Group leadership re ISO/IEC WD 24772-11 Java language vulnerabilities

15 April 2021

From Java Community
Heather Van Cura, Oracle
Aleksei Voitylov, BellSoft
Anish Karmarker, Oracle

WG 23
Stephen Michell, Convenor

Introductions

Results from Java Community Executive meeting

The JCP executive discussed WG 23's request to participate in the production of ISO/IEC 24772-11 Java language vulnerabilities on April 12 or 13 2021. In general the executive is not very supportive at present. It is instructive that none of the three participants on the call had read any of 24772-1 Language independent vulnerabilities or 24772-11 Java language vulnerabilities.

Target audience

Concern was expressed about the static nature of an ISO/IEC standard or TR making statements about a language that issues a release every 6 months. They acknowledged that a "supported release" occurs every three years, but contend that new features are introduced in any release. There was concern about keeping secure guidelines up to date.

It was stated that the community actively deprecates and removes features that have proven to be problematic. Hence the document may become incorrect about the availability or usage of features that have been removed. Missing from this discussion was the fact that the JCP actively supports a number of generations of Java, and removing a feature in Java 17 does not make the feature obsolete in Java 8.

A discussion was held about whether the vulnerabilities document targets the published language or implementations. It was explained that implementations are not targeted. SAP, RedHat and Google develop Java runtimes.

A discussion was held about the use of "shall" in the document. Steve explained that the only obligatory text (if it becomes a standard) is related to Part 1's reliance on formal development processes such as IEC 61508-3 or ISO/IEC 27001 where applicable. No shalls in the document?

There was a concern that the document may recommend avoiding features that the Java community endorses. Steve attempted to explain that projects restrict language usage for many reasons, and there is no negative connotation on the language itself or the features provided. Concerns stay the same.

We are slated for a follow-up conversation about the beginning of June. They committed to reading the documents before that meeting.