Comment Re:Using a company field to extract key VM info? (Score 1) 397
How's this: write a short Java stub that detects the runtime environment from within the VM and passes back a guaranteed consistent string to the wrapper that then decides how to start the Java VM and run the main application. When your supported VMs are upgraded by the vendor - you've got a tiny little Java app to update and the rest of the behemoth is never touched.
Hell, you could even have the runtime detection code return the actual command line to start the main application so that the wrapper can be as simple as possible.
Is this rocket science? No.
Is this difficult? No.
Is this inefficient? No - it's about the best option when you can't change the VM runtime parameters at runtime. You've got one more VM invocation for an app that will probably run for 8 or more hours at a time.
Does this suffer from the schoolboy error of accepting arbitrary unvalidated variable input and assuming it is 100% correct, immutable, and altering your whole user experience based on it? No.
Does this have the geek credit associated with extracting the vendor string from a Windows executable? No.
Considering that the alternative is so simple, and would be cross-platform to boot, I call shenanigans on the Eclipse Windows devs and assume the last point was the one that drove them to do it the way they did.
It doesn't help your confidence in their development skills that their way is also a classic security blunder. Since there's no way to validate the input, they shouldn't be even considering using it without sanitation, and even then - there's no way to know if it's correct. The runtime detection I have described will at least give them the configuration of the *runtime* which is, after all, what they are looking for. While the Java VM may protect them from certain kinds of vulnerability - the fact that their mindset is such that they are happily relying on unverifiable, uncontrollable data as a means to control the entire behaviour of their application is astonishing and makes me question the security of the whole app.
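A sketch of the detection stub the comment describes, added here as an illustration; it is not the commenter's code nor anything from Eclipse. The class name `RuntimeProbe`, the `Profile` enum and the launch arguments per profile are all made up for the example (the JVM flags are real HotSpot/OpenJ9 options but the values are not tuned for any particular application). The one design point it demonstrates is the security angle raised above: the stub reads properties the running VM sets about itself, collapses them to a closed set of profile names, and emits only from that closed set, so the wrapper never has to trust free-form input (assumes Java 9 or later for `Map.of`).

```java
import java.util.Locale;
import java.util.Map;
import java.util.Properties;

/**
 * Hypothetical runtime-detection stub (example code, not from the original post).
 * A thin wrapper launches this first, on the same VM it intends to use for the
 * real application. The stub inspects the VM it is actually running on via
 * System properties that the VM populates itself, reduces that to one of a
 * fixed set of profile names, and prints the launch line the wrapper should use.
 */
public final class RuntimeProbe {

    /** Canonical profiles: the only tokens this stub will ever emit. */
    enum Profile { HOTSPOT, OPENJ9, UNKNOWN }

    /** Launch arguments per profile (illustrative values, assumed for the example). */
    private static final Map<Profile, String> LAUNCH_ARGS = Map.of(
        Profile.HOTSPOT, "-Xms256m -Xmx2g -XX:+UseG1GC",
        Profile.OPENJ9,  "-Xms256m -Xmx2g -Xshareclasses",
        Profile.UNKNOWN, "-Xmx1g"
    );

    /** Classify the VM from its own self-reported properties; anything unfamiliar is UNKNOWN. */
    static Profile detect(Properties props) {
        String vmName = props.getProperty("java.vm.name", "").toLowerCase(Locale.ROOT);
        if (vmName.contains("openj9")) {
            return Profile.OPENJ9;
        }
        if (vmName.contains("hotspot") || vmName.contains("openjdk")) {
            return Profile.HOTSPOT;
        }
        return Profile.UNKNOWN;
    }

    /**
     * Build the single line the wrapper consumes: "<PROFILE> <args>".
     * The argument table is under our control, but the check still guards
     * against a future edit slipping shell-significant characters into it.
     */
    static String launchLine(Profile profile) {
        String args = LAUNCH_ARGS.get(profile);
        if (!args.matches("[A-Za-z0-9+:=.\\- ]*")) {
            throw new IllegalStateException("launch arguments contain unexpected characters");
        }
        return profile.name() + " " + args;
    }

    public static void main(String[] argv) {
        // Detect the VM we are running on and hand the wrapper a canonical answer.
        Profile profile = detect(System.getProperties());
        System.out.println(launchLine(profile));
    }
}
```

A wrapper script would run `java -cp <dir> RuntimeProbe`, read the first word of the output, and only proceed if it is exactly one of `HOTSPOT`, `OPENJ9` or `UNKNOWN` (a `case` statement with a rejecting default does this in a shell). Because both ends agree on a closed vocabulary, a VM upgrade that changes `java.vm.name` degrades to the `UNKNOWN` profile rather than to undefined behaviour, and the only file that ever needs touching is this stub.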