portal entry

select a category, or use search below
(searches all categories and all time range)

OSGi Support is Needed to Assure Secure Code

| View in Portal
July 14, 2020 12:12:52 PM GMT
<p>Here is a serious question to ponder. I have been supporting the Adobe Experience Manager (AEM) at two different companies over the past five years.  The AEM and Lucee support OSGi framework over JVM which makes these applications faster (on compile) and more secure. Is there any forward  looking plans to support OSGi (and Maven).</p>
<p>The post <a rel="nofollow" href="https://coldfusion.adobe.com/2020/07/osgi-support-needed-assure-secure-code/">OSGi Support is Needed to Assure Secure Code</a> appeared first on <a rel="nofollow" href="https://coldfusion.adobe.com">ColdFusion</a>.</p>
Labels: Discussion, Updates, ColdFusion, discussion, security, updates


<p>I’m not aware of any such plans, but I realize you will prefer to hear from someone at Adobe or with a more authoritative answer.</p><p>That said, while OSGI is indeed powerful (which has its pros and cons), you highlight improved compile time as a goal. Since CF code is compiled the first time it’s executed (or edited, and that compilation is saved and re-used by default, even over CF restarts), compile time should be a negligible concern.</p><p>You also mention Maven, but of course CFML developers have no use for that…and while with Lucee being open source there may have been a benefit in compiling the Lucee engine itself, no developer outside of Adobe would even be compiling CF itself. (I suppose the key question is whether they, themselves, would somehow benefit from that aspect of a conversion of CF to an OSGI model.)</p><p>All that said, and while there may well be other benefits to having Adobe adopt OSGI as a platform, it’s not without its challenges (especially for such a large project as CF), <a href="https://dev.lucee.org/t/osgi-lucee-s-white-whale-or-white-knight/2314" rel="nofollow">as the Lucee team documented</a>.</p><p>But again, since you have asked, let’s see if anyone else may have more to say.</p>
Comment by Charlie Arehart
4792 | July 15, 2020 08:41:38 PM GMT
A key benefit of using OSGI is the ability to target which version of a Java library you wish to use on the server, whilst also allowing multiple versions to be installed and used at once. I personally see that as the key benefit to OSGI and would strongly encourage Adobe to adopt OSGI.
Comment by Benjamin Reid
4793 | July 15, 2020 11:24:50 PM GMT
Christopher, can you elaborate your thoughts on how using OSGi makes coding more secure?
Comment by Benjamin Reid
4794 | July 15, 2020 11:34:14 PM GMT
Benjamin, are you aware that CF (since 10) has already allowed application-level class loading, so that a given app can use a different version of a library than is setup for all of CF? No, not "the same thing", but if someone didn't realize that was an option, they may feel that CF is "stuck allowing only one version of a library". And I can't tell if you saw my reply to Christopher here, yesterday. Since you have more knowledge of OSGI, I'd be curious if you have any thoughts on what I said. No worries if you did not have any to add.
Comment by Charlie Arehart
4796 | July 16, 2020 02:56:55 PM GMT