My problem is that after looking into the issue the java security manager is the only way to do proper sandboxing (compared to custom class loaders that refuse to load based on name etc.). While it’s true there may have been escapes in the past it seems silly to disable the #1 and only recommended way of sandboxing.
I was tempted to just release the mod without any restriction. I still might just make it a flag in the configuration to enable multiplayer rather than completely prevent it. And so what have they gained by removing one of the core things that Java has always been known for (sandboxing)?
Their currently security manager (which can’t be overridden) still allows file access, which is one of the main ways to destroy a system.
But thanks for the info, i’ll check out Sponge some more now and see if I can play with the security manager. I wonder about releasing it as a vanilla mod that would be incompatible with other mods, I don’t really know if that matters much because I take over the world provider anyway. But it would be nice to have both sandboxing and compatibility with other mods.