diff --git a/.gitignore b/.gitignore index 09a127e..5f70416 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u332-b09-4curve.tar.xz +SOURCES/openjdk-shenandoah-jdk8u-aarch64-shenandoah-jdk8u322-b06-4curve.tar.xz SOURCES/tapsets-icedtea-3.15.0.tar.xz diff --git a/.java-1.8.0-openjdk.metadata b/.java-1.8.0-openjdk.metadata index 03f54ee..dd9d11c 100644 --- a/.java-1.8.0-openjdk.metadata +++ b/.java-1.8.0-openjdk.metadata @@ -1,2 +1,2 @@ -a93b3d0fd5da1f95f22c85003fd3d4007e69ab32 SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u332-b09-4curve.tar.xz +c54dd40b6deb5defa8d4d7132d650080d0e300f4 SOURCES/openjdk-shenandoah-jdk8u-aarch64-shenandoah-jdk8u322-b06-4curve.tar.xz 7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz diff --git a/SOURCES/NEWS b/SOURCES/NEWS index f9af271..e911b13 100644 --- a/SOURCES/NEWS +++ b/SOURCES/NEWS 
@@ -3,70 +3,6 @@ Key: JDK-X - https://bugs.openjdk.java.net/browse/JDK-X CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY -New in release OpenJDK 8u332 (2022-04-19): -=========================================== -Live versions of these release notes can be found at: - * https://bitly.com/openjdk8u332 - * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u332.txt - -* Security fixes - - JDK-8269938: Enhance XML processing passes redux - - JDK-8270504, CVE-2022-21426: Better XPath expression handling - - JDK-8272255: Completely handle MIDI files - - JDK-8272261: Improve JFR recording file processing - - JDK-8272594: Better record of recordings - - JDK-8274221: More definite BER encodings - - JDK-8275151, CVE-2022-21443: Improved Object Identification - - JDK-8277227: Better identification of OIDs - - JDK-8277672, CVE-2022-21434: Better invocation handler handling - - JDK-8278008, CVE-2022-21476: Improve Santuario processing - - JDK-8278356: Improve file creation - - JDK-8278449: Improve keychain support - - JDK-8278805: Enhance BMP image loading - - JDK-8278972, CVE-2022-21496: Improve URL supports - - JDK-8281388: Change wrapping of EncryptedPrivateKeyInfo -* Other changes - - JDK-8033980: Xerces Update: datatype XMLGregorianCalendarImpl and DurationImpl - - JDK-8035437: Xerces Update: xml/serialize/DOMSerializerImpl - - JDK-8035577: Xerces Update: impl/xpath/regex/RangeToken.java - - JDK-8037259: xerces update: xpointer update - - JDK-8041523: Xerces Update: Serializer improvements from Xalan - - JDK-8141508: java.lang.invoke.LambdaConversionException: Invalid receiver type - - JDK-8162572: Update License Header for all JAXP sources - - JDK-8167014: jdeps: Missing message: warn.skipped.entry - - JDK-8198411: [TEST_BUG] Two java2d tests are unstable in mach5 - - JDK-8202822: Add .git to .hgignore - - JDK-8205540: test/hotspot/jtreg/vmTestbase/nsk/jdb/trace/trace001/trace001.java fails with Debuggee did not exit after 15 
commands - - JDK-8209178: Proxied HttpsURLConnection doesn't send BODY when retrying POST request - - JDK-8210283: Support git as an SCM alternative in the build - - JDK-8218682: [TEST_BUG] DashOffset fails in mach5 - - JDK-8225690: Multiple AttachListener threads can be created - - JDK-8227738: jvmti/DataDumpRequest/datadumpreq001 failed due to "exit code is 134" - - JDK-8227815: Minimal VM: set_state is not a member of AttachListener - - JDK-8240633: Memory leaks in the implementations of FileChooserUI - - JDK-8241768: git needs .gitattributes - - JDK-8247766: [aarch64] guarantee(val < (1U << nbits)) failed: Field too big for insn - - JDK-8253147: The javax/swing/JPopupMenu/7154841/bug7154841.java fail on big screens - - JDK-8253353: Crash in C2: guarantee(n != NULL) failed: No Node - - JDK-8266749: AArch64: Backtracing broken on PAC enabled systems - - JDK-8270290: NTLM authentication fails if HEAD request is used - - JDK-8273229: Update OS detection code to recognize Windows Server 2022 - - JDK-8273341: Update Siphash to version 1.0 - - JDK-8273575: memory leak in appendBootClassPath(), paths must be deallocated - - JDK-8274524: SSLSocket.close() hangs if it is called during the ssl handshake - - JDK-8277224: sun.security.pkcs.PKCS9Attributes.toString() throws NPE - - JDK-8277488: Add expiry exception for Digicert (geotrustglobalca) expiring in May 2022 - - JDK-8279077: JFR crashes on Linux ppc due to missing crash protector in signal handler - - JDK-8280060: The sun/rmi/server/Activation.java class use Thread.dumpStack() - - JDK-8282300: Throws NamingException instead of InvalidNameException after JDK-8278972 - - JDK-8282397: createTempFile method of java.io.File is failing when called with suffix of spaces character - - JDK-8284548: Invalid XPath expression causes StringIndexOutOfBoundsException - - JDK-8284920: Incorrect Token type causes XPath expression to return empty result - - JDK-8284936: Fix Java 7 bootstrap breakage due to use of Arrays.stream -* 
Shenandoah - - JDK-8260632: Build failures after JDK-8253353 - - JDK-8282458: Update .jcheck/conf file for sh-jdk8u move to git - New in release OpenJDK 8u322 (2022-01-18): =========================================== Live versions of these release notes can be found at: diff --git a/SOURCES/jdk8199936-pr3533-enable_mstackrealign_on_x86_linux_as_well_as_x86_mac_os_x.patch b/SOURCES/jdk8199936-pr3533-enable_mstackrealign_on_x86_linux_as_well_as_x86_mac_os_x.patch index ae48068..0af9d51 100644 --- a/SOURCES/jdk8199936-pr3533-enable_mstackrealign_on_x86_linux_as_well_as_x86_mac_os_x.patch +++ b/SOURCES/jdk8199936-pr3533-enable_mstackrealign_on_x86_linux_as_well_as_x86_mac_os_x.patch @@ -22,7 +22,7 @@ diff --git openjdk.orig///common/autoconf/flags.m4 openjdk///common/autoconf/fla + # On 32-bit MacOSX the OS requires C-entry points to be 16 byte aligned. + # While waiting for a better solution, the current workaround is to use -mstackrealign + # This is also required on Linux systems which use libraries compiled with SSE instructions -+ REALIGN_CFLAG="-mstackrealign" ++ REALIGN_CFLAG="-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4" + FLAGS_COMPILER_CHECK_ARGUMENTS([$REALIGN_CFLAG -Werror], [], + AC_MSG_ERROR([The selected compiler $CXX does not support -mstackrealign! Try to put another compiler in the path.]) + ) diff --git a/SOURCES/jdk8257794-remove_broken_assert.patch b/SOURCES/jdk8257794-remove_broken_assert.patch new file mode 100644 index 0000000..bb88013 --- /dev/null +++ b/SOURCES/jdk8257794-remove_broken_assert.patch 
@@ -0,0 +1,13 @@ +diff --git openjdk.orig/hotspot/src/share/vm/interpreter/bytecodeInterpreter.cpp openjdk/hotspot/src/share/vm/interpreter/bytecodeInterpreter.cpp +--- openjdk.orig/hotspot/src/share/vm/interpreter/bytecodeInterpreter.cpp ++++ openjdk/hotspot/src/share/vm/interpreter/bytecodeInterpreter.cpp +@@ -493,9 +493,6 @@ + assert(labs(istate->_stack_base - istate->_stack_limit) == (istate->_method->max_stack() + extra_stack_entries + + 1), "bad stack limit"); + } +-#ifndef SHARK +- IA32_ONLY(assert(istate->_stack_limit == istate->_thread->last_Java_sp() + 1, "wrong")); +-#endif // !SHARK + } + // Verify linkages. + interpreterState l = istate; diff --git a/SOURCES/jdk8275535-rh2053256-ldap_auth.patch b/SOURCES/jdk8275535-rh2053256-ldap_auth.patch new file mode 100644 index 0000000..ca3e985 --- /dev/null +++ b/SOURCES/jdk8275535-rh2053256-ldap_auth.patch 
@@ -0,0 +1,26 @@ +diff --git openjdk.orig/jdk/src/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java openjdk/jdk/src/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java +index cf4becb7db..4ab2ac0a31 100644 +--- openjdk.orig/jdk/src/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java ++++ openjdk/jdk/src/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java +@@ -189,6 +189,10 @@ final public class LdapCtxFactory implements ObjectFactory, InitialContextFactor + ctx = getLdapCtxFromUrl( + r.getDomainName(), url, new LdapURL(u), env); + return ctx; ++ } catch (AuthenticationException e) { ++ // do not retry on a different endpoint to avoid blocking ++ // the user if authentication credentials are wrong. ++ throw e; + } catch (NamingException e) { + // try the next element + lastException = e; +@@ -241,6 +245,10 @@ final public class LdapCtxFactory implements ObjectFactory, InitialContextFactor + for (String u : urls) { + try { + return getUsingURL(u, env); ++ } catch (AuthenticationException e) { ++ // do not retry on a different URL to avoid blocking ++ // the user if authentication credentials are wrong. ++ throw e; + } catch (NamingException e) { + ex = e; + } diff --git a/SOURCES/jdk8279077-missing_crash_protector_ppc.patch b/SOURCES/jdk8279077-missing_crash_protector_ppc.patch new file mode 100644 index 0000000..0ab462e --- /dev/null +++ b/SOURCES/jdk8279077-missing_crash_protector_ppc.patch 
@@ -0,0 +1,23 @@ +# HG changeset patch +# User zgu +# Date 1641313782 0 +# Tue Jan 04 16:29:42 2022 +0000 +# Node ID b694a28adaa2a602fedbc4aeba69b9c2350e7409 +# Parent 3177fc2314df6deb4d4771148f27934a597dd1d7 +8279077: JFR crashes on Linux ppc due to missing crash protector in signal handler +Reviewed-by: phh + +diff --git openjdk.orig/hotspot/src/os_cpu/linux_ppc/vm/os_linux_ppc.cpp openjdk/hotspot/src/os_cpu/linux_ppc/vm/os_linux_ppc.cpp +--- openjdk.orig/hotspot/src/os_cpu/linux_ppc/vm/os_linux_ppc.cpp ++++ openjdk/hotspot/src/os_cpu/linux_ppc/vm/os_linux_ppc.cpp +@@ -176,6 +176,10 @@ + + Thread* t = ThreadLocalStorage::get_thread_slow(); + ++ // Must do this before SignalHandlerMark, if crash protection installed we will longjmp away ++ // (no destructors can be run) ++ os::ThreadCrashProtection::check_crash_protection(sig, t); ++ + SignalHandlerMark shm(t); + + // Note: it's not uncommon that JNI code uses signal/sigset to install diff --git a/SOURCES/jdk8281098-pr3836-pass_compiler_flags_to_adlc.patch b/SOURCES/jdk8281098-pr3836-pass_compiler_flags_to_adlc.patch new file mode 100644 index 0000000..774a08e --- /dev/null +++ b/SOURCES/jdk8281098-pr3836-pass_compiler_flags_to_adlc.patch 
@@ -0,0 +1,67 @@ +# HG changeset patch +# User Andrew John Hughes +# Date 1620365804 -3600 +# Fri May 07 06:36:44 2021 +0100 +# Node ID 39b62f35eca823b4c9a98bc1dc0cb9acb87360f8 +# Parent 723b59ed1afe878c5cd35f080399c8ceec4f776b +PR3836: Extra compiler flags not passed to adlc build + +diff --git openjdk.orig/hotspot/make/aix/makefiles/adlc.make openjdk/hotspot/make/aix/makefiles/adlc.make +--- openjdk.orig/hotspot/make/aix/makefiles/adlc.make ++++ openjdk/hotspot/make/aix/makefiles/adlc.make +@@ -69,6 +69,11 @@ + CFLAGS_WARN = -w + CFLAGS += $(CFLAGS_WARN) + ++# Extra flags from gnumake's invocation or environment ++CFLAGS += $(EXTRA_CFLAGS) ++LFLAGS += $(EXTRA_CFLAGS) $(EXTRA_LDFLAGS) ++ASFLAGS += $(EXTRA_ASFLAGS) ++ + OBJECTNAMES = \ + adlparse.o \ + archDesc.o \ +diff --git openjdk.orig/hotspot/make/bsd/makefiles/adlc.make openjdk/hotspot/make/bsd/makefiles/adlc.make +--- openjdk.orig/hotspot/make/bsd/makefiles/adlc.make ++++ openjdk/hotspot/make/bsd/makefiles/adlc.make +@@ -71,6 +71,11 @@ + endif + CFLAGS += $(CFLAGS_WARN) + ++# Extra flags from gnumake's invocation or environment ++CFLAGS += $(EXTRA_CFLAGS) ++LFLAGS += $(EXTRA_CFLAGS) $(EXTRA_LDFLAGS) ++ASFLAGS += $(EXTRA_ASFLAGS) ++ + OBJECTNAMES = \ + adlparse.o \ + archDesc.o \ +diff --git openjdk.orig/hotspot/make/linux/makefiles/adlc.make openjdk/hotspot/make/linux/makefiles/adlc.make +--- openjdk.orig/hotspot/make/linux/makefiles/adlc.make ++++ openjdk/hotspot/make/linux/makefiles/adlc.make +@@ -69,6 +69,11 @@ + CFLAGS_WARN = $(WARNINGS_ARE_ERRORS) + CFLAGS += $(CFLAGS_WARN) + ++# Extra flags from gnumake's invocation or environment ++CFLAGS += $(EXTRA_CFLAGS) ++LFLAGS += $(EXTRA_CFLAGS) $(EXTRA_LDFLAGS) ++ASFLAGS += $(EXTRA_ASFLAGS) ++ + OBJECTNAMES = \ + adlparse.o \ + archDesc.o \ +diff --git openjdk.orig/hotspot/make/solaris/makefiles/adlc.make openjdk/hotspot/make/solaris/makefiles/adlc.make +--- openjdk.orig/hotspot/make/solaris/makefiles/adlc.make ++++ 
openjdk/hotspot/make/solaris/makefiles/adlc.make +@@ -85,6 +85,10 @@ + endif + CFLAGS += $(CFLAGS_WARN) + ++# Extra flags from gnumake's invocation or environment ++CFLAGS += $(EXTRA_CFLAGS) ++ASFLAGS += $(EXTRA_ASFLAGS) ++ + ifeq ("${Platform_compiler}", "sparcWorks") + # Enable the following CFLAGS addition if you need to compare the + # built ELF objects. diff --git a/SOURCES/nss.fips.cfg.in b/SOURCES/nss.fips.cfg.in index ead27be..1aff153 100644 --- a/SOURCES/nss.fips.cfg.in +++ b/SOURCES/nss.fips.cfg.in @@ -1,6 +1,6 @@ name = NSS-FIPS nssLibraryDirectory = @NSS_LIBDIR@ -nssSecmodDirectory = @NSS_SECMOD@ +nssSecmodDirectory = sql:/etc/pki/nssdb nssDbMode = readOnly nssModule = fips diff --git a/SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch b/SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch new file mode 100644 index 0000000..e237841 --- /dev/null +++ b/SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch 
@@ -0,0 +1,98 @@ +commit aaf92165ad1cbb1c9818eb60178c91293e13b053 +Author: Andrew John Hughes +Date: Mon Jan 24 15:13:14 2022 +0000 + + RH2021263: Improve Security initialisation, now FIPS support no longer relies on crypto policy support + +diff --git openjdk.orig/jdk/src/share/classes/java/security/Security.java openjdk/jdk/src/share/classes/java/security/Security.java +index fa494b680f..b5aa5c749d 100644 +--- openjdk.orig/jdk/src/share/classes/java/security/Security.java ++++ openjdk/jdk/src/share/classes/java/security/Security.java +@@ -57,10 +57,6 @@ public final class Security { + private static final Debug sdebug = + Debug.getInstance("properties"); + +- /* System property file*/ +- private static final String SYSTEM_PROPERTIES = +- "/etc/crypto-policies/back-ends/java.config"; +- + /* The java.security properties */ + private static Properties props; + +@@ -202,13 +198,6 @@ public final class Security { + } + } + +- String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile"); +- if (disableSystemProps == null && +- "true".equalsIgnoreCase(props.getProperty +- ("security.useSystemPropertiesFile"))) { +- loadedProps = loadedProps && SystemConfigurator.configure(props); +- } +- + if (!loadedProps) { + initializeStatic(); + if (sdebug != null) { +@@ -217,6 +206,28 @@ public final class Security { + } + } + ++ String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile"); ++ if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) && ++ "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) { ++ if (!SystemConfigurator.configureSysProps(props)) { ++ if (sdebug != null) { ++ sdebug.println("WARNING: System properties could not be loaded."); ++ } ++ } ++ } ++ ++ // FIPS support depends on the contents of java.security so ++ // ensure it has loaded first ++ if (loadedProps) { ++ boolean fipsEnabled = SystemConfigurator.configureFIPS(props); ++ if (sdebug 
!= null) { ++ if (fipsEnabled) { ++ sdebug.println("FIPS support enabled."); ++ } else { ++ sdebug.println("FIPS support disabled."); ++ } ++ } ++ } + } + + /* +diff --git openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java +index d1f677597d..7da65b1d2c 100644 +--- openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java ++++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java +@@ -76,7 +76,7 @@ final class SystemConfigurator { + * java.security.disableSystemPropertiesFile property is not set and + * security.useSystemPropertiesFile is true. + */ +- static boolean configure(Properties props) { ++ static boolean configureSysProps(Properties props) { + boolean loadedProps = false; + + try (BufferedInputStream bis = +@@ -96,11 +96,19 @@ final class SystemConfigurator { + e.printStackTrace(); + } + } ++ return loadedProps; ++ } ++ ++ /* ++ * Invoked at the end of java.security.Security initialisation ++ * if java.security properties have been loaded ++ */ ++ static boolean configureFIPS(Properties props) { ++ boolean loadedProps = false; + + try { + if (enableFips()) { + if (sdebug != null) { sdebug.println("FIPS mode detected"); } +- loadedProps = false; + // Remove all security providers + Iterator> i = props.entrySet().iterator(); + while (i.hasNext()) { diff --git a/SOURCES/rh2052829-fips_runtime_nss_detection.patch b/SOURCES/rh2052829-fips_runtime_nss_detection.patch new file mode 100644 index 0000000..52a7803 --- /dev/null +++ b/SOURCES/rh2052829-fips_runtime_nss_detection.patch 
@@ -0,0 +1,220 @@ +commit 820d1b1b23be6ea2fd34c687a1be384e7a9830e2 +Author: Andrew John Hughes +Date: Mon Feb 28 05:50:10 2022 +0000 + + RH2051605: Detect NSS at Runtime for FIPS detection + +diff --git openjdk.orig/jdk/src/solaris/native/java/security/systemconf.c openjdk/jdk/src/solaris/native/java/security/systemconf.c +index 34d0ff0ce9..8dcb7d9073 100644 +--- openjdk.orig/jdk/src/solaris/native/java/security/systemconf.c ++++ openjdk/jdk/src/solaris/native/java/security/systemconf.c +@@ -23,25 +23,99 @@ + * questions. + */ + +-#include + #include + #include ++#include "jvm_md.h" + #include + + #ifdef SYSCONF_NSS + #include ++#else ++#include + #endif //SYSCONF_NSS + + #include "java_security_SystemConfigurator.h" + ++#define MSG_MAX_SIZE 256 + #define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" +-#define MSG_MAX_SIZE 96 + ++typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void); ++ ++static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled; + static jmethodID debugPrintlnMethodID = NULL; + static jobject debugObj = NULL; + +-static void throwIOException(JNIEnv *env, const char *msg); +-static void dbgPrint(JNIEnv *env, const char* msg); ++static void dbgPrint(JNIEnv *env, const char* msg) ++{ ++ jstring jMsg; ++ if (debugObj != NULL) { ++ jMsg = (*env)->NewStringUTF(env, msg); ++ CHECK_NULL(jMsg); ++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); ++ } ++} ++ ++static void throwIOException(JNIEnv *env, const char *msg) ++{ ++ jclass cls = (*env)->FindClass(env, "java/io/IOException"); ++ if (cls != 0) ++ (*env)->ThrowNew(env, cls, msg); ++} ++ ++static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes) ++{ ++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { ++ dbgPrint(env, msg); ++ } else { ++ dbgPrint(env, "systemconf: cannot render message"); ++ } ++} ++ ++// Only used when NSS is not linked at build time ++#ifndef SYSCONF_NSS ++ ++static void *nss_handle; ++ ++static jboolean loadNSS(JNIEnv *env) ++{ ++ char 
msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ const char* errmsg; ++ ++ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY); ++ if (nss_handle == NULL) { ++ errmsg = dlerror(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ return JNI_FALSE; ++ } ++ dlerror(); /* Clear errors */ ++ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled"); ++ if ((errmsg = dlerror()) != NULL) { ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ return JNI_FALSE; ++ } ++ return JNI_TRUE; ++} ++ ++static void closeNSS(JNIEnv *env) ++{ ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ const char* errmsg; ++ ++ if (dlclose(nss_handle) != 0) { ++ errmsg = dlerror(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ } ++} ++ ++#endif + + /* + * Class: java_security_SystemConfigurator +@@ -84,6 +158,14 @@ JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved) + debugObj = (*env)->NewGlobalRef(env, debugObj); + } + ++#ifdef SYSCONF_NSS ++ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled; ++#else ++ if (loadNSS(env) == JNI_FALSE) { ++ dbgPrint(env, "libsystemconf: Failed to load NSS library."); ++ } ++#endif ++ + return (*env)->GetVersion(env); + } + +@@ -99,6 +181,9 @@ JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved) + if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { + return; /* Should not happen */ + } ++#ifndef SYSCONF_NSS ++ closeNSS(env); ++#endif + (*env)->DeleteGlobalRef(env, debugObj); + } + } +@@ -110,61 +195,30 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn + char msg[MSG_MAX_SIZE]; + int msg_bytes; + +-#ifdef SYSCONF_NSS +- +- dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled"); +- fips_enabled = 
SECMOD_GetSystemFIPSEnabled(); +- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ +- " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled); +- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { +- dbgPrint(env, msg); ++ if (getSystemFIPSEnabled != NULL) { ++ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled"); ++ fips_enabled = (*getSystemFIPSEnabled)(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled); ++ handle_msg(env, msg, msg_bytes); ++ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE); + } else { +- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \ +- " SECMOD_GetSystemFIPSEnabled return value"); +- } +- return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE); +- +-#else // SYSCONF_NSS ++ FILE *fe; + +- FILE *fe; +- +- dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); +- if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { ++ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); ++ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { + throwIOException(env, "Cannot open " FIPS_ENABLED_PATH); + return JNI_FALSE; +- } +- fips_enabled = fgetc(fe); +- fclose(fe); +- if (fips_enabled == EOF) { ++ } ++ fips_enabled = fgetc(fe); ++ fclose(fe); ++ if (fips_enabled == EOF) { + throwIOException(env, "Cannot read " FIPS_ENABLED_PATH); + return JNI_FALSE; +- } +- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ +- " read character is '%c'", fips_enabled); +- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { +- dbgPrint(env, msg); +- } else { +- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \ +- " read character"); +- } +- return (fips_enabled == '1' ? 
JNI_TRUE : JNI_FALSE); +- +-#endif // SYSCONF_NSS +-} +- +-static void throwIOException(JNIEnv *env, const char *msg) +-{ +- jclass cls = (*env)->FindClass(env, "java/io/IOException"); +- if (cls != 0) +- (*env)->ThrowNew(env, cls, msg); +-} +- +-static void dbgPrint(JNIEnv *env, const char* msg) +-{ +- jstring jMsg; +- if (debugObj != NULL) { +- jMsg = (*env)->NewStringUTF(env, msg); +- CHECK_NULL(jMsg); +- (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); ++ } ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " read character is '%c'", fips_enabled); ++ handle_msg(env, msg, msg_bytes); ++ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE); + } + } diff --git a/SPECS/java-1.8.0-openjdk.spec b/SPECS/java-1.8.0-openjdk.spec index 11e2a3c..84f7d57 100644 --- a/SPECS/java-1.8.0-openjdk.spec +++ b/SPECS/java-1.8.0-openjdk.spec @@ -21,6 +21,15 @@ %bcond_without release # Remove build artifacts by default %bcond_with artifacts +# Build a fresh libjvm.so for use in a copy of the bootstrap JDK +%bcond_without fresh_libjvm + +# Define whether to use the bootstrap JDK directly or with a fresh libjvm.so +%if %{with fresh_libjvm} +%global build_hotspot_first 1 +%else +%global build_hotspot_first 0 +%endif # The -g flag says to use strip -g instead of full strip on DSOs or EXEs. # This fixes detailed NMT and other tools which need minimal debug info. 
@@ -58,6 +67,20 @@ %global normal_build %{nil} %endif +# We have hardcoded list of files, which is appearing in alternatives, and in files +# in alternatives those are slaves and master, very often triplicated by man pages +# in files all masters and slaves are ghosted +# the ghosts are here to allow installation via query like `dnf install /usr/bin/java` +# you can list those files, with appropriate sections: cat *.spec | grep -e --install -e --slave -e post_ -e alternatives +# TODO - fix those hardcoded lists via single list +# Those files must *NOT* be ghosted for *slowdebug* packages +# FIXME - if you are moving jshell or jlink or similar, always modify all three sections +# you can check via headless and devels: +# rpm -ql --noghost java-11-openjdk-headless-11.0.1.13-8.fc29.x86_64.rpm | grep bin +# == rpm -ql java-11-openjdk-headless-slowdebug-11.0.1.13-8.fc29.x86_64.rpm | grep bin +# != rpm -ql java-11-openjdk-headless-11.0.1.13-8.fc29.x86_64.rpm | grep bin +# similarly for other %%{_jvmdir}/{jre,java} and %%{_javadocdir}/{java,java-zip} + %global aarch64 aarch64 arm64 armv8 # we need to distinguish between big and little endian PPC64 %global ppc64le ppc64le @@ -69,7 +92,7 @@ # Set of architectures for which we build fastdebug builds %global fastdebug_arches x86_64 ppc64le aarch64 # Set of architectures with a Just-In-Time (JIT) compiler -%global jit_arches %{debug_arches} +%global jit_arches %{aarch64} %{ix86} %{power64} sparcv9 sparc64 x86_64 # Set of architectures which use the Zero assembler port (!jit_arches) %global zero_arches %{arm} ppc s390 s390x # Set of architectures which run a full bootstrap cycle @@ -86,6 +109,8 @@ %global jfr_arches %{jit_arches} # Set of architectures for which alt-java has SSB mitigation %global ssbd_arches x86_64 +# Set of architectures where we verify backtraces with gdb +%global gdb_arches %{jit_arches} %{zero_arches} # By default, we build a debug build during main build on JIT architectures %if %{with slowdebug} 
@@ -121,7 +146,7 @@ %global fastdebug_build %{nil} %endif -# If you disable both builds, then the build fails +# If you disable all builds, then the build fails # Build and test slowdebug first as it provides the best diagnostics %global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build} @@ -135,10 +160,22 @@ %global release_targets images docs-zip # No docs nor bootcycle for debug builds %global debug_targets images +# Target to use to just build HotSpot +%global hotspot_target hotspot + +# JDK to use for bootstrapping +# Use OpenJDK 7 where available (on RHEL) to avoid +# having to use the rhel-7.x-java-unsafe-candidate hack +%if ! 0%{?fedora} && 0%{?rhel} <= 7 +%global buildjdkver 1.7.0 +%else +%global buildjdkver 1.8.0 +%endif +%global bootjdk /usr/lib/jvm/java-%{buildjdkver}-openjdk # Filter out flags from the optflags macro that cause problems with the OpenJDK build -# We filter out -Wall which will otherwise cause HotSpot to produce hundreds of thousands of warnings (100+mb logs) # We filter out -O flags so that the optimization of HotSpot is not lowered from O3 to O2 +# We filter out -Wall which will otherwise cause HotSpot to produce hundreds of thousands of warnings (100+mb logs) # We replace it with -Wformat (required by -Werror=format-security) and -Wno-cpp to avoid FORTIFY_SOURCE warnings # We filter out -fexceptions as the HotSpot build explicitly does -fno-exceptions and it's otherwise the default for C++ %global ourflags %(echo %optflags | sed -e 's|-Wall|-Wformat -Wno-cpp|' | sed -r -e 's|-O[0-9]*||') 
@@ -159,17 +196,6 @@ %global NSSSOFTOKN_BUILDTIME_VERSION %(if [ "x%{NSSSOFTOKN_BUILDTIME_NUMBER}" == "x" ] ; then echo "" ;else echo ">= %{NSSSOFTOKN_BUILDTIME_NUMBER}" ;fi) %global NSS_BUILDTIME_VERSION %(if [ "x%{NSS_BUILDTIME_NUMBER}" == "x" ] ; then echo "" ;else echo ">= %{NSS_BUILDTIME_NUMBER}" ;fi) - -# Fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349. -# See also https://bugzilla.redhat.com/show_bug.cgi?id=1590796 -# as to why some libraries *cannot* be excluded. In particular, -# these are: -# libjsig.so, libjava.so, libjawt.so, libjvm.so and libverify.so -%global _privatelibs libatk-wrapper[.]so.*|libattach[.]so.*|libawt_headless[.]so.*|libawt[.]so.*|libawt_xawt[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libhprof[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas_unix[.]so.*|libjava_crw_demo[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjli[.]so.*|libjsdt[.]so.*|libjsoundalsa[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libnpt[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsplashscreen[.]so.*|libsunec[.]so.*|libsystemconf[.]so.*|libunpack[.]so.*|libzip[.]so.*|lib[.]so\\(SUNWprivate_.* - -%global __provides_exclude ^(%{_privatelibs})$ -%global __requires_exclude ^(%{_privatelibs})$ - # In some cases, the arch used by the JDK does # not match _arch. # Also, in some cases, the machine name used by SystemTap @@ -267,7 +293,7 @@ # note, following three variables are sedded from update_sources if used correctly. Hardcode them rather there. %global shenandoah_project openjdk %global shenandoah_repo shenandoah-jdk8u -%global shenandoah_revision shenandoah-jdk8u332-b09 +%global shenandoah_revision aarch64-shenandoah-jdk8u322-b06 # Define old aarch64/jdk8u tree variables for compatibility %global project %{shenandoah_project} %global repo %{shenandoah_repo} 
@@ -283,7 +309,7 @@ %global updatever %(VERSION=%{whole_update}; echo ${VERSION##*u}) # eg jdk8u60-b27 -> b27 %global buildver %(VERSION=%{version_tag}; echo ${VERSION##*-}) -%global rpmrelease 1 +%global rpmrelease 11 # Define milestone (EA for pre-releases, GA ("fcs") for releases) # Release will be (where N is usually a number starting at 1): # - 0.N%%{?extraver}%%{?dist} for EA releases, @@ -318,6 +344,16 @@ # main id and dir of this jdk %define uniquesuffix() %{expand:%{fullversion}.%{_arch}%{?1}} +# Fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349. +# See also https://bugzilla.redhat.com/show_bug.cgi?id=1590796 +# as to why some libraries *cannot* be excluded. In particular, +# these are: +# libjsig.so, libjava.so, libjawt.so, libjvm.so and libverify.so +%global _privatelibs libatk-wrapper[.]so.*|libattach[.]so.*|libawt_headless[.]so.*|libawt[.]so.*|libawt_xawt[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libhprof[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas_unix[.]so.*|libjava_crw_demo[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjli[.]so.*|libjsdt[.]so.*|libjsoundalsa[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libnpt[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsplashscreen[.]so.*|libsunec[.]so.*|libsystemconf[.]so.*|libunpack[.]so.*|libzip[.]so.*|lib[.]so\\(SUNWprivate_.* + +%global __provides_exclude ^(%{_privatelibs})$ +%global __requires_exclude ^(%{_privatelibs})$ + %global etcjavasubdir %{_sysconfdir}/java/java-%{javaver}-%{origin} %define etcjavadir() %{expand:%{etcjavasubdir}/%{uniquesuffix -- %{?1}}} # Standard JPackage directories and symbolic links. @@ -339,6 +375,9 @@ %global alternatives_requires %{_sbindir}/alternatives %endif +%global family %{name}.%{_arch} +%global family_noarch %{name} + %if %{with_systemtap} # Where to install systemtap tapset (links) # We would like these to be in a package specific sub-dir, 
@@ -356,6 +395,50 @@ # not-duplicated scriptlets for normal/debug packages %global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : +%define save_alternatives() %{expand: + # warning! alternatives are localised! + # LANG=cs_CZ.UTF-8 alternatives --display java | head + # LANG=en_US.UTF-8 alternatives --display java | head + function nonLocalisedAlternativesDisplayOfMaster() { + LANG=en_US.UTF-8 alternatives --display "$MASTER" + } + function headOfAbove() { + nonLocalisedAlternativesDisplayOfMaster | head -n $1 + } + MASTER="%{?1}" + LOCAL_LINK="%{?2}" + FAMILY="%{?3}" + rm -f %{_localstatedir}/lib/rpm-state/"$MASTER"_$FAMILY > /dev/null + if nonLocalisedAlternativesDisplayOfMaster > /dev/null ; then + if headOfAbove 1 | grep -q manual ; then + if headOfAbove 2 | tail -n 1 | grep -q %{compatiblename} ; then + headOfAbove 2 > %{_localstatedir}/lib/rpm-state/"$MASTER"_"$FAMILY" + fi + fi + fi +} + +%define save_and_remove_alternatives() %{expand: + if [ "x$debug" == "xtrue" ] ; then + set -x + fi + upgrade1_uninstal0=%{?3} + if [ "0$upgrade1_uninstal0" -gt 0 ] ; then # removal of this condition will cause persistence between uninstall + %{save_alternatives %{?1} %{?2} %{?4}} + fi + alternatives --remove "%{?1}" "%{?2}" +} + +%define set_if_needed_alternatives() %{expand: + MASTER="%{?1}" + FAMILY="%{?2}" + ALTERNATIVES_FILE="%{_localstatedir}/lib/rpm-state/$MASTER"_"$FAMILY" + if [ -e "$ALTERNATIVES_FILE" ] ; then + rm "$ALTERNATIVES_FILE" + alternatives --set $MASTER $FAMILY + fi +} + %define post_script() %{expand: update-desktop-database %{_datadir}/applications &> /dev/null || : 
@@ -363,20 +446,19 @@ update-desktop-database %{_datadir}/applications &> /dev/null || : exit 0 } - -%define post_headless() %{expand: -%ifarch %{share_arches} -%{jrebindir -- %{?1}}/java -Xshare:dump >/dev/null 2>/dev/null -%endif - +%define alternatives_java_install() %{expand: +if [ "x$debug" == "xtrue" ] ; then + set -x +fi PRIORITY=%{priority} if [ "%{?1}" == %{debug_suffix} ]; then let PRIORITY=PRIORITY-1 fi ext=.gz +key=java alternatives \\ - --install %{_bindir}/java java %{jrebindir -- %{?1}}/java $PRIORITY --family %{name}.%{_arch} \\ + --install %{_bindir}/java $key %{jrebindir -- %{?1}}/java $PRIORITY --family %{family} \\ --slave %{_jvmdir}/jre jre %{_jvmdir}/%{jredir -- %{?1}} \\ --slave %{_bindir}/%{alt_java_name} %{alt_java_name} %{jrebindir -- %{?1}}/%{alt_java_name} \\ --slave %{_bindir}/jjs jjs %{jrebindir -- %{?1}}/jjs \\ 
@@ -414,12 +496,23 @@ alternatives \\ --slave %{_mandir}/man1/unpack200.1$ext unpack200.1$ext \\ %{_mandir}/man1/unpack200-%{uniquesuffix -- %{?1}}.1$ext +%{set_if_needed_alternatives $key %{family}} + for X in %{origin} %{javaver} ; do - alternatives --install %{_jvmdir}/jre-"$X" jre_"$X" %{_jvmdir}/%{jredir -- %{?1}} $PRIORITY --family %{name}.%{_arch} + key=jre_"$X" + alternatives --install %{_jvmdir}/jre-"$X" $key %{_jvmdir}/%{jredir -- %{?1}} $PRIORITY --family %{family} + %{set_if_needed_alternatives $key %{family}} done -update-alternatives --install %{_jvmdir}/jre-%{javaver}-%{origin} jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} $PRIORITY --family %{name}.%{_arch} +key=jre_%{javaver}_%{origin} +alternatives --install %{_jvmdir}/jre-%{javaver}-%{origin} $key %{_jvmdir}/%{jrelnk -- %{?1}} $PRIORITY --family %{family} +%{set_if_needed_alternatives $key %{family}} +} +%define post_headless() %{expand: +%ifarch %{share_arches} +%{jrebindir -- %{?1}}/java -Xshare:dump >/dev/null 2>/dev/null +%endif update-desktop-database %{_datadir}/applications &> /dev/null || : /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || : 
@@ -446,26 +539,34 @@ exit 0 %define postun_headless() %{expand: - alternatives --remove java %{jrebindir -- %{?1}}/java - alternatives --remove jre_%{origin} %{_jvmdir}/%{jredir -- %{?1}} - alternatives --remove jre_%{javaver} %{_jvmdir}/%{jredir -- %{?1}} - alternatives --remove jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} + if [ "x$debug" == "xtrue" ] ; then + set -x + fi + post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax + %{save_and_remove_alternatives java %{jrebindir -- %{?1}}/java $post_state %{family}} + %{save_and_remove_alternatives jre_%{origin} %{_jvmdir}/%{jredir -- %{?1}} $post_state %{family}} + %{save_and_remove_alternatives jre_%{javaver} %{_jvmdir}/%{jredir -- %{?1}} $post_state %{family}} + %{save_and_remove_alternatives jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} $post_state %{family}} } %define posttrans_script() %{expand: %{update_desktop_icons} } -%define post_devel() %{expand: +%define alternatives_javac_install() %{expand: +if [ "x$debug" == "xtrue" ] ; then + set -x +fi PRIORITY=%{priority} if [ "%{?1}" == %{debug_suffix} ]; then let PRIORITY=PRIORITY-1 fi ext=.gz +key=javac alternatives \\ - --install %{_bindir}/javac javac %{sdkbindir -- %{?1}}/javac $PRIORITY --family %{name}.%{_arch} \\ + --install %{_bindir}/javac $key %{sdkbindir -- %{?1}}/javac $PRIORITY --family %{family} \\ --slave %{_jvmdir}/java java_sdk %{_jvmdir}/%{sdkdir -- %{?1}} \\ --slave %{_bindir}/appletviewer appletviewer %{sdkbindir -- %{?1}}/appletviewer \\ --slave %{_bindir}/clhsdb clhsdb %{sdkbindir -- %{?1}}/clhsdb \\ 
@@ -559,13 +660,20 @@ alternatives \\ --slave %{_mandir}/man1/xjc.1$ext xjc.1$ext \\ %{_mandir}/man1/xjc-%{uniquesuffix -- %{?1}}.1$ext +%{set_if_needed_alternatives $key %{family}} + for X in %{origin} %{javaver} ; do - alternatives \\ - --install %{_jvmdir}/java-"$X" java_sdk_"$X" %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{name}.%{_arch} + key=java_sdk_"$X" + alternatives --install %{_jvmdir}/java-"$X" $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family} + %{set_if_needed_alternatives $key %{family}} done -update-alternatives --install %{_jvmdir}/java-%{javaver}-%{origin} java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{name}.%{_arch} +key=java_sdk_%{javaver}_%{origin} +alternatives --install %{_jvmdir}/java-%{javaver}-%{origin} $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family} +%{set_if_needed_alternatives $key %{family}} +} +%define post_devel() %{expand: update-desktop-database %{_datadir}/applications &> /dev/null || : /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || : 
@@ -573,10 +681,14 @@ exit 0 } %define postun_devel() %{expand: - alternatives --remove javac %{sdkbindir -- %{?1}}/javac - alternatives --remove java_sdk_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} - alternatives --remove java_sdk_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} - alternatives --remove java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} + if [ "x$debug" == "xtrue" ] ; then + set -x + fi + post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax + %{save_and_remove_alternatives javac %{sdkbindir -- %{?1}}/javac $post_state %{family}} + %{save_and_remove_alternatives java_sdk_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}} + %{save_and_remove_alternatives java_sdk_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}} + %{save_and_remove_alternatives java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}} update-desktop-database %{_datadir}/applications &> /dev/null || : 
@@ -588,42 +700,54 @@ exit 0 } %define posttrans_devel() %{expand: +%{alternatives_javac_install -- %{?1}} %{update_desktop_icons} } -%define post_javadoc() %{expand: - +%define alternatives_javadoc_install() %{expand: +if [ "x$debug" == "xtrue" ] ; then + set -x +fi PRIORITY=%{priority} if [ "%{?1}" == %{debug_suffix} ]; then let PRIORITY=PRIORITY-1 fi -alternatives \\ - --install %{_javadocdir}/java javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api \\ - $PRIORITY --family %{name} +key=javadocdir +alternatives --install %{_javadocdir}/java $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch} +%{set_if_needed_alternatives $key %{family_noarch}} exit 0 } %define postun_javadoc() %{expand: - alternatives --remove javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api +if [ "x$debug" == "xtrue" ] ; then + set -x +fi + post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax + %{save_and_remove_alternatives javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}} exit 0 } -%define post_javadoc_zip() %{expand: - +%define alternatives_javadoczip_install() %{expand: +if [ "x$debug" == "xtrue" ] ; then + set -x +fi PRIORITY=%{priority} if [ "%{?1}" == %{debug_suffix} ]; then let PRIORITY=PRIORITY-1 fi - -alternatives \\ - --install %{_javadocdir}/java-zip javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip \\ - $PRIORITY --family %{name} +key=javadoczip +alternatives --install %{_javadocdir}/java-zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch} +%{set_if_needed_alternatives $key %{family_noarch}} exit 0 } %define postun_javadoc_zip() %{expand: - alternatives --remove javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip + if [ "x$debug" == "xtrue" ] ; then + set -x + fi + post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax + 
%{save_and_remove_alternatives javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}} exit 0 } @@ -744,8 +868,10 @@ exit 0 %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libnio.so %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libnpt.so %ifarch %{sa_arches} +%ifnarch %{zero_arches} %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libsaproc.so %endif +%endif %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libsctp.so %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libsunec.so %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libsystemconf.so @@ -865,8 +991,10 @@ exit 0 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/jconsole.jar %{_jvmdir}/%{sdkdir -- %{?1}}/lib/orb.idl %ifarch %{sa_arches} +%ifnarch %{zero_arches} %{_jvmdir}/%{sdkdir -- %{?1}}/lib/sa-jdi.jar %endif +%endif %{_jvmdir}/%{sdkdir -- %{?1}}/lib/dt.jar %{_jvmdir}/%{sdkdir -- %{?1}}/lib/jexec %{_jvmdir}/%{sdkdir -- %{?1}}/lib/tools.jar @@ -983,6 +1111,8 @@ OrderWithRequires: copy-jdk-configs %endif # for printing support Requires: cups-libs +# for FIPS PKCS11 provider +Requires: nss # Post requires alternatives to install tool alternatives Requires(post): %{alternatives_requires} # in version 1.7 and higher for --family switch @@ -1059,9 +1189,9 @@ Requires(postun): %{alternatives_requires} Requires(postun): chkconfig >= 1.7 # Standard JPackage javadoc provides -Provides: java-javadoc%{?1} = %{epoch}:%{version}-%{release} -Provides: java-%{javaver}-javadoc%{?1} = %{epoch}:%{version}-%{release} -Provides: java-%{javaver}-%{origin}-javadoc%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-%{origin}-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release} +Provides: java-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release} } %define java_src_rpo() %{expand: 
@@ -1209,6 +1339,10 @@ Patch1011: rh1991003-enable_fips_keys_import.patch # RH2021263: Resolve outstanding FIPS issues Patch1014: rh2021263-fips_ensure_security_initialised.patch Patch1015: rh2021263-fips_missing_native_returns.patch +# RH2052819: Fix FIPS reliance on crypto policies +Patch1016: rh2021263-fips_separate_policy_and_fips_init.patch +# RH2052829: Detect NSS at Runtime for FIPS detection +Patch1017: rh2052829-fips_runtime_nss_detection.patch ############################################# # @@ -1237,6 +1371,10 @@ Patch400: pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch Patch401: pr3655-toggle_system_crypto_policy.patch # enable build of speculative store bypass hardened alt-java Patch600: rh1750419-redhat_alt_java.patch +# JDK-8281098, PR3836: Extra compiler flags not passed to adlc build +Patch112: jdk8281098-pr3836-pass_compiler_flags_to_adlc.patch +# JDK-8275535, RH2053256: Retrying a failed authentication on multiple LDAP servers can lead to users blocked +Patch113: jdk8275535-rh2053256-ldap_auth.patch ############################################# # @@ -1281,6 +1419,8 @@ Patch203: jdk8042159-allow_using_system_installed_lcms2-root.patch Patch204: jdk8042159-allow_using_system_installed_lcms2-jdk.patch # JDK-8195607, PR3776, RH1760437: sun/security/pkcs11/Secmod/TestNssDbSqlite.java failed with "NSS initialization failed" on NSS 3.34.1 Patch580: jdk8195607-pr3776-rh1760437-nss_sqlite_db_config.patch +# JDK-8257794: Zero: assert(istate->_stack_limit == istate->_thread->last_Java_sp() + 1) failed: wrong on Linux/x86_32 +Patch581: jdk8257794-remove_broken_assert.patch ############################################# # @@ -1291,6 +1431,7 @@ Patch580: jdk8195607-pr3776-rh1760437-nss_sqlite_db_config.patch # able to be removed once that release is out # and used by this RPM. ############################################# +Patch700: jdk8279077-missing_crash_protector_ppc.patch ############################################# # 
@@ -1349,22 +1490,16 @@ BuildRequires: libXinerama-devel BuildRequires: libXrender-devel BuildRequires: libXt-devel BuildRequires: libXtst-devel -# Requirements for setting up the nss.cfg and FIPS support -BuildRequires: nss-devel >= 3.53 +# Requirement for setting up nss.cfg and nss.fips.cfg +BuildRequires: nss-devel BuildRequires: pkgconfig BuildRequires: xorg-x11-proto-devel BuildRequires: zip BuildRequires: unzip -# Use OpenJDK 7 where available (on RHEL) to avoid -# having to use the rhel-7.x-java-unsafe-candidate hack -%if ! 0%{?fedora} && 0%{?rhel} <= 7 # Require a boot JDK which doesn't fail due to RH1482244 -BuildRequires: java-1.7.0-openjdk-devel >= 1.7.0.151-2.6.11.3 -%else -BuildRequires: java-1.8.0-openjdk-devel -%endif +BuildRequires: java-%{buildjdkver}-openjdk-devel >= 1.7.0.151-2.6.11.3 # Zero-assembler build requirement -%ifnarch %{jit_arches} +%ifarch %{zero_arches} BuildRequires: libffi-devel %endif # 2021e required as of JDK-8275766 in January 2022 CPU @@ -1554,7 +1689,8 @@ Requires: javapackages-filesystem Obsoletes: javadoc-slowdebug < 1:1.8.0.212.b04-4 BuildArch: noarch -%{java_javadoc_rpo %{nil}} +%{java_javadoc_rpo -- %{nil} -zip} +%{java_javadoc_rpo -- %{nil} %{nil}} %description javadoc The %{origin_nice} %{majorver} API documentation. @@ -1566,7 +1702,7 @@ Requires: javapackages-filesystem Obsoletes: javadoc-zip-slowdebug < 1:1.8.0.212.b04-4 BuildArch: noarch -%{java_javadoc_rpo %{nil}} +%{java_javadoc_rpo -- %{nil} %{nil}} %description javadoc-zip The %{origin_nice} %{majorver} API documentation compressed in a single archive. @@ -1635,7 +1771,7 @@ else exit 13 fi if [ %{include_debug_build} -eq 0 -a %{include_normal_build} -eq 0 -a %{include_fastdebug_build} -eq 0 ] ; then - echo "You have disabled all builds (normal,fastdebug,debug). That is a no go." + echo "You have disabled all builds (normal,fastdebug,slowdebug). That is a no go." exit 14 fi 
@@ -1698,12 +1834,16 @@ sh %{SOURCE12} %patch528 %patch571 %patch574 +%patch112 %patch580 -%patch539 +%patch581 +%patch113 # Upstreamed fixes +%patch700 # RPM-only fixes +%patch539 %patch600 %patch1000 %patch1001 @@ -1717,6 +1857,8 @@ sh %{SOURCE12} %patch1011 %patch1014 %patch1015 +%patch1016 +%patch1017 # RHEL-only patches %if ! 0%{?fedora} && 0%{?rhel} <= 7 @@ -1777,7 +1919,6 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg # Setup nss.fips.cfg sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg -sed -i -e "s:@NSS_SECMOD@:/etc/pki/nssdb:g" nss.fips.cfg %build # How many CPU's do we have? @@ -1797,7 +1938,6 @@ export CFLAGS="$CFLAGS -mieee" # We use ourcppflags because the OpenJDK build seems to # pass EXTRA_CFLAGS to the HotSpot C++ compiler... -# Explicitly set the C++ standard as the default has changed on GCC >= 6 EXTRA_CFLAGS="%ourcppflags -Wno-error" EXTRA_CPP_FLAGS="%ourcppflags" @@ -1814,10 +1954,9 @@ export EXTRA_CFLAGS EXTRA_ASFLAGS function buildjdk() { local outputdir=${1} - local installdir=${2} - local buildjdk=${3} - local maketargets=${4} - local debuglevel=${5} + local buildjdk=${2} + local maketargets="${3}" + local debuglevel=${4} local top_srcdir_abs_path=$(pwd)/%{top_level_dir_name} # Variable used in hs_err hook on build failures @@ -1830,7 +1969,7 @@ function buildjdk() { echo "Using debuglevel: ${debuglevel}" echo "Building 8u%{updatever}-%{buildver}, milestone %{milestone}" - mkdir -p ${outputdir} ${installdir} + mkdir -p ${outputdir} pushd ${outputdir} bash ${top_srcdir_abs_path}/configure \ @@ -1839,7 +1978,7 @@ function buildjdk() { %else --disable-jfr \ %endif -%ifnarch %{jit_arches} +%ifarch %{zero_arches} --with-jvm-variants=zero \ %endif --with-native-debug-symbols=internal \ 
@@ -1852,7 +1991,7 @@ function buildjdk() { --with-vendor-vm-bug-url="%{oj_vendor_bug_url}" \ --with-boot-jdk=${buildjdk} \ --with-debug-level=${debuglevel} \ - --enable-sysconf-nss \ + --disable-sysconf-nss \ --enable-unlimited-crypto \ --with-zlib=system \ --with-libjpeg=system \ @@ -1875,24 +2014,16 @@ function buildjdk() { SCTP_WERROR= \ ${maketargets} || ( pwd; find ${top_srcdir_abs_path} ${top_builddir_abs_path} -name "hs_err_pid*.log" | xargs cat && false ) - # the build (erroneously) removes read permissions from some jars - # this is a regression in OpenJDK 7 (our compiler): - # http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437 - find images/%{jdkimage} -iname '*.jar' -exec chmod ugo+r {} \; - chmod ugo+r images/%{jdkimage}/lib/ct.sym + popd +} - # remove redundant *diz and *debuginfo files - find images/%{jdkimage} -iname '*.diz' -exec rm -v {} \; - find images/%{jdkimage} -iname '*.debuginfo' -exec rm -v {} \; - - # Build screws up permissions on binaries - # https://bugs.openjdk.java.net/browse/JDK-8173610 - find images/%{jdkimage} -iname '*.so' -exec chmod +x {} \; - find images/%{jdkimage}/bin/ -exec chmod +x {} \; - - popd >& /dev/null +function installjdk() { + local outputdir=${1} + local installdir=${2} + local imagepath=${installdir}/images/%{jdkimage} echo "Installing build from ${outputdir} to ${installdir}..." + mkdir -p ${installdir} echo "Installing images..." mv ${outputdir}/images ${installdir} if [ -d ${outputdir}/bundles ] ; then 
@@ -1908,8 +2039,35 @@ function buildjdk() { echo "Removing output directory..."; rm -rf ${outputdir} %endif + + if [ -d ${imagepath} ] ; then + # the build (erroneously) removes read permissions from some jars + # this is a regression in OpenJDK 7 (our compiler): + # http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437 + find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \; + chmod ugo+r ${imagepath}/lib/ct.sym + + # remove redundant *diz and *debuginfo files + find ${imagepath} -iname '*.diz' -exec rm -v {} \; + find ${imagepath} -iname '*.debuginfo' -exec rm -v {} \; + + # Build screws up permissions on binaries + # https://bugs.openjdk.java.net/browse/JDK-8173610 + find ${imagepath} -iname '*.so' -exec chmod +x {} \; + find ${imagepath}/bin/ -exec chmod +x {} \; + fi } +%if %{build_hotspot_first} + # Build a fresh libjvm.so first and use it to bootstrap + cp -LR --preserve=mode,timestamps %{bootjdk} newboot + systemjdk=$(pwd)/newboot + buildjdk build/newboot ${systemjdk} %{hotspot_target} "release" "bundled" + mv build/newboot/hotspot/dist/jre/lib/%{archinstall}/server/libjvm.so newboot/jre/lib/%{archinstall}/server +%else + systemjdk=%{bootjdk} +%endif + for suffix in %{build_loop} ; do if [ "x$suffix" = "x" ] ; then debugbuild=release @@ -1918,7 +2076,6 @@ else debugbuild=`echo $suffix | sed "s/-//g"` fi -systemjdk=/usr/lib/jvm/java-openjdk builddir=%{buildoutputdir -- $suffix} bootbuilddir=boot${builddir} installdir=%{installoutputdir -- $suffix} 
@@ -1936,11 +2093,14 @@ else fi if ${run_bootstrap} ; then - buildjdk ${bootbuilddir} ${bootinstalldir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} - buildjdk ${builddir} ${installdir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} + buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} + installjdk ${bootbuilddir} ${bootinstalldir} + buildjdk ${builddir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} + installjdk ${builddir} ${installdir} %{!?with_artifacts:rm -rf ${bootinstalldir}} else - buildjdk ${builddir} ${installdir} ${systemjdk} "${maketargets}" ${debugbuild} + buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} + installjdk ${builddir} ${installdir} fi # Install nss.cfg right away as we will be using the JRE above @@ -2060,7 +2220,10 @@ quit end run -version EOF + +%ifarch %{gdb_arches} grep 'JavaCallWrapper::JavaCallWrapper' gdb.out +%endif # Check src.zip has all sources. See RHBZ#1130490 jar -tf $JAVA_HOME/src.zip | grep 'sun.misc.Unsafe' @@ -2197,7 +2360,7 @@ find $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/demo \ | sed 's|'$RPM_BUILD_ROOT'||' \ | sed 's|^|%doc |' \ >> %{name}-demo.files"$suffix" -# Find documentation directories. +# Find demo directories. find $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/demo \ $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/sample \ -type d | sort \ @@ -2308,6 +2471,9 @@ cjc.mainProgram(args) %posttrans %{posttrans_script %{nil}} +%posttrans headless +%{alternatives_java_install %{nil}} + %post devel %{post_devel %{nil}} @@ -2317,14 +2483,14 @@ cjc.mainProgram(args) %posttrans devel %{posttrans_devel %{nil}} -%post javadoc -%{post_javadoc %{nil}} +%posttrans javadoc +%{alternatives_javadoc_install %{nil}} %postun javadoc %{postun_javadoc %{nil}} -%post javadoc-zip -%{post_javadoc_zip %{nil}} +%posttrans javadoc-zip +%{alternatives_javadoczip_install %{nil}} %postun javadoc-zip %{postun_javadoc_zip %{nil}} 
@@ -2337,6 +2503,9 @@ cjc.mainProgram(args) %post headless-slowdebug %{post_headless -- %{debug_suffix_unquoted}} +%posttrans headless-slowdebug +%{alternatives_java_install -- %{debug_suffix_unquoted}} + %postun slowdebug %{postun_script -- %{debug_suffix_unquoted}} @@ -2373,6 +2542,9 @@ cjc.mainProgram(args) %posttrans fastdebug %{posttrans_script -- %{fastdebug_suffix_unquoted}} +%posttrans headless-fastdebug +%{alternatives_java_install -- %{fastdebug_suffix_unquoted}} + %post devel-fastdebug %{post_devel -- %{fastdebug_suffix_unquoted}} 
@@ -2463,31 +2635,73 @@ cjc.mainProgram(args) %endif %changelog -* Mon Apr 18 2022 Andrew Hughes - 1:1.8.0.332.b09-1 -- Update to shenandoah-jdk8u332-b09 (GA) -- Update release notes for 8u332-b09. -- Switch to GA mode for final release. -- This tarball is embargoed until 2022-04-19 @ 1pm PT. -- Resolves: rhbz#2073422 +* Mon Feb 28 2022 Jiri Vanek - 1:1.8.0.322.b06-11 +- Storing and restoring alterntives during update manually +- Fixing Bug 2001567 - update of JDK/JRE is removing its manually selected alterantives and select (as auto) system JDK/JRE +-- The move of alternatives creation to posttrans to fix: +-- Bug 1200302 - dnf reinstall breaks alternatives +-- Had caused the alternatives to be removed, and then created again, +-- instead of being added, and then removing the old, and thus persisting +-- the selection in family +-- Thus this fix, is storing the family of manually selected master, and if +-- stored, then it is restoring the family of the master +- Resolves: rhbz#2008192 -* Mon Apr 18 2022 Andrew Hughes - 1:1.8.0.332.b06-0.1.ea -- Update to shenandoah-jdk8u332-b06 (EA) -- Update release notes for shenandoah-8u332-b06. -- Switch to EA mode. -- Remove JDK-8279077 patch now upstream. -- Related: rhbz#2073422 +* Mon Feb 28 2022 Jiri Vanek - 1:1.8.0.322.b06-10 +- Family extracted to globals +- Resolves: rhbz#2008192 -* Mon Jan 24 2022 Andrew Hughes - 1:1.8.0.322.b06-2 +* Mon Feb 28 2022 Jiri Vanek - 1:1.8.0.322.b06-9 +- javadoc-zip got its own provides next to plain javadoc ones +- Resolves: rhbz#2008192 + +* Mon Feb 28 2022 Jiri Vanek - 1:1.8.0.322.b06-8 +- alternatives creation moved to posttrans +- Thus fixing the old reisntall issue: +- https://bugzilla.redhat.com/show_bug.cgi?id=1200302 +- https://bugzilla.redhat.com/show_bug.cgi?id=1976053 +- Resolves: rhbz#2008192 + +* Mon Feb 28 2022 Andrew Hughes - 1:1.8.0.322.b06-7 +- Add JDK-8275535 patch to fix LDAP authentication issue. 
+- Resolves: rhbz#2053285 + +* Mon Feb 28 2022 Andrew Hughes - 1:1.8.0.322.b06-6 +- Detect NSS at runtime for FIPS detection +- Turn off build-time NSS linking and go back to an explicit Requires on NSS +- Resolves: rhbz#2052828 + +* Wed Feb 23 2022 Andrew Hughes - 1:1.8.0.322.b06-5 +- Separate crypto policy initialisation from FIPS initialisation, now they are no longer interdependent +- Resolves: rhbz#2052817 + +* Mon Feb 21 2022 Andrew Hughes - 1:1.8.0.322.b06-4 +- Refactor build functions so we can build just HotSpot without any attempt at installation. +- Introduce architecture restriction logic for the gdb test. (RH2041970) +- Pass compiler flags to the ADLC build (JDK-8281098) +- Adjust JDK8199936/PR3533 -mstackrealign patch to instead pass -mincoming-stack-boundary=2 -mpreferred-stack-boundary=4 +- Explicitly list JIT architectures rather than relying on those with slowdebug builds +- Disable the serviceability agent on Zero architectures even when the architecture itself is supported +- Add backport of JDK-8257794 to fix bogus assert on slowdebug x86-32 Zero builds +- Sync minor placement differences with Fedora & RHEL 9 +- Resolves: rhbz#2022815 + +* Mon Jan 24 2022 Andrew Hughes - 1:1.8.0.322.b06-3 - Fix FIPS issues in native code and with initialisation of java.security.Security -- Related: rhbz#2039366 +- Resolves: rhbz#2021263 -* Fri Jan 21 2022 Andrew Hughes - 1:1.8.0.322.b06-1 +* Fri Jan 21 2022 Andrew Hughes - 1:1.8.0.322.b06-2 - Update to aarch64-shenandoah-jdk8u322-b06 (EA) - Update release notes for 8u322-b06. - Switch to GA mode for final release. +- Resolves: rhbz#2039366 + +* Thu Jan 20 2022 Andrew Hughes - 1:1.8.0.322.b05-0.1.ea +- Update to aarch64-shenandoah-jdk8u322-b05 (EA) +- Update release notes for 8u322-b05. - Require tzdata 2021e as of JDK-8275766. 
- Update tarball generation script to use git following shenandoah-jdk8u's move to github -- Resolves: rhbz#2039366 +- Resolves: rhbz#2022815 * Tue Jan 18 2022 Andrew Hughes - 1:1.8.0.322.b04-0.2.ea - Add backport of JDK-8279077 to fix crash on ppc64 
@@ -2497,32 +2711,86 @@ cjc.mainProgram(args) - Update to aarch64-shenandoah-jdk8u322-b04 (EA) - Update release notes for 8u322-b04. - Require tzdata 2021c as of JDK-8274407. -- Switch to EA mode. -- Turn off bootstrapping for slow debug builds, which are particularly slow on ppc64le. -- Related: rhbz#2039366 +- Related: rhbz#2022815 -* Fri Oct 15 2021 Andrew Hughes - 1:1.8.0.312.b07-2 +* Fri Jan 07 2022 Andrew Hughes - 1:1.8.0.322.b03-0.1.ea +- Update to aarch64-shenandoah-jdk8u322-b03 (EA) +- Update release notes for 8u322-b03. +- Related: rhbz#2022815 + +* Fri Dec 17 2021 Andrew Hughes - 1:1.8.0.322.b02-0.1.ea +- Update to aarch64-shenandoah-jdk8u322-b02 (EA) +- Update release notes for 8u322-b02. +- Related: rhbz#2022815 + +* Tue Dec 14 2021 Andrew Hughes - 1:1.8.0.322.b01-0.1.ea +- Update to aarch64-shenandoah-jdk8u322-b01 (EA) +- Update release notes for 8u322-b01. +- Switch to EA mode. +- Related: rhbz#2022815 + +* Mon Dec 06 2021 Andrew Hughes - 1:1.8.0.312.b07-5 +- Turn off bootstrapping for slow debug builds, which are particularly slow on ppc64le. +- Related: rhbz#2022815 + +* Mon Dec 06 2021 Severin Gehwolf - 1:1.8.0.312.b07-4 +- Use 'sql:' prefix in nss.fips.cfg as F35+ no longer ship the legacy + secmod.db file as part of nss +- Resolves: rhbz#2023532 + +* Fri Oct 15 2021 Andrew Hughes - 1:1.8.0.312.b07-3 - Update to aarch64-shenandoah-jdk8u312-b07 (EA) - Update release notes for 8u312-b07. - Switch to GA mode for final release. -- This tarball is embargoed until 2021-10-19 @ 1pm PT. -- Resolves: rhbz#2011826 +- Resolves: rhbz#2012339 -* Thu Oct 14 2021 Andrew Hughes - 1:1.8.0.312.b05-0.2.ea -- Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false -- Resolves: rhbz#2014194 - -* Thu Oct 14 2021 Martin Balao - 1:1.8.0.312.b05-0.2.ea -- Add patch to allow plain key import. 
-- Resolves: rhbz#2014194 - -* Tue Oct 12 2021 Andrew Hughes - 1:1.8.0.312.b05-0.1.ea +* Tue Oct 12 2021 Andrew Hughes - 1:1.8.0.312.b05-0.3.ea - Update to aarch64-shenandoah-jdk8u312-b05-shenandoah-merge-2021-10-07 - Update release notes for 8u312-b05-shenandoah-merge-2021-10-07. +- Related: rhbz#1999937 + +* Thu Oct 07 2021 Andrew Hughes - 1:1.8.0.312.b05-0.2.ea +- Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false +- Resolves: rhbz#1994659 + +* Thu Oct 07 2021 Martin Balao - 1:1.8.0.312.b05-0.2.ea +- Add patch to allow plain key import. +- Resolves: rhbz#1994659 + +* Thu Sep 30 2021 Andrew Hughes - 1:1.8.0.312.b05-0.1.ea +- Update to aarch64-shenandoah-jdk8u312-b05 (EA) +- Update release notes for 8u312-b05. +- Resolves: rhbz#1999937 + +* Mon Sep 27 2021 Andrew Hughes - 1:1.8.0.312.b04-0.2.ea - Reduce disk footprint by removing build artifacts by default. +- Related: rhbz#1999937 + +* Sun Sep 26 2021 Andrew Hughes - 1:1.8.0.312.b04-0.1.ea +- Update to aarch64-shenandoah-jdk8u312-b04 (EA) +- Update release notes for 8u312-b04. +- Related: rhbz#1999937 + +* Fri Sep 24 2021 Andrew Hughes - 1:1.8.0.312.b03-0.1.ea +- Update to aarch64-shenandoah-jdk8u312-b03 (EA) +- Update release notes for 8u312-b03. +- Related: rhbz#1999937 + +* Sun Sep 19 2021 Andrew Hughes - 1:1.8.0.312.b02-0.1.ea +- Update to aarch64-shenandoah-jdk8u312-b02 (EA) +- Update release notes for 8u312-b02. +- Related: rhbz#1999937 + +* Mon Sep 13 2021 Andrew Hughes - 1:1.8.0.312.b01-0.1.ea +- Update to aarch64-shenandoah-jdk8u312-b01 (EA) +- Update release notes for 8u312-b01. - Switch to EA mode. +- Remove "-clean" suffix as no 8u312 builds are unclean. +- Related: rhbz#1999937 + +* Fri Sep 10 2021 Andrew Hughes - 1:1.8.0.302.b08-4 - Remove non-Free test and demo files from source tarball. -- Related: rhbz#2011826 +- Related: rhbz#1999937 * Fri Aug 27 2021 Andrew Hughes - 1:1.8.0.302.b08-3 - Add patch to login to the NSS software token when in FIPS mode.
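Review bot: The last alternative in `%global _privatelibs` (hunk `@@ -318,6 +344,16 @@`), `lib[.]so\\(SUNWprivate_.*`, is not explained by the comment above it, which only lists the libraries that must stay out of the filter. Because this one regex feeds both `__provides_exclude` and `__requires_exclude`, add a comment line saying what that final entry is meant to match, so a later edit to the list does not drop or widen it by accident.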
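Review bot: In the `@@ -356,6 +395,50 @@` hunk, `set_if_needed_alternatives` only tests the state file with `[ -e "$ALTERNATIVES_FILE" ]` and then deletes it. The two lines that `save_alternatives` writes with `headOfAbove 2 > ...` are never read back, so the file acts as a bare flag. Either create it empty, or compare the saved link line before calling `alternatives --set`, and say which in a comment. The file is also removed before `alternatives --set $MASTER $FAMILY` runs, so a failing `--set` loses the saved choice; remove it only after the set succeeds. Quoting is inconsistent as well: `"$MASTER"_$FAMILY` in the `rm -f`, `"$MASTER"_"$FAMILY"` in the redirect, and bare `$MASTER $FAMILY` and `head -n $1` elsewhere. These scriptlets run as root, so quote every expansion.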
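Review bot: `postun_headless` in the `@@ -446,26 +539,34 @@` hunk saves the manual selection from `%postun`, and on an upgrade the `%postun` that runs belongs to the package being replaced. The save step therefore only happens when the outgoing build already carries `save_and_remove_alternatives`; an upgrade from a build without it still loses a manually selected alternative. State that limit next to the macro or in the changelog entry. The comment on `post_state=$1` links to the scriptlet syntax page but does not say which values the later `"0$upgrade1_uninstal0" -gt 0` test relies on; one line giving the upgrade and uninstall values would save the lookup.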
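Review bot: The bug references for the two new FIPS patches in the `@@ -1209,6 +1339,10 @@` hunk do not agree with the rest of the change. `Patch1016` is commented `RH2052819`, its file is named `rh2021263-fips_separate_policy_and_fips_init.patch`, and the matching changelog entry resolves rhbz#2052817. `Patch1017` is commented `RH2052829`, while its changelog entry resolves rhbz#2052828. If these are separate bugs tracking the same fix for different releases, say so in the comments; otherwise align comment, file name and changelog so each patch traces to one bug.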
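Review bot: The `@@ -1349,22 +1490,16 @@` hunk drops the version floor from `BuildRequires: nss-devel >= 3.53`, and the new runtime dependency added in the `@@ -983,6 +1111,8 @@` hunk is a bare `Requires: nss`. With the build switched to `--disable-sysconf-nss` and NSS located at runtime, nothing visible in the spec ensures the installed NSS is a version the FIPS PKCS11 provider works with. If 3.53 is still the minimum, carry it on the `Requires: nss` line; if it is not, record in the changelog why the bound was safe to remove.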
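Review bot: In the `%if %{build_hotspot_first}` block of the `@@ -1908,8 +2039,35 @@` hunk, `buildjdk build/newboot ${systemjdk} %{hotspot_target} "release" "bundled"` passes five arguments, but the refactored `buildjdk` reads only `${1}` to `${4}` (outputdir, buildjdk, maketargets, debuglevel), so `"bundled"` is silently ignored. Drop it, or add the parameter it was meant to set. `%{hotspot_target}` is also unquoted here, unlike `"%{bootstrap_targets}"` and `"${maketargets}"` at the other call sites, so a target list with more than one word would push the debug level out of `${4}`.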
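Review bot: The new `1:1.8.0.322.b06-11` and `1:1.8.0.322.b06-8` changelog entries in the `@@ -2463,31 +2635,73 @@` hunk contain typos that will ship in the package metadata: `alterntives`, `alterantives` and `reisntall`. Fix them before merge, and consider using one bullet style in the `-11` entry, which mixes `-` and `--` prefixes for what reads as a single explanation.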