From 345ac01c22e4c1b60c05a42ad47fafe66425598d Mon Sep 17 00:00:00 2001 From: Andrew Hughes Date: Fri, 28 Apr 2023 01:59:00 +0100 Subject: [PATCH] Update to shenandoah-jdk8u372-b07 (GA) Update release notes for shenandoah-8u372-b07. Require tzdata 2023c due to inclusion of JDK-8305113 in 8u372-b07 Update generate_tarball.sh to add support for passing a boot JDK to the configure run Add POSIX-friendly error codes to generate_tarball.sh and fix whitespace Remove .jcheck and GitHub support when generating tarballs, as done in upstream release tarballs Drop JDK-8275535/RH2053256 patch which is now upstream Include JDK-8271199 backport early ahead of 8u382 (RH2175317) Drop hack for difference in local and portable build version Replace local copies of JDK portable binaries with build dependencies Include the java-1.8.0-openjdk-portable.spec file with instructions on how to rebuild. Remove duplicate use of README.md inside the *-src package (it is no longer about sources) Use portable build on x86_32 now one is available ** This tarball is embargoed until 2023-04-18 @ 1pm PT. ** Resolves: rhbz#2185182 Resolves: rhbz#2189329 Resolves: rhbz#2188023 --- .gitignore | 1 + NEWS | 204 ++ README.md | 36 +- generate_source_tarball.sh | 88 +- java-1.8.0-openjdk-portable.specfile | 2388 +++++++++++++++++ java-1.8.0-openjdk.spec | 146 +- ...75317-custom_pkcs11_provider_support.patch | 167 ++ jdk8275535-rh2053256-ldap_auth.patch | 26 - sources | 20 +- 9 files changed, 2917 insertions(+), 159 deletions(-) create mode 100644 java-1.8.0-openjdk-portable.specfile create mode 100644 jdk8271199-rh2175317-custom_pkcs11_provider_support.patch delete mode 100644 jdk8275535-rh2053256-ldap_auth.patch diff --git a/.gitignore b/.gitignore index efd229c..d001145 100644 --- a/.gitignore +++ b/.gitignore @@ -282,3 +282,4 @@ /java-1.8.0-openjdk-portable-1.8.0.362.b08-4.portable.unstripped.jdk.el.ppc64le.tar.xz /java-1.8.0-openjdk-portable-1.8.0.362.b08-4.portable.unstripped.jdk.el.s390x.tar.xz /java-1.8.0-openjdk-portable-1.8.0.362.b08-4.portable.unstripped.jdk.el.x86_64.tar.xz +/openjdk-shenandoah-jdk8u-shenandoah-jdk8u372-b07-4curve.tar.xz diff --git a/NEWS b/NEWS index a6788c4..51e3859 100644 --- a/NEWS +++ b/NEWS @@ -3,6 +3,210 @@ Key: JDK-X - https://bugs.openjdk.java.net/browse/JDK-X CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY +New in release OpenJDK 8u372 (2023-04-18): +=========================================== +Live versions of these release notes can be found at: + * https://bit.ly/openjdk8u372 + +* CVEs + - CVE-2023-21930 + - CVE-2023-21937 + - CVE-2023-21938 + - CVE-2023-21939 + - CVE-2023-21954 + - CVE-2023-21967 + - CVE-2023-21968 +* Security fixes + - JDK-8287404: Improve ping times + - JDK-8288436: Improve Xalan supports + - JDK-8294474: Better AES support + - JDK-8295304: Runtime support improvements + - JDK-8296496, JDK-8292652: Overzealous check in sizecalc.h prevents large memory allocation + - JDK-8296676, JDK-8296622: Improve String platform support + - JDK-8296684: Improve String platform support + - JDK-8296692: Improve String platform support + - JDK-8296700: Improve String platform support + - JDK-8296832: Improve Swing platform support + - JDK-8297371: Improve UTF8 representation redux + - JDK-8298191: Enhance object reclamation process + - JDK-8298310: Enhance TLS session negotiation + - JDK-8298667: Improved path handling + - JDK-8299129: Enhance NameService lookups +* New features + - JDK-8230305: Cgroups v2: Container awareness +* Other changes + - JDK-6734341: REGTEST fails: SelectionAutoscrollTest.html + - JDK-6829250: Reg test: java/awt/Toolkit/ScreenInsetsTest/ScreenInsetsTest.java fails in Windows + - JDK-7001973: java/awt/Graphics2D/CopyAreaOOB.java fails + - JDK-7124238: [macosx] Font in BasicHTML document is bigger than it should be + - JDK-7124381: DragSourceListener.dragDropEnd() never been called on completion of dnd operation + - JDK-8039888: [TEST_BUG] keyboard garbage after javax/swing/plaf/windows/WindowsRootPaneUI/WrongAltProcessing/WrongAltProcessing.java + - JDK-8042098: [TESTBUG] Test sun/java2d/AcceleratedXORModeTest.java fails on Windows + - JDK-8065422: Trailing dot in hostname causes TLS handshake to fail with SNI disabled + - JDK-8072770: [TESTBUG] Some Introspector tests fail with a Java heap bigger than 4GB + - JDK-8075964: Test java/awt/Mouse/TitleBarDoubleClick/TitleBarDoubleClick.html fails intermittently with timeout error + - JDK-8137101: [TEST_BUG] javax/swing/plaf/basic/BasicHTML/4251579/bug4251579.java failure due to timing + - JDK-8142540: [TEST_BUG] Test sun/awt/dnd/8024061/bug8024061.java fails on ubuntu + - JDK-8156579: Two JavaBeans tests failed + - JDK-8156581: Cleanup of ProblemList.txt + - JDK-8159135: [PIT] javax/swing/JMenuItem/8152981/MenuItemIconTest.java always fail + - JDK-8177560: @headful key can be removed from the tests for JavaSound + - JDK-8196196: Headful tests should not be run in headless mode + - JDK-8196467: javax/swing/JInternalFrame/Test6325652.java fails + - JDK-8197408: Bad pointer comparison and small cleanup in os_linux.cpp + - JDK-8203485: [freetype] text rotated on 180 degrees is too narrow + - JDK-8205959: Do not restart close if errno is EINTR + - JDK-8216366: Add rationale to PER_CPU_SHARES define + - JDK-8226236: win32: gc/metaspace/TestCapacityUntilGCWrapAround.java fails + - JDK-8228585: jdk/internal/platform/cgroup/TestCgroupMetrics.java - NumberFormatException because of large long values (memory limit_in_bytes) + - JDK-8229182: [TESTBUG] runtime/containers/docker/TestMemoryAwareness.java test fails on SLES12 + - JDK-8229202: Docker reporting causes secondary crashes in error handling + - JDK-8231111: Cgroups v2: Rework Metrics in java.base so as to recognize unified hierarchy + - JDK-8232207: Linux os::available_memory re-reads cgroup configuration on every invocation + - JDK-8233570: [TESTBUG] HTMLEditorKit test bug5043626.java is failing on macos + - JDK-8234484: Add ability to configure third port for remote JMX + - JDK-8237479: 8230305 causes slowdebug build failure + - JDK-8239559: Cgroups: Incorrect detection logic on some systems + - JDK-8239785: Cgroups: Incorrect detection logic on old systems in hotspot + - JDK-8239827: The test OpenByUNCPathNameTest.java should be changed to be manual + - JDK-8240189: [TESTBUG] Some cgroup tests are failing after JDK-8231111 + - JDK-8241087: Build failure with VS 2019 (16.5.0) due to C2039 and C2873 + - JDK-8242468: VS2019 build missing vcruntime140_1.dll + - JDK-8243543: jtreg test security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java fails + - JDK-8244500: jtreg test error in test/hotspot/jtreg/containers/docker/TestMemoryAwareness.java + - JDK-8245543: Cgroups: Incorrect detection logic on some systems (still reproducible) + - JDK-8245654: Add Certigna Root CA + - JDK-8247676: vcruntime140_1.dll is not needed on 32-bit Windows + - JDK-8248899: security/infra/java/security/cert/CertPathValidator/certification/QuoVadisCA.java fails, Certificate has been revoked + - JDK-8252359: HotSpot Not Identifying it is Running in a Container + - JDK-8252957: Wrong comment in CgroupV1Subsystem::cpu_quota + - JDK-8253435: Cgroup: 'stomping of _mount_path' crash if manually mounted cpusets exist + - JDK-8253714: [cgroups v2] Soft memory limit incorrectly using memory.high + - JDK-8253727: [cgroups v2] Memory and swap limits reported incorrectly + - JDK-8253797: [cgroups v2] Account for the fact that swap accounting is disabled on some systems + - JDK-8253939: [TESTBUG] Increase coverage of the cgroups detection code + - JDK-8254001: [Metrics] Enhance parsing of cgroup interface files for version detection + - JDK-8254717: isAssignableFrom checks in KeyFactorySpi.engineGetKeySpec appear to be backwards + - JDK-8254997: Remove unimplemented OSContainer::read_memory_limit_in_bytes + - JDK-8257620: Do not use objc_msgSend_stret to get macOS version + - JDK-8262379: Add regression test for JDK-8257746 + - JDK-8263404: RsaPrivateKeySpec is always recognized as RSAPrivateCrtKeySpec in RSAKeyFactory.engineGetKeySpec + - JDK-8266391: Replace use of reflection in jdk.internal.platform.Metrics + - JDK-8270317: Large Allocation in CipherSuite + - JDK-8275535: Retrying a failed authentication on multiple LDAP servers can lead to users blocked + - JDK-8275650: Problemlist java/io/File/createTempFile/SpecialTempFile.java for Windows 11 + - JDK-8275713: TestDockerMemoryMetrics test fails on recent runc + - JDK-8278951: containers/cgroup/PlainRead.java fails on Ubuntu 21.10 + - JDK-8280048: Missing comma in copyright header + - JDK-8282398: EndingDotHostname.java test fails because SSL cert expired + - JDK-8282511: Use fixed certificate validation date in SSLExampleCert template + - JDK-8282947: JFR: Dump on shutdown live-locks in some conditions + - JDK-8283277: ISO 4217 Amendment 171 Update + - JDK-8283606: Tests may fail with zh locale on MacOS + - JDK-8284102: [TESTBUG] [11u] Retroactively add regression test for JDK-8272124 + - JDK-8284690: [macos] VoiceOver : Getting java.lang.IllegalArgumentException: Invalid location on Editable JComboBox + - JDK-8284756: [11u] Remove unused isUseContainerSupport in CgroupV1Subsystem + - JDK-8284977: MetricsTesterCgroupV2.getLongValueEntryFromFile fails when named value doesn't exist + - JDK-8286624: Regression Test CoordinateTruncationBug.java fails on OL8.3 + - JDK-8287107: CgroupSubsystemFactory.setCgroupV2Path asserts with freezer controller + - JDK-8287109: Distrust.java failed with CertificateExpiredException + - JDK-8287463: JFR: Disable TestDevNull.java on Windows + - JDK-8287741: Fix of JDK-8287107 (unused cgv1 freezer controller) was incomplete + - JDK-8289549: ISO 4217 Amendment 172 Update + - JDK-8289695: [TESTBUG] TestMemoryAwareness.java fails on cgroups v2 and crun + - JDK-8291570: [TESTBUG] Part of JDK-8250984 absent from 11u + - JDK-8292083: Detected container memory limit may exceed physical machine memory + - JDK-8292541: [Metrics] Reported memory limit may exceed physical machine memory + - JDK-8293472: Incorrect container resource limit detection if manual cgroup fs mounts present + - JDK-8293540: [Metrics] Incorrectly detected resource limits with additional cgroup fs mounts + - JDK-8293767: AWT test TestSinhalaChar.java has old SCCS markings + - JDK-8294307: ISO 4217 Amendment 173 Update + - JDK-8294767: 8u contains two copies of test/../FileUtils.java, one uses JDK9+ features + - JDK-8295322: Tests for JDK-8271459 were not backported to 11u + - JDK-8295952: Problemlist existing compiler/rtm tests also on x86 + - JDK-8295982: Failure in sun/security/tools/keytool/WeakAlg.java - ks: The process cannot access the file because it is being used by another process + - JDK-8296239: ISO 4217 Amendment 174 Update + - JDK-8296480: java/security/cert/pkix/policyChanges/TestPolicy.java is failing + - JDK-8296485: BuildEEBasicConstraints.java test fails with SunCertPathBuilderException + - JDK-8296632: Write a test to verify the content change of TextArea sends TextEvent + - JDK-8296957: One more cast in SAFE_SIZE_NEW_ARRAY2 + - JDK-8297329: [8u] hotspot needs to recognise VS2019 + - JDK-8297739: Bump update version of OpenJDK: 8u372 + - JDK-8297996: [8u] generated images are broken due to renaming of MSVC runtime DLL's + - JDK-8298027: Remove SCCS id's from awt jtreg tests + - JDK-8298307: Enable hotspot/tier1 for 32-bit builds in GHA for 8u + - JDK-8299439: java/text/Format/NumberFormat/CurrencyFormat.java fails for hr_HR + - JDK-8299445: EndingDotHostname.java fails because of compilation errors + - JDK-8299483: ProblemList java/text/Format/NumberFormat/CurrencyFormat.java + - JDK-8299548: Fix hotspot/test/runtime/Metaspace/MaxMetaspaceSizeTest.java in 8u + - JDK-8299804: Fix non-portable code in hotspot shell tests in 8u + - JDK-8300014: Some backports placed the tests in the wrong location + - JDK-8300119: CgroupMetrics.getTotalMemorySize0() can report invalid results on 32 bit systems + - JDK-8301122: [8u] Fix unreliable vs2010 download link + - JDK-8301143: [TESTBUG] jfr/event/sampling/TestNative was backported to JDK8u without proper native wrapper + - JDK-8301246: NPE in FcFontManager.getDefaultPlatformFont() on Linux without installed fontconfig + - JDK-8301332: [8u] Fix writing of test files after the cgroups v2 backport + - JDK-8301550: [8u] Enable additional linux build testing in GitHub + - JDK-8301620: [8u] some shell tests are passed but have unexpected operator errors + - JDK-8301760: Fix possible leak in SpNegoContext dispose + - JDK-8303408: [AIX] Broken jdk8u build after JDK-8266391 + - JDK-8303828: [Solaris] Broken jdk8u build after JDK-8266391 + - JDK-8304053: Revert os specific stubs for SystemMetrics + - JDK-8305113: (tz) Update Timezone Data to 2023c + +Notes on individual issues: +=========================== + +hotspot: +core-libs: + +JDK-8305562: Cgroups v2: Container awareness +============================================ +The HotSpot runtime code as well as the core libraries code in the JDK +has been updated in order to detect a cgroup v2 host system when +running OpenJDK within a Linux container. + +Since the 8u202 release of OpenJDK, the container detection code +recognized cgroup v1 (legacy) host Linux systems. With 8u372 and later +releases, both versions of the underlying cgroups pseudo filesystem +will be detected and corresponding container limits applied to the +OpenJDK runtime. + +Without this enhancement, OpenJDK would not apply container resource +limits when running on a cgroup v2 Linux host system, but would use +the underlying hosts' resource limits instead. + +client-libs/javax.swing: + +JDK-8296832: Improve Swing platform support +=========================================== +Earlier OpenJDK releases would always render HTML object tags embedded in +Swing HTML components. With this release, rendering only occurs when the +new system property "swing.html.object" is set to true. By default, it +is set to false. + +core-svc/javax.management: + +JDK-8234484: Added Ability to Configure Third Port for Remote JMX +================================================================= +A local access port can now be configured for JMX connections by +setting the property `com.sun.management.jmxremote.local.port`. This +local port was previously selected at random, which could lead to port +collisions. The property works in the same way as the existing +properties for configuring the remote access port +(`com.sun.management.jmxremote.port`) and the RMI port +(`com.sun.management.jmxremote.rmi.port`) + +security-libs/java.security: + +JDK-8245654: Added Certigna(Dhimyotis) Root CA Certificate +========================================================== +The following root certificate has been added to the cacerts truststore: + +Name: Certigna (Dhimyotis) +Alias Name: certignarootca +Distinguished Name: CN=Certigna, O=Dhimyotis, C=FR + New in release OpenJDK 8u362 (2023-01-17): =========================================== Live versions of these release notes can be found at: diff --git a/README.md b/README.md index 61b3b69..f7d6f74 100644 --- a/README.md +++ b/README.md @@ -1,8 +1,34 @@ -Package of LTS OpenJDK 8 -OpenJDK have release cadence of 6 months. but 3/4 of them are Short Term Supported for 6 months only. This package is designed to harbore them. Currently it is build on openJDK 10. LTSs (next is 11) will go as separate packages. +OpenJDK 8 is a Long-Term Support (LTS) release of the Java platform. -JDK8 is last LTS release of Java platform. It is bringing many cool improvements - http://openjdk.java.net/projects/jdk/8/ and is landing to your RHEL. Where it will be maintained for several years. You will always be allowed to install Used LTSs in build root, and alongside via alternatives. +For a list of major changes in OpenJDK 8 (java-1.8.0-openjdk), see the +upstream release page: https://openjdk.org/projects/jdk8/features -See announcement: http://mail.openjdk.java.net/pipermail/discuss/2017-September/004281.html -See java SIG plans: https://jvanek.fedorapeople.org/devconf/2018/changesInjavaReleaseProcess.pdf +# Rebuilding the OpenJDK package +The OpenJDK packages are now created from a single build which is then +packaged for different major versions of Red Hat Enterprise Linux +(RHEL). This allows the OpenJDK team to focus their efforts on the +development and testing of this single build, rather than having +multiple builds which only differ by the platform they were built on. + +This does make rebuilding the package slightly more complicated than a +normal package. Modifications should be made to the +`java-1.8.0-openjdk-portable.specfile` file, which can be found with +this README file in the source RPM or installed in the documentation +tree by the `java-1.8.0-openjdk-headless` RPM. + +Once the modified `java-1.8.0-openjdk-portable` RPMs are built, they +should be installed and will produce a number of tarballs in the +`/usr/lib/jvm` directory. The `java-1.8.0-openjdk` RPMs can then be +built, which will use these tarballs to create the usual RPMs found in +RHEL. The `java-1.8.0-openjdk-portable` RPMs can be uninstalled once +the desired final RPMs are produced. + +Note that the `java-1.8.0-openjdk.spec` file has a hard requirement on +the exact version of java-1.8.0-openjdk-portable to use, so this will +need to be modified if the version or rpmrelease values are changed in +`java-1.8.0-openjdk-portable.specfile`. + +To reduce the number of RPMs involved, the `fastdebug` and `slowdebug` +builds may be disabled using `--without fastdebug` and `--without +slowdebug`. diff --git a/generate_source_tarball.sh b/generate_source_tarball.sh index 3f33d68..b03b0a9 100755 --- a/generate_source_tarball.sh +++ b/generate_source_tarball.sh @@ -10,7 +10,7 @@ # PROJECT_NAME=openjdk # REPO_NAME=shenandoah-jdk8u # VERSION=HEAD -# +# # They are used to create correct name and are used in construction of sources url (unless REPO_ROOT is set) # This script creates a single source tarball out of the repository @@ -31,8 +31,8 @@ fi if [ "x${JCONSOLE_JS_PATCH}" != "x" ] ; then if [ ! -f "${JCONSOLE_JS_PATCH}" ] ; then - echo "You have specified the jconsole.js patch as ${JCONSOLE_JS_PATCH} but it does not exist. Exiting."; - exit 2; + echo "You have specified the jconsole.js patch as ${JCONSOLE_JS_PATCH} but it does not exist. Exiting."; + exit 2; fi else JCONSOLE_JS_PATCH=${JCONSOLE_JS_PATCH_DEFAULT} @@ -53,29 +53,58 @@ if [ "x$1" = "xhelp" ] ; then echo "OPENJDK_URL - the URL to retrieve code from (optional; defaults to ${OPENJDK_URL_DEFAULT})" echo "COMPRESSION - the compression type to use (optional; defaults to ${COMPRESSION_DEFAULT})" echo "FILE_NAME_ROOT - name of the archive, minus extensions (optional; defaults to PROJECT_NAME-REPO_NAME-VERSION)" - echo "REPO_ROOT - the location of the Mercurial repository to archive (optional; defaults to OPENJDK_URL/PROJECT_NAME/REPO_NAME)" + echo "REPO_ROOT - the location of the Git repository to archive (optional; defaults to OPENJDK_URL/PROJECT_NAME/REPO_NAME)" echo "PR3822 - the path to the PR3822 patch to apply (optional; downloaded if unavailable)" echo "JCONSOLE_JS_PATCH - the path to a patch to fix non-availiability of jconsole.js (optional; defaults to ${JCONSOLE_JS_PATCH_DEFAULT})" + echo "BOOT_JDK - the bootstrap JDK to satisfy the configure run" exit 1; fi if [ "x$VERSION" = "x" ] ; then echo "No VERSION specified" - exit -2 + exit 2 fi echo "Version: ${VERSION}" - + +NUM_VER=${VERSION##jdk-} +RELEASE_VER=${NUM_VER%%+*} +BUILD_VER=${NUM_VER##*+} +MAJOR_VER=${RELEASE_VER%%.*} +echo "Major version is ${MAJOR_VER}, release ${RELEASE_VER}, build ${BUILD_VER}" + +if [ "x$BOOT_JDK" = "x" ] ; then + echo "No boot JDK specified". + BOOT_JDK=/usr/lib/jvm/java-${MAJOR_VER}-openjdk; + echo -n "Checking for ${BOOT_JDK}..."; + if [ -d ${BOOT_JDK} -a -x ${BOOT_JDK}/bin/java ] ; then + echo "Boot JDK found at ${BOOT_JDK}"; + else + echo "Not found"; + PREV_VER=$((${MAJOR_VER} - 1)); + BOOT_JDK=/usr/lib/jvm/java-${PREV_VER}-openjdk; + echo -n "Checking for ${BOOT_JDK}..."; + if [ -d ${BOOT_JDK} -a -x ${BOOT_JDK}/bin/java ] ; then + echo "Boot JDK found at ${BOOT_JDK}"; + else + echo "Not found"; + exit 4; + fi + fi +else + echo "Boot JDK: ${BOOT_JDK}"; +fi + # REPO_NAME is only needed when we default on REPO_ROOT and FILE_NAME_ROOT if [ "x$FILE_NAME_ROOT" = "x" -o "x$REPO_ROOT" = "x" ] ; then if [ "x$PROJECT_NAME" = "x" ] ; then - echo "No PROJECT_NAME specified" - exit -1 + echo "No PROJECT_NAME specified" + exit 1 fi echo "Project name: ${PROJECT_NAME}" if [ "x$REPO_NAME" = "x" ] ; then - echo "No REPO_NAME specified" - exit -3 + echo "No REPO_NAME specified" + exit 3 fi echo "Repository name: ${REPO_NAME}" fi @@ -112,6 +141,7 @@ echo -e "\tFILE_NAME_ROOT: ${FILE_NAME_ROOT}" echo -e "\tREPO_ROOT: ${REPO_ROOT}" echo -e "\tPR3822: ${PR3822}" echo -e "\tJCONSOLE_JS_PATCH: ${JCONSOLE_JS_PATCH}" +echo -e "\tBOOT_JDK: ${BOOT_JDK}" mkdir "${FILE_NAME_ROOT}" pushd "${FILE_NAME_ROOT}" @@ -120,7 +150,7 @@ echo "Cloning ${VERSION} root repository from ${REPO_ROOT}" git clone -b ${VERSION} ${REPO_ROOT} openjdk pushd openjdk - + # UnderlineTaglet.java has a BSD license with a field-of-use restriction, making it non-Free if [ -d langtools ] ; then echo "Removing langtools test case with non-Free license" @@ -144,15 +174,15 @@ if [ -d jdk ]; then echo "Syncing EC list with NSS" if [ "x$PR3822" = "x" ] ; then - # get pr3822.patch (from https://github.com/icedtea-git/icedtea) in the ${ICEDTEA_VERSION} branch - # Do not push it or publish it - wget -O pr3822.patch https://github.com/icedtea-git/icedtea/raw/${ICEDTEA_VERSION}/patches/pr3822-4curve.patch - echo "Applying ${PWD}/pr3822.patch" - git apply --stat --apply -v -p1 pr3822.patch - rm pr3822.patch + # get pr3822.patch (from https://github.com/icedtea-git/icedtea) in the ${ICEDTEA_VERSION} branch + # Do not push it or publish it + wget -O pr3822.patch https://github.com/icedtea-git/icedtea/raw/${ICEDTEA_VERSION}/patches/pr3822-4curve.patch + echo "Applying ${PWD}/pr3822.patch" + git apply --stat --apply -v -p1 pr3822.patch + rm pr3822.patch else - echo "Applying ${PR3822}" - git apply --stat --apply -v -p1 $PR3822 + echo "Applying ${PR3822}" + git apply --stat --apply -v -p1 $PR3822 fi; fi @@ -166,11 +196,29 @@ popd # Generate .src-rev so build has knowledge of the revision the tarball was created from mkdir build pushd build -sh ${PWD}/../openjdk/configure +sh ${PWD}/../openjdk/configure --with-boot-jdk=${BOOT_JDK} make store-source-revision popd rm -rf build +# Remove commit checks +echo "Removing $(find openjdk -name '.jcheck' -print)" +find openjdk -name '.jcheck' -print0 | xargs -0 rm -r + +# Remove history and GHA +echo "find openjdk -name '.hgtags'" +find openjdk -name '.hgtags' -exec rm -v '{}' '+' +echo "find openjdk -name '.hgignore'" +find openjdk -name '.hgignore' -exec rm -v '{}' '+' +echo "find openjdk -name '.gitattributes'" +find openjdk -name '.gitattributes' -exec rm -v '{}' '+' +echo "find openjdk -name '.gitignore'" +find openjdk -name '.gitignore' -exec rm -v '{}' '+' +echo "find openjdk -name '.git'" +find openjdk -name '.git' -exec rm -rv '{}' '+' +echo "find openjdk -name '.github'" +find openjdk -name '.github' -exec rm -rv '{}' '+' + echo "Compressing remaining forest" if [ "X$COMPRESSION" = "Xxz" ] ; then SWITCH=cJf diff --git a/java-1.8.0-openjdk-portable.specfile b/java-1.8.0-openjdk-portable.specfile new file mode 100644 index 0000000..9197600 --- /dev/null +++ b/java-1.8.0-openjdk-portable.specfile @@ -0,0 +1,2388 @@ +# RPM conditionals so as to be able to dynamically produce +# slowdebug/release builds. See: +# http://rpm.org/user_doc/conditional_builds.html +# +# Examples: +# +# Produce release, fastdebug *and* slowdebug builds on x86_64 (default): +# $ rpmbuild -ba java-1.8.0-openjdk.spec +# +# Produce only release builds (no debug builds) on x86_64: +# $ rpmbuild -ba java-1.8.0-openjdk.spec --without slowdebug --without fastdebug +# +# Only produce a release build on x86_64: +# $ rhpkg mockbuild --without slowdebug --without fastdebug +# +# Enable fastdebug builds by default on relevant arches. +%bcond_without fastdebug +# Enable slowdebug builds by default on relevant arches. +%bcond_without slowdebug +# Enable release builds by default on relevant arches. +%bcond_without release +# Remove build artifacts by default +%bcond_with artifacts +# Build a fresh libjvm.so for use in a copy of the bootstrap JDK +%bcond_without fresh_libjvm +# Build with system libraries +%bcond_with system_libs + +# Define whether to use the bootstrap JDK directly or with a fresh libjvm.so +%if %{with fresh_libjvm} +%global build_hotspot_first 1 +%else +%global build_hotspot_first 0 +%endif + +%if %{with system_libs} +%global system_libs 1 +%global link_type system +%global jpeg_lib |libjavajpeg[.]so.* +%else +%global system_libs 0 +%global link_type bundled +%global jpeg_lib |libjpeg[.]so.* +%endif + +# Turn off the debug package as we just produce a bunch of tarballs +%define debug_package %{nil} + +# note: parametrized macros are order-sensitive (unlike not-parametrized) even with normal macros +# also necessary when passing it as parameter to other macros. If not macro, then it is considered a switch +# see the difference between global and define: +# See https://github.com/rpm-software-management/rpm/issues/127 to comments at "pmatilai commented on Aug 18, 2017" +# (initiated in https://bugzilla.redhat.com/show_bug.cgi?id=1482192) +%global debug_suffix_unquoted -slowdebug +%global fastdebug_suffix_unquoted -fastdebug +# quoted one for shell operations +%global debug_suffix "%{debug_suffix_unquoted}" +%global fastdebug_suffix "%{fastdebug_suffix_unquoted}" +%global normal_suffix "" + +%global debug_warning This package is unoptimised with full debugging. Install only as needed and remove ASAP. +%global fastdebug_warning This package is optimised with full debugging. Install only as needed and remove ASAP. +%global debug_on unoptimised with full debugging on +%global fastdebug_on optimised with full debugging on +%global for_fastdebug for packages with debugging on and optimisation +%global for_debug for packages with debugging on and no optimisation + +%if %{with release} +%global include_normal_build 1 +%else +%global include_normal_build 0 +%endif + +%if %{include_normal_build} +%global normal_build %{normal_suffix} +%else +%global normal_build %{nil} +%endif + +%global aarch64 aarch64 arm64 armv8 +# we need to distinguish between big and little endian PPC64 +%global ppc64le ppc64le +%global ppc64be ppc64 ppc64p7 +# Set of architectures which support multiple ABIs +%global multilib_arches %{power64} sparc64 x86_64 +# Set of architectures for which we build slowdebug builds +%global debug_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} +# Set of architectures for which we build fastdebug builds +%global fastdebug_arches x86_64 ppc64le aarch64 +# Set of architectures with a Just-In-Time (JIT) compiler +%global jit_arches %{aarch64} %{ix86} %{power64} sparcv9 sparc64 x86_64 +# Set of architectures which use the Zero assembler port (!jit_arches) +%global zero_arches %{arm} ppc s390 s390x +# Set of architectures which run a full bootstrap cycle +%global bootstrap_arches %{jit_arches} %{zero_arches} +# Set of architectures which support SystemTap tapsets +%global systemtap_arches %{jit_arches} +# Set of architectures which support the serviceability agent +%global sa_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} +# Set of architectures which support class data sharing +# See https://bugzilla.redhat.com/show_bug.cgi?id=513605 +# MetaspaceShared::generate_vtable_methods is not implemented for the PPC JIT +%global share_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} +# Set of architectures which support Java Flight Recorder (JFR) +%global jfr_arches %{jit_arches} +# Set of architectures for which alt-java has SSB mitigation +%global ssbd_arches x86_64 +# Set of architectures where we verify backtraces with gdb +%global gdb_arches %{jit_arches} %{zero_arches} + +# By default, we build a debug build during main build on JIT architectures +%if %{with slowdebug} +%ifarch %{debug_arches} +%global include_debug_build 1 +%else +%global include_debug_build 0 +%endif +%else +%global include_debug_build 0 +%endif + +# By default, we build a fastdebug build during main build only on fastdebug architectures +%if %{with fastdebug} +%ifarch %{fastdebug_arches} +%global include_fastdebug_build 1 +%else +%global include_fastdebug_build 0 +%endif +%else +%global include_fastdebug_build 0 +%endif + +%if %{include_debug_build} +%global slowdebug_build %{debug_suffix} +%else +%global slowdebug_build %{nil} +%endif + +%if %{include_fastdebug_build} +%global fastdebug_build %{fastdebug_suffix} +%else +%global fastdebug_build %{nil} +%endif + +# If you disable all builds, then the build fails +# Build and test slowdebug first as it provides the best diagnostics +%global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build} + +%if 0%{?flatpak} +%global bootstrap_build false +%else +%ifarch %{bootstrap_arches} +%global bootstrap_build true +%else +%global bootstrap_build false +%endif +%endif + +%global bootstrap_targets images +%global release_targets images docs-zip +# No docs nor bootcycle for debug builds +%global debug_targets images +# Target to use to just build HotSpot +%global hotspot_target hotspot + +# JDK to use for bootstrapping +# Use OpenJDK 7 where available (on RHEL) to avoid +# having to use the rhel-7.x-java-unsafe-candidate hack +%if ! 0%{?fedora} && 0%{?rhel} <= 7 +%global buildjdkver 1.7.0 +%else +%global buildjdkver 1.8.0 +%endif +%global bootjdk /usr/lib/jvm/java-%{buildjdkver}-openjdk + +# Filter out flags from the optflags macro that cause problems with the OpenJDK build +# We filter out -O flags so that the optimization of HotSpot is not lowered from O3 to O2 +# We filter out -Wall which will otherwise cause HotSpot to produce hundreds of thousands of warnings (100+mb logs) +# We replace it with -Wformat (required by -Werror=format-security) and -Wno-cpp to avoid FORTIFY_SOURCE warnings +# We filter out -fexceptions as the HotSpot build explicitly does -fno-exceptions and it's otherwise the default for C++ +%global ourflags %(echo %optflags | sed -e 's|-Wall|-Wformat -Wno-cpp|' | sed -r -e 's|-O[0-9]*||') +%global ourcppflags %(echo %ourflags | sed -e 's|-fexceptions||') +%global ourldflags %{__global_ldflags} + +# With disabled nss is NSS deactivated, so NSS_LIBDIR can contain the wrong path +# the initialization must be here. Later the pkg-config have buggy behavior +# looks like openjdk RPM specific bug +# Always set this so the nss.cfg file is not broken +%global NSS_LIBDIR %(pkg-config --variable=libdir nss) +%global NSS_LIBS %(pkg-config --libs nss) +%global NSS_CFLAGS %(pkg-config --cflags nss-softokn) +# see https://bugzilla.redhat.com/show_bug.cgi?id=1332456 +%global NSSSOFTOKN_BUILDTIME_NUMBER %(pkg-config --modversion nss-softokn || : ) +%global NSS_BUILDTIME_NUMBER %(pkg-config --modversion nss || : ) +# this is workaround for processing of requires during srpm creation +%global NSSSOFTOKN_BUILDTIME_VERSION %(if [ "x%{NSSSOFTOKN_BUILDTIME_NUMBER}" == "x" ] ; then echo "" ;else echo ">= %{NSSSOFTOKN_BUILDTIME_NUMBER}" ;fi) +%global NSS_BUILDTIME_VERSION %(if [ "x%{NSS_BUILDTIME_NUMBER}" == "x" ] ; then echo "" ;else echo ">= %{NSS_BUILDTIME_NUMBER}" ;fi) + +# In some cases, the arch used by the JDK does +# not match _arch. +# Also, in some cases, the machine name used by SystemTap +# does not match that given by _target_cpu +%ifarch x86_64 +%global archinstall amd64 +%global stapinstall x86_64 +%endif +%ifarch ppc +%global archinstall ppc +%global stapinstall powerpc +%endif +%ifarch %{ppc64be} +%global archinstall ppc64 +%global stapinstall powerpc +%endif +%ifarch %{ppc64le} +%global archinstall ppc64le +%global stapinstall powerpc +%endif +%ifarch %{ix86} +%global archinstall i386 +%global stapinstall i386 +%endif +%ifarch ia64 +%global archinstall ia64 +%global stapinstall ia64 +%endif +%ifarch s390 +%global archinstall s390 +%global stapinstall s390 +%endif +%ifarch s390x +%global archinstall s390x +%global stapinstall s390 +%endif +%ifarch %{arm} +%global archinstall arm +%global stapinstall arm +%endif +%ifarch %{aarch64} +%global archinstall aarch64 +%global stapinstall arm64 +%endif +# 32 bit sparc, optimized for v9 +%ifarch sparcv9 +%global archinstall sparc +%global stapinstall %{_target_cpu} +%endif +# 64 bit sparc +%ifarch sparc64 +%global archinstall sparcv9 +%global stapinstall %{_target_cpu} +%endif +# Need to support noarch for srpm build +%ifarch noarch +%global archinstall %{nil} +%global stapinstall %{nil} +%endif + +# Always off in portables +%ifarch %{systemtap_arches} +%global with_systemtap 0 +%else +%global with_systemtap 0 +%endif + +# New Version-String scheme-style defines +%global majorver 8 + +# Standard JPackage naming and versioning defines +%global origin openjdk +%global origin_nice OpenJDK +%global top_level_dir_name %{origin} + +# Settings for local security configuration +%global security_file %{top_level_dir_name}/jdk/src/share/lib/security/java.security-%{_target_os} +%global cacerts_file /etc/pki/java/cacerts + +# Define vendor information used by OpenJDK +%global oj_vendor Red Hat, Inc. +%global oj_vendor_url "https://www.redhat.com/" +# Define what url should JVM offer in case of a crash report +# order may be important, epel may have rhel declared +%if 0%{?epel} +%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora%20EPEL&component=%{component}&version=epel%{epel} +%else +%if 0%{?fedora} +# Does not work for rawhide, keeps the version field empty +%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=%{component}&version=%{fedora} +%else +%if 0%{?rhel} +%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%20%{rhel}&component=%{component} +%else +%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi +%endif +%endif +%endif + +# note, following three variables are sedded from update_sources if used correctly. Hardcode them rather there. +%global shenandoah_project openjdk +%global shenandoah_repo shenandoah-jdk8u +%global openjdk_revision jdk8u372-b07 +%global shenandoah_revision shenandoah-%{openjdk_revision} +# Define old aarch64/jdk8u tree variables for compatibility +%global project %{shenandoah_project} +%global repo %{shenandoah_repo} +%global revision %{shenandoah_revision} +# Define IcedTea version used for SystemTap tapsets and desktop file +%global icedteaver 3.15.0 +# Define current Git revision for the FIPS support patches +%global fipsver 6d1aade0648 +# Define current Git revision for the cacerts patch +%global cacertsver 8139f2361c2 + +# e.g. aarch64-shenandoah-jdk8u212-b04-shenandoah-merge-2019-04-30 -> aarch64-shenandoah-jdk8u212-b04 +%global version_tag %(VERSION=%{revision}; echo ${VERSION%%-shenandoah-merge*}) +# eg # jdk8u60-b27 -> jdk8u60 or # aarch64-jdk8u60-b27 -> aarch64-jdk8u60 (dont forget spec escape % by %%) +%global whole_update %(VERSION=%{version_tag}; echo ${VERSION%%-*}) +# eg jdk8u60 -> 60 or aarch64-jdk8u60 -> 60 +%global updatever %(VERSION=%{whole_update}; echo ${VERSION##*u}) +# eg jdk8u60-b27 -> b27 +%global buildver %(VERSION=%{version_tag}; echo ${VERSION##*-}) +%global rpmrelease 2 +# Define milestone (EA for pre-releases, GA ("fcs") for releases) +# Release will be (where N is usually a number starting at 1): +# - 0.N%%{?extraver}%%{?dist} for EA releases, +# - N%%{?extraver}{?dist} for GA releases +%global is_ga 1 +%if %{is_ga} +%global milestone fcs +%global milestone_version %{nil} +%global extraver %{nil} +%global eaprefix %{nil} +%else +%global milestone ea +%global milestone_version "-ea" +%global extraver .%{milestone} +%global eaprefix 0. +%endif +# priority must be 7 digits in total. The expression is workarounding tip +%global priority %(TIP=1800%{updatever}; echo ${TIP/tip/999}) + +%global javaver 1.%{majorver}.0 + +# parametrized macros are order-sensitive +%global compatiblename %{name} +%global fullversion %{compatiblename}-%{version}-%{release} +# images stub +%global jdkimage j2sdk-image +%global jreimage j2re-image +# output dir stub +%define buildoutputdir() %{expand:build/jdk8.build%{?1}} +%define installoutputdir() %{expand:install/jdk8.install%{?1}} +%define packageoutputdir() %{expand:packages/jdk8.packages%{?1}} +# we can copy the javadoc to not arched dir, or make it not noarch +%define uniquejavadocdir() %{expand:%{fullversion}%{?1}} +# main id and dir of this jdk +%define uniquesuffix() %{expand:%{fullversion}.%{_arch}%{?1}} +%define jreportablenameimpl() %(echo %{uniquesuffix ""} | sed "s;el%{rhel}\\(_[0-9]\\)*;portable%{1}.jre;g") +%define jdkportablenameimpl() %(echo %{uniquesuffix ""} | sed "s;el%{rhel}\\(_[0-9]\\)*;portable%{1}.jdk;g") +%define jreportablearchive() %{expand:%{jreportablenameimpl -- %%{1}}.tar.xz} +%define jdkportablearchive() %{expand:%{jdkportablenameimpl -- %%{1}}.tar.xz} +%define jreportablename() %{expand:%{jreportablenameimpl -- %%{1}}} +%define jdkportablename() %{expand:%{jdkportablenameimpl -- %%{1}}} +%define docportablename() %(echo %{uniquesuffix ""} | sed "s;el%{rhel}\\(_[0-9]\\)*;portable.docs;g") +%define docportablearchive() %{docportablename}.tar.xz +%define miscportablename() %(echo %{uniquesuffix ""} | sed "s;el%{rhel}\\(_[0-9]\\)*;portable.misc;g") +%define miscportablearchive() %{miscportablename}.tar.xz + +# Fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349. +# See also https://bugzilla.redhat.com/show_bug.cgi?id=1590796 +# as to why some libraries *cannot* be excluded. In particular, +# these are: +# libjsig.so, libjava.so, libjawt.so, libjvm.so and libverify.so +%global _privatelibs libatk-wrapper[.]so.*|libattach[.]so.*|libawt_headless[.]so.*|libawt[.]so.*|libawt_xawt[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libhprof[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas_unix[.]so.*|libjava_crw_demo[.]so.*%{jpeg_lib}|libjdwp[.]so.*|libjli[.]so.*|libjsdt[.]so.*|libjsoundalsa[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libnpt[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsplashscreen[.]so.*|libsunec[.]so.*|libsystemconf[.]so.*|libunpack[.]so.*|libzip[.]so.*|lib[.]so\\(SUNWprivate_.* +%global __provides_exclude ^(%{_privatelibs})$ +%global __requires_exclude ^(%{_privatelibs})$ + +# Standard JPackage directories and symbolic links. +%global sdkdir() %{expand:%{uniquesuffix %%1}} +%global jrelnk() %{expand:jre-%{javaver}-%{origin}-%{version}-%{release}.%{_arch}%1} + +%global jredir() %{expand:%{sdkdir %%1}/jre} +%global sdkbindir() %{expand:%{_jvmdir}/%{sdkdir %%1}/bin} +%global jrebindir() %{expand:%{_jvmdir}/%{jredir %%1}/bin} +%global alt_java_name alt-java +%global jvmjardir() %{expand:%{_jvmjardir}/%{uniquesuffix %%1}} + +%global rpm_state_dir %{_localstatedir}/lib/rpm-state/ + +# For flatpack builds hard-code /usr/sbin/alternatives, +# otherwise use %%{_sbindir} relative path. +%if 0%{?flatpak} +%global alternatives_requires /usr/sbin/alternatives +%else +%global alternatives_requires %{_sbindir}/alternatives +%endif + +%if %{with_systemtap} +# Where to install systemtap tapset (links) +# We would like these to be in a package specific sub-dir, +# but currently systemtap doesn't support that, so we have to +# use the root tapset dir for now. To distinguish between 64 +# and 32 bit architectures we place the tapsets under the arch +# specific dir (note that systemtap will only pickup the tapset +# for the primary arch for now). Systemtap uses the machine name +# aka target_cpu as architecture specific directory name. +%global tapsetroot /usr/share/systemtap +%global tapsetdirttapset %{tapsetroot}/tapset/ +%global tapsetdir %{tapsetdirttapset}/%{stapinstall} +%endif + +# Prevent brp-java-repack-jars from being run. +%global __jar_repack 0 + +# portables have grown out of its component, moving back to java-x-vendor +# this expression, when declared as global, filled component with java-x-vendor portable +%define component %(echo %{name} | sed "s;-portable;;g") + +Name: java-%{javaver}-%{origin}-portable +Version: %{javaver}.%{updatever}.%{buildver} +Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist} +# java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons +# and this change was brought into RHEL-4. java-1.5.0-ibm packages +# also included the epoch in their virtual provides. This created a +# situation where in-the-wild java-1.5.0-ibm packages provided "java = +# 1:1.5.0". In RPM terms, "1.6.0 < 1:1.5.0" since 1.6.0 is +# interpreted as 0:1.6.0. So the "java >= 1.6.0" requirement would be +# satisfied by the 1:1.5.0 packages. Thus we need to set the epoch in +# JDK package >= 1.6.0 to 1, and packages referring to JDK virtual +# provides >= 1.6.0 must specify the epoch, "java >= 1:1.6.0". + +Epoch: 1 +Summary: %{origin_nice} %{majorver} Runtime Environment portable edition +Group: Development/Languages + +# HotSpot code is licensed under GPLv2 +# JDK library code is licensed under GPLv2 with the Classpath exception +# The Apache license is used in code taken from Apache projects (primarily JAXP & JAXWS) +# DOM levels 2 & 3 and the XML digital signature schemas are licensed under the W3C Software License +# The JSR166 concurrency code is in the public domain +# The BSD and MIT licenses are used for a number of third-party libraries (see THIRD_PARTY_README) +# The OpenJDK source tree includes the JPEG library (IJG), zlib & libpng (zlib), giflib and LCMS (MIT) +# The test code includes copies of NSS under the Mozilla Public License v2.0 +# The PCSClite headers are under a BSD with advertising license +# The elliptic curve cryptography (ECC) source code is licensed under the LGPLv2.1 or any later version +License: ASL 1.1 and ASL 2.0 and BSD and BSD with advertising and GPL+ and GPLv2 and GPLv2 with exceptions and IJG and LGPLv2+ and MIT and MPLv2.0 and Public Domain and W3C and zlib +URL: http://openjdk.java.net/ + +# Shenandoah HotSpot +# aarch64-port/jdk8u-shenandoah contains an integration forest of +# OpenJDK 8u, the aarch64 port and Shenandoah +# To regenerate, use: +# VERSION=%%{shenandoah_revision} +# FILE_NAME_ROOT=%%{shenandoah_project}-%%{shenandoah_repo}-${VERSION} +# REPO_ROOT= generate_source_tarball.sh +# where the source is obtained from http://hg.openjdk.java.net/%%{project}/%%{repo} +Source0: %{shenandoah_project}-%{shenandoah_repo}-%{shenandoah_revision}-4curve.tar.xz + +# Custom README for -src subpackage +Source2: README.md + +# Release notes +Source7: NEWS + +# Use 'icedtea_sync.sh' to update the following +# They are based on code contained in the IcedTea project (3.x). +# Systemtap tapsets. Zipped up to keep it small. +# Disabled in portables +#Source8: tapsets-icedtea-%%{icedteaver}.tar.xz + +# Desktop files. Adapted from IcedTea +# Disabled in portables +#Source9: jconsole.desktop.in +#Source10: policytool.desktop.in + +# nss configuration file +Source11: nss.cfg.in + +# Removed libraries that we link instead +Source12: remove-intree-libraries.sh + +# Ensure we aren't using the limited crypto policy +Source13: TestCryptoLevel.java + +# Ensure ECDSA is working +Source14: TestECDSA.java + +# Verify system crypto (policy) can be disabled via a property +Source15: TestSecurityProperties.java + +# Ensure vendor settings are correct +Source16: CheckVendor.java + +# nss fips configuration file +Source17: nss.fips.cfg.in + +# Ensure translations are available for new timezones +Source18: TestTranslations.java + +# Disabled in portables +#Source20: repackReproduciblePolycies.sh + +# New versions of config files with aarch64 support. This is not upstream yet. +Source100: config.guess +Source101: config.sub + +############################################ +# +# RPM/distribution specific patches +# +# This section includes patches specific to +# Fedora/RHEL which can not be upstreamed +# either in their current form or at all. +############################################ + +# Accessibility patches +# Ignore AWTError when assistive technologies are loaded +Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch +# Turn on AssumeMP by default on RHEL systems +Patch534: rh1648246-always_instruct_vm_to_assume_multiple_processors_are_available.patch +# RH1648249: Add PKCS11 provider to java.security +Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch +# RH1582504: Use RSA as default for keytool, as DSA is disabled in all crypto policies except LEGACY +Patch1003: rh1582504-rsa_default_for_keytool.patch + +# Crypto policy and FIPS support patches +# Patch is generated from the fips tree at https://github.com/rh-openjdk/jdk8u/tree/fips +# as follows: git diff %%{openjdk_revision} common jdk > fips-8u-$(git show -s --format=%h HEAD).patch +# Diff is limited to src and make subdirectories to exclude .github changes +# Fixes currently included: +# PR3183, RH1340845: Support Fedora/RHEL8 system crypto policy +# PR3655: Allow use of system crypto policy to be disabled by the user +# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider +# RH1760838: No ciphersuites available for SSLSocket in FIPS mode +# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available +# RH1906862: Always initialise JavaSecuritySystemConfiguratorAccess +# RH1929465: Improve system FIPS detection +# RH1996182: Login to the NSS software token in FIPS mode +# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false +# RH2021263: Resolve outstanding FIPS issues +# RH2052819: Fix FIPS reliance on crypto policies +# RH2052829: Detect NSS at Runtime for FIPS detection +# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage +# RH2090378: Revert to disabling system security properties and FIPS mode support together +Patch1001: fips-8u-%{fipsver}.patch + +############################################# +# +# Upstreamable patches +# +# This section includes patches which need to +# be reviewed & pushed to the current development +# tree of OpenJDK. +############################################# +# PR2737: Allow multiple initialization of PKCS11 libraries +Patch5: pr2737-allow_multiple_pkcs11_library_initialisation_to_be_a_non_critical_error.patch +# Turn off strict overflow on IndicRearrangementProcessor{,2}.cpp following 8140543: Arrange font actions +Patch512: rh1649664-awt2dlibraries_compiled_with_no_strict_overflow.patch +# RH1337583, PR2974: PKCS#10 certificate requests now use CRLF line endings rather than system line endings +Patch523: pr2974-rh1337583-add_systemlineendings_option_to_keytool_and_use_line_separator_instead_of_crlf_in_pkcs10.patch +# PR3083, RH1346460: Regression in SSL debug output without an ECC provider +Patch528: pr3083-rh1346460-for_ssl_debug_return_null_instead_of_exception_when_theres_no_ecc_provider.patch +# PR2888: OpenJDK should check for system cacerts database (e.g. /etc/pki/java/cacerts) +# PR3575, RH1567204: System cacerts database handling should not affect jssecacerts +# RH2055274: Revert default keystore to JAVA_HOME/jre/lib/security/cacerts in portable builds +# Must be applied after the FIPS patch as it also changes java.security +# Patch is generated from the cacerts tree at https://github.com/rh-openjdk/jdk8u/tree/cacerts +# as follows: git diff fips > pr2888-rh2055274-support_system_cacerts-$(git show -s --format=%h HEAD).patch +Patch539: pr2888-rh2055274-support_system_cacerts-%{cacertsver}.patch +Patch541: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch +# RH1750419: Enable build of speculative store bypass hardened alt-java (CVE-2018-3639) +Patch600: rh1750419-redhat_alt_java.patch +# JDK-8281098, PR3836: Extra compiler flags not passed to adlc build +Patch112: jdk8281098-pr3836-pass_compiler_flags_to_adlc.patch + +############################################# +# +# Arch-specific upstreamable patches +# +# This section includes patches which need to +# be reviewed & pushed upstream and are specific +# to certain architectures. This usually means the +# current OpenJDK development branch, but may also +# include other trees e.g. for the AArch64 port for +# OpenJDK 8u. +############################################# +# s390: PR3593: Use "%z" for size_t on s390 as size_t != intptr_t +Patch103: pr3593-s390_use_z_format_specifier_for_size_t_arguments_as_size_t_not_equals_to_int.patch +# x86: S8199936, PR3533: HotSpot generates code with unaligned stack, crashes on SSE operations (-mstackrealign workaround) +Patch105: jdk8199936-pr3533-enable_mstackrealign_on_x86_linux_as_well_as_x86_mac_os_x.patch +# S390 ambiguous log2_intptr calls +Patch107: s390-8214206_fix.patch + +############################################# +# +# Patches which need backporting to 8u +# +# This section includes patches which have +# been pushed upstream to the latest OpenJDK +# development tree, but need to be backported +# to OpenJDK 8u. +############################################# +# S8074839, PR2462: Resolve disabled warnings for libunpack and the unpack200 binary +# This fixes printf warnings that lead to build failure with -Werror=format-security from optflags +Patch502: pr2462-resolve_disabled_warnings_for_libunpack_and_the_unpack200_binary.patch +# PR3591: Fix for bug 3533 doesn't add -mstackrealign to JDK code +Patch571: jdk8199936-pr3591-enable_mstackrealign_on_x86_linux_as_well_as_x86_mac_os_x_jdk.patch +# 8143245, PR3548: Zero build requires disabled warnings +Patch574: jdk8143245-pr3548-zero_build_requires_disabled_warnings.patch +# s390: JDK-8203030, Type fixing for s390 +Patch102: jdk8203030-zero_s390_31_bit_size_t_type_conflicts_in_shared_code.patch +# 8035341: Allow using a system installed libpng +Patch202: jdk8035341-allow_using_system_installed_libpng.patch +# 8042159: Allow using a system-installed lcms2 +Patch203: jdk8042159-allow_using_system_installed_lcms2-root.patch +Patch204: jdk8042159-allow_using_system_installed_lcms2-jdk.patch +# JDK-8257794: Zero: assert(istate->_stack_limit == istate->_thread->last_Java_sp() + 1) failed: wrong on Linux/x86_32 +Patch581: jdk8257794-remove_broken_assert.patch +# JDK-8186464, RH1433262: ZipFile cannot read some InfoZip ZIP64 zip files +Patch12: jdk8186464-rh1433262-zip64_failure.patch + +############################################# +# +# Patches appearing in 8u382 +# +# This section includes patches which are present +# in the listed OpenJDK 8u release and should be +# able to be removed once that release is out +# and used by this RPM. +############################################# +# JDK-8271199, RH2175317: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key +Patch2001: jdk8271199-rh2175317-custom_pkcs11_provider_support.patch + +############################################# +# +# Patches ineligible for 8u +# +# This section includes patches which are present +# upstream, but ineligible for upstream 8u backport. +############################################# +# 8043805: Allow using a system-installed libjpeg +Patch201: jdk8043805-allow_using_system_installed_libjpeg.patch + +############################################# +# +# Shenandoah fixes +# +# This section includes patches which are +# specific to the Shenandoah garbage collector +# and should be upstreamed to the appropriate +# trees. +############################################# + +############################################# +# +# Non-OpenJDK fixes +# +# This section includes patches to code other +# that from OpenJDK. +############################################# + +############################################# +# +# Dependencies +# +############################################# +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: alsa-lib-devel +BuildRequires: binutils +BuildRequires: cups-devel +BuildRequires: desktop-file-utils +# elfutils only are OK for build without AOT +BuildRequires: elfutils-devel +BuildRequires: file +BuildRequires: fontconfig-devel +BuildRequires: freetype-devel +BuildRequires: gcc-c++ +BuildRequires: gdb +BuildRequires: libxslt +BuildRequires: libX11-devel +BuildRequires: libXext-devel +BuildRequires: libXi-devel +BuildRequires: libXinerama-devel +BuildRequires: libXrender-devel +BuildRequires: libXt-devel +BuildRequires: libXtst-devel +# Requirement for setting up nss.cfg and nss.fips.cfg +BuildRequires: nss-devel +# Commented out for portable RHEL7 doesn't have this +# Requirement for system security property test +#BuildRequires: crypto-policies +BuildRequires: pkgconfig +BuildRequires: xorg-x11-proto-devel +BuildRequires: zip +BuildRequires: tar +BuildRequires: unzip +# Require a boot JDK which doesn't fail due to RH1482244 +BuildRequires: java-%{buildjdkver}-openjdk-devel >= 1.7.0.151-2.6.11.3 +# Zero-assembler build requirement +%ifarch %{zero_arches} +BuildRequires: libffi-devel +%endif +# 2023c required as of JDK-8305113 +BuildRequires: tzdata-java >= 2023c +# Earlier versions have a bug in tree vectorization on PPC +BuildRequires: gcc >= 4.8.3-8 + +# cacerts build requirement. +BuildRequires: ca-certificates +%if %{with_systemtap} +BuildRequires: systemtap-sdt-devel +%endif + +%if %{system_libs} +BuildRequires: giflib-devel +BuildRequires: lcms2-devel +BuildRequires: libjpeg-devel +BuildRequires: libpng-devel +%else +# Version in jdk/src/share/native/sun/awt/giflib/gif_lib.h +Provides: bundled(giflib) = 5.2.1 +# Version in jdk/src/share/native/sun/java2d/cmm/lcms/lcms2.h +Provides: bundled(lcms2) = 2.10.0 +# Version in jdk/src/share/native/sun/awt/image/jpeg/jpeglib.h +Provides: bundled(libjpeg) = 6b +# Version in jdk/src/share/native/sun/awt/libpng/png.h +Provides: bundled(libpng) = 1.6.37 +# We link statically against libstdc++ to increase portability +BuildRequires: libstdc++-static +%endif + +%description +The %{origin_nice} %{majorver} runtime environment - portable edition + +%if %{include_normal_build} +%package devel +Summary: %{origin_nice} %{majorver} Development Environment portable edition +Group: Development/Tools +%description devel +The %{origin_nice} %{majorver} development tools - portable edition +%endif + +%if %{include_debug_build} +%package slowdebug +Summary: %{origin_nice} %{majorver} Runtime Environment portable edition %{debug_on} +Group: Development/Languages +%description slowdebug +The %{origin_nice} %{majorver} runtime environment - portable edition +%{debug_warning} + +%package devel-slowdebug +Summary: %{origin_nice} %{majorver} Development Environment portable edition %{debug_on} +Group: Development/Tools +%description devel-slowdebug +The %{origin_nice} %{majorver} development tools - portable edition +%{debug_warning} +%endif + +%if %{include_fastdebug_build} +%package fastdebug +Summary: %{origin_nice} %{majorver} Runtime Environment portable edition %{fastdebug_on} +Group: Development/Languages +%description fastdebug +The %{origin_nice} %{majorver} runtime environment - portable edition +%{fastdebug_warning} + +%package devel-fastdebug +Summary: %{origin_nice} %{majorver} Development Environment portable edition %{fastdebug_on} +Group: Development/Tools +%description devel-fastdebug +The %{origin_nice} %{majorver} development tools - portable edition +%{fastdebug_warning} +%endif + +%if %{include_normal_build} +%package unstripped +Summary: The %{origin_nice} %{majorver} runtime environment, unstripped. +Group: Development/Languages +%description unstripped +The %{origin_nice} %{majorver} runtime environment, unstripped. +%endif + +%package docs +Summary: %{origin_nice} %{majorver} API documentation +Group: Development/Languages +%description docs +The %{origin_nice} %{majorver} API documentation. + +%package misc +Summary: %{origin_nice} %{majorver} miscellany +Group: Development/Languages +%description misc +The %{origin_nice} %{majorver} miscellany. + +%prep +if [ %{include_normal_build} -eq 0 -o %{include_normal_build} -eq 1 ] ; then + echo "include_normal_build is %{include_normal_build}" +else + echo "include_normal_build is %{include_normal_build}, that is invalid. Use 1 for yes or 0 for no" + exit 11 +fi +if [ %{include_debug_build} -eq 0 -o %{include_debug_build} -eq 1 ] ; then + echo "include_debug_build is %{include_debug_build}" +else + echo "include_debug_build is %{include_debug_build}, that is invalid. Use 1 for yes or 0 for no" + exit 12 +fi +if [ %{include_fastdebug_build} -eq 0 -o %{include_fastdebug_build} -eq 1 ] ; then + echo "include_fastdebug_build is %{include_fastdebug_build}" +else + echo "include_fastdebug_build is %{include_fastdebug_build}, that is invalid. Use 1 for yes or 0 for no" + exit 13 +fi +if [ %{include_debug_build} -eq 0 -a %{include_normal_build} -eq 0 -a %{include_fastdebug_build} -eq 0 ] ; then + echo "You have disabled all builds (normal,fastdebug,slowdebug). That is a no go." + exit 14 +fi + +echo "Update version: %{updatever}" +echo "Build number: %{buildver}" +echo "Milestone: %{milestone}" +%setup -q -c -n %{uniquesuffix ""} -T -a 0 +# https://bugzilla.redhat.com/show_bug.cgi?id=1189084 +prioritylength=`expr length %{priority}` +if [ $prioritylength -ne 7 ] ; then + echo "priority must be 7 digits in total, violated" + exit 14 +fi +# For old patches +ln -s %{top_level_dir_name} jdk8 + +cp %{SOURCE2} . + +# replace outdated configure guess script +# +# the configure macro will do this too, but it also passes a few flags not +# supported by openjdk configure script +cp %{SOURCE100} %{top_level_dir_name}/common/autoconf/build-aux/ +cp %{SOURCE101} %{top_level_dir_name}/common/autoconf/build-aux/ + +# OpenJDK patches + +%if %{system_libs} +# Remove libraries that are linked +sh %{SOURCE12} +%endif + +# Do not enable them with system_libs, they do not work properly with bundled option +# System library fixes +%if %{system_libs} +%patch201 +%patch202 +%patch203 +%patch204 +%endif + +%patch1 +%patch5 + +# s390 build fixes +%patch102 +%patch103 +%patch107 + +# AArch64 fixes + +# x86 fixes +%patch105 + +# Upstreamable fixes +%patch502 +%patch512 +%patch523 +%patch528 +%patch571 +%patch574 +%patch112 +%patch581 +%patch541 +%patch12 + +pushd %{top_level_dir_name} +# Add crypto policy and FIPS support +%patch1001 -p1 +# nss.cfg PKCS11 support; must come last as it also alters java.security +%patch1000 -p1 +# system cacerts support +%patch539 -p1 +# 8u382 fix +%patch2001 -p1 +popd + +# RPM-only fixes +%patch600 +%patch1003 + +# RHEL-only patches +%if ! 0%{?fedora} && 0%{?rhel} <= 7 +%patch534 +%endif + +# Shenandoah patches + +# Extract systemtap tapsets +%if %{with_systemtap} +tar --strip-components=1 -x -I xz -f %{SOURCE8} +%if %{include_debug_build} +cp -r tapset tapset%{debug_suffix} +%endif +%if %{include_fastdebug_build} +cp -r tapset tapset%{fastdebug_suffix} +%endif + + +for suffix in %{build_loop} ; do + for file in "tapset"$suffix/*.in; do + OUTPUT_FILE=`echo $file | sed -e "s:\.stp\.in$:-%{version}-%{release}.%{_arch}.stp:g"` + sed -e "s:@ABS_SERVER_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/jre/lib/%{archinstall}/server/libjvm.so:g" $file > $file.1 +# TODO find out which architectures other than i686 have a client vm +%ifarch %{ix86} + sed -e "s:@ABS_CLIENT_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/jre/lib/%{archinstall}/client/libjvm.so:g" $file.1 > $OUTPUT_FILE +%else + sed -e "/@ABS_CLIENT_LIBJVM_SO@/d" $file.1 > $OUTPUT_FILE +%endif + sed -i -e "s:@ABS_JAVA_HOME_DIR@:%{_jvmdir}/%{sdkdir -- $suffix}:g" $OUTPUT_FILE + sed -i -e "s:@INSTALL_ARCH_DIR@:%{archinstall}:g" $OUTPUT_FILE + sed -i -e "s:@prefix@:%{_jvmdir}/%{sdkdir -- $suffix}/:g" $OUTPUT_FILE + done +done +# systemtap tapsets ends +%endif + +# Prepare desktop files +# Portables do not have desktop integration + +# Setup nss.cfg +sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg + +# Setup nss.fips.cfg +sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg + +# Setup security policy +#Commented because NA to portable +#sed -i -e "s:^security.systemCACerts=.*:security.systemCACerts=%{cacerts_file}:" %{security_file} + +%build + +# How many CPU's do we have? +export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :) +export NUM_PROC=${NUM_PROC:-1} +%if 0%{?_smp_ncpus_max} +# Honor %%_smp_ncpus_max +[ ${NUM_PROC} -gt %{?_smp_ncpus_max} ] && export NUM_PROC=%{?_smp_ncpus_max} +%endif + +%ifarch s390x sparc64 alpha %{power64} %{aarch64} +export ARCH_DATA_MODEL=64 +%endif +%ifarch alpha +export CFLAGS="$CFLAGS -mieee" +%endif + +# We use ourcppflags because the OpenJDK build seems to +# pass EXTRA_CFLAGS to the HotSpot C++ compiler... +EXTRA_CFLAGS="%ourcppflags -Wno-error" +EXTRA_CPP_FLAGS="%ourcppflags" +%ifarch %{power64} ppc +EXTRA_CFLAGS="$EXTRA_CFLAGS -fno-tree-vectorize" +# fix rpmlint warnings +EXTRA_CFLAGS="$EXTRA_CFLAGS -fno-strict-aliasing" +%endif +EXTRA_ASFLAGS="${EXTRA_CFLAGS} -Wa,--generate-missing-build-notes=yes" +export EXTRA_CFLAGS EXTRA_ASFLAGS + +(cd %{top_level_dir_name}/common/autoconf + bash ./autogen.sh +) + +function buildjdk() { + local outputdir=${1} + local buildjdk=${2} + local maketargets="${3}" + local debuglevel=${4} + local link_opt=${5} + local debug_symbols=${6} + + local top_srcdir_abs_path=$(pwd)/%{top_level_dir_name} + # Variable used in hs_err hook on build failures + local top_builddir_abs_path=$(pwd)/${outputdir} + + echo "Using output directory: ${outputdir}"; + + if [ "x${link_opt}" = "xbundled" ] ; then + libc_link_opt="static"; + else + libc_link_opt="dynamic"; + fi + + echo "Checking build JDK ${buildjdk} is operational..." + ${buildjdk}/bin/java -version + echo "Using make targets: ${maketargets}" + echo "Using debuglevel: ${debuglevel}" + echo "Using link_opt: ${link_opt}" + echo "Using debug_symbols: ${debug_symbols}" + echo "Building 8u%{updatever}-%{buildver}, milestone %{milestone}" + + mkdir -p ${outputdir} + pushd ${outputdir} + + bash ${top_srcdir_abs_path}/configure \ +%ifarch %{jfr_arches} + --enable-jfr \ +%else + --disable-jfr \ +%endif +%ifarch %{zero_arches} + --with-jvm-variants=zero \ +%endif + --with-cacerts-file=`readlink -f %{_sysconfdir}/pki/java/cacerts` \ + --with-native-debug-symbols=${debug_symbols} \ + --with-milestone=%{milestone} \ + --with-update-version=%{updatever} \ + --with-build-number=%{buildver} \ + --with-vendor-name="%{oj_vendor}" \ + --with-vendor-url="%{oj_vendor_url}" \ + --with-vendor-bug-url="%{oj_vendor_bug_url}" \ + --with-vendor-vm-bug-url="%{oj_vendor_bug_url}" \ + --with-boot-jdk=${buildjdk} \ + --with-debug-level=${debuglevel} \ + --disable-sysconf-nss \ + --enable-unlimited-crypto \ + --with-zlib=${link_opt} \ + --with-giflib=${link_opt} \ +%if %{with system_libs} + --with-libjpeg=${link_opt} \ + --with-libpng=${link_opt} \ + --with-lcms=${link_opt} \ +%endif + --with-stdc++lib=${libc_link_opt} \ + --with-extra-cxxflags="$EXTRA_CPP_FLAGS" \ + --with-extra-cflags="$EXTRA_CFLAGS" \ + --with-extra-asflags="$EXTRA_ASFLAGS" \ + --with-extra-ldflags="%{ourldflags}" \ + --with-num-cores="$NUM_PROC" + + cat spec.gmk + cat hotspot-spec.gmk + + make \ + JAVAC_FLAGS=-g \ + LOG=trace \ + SCTP_WERROR= \ + ${maketargets} || ( pwd; find ${top_srcdir_abs_path} ${top_builddir_abs_path} -name "hs_err_pid*.log" | xargs cat && false ) + + popd +} + +function installjdk() { + local outputdir=${1} + local installdir=${2} + local jdkimagepath=${installdir}/images/%{jdkimage} + local jreimagepath=${installdir}/images/%{jreimage} + + echo "Installing build from ${outputdir} to ${installdir}..." + mkdir -p ${installdir} + echo "Installing images..." + mv ${outputdir}/images ${installdir} + if [ -d ${outputdir}/bundles ] ; then + echo "Installing bundles..."; + mv ${outputdir}/bundles ${installdir} ; + fi + # On 8u, docs ends up at the top-level, not in images + if [ -d ${outputdir}/docs ] ; then + echo "Installing docs..."; + mv ${outputdir}/docs ${installdir} ; + fi + +%if !%{with artifacts} + echo "Removing output directory..."; + rm -rf ${outputdir} +%endif + + for imagepath in ${jdkimagepath} ${jreimagepath} ; do + + if [ -d ${imagepath} ] ; then + # the build (erroneously) removes read permissions from some jars + # this is a regression in OpenJDK 7 (our compiler): + # http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437 + find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \; + + # Build screws up permissions on binaries + # https://bugs.openjdk.java.net/browse/JDK-8173610 + find ${imagepath} -iname '*.so' -exec chmod +x {} \; + find ${imagepath}/bin/ -exec chmod +x {} \; + + # Install local files which are distributed with the JDK + install -m 644 %{SOURCE7} ${imagepath} + + # Create fake alt-java as a placeholder for future alt-java + pushd ${imagepath} + # add alt-java man page + echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1 + cat man/man1/java.1 >> man/man1/%{alt_java_name}.1 + popd + + # Print release information + cat ${imagepath}/release + fi + done + + # Handle these outside the loop as install path differs between JDK and JRE image + install -m 644 nss.cfg ${jdkimagepath}/jre/lib/security/ + install -m 644 nss.cfg ${jreimagepath}/lib/security/ + # Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies) + install -m 644 nss.fips.cfg ${jdkimagepath}/jre/lib/security/ + install -m 644 nss.fips.cfg ${jreimagepath}/lib/security/ +} + +function genchecksum() { + local checkedfile=${1} + + checkdir=$(dirname ${1}) + checkfile=$(basename ${1}) + + echo "Generating checksum for ${checkfile} in ${checkdir}..." + pushd ${checkdir} + sha256sum ${checkfile} > ${checkfile}.sha256sum + sha256sum --check ${checkfile}.sha256sum + popd +} + +function packagejdk() { + local imagesdir=$(pwd)/${1}/images + local docdir=$(pwd)/${1}/docs + local bundledir=$(pwd)/${1}/bundles + local packagesdir=$(pwd)/${2} + local srcdir=$(pwd)/%{top_level_dir_name} + + echo "Packaging build from ${imagesdir} to ${packagesdir}..." + mkdir -p ${packagesdir} + pushd ${imagesdir} + + if [ "x$suffix" = "x" ] ; then + nameSuffix="" + else + nameSuffix=`echo "$suffix"| sed s/-/./` + fi + + jdkname=%{jdkportablename -- "$nameSuffix"} + jdkarchive=${packagesdir}/%{jdkportablearchive -- "$nameSuffix"} + jrename=%{jreportablename -- "$nameSuffix"} + jrearchive=${packagesdir}/%{jreportablearchive -- "$nameSuffix"} + debugjdkarchive=${packagesdir}/%{jdkportablearchive -- "${nameSuffix}.debuginfo"} + debugjrearchive=${packagesdir}/%{jreportablearchive -- "${nameSuffix}.debuginfo"} + unstrippedarchive=${packagesdir}/%{jdkportablearchive -- "${nameSuffix}.unstripped"} + # We only use docs for the release build + docname=%{docportablename} + docarchive=${packagesdir}/%{docportablearchive} + built_doc_archive=jdk-%{javaver}_%{updatever}%{milestone_version}$suffix-%{buildver}-docs.zip + # These are from the source tree so no debug variants + miscname=%{miscportablename} + miscarchive=${packagesdir}/%{miscportablearchive} + + # Rename directories for packaging + mv %{jdkimage} ${jdkname} + mv %{jreimage} ${jrename} + + # Release images have external debug symbols + if [ "x$suffix" = "x" ] ; then + # Keep the unstripped version for consumption by RHEL RPMs + tar -cJf ${unstrippedarchive} ${jdkname} + genchecksum ${unstrippedarchive} + + # Strip the files + for file in $(find ${jdkname} ${jrename} -type f) ; do + if file ${file} | grep -q 'ELF'; then + noextfile=${file/.so/}; + objcopy --only-keep-debug ${file} ${noextfile}.debuginfo; + objcopy --add-gnu-debuglink=${noextfile}.debuginfo ${file}; + strip -g ${file}; + fi + done + + tar -cJf ${debugjdkarchive} $(find ${jdkname} -name \*.debuginfo) + genchecksum ${debugjdkarchive} + tar -cJf ${debugjrearchive} $(find ${jrename} -name \*.debuginfo) + genchecksum ${debugjrearchive} + + mkdir ${docname} + mv ${docdir} ${docname} + mv ${bundledir}/${built_doc_archive} ${docname} + tar -cJf ${docarchive} ${docname} + genchecksum ${docarchive} + + mkdir ${miscname} + for s in 16 24 32 48 ; do + cp -av ${srcdir}/jdk/src/solaris/classes/sun/awt/X11/java-icon${s}.png ${miscname} + done + tar -cJf ${miscarchive} ${miscname} + genchecksum ${miscarchive} + fi + + tar -cJf ${jdkarchive} --exclude='**.debuginfo' ${jdkname} + genchecksum ${jdkarchive} + + tar -cJf ${jrearchive} --exclude='**.debuginfo' ${jrename} + genchecksum ${jrearchive} + + # Revert directory renaming so testing will run + # TODO: testing should run on the packaged JDK + mv ${jdkname} %{jdkimage} + mv ${jrename} %{jreimage} + + popd #images +} + +%if %{build_hotspot_first} + # Build a fresh libjvm.so first and use it to bootstrap + cp -LR --preserve=mode,timestamps %{bootjdk} newboot + systemjdk=$(pwd)/newboot + buildjdk build/newboot ${systemjdk} %{hotspot_target} "release" "bundled" "internal" + mv build/newboot/hotspot/dist/jre/lib/%{archinstall}/server/libjvm.so newboot/jre/lib/%{archinstall}/server +%else + systemjdk=%{bootjdk} +%endif + +for suffix in %{build_loop} ; do + + if [ "x$suffix" = "x" ] ; then + debugbuild=release + else + # change --something to something + debugbuild=`echo $suffix | sed "s/-//g"` + fi + # We build with internal debug symbols and do + # our own stripping for one version of the + # release build + debug_symbols=internal + + builddir=%{buildoutputdir -- ${suffix}} + bootbuilddir=boot${builddir} + installdir=%{installoutputdir -- ${suffix}} + bootinstalldir=boot${installdir} + packagesdir=%{packageoutputdir -- ${suffix}} + + link_opt="%{link_type}" +%if %{system_libs} + # Copy the source tree so we can remove all in-tree libraries + cp -a %{top_level_dir_name} %{top_level_dir_name_backup} + # Remove all libraries that are linked + sh %{SOURCE12} %{top_level_dir_name} full +%endif + # Debug builds don't need same targets as release for + # build speed-up. We also avoid bootstrapping these + # slower builds. + if echo $debugbuild | grep -q "debug" ; then + maketargets="%{debug_targets}" + run_bootstrap=false + else + maketargets="%{release_targets}" + run_bootstrap=%{bootstrap_build} + fi + if ${run_bootstrap} ; then + buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} ${link_opt} ${debug_symbols} + installjdk ${bootbuilddir} ${bootinstalldir} + buildjdk ${builddir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt} ${debug_symbols} + installjdk ${builddir} ${installdir} + %{!?with_artifacts:rm -rf ${bootinstalldir}} + else + buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} ${debug_symbols} + installjdk ${builddir} ${installdir} + fi + packagejdk ${installdir} ${packagesdir} + +%if %{system_libs} + # Restore original source tree we modified by removing full in-tree sources + rm -rf %{top_level_dir_name} + mv %{top_level_dir_name_backup} %{top_level_dir_name} +%endif + +# build cycles +done + +%check + +# We test debug first as it will give better diagnostics on a crash +for suffix in %{build_loop} ; do + +export JAVA_HOME=$(pwd)/%{installoutputdir -- $suffix}/images/%{jdkimage} + +# Check unlimited policy has been used +$JAVA_HOME/bin/javac -d . %{SOURCE13} +$JAVA_HOME/bin/java TestCryptoLevel + +# Check ECC is working +$JAVA_HOME/bin/javac -d . %{SOURCE14} +$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||") + +# Check system crypto (policy) is active and can be disabled +# Test takes a single argument - true or false - to state whether system +# security properties are enabled or not. +$JAVA_HOME/bin/javac -d . %{SOURCE15} +export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||") +export SEC_DEBUG="-Djava.security.debug=properties" +# Portable specific: set false whereas its true for upstream +$JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} false +$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false + +# Check correct vendor values have been set +$JAVA_HOME/bin/javac -d . %{SOURCE16} +$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" %{oj_vendor_url} %{oj_vendor_bug_url} + +# Check java launcher has no SSB mitigation +if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi + +# Check alt-java launcher has SSB mitigation on supported architectures +%ifarch %{ssbd_arches} +nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation +%else +if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi +%endif + +# Check translations are available for new timezones +$JAVA_HOME/bin/javac -d . %{SOURCE18} +$JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE + +# Release builds strip the debug symbols into external .debuginfo files +if [ "x$suffix" = "x" ] ; then + so_suffix="debuginfo" +else + so_suffix="so" +fi + +# Check debug symbols are present and can identify code +find "$JAVA_HOME" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib +do + if [ -f "$lib" ] ; then + echo "Testing $lib for debug symbols" + # All these tests rely on RPM failing the build if the exit code of any set + # of piped commands is non-zero. + + # Test for .debug_* sections in the shared object. This is the main test + # Stripped objects will not contain these + eu-readelf -S "$lib" | grep "] .debug_" + test $(eu-readelf -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2 + + # Test FILE symbols. These will most likely be removed by anything that + # manipulates symbol tables because it's generally useless. So a nice test + # that nothing has messed with symbols + old_IFS="$IFS" + IFS=$'\n' + for line in $(eu-readelf -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT") + do + # We expect to see .cpp files, except for architectures like aarch64 and + # s390 where we expect .o and .oS files + echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|oS))?$" + done + IFS="$old_IFS" + + # If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking + if [ "`basename $lib`" = "libjvm.so" ]; then + eu-readelf -s "$lib" | \ + grep -E "00000000 0 FILE LOCAL DEFAULT ABS javaCalls.(cpp|o)$" + fi + + # Test that there are no .gnu_debuglink sections pointing to another + # debuginfo file. There shouldn't be any debuginfo files, so the link makes + # no sense either + eu-readelf -S "$lib" | grep 'gnu' + if eu-readelf -S "$lib" | grep '] .gnu_debuglink' | grep PROGBITS; then + echo "bad .gnu_debuglink section." + eu-readelf -x .gnu_debuglink "$lib" + false + fi + fi +done + +# Make sure gdb can do a backtrace based on line numbers on libjvm.so +# javaCalls.cpp:58 should map to: +# http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/vm/runtime/javaCalls.cpp#l58 +# Using line number 1 might cause build problems. See: +# https://bugzilla.redhat.com/show_bug.cgi?id=1539664 +# https://bugzilla.redhat.com/show_bug.cgi?id=1538767 +gdb -q "$JAVA_HOME/bin/java" < - 1:1.8.0.372.b07-2 +- Sync with existing RHEL 8 build, in order to start building portables on RHEL 8 +- Fix debug symbols flag to newboot and package naming +- Disable debug_package as we only produce tarballs +- Drop redundant removal of empty RPM_BUILD_ROOT + +* Tue Apr 18 2023 Andrew Hughes - 1:1.8.0.372.b07-1 +- Update to shenandoah-jdk8u372-b07 (GA) +- Update release notes for shenandoah-8u372-b07. +- Require tzdata 2023c due to inclusion of JDK-8305113 in 8u372-b07 +- Reintroduce jconsole-plugin.patch from RHEL 9 +- Update generate_tarball.sh to add support for passing a boot JDK to the configure run +- Add POSIX-friendly error codes to generate_tarball.sh and fix whitespace +- Remove .jcheck and GitHub support when generating tarballs, as done in upstream release tarballs +- Drop JDK-8275535/RH2053256 patch which is now upstream +- Include JDK-8271199 backport early ahead of 8u382 (RH2175317) +- ** This tarball is embargoed until 2023-04-18 @ 1pm PT. ** +- Resolves: rhbz#2185182 +- Resolves: rhbz#2175317 + +* Tue Apr 18 2023 Andrew Hughes - 1:1.8.0.362.b09-2 +- Reintroduce generate_source_tarball.sh from RHEL 9 + +* Tue Feb 28 2023 Andrew Hughes - 1:1.8.0.362.b09-1 +- Update to shenandoah-jdk8u352-b09 (GA) +- Update release notes for shenandoah-8u352-b09. +- Sync system cacerts support with RHEL 9, disabling using -Dsecurity.systemCACerts= +- Update cacerts patch to fix OPENJDK-1433 SecurityManager issue + +* Mon Feb 27 2023 Andrew Hughes - 1:1.8.0.362.b08-4 +- Build with internal debuginfo as in RHEL and then create a stripped variant ourselves for the portable release build +- Restore compiler flags to those used in RHEL +- Remove 8u portable only debug check using nm -aCl which takes a very long time and seems to be duplicated by other checks +- Add docs & icons to the portable output +- Make sure generated checksums work and don't include full path +- The docs directory is a top-level directory on OpenJDK 8, so needs to be moved to the install directory separately + +* Mon Feb 27 2023 Andrew Hughes - 1:1.8.0.362.b08-3 +- Separate JDK packaging into a separate function +- Use variables to make it clearer what is going on +- Use a package output directory as we do for building and installing + +* Mon Feb 27 2023 Andrew Hughes - 1:1.8.0.362.b08-2 +- Adapt the portable build to use the same system library handling as RHEL builds + +* Fri Jan 13 2023 Andrew Hughes - 1:1.8.0.362.b08-1 +- Update to shenandoah-jdk8u352-b08 (GA) +- Update release notes for shenandoah-8u352-b08. +- Fix broken links and missing release notes in older releases. +- Drop JDK-8195607/PR3776/RH1760437 now this is upstream +- Require tzdata 2022g due to inclusion of JDK-8296108, JDK-8296715 & JDK-8297804 +- Drop tzdata patches for 2022d & 2022e (JDK-8294357 & JDK-8295173) which are now upstream +- Update TestTranslations.java to test the new America/Ciudad_Juarez zone +- Drop RH1163501 patch which is not upstream or in 11, 17 & 19 packages and seems obsolete + - Patch was broken by inclusion of "JDK-8293554: Enhanced DH Key Exchanges" + - Patch was added for a specific corner case of a 4096-bit DH key on a Fedora host that no longer exists + - Fedora now appears to be using RSA and the JDK now supports ECC in preference to large DH keys +- Resolves: rhbz#2160111 + +* Fri Oct 14 2022 Andrew Hughes - 1:1.8.0.352.b08-1 +- Update to shenandoah-jdk8u352-b08 (GA) +- Update release notes for shenandoah-8u352-b08. +- Update in-tree tzdata to 2022e with JDK-8294357 & JDK-8295173 +- Add test to ensure timezones can be translated +- Rebase FIPS patch against 8u352-b07 +- * This tarball is embargoed until 2022-10-18 @ 1pm PT. * +- Resolves: rhbz#2133695 + +* Mon Aug 29 2022 Jayashree Huttanagoudar - 1:1.8.0.345.b01-2 +- Added some previously missing piece related to flatpack builds in portable spec +- The change went into upstream branch in 8u292-b10(GA) itself + +* Mon Aug 29 2022 Stephan Bergmann - 1:1.8.0.345.b01-2 +- Disable copy-jdk-configs for Flatpak builds +- Fix flatpak builds by exempting them from bootstrap +- Resolves: rhbz#2102727 + +* Wed Aug 03 2022 Andrew Hughes - 1:1.8.0.345.b01-1 +- Update to shenandoah-jdk8u345-b01 (GA) +- Update release notes for 8u345-b01. +- Resolves: rhbz#2112405 + +* Sun Jul 17 2022 Andrew Hughes - 1:1.8.0.342.b07-1 +- Update to shenandoah-jdk8u342-b07 (GA) +- Update release notes for shenandoah-8u342-b07. +- Print release file during build, which should now include a correct SOURCE value from .src-rev +- Include script to generate bug list for release notes +- Update tzdata requirement to 2022a to match JDK-8283350 +- Rebase JDK-8186464 patch so it applies after JDK-8190753 +- Switch to GA mode for final release. +- This tarball is embargoed until 2022-07-19 @ 1pm PT. +- Resolves: rhbz#2106502 + +* Sun Jul 17 2022 Jayashree Huttanagoudar - 1:1.8.0.332.b09-5 +- System security properties are disabled by default on portable. +- Commented out lines which are not applicable for portable. +- Commented out BR for crypto-policies for portable + +* Sun Jul 17 2022 Andrew Hughes - 1:1.8.0.332.b09-5 +- Rebase FIPS patches from fips branch and simplify by using a single patch from that repository +- * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage +- * RH2090378: Revert to disabling system security properties and FIPS mode support together +- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch +- Rebase PR2888/RH2055274 cacerts patch so it applies after the current FIPS patch +- Perform configuration changes (e.g. nss.cfg, nss.fips.cfg, tzdb.dat) in installjdk +- Enable system security properties in the RPM (now disabled by default in the FIPS repo) +- Improve security properties test to check both enabled and disabled behaviour +- Run security properties test with property debugging on +- Explicitly require crypto-policies during build and runtime for system security properties +- Resolves: rhbz#2097152 +- Resolves: rhbz#2100675 + +* Thu Jun 30 2022 Francisco Ferrari Bihurriet - 1:1.8.0.332.b09-4 +- RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode +- Resolves: rhbz#2102435 + +* Thu May 19 2022 Jiri Vanek - 1:1.8.0.332.b09-3 +- to pass aqa: +- removed copy system tzdb in favour of in-tree +- removed Patch3: rh1648644-java_access_bridge_privileged_security.patch +- This is not intended to release untill we decide proper steps + +* Wed May 11 2022 Jayashree Huttanagoudar - 1:1.8.0.332.b09-2 +- Add some missing chunk in %check from upstream spec. + +* Mon Apr 18 2022 Andrew Hughes - 1:1.8.0.332.b09-1 +- Update to shenandoah-jdk8u332-b09 (GA) +- Update release notes for 8u332-b09. +- Switch to GA mode for final release. +- This tarball is embargoed until 2022-04-19 @ 1pm PT. +- Resolves: rhbz#2073422 + +* Mon Apr 18 2022 Andrew Hughes - 1:1.8.0.332.b06-0.2.ea +- Allow the default keystore to be configured using security.systemCACerts +- Use of the property can now be disabled using -Djava.security.disableSystemCACerts=true +- Commented out the configuration line for RHEL which is NA for portable. +- Resolves: rhbz#2055274 + +* Mon Apr 18 2022 Andrew Hughes - 1:1.8.0.332.b06-0.1.ea +- Update to shenandoah-jdk8u332-b06 (EA) +- Update release notes for shenandoah-8u332-b06. +- Minor corrections to previous changelog entry. +- Resolves: rhbz#2047536 + +* Sun Apr 17 2022 Andrew Hughes - 1:1.8.0.332.b01-0.1.ea +- Update to shenandoah-jdk8u332-b01 (EA) +- Update release notes for shenandoah-8u332-b01. +- Switch to EA mode. +- Remove JDK-8279077 patch now upstream. +- Related: rhbz#2047536 + +* Mon Feb 28 2022 Andrew Hughes - 1:1.8.0.322.b06-10 +- Add JDK-8275535 patch to fix LDAP authentication issue. +- Resolves: rhbz#2053285 + +* Mon Feb 28 2022 Andrew Hughes - 1:1.8.0.322.b06-9 +- Detect NSS at runtime for FIPS detection +- Resolves: rhbz#2052828 + +* Mon Feb 21 2022 Andrew Hughes - 1:1.8.0.322.b06-8 +- Refactor build functions so we can build just HotSpot without any attempt at installation. +- Introduce architecture restriction logic for the gdb test. (RH2041970) +- Pass compiler flags to the ADLC build (JDK-8281098) +- Adjust JDK8199936/PR3533 -mstackrealign patch to instead pass -mincoming-stack-boundary=2 -mpreferred-stack-boundary=4 +- Explicitly list JIT architectures rather than relying on those with slowdebug builds +- Disable the serviceability agent on Zero architectures even when the architecture itself is supported +- Add backport of JDK-8257794 to fix bogus assert on slowdebug x86-32 Zero builds +- Sync minor placement differences with Fedora & RHEL 9 +- Resolves: rhbz#2022815 + +* Mon Jan 31 2022 Andrew Hughes - 1:1.8.0.322.b06-7 +- Turn off bootstrapping for slow debug builds, which are particularly slow on ppc64le. +- Related: rhbz#2022815 + +* Fri Jan 28 2022 Andrew Hughes - 1:1.8.0.322.b06-6 +- Reduce disk footprint by removing build artifacts by default. +- Related: rhbz#1999937 + +* Thu Jan 27 2022 Jayashree Huttanagoudar - 1:1.8.0.322.b06-5 +- Add some diagnostic messages to buildjdk() +- Add missing chmod instructions to buildjdk() + +* Thu Jan 27 2022 Andrew Hughes - 1:1.8.0.322.b06-5 +- Use the "reverse" build loop (debug first) as the main and only build loop to get more diagnostics. +- Resolves: rhbz#1966233 + +* Tue Jan 25 2022 Andrew Hughes - 1:1.8.0.322.b06-4 +- Install nss.cfg and nss.fips.cfg into portable images. +- Consistently make use of jdkimage and jreimage variables. + +* Mon Jan 24 2022 Andrew Hughes - 1:1.8.0.322.b06-3 +- Separate crypto policy initialisation from FIPS initialisation, now they are no longer interdependent + +* Mon Jan 24 2022 Andrew Hughes - 1:1.8.0.322.b06-2 +- Fix FIPS issues in native code and with initialisation of java.security.Security +- Related: rhbz#2039366 + +* Fri Jan 21 2022 Andrew Hughes - 1:1.8.0.322.b06-1 +- Update to aarch64-shenandoah-jdk8u322-b06 (EA) +- Update release notes for 8u322-b06. +- Switch to GA mode for final release. +- Resolves: rhbz#2039366 + +* Thu Jan 20 2022 Andrew Hughes - 1:1.8.0.322.b05-0.1.ea +- Update to aarch64-shenandoah-jdk8u322-b05 (EA) +- Update release notes for 8u322-b05. +- Require tzdata 2021e as of JDK-8275766. +- Update tarball generation script to use git following shenandoah-jdk8u's move to github +- Resolves: rhbz#2022815 + +* Tue Jan 18 2022 Andrew Hughes - 1:1.8.0.322.b04-0.2.ea +- Add backport of JDK-8279077 to fix crash on ppc64 +- Resolves: rhbz#2030399 + +* Mon Jan 10 2022 Andrew Hughes - 1:1.8.0.322.b04-0.1.ea +- Update to aarch64-shenandoah-jdk8u322-b04 (EA) +- Update release notes for 8u322-b04. +- Require tzdata 2021c as of JDK-8274407. +- Related: rhbz#2022815 + +* Fri Jan 07 2022 Andrew Hughes - 1:1.8.0.322.b03-0.1.ea +- Update to aarch64-shenandoah-jdk8u322-b03 (EA) +- Update release notes for 8u322-b03. +- Related: rhbz#2022815 + +* Fri Dec 17 2021 Andrew Hughes - 1:1.8.0.322.b02-0.1.ea +- Update to aarch64-shenandoah-jdk8u322-b02 (EA) +- Update release notes for 8u322-b02. +- Related: rhbz#2022815 + +* Tue Dec 14 2021 Andrew Hughes - 1:1.8.0.322.b01-0.1.ea +- Update to aarch64-shenandoah-jdk8u322-b01 (EA) +- Update release notes for 8u322-b01. +- Switch to EA mode. +- Related: rhbz#2022815 + +* Tue Dec 14 2021 Jayashree Huttanagoudar - 1:1.8.0.322.b01-0.1.ea +- Typo correction to the previous commit for restructuring the build. + +* Mon Dec 06 2021 Severin Gehwolf - 1:1.8.0.312.b07-5 +- Use 'sql:' prefix in nss.fips.cfg as F35+ no longer ship the legacy + secmod.db file as part of nss +- Resolves: rhbz#2023532 + +* Mon Nov 22 2021 Jayashree Huttanagoudar - 1:1.8.0.312.b07-4 +- Fixed warnings for bogus date and macro expansion in comment line. + +* Mon Oct 25 2021 Jiri Vanek - 1:1.8.0.312.b07-3 +- added and enabled nss.cfg (source11: nss.cfg.in + patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch) +- added and enabled fips patches and nss.fips.cfg +- added and enabled source15: TestSecurityProperties.java test +- enabled patch534: rh1648246-always_instruct_vm_to_assume_multiple_processors_are_available.patch +- enabled patch539: pr2888-openjdk_should_check_for_system_cacerts_database_eg_etc_pki_java_cacerts.patch +- source17: nss.fips.cfg.in,patch1001: rh1655466-global_crypto_and_fips.patch + patch1001: rh1655466-global_crypto_and_fips.patch + patch1002: rh1818909-fips_default_keystore_type.patch patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch + patch1005: rh1915071-always_initialise_configurator_access.patch patch1006: rh1929465-improve_system_FIPS_detection-root.patch + patch1007: rh1929465-improve_system_FIPS_detection-jdk.patch + patch1008: rh1996182-login_to_nss_software_token.patch patch1011: rh1991003-enable_fips_keys_import.patch + patch580: jdk8195607-pr3776-rh1760437-nss_sqlite_db_config.patch +- Disable FIPS mode detection using NSS in favour of using /proc/sys/crypto/fips_enabled for now, so we don't link against NSS +-- effectively disabled Patch1008: rh1929465-improve_system_FIPS_detection.patch by settng --enable-sysconf-nss to --disable-sysconf-nss +-- the enable-sysconf-nss was bringing in hard depndence on nss. Without nss, even in non fips, jvm had not even started +- introduced ssbd_arches to have properly tested alt-java +-- added forgotten test for alt-java +- removed bad redeclaration of fastdebug_arches +- made TestECDSA non fatal, started to fail. Locally passed. TODO, fix + +* Mon Oct 25 2021 Jiri Vanek - 1:1.8.0.312.b07-2 +- cacerts symlink is resolved before passed to configure +- https://issues.redhat.com/browse/OPENJDK-487 + +* Fri Oct 15 2021 Andrew Hughes - 1:1.8.0.312.b07-1 +- Update to aarch64-shenandoah-jdk8u312-b07 (EA) +- Update release notes for 8u312-b07. +- Switch to GA mode for final release. +- This tarball is embargoed until 2021-10-19 @ 1pm PT. +- Resolves: rhbz#2011826 + +* Mon Oct 04 2021 Jiri Vanek - 1:1.8.0.302.b08-2 +- fixed bugzilla component. It was pointing to java-x-vendor-portable due to recent rename + +* Mon Aug 16 2021 Jiri Vanek - 1:1.8.0.302.b08-1 +- renamed to java-1.8.0-openjdk-portable +- adapted pacakges to not contain double portbale in name + +* Fri Jul 16 2021 Andrew Hughes - 1:1.8.0.302.b08-0 +- Update to aarch64-shenandoah-jdk8u302-b08 (EA) +- Update release notes for 8u302-b08. +- Switch to GA mode for final release. +- This tarball is embargoed until 2021-07-20 @ 1pm PT. +- added forgotten patch107 s390-8214206_fix.patch + +* Thu Jul 01 2021 Jiri Vanek - 1:1.8.0.302.b03-0.1.ea +- returned two wrongly removed patches +- returned and applied patch541 rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch +- returned and applied patch12 jdk8186464-rh1433262-zip64_failure.patch + +* Sun Jun 27 2021 Andrew Hughes - 1:1.8.0.302.b03-0.0.ea +- Update to aarch64-shenandoah-jdk8u302-b03 (EA) +- Update release notes for 8u302-b03. +- Resolves: rhbz#1967812 + +* Fri Apr 09 2021 Andrew Hughes - 1:1.8.0.292.b10-1 +- Add CVE numbers. +- Require tzdata 2021a due to JDK-8260356 +- Resolves: rhbz#1938201 + +* Thu Apr 08 2021 Andrew Hughes - 1:1.8.0.292.b10-0 +- Update to aarch64-shenandoah-jdk8u292-b10 (GA) +- Update release notes for 8u292-b10. +- This tarball is embargoed until 2021-04-20 @ 1pm PT. +- Resolves: rhbz#1938201 + +* Thu Apr 08 2021 Stephan Bergmann - 1:1.8.0.292.b10-0 +- Hardcode /usr/sbin/alternatives for Flatpak builds +- Resolves: rhbz#1967813 + +* Tue Mar 30 2021 Andrew Hughes - 1:1.8.0.292.b09-0.0.ea +- Update to aarch64-shenandoah-jdk8u292-b09 (EA) +- Update release notes for 8u292-b09. +- Resolves: rhbz#1938081 + +* Sat Mar 27 2021 Andrew Hughes - 1:1.8.0.292.b08-0.0.ea +- Update to aarch64-shenandoah-jdk8u292-b08 (EA) +- Update release notes for 8u292-b08. +- Resolves: rhbz#1938081 + +* Thu Mar 25 2021 Andrew Hughes - 1:1.8.0.292.b07-0.0.ea +- Update to aarch64-shenandoah-jdk8u292-b07 (EA) +- Update release notes for 8u292-b07. +- Resolves: rhbz#1938081 + +* Mon Mar 22 2021 Andrew Hughes - 1:1.8.0.292.b06-0.0.ea +- Update to aarch64-shenandoah-jdk8u292-b06 (EA) +- Update release notes for 8u292-b06. +- Require tzdata 2020f due to JDK-8259048 +- Resolves: rhbz#1938081 + +* Mon Mar 15 2021 Jayashree Huttanagoudar - 1:1.8.0.292.b05-0.1.ea +- Remove patch s390-8214206_fix.patch as portable is not built for s390. + +* Mon Mar 15 2021 Andrew Hughes - 1:1.8.0.292.b05-0.1.ea +- Update to aarch64-shenandoah-jdk8u292-b05-shenandoah-merge-2021-03-11 (EA). +- Update release notes for 8u292-b05-shenandoah-merge-2021-03-11. + +* Mon Mar 08 2021 Andrew Hughes - 1:1.8.0.292.b05-0.0.ea +- Update to aarch64-shenandoah-jdk8u292-b05 (EA) +- Update release notes for 8u292-b05. + +* Fri Mar 05 2021 Andrew Hughes - 1:1.8.0.292.b04-0.0.ea +- Update to aarch64-shenandoah-jdk8u292-b04 (EA) +- Update release notes for 8u292-b04. + +* Thu Mar 04 2021 Andrew Hughes - 1:1.8.0.292.b03-0.0.ea +- Update to aarch64-shenandoah-jdk8u292-b03 (EA) +- Update release notes for 8u292-b03. + +* Tue Mar 02 2021 Andrew Hughes - 1:1.8.0.292.b02-0.0.ea +- Update to aarch64-shenandoah-jdk8u292-b02 (EA) +- Update release notes for 8u292-b02. + +* Fri Feb 12 2021 Jayashree Huttanagoudar - 1:1.8.0.292.b01-0.0.ea +- Update tzdata-java from 2020b to 2021a + +* Fri Feb 12 2021 Andrew Hughes - 1:1.8.0.292.b01-0.0.ea +- Update to aarch64-shenandoah-jdk8u292-b01 (EA) +- Update release notes for 8u292-b01. +- Switch to EA mode. + +* Thu Feb 4 2021 Jayashree Huttanagoudar - 1:1.8.0.282.b08-4 +- Changes to generate sha256sum for each linux-portable build artifacts inside RPM + +* Mon Jan 25 2021 Jayashree Huttanagoudar - 1:1.8.0.282.b08-3 +- Cleanup package summary for fastdebug and slowdebug. +- Resolves: rhbz#1908963 + +* Mon Jan 25 2021 Andrew Hughes - 1:1.8.0.282.b08-2 +- Cleanup package descriptions and version number placement. +- Resolves: rhbz#1908963 + +* Mon Jan 18 2021 Jayashree Huttanagoudar - 1:1.8.0.282.b08-1 +- Fix to address the extra src.zip bundled inside jdk tarball. + +* Sat Jan 16 2021 Andrew Hughes - 1:1.8.0.282.b08-0 +- Update to aarch64-shenandoah-jdk8u282-b08 (GA) +- Update release notes for 8u282-b08. +- This tarball is embargoed until 2021-01-19 @ 1pm PT. +- Resolves: rhbz#1908963 + +* Fri Jan 15 2021 Andrew Hughes - 1:1.8.0.282.b07-0.0.ea +- Update to aarch64-shenandoah-jdk8u282-b07 (EA) +- Update release notes for 8u282-b07. +- Fix placement issue in release notes, caught by comparing with vanilla version. +- Resolves: rhbz#1903904 + +* Wed Jan 13 2021 Andrew Hughes - 1:1.8.0.282.b06-0.0.ea +- Update to aarch64-shenandoah-jdk8u282-b06 (EA) +- Update release notes for 8u282-b06. +- Resolves: rhbz#1903903 + +* Mon Jan 11 2021 Andrew Hughes - 1:1.8.0.282.b05-0.0.ea +- Update to aarch64-shenandoah-jdk8u282-b05 (EA) +- Update release notes for 8u282-b05 and make some minor corrections. +- Resolves: rhbz#1903903 + +* Fri Jan 08 2021 Jiri Vanek - 1:1.8.0.282.b04-0.1.ea +- added patch600, rh1750419-redhat_alt_java.patch +- Replaced alt-java palceholder by real pathced alt-java +- remove patch529 rh1566890-CVE_2018_3639-speculative_store_bypass.patch +- remove patch531 rh1566890-CVE_2018_3639-speculative_store_bypass_toggle.patch +- both suprassed by new patch +- Resolves: rhbz#1750419 + +* Wed Jan 06 2021 Andrew Hughes - 1:1.8.0.282.b04-0.0.ea +- Update to aarch64-shenandoah-jdk8u282-b04 (EA) +- Update release notes for 8u282-b04. +- Remove upstreamed patch PR3519 +- Resolves: rhbz#1903903 + +* Sat Jan 02 2021 Andrew Hughes - 1:1.8.0.282.b03-0.0.ea +- Update to aarch64-shenandoah-jdk8u282-b03 (EA) +- Update release notes for 8u282-b03. +- Resolves: rhbz#1903903 + +* Wed Dec 23 2020 Andrew Hughes - 1:1.8.0.282.b02-0.0.ea +- Update to aarch64-shenandoah-jdk8u282-b02 (EA) +- Resolves: rhbz#1903903 + +* Tue Dec 22 2020 Jayashree Huttanagoudar - 1:1.8.0.282.b01-0.0.ea +- Remove upstreamed JDK-8252395 & JDK-8252975. + +* Tue Dec 22 2020 Andrew Hughes - 1:1.8.0.282.b01-0.0.ea +- Update to aarch64-shenandoah-jdk8u282-b01 (EA) +- Update release notes for 8u282-b01. +- Switch to EA mode. +- Require tzdata 2020b due to resource changes in JDK-8254177 +- Remove PR3601, covered upstream by JDK-8062808. +- Remove upstreamed JDK-8197981/PR3548, JDK-8062808/PR3548, JDK-8254177 & JDK-8215727. +- Resolves: rhbz#1903903 + +* Wed Dec 09 2020 Jayashree Huttanagoudar - 1:1.8.0.275.b01-3 +- Included patch to handle '--without fastdebug' option to mockbuild + +* Wed Dec 09 2020 Jayashree Huttanagoudar - 1:1.8.0.275.b01-2 +- Align fastdebug/slowdebug changes with upstream rhel-8.4.0 spec + +* Tue Dec 01 2020 Jiri Vanek - 1:1.8.0.275.b01-1 +- added br of listdc++-static +- removed patch998 rh1649731-allow_to_build_on_rhel6_with_stdcpplib_autotools_2_63.patch +- removed patch999 gcc-4.4.7-x86-32-siphash64.patch +- initial on-el7 build (more tuning expected) + +* Fri Nov 06 2020 Andrew Hughes - 1:1.8.0.275.b01-0 +- Update to aarch64-shenandoah-jdk8u275-b01 (GA) +- Update release notes for 8u275. +- Resolves: rhbz#1895062 + +* Wed Oct 21 2020 Andrew Hughes - 1:1.8.0.272.b10-3 +- Add backport of JDK-8215727: "Restore JFR thread sampler loop to old / previous behaviour" +- Resolves: rhbz#1876665 + +* Wed Oct 21 2020 Andrew Hughes - 1:1.8.0.272.b10-2 +- Remove the 64-bit siphash test which fails to compile on x86-32 debug builds with gcc 4.4.7 in RHEL 6 +- Resolves: rhbz#1876665 + +* Tue Oct 20 2020 Jayashree Huttanagoudar - 1:1.8.0.272.b10-1 +- Added patch to apply tzdata 2020b + +* Sat Oct 17 2020 Andrew Hughes - 1:1.8.0.272.b10-0 +- Update to aarch64-shenandoah-jdk8u272-b10. +- Switch to GA mode for final release. +- Update release notes for 8u272 release. +- Add backport of JDK-8254177 to update to tzdata 2020b +- Require tzdata 2020b due to resource changes in JDK-8254177 +- Delay tzdata 2020b dependency until tzdata update has shipped. +- Adjust JDK-8062808/PR3548 following constantPool.hpp context change in JDK-8243302 +- Adjust PR3593 following g1StringDedupTable.cpp context change in JDK-8240124 & JDK-8244955 +- This tarball is embargoed until 2020-10-20 @ 1pm PT. +- Resolves: rhbz#1876665 + +* Thu Oct 15 2020 Andrew Hughes - 1:1.8.0.272.b09-0.1.ea +- Include a test in the RPM to check the build has the correct vendor information. +- Use 'oj_' prefix on new vendor globals to avoid a conflict with RPM's vendor value. +- Improve quoting of vendor name +- Resolves: rhbz#1876665 + +* Thu Oct 15 2020 Jiri Vanek - 1:1.8.0.272.b09-0.1.ea +- Set vendor property and vendor URLs +- Made URLs to be preconfigured by OS +- Resolves: rhbz#1876665 + +* Wed Oct 14 2020 Andrew Hughes - 1:1.8.0.272.b09-0.0.ea +- Update to aarch64-shenandoah-jdk8u272-b09 (EA). +- Resolves: rhbz#1876665 + +* Tue Oct 13 2020 Andrew Hughes - 1:1.8.0.272.b08-0.0.ea +- Update to aarch64-shenandoah-jdk8u272-b08 (EA). +- Resolves: rhbz#1876665 + +* Mon Oct 12 2020 Andrew Hughes - 1:1.8.0.272.b07-0.5.ea +- Enable JFR on x86, now we have JDK-8252096: Shenandoah: adjust SerialPageShiftCount for x86_32 and JFR +- Resolves: rhbz#1876665 + +* Wed Sep 23 2020 Andrew Hughes - 1:1.8.0.272.b07-0.4.ea +- Re-organise S/390 patches for upstream submission, separating 8u upstream from Shenandoah fixes. +- Add new formatting case found in memprofiler.cpp on debug builds to PR3593 patch. + +* Wed Sep 23 2020 Jayashree Huttanagoudar - 1:1.8.0.272.b07-0.3.ea +- Placed upstream patches JDK-8252395 and JDK-8252975 under separate section +- So that these patches can be dropped easily once they are available in 8u282 GA release + +* Thu Sep 17 2020 Jayashree Huttanagoudar - 1:1.8.0.272.b07-0.2.ea +- Added upstream patches for JDK-8252395 and JDK-8252975 +- JDK-8252395: To ensure debuginfo files get properly copied to the images directory +- JDK-8252975: Is to fix the build failure due to JDK-8252395 + +* Tue Sep 08 2020 Andrew Hughes - 1:1.8.0.272.b07-0.0.ea +- Update to aarch64-shenandoah-jdk8u272-b07. + +* Thu Sep 03 2020 Andrew Hughes - 1:1.8.0.272.b06-0.0.ea +- Update to aarch64-shenandoah-jdk8u272-b06. + +* Wed Sep 02 2020 Andrew Hughes - 1:1.8.0.272.b05-0.1.ea +- Add additional s390 log2_intptr case in shenandoahUtils.cpp introduced by JDK-8245464 + +* Wed Sep 02 2020 Andrew Hughes - 1:1.8.0.272.b05-0.1.ea +- Update to aarch64-shenandoah-jdk8u272-b05-shenandoah-merge-2020-08-28. + +* Thu Aug 27 2020 Andrew Hughes - 1:1.8.0.272.b05-0.0.ea +- Add additional s390 size_t case in g1ConcurrentMarkObjArrayProcessor.cpp introduced by JDK-8057003 + +* Thu Aug 27 2020 Andrew Hughes - 1:1.8.0.272.b05-0.0.ea +- Update to aarch64-shenandoah-jdk8u272-b05. +- Fix context in JDK-8186464/RH1433262 patch, following JDK-8078334 @randomness tag addition. + +* Wed Aug 19 2020 Andrew Hughes - 1:1.8.0.272.b04-0.0.ea +- Update to aarch64-shenandoah-jdk8u272-b04. + +* Mon Aug 17 2020 Andrew Hughes - 1:1.8.0.272.b03-0.0.ea +- Update to aarch64-shenandoah-jdk8u272-b03. + +* Sun Aug 09 2020 Andrew Hughes - 1:1.8.0.272.b02-0.0.ea +- Change target from 'zip-docs' to 'docs-zip', which is the naming used upstream. + +* Sun Aug 09 2020 Andrew Hughes - 1:1.8.0.272.b02-0.0.ea +- Update to aarch64-shenandoah-jdk8u272-b02. +- Remove JDK-8154313 backport now applied upstream. + +* Sat Aug 01 2020 Andrew Hughes - 1:1.8.0.272.b01-0.0.ea +- JFR must now be explicitly disabled when unwanted (e.g. x86), following switch of upstream default. + +* Sat Aug 01 2020 Andrew Hughes - 1:1.8.0.272.b01-0.0.ea +- Update to aarch64-shenandoah-jdk8u272-b01. +- Switch to EA mode. +- Remove ZipConstants change from JDK-8186464 backport, now provided upstream by JDK-8075774 + +* Mon Jul 27 2020 Andrew Hughes - 1:1.8.0.265.b01-0 +- Update to aarch64-shenandoah-jdk8u265-b01. +- Update release notes for 8u265 release. +- Resolves: rhbz#1860453 + +* Sun Jul 12 2020 Andrew Hughes - 1:1.8.0.262.b10-0 +- Introduce jfr_arches for architectures which support JFR. +- Resolves: rhbz#1838811 + +* Sun Jul 12 2020 Andrew Hughes - 1:1.8.0.262.b10-0 +- Update to aarch64-shenandoah-jdk8u262-b10. +- Switch to GA mode for final release. +- Update release notes for 8u262 release. +- Fix typo in jfr_arches which leads to ppc64 being wrongly excluded. +- Split JDK-8042159 patch into per-repo patches as upstream. +- Update JDK-8042159 JDK patch to apply after JDK-8238002 changes to Awt2dLibraries.gmk +- Resolves: rhbz#1838811 + +* Sat Jul 11 2020 Andrew Hughes - 1:1.8.0.262.b09-0.3.ea +- Restructure the build so a minimal initial build is then used for the final build (with docs) +- This reduces pressure on the system JDK and ensures the JDK being built can do a full build +- Resolves: rhbz#1838811 + +* Fri Jul 10 2020 Andrew Hughes - 1:1.8.0.262.b09-0.2.ea +- Update to aarch64-shenandoah-jdk8u262-b09-shenandoah-merge-2020-07-03 +- Resolves: rhbz#1838811 + +* Wed Jul 08 2020 Andrew Hughes - 1:1.8.0.262.b09-0.2.ea +- Sync alt-java support with java-11-openjdk version. +- Resolves: rhbz#1838811 + +* Wed Jul 08 2020 Jiri Vanek - 1:1.8.0.262.b09-0.2.ea +- Created copy of java as alt-java and adapted alternatives and man pages +- Resolves: rhbz#1838811 + +* Wed Jul 08 2020 Andrew Hughes - 1:1.8.0.262.b09-0.1.ea +- Update to aarch64-shenandoah-jdk8u262-b09. +- Resolves: rhbz#1838811 + +* Wed Jul 08 2020 Andrew Hughes - 1:1.8.0.262.b08-0.3.ea +- Update to aarch64-shenandoah-jdk8u262-b08. +- Resolves: rhbz#1838811 + +* Tue Jul 07 2020 Andrew Hughes - 1:1.8.0.262.b07-0.2.ea +- Update to aarch64-shenandoah-jdk8u262-b07-shenandoah-merge-2020-06-18. +- Resolves: rhbz#1838811 + +* Fri Jul 03 2020 Andrew Hughes - 1:1.8.0.262.b07-0.1.ea +- Update to aarch64-shenandoah-jdk8u262-b07. +- Require tzdata 2020a so system tzdata matches resource updates in b07 +- Resolves: rhbz#1838811 + +* Mon Jun 08 2020 Andrew Hughes - 1:1.8.0.262.b06-0.1.ea +- Update to aarch64-shenandoah-jdk8u262-b06. +- Resolves: rhbz#1838811 + +* Mon Jun 08 2020 Jayashree Huttanagoudar - 1:1.8.0.262.b05-0.4.ea +- Removed patch jdk8243541-rh1838229-tzdata2020a.patch +- Portabel builds use upstream tzddb.dat, and we expect it to be synced with jdk code + +* Mon Jun 08 2020 Andrew Hughes - 1:1.8.0.262.b05-0.4.ea +- Backport JDK-8186464 so ZIP64 archives < 4GB can be read. +- Resolves: rhbz#1433262 + +* Mon Jun 08 2020 Andrew Hughes - 1:1.8.0.262.b05-0.3.ea +- Update to aarch64-shenandoah-jdk8u262-b05-shenandoah-merge-2020-06-04. +- Resolves: rhbz#1838811 + +* Mon Jun 08 2020 Andrew Hughes - 1:1.8.0.262.b05-0.2.ea +- Backport JDK-8243541 & require tzdata 2020a as latest tzdata package needs resource updates +- Resolves: rhbz#1838229 + +* Sun Jun 07 2020 Andrew Hughes - 1:1.8.0.262.b05-0.1.ea +- Update to aarch64-shenandoah-jdk8u262-b05. +- Remove backports of JDK-8227269 & JDK-8241750 included upstream in 8u262-b05. +- Resolves: rhbz#1838811 + +* Sun Jun 07 2020 Andrew Hughes - 1:1.8.0.262.b04-0.1.ea +- Update to aarch64-shenandoah-jdk8u262-b04. +- Resolves: rhbz#1838811 + +* Sun Jun 07 2020 Andrew Hughes - 1:1.8.0.262.b03-0.2.ea +- Update to aarch64-shenandoah-jdk8u262-b03-shenandoah-merge-2020-05-20. +- Resolves: rhbz#1838811 + +* Sat Jun 06 2020 Andrew Hughes - 1:1.8.0.262.b03-0.1.ea +- Update to aarch64-shenandoah-jdk8u262-b03. +- Resolves: rhbz#1838811 + +* Sat Jun 06 2020 Andrew Hughes - 1:1.8.0.262.b02-0.2.ea +- Enable JFR in our builds, ahead of upstream default. +- Only enable JFR for JIT builds, as it is not supported with Zero. +- Turn off JFR on x86 for now due to assert(SerializePageShiftCount == count) crash. +- Resolves: rhbz#1838811 + +* Wed Jun 03 2020 Andrew Hughes - 1:1.8.0.262.b02-0.1.ea +- Update to aarch64-shenandoah-jdk8u262-b02. +- Resolves: rhbz#1838811 + +* Sun May 24 2020 Andrew Hughes - 1:1.8.0.262.b01-0.1.ea +- Update to aarch64-shenandoah-jdk8u262-b01. +- Switch to EA mode. +- Adjust JDK-8143245/PR3548 patch following context changes due to JDK-8203287 for JFR + +* Sat May 23 2020 Andrew John Hughes - 1:1.8.0.252.b09-4 +- Add backports of JDK-8227269 & JDK-8241750 to resolve slow class loading with JDWP enabled. +- Resolves: rhbz#1751985 + +* Tue Apr 14 2020 Andrew Hughes - 1:1.8.0.252.b09-2 +- Add release notes. +- Resolves: rhbz#1810557 + +* Sun Apr 12 2020 Andrew Hughes - 1:1.8.0.252.b09-1 +- Make use of --with-extra-asflags introduced in jdk8u252-b01. +- Resolves: rhbz#1810557 + +* Mon Apr 06 2020 Andrew Hughes - 1:1.8.0.252.b09-0 +- Update to aarch64-shenandoah-jdk8u252-b09. +- Switch to GA mode for final release. +- Resolves: rhbz#1810557 + +* Fri Mar 27 2020 Andrew Hughes - 1:1.8.0.252.b08-0.0.ea +- Update to aarch64-shenandoah-jdk8u252-b08. +- Resolves: rhbz#1810557 + +* Tue Mar 24 2020 Andrew Hughes - 1:1.8.0.252.b07-0.0.ea +- Update to aarch64-shenandoah-jdk8u252-b07. +- Resolves: rhbz#1810557 + +* Mon Mar 16 2020 Andrew Hughes - 1:1.8.0.252.b06-0.0.ea +- Update to aarch64-shenandoah-jdk8u252-b06. +- Resolves: rhbz#1810557 + +* Fri Feb 28 2020 Andrew Hughes - 1:1.8.0.252.b05-0.0.ea +- Update to aarch64-shenandoah-jdk8u252-b05. +- Resolves: rhbz#1810557 + +* Mon Feb 24 2020 Andrew Hughes - 1:1.8.0.252.b04-0.0.ea +- Update to aarch64-shenandoah-jdk8u252-b04. +- Resolves: rhbz#1810557 + +* Wed Feb 19 2020 Andrew Hughes - 1:1.8.0.252.b03-0.0.ea +- Update to aarch64-shenandoah-jdk8u252-b03. +- Adjust PR2974/RH1337583 & PR3083/RH1346460 following context changes in JDK-8230978 +- Resolves: rhbz#1810557 + +* Tue Feb 04 2020 Andrew Hughes - 1:1.8.0.252.b02-0.0.ea +- Update to aarch64-shenandoah-jdk8u252-b02. +- Resolves: rhbz#1810557 + +* Mon Jan 27 2020 Andrew Hughes - 1:1.8.0.252.b01-0.0.ea +- Update to aarch64-shenandoah-jdk8u252-b01. +- Switch to EA mode. +- Adjust JDK-8199936/PR3533 patch following JDK-8227397 configure change +- Resolves: rhbz#1810557 + +* Tue Jan 21 2020 Jiri Vanek - 1:1.8.0.242.b08-3 +- get rid of openjdkportable in favour of el + +* Tue Jan 21 2020 Jiri Vanek - 1:1.8.0.242.b08-2 +- renamed static to more accurate portable + +* Wed Jan 15 2020 Jiri Vanek - 1:1.8.0.242.b08-1 +- sync with rhel 8.1 + +* Tue Oct 15 2019 Jiri Vanek - 1:1.8.0.232.b09-0 +- Update to aarch64-shenandoah-jdk8u232-b09. +- Switch to GA mode for final release. +- Remove PR1834/RH1022017 which is now handled by JDK-8228825 upstream. + +* Mon Oct 07 2019 Jiri Vanek - 1:1.8.0.232.b01-0.0.ea +- Update to aarch64-shenandoah-jdk8u232-b01. +- Switch to EA mode. +- Drop JDK-8210761/RH1632174 as now upstream. +- Drop JDK-8223219 as now upstream. + +* Tue Jul 23 2019 Jiri Vanek - 1:1.8.0.222.b10-4 +- for release, build debugsymbols to special archive + +* Tue Jul 23 2019 Jiri Vanek - 1:1.8.0.222.b10-3 +- filtered out -g from extra flags + +* Thu Jul 11 2019 Andrew Hughes - 1:1.8.0.222.b10-1 +- Update to aarch64-shenandoah-jdk8u222-b10. +- Resolves: rhbz#1724452 + +* Mon Jul 08 2019 Andrew Hughes - 1:1.8.0.222.b09-2 +- Use normal_suffix for Javadoc zip filename to copy, as there is is no debug version. +- Resolves: rhbz#1724452 + +* Mon Jul 08 2019 Andrew Hughes - 1:1.8.0.222.b09-2 +- Provide Javadoc debug subpackages for now, but populate them from the normal build. +- Resolves: rhbz#1724452 + +* Mon Jul 08 2019 Andrew Hughes - 1:1.8.0.222.b09-1 +- Update to aarch64-shenandoah-jdk8u222-b09. +- Switch to GA mode for final release. +- Resolves: rhbz#1724452 + +* Tue Jul 02 2019 Andrew Hughes - 1:1.8.0.222.b08-0.1.ea +- Update to aarch64-shenandoah-jdk8u222-b08. +- Adjust PR3083/RH134640 to apply after JDK-8182999 +- Resolves: rhbz#1724452 + +* Tue Jul 02 2019 Severin Gehwolf - 1:1.8.0.222.b07-0.3.ea +- Include 'ea' designator in Release when appropriate. +- Resolves: rhbz#1724452 + +* Wed Jun 26 2019 Severin Gehwolf - 1:1.8.0.222.b07-2 +- Don't produce javadoc/javadoc-zip sub packages for the debug variant build. +- Don't perform a bootcycle build for the debug variant build. +- Resolves: rhbz#1724452 + +* Tue Jun 25 2019 Andrew Hughes - 1:1.8.0.222.b07-1 +- Update to aarch64-shenandoah-jdk8u222-b07 and Shenandoah merge 2019-06-13. +- Resolves: rhbz#1724452 + +* Fri Jun 14 2019 Andrew Hughes - 1:1.8.0.222.b06-1 +- Update to aarch64-shenandoah-jdk8u222-b06. +- Resolves: rhbz#1724452 + +* Thu Jun 06 2019 Andrew Hughes - 1:1.8.0.222.b05-1 +- Update to aarch64-shenandoah-jdk8u222-b05. +- Resolves: rhbz#1724452 + +* Sat May 25 2019 Andrew Hughes - 1:1.8.0.222.b04-1 +- Update to aarch64-shenandoah-jdk8u222-b04. +- Drop remaining JDK-8210425/RH1632174 patch now AArch64 part is upstream. +- Resolves: rhbz#1705328 + +* Wed May 22 2019 Andrew Hughes - 1:1.8.0.222.b03-1 +- Handle milestone as variables so we can alter it easily and set the docs zip filename appropriately. +- Drop unused use_shenandoah_hotspot variable. +- Resolves: rhbz#1705328 + +* Wed May 22 2019 Andrew Hughes - 1:1.8.0.222.b03-1 +- Update to aarch64-shenandoah-jdk8u222-b03. +- Set milestone to "ea" as this is not the final release. +- Drop 8210425 patches applied upstream. Still need to add AArch64 version in aarch64/shenandoah-jdk8u. +- Re-generate JDK-8141570 & JDK-8143245 patches due to 8210425 zeroshark.make changes. +- Resolves: rhbz#1705328 + +* Mon May 13 2019 Andrew Hughes - 1:1.8.0.222.b02-1 +- Update to aarch64-shenandoah-jdk8u222-b02. +- Drop 8064786/PR3599 & 8210416/RH1632174 as applied upstream (8064786 silently in 8176100). +- Resolves: rhbz#1705328 + +* Thu May 02 2019 Andrew Hughes - 1:1.8.0.222.b01-1 +- Update to aarch64-shenandoah-jdk8u222-b01. +- Refactor PR2888 after inclusion of 8129988 upstream. Now includes PR3575. +- Drop 8171000, 8197546 & PR3634 as applied upstream. +- Adjust 8214206 fix for S390 as BinaryMagnitudeSeq moved to shenandoahNumberSeq.cpp +- Resolves: rhbz#1705328 + +* Thu Apr 11 2019 Andrew Hughes - 1:1.8.0.212.b04-1 +- Update to aarch64-shenandoah-jdk8u212-b04. +- Resolves: rhbz#1693468 + +* Thu Apr 11 2019 Andrew Hughes - 1:1.8.0.212.b03-0 +- Update to aarch64-shenandoah-jdk8u212-b03. +- Resolves: rhbz#1693468 + +* Tue Apr 09 2019 Andrew Hughes - 1:1.8.0.212.b02-0 +- Update to aarch64-shenandoah-jdk8u212-b02. +- Remove patches included upstream + - JDK-8197429/PR3546/RH153662{2,3} + - JDK-8184309/PR3596 +- Re-generate patches + - JDK-8203030 +- Add casts to resolve s390 ambiguity in calls to log2_intptr +- Resolves: rhbz#1693468 + +* Sun Apr 07 2019 Andrew Hughes - 1:1.8.0.202.b08-0 +- Update to aarch64-shenandoah-jdk8u202-b08. +- Remove patches included upstream + - JDK-8211387/PR3559 + - JDK-8073139/PR1758/RH1191652 + - JDK-8044235 + - JDK-8131048/PR3574/RH1498936 + - JDK-8164920/PR3574/RH1498936 +- Resolves: rhbz#1693468 + +* Thu Apr 04 2019 Andrew Hughes - 1:1.8.0.201.b13-0 +- Update to aarch64-shenandoah-jdk8u201-b13. +- Drop JDK-8160748 & JDK-8189170 AArch64 patches now applied upstream. +- Resolves: rhbz#1693468 + +* Tue Apr 02 2019 Severin Gehwolf - 1:1.8.0.201.b09-3 +- Update patch for RH1566890. + - Renamed rh1566890_speculative_store_bypass_so_added_more_per_task_speculation_control_CVE_2018_3639 to + rh1566890-CVE_2018_3639-speculative_store_bypass.patch + - Added dependent patch, + rh1566890-CVE_2018_3639-speculative_store_bypass_toggle.patch +- Resolves: rhbz#1693468 + +* Tue Mar 12 2019 Jiri Vanek - 1:1.8.0.201.b09-2 +- name adapted to current tag + +* Thu Feb 28 2019 Jiri Vanek jvanek@redhat.com - 1:1.8.0.201.b09-2 +- Replaced pcsc-lite-devel (which is in optional channel) with pcsc-lite-libs. +- added rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch to make jdk work with pcsc + +* Tue Feb 26 2019 Jiri Vanek - 1:1.8.0.201.b09-0 +- cripled rpms original specto roduce only portable build +- Resolves: rhbz#1661577 diff --git a/java-1.8.0-openjdk.spec b/java-1.8.0-openjdk.spec index 141e952..adc805d 100644 --- a/java-1.8.0-openjdk.spec +++ b/java-1.8.0-openjdk.spec @@ -132,7 +132,7 @@ # Set of architectures where we verify backtraces with gdb %global gdb_arches %{jit_arches} %{zero_arches} # Set of architectures for which we have a portable build -%global portable_build_arches %{aarch64} %{power64} x86_64 +%global portable_build_arches %{aarch64} %{ix86} %{power64} x86_64 # By default, we build a debug build during main build on JIT architectures %if %{with slowdebug} @@ -338,7 +338,7 @@ # note, following three variables are sedded from update_sources if used correctly. Hardcode them rather there. %global shenandoah_project openjdk %global shenandoah_repo shenandoah-jdk8u -%global openjdk_revision jdk8u362-b09 +%global openjdk_revision jdk8u372-b07 %global shenandoah_revision shenandoah-%{openjdk_revision} # Define old aarch64/jdk8u tree variables for compatibility %global project %{shenandoah_project} @@ -354,15 +354,11 @@ %global updatever %(VERSION=%{whole_update}; echo ${VERSION##*u}) # eg jdk8u60-b27 -> b27 %global buildver %(VERSION=%{version_tag}; echo ${VERSION##*-}) -%global rpmrelease 4 +%global rpmrelease 2 # Settings used by the portable build -%global portablerelease 4 -%global portablesuffix el7openjdkportable +%global portablerelease 2 +%global portablesuffix el8 %global portablebuilddir /builddir/build/BUILD -# Temporary override until we have the portable version in sync -# b09 only contains some build fixes for RHEL 6 & Windows -%global portablebuildver b08 -%global portableversion %{javaver}.%{updatever}.%{portablebuildver} # Define milestone (EA for pre-releases, GA ("fcs") for releases) # Release will be (where N is usually a number starting at 1): @@ -845,6 +841,8 @@ exit 0 %license %{_jvmdir}/%{jredir -- %{?1}}/LICENSE %license %{_jvmdir}/%{jredir -- %{?1}}/THIRD_PARTY_README %doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/NEWS +%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/README.md +%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/java-1.%{majorver}.0-openjdk-portable.specfile %dir %{_jvmdir}/%{sdkdir -- %{?1}} %{_jvmdir}/%{jrelnk -- %{?1}} %dir %{_jvmdir}/%{jredir -- %{?1}}/lib/security @@ -1190,7 +1188,6 @@ exit 0 %define files_src() %{expand: %defattr(-,root,root,-) -%doc README.md %{_jvmdir}/%{sdkdir -- %{?1}}/src.zip } @@ -1404,9 +1401,6 @@ URL: http://openjdk.java.net/ # where the source is obtained from http://hg.openjdk.java.net/%%{project}/%%{repo} Source0: %{shenandoah_project}-%{shenandoah_repo}-%{shenandoah_revision}-4curve.tar.xz -# Custom README for -src subpackage -Source2: README.md - # Release notes Source7: NEWS @@ -1443,70 +1437,22 @@ Source17: nss.fips.cfg.in # Ensure translations are available for new timezones Source18: TestTranslations.java -Source20: repackReproduciblePolycies.sh +Source21: repackReproduciblePolycies.sh # New versions of config files with aarch64 support. This is not upstream yet. Source100: config.guess Source101: config.sub -# TODO: Portable packages are not yet available in buildroot -# Temporarily add them as sources - -# aarch64 -Source1000: %{name}-portable-%{portableversion}-%{portablerelease}.portable.unstripped.jdk.el.aarch64.tar.xz -Source1002: %{name}-portable-%{portableversion}-%{portablerelease}.portable.docs.el.aarch64.tar.xz -Source1003: %{name}-portable-%{portableversion}-%{portablerelease}.portable.misc.el.aarch64.tar.xz -Source1004: %{name}-portable-%{portableversion}-%{portablerelease}.portable.slowdebug.jdk.el.aarch64.tar.xz -Source1006: %{name}-portable-%{portableversion}-%{portablerelease}.portable.fastdebug.jdk.el.aarch64.tar.xz - -# ppc64le -Source2000: %{name}-portable-%{portableversion}-%{portablerelease}.portable.unstripped.jdk.el.ppc64le.tar.xz -Source2002: %{name}-portable-%{portableversion}-%{portablerelease}.portable.docs.el.ppc64le.tar.xz -Source2003: %{name}-portable-%{portableversion}-%{portablerelease}.portable.misc.el.ppc64le.tar.xz -Source2004: %{name}-portable-%{portableversion}-%{portablerelease}.portable.slowdebug.jdk.el.ppc64le.tar.xz -Source2006: %{name}-portable-%{portableversion}-%{portablerelease}.portable.fastdebug.jdk.el.ppc64le.tar.xz - -# s390x -Source3000: %{name}-portable-%{portableversion}-%{portablerelease}.portable.unstripped.jdk.el.s390x.tar.xz -Source3002: %{name}-portable-%{portableversion}-%{portablerelease}.portable.docs.el.s390x.tar.xz -Source3003: %{name}-portable-%{portableversion}-%{portablerelease}.portable.misc.el.s390x.tar.xz - -# x86_64 -Source4000: %{name}-portable-%{portableversion}-%{portablerelease}.portable.unstripped.jdk.el.x86_64.tar.xz -Source4002: %{name}-portable-%{portableversion}-%{portablerelease}.portable.docs.el.x86_64.tar.xz -Source4003: %{name}-portable-%{portableversion}-%{portablerelease}.portable.misc.el.x86_64.tar.xz -Source4004: %{name}-portable-%{portableversion}-%{portablerelease}.portable.slowdebug.jdk.el.x86_64.tar.xz -Source4006: %{name}-portable-%{portableversion}-%{portablerelease}.portable.fastdebug.jdk.el.x86_64.tar.xz +# Include portable spec and instructions on how to rebuild +Source19: README.md +Source20: java-1.%{majorver}.0-openjdk-portable.specfile # Setup variables to reference correct sources -%ifarch %{aarch64} -%global releasezip %{SOURCE1000} -%global docszip %{SOURCE1002} -%global misczip %{SOURCE1003} -%global slowdebugzip %{SOURCE1004} -%global fastdebugzip %{SOURCE1006} -%endif -%ifarch %{ppc64le} -%global releasezip %{SOURCE2000} -%global docszip %{SOURCE2002} -%global misczip %{SOURCE2003} -%global slowdebugzip %{SOURCE2004} -%global fastdebugzip %{SOURCE2006} -%endif -%ifarch s390x -%global releasezip %{SOURCE3000} -%global docszip %{SOURCE3002} -%global misczip %{SOURCE3003} -%global slowdebugzip %{nil} -%global fastdebugzip %{nil} -%endif -%ifarch x86_64 -%global releasezip %{SOURCE4000} -%global docszip %{SOURCE4002} -%global misczip %{SOURCE4003} -%global slowdebugzip %{SOURCE4004} -%global fastdebugzip %{SOURCE4006} -%endif +%global releasezip %{_jvmdir}/%{name}-portable-%{version}-%{portablerelease}.portable.unstripped.jdk.%{_arch}.tar.xz +%global docszip %{_jvmdir}/%{name}-portable-%{version}-%{portablerelease}.portable.docs.%{_arch}.tar.xz +%global misczip %{_jvmdir}/%{name}-portable-%{version}-%{portablerelease}.portable.misc.%{_arch}.tar.xz +%global slowdebugzip %{_jvmdir}/%{name}-portable-%{version}-%{portablerelease}.portable.slowdebug.jdk.%{_arch}.tar.xz +%global fastdebugzip %{_jvmdir}/%{name}-portable-%{version}-%{portablerelease}.portable.fastdebug.jdk.%{_arch}.tar.xz ############################################ # @@ -1575,8 +1521,6 @@ Patch600: rh1750419-redhat_alt_java.patch Patch111: jdk8218811-perfMemory_linux.patch # JDK-8281098, PR3836: Extra compiler flags not passed to adlc build Patch112: jdk8281098-pr3836-pass_compiler_flags_to_adlc.patch -# JDK-8275535, RH2053256: Retrying a failed authentication on multiple LDAP servers can lead to users blocked -Patch113: jdk8275535-rh2053256-ldap_auth.patch ############################################# # @@ -1624,13 +1568,15 @@ Patch581: jdk8257794-remove_broken_assert.patch ############################################# # -# Patches appearing in 8u362 +# Patches appearing in 8u382 # # This section includes patches which are present # in the listed OpenJDK 8u release and should be # able to be removed once that release is out # and used by this RPM. ############################################# +# JDK-8271199, RH2175317: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key +Patch2001: jdk8271199-rh2175317-custom_pkcs11_provider_support.patch ############################################# # @@ -1697,12 +1643,17 @@ BuildRequires: unzip # For definitions and macros like jvmdir BuildRequires: javapackages-filesystem %ifarch %{portable_build_arches} -# TODO: Portable packages are not yet available in buildroot -#BuildRequires: %{name}-portable-unstripped = %{VERSION} -#BuildRequires: %{name}-portable-docs = %{VERSION} -#BuildRequires: %{name}-portable-misc = %{VERSION} -#BuildRequires: %{name}-portable-devel-fastdebug = %{VERSION} -#BuildRequires: %{name}-portable-devel-slowdebug = %{VERSION} +%if %{include_normal_build} +BuildRequires: java-1.%{majorver}.0-openjdk-portable-unstripped = %{epoch}:%{version}-%{portablerelease}.%{portablesuffix} +%endif +%if %{include_fastdebug_build} +BuildRequires: java-1.%{majorver}.0-openjdk-portable-devel-fastdebug = %{epoch}:%{version}-%{portablerelease}.%{portablesuffix} +%endif +%if %{include_debug_build} +BuildRequires: java-1.%{majorver}.0-openjdk-portable-devel-slowdebug = %{epoch}:%{version}-%{portablerelease}.%{portablesuffix} +%endif +BuildRequires: java-1.%{majorver}.0-openjdk-portable-docs = %{epoch}:%{version}-%{portablerelease}.%{portablesuffix} +BuildRequires: java-1.%{majorver}.0-openjdk-portable-misc = %{epoch}:%{version}-%{portablerelease}.%{portablesuffix} %else # Require a boot JDK which doesn't fail due to RH1482244 BuildRequires: java-%{buildjdkver}-openjdk-devel >= 1.7.0.151-2.6.11.3 @@ -1712,8 +1663,8 @@ BuildRequires: java-%{buildjdkver}-openjdk-devel >= 1.7.0.151-2.6.11.3 BuildRequires: libffi BuildRequires: libffi-devel %endif -# 2022g required as of JDK-8297804 -BuildRequires: tzdata-java >= 2022g +# 2023c required as of JDK-8305113 +BuildRequires: tzdata-java >= 2023c # Earlier versions have a bug in tree vectorization on PPC BuildRequires: gcc >= 4.8.3-8 @@ -1982,8 +1933,6 @@ fi # For old patches ln -s %{top_level_dir_name} jdk8 -cp %{SOURCE2} . - # replace outdated configure guess script # # the configure macro will do this too, but it also passes a few flags not @@ -2028,7 +1977,6 @@ sh %{SOURCE12} %patch111 %patch112 %patch581 -%patch113 pushd %{top_level_dir_name} # Add crypto policy and FIPS support @@ -2037,6 +1985,8 @@ pushd %{top_level_dir_name} %patch1000 -p1 # cacerts patch; must follow FIPS patch as it also alters java.security %patch539 -p1 +# 8u382 fix +%patch2001 -p1 popd # RPM-only fixes @@ -2322,7 +2272,7 @@ for suffix in %{build_loop} ; do mkdir -p $(dirname ${installdir}) mv %{name}* ${installdir} # Fix build paths in ELF files so it looks like we built them - portablenvr="%{name}-portable-%{portableversion}-%{portablerelease}.%{portablesuffix}.%{_arch}" + portablenvr="%{name}-portable-%{version}-%{portablerelease}.%{portablesuffix}.%{_arch}" for file in $(find ${installdir} -type f) ; do if file ${file} | grep -q 'ELF'; then %{debugedit} -b %{portablebuilddir}/${portablenvr} -d $(pwd) -n ${file} @@ -2534,7 +2484,7 @@ for suffix in %{build_loop} ; do miscdir=%{top_level_dir_name}/jdk/src/solaris/classes/sun/awt/X11 %endif - # Install release notes + # Install release notes and rebuild instructions commondocdir=${RPM_BUILD_ROOT}%{_defaultdocdir}/%{uniquejavadocdir -- $suffix} install -d -m 755 ${commondocdir} %ifarch %{portable_build_arches} @@ -2542,6 +2492,7 @@ for suffix in %{build_loop} ; do %else cp -a %{SOURCE7} ${commondocdir} %endif + cp -a %{SOURCE19} %{SOURCE20} ${commondocdir} # Install the jdk pushd ${jdk_image} @@ -2605,11 +2556,10 @@ if ! echo $suffix | grep -q "debug" ; then # Install Javadoc documentation install -d -m 755 $RPM_BUILD_ROOT%{_javadocdir} cp -a ${docdir}/docs $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix} + built_doc_archive=jdk-%{javaver}_%{updatever}%{milestone_version}$suffix-%{buildver}-docs.zip %ifarch %{portable_build_arches} - built_doc_archive=jdk-%{javaver}_%{updatever}%{milestone_version}$suffix-%{portablebuildver}-docs.zip cp -a ${docdir}/$built_doc_archive $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}.zip %else - built_doc_archive=`echo "jdk-%{javaver}_%{updatever}%{milestone_version}$suffix-%{buildver}-docs.zip" | sed s/slowdebug/debug/` cp -a %{installoutputdir -- $suffix}/bundles/$built_doc_archive $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}.zip %endif fi @@ -2658,7 +2608,7 @@ find $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/demo \ | sed 's|^|%dir |' \ >> %{name}-demo.files"$suffix" -bash %{SOURCE20} $RPM_BUILD_ROOT/%{_jvmdir}/%{jredir -- $suffix} %{javaver} +bash %{SOURCE21} $RPM_BUILD_ROOT/%{_jvmdir}/%{jredir -- $suffix} %{javaver} # https://bugzilla.redhat.com/show_bug.cgi?id=1183793 touch -t 201401010000 $RPM_BUILD_ROOT/%{_jvmdir}/%{jredir -- $suffix}/lib/security/java.security @@ -2900,6 +2850,24 @@ cjc.mainProgram(args) %endif %changelog +* Tue Apr 18 2023 Andrew Hughes - 1:1.8.0.372.b07-2 +- Update to shenandoah-jdk8u372-b07 (GA) +- Update release notes for shenandoah-8u372-b07. +- Require tzdata 2023c due to inclusion of JDK-8305113 in 8u372-b07 +- Update generate_tarball.sh to add support for passing a boot JDK to the configure run +- Add POSIX-friendly error codes to generate_tarball.sh and fix whitespace +- Remove .jcheck and GitHub support when generating tarballs, as done in upstream release tarballs +- Drop JDK-8275535/RH2053256 patch which is now upstream +- Include JDK-8271199 backport early ahead of 8u382 (RH2175317) +- Drop hack for difference in local and portable build version +- Replace local copies of JDK portable binaries with build dependencies +- Include the java-1.8.0-openjdk-portable.spec file with instructions on how to rebuild. +- Remove duplicate use of README.md inside the *-src package (it is no longer about sources) +- Use portable build on x86_32 now one is available +- ** This tarball is embargoed until 2023-04-18 @ 1pm PT. ** +- Resolves: rhbz#2185182 +- Resolves: rhbz#2189329 + * Tue Feb 28 2023 Andrew Hughes - 1:1.8.0.362.b09-4 - Drop use of portable build on s390x due to libffi compatibility issue (needs libffi.so.6) - Related: rhbz#2150202 diff --git a/jdk8271199-rh2175317-custom_pkcs11_provider_support.patch b/jdk8271199-rh2175317-custom_pkcs11_provider_support.patch new file mode 100644 index 0000000..42ac516 --- /dev/null +++ b/jdk8271199-rh2175317-custom_pkcs11_provider_support.patch @@ -0,0 +1,167 @@ +commit d41618f34f1d2f5416ec3c035f33dcb15cf5ab99 +Author: Alexey Bakhtin +Date: Tue Apr 4 10:29:11 2023 +0000 + + 8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key + + Reviewed-by: andrew, mbalao + Backport-of: f6232982b91cb2314e96ddbde3984836a810a556 + +diff --git a/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java b/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java +index a79e97d7c74..5378446b97b 100644 +--- a/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java ++++ b/jdk/src/share/classes/sun/security/rsa/RSAPSSSignature.java +@@ -127,12 +127,15 @@ public class RSAPSSSignature extends SignatureSpi { + @Override + protected void engineInitVerify(PublicKey publicKey) + throws InvalidKeyException { +- if (!(publicKey instanceof RSAPublicKey)) { ++ if (publicKey instanceof RSAPublicKey) { ++ RSAPublicKey rsaPubKey = (RSAPublicKey)publicKey; ++ isPublicKeyValid(rsaPubKey); ++ this.pubKey = rsaPubKey; ++ this.privKey = null; ++ resetDigest(); ++ } else { + throw new InvalidKeyException("key must be RSAPublicKey"); + } +- this.pubKey = (RSAPublicKey) isValid((RSAKey)publicKey); +- this.privKey = null; +- resetDigest(); + } + + // initialize for signing. See JCA doc +@@ -146,14 +149,17 @@ public class RSAPSSSignature extends SignatureSpi { + @Override + protected void engineInitSign(PrivateKey privateKey, SecureRandom random) + throws InvalidKeyException { +- if (!(privateKey instanceof RSAPrivateKey)) { ++ if (privateKey instanceof RSAPrivateKey) { ++ RSAPrivateKey rsaPrivateKey = (RSAPrivateKey)privateKey; ++ isPrivateKeyValid(rsaPrivateKey); ++ this.privKey = rsaPrivateKey; ++ this.pubKey = null; ++ this.random = ++ (random == null ? JCAUtil.getSecureRandom() : random); ++ resetDigest(); ++ } else { + throw new InvalidKeyException("key must be RSAPrivateKey"); + } +- this.privKey = (RSAPrivateKey) isValid((RSAKey)privateKey); +- this.pubKey = null; +- this.random = +- (random == null? JCAUtil.getSecureRandom() : random); +- resetDigest(); + } + + /** +@@ -205,11 +211,57 @@ public class RSAPSSSignature extends SignatureSpi { + } + } + ++ /** ++ * Validate the specified RSAPrivateKey ++ */ ++ private void isPrivateKeyValid(RSAPrivateKey prKey) throws InvalidKeyException { ++ try { ++ if (prKey instanceof RSAPrivateCrtKey) { ++ RSAPrivateCrtKey crtKey = (RSAPrivateCrtKey)prKey; ++ if (RSAPrivateCrtKeyImpl.checkComponents(crtKey)) { ++ RSAKeyFactory.checkRSAProviderKeyLengths( ++ crtKey.getModulus().bitLength(), ++ crtKey.getPublicExponent()); ++ } else { ++ throw new InvalidKeyException( ++ "Some of the CRT-specific components are not available"); ++ } ++ } else { ++ RSAKeyFactory.checkRSAProviderKeyLengths( ++ prKey.getModulus().bitLength(), ++ null); ++ } ++ } catch (InvalidKeyException ikEx) { ++ throw ikEx; ++ } catch (Exception e) { ++ throw new InvalidKeyException( ++ "Can not access private key components", e); ++ } ++ isValid(prKey); ++ } ++ ++ /** ++ * Validate the specified RSAPublicKey ++ */ ++ private void isPublicKeyValid(RSAPublicKey pKey) throws InvalidKeyException { ++ try { ++ RSAKeyFactory.checkRSAProviderKeyLengths( ++ pKey.getModulus().bitLength(), ++ pKey.getPublicExponent()); ++ } catch (InvalidKeyException ikEx) { ++ throw ikEx; ++ } catch (Exception e) { ++ throw new InvalidKeyException( ++ "Can not access public key components", e); ++ } ++ isValid(pKey); ++ } ++ + /** + * Validate the specified RSAKey and its associated parameters against + * internal signature parameters. + */ +- private RSAKey isValid(RSAKey rsaKey) throws InvalidKeyException { ++ private void isValid(RSAKey rsaKey) throws InvalidKeyException { + try { + AlgorithmParameterSpec keyParams = rsaKey.getParams(); + // validate key parameters +@@ -227,7 +279,6 @@ public class RSAPSSSignature extends SignatureSpi { + } + checkKeyLength(rsaKey, hLen, this.sigParams.getSaltLength()); + } +- return rsaKey; + } catch (SignatureException e) { + throw new InvalidKeyException(e); + } +diff --git a/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java b/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java +index 6b219937981..b3c1fae9672 100644 +--- a/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java ++++ b/jdk/src/share/classes/sun/security/rsa/RSAPrivateCrtKeyImpl.java +@@ -80,22 +80,28 @@ public final class RSAPrivateCrtKeyImpl + RSAPrivateCrtKeyImpl key = new RSAPrivateCrtKeyImpl(encoded); + // check all CRT-specific components are available, if any one + // missing, return a non-CRT key instead +- if ((key.getPublicExponent().signum() == 0) || +- (key.getPrimeExponentP().signum() == 0) || +- (key.getPrimeExponentQ().signum() == 0) || +- (key.getPrimeP().signum() == 0) || +- (key.getPrimeQ().signum() == 0) || +- (key.getCrtCoefficient().signum() == 0)) { ++ if (checkComponents(key)) { ++ return key; ++ } else { + return new RSAPrivateKeyImpl( + key.algid, + key.getModulus(), +- key.getPrivateExponent() +- ); +- } else { +- return key; ++ key.getPrivateExponent()); + } + } + ++ /** ++ * Validate if all CRT-specific components are available. ++ */ ++ static boolean checkComponents(RSAPrivateCrtKey key) { ++ return !((key.getPublicExponent().signum() == 0) || ++ (key.getPrimeExponentP().signum() == 0) || ++ (key.getPrimeExponentQ().signum() == 0) || ++ (key.getPrimeP().signum() == 0) || ++ (key.getPrimeQ().signum() == 0) || ++ (key.getCrtCoefficient().signum() == 0)); ++ } ++ + /** + * Generate a new key from the specified type and components. + * Returns a CRT key if possible and a non-CRT key otherwise. diff --git a/jdk8275535-rh2053256-ldap_auth.patch b/jdk8275535-rh2053256-ldap_auth.patch deleted file mode 100644 index ca3e985..0000000 --- a/jdk8275535-rh2053256-ldap_auth.patch +++ /dev/null @@ -1,26 +0,0 @@ -diff --git openjdk.orig/jdk/src/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java openjdk/jdk/src/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java -index cf4becb7db..4ab2ac0a31 100644 ---- openjdk.orig/jdk/src/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java -+++ openjdk/jdk/src/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java -@@ -189,6 +189,10 @@ final public class LdapCtxFactory implements ObjectFactory, InitialContextFactor - ctx = getLdapCtxFromUrl( - r.getDomainName(), url, new LdapURL(u), env); - return ctx; -+ } catch (AuthenticationException e) { -+ // do not retry on a different endpoint to avoid blocking -+ // the user if authentication credentials are wrong. -+ throw e; - } catch (NamingException e) { - // try the next element - lastException = e; -@@ -241,6 +245,10 @@ final public class LdapCtxFactory implements ObjectFactory, InitialContextFactor - for (String u : urls) { - try { - return getUsingURL(u, env); -+ } catch (AuthenticationException e) { -+ // do not retry on a different URL to avoid blocking -+ // the user if authentication credentials are wrong. -+ throw e; - } catch (NamingException e) { - ex = e; - } diff --git a/sources b/sources index ea53fc4..808ed42 100644 --- a/sources +++ b/sources @@ -1,20 +1,2 @@ SHA512 (tapsets-icedtea-3.15.0.tar.xz) = c752a197cb3d812d50c35e11e4722772be40096c81d2a57933e0d9b8a3c708b9c157b8108a4e33a06ca7bb81648170994408c75d6f69d5ff12785d0c31009671 -SHA512 (openjdk-shenandoah-jdk8u-shenandoah-jdk8u362-b09-4curve.tar.xz) = 2ed16c616189e7872ecf36c82e86b551b1e6efc4d11a93264db856f01191875a82ddaec3363b5f8296ea225a9a8edf4c0e1504ff27d8474088ba0b2f6fc061d5 -SHA512 (java-1.8.0-openjdk-portable-1.8.0.362.b08-4.portable.docs.el.aarch64.tar.xz) = 7fce6dc8ebceb8e0806da8539f06d126fa4b688c5c9522aa93e9493103fa1bff0608de0edb264ce4a86b25fc9f89973f6a054d72e98529f68c49150395c72b98 -SHA512 (java-1.8.0-openjdk-portable-1.8.0.362.b08-4.portable.docs.el.ppc64le.tar.xz) = 2bac5b118490e76efb843dd4f0a9c96e478c85d46cd765becc7e2525cb39b9e6fde1c58a416cd3ddbc7df078e31ba037e742af6821f8a03bc207f5d4d4e66612 -SHA512 (java-1.8.0-openjdk-portable-1.8.0.362.b08-4.portable.docs.el.s390x.tar.xz) = 9158b158a189f36c9b58a3e24c7e3e24feeaa7e15d3dbca085b4f20689ec2874be5d8b9bebf2b76320f5e934bf16b42daaa743f5b27a7b3bf9ec39f156245b09 -SHA512 (java-1.8.0-openjdk-portable-1.8.0.362.b08-4.portable.docs.el.x86_64.tar.xz) = 7189898f419e83a83e242ed45b2bda70b5c1e69f0fcdfd8bf721f1e99a7cc24220912aa110385466da294bd15c294fc923ce6baf57c84ed2b021e8d56f5c503c -SHA512 (java-1.8.0-openjdk-portable-1.8.0.362.b08-4.portable.fastdebug.jdk.el.aarch64.tar.xz) = 949110664035f93eccd6f47b2d5df7e43bb26ce120c97ec8a56fffd2f6e68d7b6fe368e4661d6bb7669726c24a47ed21985865a2eafc911ddd27def7bd1ae955 -SHA512 (java-1.8.0-openjdk-portable-1.8.0.362.b08-4.portable.fastdebug.jdk.el.ppc64le.tar.xz) = 13f5982dd99e99fc88e22cd604575ae7e4430caaee9c86ae7f8ab332d2bbfe4cd97a343da4a9ffe5eb685b00ccdb9cb03d38e2779d279717a3ba32b81608bc54 -SHA512 (java-1.8.0-openjdk-portable-1.8.0.362.b08-4.portable.fastdebug.jdk.el.x86_64.tar.xz) = b0ee5f1ab913655860005c0aeac36afcf47811eb1c026b05ef2927695829d4fe6f99f1b038107c99b8d12039122a48d08a5ae1f291804f4b4b5dc19529c8f903 -SHA512 (java-1.8.0-openjdk-portable-1.8.0.362.b08-4.portable.misc.el.aarch64.tar.xz) = 5cfe934f17949d7c4dfbd0f825957039c85d544bd09004e1825f7cca0c5ce34a6dbccc34150bc7d87cee055d538a5ffb435a9accc335000fac7193696d4fe40b -SHA512 (java-1.8.0-openjdk-portable-1.8.0.362.b08-4.portable.misc.el.ppc64le.tar.xz) = fd5511e78fabb85a1a73a3d8e7dfca50f36852d45e0f598bc9d9813056ea509e539dad0d10546291a7bfadae4ae2b1897cdb635949fb41a195649db757619644 -SHA512 (java-1.8.0-openjdk-portable-1.8.0.362.b08-4.portable.misc.el.s390x.tar.xz) = 41488ef06b28013c96a04ec5c932b2e37ce3580f2beddec70760216e84e6de69206f8ba370788f8e382af2e42380d13c8f598cbc0ef6148bebeb6caed15e6358 -SHA512 (java-1.8.0-openjdk-portable-1.8.0.362.b08-4.portable.misc.el.x86_64.tar.xz) = 7805e8c6647250198e7c41cfa8ef1aec8ed6f6cbf62d816e9bf161b5177fd1f3007bf247205dc2360e5026060eb44921f17111694dc93cafa1ebf4fdde697086 -SHA512 (java-1.8.0-openjdk-portable-1.8.0.362.b08-4.portable.slowdebug.jdk.el.aarch64.tar.xz) = f79d6086eec6c751aca4a2ba22ca03a30a24dc8d10a0115fbc5a901e1a9c4fdfb7fc463ff0cdaddba0b9285ef25aa9ab7b1c8c0e772c06e53617741484e010c7 -SHA512 (java-1.8.0-openjdk-portable-1.8.0.362.b08-4.portable.slowdebug.jdk.el.ppc64le.tar.xz) = 870a2de374d90d53e2078a930b6df3800001489b1bcd01a8014c227a9dd8be86ae1038a92ae65730ffeba08df88a085ab9b00c337f95e7577593ace3e67ca128 -SHA512 (java-1.8.0-openjdk-portable-1.8.0.362.b08-4.portable.slowdebug.jdk.el.x86_64.tar.xz) = 35cef5ec1fdf04e6095c4cc018948e07616102d9f82db11e5ad0c3e0ddd0fbc83d4b2c134d47e6311650a91ee7301c5606b7657486c6a71c4c7982aac103f048 -SHA512 (java-1.8.0-openjdk-portable-1.8.0.362.b08-4.portable.unstripped.jdk.el.aarch64.tar.xz) = 0b83725711408fedf3bae3cfeb4a670312085982699da6510652d2f516729082dae3733e1736815a035a355d55af8c70407196fc8377b0fd8dccc062711d2d0d -SHA512 (java-1.8.0-openjdk-portable-1.8.0.362.b08-4.portable.unstripped.jdk.el.ppc64le.tar.xz) = d8267a6f30a379181f461ce030a0b325e69dde89cbab7eba82ec8431227f2d982350b60ecf3380cafc1943696a8d17f477baab87b4c9a38a454543f5091841af -SHA512 (java-1.8.0-openjdk-portable-1.8.0.362.b08-4.portable.unstripped.jdk.el.s390x.tar.xz) = bc80c58e6010f9722c932c4231e90c79b3285c6dc47fcffaeaf76839cd08e7602314d3648568354858c99f4b8163dc1cf3d4bf5e651dea8d715dde286a836c00 -SHA512 (java-1.8.0-openjdk-portable-1.8.0.362.b08-4.portable.unstripped.jdk.el.x86_64.tar.xz) = 0e4eed7f8d21473c07c4edd2cd764b659527676d5e8547403db60d2ca52a81567084f444b479bf1fa4f5cb3f863fce811d2be04d6608399f8fd5ab26b5720d00 +SHA512 (openjdk-shenandoah-jdk8u-shenandoah-jdk8u372-b07-4curve.tar.xz) = afc1324463883404f22cea3c37177d7b6164fc4cf285d958e7ec21aba976dc306045296eadaa296a31795be6b543ca0b742e0ba074689c3e5a50b9956383934b