From 500b1da933c13246c6f468de15e6ef1b9a07403b Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Wed, 6 Oct 2021 05:14:00 -0400 Subject: [PATCH] import java-11-openjdk-11.0.12.0.7-4.el8 --- .gitignore | 4 +- .java-11-openjdk.metadata | 4 +- SOURCES/NEWS | 1008 ++++++++ SOURCES/TestSecurityProperties.java | 43 + ...12-pkcs11_incorrrect_session_closure.patch | 480 ---- ...61-rh1895274-crash_in_MinINode_Ideal.patch | 32 - SOURCES/jdk8254177-tzdata2020b.patch | 2041 ----------------- ...69668-rh1977671-aarch64_lib_path_fix.patch | 32 + SOURCES/remove-intree-libraries.sh | 34 +- SOURCES/rh1750419-redhat_alt_java.patch | 13 +- .../rh1842572-rsa_default_for_keytool.patch | 4 +- .../rh1868740-cryptoki_access_to_sunjce.patch | 12 - .../rh1868754-pkcs11_cancel_on_failure.patch | 21 - ...cess_to_sunjce_with_security_manager.patch | 60 - ...lways_initialise_configurator_access.patch | 68 + ...929465-improve_system_FIPS_detection.patch | 430 ++++ .../rh1996182-extend_security_policy.patch | 18 + ...h1996182-login_to_nss_software_token.patch | 66 + SOURCES/s390-8214206_fix.patch | 12 - SPECS/java-11-openjdk.spec | 690 ++++-- 20 files changed, 2226 insertions(+), 2846 deletions(-) create mode 100644 SOURCES/TestSecurityProperties.java delete mode 100644 SOURCES/jdk8236512-pkcs11_incorrrect_session_closure.patch delete mode 100644 SOURCES/jdk8250861-rh1895274-crash_in_MinINode_Ideal.patch delete mode 100644 SOURCES/jdk8254177-tzdata2020b.patch create mode 100644 SOURCES/jdk8269668-rh1977671-aarch64_lib_path_fix.patch delete mode 100644 SOURCES/rh1868740-cryptoki_access_to_sunjce.patch delete mode 100644 SOURCES/rh1868754-pkcs11_cancel_on_failure.patch delete mode 100644 SOURCES/rh1883849-cryptoki_access_to_sunjce_with_security_manager.patch create mode 100644 SOURCES/rh1915071-always_initialise_configurator_access.patch create mode 100644 SOURCES/rh1929465-improve_system_FIPS_detection.patch create mode 100644 SOURCES/rh1996182-extend_security_policy.patch create mode 100644 SOURCES/rh1996182-login_to_nss_software_token.patch delete mode 100644 SOURCES/s390-8214206_fix.patch diff --git a/.gitignore b/.gitignore index fcfb766..09ab344 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/jdk-updates-jdk11u-jdk-11.0.9+11-4curve.tar.xz -SOURCES/tapsets-icedtea-3.15.0.tar.xz +SOURCES/jdk-updates-jdk11u-jdk-11.0.12+7-4curve.tar.xz +SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz diff --git a/.java-11-openjdk.metadata b/.java-11-openjdk.metadata index e4fe5f2..42cb995 100644 --- a/.java-11-openjdk.metadata +++ b/.java-11-openjdk.metadata @@ -1,2 +1,2 @@ -4a65c2e79897772480e91d1bc60aca9a4c7e20f2 SOURCES/jdk-updates-jdk11u-jdk-11.0.9+11-4curve.tar.xz -7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz +7459fbf6c597831b6039c3a608048131cb637528 SOURCES/jdk-updates-jdk11u-jdk-11.0.12+7-4curve.tar.xz +c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz diff --git a/SOURCES/NEWS b/SOURCES/NEWS index a50068e..26c3f66 100644 --- a/SOURCES/NEWS +++ b/SOURCES/NEWS @@ -3,6 +3,1014 @@ Key: JDK-X - https://bugs.openjdk.java.net/browse/JDK-X CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY +New in release OpenJDK 11.0.12 (2021-07-20): +============================================= +Live versions of these release notes can be found at: + * https://bitly.com/openjdk11012 + * https://builds.shipilev.net/backports-monitor/release-notes-11.0.12.txt + +* Security fixes + - JDK-8256157: Improve bytecode assembly + - JDK-8256491: Better HTTP transport + - JDK-8258432, CVE-2021-2341: Improve file transfers + - JDK-8260453: Improve Font Bounding + - JDK-8260960: Signs of jarsigner signing + - JDK-8260967, CVE-2021-2369: Better jar file validation + - JDK-8262380: Enhance XML processing passes + - JDK-8262403: Enhanced data transfer + - JDK-8262410: Enhanced rules for zones + - JDK-8262477: Enhance String Conclusions + - JDK-8262967: Improve Zip file support + - JDK-8264066, CVE-2021-2388: Enhance compiler validation + - JDK-8264079: Improve abstractions + - JDK-8264460: Improve NTLM support +* Other changes + - JDK-6847157: java.lang.NullPointerException: HDC for component at sun.java2d.loops.Blit.Blit + - JDK-7106851: Test should not use System.exit + - JDK-8073446: TimeZone getOffset API does not return a dst offset between years 2038-2137 + - JDK-8076190: Customizing the generation of a PKCS12 keystore + - JDK-8153005: Upgrade the default PKCS12 encryption/MAC algorithms + - JDK-8171303: sun/java2d/pipe/InterpolationQualityTest.java fails on Windows & Linux + - JDK-8177068: incomplete classpath causes NPE in Flow + - JDK-8185734: [Windows] Structured Exception Catcher missing around gtest execution + - JDK-8187450: JNI local refs exceeds capacity warning in NetworkInterface::getAll + - JDK-8190763: Class cast exception on (CompoundEdit) UndoableEditEvent.getEdit() + - JDK-8195841: PNGImageReader.readNullTerminatedString() doesnt check for non-null terminated strings with length equal to maxLen + - JDK-8196100: javax/swing/text/JTextComponent/5074573/bug5074573.java fails + - JDK-8199646: JShell tests: jdk/jshell/FailOverDirectExecutionControlTest.java failed with java.lang.UnsupportedOperationException + - JDK-8206925: Support the certificate_authorities extension + - JDK-8207160: ClassReader::adjustMethodParams can potentially return null if the args list is empty + - JDK-8207247: AARCH64: Enable Minimal and Client VM builds + - JDK-8207404: MulticastSocket tests failing on AIX + - JDK-8207779: Method::is_valid_method() compares 'this' with NULL + - JDK-8208061: runtime/LoadClass/TestResize.java fails with "Load factor too high" when running in CDS mode. + - JDK-8209459: TestSHA512MultiBlockIntrinsics failed on AArch64 + - JDK-8210443: Migrate Locale matching tests to JDK Repo. + - JDK-8213231: ThreadSnapshot::_threadObj can become stale + - JDK-8213483: ARM32: runtime/ErrorHandling/ShowRegistersOnAssertTest.java jtreg test fail + - JDK-8213725: JShell NullPointerException due to class file with unexpected package + - JDK-8213794: ARM32: disable TypeProfiling, CriticalJNINatives, Serviceablity tests for ARM32 + - JDK-8213845: ARM32: Interpreter doesn't call result handler after native calls + - JDK-8214128: ARM32: wrong stack alignment on Deoptimization::unpack_frames + - JDK-8214512: ARM32: Jtreg test compiler/c2/Test8062950.java fails on ARM + - JDK-8214854: JDWP: Unforseen output truncation in logging + - JDK-8214922: Add vectorization support for fmin/fmax + - JDK-8215009: GCC 8 compilation error in libjli + - JDK-8216184: CDS/appCDS tests failed on Windows due to long path to a classlist file + - JDK-8216259: AArch64: Vectorize Adler32 intrinsics + - JDK-8216314: SIGILL in CodeHeapState::print_names() + - JDK-8217348: assert(thread->is_Java_thread()) failed: just checking + - JDK-8217465: [REDO] - Optimize CodeHeap Analytics + - JDK-8217561: X86: Add floating-point Math.min/max intrinsics + - JDK-8217918: C2: -XX:+AggressiveUnboxing is broken + - JDK-8218458: [TESTBUG] runtime/NMT/CheckForProperDetailStackTrace.java fails with Expected stack trace missing from output + - JDK-8219142: Remove unused JIMAGE_ResourcePath + - JDK-8219586: CodeHeap State Analytics processes dead nmethods + - JDK-8220074: Clean up GCC 8.3 errors in LittleCMS + - JDK-8220407: compiler/intrinsics/math/TestFpMinMaxIntrinsics.java timedout + - JDK-8222302: [TESTBUG]test/hotspot/jtreg/compiler/intrinsics/sha/cli/TestUseSHAOptionOnUnsupportedCPU.java fails on any other CPU + - JDK-8222412: AARCH64: multiple instructions encoding issues + - JDK-8223020: aarch64: expand minI_rReg and maxI_rReg patterns into separate instructions + - JDK-8223444: Improve CodeHeap Free Space Management + - JDK-8223504: Improve performance of forall loops by better inlining of "iterator()" methods + - JDK-8223667: ASAN build broken + - JDK-8225081: Remove Telia Company CA certificate expiring in April 2021 + - JDK-8225116: Test OwnedWindowsLeak.java intermittently fails + - JDK-8225438: javax/net/ssl/TLSCommon/TestSessionLocalPrincipal.java failed with Read timed out + - JDK-8225756: [testbug] compiler/loopstripmining/CheckLoopStripMining.java sets too short a SafepointTimeoutDelay + - JDK-8226374: Restrict TLS signature schemes and named groups + - JDK-8226627: assert(t->singleton()) failed: must be a constant + - JDK-8226721: Missing intrinsics for Math.ceil, floor, rint + - JDK-8227080: (fs) Files.newInputStream(...).skip(n) is slow + - JDK-8227222: vmTestbase/jit/FloatingPoint/gen_math/Loops04/Loops04.java failed XMM register should be 0-15 + - JDK-8227609: (fs) Files.newInputStream(...).skip(n) should allow skipping beyond file size + - JDK-8230428: Cleanup dead CastIP node code in formssel.cpp + - JDK-8231460: Performance issue (CodeHeap) with large free blocks + - JDK-8231713: x86_32 build failures after JDK-8226721 (Missing intrinsics for Math.ceil, floor, rint) + - JDK-8231841: AArch64: debug.cpp help() is missing an AArch64 line for pns + - JDK-8232084: HotSpot build failed with GCC 9.2.1 + - JDK-8232591: AArch64: Add missing match rules for smaddl, smsubl and smnegl + - JDK-8233185: HttpServer.stop() blocks indefinitely when called on dispatch thread + - JDK-8233787: Break cycle in vm_version* includes + - JDK-8233948: AArch64: Incorrect mapping between OptoReg and VMReg for high 64 bits of Vector Register + - JDK-8234355: Buffer overflow in jcmd GC.class_stats due to too many classes + - JDK-8235368: Update BCEL to Version 6.4.1 + - JDK-8236859: WebSocket over authenticating proxy fails with NPE + - JDK-8236992: AArch64: remove redundant load_klass in itable stub + - JDK-8237743: test/langtools/jdk/jshell/FailOverExecutionControlTest.java fails No ExecutionControlProvider with name 'nonExistent' and parameter keys: [] + - JDK-8237804: sun/security/mscapi tests fail with "Key pair not generated, alias already exists" + - JDK-8238175: CTW: Class.getDeclaredMethods fails with assert(k->is_subclass_of(SystemDictionary::Throwable_klass())) failed: invalid exception class + - JDK-8238567: SoftMainMixer.processAudioBuffers(): Wrong handling of stoppedMixers + - JDK-8238812: assert(false) failed: bad AD file + - JDK-8239312: [macos] javax/swing/JFrame/NSTexturedJFrame/NSTexturedJFrame.java + - JDK-8239386: handle ContendedPaddingWidth in vm_version_aarch64 + - JDK-8239536: Can't use `java.util.List` object after importing `java.awt.List` + - JDK-8240487: Cleanup whitespace in .cc, .hh, .m, and .mm files + - JDK-8240848: ArrayIndexOutOfBoundsException buf for TextCallbackHandler + - JDK-8241082: Upgrade IANA Language Subtag Registry data to 03-16-2020 version + - JDK-8241087: Build failure with VS 2019 (16.5.0) due to C2039 and C2873 + - JDK-8241101: [s390] jtreg test failure after JDK-8238696: not conformant features string + - JDK-8241248: NullPointerException in sun.security.ssl.HKDF.extract(HKDF.java:93) + - JDK-8241372: Several test failures due to javax.net.ssl.SSLException: Connection reset + - JDK-8241475: AArch64: Add missing support for PopCountVI node + - JDK-8241829: Cleanup the code for PrinterJob on windows + - JDK-8241960: The SHA3 message digests impl of SUN provider are not thread safe after cloned + - JDK-8242010: Upgrade IANA Language Subtag Registry to Version 2020-04-01 + - JDK-8242429: Better implementation for sign extract + - JDK-8242557: Add length limit for strings in PNGImageWriter + - JDK-8242919: Paste locks up jshell + - JDK-8243155: AArch64: Add support for SqrtVF + - JDK-8243240: AArch64: Add support for MulVB + - JDK-8243452: JFR: Could not create chunk in repository with over 200 recordings + - JDK-8243559: Remove root certificates with 1024-bit keys + - JDK-8243597: AArch64: Add support for integer vector abs + - JDK-8244031: HttpClient should have more tests for HEAD requests + - JDK-8244205: HTTP/2 tunnel connections through proxy may be reused regardless of which proxy is selected + - JDK-8244847: Linux/PPC: runtime/CompressedOops/CompressedClassPointers: smallHeapTest fails + - JDK-8245511: G1 adaptive IHOP does not account for reclamation of humongous objects by young GC + - JDK-8246274: G1 old gen allocation tracking is not in a separate class + - JDK-8247354: [aarch64] PopFrame causes assert(oopDesc::is_oop(obj)) failed: not an oop + - JDK-8247408: IdealGraph bit check expression canonicalization + - JDK-8247432: Update IANA Language Subtag Registry to Version 2020-09-29 + - JDK-8247438: JShell: When FailOverExecutionControlProvider fails the proximal cause is not shown + - JDK-8247753: UIManager.getSytemLookAndFeelClassName() returns wrong value on Fedora 32 + - JDK-8248043: Need to eliminate excessive i2l conversions + - JDK-8248411: [aarch64] Insufficient error handling when CodeBuffer is exhausted + - JDK-8248568: compiler/c2/TestBit.java failed: test missing from stdout/stderr + - JDK-8248870: AARCH64: I2L/L2I conversions can be skipped for masked positive values + - JDK-8249142: java/awt/FontClass/CreateFont/DeleteFont.sh is unstable + - JDK-8249189: AARCH64: more L2I conversions can be skipped + - JDK-8249719: MethodHandle performance suffers from bad ResolvedMethodTable hash function + - JDK-8249875: GCC 10 warnings -Wtype-limits with JFR code + - JDK-8250635: MethodArityHistogram should use Compile_lock in favour of fancy checks + - JDK-8250876: Fix issues with cross-compile on macos + - JDK-8251031: Some vmTestbase/nsk/monitoring/RuntimeMXBean tests fail with hostnames starting from digits + - JDK-8251525: AARCH64: Faster Math.signum(fp) + - JDK-8252259: AArch64: Adjust default value of FLOATPRESSURE + - JDK-8252311: AArch64: save two words in itable lookup stub + - JDK-8252779: compiler/graalunit/HotspotTest.java failed after 8251525 + - JDK-8252883: AccessDeniedException caused by delayed file deletion on Windows + - JDK-8253167: ARM32 builds fail after JDK-8247910 + - JDK-8253572: [windows] CDS archive may fail to open with long file names + - JDK-8253923: C2 doesn't always run loop opts for compilations that include loops + - JDK-8253948: Memory leak in ImageFileReader + - JDK-8254631: Better support ALPN byte wire values in SunJSSE + - JDK-8254717: isAssignableFrom checks in KeyFactorySpi.engineGetKeySpec appear to be backwards + - JDK-8255086: Update the root locale display names + - JDK-8255625: AArch64: Implement Base64.encodeBlock accelerator/intrinsic + - JDK-8255763: C2: OSR miscompilation caused by invalid memory instruction placement + - JDK-8255992: JFR EventWriter does not use first string from StringPool with id 0 + - JDK-8256037: [TESTBUG] com/sun/jndi/dns/ConfigTests/PortUnreachable.java fails due to the hard coded threshold is small + - JDK-8256244: java/lang/ProcessHandle/PermissionTest.java fails with TestNG 7.1 + - JDK-8256287: [windows] add loop fuse to map_or_reserve_memory_aligned + - JDK-8256523: Streamline Java SHA2 implementation + - JDK-8257414: Drag n Drop target area is wrong on high DPI systems + - JDK-8257569: Failure observed with JfrVirtualMemory::initialize + - JDK-8257574: C2: "failed: parsing found no loops but there are some" assert failure + - JDK-8257580: Bump update version for OpenJDK: jdk-11.0.12 + - JDK-8257604: JNI_ArgumentPusherVaArg leaks valist + - JDK-8257621: JFR StringPool misses cached items across consecutive recordings + - JDK-8257796: [TESTBUG] TestUseSHA512IntrinsicsOptionOnSupportedCPU.java fails on x86_32 + - JDK-8257822: C2 crashes with SIGFPE due to a division that floats above its zero check + - JDK-8257828: SafeFetch may crash if invoked in non-JavaThreads + - JDK-8257853: Remove dependencies on JNF's JNI utility functions in AWT and 2D code + - JDK-8257858: [macOS]: Remove JNF dependency from libosxsecurity/KeystoreImpl.m + - JDK-8257860: [macOS]: Remove JNF dependency from libosxkrb5/SCDynamicStoreConfig.m + - JDK-8257988: Remove JNF dependency from libsaproc/MacosxDebuggerLocal.m + - JDK-8258414: OldObjectSample events too expensive + - JDK-8258505: [TESTBUG] TestDivZeroWithSplitIf.java fails due to missing UnlockDiagnosticVMOptions + - JDK-8258753: StartTlsResponse.close() hangs due to synchronization issues + - JDK-8259061: C2: assert(found) failed: memory-writing node is not placed in its original loop or an ancestor of it + - JDK-8259227: C2 crashes with SIGFPE due to a division that floats above its zero check + - JDK-8259232: Bad JNI lookup during printing + - JDK-8259276: C2: Empty expression stack when reexecuting tableswitch/lookupswitch instructions after deoptimization + - JDK-8259343: [macOS] Update JNI error handling in Cocoa code. + - JDK-8259585: Accessible actions do not work on mac os x + - JDK-8259651: [macOS] Replace JNF_COCOA_ENTER/EXIT macros + - JDK-8259662: Don't wrap SocketExceptions into SSLExceptions in SSLSocketImpl + - JDK-8259710: Inlining trace leaks memory + - JDK-8259729: Missed JNFInstanceOf -> IsInstanceOf conversion + - JDK-8259777: Incorrect predication condition generated by ADLC + - JDK-8259786: initialize last parameter of getpwuid_r + - JDK-8259843: initialize dli_fname array before calling dll_address_to_library_name + - JDK-8259869: [macOS] Remove desktop module dependencies on JNF Reference APIs + - JDK-8259886: Improve SSL session cache performance and scalability + - JDK-8259983: do not use uninitialized expand_ms value in G1CollectedHeap::expand_heap_after_young_collection + - JDK-8260030: Improve stringStream buffer handling + - JDK-8260236: better init AnnotationCollector _contended_group + - JDK-8260255: C1: LoopInvariantCodeMotion constructor can leave some fields uninitialized + - JDK-8260284: C2: assert(_base == Int) failed: Not an Int + - JDK-8260380: Upgrade to LittleCMS 2.12 + - JDK-8260420: C2 compilation fails with assert(found_sfpt) failed: no node in loop that's not input to safepoint + - JDK-8260426: awt debug_mem.c DMem_AllocateBlock might leak memory + - JDK-8260432: allocateSpaceForGP in freetypeScaler.c might leak memory + - JDK-8260616: Removing remaining JNF dependencies in the java.desktop module + - JDK-8260653: Unreachable nodes keep speculative types alive + - JDK-8260707: java/lang/instrument/PremainClass/InheritAgent0100.java times out + - JDK-8260925: HttpsURLConnection does not work with other JSSE provider. + - JDK-8260926: Trace resource exhausted events unconditionally + - JDK-8261020: Wrong format parameter in create_emergency_chunk_path + - JDK-8261027: AArch64: Support for LSE atomics C++ HotSpot code + - JDK-8261167: print_process_memory_info add a close call after fopen + - JDK-8261170: Upgrade to freetype 2.10.4 + - JDK-8261198: [macOS] Incorrect JNI parameters in number conversion in A11Y code + - JDK-8261235: C1 compilation fails with assert(res->vreg_number() == index) failed: conversion check + - JDK-8261261: The version extra fields needs to be overridable in jib-profiles.js + - JDK-8261262: Kitchensink24HStress.java crashed with EXCEPTION_ACCESS_VIOLATION + - JDK-8261354: SIGSEGV at MethodIteratorHost + - JDK-8261355: No data buffering in SunPKCS11 Cipher encryption when the underlying mechanism has no padding + - JDK-8261397: try catch Method failing to work when dividing an integer by 0 + - JDK-8261422: Adjust problematic String.format calls in jdk/internal/util/Preconditions.java outOfBoundsMessage + - JDK-8261447: MethodInvocationCounters frequently run into overflow + - JDK-8261481: Cannot read Kerberos settings in dynamic store on macOS Big Sur + - JDK-8261505: Test test/hotspot/jtreg/gc/parallel/TestDynShrinkHeap.java killed by Linux OOM Killer + - JDK-8261601: free memory in early return in Java_sun_nio_ch_sctp_SctpChannelImpl_receive0 + - JDK-8261649: AArch64: Optimize LSE atomics in C++ code + - JDK-8261730: C2 compilation fails with assert(store->find_edge(load) != -1) failed: missing precedence edge + - JDK-8261752: Multiple GC test are missing memory requirements + - JDK-8261791: (sctp) handleSendFailed in SctpChannelImpl.c potential leaks + - JDK-8261812: C2 compilation fails with assert(!had_error) failed: bad dominance + - JDK-8261914: IfNode::fold_compares_helper faces non-canonicalized bool when running JRuby JSON workload + - JDK-8262093: java/util/concurrent/tck/JSR166TestCase.java failed "assert(false) failed: unexpected node" + - JDK-8262110: DST starts from incorrect time in 2038 + - JDK-8262121: [11u] Redo 8244287: JFR: Methods samples have line number 0 + - JDK-8262163: Extend settings printout in jcmd VM.metaspace + - JDK-8262295: C2: Out-of-Bounds Array Load from Clone Source + - JDK-8262298: G1BarrierSetC2::step_over_gc_barrier fails with assert "bad barrier shape" + - JDK-8262446: DragAndDrop hangs on Windows + - JDK-8262461: handle wcstombsdmp return value correctly in unix awt_InputMethod.c + - JDK-8262465: Very long compilation times and high memory consumption in C2 debug builds + - JDK-8262726: AArch64: C1 StubAssembler::call_RT can corrupt stack + - JDK-8262739: String inflation C2 intrinsic prevents insertion of anti-dependencies + - JDK-8262829: Native crash in Win32PrintServiceLookup.getAllPrinterNames() + - JDK-8262837: handle split_USE correctly + - JDK-8262900: ToolBasicTest fails to access HTTP server it starts + - JDK-8263260: [s390] Support latest hardware (z14 and z15) + - JDK-8263311: Watch registry changes for remote printers update instead of polling + - JDK-8263361: Incorrect arraycopy stub selected by C2 for SATB collectors + - JDK-8263404: RsaPrivateKeySpec is always recognized as RSAPrivateCrtKeySpec in RSAKeyFactory.engineGetKeySpec + - JDK-8263425: AArch64: two potential bugs in C1 LIRGenerator::generate_address() + - JDK-8263448: CTW: fatal error: meet not symmetric + - JDK-8263504: Some OutputMachOpcodes fields are uninitialized + - JDK-8263557: Possible NULL dereference in Arena::destruct_contents() + - JDK-8263558: Possible NULL dereference in fast path arena free if ZapResourceArea is true + - JDK-8263676: AArch64: one potential bug in C1 LIRGenerator::generate_address() + - JDK-8263729: [test] divert spurious output away from stream under test in ProcessBuilder Basic test + - JDK-8263846: Bad JNI lookup getFocusOwner in accessibility code on Mac OS X + - JDK-8264047: Duplicate global variable 'jvm' in libjavajpeg and libawt + - JDK-8264096: slowdebug jvm crashes when StrInflatedCopy match rule is not supported + - JDK-8264151: ciMethod::ensure_method_data() should return false is loading resulted in empty state + - JDK-8264173: [s390] Improve Hardware Feature Detection And Reporting + - JDK-8264190: Harden TLS interop tests + - JDK-8264223: CodeHeap::verify fails extra_hops assertion in fastdebug test + - JDK-8264328: Broken license in javax/swing/JComboBox/8072767/bug8072767.java + - JDK-8264360: Loop strip mining verification fails with "should be on the backedge" + - JDK-8264626: C1 should be able to inline excluded methods + - JDK-8264640: CMS ParScanClosure misses a barrier + - JDK-8264786: [macos] All Swing/AWT apps cause Allow Notifications prompt to appear when app is launched + - JDK-8264821: DirectIOTest fails on a system with large block size + - JDK-8264848: [macos] libjvm.dylib linker warning due to macOS version mismatch + - JDK-8264923: PNGImageWriter.write_zTXt throws Exception with a typo + - JDK-8264958: C2 compilation fails with assert "n is later than its clone" + - JDK-8265099: Revert backport to 11u of 8236859: WebSocket over authenticating proxy fails with NPE + - JDK-8265154: vinserti128 operand mix up for KNL platforms + - JDK-8265239: Shenandoah: Shenandoah heap region count could be off by 1 + - JDK-8265417: Backport of JDK-8249672 breaks Solaris x86 build + - JDK-8265421: java/lang/String/StringRepeat.java test is missing a memory requirement + - JDK-8265462: Handle multiple slots in the NSS Internal Module from SunPKCS11's Secmod + - JDK-8265537: x86 version string truncated after JDK-8249672 11u backport + - JDK-8265666: Enable AIX build platform to make external debug symbols + - JDK-8265677: CMS: CardTableBarrierSet::write_ref_array_work() lacks storestore barrier + - JDK-8265690: Use the latest Ubuntu base image version in Docker testing + - JDK-8265718: Build failure after JDK-8258414 11u backport + - JDK-8265750: Fatal error in safepoint.cpp after backport of 8258414 + - JDK-8265784: [C2] Hoisting of DecodeN leaves MachTemp inputs behind + - JDK-8265938: C2's conditional move optimization does not handle top Phi + - JDK-8266220: keytool still prompt for store password on a password-less pkcs12 file if -storetype pkcs12 is specified + - JDK-8266293: Key protection using PBEWithMD5AndDES fails with "java.security.InvalidAlgorithmParameterException: Salt must be 8 bytes long" + - JDK-8266713: [AIX] Build failure after 11u backport of JDK-8247753 + - JDK-8266802: Shenandoah: Round up region size to page size unconditionally + - JDK-8266892: avoid maybe-uninitialized gcc warnings on linux s390x + - JDK-8266929: Unable to use algorithms from 3p providers + - JDK-8267235: [macos_aarch64] InterpreterRuntime::throw_pending_exception messing up LR results in crash + - JDK-8267561: Shenandoah: Reference processing not properly setup for outside of cycle degenerated GC + - JDK-8267599: Revert the change to the default PKCS12 macAlgorithm and macIterationCount props for 11u/8u/7u + - JDK-8267641: [11u] 8227609 backport typo + - JDK-8267721: Enable sun/security/pkcs11 tests for Amazon Linux 2 AArch64 + - JDK-8268678: LetsEncryptCA.java test fails as Let’s Encrypt Authority X3 is retired + +Notes on individual issues: +=========================== + +security-libs/java.security: + +JDK-8215293: Customizing PKCS12 keystore Generation +=================================================== +New system and security properties have been added to enable users to +customize the generation of PKCS #12 keystores. This includes +algorithms and parameters for key protection, certificate protection, +and MacData. The detailed explanation and possible values for these +properties can be found in the "PKCS12 KeyStore properties" section of +the `java.security` file. + +Also, support for the following SHA-2 based HmacPBE algorithms has +been added to the SunJCE provider: + +* HmacPBESHA224 +* HmacPBESHA256 +* HmacPBESHA384 +* HmacPBESHA512 +* HmacPBESHA512/224 +* HmacPBESHA512/256 + +JDK-8256902: Removed Root Certificates with 1024-bit Keys +========================================================= +The following root certificates with weak 1024-bit RSA public keys +have been removed from the `cacerts` keystore: + +Alias Name: thawtepremiumserverca [jdk] +Distinguished Name: EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA + +Alias Name: verisignclass2g2ca [jdk] +Distinguished Name: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US + +Alias Name: verisignclass3ca [jdk] +Distinguished Name: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US + +Alias Name: verisignclass3g2ca [jdk] +Distinguished Name: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US + +Alias Name: verisigntsaca [jdk] +Distinguished Name: CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA + +JDK-8261361: Removed Telia Company's Sonera Class2 CA certificate +================================================================= + +The following root certificate have been removed from the cacerts truststore: + +Alias Name: soneraclass2ca +Distinguished Name: CN=Sonera Class2 CA, O=Sonera, C=FI + +JDK-8242069: Upgraded the Default PKCS12 Encryption and MAC Algorithms +====================================================================== +The default encryption and MAC algorithms used in a PKCS #12 keystore +have been updated. The new algorithms are based on AES-256 and SHA-256 +and are stronger than the old algorithms that were based on RC2, +DESede, and SHA-1. See the security properties starting with +`keystore.pkcs12` in the `java.security` file for detailed +information. + +For compatibility, a new system property named +`keystore.pkcs12.legacy` is defined that will revert the algorithms to +use the older, weaker algorithms. There is no value defined for this +property. + +security-libs/javax.net.ssl: + +JDK-8257548: Improve Encoding of TLS Application-Layer Protocol Negotiation (ALPN) Values +========================================================================================= +Certain TLS ALPN values couldn't be properly read or written by the +SunJSSE provider. This is due to the choice of Strings as the API +interface and the undocumented internal use of the UTF-8 Character Set +which converts characters larger than U+00007F (7-bit ASCII) into +multi-byte arrays that may not be expected by a peer. + +ALPN values are now represented using the network byte representation +expected by the peer, which should require no modification for +standard 7-bit ASCII-based character Strings. However, SunJSSE now +encodes/decodes String characters as 8-bit ISO_8859_1/LATIN-1 +characters. This means applications that used characters above +U+000007F that were previously encoded using UTF-8 may need to either +be modified to perform the UTF-8 conversion, or set the Java security +property `jdk.tls.alpnCharset` to "UTF-8" revert the behavior. + +See the updated guide at +https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/alpn.html +for more information. + +JDK-8244460: Support for certificate_authorities Extension +========================================================== +The "certificate_authorities" extension is an optional extension +introduced in TLS 1.3. It is used to indicate the certificate +authorities (CAs) that an endpoint supports and should be used by the +receiving endpoint to guide certificate selection. + +With this JDK release, the "certificate_authorities" extension is +supported for TLS 1.3 in both the client and the server sides. This +extension is always present for client certificate selection, while it +is optional for server certificate selection. + +Applications can enable this extension for server certificate +selection by setting the `jdk.tls.client.enableCAExtension` system +property to `true`. The default value of the property is `false`. + +Note that if the client trusts more CAs than the size limit of the +extension (less than 2^16 bytes), the extension is not enabled. Also, +some server implementations do not allow handshake messages to exceed +2^14 bytes. Consequently, there may be interoperability issues when +`jdk.tls.client.enableCAExtension` is set to `true` and the client +trusts more CAs than the server implementation limit. + +New in release OpenJDK 11.0.11 (2021-04-20): +============================================= +Live versions of these release notes can be found at: + * https://bitly.com/openjdk11011 + * https://builds.shipilev.net/backports-monitor/release-notes-11.0.11.txt + +* Security fixes + - JDK-8244473: Contextualize registration for JNDI + - JDK-8244543: Enhanced handling of abstract classes + - JDK-8249906, CVE-2021-2163: Enhance opening JARs + - JDK-8250568, CVE-2021-2161: Less ambiguous processing + - JDK-8253799: Make lists of normal filenames + - JDK-8257001: Improve Http Client Support +* Other changes + - JDK-7107012: sun.jvm.hotspot.code.CompressedReadStream readDouble() conversion to long mishandled + - JDK-7146776: deadlock between URLStreamHandler.getHostAddress and file.Handler.openconnection + - JDK-8086003: Test fails on OSX with java.lang.RuntimeException 'Narrow klass base: 0x0000000000000000, Narrow klass shift: 3' missing + - JDK-8168869: jdeps: localized messages don't use proper line breaks + - JDK-8180837: SunPKCS11-NSS tests failing with CKR_ATTRIBUTE_READ_ONLY and CKR_MECHANISM_PARAM_INVALID + - JDK-8202343: Disable TLS 1.0 and 1.1 + - JDK-8205992: jhsdb cannot attach to Java processes running in Docker containers + - JDK-8209193: Fix aarch64-linux compilation after -Wreorder changes + - JDK-8210413: AArch64: Optimize div/rem by constant in C1 + - JDK-8210578: AArch64: Invalid encoding for fmlsvs instruction + - JDK-8211051: jdeps usage of --dot-output doesn't provide valid output for modular jar + - JDK-8211057: Gensrc step CompileProperties generates unstable CompilerProperties output + - JDK-8211150: G1 Full GC not purging code root memory and hence causing memory leak + - JDK-8211825: ModuleLayer.defineModulesWithXXX does not setup delegation when module reads automatic module + - JDK-8212043: Add floating-point Math.min/max intrinsics + - JDK-8212218: [TESTBUG] runtime/ErrorHandling/TestHeapDumpOnOutOfMemoryErrorInMetaspace.java timed out + - JDK-8213116: javax/swing/JComboBox/WindowsComboBoxSize/WindowsComboBoxSizeTest.java fails in Windows + - JDK-8213909: jdeps --print-module-deps should report missing dependences + - JDK-8214180: Need better granularity for sleeping + - JDK-8214223: tools/jdeps/listdeps/ListModuleDeps.java failed due to missing Lib2 file + - JDK-8214230: Classes generated by SystemModulesPlugin.java are not reproducable + - JDK-8214741: docs/index.html has no title or copyright + - JDK-8215687: [Graal] unit test CheckGraalIntrinsics failed after 8212043 + - JDK-8217848: [Graal] vmTestbase/nsk/jvmti/ResourceExhausted/resexhausted003/TestDescription.java fails + - JDK-8218482: sun/security/krb5/auto/ReplayCachePrecise.java failed - no KrbException thrown + - JDK-8218550: Add test omitted from JDK-8212043 + - JDK-8221584: SIGSEGV in os::PlatformEvent::unpark() in JvmtiRawMonitor::raw_exit while posting method exit event + - JDK-8221995: AARCH64: problems with CAS instructions encoding + - JDK-8222518: Remove unnecessary caching of Parker object in java.lang.Thread + - JDK-8222785: aarch64: add necessary masking for immediate shift counts + - JDK-8223186: HotSpot compile warnings from GCC 9 + - JDK-8225773: jdeps --check produces NPE if there are missing module dependences + - JDK-8225805: Java Access Bridge does not close the logger + - JDK-8226810: Failed to launch JVM because of NullPointerException occured on System.props + - JDK-8229396: jdeps ignores multi-release when generate-module-info used on command line + - JDK-8229474: Shenandoah: Cleanup CM::update_roots() + - JDK-8232225: Rework the fix for JDK-8071483 + - JDK-8232905: JFR fails with assertion: assert(t->unflushed_size() == 0) failed: invariant + - JDK-8233164: C2 fails with assert(phase->C->get_alias_index(t) == phase->C->get_alias_index(t_adr)) failed: correct memory chain + - JDK-8233910: java/awt/ColorClass/AlphaColorTest.java is failing intermittently in nightly lnux-x64 system + - JDK-8233912: aarch64: minor improvements of atomic operations + - JDK-8234508: VM_HeapWalkOperation::iterate_over_object reads non-strong fields with an on-strong load barrier + - JDK-8234742: Improve handshake logging + - JDK-8234796: Refactor Handshake::execute to take a more complex type than ThreadClosure + - JDK-8235324: Dying objects are published from users of CollectedHeap::object_iterate + - JDK-8235351: Lookup::unreflect should bind with the original caller independent of Method's accessible flag + - JDK-8237369: Shenandoah: failed vmTestbase/nsk/jvmti/AttachOnDemand/attach021/TestDescription.java test + - JDK-8237392: Shenandoah: Remove unreliable assertion + - JDK-8237483: AArch64 C1 OopMap inserted twice fatal error + - JDK-8237495: Java MIDI fails with a dereferenced memory error when asked to send a raw 0xF7 + - JDK-8239355: (dc) Initial value of SO_SNDBUF should allow sending large datagrams (macOS) + - JDK-8240353: AArch64: missing support for -XX:+ExtendedDTraceProbes in C1 + - JDK-8240704: CheckHandles.java failed "AssertionError: Handle use increased by more than 10 percent." + - JDK-8240751: Shenandoah: fold ShenandoahTracer definition + - JDK-8240795: [REDO] 8238384 CTW: C2 compilation fails with "assert(store != load->find_exact_control(load->in(0))) failed: dependence cycle found" + - JDK-8241598: Upgrade JLine to 3.14.0 + - JDK-8241649: Optimize Character.toString + - JDK-8241770: Module xxxAnnotation() methods throw NCDFE if module-info.class found as resource in unnamed module + - JDK-8241911: AArch64: Fix a potential register clash issue in reduce_add2I + - JDK-8242030: Wrong package declarations in jline classes after JDK-8241598 + - JDK-8242565: Policy initialization issues when the denyAfter constraint is enabled + - JDK-8243618: compiler/rtm/cli tests can be run w/o WhiteBox + - JDK-8243670: Unexpected test result caused by C2 MergeMemNode::Ideal + - JDK-8244088: [Regression] Switch of Gnome theme ends up in deadlocked UI + - JDK-8244154: Update SunPKCS11 provider with PKCS11 v3.0 header files + - JDK-8244340: Handshake processing thread lacks yielding + - JDK-8244573: java.lang.ArrayIndexOutOfBoundsException thrown for malformed class file + - JDK-8244683: A TSA server used by tests + - JDK-8245005: javax/net/ssl/compatibility/BasicConnectTest.java failed with No enum constant + - JDK-8245026: PsAdaptiveSizePolicy::_old_gen_policy_is_ready is unused + - JDK-8245283: JFR: Can't handle constant dynamic used by Jacoco agent + - JDK-8245512: CRC32 optimization using AVX512 instructions + - JDK-8245527: LDAP Channel Binding support for Java GSS/Kerberos + - JDK-8246707: (sc) SocketChannel.read/write throws AsynchronousCloseException on closed channel + - JDK-8246709: sun/security/tools/jarsigner/TsacertOptionTest.java compilation failed after JDK-8244683 + - JDK-8247200: assert((unsigned)fpargs < 32) + - JDK-8247766: [aarch64] guarantee(val < (1U << nbits)) failed: Field too big for insn. + - JDK-8248336: AArch64: C2: offset overflow in BoxLockNode::emit + - JDK-8248865: Document JNDI/LDAP timeout properties + - JDK-8248901: Signed immediate support in .../share/assembler.hpp is broken. + - JDK-8249543: Force DirectBufferAllocTest to run with -ExplicitGCInvokesConcurrent + - JDK-8249588: libwindowsaccessbridge issues on 64bit Windows + - JDK-8249749: modify a primitive array through a stream and a for cycle causes jre crash + - JDK-8249787: Make TestGCLocker more resilient with concurrent GCs + - JDK-8249867: xml declaration is not followed by a newline + - JDK-8250911: [windows] os::pd_map_memory() error detection broken + - JDK-8251255: [linux] Add process-memory information to hs-err and VM.info + - JDK-8251359: Shenandoah: filter null oops before calling enqueue/SATB barrier + - JDK-8251925: C2: RenaissanceStressTest fails with assert(!had_error): bad dominance + - JDK-8251944: Add Shenandoah test config to compiler/gcbarriers/UnsafeIntrinsicsTest.java + - JDK-8251992: VM crashed running TestComplexAddrExpr.java test with -XX:UseAVX=X + - JDK-8253220: Epsilon: clean up unused code/declarations + - JDK-8253274: The CycleDMImagetest brokes the system + - JDK-8253353: Crash in C2: guarantee(n != NULL) failed: No Node + - JDK-8253368: TLS connection always receives close_notify exception + - JDK-8255368: Math.exp() gives wrong result for large values on x86 32-bit platforms + - JDK-8255401: Shenandoah: Allow oldval and newval registers to overlap in cmpxchg_oop() + - JDK-8253404: C2: assert(C->live_nodes() <= C->max_node_limit()) failed: Live Node limit exceeded limit + - JDK-8253409: Double-rounding possibility in float fma + - JDK-8253476: TestUseContainerSupport.java fails on some Linux kernels w/o swap limit capabilities + - JDK-8253524: C2: Refactor code that clones predicates during loop unswitching + - JDK-8253644: C2: assert(skeleton_predicate_has_opaque(iff)) failed: unexpected + - JDK-8253681: closed java/awt/dnd/MouseEventAfterStartDragTest/MouseEventAfterStartDragTest.html test failed + - JDK-8253702: BigSur version number reported as 10.16, should be 11.nn + - JDK-8253756: C2 CompilerThread0 crash in Node::add_req(Node*) + - JDK-8254104: MethodCounters must exist before nmethod is installed + - JDK-8254734: "dead loop detected" assert failure with patch from 8223051 + - JDK-8254748: Bad Copyright header format after JDK-8212218 + - JDK-8254799: runtime/ErrorHandling/TestHeapDumpOnOutOfMemoryError.java fails with release VMs + - JDK-8255058: C1: assert(is_virtual()) failed: type check + - JDK-8255351: Add detection for Graviton 2 CPUs + - JDK-8255387: Japanese characters were printed upside down on AIX + - JDK-8255479: [aarch64] assert(src->section_index_of(target) == CodeBuffer::SECT_NONE) failed: sanity + - JDK-8255544: Create a checked cast + - JDK-8255559: Leak File Descriptors Because of ResolverLocalFilesystem#engineResolveURI() + - JDK-8255681: print callstack in error case in runAWTLoopWithApp + - JDK-8255734: VM should ignore SIGXFSZ on ppc64, s390 too + - JDK-8255742: PrintInlining as compiler directive doesn't print virtual calls + - JDK-8255845: Memory leak in imageFile.cpp + - JDK-8255880: UI of Swing components is not redrawn after their internal state changed + - JDK-8255908: ExceptionInInitializerError due to UncheckedIOException while initializing cgroupv1 subsystem + - JDK-8256025: AArch64: MachCallRuntimeNode::ret_addr_offset() is incorrect for stub calls + - JDK-8256056: Deoptimization stub doesn't save vector registers on x86 + - JDK-8256061: RegisterSaver::save_live_registers() omits upper halves of ZMM0-15 registers + - JDK-8256187: [TEST_BUG] Automate bug4275046.java test + - JDK-8256220: C1: x86_32 fails with -XX:UseSSE=1 after JDK-8210764 due to mishandled lir_neg + - JDK-8256258: some missing NULL checks or asserts after CodeCache::find_blob_unsafe + - JDK-8256264: Printed GlyphVector outline with low DPI has bad quality on Windows + - JDK-8256290: javac/lambda/T8031967.java fails with StackOverflowError on x86_32 + - JDK-8256359: AArch64: runtime/ReservedStack/ReservedStackTestCompiler.java fails + - JDK-8256387: Unexpected result if patching an entire instruction on AArch64 + - JDK-8256421: Add 2 HARICA roots to cacerts truststore + - JDK-8256488: [aarch64] Use ldpq/stpq instead of ld4/st4 for small copies in StubGenerator::copy_memory + - JDK-8256489: Make gtest for long path names on Windows more resilient in the presence of virus scanners + - JDK-8256501: libTestMainKeyWindow fails to build with Xcode 12.2 + - JDK-8256633: Fix product build on Windows+Arm64 + - JDK-8256682: JDK-8202343 is incomplete + - JDK-8256751: Incremental rebuild with precompiled header fails when touching a header file + - JDK-8256757: Incorrect MachCallRuntimeNode::ret_addr_offset() for CallLeafNoFP on x86_32 + - JDK-8256806: Shenandoah: optimize shenandoah/jni/TestPinnedGarbage.java test + - JDK-8256807: C2: Not marking stores correctly as mismatched in string opts + - JDK-8256810: Incremental rebuild broken on Macosx + - JDK-8256818: SSLSocket that is never bound or connected leaks socket resources + - JDK-8256888: Client manual test problem list update + - JDK-8257083: Security infra test failures caused by JDK-8202343 + - JDK-8257408: Bump update version for OpenJDK: jdk-11.0.11 + - JDK-8257423: [PPC64] Support -XX:-UseInlineCaches + - JDK-8257436: [aarch64] Regressions in ArrayCopyUnalignedDst.testByte/testChar for 65-78 bytes when UseSIMDForMemoryOps is on + - JDK-8257513: C2: assert((constant_addr - _masm.code()->consts()->start()) == con.offset()) + - JDK-8257547: Handle multiple prereqs on the same line in deps files + - JDK-8257561: Some code is not vectorized after 8251925 and 8250607 + - JDK-8257565: epsilonBarrierSet.hpp should not include barrierSetAssembler + - JDK-8257575: C2: "failed: only phis" assert failure in loop strip mining verification + - JDK-8257594: C2 compiled checkcast of non-null object triggers endless deoptimization/recompilation cycle + - JDK-8257633: Missing -mmacosx-version-min=X flag when linking libjvm + - JDK-8257670: sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java reports leaks + - JDK-8257707: Fix incorrect format string in Http1HeaderParser + - JDK-8257746: Regression introduced with JDK-8250984 - memory might be null in some machines + - JDK-8257798: [PPC64] undefined reference to Klass::vtable_start_offset() + - JDK-8257884: Re-enable sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java as automatic test + - JDK-8257910: [JVMCI] Set exception_seen accordingly in the runtime. + - JDK-8257997: sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java again reports leaks after JDK-8257884 + - JDK-8257999: Parallel GC crash in gc/parallel/TestDynShrinkHeap.java: new region is not in covered_region + - JDK-8258077: Using -Xcheck:jni can lead to a double-free after JDK-8193234 + - JDK-8258247: Couple of issues in fix for JDK-8249906 + - JDK-8258373: Update the text handling in the JPasswordField + - JDK-8258396: SIGILL in jdk.jfr.internal.PlatformRecorder.rotateDisk() + - JDK-8258419: RSA cipher buffer cleanup + - JDK-8258471: "search codecache" clhsdb command does not work + - JDK-8258534: Epsilon: clean up unused includes + - JDK-8258805: Japanese characters not entered by mouse click on Windows 10 + - JDK-8258833: Cancel multi-part cipher operations in SunPKCS11 after failures + - JDK-8258836: JNI local refs exceed capacity getDiagnosticCommandInfo + - JDK-8258884: [TEST_BUG] Convert applet-based test open/test/jdk/javax/swing/JMenuItem/8031573/bug8031573.java to a regular java test + - JDK-8259007: This test printed a blank page + - JDK-8259049: Uninitialized variable after JDK-8257513 + - JDK-8259451: Zero: skip serviceability/sa tests, set vm.hasSA to false + - JDK-8259580: Shenandoah: uninitialized label in VerifyThreadGCState + - JDK-8259231: Epsilon: improve performance under contention during virtual space expansion + - JDK-8259271: gc/parallel/TestDynShrinkHeap.java still fails "assert(covered_region.contains(new_memregion)) failed: new region is not in covered_region" + - JDK-8259312: VerifyCACerts.java fails as soneraclass2ca cert will expire in 90 days + - JDK-8259319: Illegal package access when SunPKCS11 requires SunJCE's classes + - JDK-8259339: AllocateUninitializedArray C2 intrinsic fails with void.class input + - JDK-8259428: AlgorithmId.getEncodedParams() should return copy + - JDK-8259446: runtime/jni/checked/TestCheckedReleaseArrayElements.java fails with stderr not empty + - JDK-8259949: x86 32-bit build fails when -fcf-protection is passed in the compiler flags + - JDK-8259619: C1: 3-arg StubAssembler::call_RT stack-use condition is incorrect + - JDK-8259633: compiler/graalunit/CoreTest.java fails with NPE after JDK-8244543 + - JDK-8259706: C2 compilation fails with assert(vtable_index == Method::invalid_vtable_index) failed: correct sentinel value + - JDK-8259707: LDAP channel binding does not work with StartTLS extension + - JDK-8259773: Incorrect encoding of AVX-512 kmovq instruction + - JDK-8259849: Shenandoah: Rename store-val to IU-barrier + - JDK-8259954: gc/shenandoah/mxbeans tests fail with -Xcomp + - JDK-8260029: aarch64: fix typo in verify_oop_array + - JDK-8260308: Update LogCompilation junit to 4.13.1 + - JDK-8260338: Some fields in HaltNode is not cloned + - JDK-8260349: Cannot programmatically retrieve Metaspace max set via JAVA_TOOL_OPTIONS + - JDK-8260356: (tz) Upgrade time-zone data to tzdata2021a + - JDK-8260378: [TESTBUG] DcmdMBeanTestCheckJni.java reports false positive + - JDK-8260497: Shenandoah: Improve SATB flushing + - JDK-8260502: [s390] NativeMovRegMem::verify() fails because it's too strict + - JDK-8260632: Build failures after JDK-8253353 + - JDK-8260704: ParallelGC: oldgen expansion needs release-store for _end + - JDK-8261022: Fix incorrect result of Math.abs() with char type + - JDK-8261089: [TESTBUG] native library of test TestCheckedReleaseCriticalArray.java fails to compile with gcc 4.x + - JDK-8261183: Follow on to Make lists of normal filenames + - JDK-8261209: isStandalone property: remove dependency on pretty-print + - JDK-8261231: Windows IME was disabled after DnD operation + - JDK-8261251: Shenandoah: Use object size for full GC humongous compaction + - JDK-8261310: PPC64 Zero build fails with 'VMError::controlled_crash(int)::FunctionDescriptor functionDescriptor' has incomplete type and cannot be defined + - JDK-8261334: NMT: tuning statistic shows incorrect hash distribution + - JDK-8261413: Shenandoah: Disable class-unloading in I-U mode + - JDK-8261522: [PPC64] AES intrinsics write beyond the destination array + - JDK-8261534: Test sun/security/pkcs11/KeyAgreement/IllegalPackageAccess.java fails on platforms where no nsslib artifacts are defined + - JDK-8261585: Restore HandleArea used in Deoptimization::uncommon_trap + - JDK-8261753: Test java/lang/System/OsVersionTest.java still failing on BigSur patch versions after JDK-8253702 + - JDK-8261829: Exclude tools/jlink/JLinkReproducibleTest.java in 11u + - JDK-8261912: Code IfNode::fold_compares_helper more defensively + - JDK-8261920: [AIX] jshell command throws java.io.IOError on non English locales + - JDK-8262018: Wrong format in SAP copyright header of OsVersionTest + - JDK-8263069: Exclude some failing tests from security/infra/java/security/cert/CertPathValidator + +Notes on individual issues: +=========================== + +core-libs/javax.naming: + +JDK-8258824: LDAP Channel Binding Support for Java GSS/Kerberos +=============================================================== +A new JNDI environment property "com.sun.jndi.ldap.tls.cbtype" has +been added to enable TLS Channel Binding data in LDAP authentication +over SSL/TLS protocol to the Windows AD server. The only valid value +at present is "tls-server-end-point", where channel binding data is +created on the base of the TLS server certificate. See RFC-5929 [0] +and the module description of the `java.naming` module for further +details. + +[0] RFC-5929 "Channel Bindings for TLS": https://www.ietf.org/rfc/rfc5929.txt + +security-libs/java.security: + +JDK-8260597: Added 2 HARICA Root CA Certificates +================================================ +The following root certificates have been added to the cacerts truststore: + +Alias Name: haricarootca2015 +Distinguished Name: CN=Hellenic Academic and Research Institutions RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR + +Alias Name: haricaeccrootca2015 +Distinguished Name: CN=Hellenic Academic and Research Institutions ECC RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR + +security-libs/javax.net.ssl: + +JDK-8256490: Disable TLS 1.0 and 1.1 +==================================== +TLS 1.0 and 1.1 are versions of the TLS protocol that are no longer +considered secure and have been superseded by more secure and modern +versions (TLS 1.2 and 1.3). + +These versions have now been disabled by default. If you encounter +issues, you can, at your own risk, re-enable the versions by removing +"TLSv1" and/or "TLSv1.1" from the `jdk.tls.disabledAlgorithms` +security property in the `java.security` configuration file. + +tools: + +JDK-8214213: jdeps --print-module-deps Reports Transitive Dependencies +====================================================================== +`jdeps --print-module-deps`, `--list-deps`, and `--list-reduce-deps` +options have been enhanced as follows. + +1. By default, they perform transitive module dependence analysis on +libraries on the class path and module path, both directly and +indirectly, as required by the given input JAR files or +classes. Previously, they only reported the modules required by the +given input JAR files or classes. The `--no-recursive` option can be +used to request non-transitive dependence analysis. + +2. By default, they flag any missing dependency, i.e. not found from +class path and module path, as an error. The `--ignore-missing-deps` +option can be used to suppress missing dependence errors. Note that a +custom image is created with the list of modules output by jdeps when +using the `--ignore-missing-deps` option for a non-modular +application. Such an application, running on the custom image, might +fail at runtime when missing dependence errors are suppressed. + +xml/jaxp: + +JDK-8249867 XML declaration is not followed by a newline +======================================================== + +The DOM Load and Save `LSSerializer` does not have an explicit control +for whether or not the XML Declaration ends with a newline. In this +release, a JDK implementation specific property +`http://www.oracle.com/xml/jaxp/properties/isStandalone` and +corresponding System property `jdk.xml.isStandalone` are added to +control the addition of a newline and act independently without +having to set the pretty-print property. This property can be used to +reverse the incompatible change introduced in Java SE 7 Update 4 with +an update of Xalan 2.7.1 where a newline is omitted when pretty-print +is required. + +For details, please refer to the bug report and the java.xml module-summary. + +Usage: + +// to set the property, get an instance of LSSerializer and set it along with pretty-print +LSSerializer ser = impl.createLSSerializer(); +ser.getDomConfig().setParameter("format-pretty-print", true); +ser.getDomConfig().setParameter("http://www.oracle.com/xml/jaxp/properties/isStandalone", true); + +// to use the System property, set it before initializing a LSSerializer +System.setProperty("jdk.xml.isStandalone", “true”); + +// to clear the property, place the line anywhere after the LSSerializer is initialized +System.clearProperty("jdk.xml.isStandalone"); + +New in release OpenJDK 11.0.10 (2021-01-19): +============================================= +Live versions of these release notes can be found at: + * https://bitly.com/openjdk11010 + * https://builds.shipilev.net/backports-monitor/release-notes-11.0.10.txt + +* Security fixes + - JDK-8247619: Improve Direct Buffering of Characters +* Other changes + - JDK-6722928: Support SSPI as a native GSS-API provider + - JDK-7185258: [macosx] Deadlock in SunToolKit.realSync() + - JDK-8152332: [macosx] JFileChooser cannot be serialized on Mac OS X + - JDK-8161684: [testconf] Add VerifyOops' testing into compiler tiers + - JDK-8171279: Support X25519 and X448 in TLS + - JDK-8173361: various crashes in JvmtiExport::post_compiled_method_load + - JDK-8173658: JvmtiExport::post_class_unload() is broken for non-JavaThread initiators + - JDK-8191006: hsdis disassembler plugin does not compile with binutils 2.29+ + - JDK-8197981: Missing return statement in __sync_val_compare_and_swap_8 + - JDK-8198334: java/awt/FileDialog/8003399/bug8003399.java fails in headless mode + - JDK-8200151: Add 8 JNDI tests to com/sun/jndi/dns/ConfigTests/ + - JDK-8208279: Add 8 JNDI tests to com/sun/jndi/dns/EnvTests/ + - JDK-8208483: Add 5 JNDI tests to com/sun/jndi/dns/FactoryTests/ + - JDK-8208542: Add 4 JNDI tests to com/sun/jndi/dns/ListTests/ + - JDK-8208665: Amend cross-compilation docs with qemu-debootstrap recipe + - JDK-8210088: ProblemList gc/epsilon/TestMemoryMXBeans.java + - JDK-8210339: Add 10 JNDI tests to com/sun/jndi/dns/FedTests/ + - JDK-8211450: UndetVar::dup is not copying the kind field to the duplicated instance + - JDK-8212160: JVMTI agent crashes with "assert(_value != 0LL) failed: resolving NULL _value" + - JDK-8212226: SurfaceManager throws "Invalid Image variant" for MultiResolutionImage (Windows) + - JDK-8213400: Support choosing group name in keytool keypair generation + - JDK-8213535: Windows HiDPI html lightweight tooltips are truncated + - JDK-8213698: Improve devkit creation and add support for linux/ppc64/ppc64le/s390x + - JDK-8214025: assert(t->singleton()) failed: must be a constant when ScavengeRootsInCode < 2 + - JDK-8214242: compiler/arguments/TestScavengeRootsInCode.java fails because of missing UnlockDiagnosticVMOptions + - JDK-8214787: Zero builds fail with "undefined JavaThread::thread_state()" + - JDK-8215583: Exclude runtime/handshake/HandshakeWalkSuspendExitTest.java + - JDK-8216012: Infinite loop in RSA KeyPairGenerator + - JDK-8216324: GetClassMethods is confused by the presence of default methods in super interfaces + - JDK-8217429: WebSocket over authenticating proxy fails to send Upgrade headers + - JDK-8217976: test/jdk/java/net/httpclient/websocket/WebSocketProxyTest.java fails intermittently + - JDK-8218021: Have jarsigner preserve posix permission attributes + - JDK-8218287: jshell tool: input behavior unstable after 12-ea+24 on Windows + - JDK-8218851: JVM crash in custom classloader stress test, JDK 12 & 13 + - JDK-8220420: Cleanup c1_LinearScan + - JDK-8222072: JVMTI GenerateEvents() sends CompiledMethodLoad events to wrong jvmtiEnv + - JDK-8222286: Fix for JDK-8213419 is broken on s390 + - JDK-8222527: HttpClient doesn't send HOST header when tunelling HTTP/1.1 through http proxy + - JDK-8222533: jtreg test jdk/internal/platform/cgroup/TestCgroupMetrics.java fails on SLES12.3 linux ppc64le machine + - JDK-8224506: [TESTBUG] TestDockerMemoryMetrics.java fails with exitValue = 137 + - JDK-8224555: vmTestbase/nsk/jvmti/scenarios/contention/TC02/tc02t001/TestDescription.java failed + - JDK-8224650: Add tests to support X25519 and X448 in TLS + - JDK-8225072: Add LuxTrust certificate that is expiring in March 2021 to list of allowed but expired certs + - JDK-8225329: -XX:+PrintBiasedLockingStatistics causes crash during initialization on Windows platforms + - JDK-8225687: Newly added sspi.cpp in JDK-6722928 still contains some small errors + - JDK-8227006: [linux] Runtime.availableProcessors execution time increased by factor of 100 + - JDK-8227275: Within native OOM error handling, assertions may hang the process + - JDK-8227647: [Graal] Test8009761.java fails due to "RuntimeException: static java.lang.Object compiler.uncommontrap.Test8009761.m3(boolean,boolean) not compiled" + - JDK-8229495: SIGILL in C2 generated OSR compilation + - JDK-8230910: libsspi_bridge does not build on Windows 32bit + - JDK-8232114: JVM crashed at imjpapi.dll in native code + - JDK-8234147: Avoid looking up standard charsets in core libraries + - JDK-8234393: [macos] printing ignores printer tray + - JDK-8234863: Increase default value of MaxInlineLevel + - JDK-8235218: Minimal VM is broken after JDK-8173361 + - JDK-8235456: Minimal VM is broken after JDK-8212160 + - JDK-8235829: graal crashes with Zombie.java test + - JDK-8236124: Minimal VM slowdebug build failed after JDK-8212160 + - JDK-8236512: PKCS11 Connection closed after Cipher.doFinal and NoPadding + - JDK-8236944: The legVecZ operand should be limited to zmm0-zmm15 registers + - JDK-8237186: Fix typo in copyright header of java/io/Reader/TransferTo.java + - JDK-8237499: JFR: Include stack trace in the ThreadStart event + - JDK-8237512: AArch64: aarch64TestHook leaks a BufferBlob + - JDK-8237524: AArch64: String.compareTo() may return incorrect result + - JDK-8237950: C2 compilation fails with "Live Node limit exceeded limit" during ConvI2L::Ideal optimization + - JDK-8238579: HttpsURLConnection drops the timeout and hangs forever in read + - JDK-8239105: Add exception for expiring Digicert root certificates to VerifyCACerts test + - JDK-8239477: jdk/jfr/jcmd/TestJcmdStartStopDefault.java fails -XX:+VerifyOops with "verify_oop: rsi: broken oop" + - JDK-8239497: SEGV in EdgeUtils::field_name_symbol(Edge const&) + - JDK-8239886: Minimal VM build fails after JDK-8237499 + - JDK-8240633: Memory leaks in the implementations of FileChooserUI + - JDK-8240690: Race condition between EDT and BasicDirectoryModel.FilesLoader.run0() + - JDK-8241234: Unify monitor enter/exit runtime entries. + - JDK-8241311: Move some charset mapping tests from closed to open + - JDK-8241797: Add some tests to the problem list + - JDK-8242029: AArch64: skip G1 array copy pre-barrier if marking not active + - JDK-8242335: Additional Tests for RSASSA-PSS + - JDK-8242480: Negative value may be returned by getFreeSwapSpaceSize() in the docker + - JDK-8242614: cleanup duplicated test ldap server in some com/sun/jndi/ldap/ tests + - JDK-8242846: Bring back test/jdk/tools/jlink/plugins/OrderResourcesPluginTest.java + - JDK-8243114: Implement montgomery{Multiply,Square}intrinsics on Windows + - JDK-8243290: Improve diagnostic messages for class verification and redefinition failures + - JDK-8243488: Add tests for set/get SendBufferSize and getReceiveBufferSize in DatagramSocket + - JDK-8243549: sun/security/ssl/CipherSuite/NamedGroupsWithCipherSuite.java failed with Unsupported signature algorithm: DSA + - JDK-8243617: compiler/onSpinWait/TestOnSpinWaitC1.java test uses wrong class + - JDK-8243619: compiler/codecache/CheckSegmentedCodeCache.java test misses -version + - JDK-8244142: some hotspot/runtime tests don't check exit code of forked JVM + - JDK-8244278: Excessive code cache flushes and sweeps + - JDK-8244282: test/hotspot/jtreg/compiler/intrinsics/Test8237524.java fails with --illegal-access=deny + - JDK-8244621: [macos10.15] Garbled FX printing plus CoreText warnings on Catalina when building with Xcode 11 + - JDK-8244819: hsdis does not compile with binutils 2.34+ + - JDK-8245051: c1 is broken if it is compiled by gcc without -fno-lifetime-dse + - JDK-8245168: jlink should not be treated as a "small" tool + - JDK-8245400: Upgrade to LittleCMS 2.11 + - JDK-8246381: VM crashes with "Current BasicObjectLock* below than low_mark" + - JDK-8246434: Threads::print_on_error assumes that the heap has been set up + - JDK-8246648: issue with OperatingSystemImpl getFreeSwapSpaceSize in docker after 8242480 + - JDK-8247201: Print potential pointer value of readable stack memory in hs_err file + - JDK-8247763: assert(outer->outcnt() == 2) failed: 'only phis' failure in LoopNode::verify_strip_mined() + - JDK-8247867: Upgrade to freetype 2.10.2 + - JDK-8248190: Enable Power10 system and implement new byte-reverse instructions + - JDK-8248226: TestCloneAccessStressGCM fails with -XX:-ReduceBulkZeroing + - JDK-8248347: windows build broken by JDK-8243114 + - JDK-8248532: Every time I change keyboard language at my MacBook, Java crashes + - JDK-8248552: C2 crashes with SIGFPE due to division by zero + - JDK-8248596: [TESTBUG] compiler/loopopts/PartialPeelingUnswitch.java times out with Graal enabled + - JDK-8248745: Add jarsigner and keytool tests for restricted algorithms + - JDK-8248791: sun/util/resources/cldr/TimeZoneNamesTest.java fails with -XX:-ReduceInitialCardMarks -XX:-ReduceBulkZeroing + - JDK-8248845: AArch64: stack corruption after spilling vector register + - JDK-8249176: Update GlobalSignR6CA test certificates + - JDK-8249183: JVM crash in "AwtFrame::WmSize" method + - JDK-8249192: MonitorInfo stores raw oops across safepoints + - JDK-8249602: C2: assert(cnt == _outcnt) failed: no insertions allowed + - JDK-8249603: C1: assert(has_error == false) failed: register allocation invalid + - JDK-8249605: C2: assert(no_dead_loop) failed: dead loop detected + - JDK-8249607: C2: assert(!had_error) failed: bad dominance + - JDK-8249608: Vector register used by C2 compiled method corrupted at safepoint + - JDK-8249672: Include microcode revision in features_string on x86 + - JDK-8249748: gtest silently ignores bad jvm arguments + - JDK-8249821: Separate libharfbuzz from libfontmanager + - JDK-8250598: Hyper-V is detected in spite of running on host OS + - JDK-8250605: Linux x86_32 builds fail after JDK-8249821 + - JDK-8250636: iso8601_time returns incorrect offset part on MacOS + - JDK-8250665: Wrong translation for the month name of May in ar_JO,LB,SY + - JDK-8250772: Test com/sun/jndi/ldap/NamingExceptionMessageTest.java fails intermittently with javax.naming.ServiceUnavailableException + - JDK-8250825: C2 crashes with assert(field != __null) failed: missing field + - JDK-8250894: Provide a configure option to build and run against the platform libharfbuzz + - JDK-8250928: JFR: Improve hash algorithm for stack traces + - JDK-8250968: Symlinks attributes not preserved when using jarsigner on zip files + - JDK-8250984: Memory Docker tests fail on some Linux kernels w/o cgroupv1 swap limit capabilities + - JDK-8251118: BiasedLocking::preserve_marks should not have a HandleMark + - JDK-8251189: com/sun/jndi/ldap/LdapDnsProviderTest.java failed due to timeout + - JDK-8251257: NMT: jcmd VM.native_memory scale=1 crashes target VM + - JDK-8251365: Build failure on AIX after 8250636 + - JDK-8251397: NPE on ClassValue.ClassValueMap.cacheArray + - JDK-8251456: [TESTBUG] compiler/vectorization/TestVectorsNotSavedAtSafepoint.java failed OutOfMemoryError + - JDK-8251458: Parse::do_lookupswitch fails with "assert(_cnt >= 0) failed" + - JDK-8251535: Partial peeling at unsigned test adds incorrect loop exit check + - JDK-8251949: ZGC: Set explicit heap size for compiler/gcbarriers tests + - JDK-8252090: JFR: StreamWriterHost::write_unbuffered() stucks in an infinite loop OpenJDK (build 13.0.1+9) + - JDK-8252415: Bump update version for OpenJDK: jdk-11.0.10 + - JDK-8252470: java/awt/dnd/DisposeFrameOnDragCrash/DisposeFrameOnDragTest.java fails on Windows + - JDK-8252497: Incorrect numeric currency code for ROL + - JDK-8252660: Shenandoah: support manageable SoftMaxHeapSize option + - JDK-8252679: Two windows specific FileDIalog tests may fail on some Windows_Server_2016_Standard + - JDK-8252696: Loop unswitching may cause out of bound array load to be executed + - JDK-8252754: Hash code calculation of JfrStackTrace is inconsistent + - JDK-8253219: Epsilon: clean up unnecessary includes + - JDK-8253224: Shenandoah: ShenandoahStrDedupQueue destructor calls virtual num_queues() + - JDK-8253226: Shenandoah: remove unimplemented ShenandoahStrDedupQueue::verify + - JDK-8253269: The CheckCommonColors test should provide more info on failure + - JDK-8253284: Zero OrderAccess barrier mappings are incorrect + - JDK-8253375: OSX build fails with Xcode 12.0 (12A7209) + - JDK-8253778: ShenandoahSafepoint::is_at_shenandoah_safepoint should not access VMThread state from other threads + - JDK-8253791: Issue with useAppleColor check in CSystemColors.m + - JDK-8254016: Test8237524 fails with -XX:-CompactStrings option + - JDK-8254081: java/security/cert/PolicyNode/GetPolicyQualifiers.java fails due to an expired certificate + - JDK-8254144: Non-x86 Zero builds fail with return-type warning in os_linux_zero.cpp + - JDK-8254166: Zero: return-type warning in zeroInterpreter_zero.cpp + - JDK-8254177: (tz) Upgrade time-zone data to tzdata2020b + - JDK-8254185: Fix Code cache sweeper heuristics for JDK 11 + - JDK-8254190: [s390] interpreter misses exception check after calling monitorenter + - JDK-8254790: SIGSEGV in string_indexof_char and stringL_indexof_char intrinsics + - JDK-8254854: [cgroups v1] Metric limits not properly detected on some join controller combinations + - JDK-8254982: (tz) Upgrade time-zone data to tzdata2020c + - JDK-8255050: Add pkcs11/KeyStore/ClientAuth.sh to Problem list + - JDK-8255065: Zero: accessor_entry misses the IRIW case + - JDK-8255226: (tz) Upgrade time-zone data to tzdata2020d + - JDK-8255269: Unsigned overflow in g1Policy.cpp + - JDK-8255365: Problem list failing client manual tests + - JDK-8255457: Shenandoah: cleanup ShenandoahMarkTask + - JDK-8255466: C2 crashes at ciObject::get_oop() const+0x0 + - JDK-8255550: x86: Assembler::cmpq(Address dst, Register src) encoding is incorrect + - JDK-8255603: Memory/Performance regression after JDK-8210985 + - JDK-8255760: Shenandoah: match constants style in ShenandoahMarkTask fallback + - JDK-8255937: Better cleanup for test/jdk/javax/imageio/stream/StreamFlush.java + - JDK-8256427: Test com/sun/jndi/dns/ConfigTests/PortUnreachable.java does not work on AIX + - JDK-8256452: Integrate missing part of JDK-8232370 to 11u + - JDK-8256483: [TESTBUG] serviceability/jvmti/GetClassMethods/libOverpassMethods.c fails to compile on gcc 4.4.x + - JDK-8256557: libharfbuzz fails to link on gcc 4.4.x due to -Wl,-z,defs + - JDK-8256618: Zero: Linux x86_32 build still fails + - JDK-8256736: Zero: GTest tests fail with "unsuppported vm variant" + - JDK-8256809: Annotation processing causes NPE during flow analysis + - JDK-8257181: s390x builds are very noisy with gc-sections messages + - JDK-8257242: [macOS] Java app crashes while switching input methods + - JDK-8257545: SunJSSE FIPS regression in key exchange after JDK-8171279 11u backport + - JDK-8257641: Shenandoah: Query is_at_shenandoah_safepoint() from control thread should return false + - JDK-8257701: Shenandoah: objArrayKlass metadata is not marked with chunked arrays + - JDK-8258630: Add expiry exception for QuoVadis root certificate + +Notes on individual issues: +=========================== + +security-libs/java.security: + +JDK-8213821: -groupname Option Added to keytool Key Pair Generation +=================================================================== +A new `-groupname` option has been added to `keytool -genkeypair` so +that a user can specify a named group when generating a key pair. For +example, `keytool -genkeypair -keyalg EC -groupname secp384r1` will +generate an EC key pair by using the `secp384r1` curve. Because there +might be multiple curves with the same size, using the `-groupname` +option is preferred over the `-keysize` option. + +JDK-8248263: jarsigner Preserves POSIX File Permission and symlink Attributes +============================================================================= +When signing a file that contains POSIX file permission or symlink +attributes, `jarsigner` now preserves these attributes in the newly +signed file but warns that these attributes are unsigned and not +protected by the signature. The same warning is printed during the +`jarsigner -verify` operation for such files. + +Note that the `jar` tool does not read/write these attributes. This +change is more visible to tools like `unzip` where these attributes +are preserved. + +security-libs/javax.net.ssl: + +JDK-8225764: Support for X25519 and X448 in TLS +================================================ + +The named elliptic curve groups `x25519` and `x448` are now available +for JSSE key agreement in TLS versions 1.0 to 1.3, with `x25519` being +the most preferred of the default enabled named groups. The default +ordered list is now: + +* x25519 +* secp256r1 +* secp384r1 +* secp521r1 +* x448 +* secp256k1 +* ffdhe2048 +* ffdhe3072 +* ffdhe4096 +* ffdhe6144 +* ffdhe8192 + +The default list can be overridden using the system property *`jdk.tls.namedGroups`*. + +security-libs/org.ietf.jgss: + +JDK-8214079: Added a Default Native GSS-API Library on Windows +============================================================== +A native GSS-API library has been added to JDK on the Windows +platform. The library is client-side only and uses the default +credentials. It will be loaded when the `sun.security.jgss.native` +system property is set to "true". A user can still load a third-party +native GSS-API library by setting the system property +`sun.security.jgss.lib` to its path. + +New in release OpenJDK 11.0.9.1 (2020-10-20): +============================================= +Live versions of these release notes can be found at: + * https://bitly.com/openjdk11091 + * https://builds.shipilev.net/backports-monitor/release-notes-11.0.9.1.txt + +* Regression fixes + - JDK-8250861: Crash in MinINode::Ideal(PhaseGVN*, bool) + New in release OpenJDK 11.0.9 (2020-10-20): =========================================== Live versions of these release notes can be found at: diff --git a/SOURCES/TestSecurityProperties.java b/SOURCES/TestSecurityProperties.java new file mode 100644 index 0000000..06a0b07 --- /dev/null +++ b/SOURCES/TestSecurityProperties.java @@ -0,0 +1,43 @@ +import java.io.File; +import java.io.FileInputStream; +import java.security.Security; +import java.util.Properties; + +public class TestSecurityProperties { + // JDK 11 + private static final String JDK_PROPS_FILE_JDK_11 = System.getProperty("java.home") + "/conf/security/java.security"; + // JDK 8 + private static final String JDK_PROPS_FILE_JDK_8 = System.getProperty("java.home") + "/lib/security/java.security"; + + public static void main(String[] args) { + Properties jdkProps = new Properties(); + loadProperties(jdkProps); + for (Object key: jdkProps.keySet()) { + String sKey = (String)key; + String securityVal = Security.getProperty(sKey); + String jdkSecVal = jdkProps.getProperty(sKey); + if (!securityVal.equals(jdkSecVal)) { + String msg = "Expected value '" + jdkSecVal + "' for key '" + + sKey + "'" + " but got value '" + securityVal + "'"; + throw new RuntimeException("Test failed! " + msg); + } else { + System.out.println("DEBUG: " + sKey + " = " + jdkSecVal + " as expected."); + } + } + System.out.println("TestSecurityProperties PASSED!"); + } + + private static void loadProperties(Properties props) { + String javaVersion = System.getProperty("java.version"); + System.out.println("Debug: Java version is " + javaVersion); + String propsFile = JDK_PROPS_FILE_JDK_11; + if (javaVersion.startsWith("1.8.0")) { + propsFile = JDK_PROPS_FILE_JDK_8; + } + try (FileInputStream fin = new FileInputStream(new File(propsFile))) { + props.load(fin); + } catch (Exception e) { + throw new RuntimeException("Test failed!", e); + } + } +} diff --git a/SOURCES/jdk8236512-pkcs11_incorrrect_session_closure.patch b/SOURCES/jdk8236512-pkcs11_incorrrect_session_closure.patch deleted file mode 100644 index bba7287..0000000 --- a/SOURCES/jdk8236512-pkcs11_incorrrect_session_closure.patch +++ /dev/null @@ -1,480 +0,0 @@ -# HG changeset patch -# User valeriep -# Date 1581468987 0 -# Wed Feb 12 00:56:27 2020 +0000 -# Node ID e47d22d82b0464720ccb7641e290080972b6ce88 -# Parent 5c41dc4c48f85e5a1e1ce6e3836b54674f273367 -8236512: PKCS11 Connection closed after Cipher.doFinal and NoPadding -Summary: Removed killSession() calls in certain impl classes when cancelling operations -Reviewed-by: xuelei - -diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11AEADCipher.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11AEADCipher.java ---- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11AEADCipher.java -+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11AEADCipher.java -@@ -1,4 +1,5 @@ --/* Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. -+/* -+ * Copyright (c) 2019, 2020, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -334,25 +335,25 @@ - } - - private void cancelOperation() { -+ // cancel operation by finishing it; avoid killSession as some -+ // hardware vendors may require re-login -+ int bufLen = doFinalLength(0); -+ byte[] buffer = new byte[bufLen]; -+ byte[] in = dataBuffer.toByteArray(); -+ int inLen = in.length; - try { -- if (session.hasObjects() == false) { -- session = token.killSession(session); -- return; -+ if (encrypt) { -+ token.p11.C_Encrypt(session.id(), 0, in, 0, inLen, -+ 0, buffer, 0, bufLen); - } else { -- // cancel operation by finishing it -- int bufLen = doFinalLength(0); -- byte[] buffer = new byte[bufLen]; -- -- if (encrypt) { -- token.p11.C_Encrypt(session.id(), 0, buffer, 0, bufLen, -- 0, buffer, 0, bufLen); -- } else { -- token.p11.C_Decrypt(session.id(), 0, buffer, 0, bufLen, -- 0, buffer, 0, bufLen); -- } -+ token.p11.C_Decrypt(session.id(), 0, in, 0, inLen, -+ 0, buffer, 0, bufLen); - } - } catch (PKCS11Exception e) { -- throw new ProviderException("Cancel failed", e); -+ if (encrypt) { -+ throw new ProviderException("Cancel failed", e); -+ } -+ // ignore failure for decryption - } - } - -@@ -434,18 +435,21 @@ - if (!initialized) { - return; - } -+ initialized = false; -+ - try { - if (session == null) { - return; - } -+ - if (doCancel && token.explicitCancel) { - cancelOperation(); - } - } finally { - p11Key.releaseKeyID(); - session = token.releaseSession(session); -+ dataBuffer.reset(); - } -- initialized = false; - } - - // see JCE spec -diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java ---- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java -+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -409,10 +409,12 @@ - return; - } - initialized = false; -+ - try { - if (session == null) { - return; - } -+ - if (doCancel && token.explicitCancel) { - cancelOperation(); - } -@@ -426,22 +428,21 @@ - - private void cancelOperation() { - token.ensureValid(); -- if (session.hasObjects() == false) { -- session = token.killSession(session); -- return; -- } else { -- try { -- // cancel operation by finishing it -- int bufLen = doFinalLength(0); -- byte[] buffer = new byte[bufLen]; -- if (encrypt) { -- token.p11.C_EncryptFinal(session.id(), 0, buffer, 0, bufLen); -- } else { -- token.p11.C_DecryptFinal(session.id(), 0, buffer, 0, bufLen); -- } -- } catch (PKCS11Exception e) { -+ // cancel operation by finishing it; avoid killSession as some -+ // hardware vendors may require re-login -+ try { -+ int bufLen = doFinalLength(0); -+ byte[] buffer = new byte[bufLen]; -+ if (encrypt) { -+ token.p11.C_EncryptFinal(session.id(), 0, buffer, 0, bufLen); -+ } else { -+ token.p11.C_DecryptFinal(session.id(), 0, buffer, 0, bufLen); -+ } -+ } catch (PKCS11Exception e) { -+ if (encrypt) { - throw new ProviderException("Cancel failed", e); - } -+ // ignore failure for decryption - } - } - -diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java ---- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java -+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -124,10 +124,12 @@ - return; - } - initialized = false; -+ - try { - if (session == null) { - return; - } -+ - if (doCancel && token.explicitCancel) { - cancelOperation(); - } -@@ -139,15 +141,12 @@ - - private void cancelOperation() { - token.ensureValid(); -- if (session.hasObjects() == false) { -- session = token.killSession(session); -- return; -- } else { -- try { -- token.p11.C_SignFinal(session.id(), 0); -- } catch (PKCS11Exception e) { -- throw new ProviderException("Cancel failed", e); -- } -+ // cancel operation by finishing it; avoid killSession as some -+ // hardware vendors may require re-login -+ try { -+ token.p11.C_SignFinal(session.id(), 0); -+ } catch (PKCS11Exception e) { -+ throw new ProviderException("Cancel failed", e); - } - } - -@@ -209,7 +208,6 @@ - ensureInitialized(); - return token.p11.C_SignFinal(session.id(), 0); - } catch (PKCS11Exception e) { -- reset(true); - throw new ProviderException("doFinal() failed", e); - } finally { - reset(false); -diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java ---- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java -+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2019, 2020, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -223,10 +223,12 @@ - return; - } - initialized = false; -+ - try { - if (session == null) { - return; - } -+ - if (doCancel && token.explicitCancel) { - cancelOperation(); - } -@@ -242,14 +244,10 @@ - token.ensureValid(); - if (DEBUG) System.out.print("Cancelling operation"); - -- if (session.hasObjects() == false) { -- if (DEBUG) System.out.println(" by killing session"); -- session = token.killSession(session); -- return; -- } -- // "cancel" operation by finishing it -- if (mode == M_SIGN) { -- try { -+ // cancel operation by finishing it; avoid killSession as some -+ // hardware vendors may require re-login -+ try { -+ if (mode == M_SIGN) { - if (type == T_UPDATE) { - if (DEBUG) System.out.println(" by C_SignFinal"); - token.p11.C_SignFinal(session.id(), 0); -@@ -259,11 +257,7 @@ - if (DEBUG) System.out.println(" by C_Sign"); - token.p11.C_Sign(session.id(), digest); - } -- } catch (PKCS11Exception e) { -- throw new ProviderException("cancel failed", e); -- } -- } else { // M_VERIFY -- try { -+ } else { // M_VERIFY - byte[] signature = - new byte[(p11Key.length() + 7) >> 3]; - if (type == T_UPDATE) { -@@ -275,10 +269,12 @@ - if (DEBUG) System.out.println(" by C_Verify"); - token.p11.C_Verify(session.id(), digest, signature); - } -- } catch (PKCS11Exception e) { -- // will fail since the signature is incorrect -- // XXX check error code - } -+ } catch (PKCS11Exception e) { -+ if (mode == M_SIGN) { -+ throw new ProviderException("cancel failed", e); -+ } -+ // ignore failure for verification - } - } - -diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11RSACipher.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11RSACipher.java ---- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11RSACipher.java -+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11RSACipher.java -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -247,10 +247,12 @@ - return; - } - initialized = false; -+ - try { - if (session == null) { - return; - } -+ - if (doCancel && token.explicitCancel) { - cancelOperation(); - } -@@ -264,36 +266,33 @@ - // state variables such as "initialized" - private void cancelOperation() { - token.ensureValid(); -- if (session.hasObjects() == false) { -- session = token.killSession(session); -- return; -- } else { -- try { -- PKCS11 p11 = token.p11; -- int inLen = maxInputSize; -- int outLen = buffer.length; -- long sessId = session.id(); -- switch (mode) { -- case MODE_ENCRYPT: -- p11.C_Encrypt(sessId, 0, buffer, 0, inLen, 0, buffer, 0, outLen); -- break; -- case MODE_DECRYPT: -- p11.C_Decrypt(sessId, 0, buffer, 0, inLen, 0, buffer, 0, outLen); -- break; -- case MODE_SIGN: -- byte[] tmpBuffer = new byte[maxInputSize]; -- p11.C_Sign(sessId, tmpBuffer); -- break; -- case MODE_VERIFY: -- p11.C_VerifyRecover(sessId, buffer, 0, inLen, buffer, -- 0, outLen); -- break; -- default: -- throw new ProviderException("internal error"); -- } -- } catch (PKCS11Exception e) { -- // XXX ensure this always works, ignore error -+ // cancel operation by finishing it; avoid killSession as some -+ // hardware vendors may require re-login -+ try { -+ PKCS11 p11 = token.p11; -+ int inLen = maxInputSize; -+ int outLen = buffer.length; -+ long sessId = session.id(); -+ switch (mode) { -+ case MODE_ENCRYPT: -+ p11.C_Encrypt(sessId, 0, buffer, 0, inLen, 0, buffer, 0, outLen); -+ break; -+ case MODE_DECRYPT: -+ p11.C_Decrypt(sessId, 0, buffer, 0, inLen, 0, buffer, 0, outLen); -+ break; -+ case MODE_SIGN: -+ byte[] tmpBuffer = new byte[maxInputSize]; -+ p11.C_Sign(sessId, tmpBuffer); -+ break; -+ case MODE_VERIFY: -+ p11.C_VerifyRecover(sessId, buffer, 0, inLen, buffer, -+ 0, outLen); -+ break; -+ default: -+ throw new ProviderException("internal error"); - } -+ } catch (PKCS11Exception e) { -+ // XXX ensure this always works, ignore error - } - } - -@@ -362,6 +361,7 @@ - private int implDoFinal(byte[] out, int outOfs, int outLen) - throws BadPaddingException, IllegalBlockSizeException { - if (bufOfs > maxInputSize) { -+ reset(true); - throw new IllegalBlockSizeException("Data must not be longer " - + "than " + maxInputSize + " bytes"); - } -diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java ---- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java -+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java -@@ -1,5 +1,5 @@ - /* -- * Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved. -+ * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved. - * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. - * - * This code is free software; you can redistribute it and/or modify it -@@ -270,10 +270,12 @@ - return; - } - initialized = false; -+ - try { - if (session == null) { - return; - } -+ - if (doCancel && token.explicitCancel) { - cancelOperation(); - } -@@ -284,59 +286,51 @@ - } - - private void cancelOperation() { -- - token.ensureValid(); -- if (session.hasObjects() == false) { -- session = token.killSession(session); -- return; -- } else { -- // "cancel" operation by finishing it -- // XXX make sure all this always works correctly -+ // cancel operation by finishing it; avoid killSession as some -+ // hardware vendors may require re-login -+ try { - if (mode == M_SIGN) { -- try { -- if (type == T_UPDATE) { -- token.p11.C_SignFinal(session.id(), 0); -- } else { -- byte[] digest; -- if (type == T_DIGEST) { -- digest = md.digest(); -- } else { // T_RAW -- digest = buffer; -- } -- token.p11.C_Sign(session.id(), digest); -+ if (type == T_UPDATE) { -+ token.p11.C_SignFinal(session.id(), 0); -+ } else { -+ byte[] digest; -+ if (type == T_DIGEST) { -+ digest = md.digest(); -+ } else { // T_RAW -+ digest = buffer; - } -- } catch (PKCS11Exception e) { -- throw new ProviderException("cancel failed", e); -+ token.p11.C_Sign(session.id(), digest); - } - } else { // M_VERIFY - byte[] signature; -- try { -- if (keyAlgorithm.equals("DSA")) { -- signature = new byte[40]; -- } else { -- signature = new byte[(p11Key.length() + 7) >> 3]; -+ if (keyAlgorithm.equals("DSA")) { -+ signature = new byte[40]; -+ } else { -+ signature = new byte[(p11Key.length() + 7) >> 3]; -+ } -+ if (type == T_UPDATE) { -+ token.p11.C_VerifyFinal(session.id(), signature); -+ } else { -+ byte[] digest; -+ if (type == T_DIGEST) { -+ digest = md.digest(); -+ } else { // T_RAW -+ digest = buffer; - } -- if (type == T_UPDATE) { -- token.p11.C_VerifyFinal(session.id(), signature); -- } else { -- byte[] digest; -- if (type == T_DIGEST) { -- digest = md.digest(); -- } else { // T_RAW -- digest = buffer; -- } -- token.p11.C_Verify(session.id(), digest, signature); -- } -- } catch (PKCS11Exception e) { -- long errorCode = e.getErrorCode(); -- if ((errorCode == CKR_SIGNATURE_INVALID) || -- (errorCode == CKR_SIGNATURE_LEN_RANGE)) { -- // expected since signature is incorrect -- return; -- } -- throw new ProviderException("cancel failed", e); -+ token.p11.C_Verify(session.id(), digest, signature); - } - } -+ } catch (PKCS11Exception e) { -+ if (mode == M_VERIFY) { -+ long errorCode = e.getErrorCode(); -+ if ((errorCode == CKR_SIGNATURE_INVALID) || -+ (errorCode == CKR_SIGNATURE_LEN_RANGE)) { -+ // expected since signature is incorrect -+ return; -+ } -+ } -+ throw new ProviderException("cancel failed", e); - } - } - diff --git a/SOURCES/jdk8250861-rh1895274-crash_in_MinINode_Ideal.patch b/SOURCES/jdk8250861-rh1895274-crash_in_MinINode_Ideal.patch deleted file mode 100644 index b00022f..0000000 --- a/SOURCES/jdk8250861-rh1895274-crash_in_MinINode_Ideal.patch +++ /dev/null @@ -1,32 +0,0 @@ - -# HG changeset patch -# User thartmann -# Date 1604482955 -3600 -# Node ID 27723943c0dd65a191cbefe031cec001521e4b13 -# Parent e9d90c9daf895b469b461b727b6887e7780b4ac2 -8250861: Crash in MinINode::Ideal(PhaseGVN*, bool) -Summary: Added missing NULL checks. -Reviewed-by: kvn, chagedorn - -diff -r e9d90c9daf89 -r 27723943c0dd src/hotspot/share/opto/addnode.cpp ---- a/src/hotspot/share/opto/addnode.cpp Mon Nov 02 20:20:05 2020 +0100 -+++ b/src/hotspot/share/opto/addnode.cpp Wed Nov 04 10:42:35 2020 +0100 -@@ -917,7 +917,7 @@ - - // Transform MIN2(x + c0, MIN2(x + c1, z)) into MIN2(x + MIN2(c0, c1), z) - // if x == y and the additions can't overflow. -- if (phase->eqv(x,y) && -+ if (phase->eqv(x,y) && tx != NULL && - !can_overflow(tx, x_off) && - !can_overflow(tx, y_off)) { - return new MinINode(phase->transform(new AddINode(x, phase->intcon(MIN2(x_off, y_off)))), r->in(2)); -@@ -925,7 +925,7 @@ - } else { - // Transform MIN2(x + c0, y + c1) into x + MIN2(c0, c1) - // if x == y and the additions can't overflow. -- if (phase->eqv(x,y) && -+ if (phase->eqv(x,y) && tx != NULL && - !can_overflow(tx, x_off) && - !can_overflow(tx, y_off)) { - return new AddINode(x,phase->intcon(MIN2(x_off,y_off))); - diff --git a/SOURCES/jdk8254177-tzdata2020b.patch b/SOURCES/jdk8254177-tzdata2020b.patch deleted file mode 100644 index a9f3282..0000000 --- a/SOURCES/jdk8254177-tzdata2020b.patch +++ /dev/null @@ -1,2041 +0,0 @@ -# 8254177: (tz) Upgrade time-zone data to tzdata2020b - -diff --git a/make/data/tzdata/VERSION b/make/data/tzdata/VERSION ---- a/make/data/tzdata/VERSION -+++ b/make/data/tzdata/VERSION -@@ -21,4 +21,4 @@ - # or visit www.oracle.com if you need additional information or have any - # questions. - # --tzdata2020a -+tzdata2020b -diff --git a/make/data/tzdata/africa b/make/data/tzdata/africa ---- a/make/data/tzdata/africa -+++ b/make/data/tzdata/africa -@@ -87,7 +87,7 @@ - # Corrections are welcome. - - # Algeria --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Algeria 1916 only - Jun 14 23:00s 1:00 S - Rule Algeria 1916 1919 - Oct Sun>=1 23:00s 0 - - Rule Algeria 1917 only - Mar 24 23:00s 1:00 S -@@ -110,10 +110,9 @@ - Rule Algeria 1978 only - Sep 22 3:00 0 - - Rule Algeria 1980 only - Apr 25 0:00 1:00 S - Rule Algeria 1980 only - Oct 31 2:00 0 - --# Shanks & Pottenger give 0:09:20 for Paris Mean Time; go with Howse's --# more precise 0:09:21. -+# See Europe/Paris for PMT-related transitions. - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone Africa/Algiers 0:12:12 - LMT 1891 Mar 15 0:01 -+Zone Africa/Algiers 0:12:12 - LMT 1891 Mar 16 - 0:09:21 - PMT 1911 Mar 11 # Paris Mean Time - 0:00 Algeria WE%sT 1940 Feb 25 2:00 - 1:00 Algeria CE%sT 1946 Oct 7 -@@ -199,7 +198,7 @@ - # Egypt was mean noon at the Great Pyramid, 2:04:30.5, but apparently this - # did not apply to Cairo, Alexandria, or Port Said. - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Egypt 1940 only - Jul 15 0:00 1:00 S - Rule Egypt 1940 only - Oct 1 0:00 0 - - Rule Egypt 1941 only - Apr 15 0:00 1:00 S -@@ -434,7 +433,7 @@ - # now Ghana observed different DST regimes in different years. For - # lack of better info, use Shanks except treat the minus sign as a - # typo, and assume DST started in 1920 not 1936. --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Ghana 1920 1942 - Sep 1 0:00 0:20 - - Rule Ghana 1920 1942 - Dec 31 0:00 0 - - # Zone NAME STDOFF RULES FORMAT [UNTIL] -@@ -524,7 +523,7 @@ - # From Paul Eggert (2013-10-25): - # For now, assume they're reverting to the pre-2012 rules of permanent UT +02. - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Libya 1951 only - Oct 14 2:00 1:00 S - Rule Libya 1952 only - Jan 1 0:00 0 - - Rule Libya 1953 only - Oct 9 2:00 1:00 S -@@ -647,7 +646,7 @@ - # "The trial ended on March 29, 2009, when the clocks moved back by one hour - # at 2am (or 02:00) local time..." - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Mauritius 1982 only - Oct 10 0:00 1:00 - - Rule Mauritius 1983 only - Mar 21 0:00 0 - - Rule Mauritius 2008 only - Oct lastSun 2:00 1:00 - -@@ -898,17 +897,30 @@ - # https://maroc-diplomatique.net/maroc-le-retour-a-lheure-gmt-est-prevu-dimanche-prochain/ - # http://aujourdhui.ma/actualite/gmt1-retour-a-lheure-normale-dimanche-prochain-1 - # --# From Paul Eggert (2020-04-14): -+# From Milamber (2020-05-31) -+# In Morocco (where I live), the end of Ramadan (Arabic month) is followed by -+# the Eid al-Fitr, and concretely it's 1 or 2 day offs for the people (with -+# traditional visiting of family, big lunches/dinners, etc.). So for this -+# year the astronomical calculations don't include the following 2 days off in -+# the calc. These 2 days fall in a Sunday/Monday, so it's not acceptable by -+# people to have a time shift during these 2 days off. Perhaps you can modify -+# the (predicted) rules for next years: if the end of Ramadan is a (probable) -+# Friday or Saturday (and so the 2 days off are on a weekend), the next time -+# shift will be the next weekend. -+# -+# From Paul Eggert (2020-05-31): - # For now, guess that in the future Morocco will fall back at 03:00 - # the last Sunday before Ramadan, and spring forward at 02:00 the --# first Sunday after the day after Ramadan. To implement this, --# transition dates for 2021 through 2087 were determined by running --# the following program under GNU Emacs 26.3. --# (let ((islamic-year 1442)) -+# first Sunday after two days after Ramadan. To implement this, -+# transition dates and times for 2019 through 2087 were determined by -+# running the following program under GNU Emacs 26.3. (This algorithm -+# also produces the correct transition dates for 2016 through 2018, -+# though the times differ due to Morocco's time zone change in 2018.) -+# (let ((islamic-year 1440)) - # (require 'cal-islam) - # (while (< islamic-year 1511) - # (let ((a (calendar-islamic-to-absolute (list 9 1 islamic-year))) --# (b (1+ (calendar-islamic-to-absolute (list 10 1 islamic-year)))) -+# (b (+ 2 (calendar-islamic-to-absolute (list 10 1 islamic-year)))) - # (sunday 0)) - # (while (/= sunday (mod (setq a (1- a)) 7))) - # (while (/= sunday (mod b 7)) -@@ -923,7 +935,7 @@ - # (car (cdr (cdr b))) (calendar-month-name (car b) t) (car (cdr b))))) - # (setq islamic-year (+ 1 islamic-year)))) - --# RULE NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Morocco 1939 only - Sep 12 0:00 1:00 - - Rule Morocco 1939 only - Nov 19 0:00 0 - - Rule Morocco 1940 only - Feb 25 0:00 1:00 - -@@ -974,7 +986,7 @@ - Rule Morocco 2022 only - Mar 27 3:00 -1:00 - - Rule Morocco 2022 only - May 8 2:00 0 - - Rule Morocco 2023 only - Mar 19 3:00 -1:00 - --Rule Morocco 2023 only - Apr 23 2:00 0 - -+Rule Morocco 2023 only - Apr 30 2:00 0 - - Rule Morocco 2024 only - Mar 10 3:00 -1:00 - - Rule Morocco 2024 only - Apr 14 2:00 0 - - Rule Morocco 2025 only - Feb 23 3:00 -1:00 - -@@ -990,7 +1002,7 @@ - Rule Morocco 2029 only - Dec 30 3:00 -1:00 - - Rule Morocco 2030 only - Feb 10 2:00 0 - - Rule Morocco 2030 only - Dec 22 3:00 -1:00 - --Rule Morocco 2031 only - Jan 26 2:00 0 - -+Rule Morocco 2031 only - Feb 2 2:00 0 - - Rule Morocco 2031 only - Dec 14 3:00 -1:00 - - Rule Morocco 2032 only - Jan 18 2:00 0 - - Rule Morocco 2032 only - Nov 28 3:00 -1:00 - -@@ -1006,7 +1018,7 @@ - Rule Morocco 2037 only - Oct 4 3:00 -1:00 - - Rule Morocco 2037 only - Nov 15 2:00 0 - - Rule Morocco 2038 only - Sep 26 3:00 -1:00 - --Rule Morocco 2038 only - Oct 31 2:00 0 - -+Rule Morocco 2038 only - Nov 7 2:00 0 - - Rule Morocco 2039 only - Sep 18 3:00 -1:00 - - Rule Morocco 2039 only - Oct 23 2:00 0 - - Rule Morocco 2040 only - Sep 2 3:00 -1:00 - -@@ -1022,7 +1034,7 @@ - Rule Morocco 2045 only - Jul 9 3:00 -1:00 - - Rule Morocco 2045 only - Aug 20 2:00 0 - - Rule Morocco 2046 only - Jul 1 3:00 -1:00 - --Rule Morocco 2046 only - Aug 5 2:00 0 - -+Rule Morocco 2046 only - Aug 12 2:00 0 - - Rule Morocco 2047 only - Jun 23 3:00 -1:00 - - Rule Morocco 2047 only - Jul 28 2:00 0 - - Rule Morocco 2048 only - Jun 7 3:00 -1:00 - -@@ -1038,7 +1050,7 @@ - Rule Morocco 2053 only - Apr 13 3:00 -1:00 - - Rule Morocco 2053 only - May 25 2:00 0 - - Rule Morocco 2054 only - Apr 5 3:00 -1:00 - --Rule Morocco 2054 only - May 10 2:00 0 - -+Rule Morocco 2054 only - May 17 2:00 0 - - Rule Morocco 2055 only - Mar 28 3:00 -1:00 - - Rule Morocco 2055 only - May 2 2:00 0 - - Rule Morocco 2056 only - Mar 12 3:00 -1:00 - -@@ -1054,7 +1066,7 @@ - Rule Morocco 2061 only - Jan 16 3:00 -1:00 - - Rule Morocco 2061 only - Feb 27 2:00 0 - - Rule Morocco 2062 only - Jan 8 3:00 -1:00 - --Rule Morocco 2062 only - Feb 12 2:00 0 - -+Rule Morocco 2062 only - Feb 19 2:00 0 - - Rule Morocco 2062 only - Dec 31 3:00 -1:00 - - Rule Morocco 2063 only - Feb 4 2:00 0 - - Rule Morocco 2063 only - Dec 16 3:00 -1:00 - -@@ -1070,7 +1082,7 @@ - Rule Morocco 2068 only - Oct 21 3:00 -1:00 - - Rule Morocco 2068 only - Dec 2 2:00 0 - - Rule Morocco 2069 only - Oct 13 3:00 -1:00 - --Rule Morocco 2069 only - Nov 17 2:00 0 - -+Rule Morocco 2069 only - Nov 24 2:00 0 - - Rule Morocco 2070 only - Oct 5 3:00 -1:00 - - Rule Morocco 2070 only - Nov 9 2:00 0 - - Rule Morocco 2071 only - Sep 20 3:00 -1:00 - -@@ -1086,7 +1098,7 @@ - Rule Morocco 2076 only - Jul 26 3:00 -1:00 - - Rule Morocco 2076 only - Sep 6 2:00 0 - - Rule Morocco 2077 only - Jul 18 3:00 -1:00 - --Rule Morocco 2077 only - Aug 22 2:00 0 - -+Rule Morocco 2077 only - Aug 29 2:00 0 - - Rule Morocco 2078 only - Jul 10 3:00 -1:00 - - Rule Morocco 2078 only - Aug 14 2:00 0 - - Rule Morocco 2079 only - Jun 25 3:00 -1:00 - -@@ -1096,13 +1108,13 @@ - Rule Morocco 2081 only - Jun 1 3:00 -1:00 - - Rule Morocco 2081 only - Jul 13 2:00 0 - - Rule Morocco 2082 only - May 24 3:00 -1:00 - --Rule Morocco 2082 only - Jun 28 2:00 0 - -+Rule Morocco 2082 only - Jul 5 2:00 0 - - Rule Morocco 2083 only - May 16 3:00 -1:00 - - Rule Morocco 2083 only - Jun 20 2:00 0 - - Rule Morocco 2084 only - Apr 30 3:00 -1:00 - - Rule Morocco 2084 only - Jun 11 2:00 0 - - Rule Morocco 2085 only - Apr 22 3:00 -1:00 - --Rule Morocco 2085 only - May 27 2:00 0 - -+Rule Morocco 2085 only - Jun 3 2:00 0 - - Rule Morocco 2086 only - Apr 14 3:00 -1:00 - - Rule Morocco 2086 only - May 19 2:00 0 - - Rule Morocco 2087 only - Mar 30 3:00 -1:00 - -@@ -1203,7 +1215,7 @@ - # Use plain "WAT" and "CAT" for the time zone abbreviations, to be compatible - # with Namibia's neighbors. - --# RULE NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - # Vanguard section, for zic and other parsers that support negative DST. - Rule Namibia 1994 only - Mar 21 0:00 -1:00 WAT - Rule Namibia 1994 2017 - Sep Sun>=1 2:00 0 CAT -@@ -1326,7 +1338,7 @@ - # See Africa/Nairobi. - - # South Africa --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule SA 1942 1943 - Sep Sun>=15 2:00 1:00 - - Rule SA 1943 1944 - Mar Sun>=15 2:00 0 - - # Zone NAME STDOFF RULES FORMAT [UNTIL] -@@ -1359,7 +1371,7 @@ - # Abdalla of NTC, archived at: - # https://mm.icann.org/pipermail/tz/2017-October/025333.html - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Sudan 1970 only - May 1 0:00 1:00 S - Rule Sudan 1970 1985 - Oct 15 0:00 0 - - Rule Sudan 1971 only - Apr 30 0:00 1:00 S -@@ -1447,7 +1459,7 @@ - # http://www.almadenahnews.com/newss/news.php?c=118&id=38036 - # http://www.worldtimezone.com/dst_news/dst_news_tunis02.html - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Tunisia 1939 only - Apr 15 23:00s 1:00 S - Rule Tunisia 1939 only - Nov 18 23:00s 0 - - Rule Tunisia 1940 only - Feb 25 23:00s 1:00 S -@@ -1474,9 +1486,7 @@ - Rule Tunisia 2006 2008 - Mar lastSun 2:00s 1:00 S - Rule Tunisia 2006 2008 - Oct lastSun 2:00s 0 - - --# Shanks & Pottenger give 0:09:20 for Paris Mean Time; go with Howse's --# more precise 0:09:21. --# Shanks & Pottenger say the 1911 switch was on Mar 9; go with Howse's Mar 11. -+# See Europe/Paris for PMT-related transitions. - # Zone NAME STDOFF RULES FORMAT [UNTIL] - Zone Africa/Tunis 0:40:44 - LMT 1881 May 12 - 0:09:21 - PMT 1911 Mar 11 # Paris Mean Time -diff --git a/make/data/tzdata/antarctica b/make/data/tzdata/antarctica ---- a/make/data/tzdata/antarctica -+++ b/make/data/tzdata/antarctica -@@ -93,15 +93,30 @@ - # Australian Antarctica Division informed us that Casey changed time - # zone to UTC+11 in "the morning of 22nd October 2016". - -+# From Steffen Thorsen (2020-10-02, as corrected): -+# Based on information we have received from the Australian Antarctic -+# Division, Casey station and Macquarie Island station will move to Tasmanian -+# daylight savings time on Sunday 4 October. This will take effect from 0001 -+# hrs on Sunday 4 October 2020 and will mean Casey and Macquarie Island will -+# be on the same time zone as Hobart. Some past dates too for this 3 hour -+# time change back and forth between UTC+8 and UTC+11 for Casey: -+# - 2018 Oct 7 4:00 - 2019 Mar 17 3:00 - 2019 Oct 4 3:00 - 2020 Mar 8 3:00 -+# and now - 2020 Oct 4 0:01 -+ - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone Antarctica/Casey 0 - -00 1969 -- 8:00 - +08 2009 Oct 18 2:00 -+Zone Antarctica/Casey 0 - -00 1969 -+ 8:00 - +08 2009 Oct 18 2:00 - 11:00 - +11 2010 Mar 5 2:00 -- 8:00 - +08 2011 Oct 28 2:00 -+ 8:00 - +08 2011 Oct 28 2:00 - 11:00 - +11 2012 Feb 21 17:00u -- 8:00 - +08 2016 Oct 22 -+ 8:00 - +08 2016 Oct 22 - 11:00 - +11 2018 Mar 11 4:00 -- 8:00 - +08 -+ 8:00 - +08 2018 Oct 7 4:00 -+ 11:00 - +11 2019 Mar 17 3:00 -+ 8:00 - +08 2019 Oct 4 3:00 -+ 11:00 - +11 2020 Mar 8 3:00 -+ 8:00 - +08 2020 Oct 4 0:01 -+ 11:00 - +11 - Zone Antarctica/Davis 0 - -00 1957 Jan 13 - 7:00 - +07 1964 Nov - 0 - -00 1969 Feb -@@ -247,7 +262,7 @@ - # suggested by Bengt-Inge Larsson comment them out for now, and approximate - # with only UTC and CEST. Uncomment them when 2014b is more prevalent. - # --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - #Rule Troll 2005 max - Mar 1 1:00u 1:00 +01 - Rule Troll 2005 max - Mar lastSun 1:00u 2:00 +02 - #Rule Troll 2005 max - Oct lastSun 1:00u 1:00 +01 -diff --git a/make/data/tzdata/asia b/make/data/tzdata/asia ---- a/make/data/tzdata/asia -+++ b/make/data/tzdata/asia -@@ -93,7 +93,7 @@ - ############################################################################### - - # These rules are stolen from the 'europe' file. --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule EUAsia 1981 max - Mar lastSun 1:00u 1:00 S - Rule EUAsia 1979 1995 - Sep lastSun 1:00u 0 - - Rule EUAsia 1996 max - Oct lastSun 1:00u 0 - -@@ -137,7 +137,7 @@ - # or - # (brief) - # http://www.worldtimezone.com/dst_news/dst_news_armenia03.html --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Armenia 2011 only - Mar lastSun 2:00s 1:00 - - Rule Armenia 2011 only - Oct lastSun 2:00s 0 - - # Zone NAME STDOFF RULES FORMAT [UNTIL] -@@ -163,7 +163,7 @@ - # http://vestnikkavkaza.net/news/Azerbaijani-Cabinet-of-Ministers-cancels-daylight-saving-time.html - # http://en.apa.az/xeber_azerbaijan_abolishes_daylight_savings_ti_240862.html - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Azer 1997 2015 - Mar lastSun 4:00 1:00 - - Rule Azer 1997 2015 - Oct lastSun 5:00 0 - - # Zone NAME STDOFF RULES FORMAT [UNTIL] -@@ -250,7 +250,7 @@ - # http://www.thedailystar.net/newDesign/latest_news.php?nid=22817 - # http://www.worldtimezone.com/dst_news/dst_news_bangladesh06.html - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Dhaka 2009 only - Jun 19 23:00 1:00 - - Rule Dhaka 2009 only - Dec 31 24:00 0 - - -@@ -326,7 +326,7 @@ - # generally esteemed a success, it was announced early in 1920 that it would - # not be repeated." - # --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Shang 1919 only - Apr 12 24:00 1:00 D - Rule Shang 1919 only - Sep 30 24:00 0 S - -@@ -422,7 +422,7 @@ - # the Yangtze river delta area during that period of time although the scope - # of such use will need to be investigated to determine. - # --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Shang 1940 only - Jun 1 0:00 1:00 D - Rule Shang 1940 only - Oct 12 24:00 0 S - Rule Shang 1941 only - Mar 15 0:00 1:00 D -@@ -485,7 +485,7 @@ - # to begin on 17 April. - # http://data.people.com.cn/pic/101p/1988/04/1988041201.jpg - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule PRC 1986 only - May 4 2:00 1:00 D - Rule PRC 1986 1991 - Sep Sun>=11 2:00 0 S - Rule PRC 1987 1991 - Apr Sun>=11 2:00 1:00 D -@@ -869,7 +869,7 @@ - # or dates for the 1942 and 1945 transitions. - # The Japanese occupation of Hong Kong began 1941-12-25. - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule HK 1946 only - Apr 21 0:00 1:00 S - Rule HK 1946 only - Dec 1 3:30s 0 - - Rule HK 1947 only - Apr 13 3:30s 1:00 S -@@ -996,7 +996,7 @@ - # until 1945-09-21 at 01:00, overriding Shanks & Pottenger. - # Likewise, use Yu-Cheng Chuang's data for DST in Taiwan. - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Taiwan 1946 only - May 15 0:00 1:00 D - Rule Taiwan 1946 only - Oct 1 0:00 0 S - Rule Taiwan 1947 only - Apr 15 0:00 1:00 D -@@ -1122,7 +1122,7 @@ - # The 1904 decree says that Macau changed from the meridian of - # Fortaleza do Monte, presumably the basis for the 7:34:10 for LMT. - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Macau 1942 1943 - Apr 30 23:00 1:00 - - Rule Macau 1942 only - Nov 17 23:00 0 - - Rule Macau 1943 only - Sep 30 23:00 0 S -@@ -1180,7 +1180,7 @@ - # Cyprus to remain united in time. Cyprus Mail 2017-10-17. - # https://cyprus-mail.com/2017/10/17/cyprus-remain-united-time/ - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Cyprus 1975 only - Apr 13 0:00 1:00 S - Rule Cyprus 1975 only - Oct 12 0:00 0 - - Rule Cyprus 1976 only - May 15 0:00 1:00 S -@@ -1557,7 +1557,7 @@ - # be changed back to its previous state on the 24 hours of the - # thirtieth day of Shahrivar. - # --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Iran 1978 1980 - Mar 20 24:00 1:00 - - Rule Iran 1978 only - Oct 20 24:00 0 - - Rule Iran 1979 only - Sep 18 24:00 0 - -@@ -1699,7 +1699,7 @@ - # We have published a short article in English about the change: - # https://www.timeanddate.com/news/time/iraq-dumps-daylight-saving.html - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Iraq 1982 only - May 1 0:00 1:00 - - Rule Iraq 1982 1984 - Oct 1 0:00 0 - - Rule Iraq 1983 only - Mar 31 0:00 1:00 - -@@ -1722,6 +1722,10 @@ - - # Israel - -+# For more info about the motivation for DST in Israel, see: -+# Barak Y. Israel's Daylight Saving Time controversy. Israel Affairs. -+# 2020-08-11. https://doi.org/10.1080/13537121.2020.1806564 -+ - # From Ephraim Silverberg (2001-01-11): - # - # I coined "IST/IDT" circa 1988. Until then there were three -@@ -1743,7 +1747,7 @@ - # family is from India). - - # From Shanks & Pottenger: --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Zion 1940 only - Jun 1 0:00 1:00 D - Rule Zion 1942 1944 - Nov 1 0:00 0 S - Rule Zion 1943 only - Apr 1 2:00 1:00 D -@@ -1835,7 +1839,7 @@ - # (except in 2002) is three nights before Yom Kippur [Day of Atonement] - # (the eve of the 7th of Tishrei in the lunar Hebrew calendar). - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Zion 1989 only - Apr 30 0:00 1:00 D - Rule Zion 1989 only - Sep 3 0:00 0 S - Rule Zion 1990 only - Mar 25 0:00 1:00 D -@@ -1851,7 +1855,7 @@ - # Ministry of Interior, Jerusalem, Israel. The spokeswoman can be reached by - # calling the office directly at 972-2-6701447 or 972-2-6701448. - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Zion 1994 only - Apr 1 0:00 1:00 D - Rule Zion 1994 only - Aug 28 0:00 0 S - Rule Zion 1995 only - Mar 31 0:00 1:00 D -@@ -1871,7 +1875,7 @@ - # - # where YYYY is the relevant year. - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Zion 1996 only - Mar 15 0:00 1:00 D - Rule Zion 1996 only - Sep 16 0:00 0 S - Rule Zion 1997 only - Mar 21 0:00 1:00 D -@@ -1894,7 +1898,7 @@ - # - # ftp://ftp.cs.huji.ac.il/pub/tz/announcements/2000-2004.ps.gz - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Zion 2000 only - Apr 14 2:00 1:00 D - Rule Zion 2000 only - Oct 6 1:00 0 S - Rule Zion 2001 only - Apr 9 1:00 1:00 D -@@ -1916,7 +1920,7 @@ - # - # ftp://ftp.cs.huji.ac.il/pub/tz/announcements/2005+beyond.ps - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Zion 2005 2012 - Apr Fri<=1 2:00 1:00 D - Rule Zion 2005 only - Oct 9 2:00 0 S - Rule Zion 2006 only - Oct 1 2:00 0 S -@@ -1936,7 +1940,7 @@ - # As of 2013, DST starts at 02:00 on the Friday before the last Sunday - # in March. DST ends at 02:00 on the last Sunday of October. - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Zion 2013 max - Mar Fri>=23 2:00 1:00 D - Rule Zion 2013 max - Oct lastSun 2:00 0 S - -@@ -2036,7 +2040,7 @@ - # do in any POSIX or C platform. The "25:00" assumes zic from 2007 or later, - # which should be safe now. - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Japan 1948 only - May Sat>=1 24:00 1:00 D - Rule Japan 1948 1951 - Sep Sat>=8 25:00 0 S - Rule Japan 1949 only - Apr Sat>=1 24:00 1:00 D -@@ -2113,7 +2117,7 @@ - # From Paul Eggert (2013-12-11): - # As Steffen suggested, consider the past 21-month experiment to be DST. - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Jordan 1973 only - Jun 6 0:00 1:00 S - Rule Jordan 1973 1975 - Oct 1 0:00 0 - - Rule Jordan 1974 1977 - May 1 0:00 1:00 S -@@ -2439,7 +2443,7 @@ - # Our government cancels daylight saving time 6th of August 2005. - # From 2005-08-12 our GMT-offset is +6, w/o any daylight saving. - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Kyrgyz 1992 1996 - Apr Sun>=7 0:00s 1:00 - - Rule Kyrgyz 1992 1996 - Sep lastSun 0:00 0 - - Rule Kyrgyz 1997 2005 - Mar lastSun 2:30 1:00 - -@@ -2495,7 +2499,7 @@ - # follow and continued to use GMT+9:00 for interoperability. - - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule ROK 1948 only - Jun 1 0:00 1:00 D - Rule ROK 1948 only - Sep 12 24:00 0 S - Rule ROK 1949 only - Apr 3 0:00 1:00 D -@@ -2583,7 +2587,7 @@ - - - # Lebanon --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Lebanon 1920 only - Mar 28 0:00 1:00 S - Rule Lebanon 1920 only - Oct 25 0:00 0 - - Rule Lebanon 1921 only - Apr 3 0:00 1:00 S -@@ -2613,7 +2617,7 @@ - 2:00 Lebanon EE%sT - - # Malaysia --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule NBorneo 1935 1941 - Sep 14 0:00 0:20 - - Rule NBorneo 1935 1941 - Dec 14 0:00 0 - - # -@@ -2758,7 +2762,7 @@ - # September daylight saving time ends. Source: - # http://zasag.mn/news/view/8969 - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Mongol 1983 1984 - Apr 1 0:00 1:00 - - Rule Mongol 1983 only - Oct 1 0:00 0 - - # Shanks & Pottenger and IATA SSIM say 1990s switches occurred at 00:00, -@@ -2946,7 +2950,7 @@ - # "People laud PM's announcement to end DST" - # http://www.app.com.pk/en_/index.php?option=com_content&task=view&id=99374&Itemid=2 - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Pakistan 2002 only - Apr Sun>=2 0:00 1:00 S - Rule Pakistan 2002 only - Oct Sun>=2 0:00 0 - - Rule Pakistan 2008 only - Jun 1 0:00 1:00 S -@@ -3248,7 +3252,7 @@ - # From Tim Parenti (2016-10-19): - # Predict fall transitions on October's last Saturday at 01:00 from now on. - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule EgyptAsia 1957 only - May 10 0:00 1:00 S - Rule EgyptAsia 1957 1958 - Oct 1 0:00 0 - - Rule EgyptAsia 1958 only - May 1 0:00 1:00 S -@@ -3348,7 +3352,7 @@ - # influence of the sources. There is no current abbreviation for DST, - # so use "PDT", the usual American style. - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Phil 1936 only - Nov 1 0:00 1:00 D - Rule Phil 1937 only - Feb 1 0:00 0 S - Rule Phil 1954 only - Apr 12 0:00 1:00 D -@@ -3496,7 +3500,7 @@ - 5:30 - +0530 - - # Syria --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Syria 1920 1923 - Apr Sun>=15 2:00 1:00 S - Rule Syria 1920 1923 - Oct Sun>=1 2:00 0 - - Rule Syria 1962 only - Apr 29 2:00 1:00 S -diff --git a/make/data/tzdata/australasia b/make/data/tzdata/australasia ---- a/make/data/tzdata/australasia -+++ b/make/data/tzdata/australasia -@@ -36,7 +36,7 @@ - - # Please see the notes below for the controversy about "EST" versus "AEST" etc. - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Aus 1917 only - Jan 1 0:01 1:00 D - Rule Aus 1917 only - Mar 25 2:00 0 S - Rule Aus 1942 only - Jan 1 2:00 1:00 D -@@ -55,7 +55,7 @@ - 9:30 Aus AC%sT - # Western Australia - # --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule AW 1974 only - Oct lastSun 2:00s 1:00 D - Rule AW 1975 only - Mar Sun>=1 2:00s 0 S - Rule AW 1983 only - Oct lastSun 2:00s 1:00 D -@@ -93,7 +93,7 @@ - # applies to all of the Whitsundays. - # http://www.australia.gov.au/about-australia/australian-story/austn-islands - # --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule AQ 1971 only - Oct lastSun 2:00s 1:00 D - Rule AQ 1972 only - Feb lastSun 2:00s 0 S - Rule AQ 1989 1991 - Oct lastSun 2:00s 1:00 D -@@ -109,7 +109,7 @@ - 10:00 Holiday AE%sT - - # South Australia --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule AS 1971 1985 - Oct lastSun 2:00s 1:00 D - Rule AS 1986 only - Oct 19 2:00s 1:00 D - Rule AS 1987 2007 - Oct lastSun 2:00s 1:00 D -@@ -137,7 +137,7 @@ - # http://www.bom.gov.au/climate/averages/tables/dst_times.shtml - # says King Island didn't observe DST from WWII until late 1971. - # --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule AT 1967 only - Oct Sun>=1 2:00s 1:00 D - Rule AT 1968 only - Mar lastSun 2:00s 0 S - Rule AT 1968 1985 - Oct lastSun 2:00s 1:00 D -@@ -170,7 +170,7 @@ - 10:00 AT AE%sT - - # Victoria --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule AV 1971 1985 - Oct lastSun 2:00s 1:00 D - Rule AV 1972 only - Feb lastSun 2:00s 0 S - Rule AV 1973 1985 - Mar Sun>=1 2:00s 0 S -@@ -191,7 +191,7 @@ - 10:00 AV AE%sT - - # New South Wales --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule AN 1971 1985 - Oct lastSun 2:00s 1:00 D - Rule AN 1972 only - Feb 27 2:00s 0 S - Rule AN 1973 1981 - Mar Sun>=1 2:00s 0 S -@@ -220,7 +220,7 @@ - 9:30 AS AC%sT - - # Lord Howe Island --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule LH 1981 1984 - Oct lastSun 2:00 1:00 - - Rule LH 1982 1985 - Mar Sun>=1 2:00 0 - - Rule LH 1985 only - Oct lastSun 2:00 0:30 - -@@ -275,8 +275,9 @@ - 10:00 Aus AE%sT 1919 Apr 1 0:00s - 0 - -00 1948 Mar 25 - 10:00 Aus AE%sT 1967 -- 10:00 AT AE%sT 2010 Apr 4 3:00 -- 11:00 - +11 -+ 10:00 AT AE%sT 2010 -+ 10:00 1:00 AEDT 2011 -+ 10:00 AT AE%sT - - # Christmas - # Zone NAME STDOFF RULES FORMAT [UNTIL] -@@ -403,7 +404,7 @@ - # From Michael Deckers (2019-08-06): - # https://www.laws.gov.fj/LawsAsMade/downloadfile/848 - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Fiji 1998 1999 - Nov Sun>=1 2:00 1:00 - - Rule Fiji 1999 2000 - Feb lastSun 3:00 0 - - Rule Fiji 2009 only - Nov 29 2:00 1:00 - -@@ -432,7 +433,7 @@ - - # Guam - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - # http://guamlegislature.com/Public_Laws_5th/PL05-025.pdf - # http://documents.guam.gov/wp-content/uploads/E.O.-59-7-Guam-Daylight-Savings-Time-May-6-1959.pdf - Rule Guam 1959 only - Jun 27 2:00 1:00 D -@@ -543,7 +544,7 @@ - 12:00 - +12 - - # New Caledonia --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule NC 1977 1978 - Dec Sun>=1 0:00 1:00 - - Rule NC 1978 1979 - Feb 27 0:00 0 - - Rule NC 1996 only - Dec 1 2:00s 1:00 - -@@ -558,7 +559,7 @@ - - # New Zealand - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule NZ 1927 only - Nov 6 2:00 1:00 S - Rule NZ 1928 only - Mar 4 2:00 0 M - Rule NZ 1928 1933 - Oct Sun>=8 2:00 0:30 S -@@ -610,7 +611,7 @@ - - # Cook Is - # From Shanks & Pottenger: --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Cook 1978 only - Nov 12 0:00 0:30 - - Rule Cook 1979 1991 - Mar Sun>=1 0:00 0 - - Rule Cook 1979 1990 - Oct lastSun 0:00 0:30 - -@@ -755,7 +756,7 @@ - # That web page currently lists transitions for 2012/3 and 2013/4. - # Assume the pattern instituted in 2012 will continue indefinitely. - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule WS 2010 only - Sep lastSun 0:00 1 - - Rule WS 2011 only - Apr Sat>=1 4:00 0 - - Rule WS 2011 only - Sep lastSat 3:00 1 - -@@ -799,7 +800,7 @@ - 13:00 - +13 - - # Tonga --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Tonga 1999 only - Oct 7 2:00s 1:00 - - Rule Tonga 2000 only - Mar 19 2:00s 0 - - Rule Tonga 2000 2001 - Nov Sun>=1 2:00 1:00 - -@@ -880,7 +881,7 @@ - - - # Vanuatu --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Vanuatu 1983 only - Sep 25 0:00 1:00 - - Rule Vanuatu 1984 1991 - Mar Sun>=23 0:00 0 - - Rule Vanuatu 1984 only - Oct 23 0:00 1:00 - -diff --git a/make/data/tzdata/europe b/make/data/tzdata/europe ---- a/make/data/tzdata/europe -+++ b/make/data/tzdata/europe -@@ -411,7 +411,7 @@ - # http://www.irishstatutebook.ie/eli/1926/sro/919/made/en/print - # http://www.irishstatutebook.ie/eli/1947/sro/71/made/en/print - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - # Summer Time Act, 1916 - Rule GB-Eire 1916 only - May 21 2:00s 1:00 BST - Rule GB-Eire 1916 only - Oct 1 2:00s 0 GMT -@@ -552,7 +552,7 @@ - # The following is like GB-Eire and EU, except with standard time in - # summer and negative daylight saving time in winter. It is for when - # negative SAVE values are used. --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Eire 1971 only - Oct 31 2:00u -1:00 - - Rule Eire 1972 1980 - Mar Sun>=16 2:00u 0 - - Rule Eire 1972 1980 - Oct Sun>=23 2:00u -1:00 - -@@ -589,7 +589,7 @@ - # predecessor organization, the European Communities. - # For brevity they are called "EU rules" elsewhere in this file. - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule EU 1977 1980 - Apr Sun>=1 1:00u 1:00 S - Rule EU 1977 only - Sep lastSun 1:00u 0 - - Rule EU 1978 only - Oct 1 1:00u 0 - -@@ -629,13 +629,13 @@ - # corrected in version 2008d). The circumstantial evidence is simply the - # tz database itself, as seen below: - # --# Zone Europe/Paris 0:09:21 - LMT 1891 Mar 15 0:01 -+# Zone Europe/Paris ... - # 0:00 France WE%sT 1945 Sep 16 3:00 - # --# Zone Europe/Monaco 0:29:32 - LMT 1891 Mar 15 -+# Zone Europe/Monaco ... - # 0:00 France WE%sT 1945 Sep 16 3:00 - # --# Zone Europe/Belgrade 1:22:00 - LMT 1884 -+# Zone Europe/Belgrade ... - # 1:00 1:00 CEST 1945 Sep 16 2:00s - # - # Rule France 1945 only - Sep 16 3:00 0 - -@@ -681,7 +681,7 @@ - # - # The 1917-1921 decree URLs are from Alexander Belopolsky (2016-08-23). - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Russia 1917 only - Jul 1 23:00 1:00 MST # Moscow Summer Time - # - # Decree No. 142 (1917-12-22) http://istmat.info/node/28137 -@@ -795,7 +795,7 @@ - - - # Albania --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Albania 1940 only - Jun 16 0:00 1:00 S - Rule Albania 1942 only - Nov 2 3:00 0 - - Rule Albania 1943 only - Mar 29 2:00 1:00 S -@@ -849,7 +849,7 @@ - # In 1946 the end of DST was on Monday, 7 October 1946, at 3:00 am. - # Shanks had this right. Source: Die Weltpresse, 5. Oktober 1946, page 5. - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Austria 1920 only - Apr 5 2:00s 1:00 S - Rule Austria 1920 only - Sep 13 2:00s 0 - - Rule Austria 1946 only - Apr 14 2:00s 1:00 S -@@ -936,7 +936,7 @@ - # The 1918 rules are listed for completeness; they apply to unoccupied Belgium. - # Assume Brussels switched to WET in 1918 when the armistice took effect. - # --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Belgium 1918 only - Mar 9 0:00s 1:00 S - Rule Belgium 1918 1919 - Oct Sat>=1 23:00s 0 - - Rule Belgium 1919 only - Mar 1 23:00s 1:00 S -@@ -996,7 +996,7 @@ - # EET -> EETDST is in 03:00 Local time in last Sunday of March ... - # EETDST -> EET is in 04:00 Local time in last Sunday of October - # --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Bulg 1979 only - Mar 31 23:00 1:00 S - Rule Bulg 1979 only - Oct 1 1:00 0 - - Rule Bulg 1980 1982 - Apr Sat>=1 23:00 1:00 S -@@ -1028,7 +1028,7 @@ - # We know of no English-language name for historical Czech winter time; - # abbreviate it as "GMT", as it happened to be GMT. - # --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Czech 1945 only - Apr Mon>=1 2:00s 1:00 S - Rule Czech 1945 only - Oct 1 2:00s 0 - - Rule Czech 1946 only - May 6 2:00s 1:00 S -@@ -1084,7 +1084,7 @@ - # Hence the "02:00" of the 1980 law refers to standard time, not - # wall-clock time, and so the EU rules were in effect in 1980. - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Denmark 1916 only - May 14 23:00 1:00 S - Rule Denmark 1916 only - Sep 30 23:00 0 - - Rule Denmark 1940 only - May 15 0:00 1:00 S -@@ -1186,7 +1186,7 @@ - # http://naalakkersuisut.gl/~/media/Nanoq/Files/Attached%20Files/Engelske-tekster/Legislation/Executive%20Order%20National%20Park.rtf - # It is their only National Park. - # --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Thule 1991 1992 - Mar lastSun 2:00 1:00 D - Rule Thule 1991 1992 - Sep lastSun 2:00 0 S - Rule Thule 1993 2006 - Apr Sun>=1 2:00 1:00 D -@@ -1317,7 +1317,7 @@ - # From Paul Eggert (2014-06-14): - # Go with Oja over Shanks. - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Finland 1942 only - Apr 2 24:00 1:00 S - Rule Finland 1942 only - Oct 4 1:00 0 - - Rule Finland 1981 1982 - Mar lastSun 2:00 1:00 S -@@ -1349,10 +1349,58 @@ - # Françoise Gauquelin, Problèmes de l'heure résolus en astrologie, - # Guy Trédaniel, Paris 1987 - -+# From Michael Deckers (2020-06-11): -+# the law of 1891 -+# was published on 1891-03-15, so it could only take force on 1891-03-16. -+ -+# From Michael Deckers (2020-06-10): -+# Le Gaulois, 1911-03-11, page 1/6, online at -+# https://www.retronews.fr/societe/echo-de-presse/2018/01/29/1911-change-lheure-de-paris -+# ... [ Instantly, all pressure driven clock dials halted... Nine minutes and -+# twenty-one seconds later the hands resumed their circular motion. ] -+# There are also precise reports about how the change was prepared in train -+# stations: all the publicly visible clocks stopped at midnight railway time -+# (or were covered), only the chief of service had a watch, labeled -+# "Heure ancienne", that he kept running until it reached 00:04:21, when -+# he announced "Heure nouvelle". See the "Le Petit Journal 1911-03-11". -+# https://gallica.bnf.fr/ark:/12148/bpt6k6192911/f1.item.zoom -+# -+# From Michael Deckers (2020-06-12): -+# That "all French clocks stopped" for 00:09:21 is a misreading of French -+# newspapers; this sort of adjustment applies only to certain -+# remote-controlled clocks ("pendules pneumatiques", of which there existed -+# perhaps a dozen in Paris, and which simply could not be set back remotely), -+# but not to all the clocks in all French towns and villages. For instance, -+# the following story in the "Courrier de Saône-et-Loire" 1911-03-11, page 2: -+# only works if legal time was stepped back (was not monotone): ... -+# [One can observe that children who had been born at midnight less 5 -+# minutes and who had died at midnight of the old time, would turn out to -+# be dead before being born, time having been set back and having -+# suppressed 9 minutes and 25 seconds of their existence, that is, more -+# than they could spend.] -+# -+# From Paul Eggert (2020-06-12): -+# French time in railway stations was legally five minutes behind civil time, -+# which explains why railway "old time" ran to 00:04:21 instead of to 00:09:21. -+# The law's text (which Michael Deckers noted is at -+# ) says only that -+# at 1911-03-11 00:00 legal time was that of Paris mean time delayed by -+# nine minutes and twenty-one seconds, and does not say how the -+# transition from Paris mean time was to occur. -+# -+# tzdb has no way to represent stopped clocks. As the railway practice -+# was to keep a watch running on "old time" to decide when to restart -+# the other clocks, this could be modeled as a transition for "old time" at -+# 00:09:21. However, since the law was ambiguous and clocks outside railway -+# stations were probably done haphazardly with the popular impression being -+# that the transition was done at 00:00 "old time", simply leave the time -+# blank; this causes zic to default to 00:00 "old time" which is good enough. -+# Do something similar for the 1891-03-16 transition. There are similar -+# problems in Algiers, Monaco and Tunis. - - # - # Shank & Pottenger seem to use '24:00' ambiguously; resolve it with Whitman. --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule France 1916 only - Jun 14 23:00s 1:00 S - Rule France 1916 1919 - Oct Sun>=1 23:00s 0 - - Rule France 1917 only - Mar 24 23:00s 1:00 S -@@ -1412,13 +1460,11 @@ - # go with Excoffier's 28/3/76 0hUT and 25/9/76 23hUT. - Rule France 1976 only - Mar 28 1:00 1:00 S - Rule France 1976 only - Sep 26 1:00 0 - --# Shanks & Pottenger give 0:09:20 for Paris Mean Time, and Whitman 0:09:05, --# but Howse quotes the actual French legislation as saying 0:09:21. --# Go with Howse. Howse writes that the time in France was officially based -+# Howse writes that the time in France was officially based - # on PMT-0:09:21 until 1978-08-09, when the time base finally switched to UTC. - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone Europe/Paris 0:09:21 - LMT 1891 Mar 15 0:01 -- 0:09:21 - PMT 1911 Mar 11 0:01 # Paris MT -+Zone Europe/Paris 0:09:21 - LMT 1891 Mar 16 -+ 0:09:21 - PMT 1911 Mar 11 # Paris Mean Time - # Shanks & Pottenger give 1940 Jun 14 0:00; go with Excoffier and Le Corre. - 0:00 France WE%sT 1940 Jun 14 23:00 - # Le Corre says Paris stuck with occupied-France time after the liberation; -@@ -1447,7 +1493,7 @@ - # this was equivalent to UT +03, not +04. - - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Germany 1946 only - Apr 14 2:00s 1:00 S - Rule Germany 1946 only - Oct 7 2:00s 0 - - Rule Germany 1947 1949 - Oct Sun>=1 2:00s 0 - -@@ -1499,7 +1545,7 @@ - 1:00 EU CE%sT - - # Greece --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - # Whitman gives 1932 Jul 5 - Nov 1; go with Shanks & Pottenger. - Rule Greece 1932 only - Jul 7 0:00 1:00 S - Rule Greece 1932 only - Sep 1 0:00 0 - -@@ -1534,38 +1580,69 @@ - 2:00 EU EE%sT - - # Hungary --# From Paul Eggert (2014-07-15): --# Dates for 1916-1945 are taken from: --# Oross A. Jelen a múlt jövője: a nyári időszámítás Magyarországon 1916-1945. --# National Archives of Hungary (2012-10-29). --# http://mnl.gov.hu/a_het_dokumentuma/a_nyari_idoszamitas_magyarorszagon_19161945.html --# This source does not always give times, which are taken from Shanks --# & Pottenger (which disagree about the dates). --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S --Rule Hungary 1918 only - Apr 1 3:00 1:00 S --Rule Hungary 1918 only - Sep 16 3:00 0 - --Rule Hungary 1919 only - Apr 15 3:00 1:00 S --Rule Hungary 1919 only - Nov 24 3:00 0 - -+ -+# From Michael Deckers (2020-06-09): -+# an Austrian encyclopedia of railroads of 1913, online at -+# http://www.zeno.org/Roell-1912/A/Eisenbahnzeit -+# says that the switch [to CET] happened on 1890-11-01. -+ -+# From Géza Nyáry (2020-06-07): -+# Data for 1918-1983 are based on the archive database of Library Hungaricana. -+# The dates are collected from original, scanned governmental orders, -+# bulletins, instructions and public press. -+# [See URLs below.] -+ -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S -+# https://library.hungaricana.hu/hu/view/OGYK_RT_1918/?pg=238 -+# https://library.hungaricana.hu/hu/view/OGYK_RT_1919/?pg=808 -+# https://library.hungaricana.hu/hu/view/OGYK_RT_1920/?pg=201 -+Rule Hungary 1918 1919 - Apr 15 2:00 1:00 S -+Rule Hungary 1918 1920 - Sep Mon>=15 3:00 0 - -+Rule Hungary 1920 only - Apr 5 2:00 1:00 S -+# https://library.hungaricana.hu/hu/view/OGYK_RT_1945/?pg=882 - Rule Hungary 1945 only - May 1 23:00 1:00 S --Rule Hungary 1945 only - Nov 1 0:00 0 - -+Rule Hungary 1945 only - Nov 1 1:00 0 - -+# https://library.hungaricana.hu/hu/view/Delmagyarorszag_1946_03/?pg=49 - Rule Hungary 1946 only - Mar 31 2:00s 1:00 S --Rule Hungary 1946 1949 - Oct Sun>=1 2:00s 0 - -+# https://library.hungaricana.hu/hu/view/Delmagyarorszag_1946_09/?pg=54 -+Rule Hungary 1946 only - Oct 7 2:00 0 - -+# https://library.hungaricana.hu/hu/view/KulfBelfHirek_1947_04_1__001-123/?pg=90 -+# https://library.hungaricana.hu/hu/view/DunantuliNaplo_1947_09/?pg=128 -+# https://library.hungaricana.hu/hu/view/KulfBelfHirek_1948_03_3__001-123/?pg=304 -+# https://library.hungaricana.hu/hu/view/Zala_1948_09/?pg=64 -+# https://library.hungaricana.hu/hu/view/SatoraljaujhelyiLeveltar_ZempleniNepujsag_1948/?pg=53 -+# https://library.hungaricana.hu/hu/view/SatoraljaujhelyiLeveltar_ZempleniNepujsag_1948/?pg=160 -+# https://library.hungaricana.hu/hu/view/Delmagyarorszag_1949_09/?pg=94 - Rule Hungary 1947 1949 - Apr Sun>=4 2:00s 1:00 S --Rule Hungary 1950 only - Apr 17 2:00s 1:00 S --Rule Hungary 1950 only - Oct 23 2:00s 0 - --Rule Hungary 1954 1955 - May 23 0:00 1:00 S --Rule Hungary 1954 1955 - Oct 3 0:00 0 - --Rule Hungary 1956 only - Jun Sun>=1 0:00 1:00 S --Rule Hungary 1956 only - Sep lastSun 0:00 0 - --Rule Hungary 1957 only - Jun Sun>=1 1:00 1:00 S --Rule Hungary 1957 only - Sep lastSun 3:00 0 - --Rule Hungary 1980 only - Apr 6 1:00 1:00 S -+Rule Hungary 1947 1949 - Oct Sun>=1 2:00s 0 - -+# https://library.hungaricana.hu/hu/view/DTT_KOZL_TanacsokKozlonye_1954/?pg=513 -+Rule Hungary 1954 only - May 23 0:00 1:00 S -+Rule Hungary 1954 only - Oct 3 0:00 0 - -+# https://library.hungaricana.hu/hu/view/DTT_KOZL_TanacsokKozlonye_1955/?pg=398 -+Rule Hungary 1955 only - May 22 2:00 1:00 S -+Rule Hungary 1955 only - Oct 2 3:00 0 - -+# https://library.hungaricana.hu/hu/view/HevesMegyeiNepujsag_1956_06/?pg=0 -+# https://library.hungaricana.hu/hu/view/EszakMagyarorszag_1956_06/?pg=6 -+# https://library.hungaricana.hu/hu/view/SzolnokMegyeiNeplap_1957_04/?pg=120 -+# https://library.hungaricana.hu/hu/view/PestMegyeiHirlap_1957_09/?pg=143 -+Rule Hungary 1956 1957 - Jun Sun>=1 2:00 1:00 S -+Rule Hungary 1956 1957 - Sep lastSun 3:00 0 - -+# https://library.hungaricana.hu/hu/view/DTT_KOZL_TanacsokKozlonye_1980/?pg=1227 -+Rule Hungary 1980 only - Apr 6 0:00 1:00 S -+Rule Hungary 1980 only - Sep 28 1:00 0 - -+# https://library.hungaricana.hu/hu/view/Delmagyarorszag_1981_01/?pg=79 -+# https://library.hungaricana.hu/hu/view/DTT_KOZL_TanacsokKozlonye_1982/?pg=115 -+# https://library.hungaricana.hu/hu/view/DTT_KOZL_TanacsokKozlonye_1983/?pg=85 -+Rule Hungary 1981 1983 - Mar lastSun 0:00 1:00 S -+Rule Hungary 1981 1983 - Sep lastSun 1:00 0 - -+# - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone Europe/Budapest 1:16:20 - LMT 1890 Oct -+Zone Europe/Budapest 1:16:20 - LMT 1890 Nov 1 - 1:00 C-Eur CE%sT 1918 -- 1:00 Hungary CE%sT 1941 Apr 8 -+# https://library.hungaricana.hu/hu/view/OGYK_RT_1941/?pg=1204 -+ 1:00 Hungary CE%sT 1941 Apr 7 23:00 - 1:00 C-Eur CE%sT 1945 -- 1:00 Hungary CE%sT 1980 Sep 28 2:00s -+ 1:00 Hungary CE%sT 1984 - 1:00 EU CE%sT - - # Iceland -@@ -1601,7 +1678,7 @@ - # The information below is taken from the 1988 Almanak; see - # http://www.almanak.hi.is/klukkan.html - # --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Iceland 1917 1919 - Feb 19 23:00 1:00 - - Rule Iceland 1917 only - Oct 21 1:00 0 - - Rule Iceland 1918 1919 - Nov 16 1:00 0 - -@@ -1693,7 +1770,7 @@ - # to 1944-06-04; although Rome was an open city during this period, it - # was effectively controlled by Germany. - # --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Italy 1916 only - Jun 3 24:00 1:00 S - Rule Italy 1916 1917 - Sep 30 24:00 0 - - Rule Italy 1917 only - Mar 31 24:00 1:00 S -@@ -1803,7 +1880,7 @@ - # urged Lithuania and Estonia to adopt a similar time policy, but it - # appears that they will not do so.... - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Latvia 1989 1996 - Mar lastSun 2:00s 1:00 S - Rule Latvia 1989 1996 - Sep lastSun 2:00s 0 - - -@@ -1896,7 +1973,7 @@ - # Luxembourg - # Whitman disagrees with most of these dates in minor ways; - # go with Shanks & Pottenger. --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Lux 1916 only - May 14 23:00 1:00 S - Rule Lux 1916 only - Oct 1 1:00 0 - - Rule Lux 1917 only - Apr 28 23:00 1:00 S -@@ -1937,7 +2014,7 @@ - # From Paul Eggert (2016-10-21): - # Assume 1900-1972 was like Rome, overriding Shanks. - # --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Malta 1973 only - Mar 31 0:00s 1:00 S - Rule Malta 1973 only - Sep 29 0:00s 0 - - Rule Malta 1974 only - Apr 21 0:00s 1:00 S -@@ -2010,7 +2087,7 @@ - # says the 2014-03-30 spring-forward transition was at 02:00 local time. - # Guess that since 1997 Moldova has switched one hour before the EU. - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Moldova 1997 max - Mar lastSun 2:00 1:00 S - Rule Moldova 1997 max - Oct lastSun 3:00 0 - - -@@ -2028,11 +2105,24 @@ - 2:00 Moldova EE%sT - - # Monaco --# Shanks & Pottenger give 0:09:20 for Paris Mean Time; go with Howse's --# more precise 0:09:21. -+# -+# From Michael Deckers (2020-06-12): -+# In the "Journal de Monaco" of 1892-05-24, online at -+# https://journaldemonaco.gouv.mc/var/jdm/storage/original/application/b1c67c12c5af11b41ea888fb048e4fe8.pdf -+# we read: ... -+# [In virtue of a Sovereign Ordinance of the May 13 of the current [year], -+# legal time in the Principality will be set to, from the date of June 1, -+# 1892 onwards, to the meridian of Paris, as in France.] -+# In the "Journal de Monaco" of 1911-03-28, online at -+# https://journaldemonaco.gouv.mc/var/jdm/storage/original/application/de74ffb7db53d4f599059fe8f0ed482a.pdf -+# we read an ordinance of 1911-03-16: ... -+# [Legal time in the Principality will be set, from the date of promulgation -+# of the present ordinance, to legal time in France.... Consequently, legal -+# time will be retarded by 9 minutes and 21 seconds.] -+# - # Zone NAME STDOFF RULES FORMAT [UNTIL] --Zone Europe/Monaco 0:29:32 - LMT 1891 Mar 15 -- 0:09:21 - PMT 1911 Mar 11 # Paris Mean Time -+Zone Europe/Monaco 0:29:32 - LMT 1892 Jun 1 -+ 0:09:21 - PMT 1911 Mar 29 # Paris Mean Time - 0:00 France WE%sT 1945 Sep 16 3:00 - 1:00 France CE%sT 1977 - 1:00 EU CE%sT -@@ -2080,7 +2170,7 @@ - # The data entries before 1945 are taken from - # https://www.staff.science.uu.nl/~gent0113/wettijd/wettijd.htm - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Neth 1916 only - May 1 0:00 1:00 NST # Netherlands Summer Time - Rule Neth 1916 only - Oct 1 0:00 0 AMT # Amsterdam Mean Time - Rule Neth 1917 only - Apr 16 2:00s 1:00 NST -@@ -2117,7 +2207,7 @@ - # Norway - # http://met.no/met/met_lex/q_u/sommertid.html (2004-01) agrees with Shanks & - # Pottenger. --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Norway 1916 only - May 22 1:00 1:00 S - Rule Norway 1916 only - Sep 30 0:00 0 - - Rule Norway 1945 only - Apr 2 2:00s 1:00 S -@@ -2186,7 +2276,7 @@ - # The 1919 dates and times can be found in Tygodnik Urzędowy nr 1 (1919-03-20), - # pp 1-2. - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Poland 1918 1919 - Sep 16 2:00s 0 - - Rule Poland 1919 only - Apr 15 2:00s 1:00 S - Rule Poland 1944 only - Apr 3 2:00s 1:00 S -@@ -2257,7 +2347,7 @@ - # Guess that the Azores changed to EU rules in 1992 (since that's when Portugal - # harmonized with EU rules), and that they stayed +0:00 that winter. - # --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - # DSH writes that despite Decree 1,469 (1915), the change to the clocks was not - # done every year, depending on what Spain did, because of railroad schedules. - # Go with Shanks & Pottenger. -@@ -2370,7 +2460,7 @@ - # assume that Romania and Moldova switched to EU rules in 1997, - # the same year as Bulgaria. - # --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Romania 1932 only - May 21 0:00s 1:00 S - Rule Romania 1932 1939 - Oct Sun>=1 0:00s 0 - - Rule Romania 1933 1939 - Apr Sun>=2 0:00s 1:00 S -@@ -3468,14 +3558,14 @@ - # fallback transition from the next day's 00:59... to 00:00. - - # From Michael Deckers (2016-12-15): --# The Royal Decree of 1900-06-26 quoted by Planesas, online at -+# The Royal Decree of 1900-07-26 quoted by Planesas, online at - # https://www.boe.es/datos/pdfs/BOE//1900/209/A00383-00384.pdf - # says in its article 5 (my translation): - # These dispositions will enter into force beginning with the - # instant at which, according to the time indicated in article 1, - # the 1st day of January of 1901 will begin. - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Spain 1918 only - Apr 15 23:00 1:00 S - Rule Spain 1918 1919 - Oct 6 24:00s 0 - - Rule Spain 1919 only - Apr 6 23:00 1:00 S -@@ -3612,7 +3702,7 @@ - # By the end of the 18th century clocks and watches became commonplace - # and their performance improved enormously. Communities began to keep - # mean time in preference to apparent time - Geneva from 1780 .... --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - # From Whitman (who writes "Midnight?"): - # Rule Swiss 1940 only - Nov 2 0:00 1:00 S - # Rule Swiss 1940 only - Dec 31 0:00 0 - -@@ -3699,7 +3789,7 @@ - # 1853-07-16, though it probably occurred at some other date in Zurich, and - # legal civil time probably changed at still some other transition date. - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Swiss 1941 1942 - May Mon>=1 1:00 1:00 S - Rule Swiss 1941 1942 - Oct Mon>=1 2:00 0 - - # Zone NAME STDOFF RULES FORMAT [UNTIL] -@@ -3848,7 +3938,7 @@ - # Although Google Translate misfires on that source, it looks like - # Turkey reversed last month's decision, and so will stay at +03. - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Turkey 1916 only - May 1 0:00 1:00 S - Rule Turkey 1916 only - Oct 1 0:00 0 - - Rule Turkey 1920 only - Mar 28 0:00 1:00 S -@@ -4006,7 +4096,7 @@ - 2:00 1:00 EEST 1991 Sep 29 3:00 - 2:00 E-Eur EE%sT 1995 - 2:00 EU EE%sT --# Ruthenia used CET 1990/1991. -+# Transcarpathia used CET 1990/1991. - # "Uzhhorod" is the transliteration of the Rusyn/Ukrainian pronunciation, but - # "Uzhgorod" is more common in English. - Zone Europe/Uzhgorod 1:29:12 - LMT 1890 Oct -diff --git a/make/data/tzdata/leapseconds b/make/data/tzdata/leapseconds ---- a/make/data/tzdata/leapseconds -+++ b/make/data/tzdata/leapseconds -@@ -91,11 +91,11 @@ - # Any additional leap seconds will come after this. - # This Expires line is commented out for now, - # so that pre-2020a zic implementations do not reject this file. --#Expires 2020 Dec 28 00:00:00 -+#Expires 2021 Jun 28 00:00:00 - - # POSIX timestamps for the data in this file: - #updated 1467936000 (2016-07-08 00:00:00 UTC) --#expires 1609113600 (2020-12-28 00:00:00 UTC) -+#expires 1624838400 (2021-06-28 00:00:00 UTC) - --# Updated through IERS Bulletin C59 --# File expires on: 28 December 2020 -+# Updated through IERS Bulletin C60 -+# File expires on: 28 June 2021 -diff --git a/make/data/tzdata/northamerica b/make/data/tzdata/northamerica ---- a/make/data/tzdata/northamerica -+++ b/make/data/tzdata/northamerica -@@ -193,7 +193,7 @@ - # U.S. government action. So even though the "US" rules have changed - # in the latest release, other countries won't be affected. - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule US 1918 1919 - Mar lastSun 2:00 1:00 D - Rule US 1918 1919 - Oct lastSun 2:00 0 S - Rule US 1942 only - Feb 9 2:00 1:00 W # War -@@ -370,7 +370,7 @@ - # Eastern time (i.e., -4:56:01.6) just before the 1883 switch. Round to the - # nearest second. - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER -+# Rule NAME FROM TO - IN ON AT SAVE LETTER - Rule NYC 1920 only - Mar lastSun 2:00 1:00 D - Rule NYC 1920 only - Oct lastSun 2:00 0 S - Rule NYC 1921 1966 - Apr lastSun 2:00 1:00 D -@@ -454,7 +454,7 @@ - # The Tennessean 2007-05-11, republished 2015-04-06. - # https://www.tennessean.com/story/insider/extras/2015/04/06/archives-seigenthaler-for-100-years-the-tennessean-had-it-covered/25348545/ - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER -+# Rule NAME FROM TO - IN ON AT SAVE LETTER - Rule Chicago 1920 only - Jun 13 2:00 1:00 D - Rule Chicago 1920 1921 - Oct lastSun 2:00 0 S - Rule Chicago 1921 only - Mar lastSun 2:00 1:00 D -@@ -523,7 +523,7 @@ - # El Paso Times. 2018-10-24 06:40 -06. - # https://www.elpasotimes.com/story/news/local/el-paso/2018/10/24/el-pasoans-were-time-rebels-fought-stay-mountain-zone/1744509002/ - # --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER -+# Rule NAME FROM TO - IN ON AT SAVE LETTER - Rule Denver 1920 1921 - Mar lastSun 2:00 1:00 D - Rule Denver 1920 only - Oct lastSun 2:00 0 S - Rule Denver 1921 only - May 22 2:00 0 S -@@ -576,7 +576,7 @@ - # https://repository.uchastings.edu/cgi/viewcontent.cgi?article=1501&context=ca_ballot_props - # https://repository.uchastings.edu/cgi/viewcontent.cgi?article=1636&context=ca_ballot_props - # --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER -+# Rule NAME FROM TO - IN ON AT SAVE LETTER - Rule CA 1948 only - Mar 14 2:01 1:00 D - Rule CA 1949 only - Jan 1 2:00 0 S - Rule CA 1950 1966 - Apr lastSun 1:00 1:00 D -@@ -934,7 +934,7 @@ - # going to switch from Central to Eastern Time on March 11, 2007.... - # http://www.indystar.com/apps/pbcs.dll/article?AID=/20070207/LOCAL190108/702070524/0/LOCAL - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER -+# Rule NAME FROM TO - IN ON AT SAVE LETTER - Rule Indianapolis 1941 only - Jun 22 2:00 1:00 D - Rule Indianapolis 1941 1954 - Sep lastSun 2:00 0 S - Rule Indianapolis 1946 1954 - Apr lastSun 2:00 1:00 D -@@ -953,7 +953,7 @@ - # - # Eastern Crawford County, Indiana, left its clocks alone in 1974, - # as well as from 1976 through 2005. --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER -+# Rule NAME FROM TO - IN ON AT SAVE LETTER - Rule Marengo 1951 only - Apr lastSun 2:00 1:00 D - Rule Marengo 1951 only - Sep lastSun 2:00 0 S - Rule Marengo 1954 1960 - Apr lastSun 2:00 1:00 D -@@ -972,7 +972,7 @@ - # Daviess, Dubois, Knox, and Martin Counties, Indiana, - # switched from eastern to central time in April 2006, then switched back - # in November 2007. --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER -+# Rule NAME FROM TO - IN ON AT SAVE LETTER - Rule Vincennes 1946 only - Apr lastSun 2:00 1:00 D - Rule Vincennes 1946 only - Sep lastSun 2:00 0 S - Rule Vincennes 1953 1954 - Apr lastSun 2:00 1:00 D -@@ -997,7 +997,7 @@ - # The Indianapolis News, Friday 27 October 1967 states that Perry County - # returned to CST. It went again to EST on 27 April 1969, as documented by the - # Indianapolis star of Saturday 26 April. --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER -+# Rule NAME FROM TO - IN ON AT SAVE LETTER - Rule Perry 1955 only - May 1 0:00 1:00 D - Rule Perry 1955 1960 - Sep lastSun 2:00 0 S - Rule Perry 1956 1963 - Apr lastSun 2:00 1:00 D -@@ -1014,7 +1014,7 @@ - # - # Pike County, Indiana moved from central to eastern time in 1977, - # then switched back in 2006, then switched back again in 2007. --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER -+# Rule NAME FROM TO - IN ON AT SAVE LETTER - Rule Pike 1955 only - May 1 0:00 1:00 D - Rule Pike 1955 1960 - Sep lastSun 2:00 0 S - Rule Pike 1956 1964 - Apr lastSun 2:00 1:00 D -@@ -1035,7 +1035,7 @@ - # An article on page A3 of the Sunday, 1991-10-27 Washington Post - # notes that Starke County switched from Central time to Eastern time as of - # 1991-10-27. --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER -+# Rule NAME FROM TO - IN ON AT SAVE LETTER - Rule Starke 1947 1961 - Apr lastSun 2:00 1:00 D - Rule Starke 1947 1954 - Sep lastSun 2:00 0 S - Rule Starke 1955 1956 - Oct lastSun 2:00 0 S -@@ -1052,7 +1052,7 @@ - # - # Pulaski County, Indiana, switched from eastern to central time in - # April 2006 and then switched back in March 2007. --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER -+# Rule NAME FROM TO - IN ON AT SAVE LETTER - Rule Pulaski 1946 1960 - Apr lastSun 2:00 1:00 D - Rule Pulaski 1946 1954 - Sep lastSun 2:00 0 S - Rule Pulaski 1955 1956 - Oct lastSun 2:00 0 S -@@ -1094,7 +1094,7 @@ - # - # Part of Kentucky left its clocks alone in 1974. - # This also includes Clark, Floyd, and Harrison counties in Indiana. --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER -+# Rule NAME FROM TO - IN ON AT SAVE LETTER - Rule Louisville 1921 only - May 1 2:00 1:00 D - Rule Louisville 1921 only - Sep 1 2:00 0 S - Rule Louisville 1941 only - Apr lastSun 2:00 1:00 D -@@ -1208,7 +1208,7 @@ - # election Michigan voters narrowly repealed DST, effective 1969. - # - # Most of Michigan observed DST from 1973 on, but was a bit late in 1975. --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER -+# Rule NAME FROM TO - IN ON AT SAVE LETTER - Rule Detroit 1948 only - Apr lastSun 2:00 1:00 D - Rule Detroit 1948 only - Sep lastSun 2:00 0 S - # Zone NAME STDOFF RULES FORMAT [UNTIL] -@@ -1225,7 +1225,7 @@ - # - # Dickinson, Gogebic, Iron, and Menominee Counties, Michigan, - # switched from EST to CST/CDT in 1973. --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER -+# Rule NAME FROM TO - IN ON AT SAVE LETTER - Rule Menominee 1946 only - Apr lastSun 2:00 1:00 D - Rule Menominee 1946 only - Sep lastSun 2:00 0 S - Rule Menominee 1966 only - Apr lastSun 2:00 1:00 D -@@ -1395,7 +1395,7 @@ - # Oct 31, to Oct 27, 1918 (and Sunday is a more likely transition day - # than Thursday) in all Canadian rulesets. - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Canada 1918 only - Apr 14 2:00 1:00 D - Rule Canada 1918 only - Oct 27 2:00 0 S - Rule Canada 1942 only - Feb 9 2:00 1:00 W # War -@@ -1418,7 +1418,7 @@ - # that follows the rules is the southeast corner, including Port Hope - # Simpson and Mary's Harbour, but excluding, say, Black Tickle. - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule StJohns 1917 only - Apr 8 2:00 1:00 D - Rule StJohns 1917 only - Sep 17 2:00 0 S - # Whitman gives 1919 Apr 5 and 1920 Apr 5; go with Shanks & Pottenger. -@@ -1520,7 +1520,7 @@ - # bill say that it is "accommodating the customs and practices" of those - # regions, which suggests that they have always been in-line with Halifax. - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Halifax 1916 only - Apr 1 0:00 1:00 D - Rule Halifax 1916 only - Oct 1 0:00 0 S - Rule Halifax 1920 only - May 9 0:00 1:00 D -@@ -1586,7 +1586,7 @@ - # clear that this was the case since at least 1993. - # For now, assume it started in 1993. - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Moncton 1933 1935 - Jun Sun>=8 1:00 1:00 D - Rule Moncton 1933 1935 - Sep Sun>=8 1:00 0 S - Rule Moncton 1936 1938 - Jun Sun>=1 1:00 1:00 D -@@ -1795,7 +1795,7 @@ - # With some exceptions, the use of daylight saving may be said to be limited - # to those cities and towns lying between Quebec city and Windsor, Ont. - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Toronto 1919 only - Mar 30 23:30 1:00 D - Rule Toronto 1919 only - Oct 26 0:00 0 S - Rule Toronto 1920 only - May 2 2:00 1:00 D -@@ -1893,7 +1893,7 @@ - # starting 1966. Since 02:00s is clearly correct for 1967 on, assume - # it was also 02:00s in 1966. - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Winn 1916 only - Apr 23 0:00 1:00 D - Rule Winn 1916 only - Sep 17 0:00 0 S - Rule Winn 1918 only - Apr 14 2:00 1:00 D -@@ -1984,7 +1984,7 @@ - # long and rather painful to read. - # http://www.qp.gov.sk.ca/documents/English/Statutes/Statutes/T14.pdf - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Regina 1918 only - Apr 14 2:00 1:00 D - Rule Regina 1918 only - Oct 27 2:00 0 S - Rule Regina 1930 1934 - May Sun>=1 0:00 1:00 D -@@ -2034,7 +2034,7 @@ - # Boyer JP. Forcing Choice: The Risky Reward of Referendums. Dundum. 2017. - # ISBN 978-1459739123. - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Edm 1918 1919 - Apr Sun>=8 2:00 1:00 D - Rule Edm 1918 only - Oct 27 2:00 0 S - Rule Edm 1919 only - May 27 2:00 0 S -@@ -2143,7 +2143,7 @@ - # https://searcharchives.vancouver.ca/daylight-saving-1918-starts-again-july-7-1941-start-d-s-sept-27-end-of-d-s-1941 - # We have no further details, so omit them for now. - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Vanc 1918 only - Apr 14 2:00 1:00 D - Rule Vanc 1918 only - Oct 27 2:00 0 S - Rule Vanc 1942 only - Feb 9 2:00 1:00 W # War -@@ -2472,7 +2472,19 @@ - # consistency with nearby Dawson Creek, Creston, and Fort Nelson. - # https://yukon.ca/en/news/yukon-end-seasonal-time-change - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# From Andrew G. Smith (2020-09-24): -+# Yukon has completed its regulatory change to be on UTC -7 year-round.... -+# http://www.gov.yk.ca/legislation/regs/oic2020_125.pdf -+# What we have done is re-defined Yukon Standard Time, as we are -+# authorized to do under section 33 of our Interpretation Act: -+# http://www.gov.yk.ca/legislation/acts/interpretation_c.pdf -+# -+# From Paul Eggert (2020-09-24): -+# tzdb uses the obsolete YST abbreviation for standard time in Yukon through -+# about 1970, and uses PST for standard time in Yukon since then. Consistent -+# with that, use MST for -07, the new standard time in Yukon effective Nov. 1. -+ -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule NT_YK 1918 only - Apr 14 2:00 1:00 D - Rule NT_YK 1918 only - Oct 27 2:00 0 S - Rule NT_YK 1919 only - May 25 2:00 1:00 D -@@ -2526,12 +2538,12 @@ - Zone America/Whitehorse -9:00:12 - LMT 1900 Aug 20 - -9:00 NT_YK Y%sT 1967 May 28 0:00 - -8:00 NT_YK P%sT 1980 -- -8:00 Canada P%sT 2020 Mar 8 2:00 -+ -8:00 Canada P%sT 2020 Nov 1 - -7:00 - MST - Zone America/Dawson -9:17:40 - LMT 1900 Aug 20 - -9:00 NT_YK Y%sT 1973 Oct 28 0:00 - -8:00 NT_YK P%sT 1980 -- -8:00 Canada P%sT 2020 Mar 8 2:00 -+ -8:00 Canada P%sT 2020 Nov 1 - -7:00 - MST - - -@@ -2746,7 +2758,7 @@ - # 5- The islands, reefs and keys shall take their timezone from the - # longitude they are located at. - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Mexico 1939 only - Feb 5 0:00 1:00 D - Rule Mexico 1939 only - Jun 25 0:00 0 S - Rule Mexico 1940 only - Dec 9 0:00 1:00 D -@@ -2951,7 +2963,7 @@ - # rules to sync with the U.S. starting in 2007.... - # http://www.jonesbahamas.com/?c=45&a=10412 - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Bahamas 1964 1975 - Oct lastSun 2:00 0 S - Rule Bahamas 1964 1975 - Apr lastSun 2:00 1:00 D - # Zone NAME STDOFF RULES FORMAT [UNTIL] -@@ -2963,7 +2975,7 @@ - - # For 1899 Milne gives -3:58:29.2; round that. - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Barb 1977 only - Jun 12 2:00 1:00 D - Rule Barb 1977 1978 - Oct Sun>=1 2:00 0 S - Rule Barb 1978 1980 - Apr Sun>=15 2:00 1:00 D -@@ -2976,7 +2988,7 @@ - - # Belize - # Whitman entirely disagrees with Shanks; go with Shanks & Pottenger. --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Belize 1918 1942 - Oct Sun>=2 0:00 0:30 -0530 - Rule Belize 1919 1943 - Feb Sun>=9 0:00 0 CST - Rule Belize 1973 only - Dec 5 0:00 1:00 CDT -@@ -3013,7 +3025,7 @@ - - # Milne gives -5:36:13.3 as San José mean time; round to nearest. - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule CR 1979 1980 - Feb lastSun 0:00 1:00 D - Rule CR 1979 1980 - Jun Sun>=1 0:00 0 S - Rule CR 1991 1992 - Jan Sat>=15 0:00 1:00 D -@@ -3187,7 +3199,7 @@ - # From Paul Eggert (2012-11-03): - # For now, assume the future rule is first Sunday in November. - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Cuba 1928 only - Jun 10 0:00 1:00 D - Rule Cuba 1928 only - Oct 10 0:00 0 S - Rule Cuba 1940 1942 - Jun Sun>=1 0:00 1:00 D -@@ -3256,7 +3268,7 @@ - # decided to revert. - - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule DR 1966 only - Oct 30 0:00 1:00 EDT - Rule DR 1967 only - Feb 28 0:00 0 EST - Rule DR 1969 1973 - Oct lastSun 0:00 0:30 -0430 -@@ -3273,7 +3285,7 @@ - - # El Salvador - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Salv 1987 1988 - May Sun>=1 0:00 1:00 D - Rule Salv 1987 1988 - Sep lastSun 0:00 0 S - # There are too many San Salvadors elsewhere, so use America/El_Salvador -@@ -3302,7 +3314,7 @@ - # (2006-04-19), says DST ends at 24:00. See - # http://www.sieca.org.gt/Sitio_publico/Energeticos/Doc/Medidas/Cambio_Horario_Nac_190406.pdf - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Guat 1973 only - Nov 25 0:00 1:00 D - Rule Guat 1974 only - Feb 24 0:00 0 S - Rule Guat 1983 only - May 21 0:00 1:00 D -@@ -3383,7 +3395,7 @@ - # I have not been able to find a more authoritative source: - # https://www.haitilibre.com/en/news-20319-haiti-notices-time-change-in-haiti.html - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Haiti 1983 only - May 8 0:00 1:00 D - Rule Haiti 1984 1987 - Apr lastSun 0:00 1:00 D - Rule Haiti 1983 1987 - Oct lastSun 0:00 0 S -@@ -3431,7 +3443,7 @@ - # http://www.laprensahn.com/pais_nota.php?id04962=7386 - # So it seems that Honduras will not enter DST this year.... - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Hond 1987 1988 - May Sun>=1 0:00 1:00 D - Rule Hond 1987 1988 - Sep lastSun 0:00 0 S - Rule Hond 2006 only - May Sun>=1 0:00 1:00 D -@@ -3522,7 +3534,7 @@ - # The natural sun time is restored in all the national territory, in that the - # time is returned one hour at 01:00 am of October 1 of 2006. - # --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Nic 1979 1980 - Mar Sun>=16 0:00 1:00 D - Rule Nic 1979 1980 - Jun Mon>=23 0:00 0 S - Rule Nic 2005 only - Apr 10 0:00 1:00 D -diff --git a/make/data/tzdata/pacificnew b/make/data/tzdata/pacificnew -deleted file mode 100644 ---- a/make/data/tzdata/pacificnew -+++ /dev/null -@@ -1,52 +0,0 @@ --# --# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. --# --# This code is free software; you can redistribute it and/or modify it --# under the terms of the GNU General Public License version 2 only, as --# published by the Free Software Foundation. Oracle designates this --# particular file as subject to the "Classpath" exception as provided --# by Oracle in the LICENSE file that accompanied this code. --# --# This code is distributed in the hope that it will be useful, but WITHOUT --# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or --# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License --# version 2 for more details (a copy is included in the LICENSE file that --# accompanied this code). --# --# You should have received a copy of the GNU General Public License version --# 2 along with this work; if not, write to the Free Software Foundation, --# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. --# --# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA --# or visit www.oracle.com if you need additional information or have any --# questions. --# --# tzdb data for proposed US election time (this file is obsolete) -- --# This file is in the public domain, so clarified as of --# 2009-05-17 by Arthur David Olson. -- --# From Arthur David Olson (1989-04-05): --# On 1989-04-05, the U. S. House of Representatives passed (238-154) a bill --# establishing "Pacific Presidential Election Time"; it was not acted on --# by the Senate or signed into law by the President. --# You might want to change the "PE" (Presidential Election) below to --# "Q" (Quadrennial) to maintain three-character zone abbreviations. --# If you're really conservative, you might want to change it to "D". --# Avoid "L" (Leap Year), which won't be true in 2100. -- --# If Presidential Election Time is ever established, replace "XXXX" below --# with the year the law takes effect and uncomment the "##" lines. -- --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S --## Rule Twilite XXXX max - Apr Sun>=1 2:00 1:00 D --## Rule Twilite XXXX max uspres Oct lastSun 2:00 1:00 PE --## Rule Twilite XXXX max uspres Nov Sun>=7 2:00 0 S --## Rule Twilite XXXX max nonpres Oct lastSun 2:00 0 S -- --# Zone NAME STDOFF RULES/SAVE FORMAT [UNTIL] --## Zone America/Los_Angeles-PET -8:00 US P%sT XXXX --## -8:00 Twilite P%sT -- --# For now... --Link America/Los_Angeles US/Pacific-New ## -diff --git a/make/data/tzdata/southamerica b/make/data/tzdata/southamerica ---- a/make/data/tzdata/southamerica -+++ b/make/data/tzdata/southamerica -@@ -71,7 +71,7 @@ - # I am sending modifications to the Argentine time zone table... - # AR was chosen because they are the ISO letters that represent Argentina. - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Arg 1930 only - Dec 1 0:00 1:00 - - Rule Arg 1931 only - Apr 1 0:00 0 - - Rule Arg 1931 only - Oct 15 0:00 1:00 - -@@ -792,7 +792,7 @@ - # From Paul Eggert (2013-10-17): - # For now, assume western Amazonas will change as well. - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - # Decree 20,466 (1931-10-01) - # Decree 21,896 (1932-01-10) - Rule Brazil 1931 only - Oct 3 11:00 1:00 - -@@ -1281,7 +1281,7 @@ - # For now, assume that they will not revert, - # since they have extended the expiration date once already. - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Chile 1927 1931 - Sep 1 0:00 1:00 - - Rule Chile 1928 1932 - Apr 1 0:00 0 - - Rule Chile 1968 only - Nov 3 4:00u 1:00 - -@@ -1381,7 +1381,7 @@ - # Milne gives 4:56:16.4 for Bogotá time in 1899; round to nearest. He writes, - # "A variation of fifteen minutes in the public clocks of Bogota is not rare." - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule CO 1992 only - May 3 0:00 1:00 - - Rule CO 1993 only - Apr 4 0:00 0 - - # Zone NAME STDOFF RULES FORMAT [UNTIL] -@@ -1441,7 +1441,7 @@ - # (Not one step back), the clocks went back in 1993 and the experiment was not - # repeated. For now, assume transitions were at 00:00 local time country-wide. - # --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Ecuador 1992 only - Nov 28 0:00 1:00 - - Rule Ecuador 1993 only - Feb 5 0:00 0 - - # -@@ -1535,7 +1535,7 @@ - # For now we will assume permanent -03 for the Falklands - # until advised differently (to apply for 2012 and beyond, after the 2011 - # experiment was apparently successful.) --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Falk 1937 1938 - Sep lastSun 0:00 1:00 - - Rule Falk 1938 1942 - Mar Sun>=19 0:00 0 - - Rule Falk 1939 only - Oct 1 0:00 1:00 - -@@ -1581,7 +1581,7 @@ - # No time of the day is established for the adjustment, so people normally - # adjust their clocks at 0 hour of the given dates. - # --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Para 1975 1988 - Oct 1 0:00 1:00 - - Rule Para 1975 1978 - Mar 1 0:00 0 - - Rule Para 1979 1991 - Apr 1 0:00 0 - -@@ -1674,7 +1674,7 @@ - # From Paul Eggert (2006-03-22): - # Shanks & Pottenger don't have this transition. Assume 1986 was like 1987. - --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Peru 1938 only - Jan 1 0:00 1:00 - - Rule Peru 1938 only - Apr 1 0:00 0 - - Rule Peru 1938 1939 - Sep lastSun 0:00 1:00 - -@@ -1770,7 +1770,7 @@ - # https://www.impo.com.uy/diariooficial/1926/03/10/2 - # https://www.impo.com.uy/diariooficial/1926/03/18/2 - # --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S -+# Rule NAME FROM TO - IN ON AT SAVE LETTER/S - Rule Uruguay 1923 1925 - Oct 1 0:00 0:30 - - Rule Uruguay 1924 1926 - Apr 1 0:00 0 - - # From Tim Parenti (2018-02-15): -diff --git a/make/data/tzdata/systemv b/make/data/tzdata/systemv -deleted file mode 100644 ---- a/make/data/tzdata/systemv -+++ /dev/null -@@ -1,62 +0,0 @@ --# --# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. --# --# This code is free software; you can redistribute it and/or modify it --# under the terms of the GNU General Public License version 2 only, as --# published by the Free Software Foundation. Oracle designates this --# particular file as subject to the "Classpath" exception as provided --# by Oracle in the LICENSE file that accompanied this code. --# --# This code is distributed in the hope that it will be useful, but WITHOUT --# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or --# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License --# version 2 for more details (a copy is included in the LICENSE file that --# accompanied this code). --# --# You should have received a copy of the GNU General Public License version --# 2 along with this work; if not, write to the Free Software Foundation, --# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. --# --# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA --# or visit www.oracle.com if you need additional information or have any --# questions. --# --# tzdb data for System V rules (this file is obsolete) -- --# This file is in the public domain, so clarified as of --# 2009-05-17 by Arthur David Olson. -- --# Old rules, should the need arise. --# No attempt is made to handle Newfoundland, since it cannot be expressed --# using the System V "TZ" scheme (half-hour offset), or anything outside --# North America (no support for non-standard DST start/end dates), nor --# the changes in the DST rules in the US after 1976 (which occurred after --# the old rules were written). --# --# If you need the old rules, uncomment ## lines. --# Compile this *without* leap second correction for true conformance. -- --# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S --Rule SystemV min 1973 - Apr lastSun 2:00 1:00 D --Rule SystemV min 1973 - Oct lastSun 2:00 0 S --Rule SystemV 1974 only - Jan 6 2:00 1:00 D --Rule SystemV 1974 only - Nov lastSun 2:00 0 S --Rule SystemV 1975 only - Feb 23 2:00 1:00 D --Rule SystemV 1975 only - Oct lastSun 2:00 0 S --Rule SystemV 1976 max - Apr lastSun 2:00 1:00 D --Rule SystemV 1976 max - Oct lastSun 2:00 0 S -- --# Zone NAME STDOFF RULES/SAVE FORMAT [UNTIL] --## Zone SystemV/AST4ADT -4:00 SystemV A%sT --## Zone SystemV/EST5EDT -5:00 SystemV E%sT --## Zone SystemV/CST6CDT -6:00 SystemV C%sT --## Zone SystemV/MST7MDT -7:00 SystemV M%sT --## Zone SystemV/PST8PDT -8:00 SystemV P%sT --## Zone SystemV/YST9YDT -9:00 SystemV Y%sT --## Zone SystemV/AST4 -4:00 - AST --## Zone SystemV/EST5 -5:00 - EST --## Zone SystemV/CST6 -6:00 - CST --## Zone SystemV/MST7 -7:00 - MST --## Zone SystemV/PST8 -8:00 - PST --## Zone SystemV/YST9 -9:00 - YST --## Zone SystemV/HST10 -10:00 - HST -diff --git a/make/gendata/GendataTZDB.gmk b/make/gendata/GendataTZDB.gmk ---- a/make/gendata/GendataTZDB.gmk -+++ b/make/gendata/GendataTZDB.gmk -@@ -29,7 +29,7 @@ - # Time zone data file creation - # - TZDATA_DIR := $(TOPDIR)/make/data/tzdata --TZDATA_TZFILE := africa antarctica asia australasia europe northamerica pacificnew southamerica backward etcetera gmt jdk11_backward -+TZDATA_TZFILE := africa antarctica asia australasia europe northamerica southamerica backward etcetera gmt jdk11_backward - TZDATA_TZFILES := $(addprefix $(TZDATA_DIR)/,$(TZDATA_TZFILE)) - - GENDATA_TZDB_DAT := $(SUPPORT_OUTPUTDIR)/modules_libs/$(MODULE)/tzdb.dat -diff --git a/src/java.base/aix/conf/tzmappings b/src/java.base/aix/conf/tzmappings ---- a/src/java.base/aix/conf/tzmappings -+++ b/src/java.base/aix/conf/tzmappings -@@ -568,7 +568,6 @@ - US/Michigan America/New_York - US/Mountain America/Denver - US/Pacific America/Los_Angeles --US/Pacific-New America/Los_Angeles - US/Samoa Pacific/Pago_Pago - USAST-2 Africa/Johannesburg - USAST-2USADT Europe/Istanbul -diff --git a/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java b/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java ---- a/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java -+++ b/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java -@@ -1063,7 +1063,6 @@ - {"US/Michigan", EST}, - {"US/Mountain", MST}, - {"US/Pacific", PST}, -- {"US/Pacific-New", PST}, - {"US/Samoa", SAMOA}, - {"VST", ICT}, - {"W-SU", MSK}, -diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_de.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_de.java ---- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_de.java -+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_de.java -@@ -1035,7 +1035,6 @@ - {"US/Michigan", EST}, - {"US/Mountain", MST}, - {"US/Pacific", PST}, -- {"US/Pacific-New", PST}, - {"US/Samoa", SAMOA}, - {"VST", ICT}, - {"W-SU", MSK}, -diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_es.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_es.java ---- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_es.java -+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_es.java -@@ -1035,7 +1035,6 @@ - {"US/Michigan", EST}, - {"US/Mountain", MST}, - {"US/Pacific", PST}, -- {"US/Pacific-New", PST}, - {"US/Samoa", SAMOA}, - {"VST", ICT}, - {"W-SU", MSK}, -diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_fr.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_fr.java ---- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_fr.java -+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_fr.java -@@ -1035,7 +1035,6 @@ - {"US/Michigan", EST}, - {"US/Mountain", MST}, - {"US/Pacific", PST}, -- {"US/Pacific-New", PST}, - {"US/Samoa", SAMOA}, - {"VST", ICT}, - {"W-SU", MSK}, -diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_it.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_it.java ---- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_it.java -+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_it.java -@@ -1035,7 +1035,6 @@ - {"US/Michigan", EST}, - {"US/Mountain", MST}, - {"US/Pacific", PST}, -- {"US/Pacific-New", PST}, - {"US/Samoa", SAMOA}, - {"VST", ICT}, - {"W-SU", MSK}, -diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ja.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ja.java ---- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ja.java -+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ja.java -@@ -1035,7 +1035,6 @@ - {"US/Michigan", EST}, - {"US/Mountain", MST}, - {"US/Pacific", PST}, -- {"US/Pacific-New", PST}, - {"US/Samoa", SAMOA}, - {"VST", ICT}, - {"W-SU", MSK}, -diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ko.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ko.java ---- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ko.java -+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ko.java -@@ -1035,7 +1035,6 @@ - {"US/Michigan", EST}, - {"US/Mountain", MST}, - {"US/Pacific", PST}, -- {"US/Pacific-New", PST}, - {"US/Samoa", SAMOA}, - {"VST", ICT}, - {"W-SU", MSK}, -diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_pt_BR.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_pt_BR.java ---- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_pt_BR.java -+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_pt_BR.java -@@ -1035,7 +1035,6 @@ - {"US/Michigan", EST}, - {"US/Mountain", MST}, - {"US/Pacific", PST}, -- {"US/Pacific-New", PST}, - {"US/Samoa", SAMOA}, - {"VST", ICT}, - {"W-SU", MSK}, -diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_sv.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_sv.java ---- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_sv.java -+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_sv.java -@@ -1035,7 +1035,6 @@ - {"US/Michigan", EST}, - {"US/Mountain", MST}, - {"US/Pacific", PST}, -- {"US/Pacific-New", PST}, - {"US/Samoa", SAMOA}, - {"VST", ICT}, - {"W-SU", MSK}, -diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_CN.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_CN.java ---- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_CN.java -+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_CN.java -@@ -1035,7 +1035,6 @@ - {"US/Michigan", EST}, - {"US/Mountain", MST}, - {"US/Pacific", PST}, -- {"US/Pacific-New", PST}, - {"US/Samoa", SAMOA}, - {"VST", ICT}, - {"W-SU", MSK}, -diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_TW.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_TW.java ---- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_TW.java -+++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_TW.java -@@ -1037,7 +1037,6 @@ - {"US/Michigan", EST}, - {"US/Mountain", MST}, - {"US/Pacific", PST}, -- {"US/Pacific-New", PST}, - {"US/Samoa", SAMOA}, - {"VST", ICT}, - {"W-SU", MSK}, -diff --git a/test/jdk/java/time/test/java/time/format/ZoneName.java b/test/jdk/java/time/test/java/time/format/ZoneName.java ---- a/test/jdk/java/time/test/java/time/format/ZoneName.java -+++ b/test/jdk/java/time/test/java/time/format/ZoneName.java -@@ -589,7 +589,6 @@ - "US/Michigan", "America_Eastern", "America/New_York", - "US/Mountain", "America_Mountain", "America/Denver", - "US/Pacific", "America_Pacific", "America/Los_Angeles", -- "US/Pacific-New", "America_Pacific", "America/Los_Angeles", - "US/Samoa", "Samoa", "Pacific/Pago_Pago", - "W-SU", "Moscow", "Europe/Moscow", - -@@ -973,7 +972,6 @@ - "US/Michigan", "America/Detroit", - "US/Mountain", "America/Denver", - "US/Pacific", "America/Los_Angeles", -- "US/Pacific-New", "America/Los_Angeles", - "US/Samoa", "Pacific/Pago_Pago", - "UTC", "Etc/UTC", - "Universal", "Etc/UTC", -diff --git a/test/jdk/java/time/test/java/time/zone/TestZoneRules.java b/test/jdk/java/time/test/java/time/zone/TestZoneRules.java ---- a/test/jdk/java/time/test/java/time/zone/TestZoneRules.java -+++ b/test/jdk/java/time/test/java/time/zone/TestZoneRules.java -@@ -88,7 +88,7 @@ - {CASABLANCA, LocalDate.of(2019, 5, 6), ZoneOffset.ofHours(0), ZoneOffset.ofHours(0), false}, - {CASABLANCA, LocalDate.of(2037, 10, 5), ZoneOffset.ofHours(0), ZoneOffset.ofHours(0), false}, - {CASABLANCA, LocalDate.of(2037, 11, 16), ZoneOffset.ofHours(1), ZoneOffset.ofHours(0), true}, -- {CASABLANCA, LocalDate.of(2038, 11, 1), ZoneOffset.ofHours(1), ZoneOffset.ofHours(0), true}, -+ {CASABLANCA, LocalDate.of(2038, 11, 8), ZoneOffset.ofHours(1), ZoneOffset.ofHours(0), true}, - }; - } - -diff --git a/test/jdk/sun/util/calendar/zi/TestZoneInfo310.java b/test/jdk/sun/util/calendar/zi/TestZoneInfo310.java ---- a/test/jdk/sun/util/calendar/zi/TestZoneInfo310.java -+++ b/test/jdk/sun/util/calendar/zi/TestZoneInfo310.java -@@ -48,7 +48,7 @@ - String TESTDIR = System.getProperty("test.dir", "."); - Path tzdir = Paths.get(System.getProperty("test.root"), - "..", "..", "make", "data", "tzdata"); -- String tzfiles = "africa antarctica asia australasia europe northamerica pacificnew southamerica backward etcetera systemv gmt"; -+ String tzfiles = "africa antarctica asia australasia europe northamerica southamerica backward etcetera gmt"; - Path jdk_tzdir = Paths.get(System.getProperty("test.src"), "tzdata_jdk"); - String jdk_tzfiles = "jdk11_backward"; - String zidir = TESTDIR + File.separator + "zi"; -@@ -215,8 +215,9 @@ - - // test getAvailableIDs(raw); - zids_new = TimeZone.getAvailableIDs(-8 * 60 * 60 * 1000); -- //Arrays.sort(zids_new); -+ Arrays.sort(zids_new); - zids_old = ZoneInfoOld.getAvailableIDs(-8 * 60 * 60 * 1000); -+ Arrays.sort(zids_old); - if (!Arrays.equals(zids_new, zids_old)) { - System.out.println("------------------------"); - System.out.println("NEW.getAvailableIDs(-8:00)"); diff --git a/SOURCES/jdk8269668-rh1977671-aarch64_lib_path_fix.patch b/SOURCES/jdk8269668-rh1977671-aarch64_lib_path_fix.patch new file mode 100644 index 0000000..ddf686c --- /dev/null +++ b/SOURCES/jdk8269668-rh1977671-aarch64_lib_path_fix.patch @@ -0,0 +1,32 @@ +From ec03fdb752f2dc0833784a6877a4c232a8cdd9d2 Mon Sep 17 00:00:00 2001 +From: Severin Gehwolf +Date: Wed, 14 Jul 2021 12:06:39 +0200 +Subject: [PATCH] Backport e14801cdd9b108aa4ca47d0bc1dc67fca575764c + +--- + src/hotspot/os/linux/os_linux.cpp | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/src/hotspot/os/linux/os_linux.cpp b/src/hotspot/os/linux/os_linux.cpp +index e8baf704e3a..12b75b733b5 100644 +--- a/src/hotspot/os/linux/os_linux.cpp ++++ b/src/hotspot/os/linux/os_linux.cpp +@@ -413,8 +413,15 @@ void os::init_system_properties_values() { + // 7: The default directories, normally /lib and /usr/lib. + #if defined(AMD64) || (defined(_LP64) && defined(SPARC)) || defined(PPC64) || defined(S390) + #define DEFAULT_LIBPATH "/usr/lib64:/lib64:/lib:/usr/lib" ++#else ++#if defined(AARCH64) ++ // Use 32-bit locations first for AARCH64 (a 64-bit architecture), since some systems ++ // might not adhere to the FHS and it would be a change in behaviour if we used ++ // DEFAULT_LIBPATH of other 64-bit architectures which prefer the 64-bit paths. ++ #define DEFAULT_LIBPATH "/lib:/usr/lib:/usr/lib64:/lib64" + #else + #define DEFAULT_LIBPATH "/lib:/usr/lib" ++#endif // AARCH64 + #endif + + // Base path of extensions installed on the system. +-- +2.31.1 + diff --git a/SOURCES/remove-intree-libraries.sh b/SOURCES/remove-intree-libraries.sh index f3be341..d475909 100644 --- a/SOURCES/remove-intree-libraries.sh +++ b/SOURCES/remove-intree-libraries.sh @@ -1,24 +1,52 @@ #!/bin/sh +# Arguments: +TREE=${1} +TYPE=${2} + ZIP_SRC=src/java.base/share/native/libzip/zlib/ JPEG_SRC=src/java.desktop/share/native/libjavajpeg/ GIF_SRC=src/java.desktop/share/native/libsplashscreen/giflib/ PNG_SRC=src/java.desktop/share/native/libsplashscreen/libpng/ LCMS_SRC=src/java.desktop/share/native/liblcms/ -cd openjdk +if test "x${TREE}" = "x"; then + echo "$0 (MINIMAL|FULL)"; + exit 1; +fi + +if test "x${TYPE}" = "x"; then + TYPE=minimal; +fi + +if test "x${TYPE}" != "xminimal" -a "x${TYPE}" != "xfull"; then + echo "Type must be minimal or full"; + exit 2; +fi + +echo "Removing in-tree libraries from ${TREE}" +echo "Cleansing operation: ${TYPE}"; + +cd ${TREE} echo "Removing built-in libs (they will be linked)" +# On full runs, allow for zlib having already been deleted by minimal echo "Removing zlib" -if [ ! -d ${ZIP_SRC} ]; then +if [ "x${TYPE}" = "xminimal" -a ! -d ${ZIP_SRC} ]; then echo "${ZIP_SRC} does not exist. Refusing to proceed." exit 1 fi rm -rvf ${ZIP_SRC} +# Minimal is limited to just zlib so finish here +if test "x${TYPE}" = "xminimal"; then + echo "Finished."; + exit 0; +fi + echo "Removing libjpeg" -if [ ! -f ${JPEG_SRC}/jdhuff.c ]; then # some file that sound definitely exist +if [ ! -f ${JPEG_SRC}/jdhuff.c ]; then # some file that should definitely exist echo "${JPEG_SRC} does not contain jpeg sources. Refusing to proceed." exit 1 fi diff --git a/SOURCES/rh1750419-redhat_alt_java.patch b/SOURCES/rh1750419-redhat_alt_java.patch index eaac9f1..e6355f2 100644 --- a/SOURCES/rh1750419-redhat_alt_java.patch +++ b/SOURCES/rh1750419-redhat_alt_java.patch @@ -1,12 +1,13 @@ diff -r 1356affa5e44 make/launcher/Launcher-java.base.gmk --- openjdk/make/launcher/Launcher-java.base.gmk Wed Nov 25 08:27:15 2020 +0100 +++ openjdk/make/launcher/Launcher-java.base.gmk Tue Dec 01 12:29:30 2020 +0100 -@@ -41,6 +41,15 @@ +@@ -41,6 +41,16 @@ OPTIMIZATION := HIGH, \ )) ++#Wno-error=cpp is present to allow commented warning in ifdef part of main.c +$(eval $(call SetupBuildLauncher, alt-java, \ -+ CFLAGS := -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES -DREDHAT_ALT_JAVA, \ ++ CFLAGS := -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES -DREDHAT_ALT_JAVA -Wno-error=cpp, \ + LDFLAGS_solaris := -R$(OPENWIN_HOME)/lib$(OPENJDK_TARGET_CPU_ISADIR), \ + LIBS_windows := user32.lib comctl32.lib, \ + EXTRA_RC_FLAGS := $(JAVA_RC_FLAGS), \ @@ -98,12 +99,16 @@ diff -r 25e94aa812b2 src/share/bin/alt_main.h diff -r 25e94aa812b2 src/share/bin/main.c --- openjdk/src/java.base/share/native/launcher/main.c Wed Feb 05 12:20:36 2020 -0300 +++ openjdk/src/java.base/share/native/launcher/main.c Tue Jun 02 17:15:28 2020 +0100 -@@ -34,6 +34,10 @@ +@@ -34,6 +34,14 @@ #include "jli_util.h" #include "jni.h" -+#if defined(linux) && defined(__x86_64) ++#ifdef REDHAT_ALT_JAVA ++#if defined(__linux__) && defined(__x86_64__) +#include "alt_main.h" ++#else ++#warning alt-java requested but SSB mitigation not available on this platform. ++#endif +#endif + #ifdef _MSC_VER diff --git a/SOURCES/rh1842572-rsa_default_for_keytool.patch b/SOURCES/rh1842572-rsa_default_for_keytool.patch index db74cdc..9f1dabc 100644 --- a/SOURCES/rh1842572-rsa_default_for_keytool.patch +++ b/SOURCES/rh1842572-rsa_default_for_keytool.patch @@ -1,12 +1,12 @@ diff --git openjdk.orig/src/java.base/share/classes/sun/security/tools/keytool/Main.java openjdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java --- openjdk.orig/src/java.base/share/classes/sun/security/tools/keytool/Main.java +++ openjdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java -@@ -1122,7 +1122,7 @@ +@@ -1135,7 +1135,7 @@ } } else if (command == GENKEYPAIR) { if (keyAlgName == null) { - keyAlgName = "DSA"; + keyAlgName = "RSA"; } - doGenKeyPair(alias, dname, keyAlgName, keysize, sigAlgName); + doGenKeyPair(alias, dname, keyAlgName, keysize, groupName, sigAlgName); kssave = true; diff --git a/SOURCES/rh1868740-cryptoki_access_to_sunjce.patch b/SOURCES/rh1868740-cryptoki_access_to_sunjce.patch deleted file mode 100644 index d673434..0000000 --- a/SOURCES/rh1868740-cryptoki_access_to_sunjce.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -r eba0f976c468 -r 1fceafb49be5 src/java.base/share/classes/module-info.java ---- openjdk/src/java.base/share/classes/module-info.java Thu Jul 30 15:05:22 2020 +0200 -+++ openjdk/src/java.base/share/classes/module-info.java Thu Aug 13 15:17:59 2020 +0200 -@@ -132,6 +132,8 @@ - // additional qualified exports may be inserted at build time - // see make/gensrc/GenModuleInfo.gmk - -+ exports com.sun.crypto.provider to -+ jdk.crypto.cryptoki; - exports com.sun.security.ntlm to - java.security.sasl; - exports jdk.internal to diff --git a/SOURCES/rh1868754-pkcs11_cancel_on_failure.patch b/SOURCES/rh1868754-pkcs11_cancel_on_failure.patch deleted file mode 100644 index 1c47913..0000000 --- a/SOURCES/rh1868754-pkcs11_cancel_on_failure.patch +++ /dev/null @@ -1,21 +0,0 @@ -diff -r e10f558e1df5 openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java ---- openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java Mon Aug 31 16:12:32 2020 +0100 -+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java Mon Aug 31 15:17:50 2020 -0300 -@@ -628,7 +628,7 @@ - throw (ShortBufferException) - (new ShortBufferException().initCause(e)); - } -- reset(false); -+ reset(true); - throw new ProviderException("update() failed", e); - } - } -@@ -746,7 +746,7 @@ - throw (ShortBufferException) - (new ShortBufferException().initCause(e)); - } -- reset(false); -+ reset(true); - throw new ProviderException("update() failed", e); - } - } diff --git a/SOURCES/rh1883849-cryptoki_access_to_sunjce_with_security_manager.patch b/SOURCES/rh1883849-cryptoki_access_to_sunjce_with_security_manager.patch deleted file mode 100644 index 57bb977..0000000 --- a/SOURCES/rh1883849-cryptoki_access_to_sunjce_with_security_manager.patch +++ /dev/null @@ -1,60 +0,0 @@ -# HG changeset patch -# User Zdenek Zambersky -# Date 1601403587 -7200 -# Tue Sep 29 20:19:47 2020 +0200 -# Node ID f77ac813eee61b2e9616b2d71a2c5372d0cbd158 -# Parent d484fdfcc7d5c21812de8a0712236d077b0f2dde -Fixed default policy for jdk.crypto.cryptoki - -diff -r d484fdfcc7d5 -r f77ac813eee6 src/java.base/share/lib/security/default.policy ---- openjdk.orig/src/java.base/share/lib/security/default.policy Wed Sep 02 07:36:15 2020 +0200 -+++ openjdk/src/java.base/share/lib/security/default.policy Tue Sep 29 20:19:47 2020 +0200 -@@ -124,6 +124,8 @@ - grant codeBase "jrt:/jdk.crypto.cryptoki" { - permission java.lang.RuntimePermission - "accessClassInPackage.sun.security.*"; -+ permission java.lang.RuntimePermission -+ "accessClassInPackage.com.sun.crypto.provider"; - permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch"; - permission java.lang.RuntimePermission "loadLibrary.j2pkcs11"; - permission java.util.PropertyPermission "sun.security.pkcs11.allowSingleThreadedModules", "read"; -# HG changeset patch -# User Zdenek Zambersky -# Date 1601419086 -7200 -# Wed Sep 30 00:38:06 2020 +0200 -# Node ID 02c8b154f728be3dd06239a98519d654e2127186 -# Parent f77ac813eee61b2e9616b2d71a2c5372d0cbd158 -P11Util: Create provider in priviledged block - -diff -r f77ac813eee6 -r 02c8b154f728 src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java ---- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java Tue Sep 29 20:19:47 2020 +0200 -+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java Wed Sep 30 00:38:06 2020 +0200 -@@ -87,14 +87,20 @@ - } - p = Security.getProvider(providerName); - if (p == null) { -- try { -- @SuppressWarnings("deprecation") -- Object o = Class.forName(className).newInstance(); -- p = (Provider)o; -- } catch (Exception e) { -- throw new ProviderException -- ("Could not find provider " + providerName, e); -- } -+ p = AccessController.doPrivileged( -+ new PrivilegedAction() { -+ public Provider run() { -+ try { -+ @SuppressWarnings("deprecation") -+ Object o = Class.forName(className).newInstance(); -+ return (Provider) o; -+ } catch (Exception e) { -+ throw new ProviderException -+ ("Could not find provider " + providerName, e); -+ } -+ } -+ } -+ ); - } - return p; - } diff --git a/SOURCES/rh1915071-always_initialise_configurator_access.patch b/SOURCES/rh1915071-always_initialise_configurator_access.patch new file mode 100644 index 0000000..21ced06 --- /dev/null +++ b/SOURCES/rh1915071-always_initialise_configurator_access.patch @@ -0,0 +1,68 @@ +diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java +--- openjdk.orig/src/java.base/share/classes/java/security/Security.java ++++ openjdk/src/java.base/share/classes/java/security/Security.java +@@ -32,6 +32,7 @@ + + import jdk.internal.event.EventHelper; + import jdk.internal.event.SecurityPropertyModificationEvent; ++import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess; + import jdk.internal.misc.SharedSecrets; + import jdk.internal.util.StaticProperty; + import sun.security.util.Debug; +@@ -74,6 +75,15 @@ + } + + static { ++ // Initialise here as used by code with system properties disabled ++ SharedSecrets.setJavaSecuritySystemConfiguratorAccess( ++ new JavaSecuritySystemConfiguratorAccess() { ++ @Override ++ public boolean isSystemFipsEnabled() { ++ return SystemConfigurator.isSystemFipsEnabled(); ++ } ++ }); ++ + // doPrivileged here because there are multiple + // things in initialize that might require privs. + // (the FileInputStream call and the File.exists call, +@@ -193,9 +203,8 @@ + } + + String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile"); +- if (disableSystemProps == null && +- "true".equalsIgnoreCase(props.getProperty +- ("security.useSystemPropertiesFile"))) { ++ if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) && ++ "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) { + if (SystemConfigurator.configure(props)) { + loadedProps = true; + } +diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java +--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java ++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java +@@ -38,8 +38,6 @@ + import java.util.Properties; + import java.util.regex.Pattern; + +-import jdk.internal.misc.SharedSecrets; +-import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess; + import sun.security.util.Debug; + + /** +@@ -65,16 +63,6 @@ + + private static boolean systemFipsEnabled = false; + +- static { +- SharedSecrets.setJavaSecuritySystemConfiguratorAccess( +- new JavaSecuritySystemConfiguratorAccess() { +- @Override +- public boolean isSystemFipsEnabled() { +- return SystemConfigurator.isSystemFipsEnabled(); +- } +- }); +- } +- + /* + * Invoked when java.security.Security class is initialized, if + * java.security.disableSystemPropertiesFile property is not set and diff --git a/SOURCES/rh1929465-improve_system_FIPS_detection.patch b/SOURCES/rh1929465-improve_system_FIPS_detection.patch new file mode 100644 index 0000000..2cdf6f7 --- /dev/null +++ b/SOURCES/rh1929465-improve_system_FIPS_detection.patch @@ -0,0 +1,430 @@ +diff --git openjdk.orig/make/autoconf/libraries.m4 openjdk/make/autoconf/libraries.m4 +--- openjdk.orig/make/autoconf/libraries.m4 ++++ openjdk/make/autoconf/libraries.m4 +@@ -101,6 +101,7 @@ + LIB_SETUP_LIBFFI + LIB_SETUP_BUNDLED_LIBS + LIB_SETUP_MISC_LIBS ++ LIB_SETUP_SYSCONF_LIBS + LIB_SETUP_SOLARIS_STLPORT + LIB_TESTS_SETUP_GRAALUNIT + +@@ -223,3 +224,62 @@ + fi + ]) + ++################################################################################ ++# Setup system configuration libraries ++################################################################################ ++AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS], ++[ ++ ############################################################################### ++ # ++ # Check for the NSS library ++ # ++ ++ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)]) ++ ++ # default is not available ++ DEFAULT_SYSCONF_NSS=no ++ ++ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss], ++ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])], ++ [ ++ case "${enableval}" in ++ yes) ++ sysconf_nss=yes ++ ;; ++ *) ++ sysconf_nss=no ++ ;; ++ esac ++ ], ++ [ ++ sysconf_nss=${DEFAULT_SYSCONF_NSS} ++ ]) ++ AC_MSG_RESULT([$sysconf_nss]) ++ ++ USE_SYSCONF_NSS=false ++ if test "x${sysconf_nss}" = "xyes"; then ++ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no]) ++ if test "x${NSS_FOUND}" = "xyes"; then ++ AC_MSG_CHECKING([for system FIPS support in NSS]) ++ saved_libs="${LIBS}" ++ saved_cflags="${CFLAGS}" ++ CFLAGS="${CFLAGS} ${NSS_CFLAGS}" ++ LIBS="${LIBS} ${NSS_LIBS}" ++ AC_LANG_PUSH([C]) ++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], ++ [[SECMOD_GetSystemFIPSEnabled()]])], ++ [AC_MSG_RESULT([yes])], ++ [AC_MSG_RESULT([no]) ++ AC_MSG_ERROR([System NSS FIPS detection unavailable])]) ++ AC_LANG_POP([C]) ++ CFLAGS="${saved_cflags}" ++ LIBS="${saved_libs}" ++ USE_SYSCONF_NSS=true ++ else ++ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API ++ dnl in nss3/pk11pub.h. ++ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.]) ++ fi ++ fi ++ AC_SUBST(USE_SYSCONF_NSS) ++]) +diff --git openjdk.orig/make/autoconf/spec.gmk.in openjdk/make/autoconf/spec.gmk.in +--- openjdk.orig/make/autoconf/spec.gmk.in ++++ openjdk/make/autoconf/spec.gmk.in +@@ -828,6 +828,10 @@ + # Libraries + # + ++USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@ ++NSS_LIBS:=@NSS_LIBS@ ++NSS_CFLAGS:=@NSS_CFLAGS@ ++ + USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@ + LCMS_CFLAGS:=@LCMS_CFLAGS@ + LCMS_LIBS:=@LCMS_LIBS@ +diff --git openjdk.orig/make/lib/Lib-java.base.gmk openjdk/make/lib/Lib-java.base.gmk +--- openjdk.orig/make/lib/Lib-java.base.gmk ++++ openjdk/make/lib/Lib-java.base.gmk +@@ -179,6 +179,31 @@ + endif + + ################################################################################ ++# Create the systemconf library ++ ++LIBSYSTEMCONF_CFLAGS := ++LIBSYSTEMCONF_CXXFLAGS := ++ ++ifeq ($(USE_SYSCONF_NSS), true) ++ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS ++ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS ++endif ++ ++ifeq ($(OPENJDK_BUILD_OS), linux) ++ $(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \ ++ NAME := systemconf, \ ++ OPTIMIZATION := LOW, \ ++ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \ ++ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \ ++ LDFLAGS := $(LDFLAGS_JDKLIB) \ ++ $(call SET_SHARED_LIBRARY_ORIGIN), \ ++ LIBS_unix := $(LIBDL) $(NSS_LIBS), \ ++ )) ++ ++ TARGETS += $(BUILD_LIBSYSTEMCONF) ++endif ++ ++################################################################################ + # Create the symbols file for static builds. + + ifeq ($(STATIC_BUILD), true) +diff --git openjdk.orig/make/nb_native/nbproject/configurations.xml openjdk/make/nb_native/nbproject/configurations.xml +--- openjdk.orig/make/nb_native/nbproject/configurations.xml ++++ openjdk/make/nb_native/nbproject/configurations.xml +@@ -2950,6 +2950,9 @@ + LinuxWatchService.c + + ++ ++ systemconf.c ++ + + + +@@ -29301,6 +29304,11 @@ + tool="0" + flavor2="0"> + ++ ++ + ++#include ++#include ++#include ++ ++#ifdef SYSCONF_NSS ++#include ++#endif //SYSCONF_NSS ++ ++#include "java_security_SystemConfigurator.h" ++ ++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" ++#define MSG_MAX_SIZE 96 ++ ++static jmethodID debugPrintlnMethodID = NULL; ++static jobject debugObj = NULL; ++ ++static void throwIOException(JNIEnv *env, const char *msg); ++static void dbgPrint(JNIEnv *env, const char* msg); ++ ++/* ++ * Class: java_security_SystemConfigurator ++ * Method: JNI_OnLoad ++ */ ++JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved) ++{ ++ JNIEnv *env; ++ jclass sysConfCls, debugCls; ++ jfieldID sdebugFld; ++ ++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { ++ return JNI_EVERSION; /* JNI version not supported */ ++ } ++ ++ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator"); ++ if (sysConfCls == NULL) { ++ printf("libsystemconf: SystemConfigurator class not found\n"); ++ return JNI_ERR; ++ } ++ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls, ++ "sdebug", "Lsun/security/util/Debug;"); ++ if (sdebugFld == NULL) { ++ printf("libsystemconf: SystemConfigurator::sdebug field not found\n"); ++ return JNI_ERR; ++ } ++ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld); ++ if (debugObj != NULL) { ++ debugCls = (*env)->FindClass(env,"sun/security/util/Debug"); ++ if (debugCls == NULL) { ++ printf("libsystemconf: Debug class not found\n"); ++ return JNI_ERR; ++ } ++ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls, ++ "println", "(Ljava/lang/String;)V"); ++ if (debugPrintlnMethodID == NULL) { ++ printf("libsystemconf: Debug::println(String) method not found\n"); ++ return JNI_ERR; ++ } ++ debugObj = (*env)->NewGlobalRef(env, debugObj); ++ } ++ ++ return (*env)->GetVersion(env); ++} ++ ++/* ++ * Class: java_security_SystemConfigurator ++ * Method: JNI_OnUnload ++ */ ++JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved) ++{ ++ JNIEnv *env; ++ ++ if (debugObj != NULL) { ++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { ++ return; /* Should not happen */ ++ } ++ (*env)->DeleteGlobalRef(env, debugObj); ++ } ++} ++ ++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled ++ (JNIEnv *env, jclass cls) ++{ ++ int fips_enabled; ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ ++#ifdef SYSCONF_NSS ++ ++ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled"); ++ fips_enabled = SECMOD_GetSystemFIPSEnabled(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled); ++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { ++ dbgPrint(env, msg); ++ } else { ++ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \ ++ " SECMOD_GetSystemFIPSEnabled return value"); ++ } ++ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE); ++ ++#else // SYSCONF_NSS ++ ++ FILE *fe; ++ ++ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); ++ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { ++ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH); ++ } ++ fips_enabled = fgetc(fe); ++ fclose(fe); ++ if (fips_enabled == EOF) { ++ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH); ++ } ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " read character is '%c'", fips_enabled); ++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { ++ dbgPrint(env, msg); ++ } else { ++ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \ ++ " read character"); ++ } ++ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE); ++ ++#endif // SYSCONF_NSS ++} ++ ++static void throwIOException(JNIEnv *env, const char *msg) ++{ ++ jclass cls = (*env)->FindClass(env, "java/io/IOException"); ++ if (cls != 0) ++ (*env)->ThrowNew(env, cls, msg); ++} ++ ++static void dbgPrint(JNIEnv *env, const char* msg) ++{ ++ jstring jMsg; ++ if (debugObj != NULL) { ++ jMsg = (*env)->NewStringUTF(env, msg); ++ CHECK_NULL(jMsg); ++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); ++ } ++} +diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java +--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java ++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2019, 2020, Red Hat, Inc. ++ * Copyright (c) 2019, 2021, Red Hat, Inc. + * + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * +@@ -30,13 +30,9 @@ + import java.io.FileInputStream; + import java.io.IOException; + +-import java.nio.file.Files; +-import java.nio.file.Path; +- + import java.util.Iterator; + import java.util.Map.Entry; + import java.util.Properties; +-import java.util.regex.Pattern; + + import sun.security.util.Debug; + +@@ -58,10 +54,21 @@ + private static final String CRYPTO_POLICIES_JAVA_CONFIG = + CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config"; + +- private static final String CRYPTO_POLICIES_CONFIG = +- CRYPTO_POLICIES_BASE_DIR + "/config"; ++ private static boolean systemFipsEnabled = false; ++ ++ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf"; ++ ++ private static native boolean getSystemFIPSEnabled() ++ throws IOException; + +- private static boolean systemFipsEnabled = false; ++ static { ++ AccessController.doPrivileged(new PrivilegedAction() { ++ public Void run() { ++ System.loadLibrary(SYSTEMCONF_NATIVE_LIB); ++ return null; ++ } ++ }); ++ } + + /* + * Invoked when java.security.Security class is initialized, if +@@ -170,16 +177,34 @@ + } + + /* +- * FIPS is enabled only if crypto-policies are set to "FIPS" +- * and the com.redhat.fips property is true. ++ * OpenJDK FIPS mode will be enabled only if the com.redhat.fips ++ * system property is true (default) and the system is in FIPS mode. ++ * ++ * There are 2 possible ways in which OpenJDK detects that the system ++ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is ++ * available at OpenJDK's built-time, it is called; 2) otherwise, the ++ * /proc/sys/crypto/fips_enabled file is read. + */ + private static boolean enableFips() throws Exception { + boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true")); + if (shouldEnable) { +- String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG))); +- if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); } +- Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE); +- return pattern.matcher(cryptoPoliciesConfig).find(); ++ if (sdebug != null) { ++ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)..."); ++ } ++ try { ++ shouldEnable = getSystemFIPSEnabled(); ++ if (sdebug != null) { ++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: " ++ + shouldEnable); ++ } ++ return shouldEnable; ++ } catch (IOException e) { ++ if (sdebug != null) { ++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:"); ++ sdebug.println(e.getMessage()); ++ } ++ throw e; ++ } + } else { + return false; + } diff --git a/SOURCES/rh1996182-extend_security_policy.patch b/SOURCES/rh1996182-extend_security_policy.patch new file mode 100644 index 0000000..78552c3 --- /dev/null +++ b/SOURCES/rh1996182-extend_security_policy.patch @@ -0,0 +1,18 @@ +commit 598fe421216b0a437fa36ee91a29966599867aa3 +Author: Andrew Hughes +Date: Mon Aug 30 16:12:52 2021 +0100 + + RH1996182: Extend default security policy to allow SunPKCS11 access to jdk.internal.misc + +diff --git openjdk.orig/src/java.base/share/lib/security/default.policy openjdk/src/java.base/share/lib/security/default.policy +index ab59a334cd..5db744ff17 100644 +--- openjdk.orig/src/java.base/share/lib/security/default.policy ++++ openjdk/src/java.base/share/lib/security/default.policy +@@ -124,6 +124,7 @@ grant codeBase "jrt:/jdk.crypto.ec" { + grant codeBase "jrt:/jdk.crypto.cryptoki" { + permission java.lang.RuntimePermission + "accessClassInPackage.com.sun.crypto.provider"; ++ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc"; + permission java.lang.RuntimePermission + "accessClassInPackage.sun.security.*"; + permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch"; diff --git a/SOURCES/rh1996182-login_to_nss_software_token.patch b/SOURCES/rh1996182-login_to_nss_software_token.patch new file mode 100644 index 0000000..d3a1dde --- /dev/null +++ b/SOURCES/rh1996182-login_to_nss_software_token.patch @@ -0,0 +1,66 @@ +commit 53bda6adfacc02b8dddd8f10350c9569bca4eb1e +Author: Martin Balao +Date: Fri Aug 27 19:42:07 2021 +0100 + + RH1996182: Login to the NSS Software Token in FIPS Mode + +diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java +index 0cf61732d7..2cd851587c 100644 +--- openjdk.orig/src/java.base/share/classes/module-info.java ++++ openjdk/src/java.base/share/classes/module-info.java +@@ -182,6 +182,7 @@ module java.base { + java.security.jgss, + java.sql, + java.xml, ++ jdk.crypto.cryptoki, + jdk.jartool, + jdk.attach, + jdk.charsets, +diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +index b00b738b85..1eca1f8f0a 100644 +--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java ++++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +@@ -42,6 +42,8 @@ import javax.security.auth.callback.ConfirmationCallback; + import javax.security.auth.callback.PasswordCallback; + import javax.security.auth.callback.TextOutputCallback; + ++import jdk.internal.misc.SharedSecrets; ++ + import sun.security.util.Debug; + import sun.security.util.ResourcesMgr; + import static sun.security.util.SecurityConstants.PROVIDER_VER; +@@ -59,6 +61,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*; + */ + public final class SunPKCS11 extends AuthProvider { + ++ private static final boolean systemFipsEnabled = SharedSecrets ++ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled(); ++ + private static final long serialVersionUID = -1354835039035306505L; + + static final Debug debug = Debug.getInstance("sunpkcs11"); +@@ -373,6 +378,24 @@ public final class SunPKCS11 extends AuthProvider { + if (nssModule != null) { + nssModule.setProvider(this); + } ++ if (systemFipsEnabled) { ++ // The NSS Software Token in FIPS 140-2 mode requires a user ++ // login for most operations. See sftk_fipsCheck. The NSS DB ++ // (/etc/pki/nssdb) PIN is empty. ++ Session session = null; ++ try { ++ session = token.getOpSession(); ++ p11.C_Login(session.id(), CKU_USER, new char[] {}); ++ } catch (PKCS11Exception p11e) { ++ if (debug != null) { ++ debug.println("Error during token login: " + ++ p11e.getMessage()); ++ } ++ throw p11e; ++ } finally { ++ token.releaseSession(session); ++ } ++ } + } catch (Exception e) { + if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) { + throw new UnsupportedOperationException diff --git a/SOURCES/s390-8214206_fix.patch b/SOURCES/s390-8214206_fix.patch deleted file mode 100644 index 1d0c686..0000000 --- a/SOURCES/s390-8214206_fix.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff --git openjdk.orig/jdk/src/hotspot/share/runtime/os.cpp openjdk/jdk/src/hotspot/share/runtime/os.cpp ---- openjdk.orig/src/hotspot/share/runtime/os.cpp -+++ openjdk/src/hotspot/share/runtime/os.cpp -@@ -1368,7 +1368,7 @@ - } - - void os::set_memory_serialize_page(address page) { -- int count = log2_intptr(sizeof(class JavaThread)) - log2_int(64); -+ int count = log2_intptr((uintptr_t) sizeof(class JavaThread)) - log2_int(64); - _mem_serialize_page = (volatile int32_t *)page; - // We initialize the serialization page shift count here - // We assume a cache line size of 64 bytes diff --git a/SPECS/java-11-openjdk.spec b/SPECS/java-11-openjdk.spec index 417aa4c..3f501e9 100644 --- a/SPECS/java-11-openjdk.spec +++ b/SPECS/java-11-openjdk.spec @@ -19,9 +19,16 @@ %bcond_without slowdebug # Enable release builds by default on relevant arches. %bcond_without release +# Enable static library builds by default. +%bcond_without staticlibs # Workaround for stripping of debug symbols from static libraries +%if %{with staticlibs} %define __brp_strip_static_archive %{nil} +%global include_staticlibs 1 +%else +%global include_staticlibs 0 +%endif # The -g flag says to use strip -g instead of full strip on DSOs or EXEs. # This fixes detailed NMT and other tools which need minimal debug info. @@ -35,16 +42,21 @@ # (initiated in https://bugzilla.redhat.com/show_bug.cgi?id=1482192) %global debug_suffix_unquoted -slowdebug %global fastdebug_suffix_unquoted -fastdebug +%global main_suffix_unquoted -main +%global staticlibs_suffix_unquoted -staticlibs # quoted one for shell operations %global debug_suffix "%{debug_suffix_unquoted}" %global fastdebug_suffix "%{fastdebug_suffix_unquoted}" %global normal_suffix "" +%global main_suffix "%{main_suffix_unquoted}" +%global staticlibs_suffix "%{staticlibs_suffix_unquoted}" %global debug_warning This package is unoptimised with full debugging. Install only as needed and remove ASAP. -%global debug_on with full debug on %global fastdebug_warning This package is optimised with full debugging. Install only as needed and remove ASAP. -%global for_fastdebug_on with minimal debug on -%global for_debug for packages with debug on +%global debug_on unoptimised with full debugging on +%global fastdebug_on optimised with full debugging on +%global for_fastdebug for packages with debugging on and optimisation +%global for_debug for packages with debugging on and no optimisation %if %{with release} %global include_normal_build 1 @@ -71,7 +83,7 @@ # == rpm -ql java-11-openjdk-headless-slowdebug-11.0.1.13-8.fc29.x86_64.rpm | grep bin # != rpm -ql java-11-openjdk-headless-11.0.1.13-8.fc29.x86_64.rpm | grep bin # similarly for other %%{_jvmdir}/{jre,java} and %%{_javadocdir}/{java,java-zip} -%define is_release_build() %( if [ "%{?1}" == "%{debug_suffix_unquoted}" ]; then echo "0" ; else echo "1"; fi ) +%define is_release_build() %( if [ "%{?1}" == "%{debug_suffix_unquoted}" -o "%{?1}" == "%{fastdebug_suffix_unquoted}" ]; then echo "0" ; else echo "1"; fi ) # while JDK is a techpreview(is_system_jdk=0), some provides are turned off. Once jdk stops to be an techpreview, move it to 1 # as sytem JDK, we mean any JDK which can run whole system java stack without issues (like bytecode issues, module issues, dependencies...) @@ -86,7 +98,7 @@ # Set of architectures for which we build slowdebug builds %global debug_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} s390x # Set of architectures for which we build fastdebug builds -%global fastdebug_arches x86_64 +%global fastdebug_arches x86_64 ppc64le aarch64 # Set of architectures with a Just-In-Time (JIT) compiler %global jit_arches %{debug_arches} %{arm} # Set of architectures which run a full bootstrap cycle @@ -105,6 +117,8 @@ %global shenandoah_arches x86_64 %{aarch64} # Set of architectures for which we build the Z garbage collector %global zgc_arches x86_64 +# Set of architectures for which alt-java has SSB mitigation +%global ssbd_arches x86_64 # By default, we build a debug build during main build on JIT architectures %if %{with slowdebug} @@ -142,6 +156,8 @@ %else %global include_fastdebug_build 0 %endif +%else +%global include_fastdebug_build 0 %endif %if %{include_debug_build} @@ -157,10 +173,14 @@ %endif # If you disable both builds, then the build fails -# Note that the debug build requires the normal build for docs -%global build_loop %{normal_build} %{fastdebug_build} %{slowdebug_build} -# Test slowdebug first as it provides the best diagnostics -%global rev_build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build} +# Build and test slowdebug first as it provides the best diagnostics +%global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build} + +%if %{include_staticlibs} +%global staticlibs_loop %{staticlibs_suffix} +%else +%global staticlibs_loop %{nil} +%endif %ifarch %{bootstrap_arches} %global bootstrap_build 1 @@ -169,12 +189,20 @@ %endif %if %{bootstrap_build} -%global release_targets bootcycle-images static-libs-image docs-zip +%global release_targets bootcycle-images docs-zip %else -%global release_targets images docs-zip static-libs-image +%global release_targets images docs-zip %endif # No docs nor bootcycle for debug builds -%global debug_targets images static-libs-image +%global debug_targets images + +%if %{include_staticlibs} +# Extra target for producing the static-libraries. Separate from +# other targets since this target is configured to use in-tree +# AWT dependencies: lcms, libjpeg, libpng, libharfbuzz, giflib +# and possibly others +%global static_libs_target static-libs-image +%endif # Filter out flags from the optflags macro that cause problems with the OpenJDK build @@ -259,16 +287,18 @@ %endif # New Version-String scheme-style defines -%global majorver 11 -# If you bump majorver, you must also bump vendor_version_string +%global featurever 11 +%global interimver 0 +%global updatever 12 +%global patchver 0 +# If you bump featurever, you must bump also vendor_version_string # Used via new version scheme. JDK 11 was # GA'ed in September 2018 => 18.9 %global vendor_version_string 18.9 -%global securityver 9 -# buildjdkver is usually same as %%{majorver}, -# but in time of bootstrap of next jdk, it is majorver-1, +# buildjdkver is usually same as %%{featurever}, +# but in time of bootstrap of next jdk, it is featurever-1, # and this it is better to change it here, on single place -%global buildjdkver %{majorver} +%global buildjdkver %{featurever} # Add LTS designator for RHEL builds %if 0%{?rhel} %global lts_designator "LTS" @@ -280,7 +310,7 @@ # Define vendor information used by OpenJDK %global oj_vendor Red Hat, Inc. -%global oj_vendor_url "https://www.redhat.com/" +%global oj_vendor_url https://www.redhat.com/ # Define what url should JVM offer in case of a crash report # order may be important, epel may have rhel declared %if 0%{?epel} @@ -299,26 +329,38 @@ %endif # Define IcedTea version used for SystemTap tapsets and desktop file -%global icedteaver 3.15.0 +%global icedteaver 6.0.0pre00-c848b93a8598 # Standard JPackage naming and versioning defines %global origin openjdk %global origin_nice OpenJDK %global top_level_dir_name %{origin} -%global minorver 0 -%global buildver 11 -%global rpmrelease 7 +%global top_level_dir_name_backup %{top_level_dir_name}-backup +%global buildver 7 +%global rpmrelease 4 #%%global tagsuffix %%{nil} -# priority must be 8 digits in total; untill openjdk 1.8 we were using 18..... so when moving to 11 we had to add another digit +# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk -%global priority %( printf '%02d%02d%02d%02d' %{majorver} %{minorver} %{securityver} %{buildver} ) +# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions +# It is very unlikely we will ever have a patch version > 4 or a build version > 20, so we combine as (patch * 20) + build. +# This means 11.0.9.0+11 would have had a priority of 11000911 as before +# A 11.0.9.1+1 would have had a priority of 11000921 (20 * 1 + 1), thus ensuring it is bigger than 11.0.9.0+11 +%global combiver $( expr 20 '*' %{patchver} + %{buildver} ) +%global priority %( printf '%02d%02d%02d%02d' %{featurever} %{interimver} %{updatever} %{combiver} ) %else # for techpreview, using 1, so slowdebugs can have 0 %global priority %( printf '%08d' 1 ) %endif -%global newjavaver %{majorver}.%{minorver}.%{securityver} +%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver} -%global javaver %{majorver} +# Omit trailing 0 in filenames when the patch version is 0 +%if 0%{?patchver} > 0 +%global filever %{newjavaver} +%else +%global filever %{featurever}.%{interimver}.%{updatever} +%endif + +%global javaver %{featurever} # Define milestone (EA for pre-releases, GA for releases) # Release will be (where N is usually a number starting at 1): @@ -338,13 +380,13 @@ %endif # parametrized macros are order-sensitive -%global compatiblename java-%{majorver}-%{origin} +%global compatiblename java-%{featurever}-%{origin} %global fullversion %{compatiblename}-%{version}-%{release} # images directories from upstream build %global jdkimage jdk %global static_libs_image static-libs # output dir stub -%define buildoutputdir() %{expand:openjdk/build%{?1}} +%define buildoutputdir() %{expand:build/jdk11.build%{?1}} # we can copy the javadoc to not arched dir, or make it not noarch %define uniquejavadocdir() %{expand:%{fullversion}.%{_arch}%{?1}} # main id and dir of this jdk @@ -354,7 +396,7 @@ # fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349 # https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14 # https://bugzilla.redhat.com/show_bug.cgi?id=1655938 -%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsunec[.]so.*|libunpack[.]so.*|libzip[.]so.* +%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsunec[.]so.*|libsystemconf[.]so.*|libunpack[.]so.*|libzip[.]so.* %global _publiclibs libjawt[.]so.*|libjava[.]so.*|libjvm[.]so.*|libverify[.]so.*|libjsig[.]so.* %if %is_system_jdk %global __provides_exclude ^(%{_privatelibs})$ @@ -362,6 +404,8 @@ # Never generate lib-style provides/requires for slowdebug packages %global __provides_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$ %global __requires_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$ +%global __provides_exclude_from ^.*/%{uniquesuffix -- %{fastdebug_suffix_unquoted}}/.*$ +%global __requires_exclude_from ^.*/%{uniquesuffix -- %{fastdebug_suffix_unquoted}}/.*$ %else # Don't generate provides/requires for JDK provided shared libraries at all. %global __provides_exclude ^(%{_privatelibs}|%{_publiclibs})$ @@ -382,6 +426,14 @@ %global rpm_state_dir %{_localstatedir}/lib/rpm-state/ +# For flatpack builds hard-code /usr/sbin/alternatives, +# otherwise use %%{_sbindir} relative path. +%if 0%{?flatpak} +%global alternatives_requires /usr/sbin/alternatives +%else +%global alternatives_requires %{_sbindir}/alternatives +%endif + %if %{with_systemtap} # Where to install systemtap tapset (links) # We would like these to be in a package specific sub-dir, @@ -703,6 +755,7 @@ exit 0 %endif %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsctp.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsunec.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsystemconf.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libunpack.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libverify.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libzip.so @@ -953,25 +1006,26 @@ Requires: ca-certificates # Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros Requires: javapackages-filesystem # Require zone-info data provided by tzdata-java sub-package -# 2020b required as of JDK-8254177 in October CPU -# Temporarily held at 2020a until 2020b has shipped -Requires: tzdata-java >= 2020a +# 2021a required as of JDK-8260356 in April 2021 CPU +Requires: tzdata-java >= 2021a # for support of kernel stream control # libsctp.so.1 is being `dlopen`ed on demand Requires: lksctp-tools%{?_isa} +%if ! 0%{?flatpak} # tool to copy jdk's configs - should be Recommends only, but then only dnf/yum enforce it, # not rpm transaction and so no configs are persisted when pure rpm -u is run. It may be # considered as regression -Requires: copy-jdk-configs >= 3.3 +Requires: copy-jdk-configs >= 4.0 OrderWithRequires: copy-jdk-configs +%endif # for printing support Requires: cups-libs # Post requires alternatives to install tool alternatives -Requires(post): %{_sbindir}/alternatives +Requires(post): %{alternatives_requires} # in version 1.7 and higher for --family switch Requires(post): chkconfig >= 1.7 # Postun requires alternatives to uninstall tool alternatives -Requires(postun): %{_sbindir}/alternatives +Requires(postun): %{alternatives_requires} # in version 1.7 and higher for --family switch Requires(postun): chkconfig >= 1.7 # for optional support of kernel stream control, card reader and printing bindings @@ -997,11 +1051,11 @@ Provides: java-headless%{?1} = %{epoch}:%{version}-%{release} Requires: %{name}%{?1}%{?_isa} = %{epoch}:%{version}-%{release} OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} # Post requires alternatives to install tool alternatives -Requires(post): %{_sbindir}/alternatives +Requires(post): %{alternatives_requires} # in version 1.7 and higher for --family switch Requires(post): chkconfig >= 1.7 # Postun requires alternatives to uninstall tool alternatives -Requires(postun): %{_sbindir}/alternatives +Requires(postun): %{alternatives_requires} # in version 1.7 and higher for --family switch Requires(postun): chkconfig >= 1.7 @@ -1050,11 +1104,11 @@ Provides: java-demo%{?1} = %{epoch}:%{version}-%{release} %define java_javadoc_rpo() %{expand: OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} # Post requires alternatives to install javadoc alternative -Requires(post): %{_sbindir}/alternatives +Requires(post): %{alternatives_requires} # in version 1.7 and higher for --family switch Requires(post): chkconfig >= 1.7 # Postun requires alternatives to uninstall javadoc alternative -Requires(postun): %{_sbindir}/alternatives +Requires(postun): %{alternatives_requires} # in version 1.7 and higher for --family switch Requires(postun): chkconfig >= 1.7 @@ -1094,7 +1148,7 @@ Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist} # provides >= 1.6.0 must specify the epoch, "java >= 1:1.6.0". Epoch: 1 -Summary: %{origin_nice} Runtime Environment %{majorver} +Summary: %{origin_nice} %{featurever} Runtime Environment Group: Development/Languages # HotSpot code is licensed under GPLv2 @@ -1117,10 +1171,10 @@ URL: http://openjdk.java.net/ # to regenerate source0 (jdk) run update_package.sh # update_package.sh contains hard-coded repos, revisions, tags, and projects to regenerate the source archives -Source0: jdk-updates-jdk%{majorver}u-jdk-%{newjavaver}+%{buildver}%{?tagsuffix:-%{tagsuffix}}-4curve.tar.xz +Source0: jdk-updates-jdk%{featurever}u-jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}-4curve.tar.xz # Use 'icedtea_sync.sh' to update the following -# They are based on code contained in the IcedTea project (3.x). +# They are based on code contained in the IcedTea project (6.x). # Systemtap tapsets. Zipped up to keep it small. Source8: tapsets-icedtea-%{icedteaver}.tar.xz @@ -1142,12 +1196,15 @@ Source13: TestCryptoLevel.java # Ensure ECDSA is working Source14: TestECDSA.java -# nss fips configuration file -Source15: nss.fips.cfg.in +# Verify system crypto (policy) can be disabled via a property +Source15: TestSecurityProperties.java # Ensure vendor settings are correct Source16: CheckVendor.java +# nss fips configuration file +Source17: nss.fips.cfg.in + ############################################ # # RPM/distribution specific patches @@ -1162,18 +1219,23 @@ Patch2: rh1648644-java_access_bridge_privileged_security.patch Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch # enable build of speculative store bypass hardened alt-java Patch600: rh1750419-redhat_alt_java.patch +# RH1582504: Use RSA as default for keytool, as DSA is disabled in all crypto policies except LEGACY +Patch1003: rh1842572-rsa_default_for_keytool.patch + +# FIPS support patches # RH1655466: Support RHEL FIPS mode using SunPKCS11 provider Patch1001: rh1655466-global_crypto_and_fips.patch # RH1818909: No ciphersuites availale for SSLSocket in FIPS mode Patch1002: rh1818909-fips_default_keystore_type.patch -# RH1582504: Use RSA as default for keytool, as DSA is disabled in all crypto policies except LEGACY -Patch1003: rh1842572-rsa_default_for_keytool.patch # RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch -# RH1868740: FIPS: IllegalAccessException by pkcs11 provider -Patch1005: rh1868740-cryptoki_access_to_sunjce.patch -# RH1883849: FIPS: IllegalAccessException by pkcs11 provider with security manager on -Patch1006: rh1883849-cryptoki_access_to_sunjce_with_security_manager.patch +# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess +Patch1007: rh1915071-always_initialise_configurator_access.patch +# RH1929465: Improve system FIPS detection +Patch1008: rh1929465-improve_system_FIPS_detection.patch +# RH1996182: Login to the NSS software token in FIPS mode +Patch1009: rh1996182-login_to_nss_software_token.patch +Patch1010: rh1996182-extend_security_policy.patch ############################################# # @@ -1197,26 +1259,18 @@ Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk1 Patch4: pr3694-rh1340845-support_fedora_rhel_system_crypto_policy.patch # PR3695: Allow use of system crypto policy to be disabled by the user Patch7: pr3695-toggle_system_crypto_policy.patch -# RH1868754: FIPS: Ciphers remain in broken state (unusable), after being supplied with wrongly sized buffer -Patch11: rh1868754-pkcs11_cancel_on_failure.patch ############################################# # -# Patches appearing in 11.0.10 +# Patches appearing in 11.0.13 # # This section includes patches which are present # in the listed OpenJDK 11u release and should be # able to be removed once that release is out # and used by this RPM. ############################################# -# JDK-8222286: S390 ambiguous log2_intptr call -Patch8: s390-8214206_fix.patch -# JDK-8254177: (tz) Upgrade time-zone data to tzdata2020b -Patch9: jdk8254177-tzdata2020b.patch -# JDK-8236512: PKCS11 Connection closed after Cipher.doFinal and NoPadding -Patch10: jdk8236512-pkcs11_incorrrect_session_closure.patch -# JDK-8250861, RH1895274: Crash in MinINode::Ideal(PhaseGVN*, bool) -Patch12: jdk8250861-rh1895274-crash_in_MinINode_Ideal.patch +# JDK-8269668, RH1977671: [aarch64] java.library.path not including /usr/lib64 +Patch8: jdk8269668-rh1977671-aarch64_lib_path_fix.patch BuildRequires: autoconf BuildRequires: automake @@ -1231,6 +1285,7 @@ BuildRequires: freetype-devel BuildRequires: giflib-devel BuildRequires: gcc-c++ BuildRequires: gdb +BuildRequires: harfbuzz-devel BuildRequires: lcms2-devel BuildRequires: libjpeg-devel BuildRequires: libpng-devel @@ -1242,8 +1297,8 @@ BuildRequires: libXrandr-devel BuildRequires: libXrender-devel BuildRequires: libXt-devel BuildRequires: libXtst-devel -# Requirements for setting up the nss.cfg -BuildRequires: nss-devel +# Requirements for setting up the nss.cfg and FIPS support +BuildRequires: nss-devel >= 3.53 BuildRequires: pkgconfig BuildRequires: xorg-x11-proto-devel BuildRequires: zip @@ -1254,9 +1309,8 @@ BuildRequires: java-%{buildjdkver}-openjdk-devel %ifnarch %{jit_arches} BuildRequires: libffi-devel %endif -# 2020b required as of JDK-8254177 in October CPU -# Temporarily held at 2020a until 2020b has shipped -BuildRequires: tzdata-java >= 2020a +# 2021a required as of JDK-8260356 in April 2021 CPU +BuildRequires: tzdata-java >= 2021a # Earlier versions have a bug in tree vectorization on PPC BuildRequires: gcc >= 4.8.3-8 @@ -1269,241 +1323,246 @@ BuildRequires: systemtap-sdt-devel %{java_rpo %{nil}} %description -The %{origin_nice} runtime environment. +The %{origin_nice} %{featurever} runtime environment. %if %{include_debug_build} %package slowdebug -Summary: %{origin_nice} Runtime Environment %{majorver} %{debug_on} +Summary: %{origin_nice} %{featurever} Runtime Environment %{debug_on} Group: Development/Languages %{java_rpo -- %{debug_suffix_unquoted}} %description slowdebug -The %{origin_nice} runtime environment. +The %{origin_nice} %{featurever} runtime environment. %{debug_warning} %endif %if %{include_fastdebug_build} %package fastdebug -Summary: %{origin_nice} Runtime Environment %{majorver} %{fastdebug_on} +Summary: %{origin_nice} %{featurever} Runtime Environment %{fastdebug_on} Group: Development/Languages %{java_rpo -- %{fastdebug_suffix_unquoted}} %description fastdebug -The %{origin_nice} runtime environment. +The %{origin_nice} %{featurever} runtime environment. %{fastdebug_warning} %endif %if %{include_normal_build} %package headless -Summary: %{origin_nice} Headless Runtime Environment %{majorver} +Summary: %{origin_nice} %{featurever} Headless Runtime Environment Group: Development/Languages %{java_headless_rpo %{nil}} %description headless -The %{origin_nice} runtime environment %{majorver} without audio and video support. +The %{origin_nice} %{featurever} runtime environment without audio and video support. %endif %if %{include_debug_build} %package headless-slowdebug -Summary: %{origin_nice} Runtime Environment %{debug_on} +Summary: %{origin_nice} %{featurever} Runtime Environment %{debug_on} Group: Development/Languages %{java_headless_rpo -- %{debug_suffix_unquoted}} %description headless-slowdebug -The %{origin_nice} runtime environment %{majorver} without audio and video support. +The %{origin_nice} %{featurever} runtime environment without audio and video support. %{debug_warning} %endif %if %{include_fastdebug_build} %package headless-fastdebug -Summary: %{origin_nice} Runtime Environment %{fastdebug_on} +Summary: %{origin_nice} %{featurever} Runtime Environment %{fastdebug_on} Group: Development/Languages %{java_headless_rpo -- %{fastdebug_suffix_unquoted}} %description headless-fastdebug -The %{origin_nice} runtime environment %{majorver} without audio and video support. +The %{origin_nice} %{featurever} runtime environment without audio and video support. %{fastdebug_warning} %endif %if %{include_normal_build} %package devel -Summary: %{origin_nice} Development Environment %{majorver} +Summary: %{origin_nice} %{featurever} Development Environment Group: Development/Tools %{java_devel_rpo %{nil}} %description devel -The %{origin_nice} development tools %{majorver}. +The %{origin_nice} %{featurever} development tools. %endif %if %{include_debug_build} %package devel-slowdebug -Summary: %{origin_nice} Development Environment %{majorver} %{debug_on} +Summary: %{origin_nice} %{featurever} Development Environment %{debug_on} Group: Development/Tools %{java_devel_rpo -- %{debug_suffix_unquoted}} %description devel-slowdebug -The %{origin_nice} development tools %{majorver}. +The %{origin_nice} %{featurever} development tools. %{debug_warning} %endif %if %{include_fastdebug_build} %package devel-fastdebug -Summary: %{origin_nice} Development Environment %{majorver} %{fastdebug_on} +Summary: %{origin_nice} %{featurever} Development Environment %{fastdebug_on} Group: Development/Tools %{java_devel_rpo -- %{fastdebug_suffix_unquoted}} %description devel-fastdebug -The %{origin_nice} development tools %{majorver}. +The %{origin_nice} %{featurever} development tools. %{fastdebug_warning} %endif +%if %{include_staticlibs} + %if %{include_normal_build} %package static-libs -Summary: %{origin_nice} libraries for static linking %{majorver} +Summary: %{origin_nice} %{featurever} libraries for static linking %{java_static_libs_rpo %{nil}} %description static-libs -The %{origin_nice} libraries for static linking %{majorver}. +The %{origin_nice} %{featurever} libraries for static linking. %endif %if %{include_debug_build} %package static-libs-slowdebug -Summary: %{origin_nice} libraries for static linking %{majorver} %{debug_on} +Summary: %{origin_nice} %{featurever} libraries for static linking %{debug_on} %{java_static_libs_rpo -- %{debug_suffix_unquoted}} %description static-libs-slowdebug -The %{origin_nice} libraries for static linking %{majorver}. +The %{origin_nice} %{featurever} libraries for static linking. %{debug_warning} %endif %if %{include_fastdebug_build} %package static-libs-fastdebug -Summary: %{origin_nice} libraries for static linking %{majorver} %{fastdebug_on} +Summary: %{origin_nice} %{featurever} libraries for static linking %{fastdebug_on} %{java_static_libs_rpo -- %{fastdebug_suffix_unquoted}} %description static-libs-fastdebug -The %{origin_nice} libraries for static linking %{majorver}. +The %{origin_nice} %{featurever} libraries for static linking. %{fastdebug_warning} %endif +# staticlibs +%endif + %if %{include_normal_build} %package jmods -Summary: JMods for %{origin_nice} %{majorver} +Summary: JMods for %{origin_nice} %{featurever} Group: Development/Tools %{java_jmods_rpo %{nil}} %description jmods -The JMods for %{origin_nice}. +The JMods for %{origin_nice} %{featurever}. %endif %if %{include_debug_build} %package jmods-slowdebug -Summary: JMods for %{origin_nice} %{majorver} %{debug_on} +Summary: JMods for %{origin_nice} %{featurever} %{debug_on} Group: Development/Tools %{java_jmods_rpo -- %{debug_suffix_unquoted}} %description jmods-slowdebug -The JMods for %{origin_nice} %{majorver}. +The JMods for %{origin_nice} %{featurever}. %{debug_warning} %endif %if %{include_fastdebug_build} %package jmods-fastdebug -Summary: JMods for %{origin_nice} %{majorver} %{fastdebug_on} +Summary: JMods for %{origin_nice} %{featurever} %{fastdebug_on} Group: Development/Tools %{java_jmods_rpo -- %{fastdebug_suffix_unquoted}} %description jmods-fastdebug -The JMods for %{origin_nice} %{majorver}. +The JMods for %{origin_nice} %{featurever}. %{fastdebug_warning} %endif %if %{include_normal_build} %package demo -Summary: %{origin_nice} Demos %{majorver} +Summary: %{origin_nice} %{featurever} Demos Group: Development/Languages %{java_demo_rpo %{nil}} %description demo -The %{origin_nice} demos %{majorver}. +The %{origin_nice} %{featurever} demos. %endif %if %{include_debug_build} %package demo-slowdebug -Summary: %{origin_nice} Demos %{majorver} %{debug_on} +Summary: %{origin_nice} %{featurever} Demos %{debug_on} Group: Development/Languages %{java_demo_rpo -- %{debug_suffix_unquoted}} %description demo-slowdebug -The %{origin_nice} demos %{majorver}. +The %{origin_nice} %{featurever} demos. %{debug_warning} %endif %if %{include_fastdebug_build} %package demo-fastdebug -Summary: %{origin_nice} Demos %{majorver} %{fastdebug_on} +Summary: %{origin_nice} %{featurever} Demos %{fastdebug_on} Group: Development/Languages %{java_demo_rpo -- %{fastdebug_suffix_unquoted}} %description demo-fastdebug -The %{origin_nice} demos %{majorver}. +The %{origin_nice} %{featurever} demos. %{fastdebug_warning} %endif %if %{include_normal_build} %package src -Summary: %{origin_nice} Source Bundle %{majorver} +Summary: %{origin_nice} %{featurever} Source Bundle Group: Development/Languages %{java_src_rpo %{nil}} %description src -The java-%{origin}-src sub-package contains the complete %{origin_nice} %{majorver} +The %{compatiblename}-src sub-package contains the complete %{origin_nice} %{featurever} class library source code for use by IDE indexers and debuggers. %endif %if %{include_debug_build} %package src-slowdebug -Summary: %{origin_nice} Source Bundle %{majorver} %{for_debug} +Summary: %{origin_nice} %{featurever} Source Bundle %{for_debug} Group: Development/Languages %{java_src_rpo -- %{debug_suffix_unquoted}} %description src-slowdebug -The java-%{origin}-src-slowdebug sub-package contains the complete %{origin_nice} %{majorver} - class library source code for use by IDE indexers and debuggers. Debugging %{for_debug}. +The %{compatiblename}-src-slowdebug sub-package contains the complete %{origin_nice} %{featurever} + class library source code for use by IDE indexers and debuggers, %{for_debug}. %endif %if %{include_fastdebug_build} %package src-fastdebug -Summary: %{origin_nice} Source Bundle %{majorver} %{for_fastdebug} +Summary: %{origin_nice} %{featurever} Source Bundle %{for_fastdebug} Group: Development/Languages %{java_src_rpo -- %{fastdebug_suffix_unquoted}} %description src-fastdebug -The java-%{origin}-src-fastdebug sub-package contains the complete %{origin_nice} %{majorver} - class library source code for use by IDE indexers and debuggers. Debugging %{for_fastdebug}. +The %{compatiblename}-src-fastdebug sub-package contains the complete %{origin_nice} %{featurever} + class library source code for use by IDE indexers and debuggers, %{for_fastdebug}. %endif %if %{include_normal_build} %package javadoc -Summary: %{origin_nice} %{majorver} API documentation +Summary: %{origin_nice} %{featurever} API documentation Group: Documentation Requires: javapackages-filesystem Obsoletes: javadoc-debug @@ -1511,10 +1570,10 @@ Obsoletes: javadoc-debug %{java_javadoc_rpo %{nil}} %description javadoc -The %{origin_nice} %{majorver} API documentation. +The %{origin_nice} %{featurever} API documentation. %package javadoc-zip -Summary: %{origin_nice} %{majorver} API documentation compressed in a single archive +Summary: %{origin_nice} %{featurever} API documentation compressed in a single archive Group: Documentation Requires: javapackages-filesystem Obsoletes: javadoc-zip-debug @@ -1522,7 +1581,7 @@ Obsoletes: javadoc-zip-debug %{java_javadoc_rpo %{nil}} %description javadoc-zip -The %{origin_nice} %{majorver} API documentation compressed in a single archive. +The %{origin_nice} %{featurever} API documentation compressed in a single archive. %endif %prep @@ -1556,10 +1615,6 @@ if [ %{include_debug_build} -eq 0 -a %{include_normal_build} -eq 0 -a %{includ echo "You have disabled all builds (normal,fastdebug,slowdebug). That is a no go." exit 14 fi -if [ %{include_normal_build} -eq 0 ] ; then - echo "You have disabled the normal build, but this is required to provide docs for the debug build." - exit 15 -fi %setup -q -c -n %{uniquesuffix ""} -T -a 0 # https://bugzilla.redhat.com/show_bug.cgi?id=1189084 prioritylength=`expr length %{priority}` @@ -1569,9 +1624,10 @@ if [ $prioritylength -ne 8 ] ; then fi # OpenJDK patches +# Remove libraries that are linked by both static and dynamic builds +sh %{SOURCE12} %{top_level_dir_name} -# Remove libraries that are linked -sh %{SOURCE12} +# Patch the JDK pushd %{top_level_dir_name} %patch1 -p1 %patch2 -p1 @@ -1579,10 +1635,6 @@ pushd %{top_level_dir_name} %patch4 -p1 %patch7 -p1 %patch8 -p1 -%patch9 -p1 -%patch10 -p1 -%patch11 -p1 -%patch12 -p1 popd # openjdk %patch1000 @@ -1591,8 +1643,10 @@ popd # openjdk %patch1002 %patch1003 %patch1004 -%patch1005 -%patch1006 +%patch1007 +%patch1008 +%patch1009 +%patch1010 # Extract systemtap tapsets %if %{with_systemtap} @@ -1609,11 +1663,12 @@ for suffix in %{build_loop} ; do for file in "tapset"$suffix/*.in; do OUTPUT_FILE=`echo $file | sed -e "s:\.stp\.in$:-%{version}-%{release}.%{_arch}.stp:g"` sed -e "s:@ABS_SERVER_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/server/libjvm.so:g" $file > $file.1 + sed -e "s:@JAVA_SPEC_VER@:%{javaver}:g" $file.1 > $file.2 # TODO find out which architectures other than i686 have a client vm %ifarch %{ix86} - sed -e "s:@ABS_CLIENT_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/client/libjvm.so:g" $file.1 > $OUTPUT_FILE + sed -e "s:@ABS_CLIENT_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/client/libjvm.so:g" $file.2 > $OUTPUT_FILE %else - sed -e "/@ABS_CLIENT_LIBJVM_SO@/d" $file.1 > $OUTPUT_FILE + sed -e "/@ABS_CLIENT_LIBJVM_SO@/d" $file.2 > $OUTPUT_FILE %endif sed -i -e "s:@ABS_JAVA_HOME_DIR@:%{_jvmdir}/%{sdkdir -- $suffix}:g" $OUTPUT_FILE sed -i -e "s:@INSTALL_ARCH_DIR@:%{archinstall}:g" $OUTPUT_FILE @@ -1644,7 +1699,7 @@ done sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg # Setup nss.fips.cfg -sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE15} > nss.fips.cfg +sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg sed -i -e "s:@NSS_SECMOD@:/etc/pki/nssdb:g" nss.fips.cfg %build @@ -1665,9 +1720,8 @@ export CFLAGS="$CFLAGS -mieee" # We use ourcppflags because the OpenJDK build seems to # pass EXTRA_CFLAGS to the HotSpot C++ compiler... -# Explicitly set the C++ standard as the default has changed on GCC >= 6 -EXTRA_CFLAGS="%ourcppflags -std=gnu++98 -Wno-error -fno-delete-null-pointer-checks -fno-lifetime-dse" -EXTRA_CPP_FLAGS="%ourcppflags -std=gnu++98 -fno-delete-null-pointer-checks -fno-lifetime-dse" +EXTRA_CFLAGS="%ourcppflags -Wno-error" +EXTRA_CPP_FLAGS="%ourcppflags" %ifarch %{power64} ppc # fix rpmlint warnings @@ -1684,24 +1738,43 @@ else debugbuild=`echo $suffix | sed "s/-//g"` fi -# Variable used in hs_err hook on build failures -top_dir_abs_path=$(pwd)/%{top_level_dir_name} +for loop in %{main_suffix} %{staticlibs_loop} ; do -mkdir -p %{buildoutputdir -- $suffix} -pushd %{buildoutputdir -- $suffix} +if test "x${loop}" = "x%{main_suffix}" ; then + # Copy the source tree so we can remove all in-tree libraries + cp -a %{top_level_dir_name} %{top_level_dir_name_backup} + # Remove all libraries that are linked + sh %{SOURCE12} %{top_level_dir_name} full + # Variable used by configure and hs_err hook on build failures + link_opt="system" + # Debug builds don't need same targets as release for + # build speed-up + maketargets="%{release_targets}" + if echo $debugbuild | grep -q "debug" ; then + maketargets="%{debug_targets}" + fi +else + # Variable used by configure and hs_err hook on build failures + link_opt="bundled" + # Static library cycle only builds the static libraries + maketargets="%{static_libs_target}" +fi -bash ../configure \ +top_dir_abs_src_path=$(pwd)/%{top_level_dir_name} +top_dir_abs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}${loop}} +mkdir -p ${top_dir_abs_build_path} +pushd ${top_dir_abs_build_path} + +bash ${top_dir_abs_src_path}/configure \ %ifnarch %{jit_arches} --with-jvm-variants=zero \ %endif %ifarch %{ppc64le} --with-jobs=1 \ %endif - --with-version-build=1 \ + --with-version-build=%{buildver} \ --with-version-pre="%{ea_designator}" \ --with-version-opt=%{lts_designator} \ - --with-version-patch=1 \ - --with-version-date="2020-11-04" \ --with-vendor-version-string="%{vendor_version_string}" \ --with-vendor-name="%{oj_vendor}" \ --with-vendor-url="%{oj_vendor_url}" \ @@ -1710,12 +1783,14 @@ bash ../configure \ --with-boot-jdk=/usr/lib/jvm/java-%{buildjdkver}-openjdk \ --with-debug-level=$debugbuild \ --with-native-debug-symbols=internal \ + --enable-sysconf-nss \ --enable-unlimited-crypto \ --with-zlib=system \ - --with-libjpeg=system \ - --with-giflib=system \ - --with-libpng=system \ - --with-lcms=system \ + --with-libjpeg=${link_opt} \ + --with-giflib=${link_opt} \ + --with-libpng=${link_opt} \ + --with-lcms=${link_opt} \ + --with-harfbuzz=${link_opt} \ --with-stdc++lib=dynamic \ --with-extra-cxxflags="$EXTRA_CPP_FLAGS" \ --with-extra-cflags="$EXTRA_CFLAGS" \ @@ -1726,33 +1801,37 @@ bash ../configure \ --with-jvm-features="%{shenandoah_feature},%{zgc_feature}" \ --disable-warnings-as-errors -# Debug builds don't need same targets as release for -# build speed-up -maketargets="%{release_targets}" -if echo $debugbuild | grep -q "debug" ; then - maketargets="%{debug_targets}" -fi make \ JAVAC_FLAGS=-g \ LOG=trace \ WARNINGS_ARE_ERRORS="-Wno-error" \ CFLAGS_WARNINGS_ARE_ERRORS="-Wno-error" \ - $maketargets || ( pwd; find $top_dir_abs_path -name "hs_err_pid*.log" | xargs cat && false ) + $maketargets || ( pwd; find ${top_dir_abs_src_path} ${top_dir_abs_build_path} -name "hs_err_pid*.log" | xargs cat && false ) + +popd >& /dev/null + +# Restore original source tree if we modified it by removing full in-tree sources +if [ -d %{top_level_dir_name_backup} ] ; then + rm -rf %{top_level_dir_name} + mv %{top_level_dir_name_backup} %{top_level_dir_name} +fi + +done # end of main / staticlibs loop + +top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}} # the build (erroneously) removes read permissions from some jars # this is a regression in OpenJDK 7 (our compiler): # http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437 -find images/%{jdkimage} -iname '*.jar' -exec chmod ugo+r {} \; +find ${top_dir_abs_main_build_path}/images/%{jdkimage} -iname '*.jar' -exec chmod ugo+r {} \; # Build screws up permissions on binaries # https://bugs.openjdk.java.net/browse/JDK-8173610 -find images/%{jdkimage} -iname '*.so' -exec chmod +x {} \; -find images/%{jdkimage}/bin/ -exec chmod +x {} \; - -popd >& /dev/null +find ${top_dir_abs_main_build_path}/images/%{jdkimage} -iname '*.so' -exec chmod +x {} \; +find ${top_dir_abs_main_build_path}/images/%{jdkimage}/bin/ -exec chmod +x {} \; # Install nss.cfg right away as we will be using the JRE above -export JAVA_HOME=$(pwd)/%{buildoutputdir -- $suffix}/images/%{jdkimage} +export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage} # Install nss.cfg right away as we will be using the JRE above install -m 644 nss.cfg $JAVA_HOME/conf/security/ @@ -1772,14 +1851,19 @@ cat man/man1/java.1 >> man/man1/%{alt_java_name}.1 popd # build cycles -done +done # end of release / debug cycle loop %check # We test debug first as it will give better diagnostics on a crash -for suffix in %{rev_build_loop} ; do +for suffix in %{build_loop} ; do -export JAVA_HOME=$(pwd)/%{buildoutputdir -- $suffix}/images/%{jdkimage} +top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}} +%if %{include_staticlibs} +top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticlibs_loop}} +%endif + +export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage} #check Shenandoah is enabled %if %{use_shenandoah_hotspot} @@ -1794,14 +1878,30 @@ $JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLev $JAVA_HOME/bin/javac -d . %{SOURCE14} $JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||") +# Check system crypto (policy) can be disabled +$JAVA_HOME/bin/javac -d . %{SOURCE15} +$JAVA_HOME/bin/java -Djava.security.disableSystemPropertiesFile=true $(echo $(basename %{SOURCE15})|sed "s|\.java||") + # Check correct vendor values have been set $JAVA_HOME/bin/javac -d . %{SOURCE16} -$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" %{oj_vendor_url} %{oj_vendor_bug_url} +$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}" +# Check java launcher has no SSB mitigation +if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi + +# Check alt-java launcher has SSB mitigation on supported architectures +%ifarch %{ssbd_arches} +nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation +%else +if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi +%endif + +%if %{include_staticlibs} # Check debug symbols in static libraries (smoke test) -export STATIC_LIBS_HOME=$(pwd)/%{buildoutputdir -- $suffix}/images/%{static_libs_image} +export STATIC_LIBS_HOME=${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image} readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep w_remainder.c readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep e_remainder.c +%endif # Check debug symbols are present and can identify code find "$JAVA_HOME" -iname '*.so' -print0 | while read -d $'\0' lib @@ -1887,12 +1987,17 @@ STRIP_KEEP_SYMTAB=libjvm* for suffix in %{build_loop} ; do +top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}} +%if %{include_staticlibs} +top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticlibs_loop}} +%endif +jdk_image=${top_dir_abs_main_build_path}/images/%{jdkimage} + # Install the jdk mkdir -p $RPM_BUILD_ROOT%{_jvmdir} -cp -a %{buildoutputdir -- $suffix}/images/%{jdkimage} \ - $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix} +cp -a ${jdk_image} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix} -pushd %{buildoutputdir $suffix}/images/%{jdkimage} +pushd ${jdk_image} %if %{with_systemtap} # Install systemtap support files @@ -1936,18 +2041,19 @@ pushd %{buildoutputdir $suffix}/images/%{jdkimage} popd # Install static libs artefacts +%if %{include_staticlibs} mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/static/linux-%{archinstall}/glibc -cp -a %{buildoutputdir -- $suffix}/images/%{static_libs_image}/lib/*.a \ +cp -a ${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image}/lib/*.a \ $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/static/linux-%{archinstall}/glibc - +%endif if ! echo $suffix | grep -q "debug" ; then # Install Javadoc documentation install -d -m 755 $RPM_BUILD_ROOT%{_javadocdir} - cp -a %{buildoutputdir $suffix}/images/docs $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir $suffix} - #built_doc_archive=jdk-%{newjavaver}%{ea_designator_zip}+%{buildver}%{lts_designator_zip}-docs.zip - built_doc_archive=jdk-11.0.9.1+1%{lts_designator_zip}-docs.zip - cp -a %{buildoutputdir -- $suffix}/bundles/${built_doc_archive} $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}.zip + cp -a ${top_dir_abs_main_build_path}/images/docs $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix} + built_doc_archive=jdk-%{filever}%{ea_designator_zip}+%{buildver}%{lts_designator_zip}-docs.zip + cp -a ${top_dir_abs_main_build_path}/bundles/${built_doc_archive} \ + $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}.zip || ls -l ${top_dir_abs_main_build_path}/bundles/ fi # Install release notes @@ -2009,7 +2115,13 @@ done -- whether copy-jdk-configs is installed or not. If so, then configs are copied -- (copy_jdk_configs from %%{_libexecdir} used) or not copied at all local posix = require "posix" -local debug = false + +if (os.getenv("debug") == "true") then + debug = true; + print("cjc: in spec debug is on") +else + debug = false; +end SOURCE1 = "%{rpm_state_dir}/copy_jdk_configs.lua" SOURCE2 = "%{_libexecdir}/copy_jdk_configs.lua" @@ -2037,9 +2149,10 @@ else return end end --- run content of included file with fake args -arg = {"--currentjvm", "%{uniquesuffix %{nil}}", "--jvmdir", "%{_jvmdir %{nil}}", "--origname", "%{name}", "--origjavaver", "%{javaver}", "--arch", "%{_arch}", "--temp", "%{rpm_state_dir}/%{name}.%{_arch}"} -require "copy_jdk_configs.lua" +arg = nil ; -- it is better to null the arg up, no meter if they exists or not, and use cjc as module in unified way, instead of relaying on "main" method during require "copy_jdk_configs.lua" +cjc = require "copy_jdk_configs.lua" +args = {"--currentjvm", "%{uniquesuffix %{nil}}", "--jvmdir", "%{_jvmdir %{nil}}", "--origname", "%{name}", "--origjavaver", "%{javaver}", "--arch", "%{_arch}", "--temp", "%{rpm_state_dir}/%{name}.%{_arch}"} +cjc.mainProgram(args) -- the returns from copy_jdk_configs.lua should not affect this 'main', so it shodl run under all circumstances, except fatal error -- https://bugzilla.redhat.com/show_bug.cgi?id=1820172 -- https://docs.fedoraproject.org/en-US/packaging-guidelines/Directory_Replacement/ @@ -2173,8 +2286,10 @@ end %files devel %{files_devel %{nil}} +%if %{include_staticlibs} %files static-libs %{files_static_libs %{nil}} +%endif %files jmods %{files_jmods %{nil}} @@ -2205,8 +2320,10 @@ end %files devel-slowdebug %{files_devel -- %{debug_suffix_unquoted}} +%if %{include_staticlibs} %files static-libs-slowdebug %{files_static_libs -- %{debug_suffix_unquoted}} +%endif %files jmods-slowdebug %{files_jmods -- %{debug_suffix_unquoted}} @@ -2229,8 +2346,10 @@ end %files devel-fastdebug %{files_devel -- %{fastdebug_suffix_unquoted}} +%if %{include_staticlibs} %files static-libs-fastdebug %{files_static_libs -- %{fastdebug_suffix_unquoted}} +%endif %files jmods-fastdebug %{files_jmods -- %{fastdebug_suffix_unquoted}} @@ -2244,6 +2363,227 @@ end %endif %changelog +* Mon Aug 30 2021 Andrew Hughes - 1:11.0.12.0.7-4 +- Extend the default security policy to accomodate PKCS11 accessing jdk.internal.misc. +- Resolves: rhbz#1997357 + +* Fri Aug 27 2021 Andrew Hughes - 1:11.0.12.0.7-3 +- Add patch to login to the NSS software token when in FIPS mode. +- Resolves: rhbz#1997357 + +* Wed Jul 28 2021 Severin Gehwolf - 1:11.0.12.0.7-2 +- Add patch in order to fix java.library.path issue on aarch64 (JDK-8269668) +- Resolves: rhbz#1994104 + +* Tue Jul 13 2021 Andrew Hughes - 1:11.0.12.0.7-1 +- Update to jdk-11.0.12.0+7 +- Update release notes to 11.0.12.0+7 +- Switch to GA mode for final release. +- Resolves: rhbz#1972395 + +* Thu Jul 08 2021 Andrew Hughes - 1:11.0.12.0.6-0.0.ea +- Update to jdk-11.0.12.0+6 +- Update release notes to 11.0.12.0+6 +- Skip 11.0.12.0+5 as 11.0.12.0+6 only adds a test change +- Resolves: rhbz#1967374 + +* Thu Jul 08 2021 Andrew Hughes - 1:11.0.12.0.4-0.0.ea +- Update to jdk-11.0.12.0+4 +- Update release notes to 11.0.12.0+4 +- Correct bug ID JDK-8264846 to intended ID of JDK-8264848 +- Resolves: rhbz#1967374 + +* Mon Jul 05 2021 Andrew Hughes - 1:11.0.12.0.3-0.0.ea +- Update to jdk-11.0.12.0+3 +- Update release notes to 11.0.12.0+3 +- Resolves: rhbz#1967374 + +* Fri Jul 02 2021 Andrew Hughes - 1:11.0.12.0.2-0.1.ea +- Use the "reverse" build loop (debug first) as the main and only build loop to get more diagnostics. +- Remove restriction on disabling product build, as debug packages no longer have javadoc packages. +- Resolves: rhbz#1966234 + +* Fri Jul 02 2021 Andrew Hughes - 1:11.0.12.0.2-0.0.ea +- Update to jdk-11.0.12.0+2 +- Update release notes to 11.0.12.0+2 +- Resolves: rhbz#1967374 + +* Wed Jun 30 2021 Andrew Hughes - 1:11.0.12.0.1-0.3.ea +- Remove explicit compiler flags which should be handled by the upstream build + (-std=gnu++98, -fno-delete-null-pointer-checks, -fno-lifetime-dse) +- Resolves: rhbz#1966234 + +* Wed Jun 30 2021 Andrew Hughes - 1:11.0.12.0.1-0.2.ea +- Add ppc64le and aarch64 to fastdebug_arches +- Resolves: rhbz#1969255 + +* Mon Jun 28 2021 Andrew Hughes - 1:11.0.12.0.1-0.1.ea +- Re-order source files to sync with Fedora. +- Resolves: rhbz#1966234 + +* Mon Jun 28 2021 Severin Gehwolf - 1:11.0.12.0.1-0.1.ea +- Add a test verifying system crypto policies can be disabled +- Resolves: rhbz#1966234 + +* Mon Jun 28 2021 Andrew Hughes - 1:11.0.12.0.1-0.0.ea +- Update to jdk-11.0.12.0+1 +- Update release notes to 11.0.12.0+1 +- Switch to EA mode for 11.0.12 pre-release builds. +- Update ECC patch following JDK-8226374 (bug ID yet to be confirmed) +- Resolves: rhbz#1967374 + +* Wed Jun 16 2021 Jiri Vanek - 1:11.0.11.0.9-5 +- adapted to newst cjc to fix issue with rpm 4.17 +- Disable copy-jdk-configs for Flatpak builds +- removed cjc backward comaptiblity, to fix when both rpm 4.16 and 4.17 are in transaction +- Resolves: rhbz#1953923 + +* Tue Jun 08 2021 Andrew Hughes - 1:11.0.11.0.9-4 +- Minor code cleanups on FIPS detection patch and check for SECMOD_GetSystemFIPSEnabled in configure. +- Remove unneeded Requires on NSS as it will now be dynamically linked and detected by RPM. +- Resolves: rhbz#1929465 + +* Tue Jun 08 2021 Martin Balao - 1:11.0.11.0.9-4 +- Detect FIPS using SECMOD_GetSystemFIPSEnabled in the new libsystemconf JDK library. +- Resolves: rhbz#1929465 + +* Wed Apr 21 2021 Andrew Hughes - 1:11.0.11.0.9-3 +- Update to jdk-11.0.11.0+9 +- Update release notes to 11.0.11.0+9 +- Switch to GA mode for final release. +- This tarball is embargoed until 2021-04-20 @ 1pm PT. +- Resolves: rhbz#1938201 + +* Thu Apr 15 2021 Andrew Hughes - 1:11.0.11.0.7-0.3.ea +- Require tzdata 2021a to match upstream change JDK-8260356 +- Resolves: rhbz#1942310 + +* Mon Apr 12 2021 Andrew Hughes - 1:11.0.11.0.7-0.2.ea +- Update to jdk-11.0.11.0+7 +- Update release notes to 11.0.11.0+7 +- Resolves: rhbz#1942310 + +* Mon Apr 12 2021 Andrew Hughes - 1:11.0.11.0.6-0.2.ea +- Update to jdk-11.0.11.0+6 +- Update release notes to 11.0.11.0+6 +- Resolves: rhbz#1942310 + +* Sat Apr 10 2021 Andrew Hughes - 1:11.0.11.0.5-0.2.ea +- Update to jdk-11.0.11.0+5 +- Update release notes to 11.0.11.0+5 +- Resolves: rhbz#1942310 + +* Fri Apr 09 2021 Andrew Hughes - 1:11.0.11.0.4-0.2.ea +- Update to jdk-11.0.11.0+4 +- Update release notes to 11.0.11.0+4 +- Resolves: rhbz#1942310 + +* Fri Apr 09 2021 Andrew Hughes - 1:11.0.11.0.3-0.2.ea +- Update to jdk-11.0.11.0+3 +- Update release notes to 11.0.11.0+3 +- Resolves: rhbz#1942310 + +* Fri Apr 09 2021 Andrew Hughes - 1:11.0.11.0.2-0.2.ea +- Update to jdk-11.0.11.0+2 +- Update release notes to 11.0.11.0+2 +- Resolves: rhbz#1942310 + +* Mon Apr 05 2021 Andrew Hughes - 1:11.0.11.0.1-0.2.ea +- Update to jdk-11.0.11.0+1 +- Update release notes to 11.0.11.0+1 +- Switch to EA mode for 11.0.11 pre-release builds. +- Require tzdata 2020f to match upstream change JDK-8259048 +- Remove RH1868754 patch as this is now resolved upstream by JDK-8258833 +- Remove RH1868740 & RH1883849 patches as these are now resolved by JDK-8259319 +- Resolves: rhbz#1942310 + +* Sun Mar 28 2021 Jayashree Huttanagoudar - 1:11.0.10.0.9-10 +- Fix issue where CheckVendor.java test erroneously passes when it should fail. +- Add proper quoting so '&' is not treated as a special character by the shell. +- Resolves: rhbz#1942310 + +* Wed Mar 24 2021 Jayashree Huttanagoudar - 1:11.0.10.0.9-9 +- Fixed not-including fastdebug build in case of --without fastdebug +- Resolves: rhbz#1942310 + +* Mon Feb 22 2021 Andrew Hughes - 1:11.0.10.0.9-8 +- Perform static library build on a separate source tree with bundled image libraries +- Make static library build optional +- Based on initial work by Severin Gehwolf +- Resolves: rhbz#1930513 + +* Mon Feb 22 2021 Andrew Hughes - 1:11.0.10.0.9-7 +- Update tapsets from IcedTea 6.x repository with fix for JDK-8015774 changes (_heap->_heaps) +- Update icedtea_sync.sh with a VCS mode that retrieves sources from a Mercurial repository +- Resolves: rhbz#1814915 + +* Mon Feb 22 2021 Stephan Bergmann - 1:11.0.10.0.9-6 +- Hardcode /usr/sbin/alternatives for Flatpak builds +- Resolves: rhbz#1930370 + +* Mon Jan 18 2021 Andrew Hughes - 1:11.0.10.0.9-5 +- Fix accidental use of $ instead of % for variable reference. +- Resolves: rhbz#1908972 + +* Mon Jan 18 2021 Andrew Hughes - 1:11.0.10.0.9-4 +- Move setup of JavaSecuritySystemConfiguratorAccess to Security class so it always occurs. +- Resolves: rhbz#1915071 + +* Sun Jan 17 2021 Andrew Hughes - 1:11.0.10.0.9-3 +- Fix debug and fastdebug descriptions to emphasise the difference is optimisation or no optimisation. +- Resolves: rhbz#1908972 + +* Sun Jan 17 2021 Jiri Vanek - 1:11.0.10.0.9-3 +- Removed lib-style provides for fastdebug_suffix_unquoted +- Fixed missing condition for fastdebug packages being counted as debug ones +- Fix typo in variable +- Resolves: rhbz#1908972 + +* Sun Jan 17 2021 Andrew Hughes - 1:11.0.10.0.9-2 +- Add explicit runtime dependency on NSS for the PKCS11 provider in FIPS mode +- Resolves: rhbz#1894083 + +* Fri Jan 15 2021 Andrew Hughes - 1:11.0.10.0.9-1 +- Update to jdk-11.0.10.0+9 +- Update release notes to 11.0.10.0+9 +- Switch to GA mode for final release. +- Resolves: rhbz#1908972 + +* Thu Jan 14 2021 Andrew Hughes - 1:11.0.10.0.8-0.1.ea +- Update to jdk-11.0.10.0+8 +- Update release notes to 11.0.10.0+8. +- Update tarball generation script to use PR3818 which handles JDK-8171279 changes +- Drop JDK-8250861 as applied upstream. +- Resolves: rhbz#1903908 + +* Tue Jan 12 2021 Andrew John Hughes - 1:11.0.10.0.1-0.1.ea +- Update to jdk-11.0.10.0+1 +- Update release notes to 11.0.10.0+1 +- Use JEP-322 Time-Based Versioning so we can handle a future 11.0.9.1-like release correctly. +- Still use 11.0.x rather than 11.0.x.0 for file naming, as the trailing zero is omitted from tags. +- Revert configure and built_doc_archive hacks to build 11.0.9.1 from 11.0.9.0 sources, and synced with RHEL version. +- Cleanup debug package descriptions and version number placement. +- Switch to EA mode for 11.0.10 pre-release builds. +- Drop JDK-8222286, JDK-8236512 & JDK-8254177 as applied upstream +- Use system harfbuzz now this is supported. +- Use system tzdata2020b now it's available. +- Adjust RH1842572 patch due to context change from JDK-8213400 +- Resolves: rhbz#1903908 + +* Tue Dec 29 2020 Andrew Hughes - 1:11.0.9.11-9 +- Introduced ssbd_arches to denote architectures with SSBD mitigation (currently only x86_64) +- Introduced nm-based check to verify alt-java on ssbd_arches is patched, and no other alt-java or java binaries are patched +- RH1750419 patch amended to emit a warning on architectures where alt-java is the same as java +- Resolves: rhbz#1784116 + +* Tue Dec 29 2020 Jiri Vanek - 1:11.0.9.11-9 +- Redefined linux -> __linux__ and __x86_64 -> __x86_64__ in RH1750419 patch +- Resolves: rhbz#1784116 + +* Tue Dec 29 2020 Andrew Hughes - 1:11.0.9.11-8 +- Update release notes for 11.0.9.1 release. +- Resolves: rhbz#1895274 + * Tue Dec 01 2020 Jiri Vanek - 1:11.0.9.11-7 - removed patch6, rh1566890-CVE_2018_3639-speculative_store_bypass.patch, surpassed by new patch - added patch600, rh1750419-redhat_alt_java.patch, suprassing removed patch