import java-11-openjdk-11.0.12.0.7-4.el8
This commit is contained in:
parent
a990579d9f
commit
73b8355481
2
.gitignore
vendored
2
.gitignore
vendored
@ -1,2 +1,2 @@
|
||||
SOURCES/jdk-updates-jdk11u-jdk-11.0.13+8-4curve.tar.xz
|
||||
SOURCES/jdk-updates-jdk11u-jdk-11.0.12+7-4curve.tar.xz
|
||||
SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
|
||||
|
@ -1,2 +1,2 @@
|
||||
e36bde565834fe738fd222d419cfedc23ab80cee SOURCES/jdk-updates-jdk11u-jdk-11.0.13+8-4curve.tar.xz
|
||||
7459fbf6c597831b6039c3a608048131cb637528 SOURCES/jdk-updates-jdk11u-jdk-11.0.12+7-4curve.tar.xz
|
||||
c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
|
||||
|
352
SOURCES/NEWS
352
SOURCES/NEWS
@ -3,358 +3,6 @@ Key:
|
||||
JDK-X - https://bugs.openjdk.java.net/browse/JDK-X
|
||||
CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
|
||||
|
||||
New in release OpenJDK 11.0.13 (2021-10-19):
|
||||
=============================================
|
||||
Live versions of these release notes can be found at:
|
||||
* https://bitly.com/openjdk11013
|
||||
* https://builds.shipilev.net/backports-monitor/release-notes-11.0.13.txt
|
||||
|
||||
* Security fixes
|
||||
- JDK-8163326, CVE-2021-35550: Update the default enabled cipher suites preference
|
||||
- JDK-8254967, CVE-2021-35565: com.sun.net.HttpsServer spins on TLS session close
|
||||
- JDK-8263314: Enhance XML Dsig modes
|
||||
- JDK-8265167, CVE-2021-35556: Richer Text Editors
|
||||
- JDK-8265574: Improve handling of sheets
|
||||
- JDK-8265580, CVE-2021-35559: Enhanced style for RTF kit
|
||||
- JDK-8265776: Improve Stream handling for SSL
|
||||
- JDK-8266097, CVE-2021-35561: Better hashing support
|
||||
- JDK-8266103: Better specified spec values
|
||||
- JDK-8266109: More Resilient Classloading
|
||||
- JDK-8266115: More Manifest Jar Loading
|
||||
- JDK-8266137, CVE-2021-35564: Improve Keystore integrity
|
||||
- JDK-8266689, CVE-2021-35567: More Constrained Delegation
|
||||
- JDK-8267086: ArrayIndexOutOfBoundsException in java.security.KeyFactory.generatePublic
|
||||
- JDK-8267712: Better LDAP reference processing
|
||||
- JDK-8267729, CVE-2021-35578: Improve TLS client handshaking
|
||||
- JDK-8267735, CVE-2021-35586: Better BMP support
|
||||
- JDK-8268193: Improve requests of certificates
|
||||
- JDK-8268199: Correct certificate requests
|
||||
- JDK-8268205: Enhance DTLS client handshake
|
||||
- JDK-8268506: More Manifest Digests
|
||||
- JDK-8269618, CVE-2021-35603: Better session identification
|
||||
- JDK-8269624: Enhance method selection support
|
||||
- JDK-8270398: Enhance canonicalization
|
||||
- JDK-8270404: Better canonicalization
|
||||
* Other changes
|
||||
- JDK-8024368: private methods are allocated vtable indices
|
||||
- JDK-8042902: Test java/net/Inet6Address/serialize/Inet6AddressSerializationTest.java fails intermittently
|
||||
- JDK-8140466: ChaCha20 and Poly1305 TLS Cipher Suites
|
||||
- JDK-8157404: Unable to read certain PKCS12 keystores from SequenceInputStream
|
||||
- JDK-8158066: SourceDebugExtensionTest fails to rename file
|
||||
- JDK-8168304: Make all of DependencyContext_test available in product mode
|
||||
- JDK-8169246: java/net/DatagramSocket/ReportSocketClosed.java fails intermittently with BindException
|
||||
- JDK-8181313: SA: Remove libthread_db dependency on Linux
|
||||
- JDK-8193214: Incorrect annotations.without.processors warnings with JDK 9
|
||||
- JDK-8194230: jdk/internal/jrtfs/remote/RemoteRuntimeImageTest.java fails with java.lang.NullPointerException
|
||||
- JDK-8196092: javax/swing/JComboBox/8032878/bug8032878.java fails
|
||||
- JDK-8199931: java/net/MulticastSocket/UnreferencedMulticastSockets.java fails with "incorrect data received"
|
||||
- JDK-8206083: Make tools/javac/api/T6265137.java robust to JDK version changes
|
||||
- JDK-8206350: java/util/Locale/bcp47u/SystemPropertyTests.java failed on Mac 10.13 with zh_CN and zh_TW locales.
|
||||
- JDK-8207316: java/nio/channels/spi/SelectorProvider/inheritedChannel/InheritedChannelTest.java failed
|
||||
- JDK-8208227: tools/jdeps/DotFileTest.java fails on Win-X64
|
||||
- JDK-8208363: test/jdk/java/lang/Package/PackageFromManifest.java missing module dependencies declaration
|
||||
- JDK-8209380: ARM: cleanup maybe-uninitialized and reorder compiler warnings
|
||||
- JDK-8209768: Refactor java/util/prefs/CheckUserPrefsStorage.sh to plain java test
|
||||
- JDK-8209772: Refactor shell test java/util/ServiceLoader/basic/basic.sh to java
|
||||
- JDK-8209773: Refactor shell test javax/naming/module/basic.sh to java
|
||||
- JDK-8209832: Refactor jdk/internal/reflect/Reflection/GetCallerClassTest.sh to plain java test
|
||||
- JDK-8209930: Refactor java/util/zip/ZipFile/deletetempjar.sh to plain java test
|
||||
- JDK-8210406: Refactor java.util.PluggableLocale:i18n shell tests to plain java tests
|
||||
- JDK-8210407: Refactor java.util.Calendar:i18n shell tests to plain java tests
|
||||
- JDK-8210495: compiler crashes because of illegal signature in otherwise legal code
|
||||
- JDK-8210669: Some launcher tests assume a pre-JDK 9 run-time image layout
|
||||
- JDK-8210802: temp files left by tests in jdk/java/net/httpclient
|
||||
- JDK-8210819: Update the host name in CNameTest.java
|
||||
- JDK-8210908: Refactor java/util/prefs/PrefsSpi.sh to plain java test
|
||||
- JDK-8210934: Move sun/net/www/protocol/http/GetErrorStream.java to OpenJDK
|
||||
- JDK-8210959: JShell fails and exits when statement throws an exception whose message contains a '%'.
|
||||
- JDK-8211055: Provide print to a file (PDF) feature even when printer was not connected
|
||||
- JDK-8211092: test/jdk/sun/net/www/http/HttpClient/MultiThreadTest.java fails intermittently when cleaning up
|
||||
- JDK-8211296: Remove HotSpot deprecation warning suppression for Mac/clang
|
||||
- JDK-8211325: test/jdk/java/net/Socket/LingerTest.java fails with cleaning up
|
||||
- JDK-8212040: Compilation error due to wrong usage of NSPrintJobDispositionValue in mac10.12
|
||||
- JDK-8212695: Add explicit timeout to several HTTP Client tests
|
||||
- JDK-8212718: Refactor some annotation processor tests to better use collections
|
||||
- JDK-8213007: Update the link in test/jdk/sun/security/provider/SecureRandom/DrbgCavp.java
|
||||
- JDK-8213137: Remove static initialization of monitor/mutex instances
|
||||
- JDK-8213235: java/nio/channels/SocketChannel/AsyncCloseChannel.java fails with threads that didn't exit
|
||||
- JDK-8213409: Refactor sun.text.IntHashtable:i18n shell tests to plain java tests
|
||||
- JDK-8213576: Make test AsyncCloseChannel.java run in othervm
|
||||
- JDK-8213694: Test Timeout.java should run in othervm mode
|
||||
- JDK-8213718: [TEST] Wrong classname in vmTestbase/nsk/stress/except/except002 and except003
|
||||
- JDK-8213922: fix ctw stand-alone build
|
||||
- JDK-8214195: Align stdout messages in test/jdk/java/math/BigInteger/PrimitiveConversionTests.java
|
||||
- JDK-8214520: [TEST_BUG] sun/security/mscapi/nonUniqueAliases/NonUniqueAliases.java failed with incorrect jtreg tags order
|
||||
- JDK-8214937: sun/security/tools/jarsigner/warnings/NoTimestampTest.java failed due to unexpected expiration date
|
||||
- JDK-8216532: tools/launcher/Test7029048.java fails (Solaris)
|
||||
- JDK-8217825: Verify @AfterTest is used correctly in WebSocket tests
|
||||
- JDK-8218145: block_if_requested is not proper inlined due to size
|
||||
- JDK-8219417: bump jtreg requiredVersion to b14
|
||||
- JDK-8219552: bump jtreg requiredVersion to b14 in test/jdk/sanity/client/
|
||||
- JDK-8219804: java/net/MulticastSocket/Promiscuous.java fails intermittently due to NumberFormatException
|
||||
- JDK-8220445: Support for side by side MSVC Toolset versions
|
||||
- JDK-8221988: add possibility to build with Visual Studio 2019
|
||||
- JDK-8222751: closed/test/jdk/sun/security/util/DerIndefLenConverter/IndefBerPkcs12.java fail
|
||||
- JDK-8223050: JVMCI: findUniqueConcreteMethod() should not use Dependencies::find_unique_concrete_method() for non-virtual methods
|
||||
- JDK-8224853: CDS address sanitizer errors
|
||||
- JDK-8225082: Remove IdenTrust certificate that is expiring in September 2021
|
||||
- JDK-8225583: Examine the HttpResponse.BodySubscribers for null handling and multiple subscriptions
|
||||
- JDK-8225690: Multiple AttachListener threads can be created
|
||||
- JDK-8225790: Two NestedDialogs tests fail on Ubuntu
|
||||
- JDK-8226319: Add forgotten test/jdk/java/net/httpclient/BodySubscribersTest.java
|
||||
- JDK-8226533: JVMCI: findUniqueConcreteMethod should handle statically bindable methods directly
|
||||
- JDK-8226602: Test convenience reactive primitives from java.net.http with RS TCK
|
||||
- JDK-8226683: Remove review suggestion from fix to 8219804
|
||||
- JDK-8227738: jvmti/DataDumpRequest/datadumpreq001 failed due to "exit code is 134"
|
||||
- JDK-8227766: CheckUnhandledOops is broken in MemAllocator
|
||||
- JDK-8227815: Minimal VM: set_state is not a member of AttachListener
|
||||
- JDK-8230674: Heap dumps should exclude dormant CDS archived objects of unloaded classes
|
||||
- JDK-8230808: Remove Access::equals()
|
||||
- JDK-8230841: Remove oopDesc::equals()
|
||||
- JDK-8231717: Improve performance of charset decoding when charset is always compactable
|
||||
- JDK-8232243: Wrong caret position in JTextPane on Windows with a screen resolution > 100%
|
||||
- JDK-8232782: Shenandoah: streamline post-LRB CAS barrier (aarch64)
|
||||
- JDK-8233790: Forward output from heap dumper to jcmd/jmap
|
||||
- JDK-8233989: Create an IPv4 version of java/net/MulticastSocket/SetLoopbackMode.java
|
||||
- JDK-8234510: Remove file seeking requirement for writing a heap dump
|
||||
- JDK-8235211: serviceability/attach/RemovingUnixDomainSocketTest.java fails with AttachNotSupportedException: Unable to open socket file
|
||||
- JDK-8235216: typo in test filename
|
||||
- JDK-8235866: bump jtreg requiredVersion to 4.2b16
|
||||
- JDK-8236111: narrow allowSmartActionArgs disabling
|
||||
- JDK-8236413: AbstractConnectTimeout should tolerate both NoRouteToHostException and UnresolvedAddressException
|
||||
- JDK-8236671: NullPointerException in JKS keystore
|
||||
- JDK-8238930: problem list compiler/c2/Test8004741.java
|
||||
- JDK-8238943: switch to jtreg 5.0
|
||||
- JDK-8240555: Using env of JAVA_TOOL_OPTIONS and _JAVA_OPTIONS breaks QuietOption.java test
|
||||
- JDK-8240983: Incorrect copyright header in Apache Santuario 2.1.3 files
|
||||
- JDK-8241336: Some java.net tests failed with NoRouteToHostException on MacOS with special network configuration
|
||||
- JDK-8241353: NPE in ToolProvider.getSystemJavaCompiler
|
||||
- JDK-8241768: git needs .gitattributes
|
||||
- JDK-8242882: opening jar file with large manifest might throw NegativeArraySizeException
|
||||
- JDK-8244973: serviceability/attach/RemovingUnixDomainSocketTest.java fails "stderr was not empty"
|
||||
- JDK-8245134: test/lib/jdk/test/lib/security/KeyStoreUtils.java should allow to specify aliases
|
||||
- JDK-8246261: TCKLocalTime.java failed due to "AssertionError: expected [18:14:22] but found [18:14:23]"
|
||||
- JDK-8246387: switch to jtreg 5.1
|
||||
- JDK-8247421: [TESTBUG] ReturnBlobToWrongHeapTest.java failed allocating blob
|
||||
- JDK-8247469: getSystemCpuLoad() returns -1 on linux when some offline cpus are present and cpusets.effective_cpus is not available
|
||||
- JDK-8248352: [TEST_BUG] Test test/jdk/java/awt/font/TextLayout/ArabicDiacriticTest.java can leave frame open
|
||||
- JDK-8248403: AArch64: Remove uses of kernel integer types
|
||||
- JDK-8248414: AArch64: Remove uses of long and unsigned long ints
|
||||
- JDK-8248657: Windows: strengthening in ThreadCritical regarding memory model
|
||||
- JDK-8248666: AArch64: Use THREAD_LOCAL instead of __thread
|
||||
- JDK-8248668: AArch64: Avoid MIN/MAX macros when using MSVC
|
||||
- JDK-8248671: AArch64: Remove unused variables
|
||||
- JDK-8248682: AArch64: Use ATTRIBUTE_ALIGNED helper
|
||||
- JDK-8248816: C1: Fix signature conflict in LIRGenerator::strength_reduce_multiply
|
||||
- JDK-8249095: tools/javac/launcher/SourceLauncherTest.java fails on Windows
|
||||
- JDK-8249548: backward focus traversal gets stuck in button group
|
||||
- JDK-8249773: Upgrade ReceiveISA.java test to be resilient to failure due to stray packets and interference
|
||||
- JDK-8249897: jdk/javadoc/tool/LangVers.java uses @ignore w/o bug-id
|
||||
- JDK-8249898: jdk/javadoc/tool/6176978/T6176978.java uses @ignore w/o bug-id
|
||||
- JDK-8249899: jdk/javadoc/tool/InlineTagsWithBraces.java uses @ignore w/o bug-id
|
||||
- JDK-8250588: Shenandoah: LRB needs to save/restore fp registers for runtime call
|
||||
- JDK-8250824: AArch64: follow up for JDK-8248414
|
||||
- JDK-8251166: Add automated testcases for changes done in JDK-8214112
|
||||
- JDK-8251252: Add automated testcase for fix done in JDK-8214253
|
||||
- JDK-8251254: Add automated test for fix done in JDK-8218472
|
||||
- JDK-8251361: Potential race between Logger configuration and GCs in HttpURLConWithProxy test
|
||||
- JDK-8251549: Update docs on building for Git
|
||||
- JDK-8251945: SIGSEGV in PackageEntry::purge_qualified_exports()
|
||||
- JDK-8252194: Add automated test for fix done in JDK-8218469
|
||||
- JDK-8252648: Shenandoah: name gang tasks consistently
|
||||
- JDK-8252825: Add automated test for fix done in JDK-8218479
|
||||
- JDK-8252853: AArch64: gc/shenandoah/TestVerifyJCStress.java fails intermittently with C1
|
||||
- JDK-8252857: AArch64: Shenandoah C1 CAS is not sequentially consistent
|
||||
- JDK-8253048: AArch64: When CallLeaf, no need to preserve callee-saved registers in caller
|
||||
- JDK-8253424: Add support for running pre-submit testing using GitHub Actions
|
||||
- JDK-8253631: Remove unimplemented CompileBroker methods after JEP-165
|
||||
- JDK-8253865: Pre-submit testing using GitHub Actions does not detect failures reliably
|
||||
- JDK-8253899: Make IsClassUnloadingEnabled signature match specification
|
||||
- JDK-8254024: Enhance native libs for AWT and Swing to work with GraalVM Native Image
|
||||
- JDK-8254054: Pre-submit testing using GitHub Actions should not use the deprecated set-env command
|
||||
- JDK-8254173: Add Zero, Minimal hotspot targets to submit workflow
|
||||
- JDK-8254175: Build no-pch configuration in debug mode for submit checks
|
||||
- JDK-8254244: Some code emitted by TemplateTable::branch is unused when running TieredCompilation
|
||||
- JDK-8254270: linux 32 bit build doesn't compile libjdwp/log_messages.c
|
||||
- JDK-8254282: Add Linux x86_32 builds to submit workflow
|
||||
- JDK-8254850: Update terminology in java.awt.GridBagLayout source code comments
|
||||
- JDK-8255255: Update Apache Santuario (XML Signature) to version 2.2.1
|
||||
- JDK-8255305: Add Linux x86_32 tier1 to submit workflow
|
||||
- JDK-8255352: Archive important test outputs in submit workflow
|
||||
- JDK-8255373: Submit workflow artifact name is always "test-results_.zip"
|
||||
- JDK-8255452: Doing GC during JVMTI MethodExit event posting breaks return oop
|
||||
- JDK-8255718: Zero: VM should know it runs in interpreter-only mode
|
||||
- JDK-8255790: GTKL&F: Java 16 crashes on initialising GTKL&F on Manjaro Linux
|
||||
- JDK-8255810: Zero: build fails without JVMTI
|
||||
- JDK-8255895: Submit workflow artifacts miss hs_errs/replays due to ZIP include mismatch
|
||||
- JDK-8256127: Add cross-compiled foreign architectures builds to submit workflow
|
||||
- JDK-8256215: Shenandoah: re-organize saving/restoring machine state in assembler code
|
||||
- JDK-8256267: Relax compiler/floatingpoint/NaNTest.java for x86_32 and lower -XX:+UseSSE
|
||||
- JDK-8256277: Github Action build on macOS should define OS and Xcode versions
|
||||
- JDK-8256354: Github Action build on Windows should define OS and MSVC versions
|
||||
- JDK-8256393: Github Actions build on Linux should define OS and GCC versions
|
||||
- JDK-8256414: add optimized build to submit workflow
|
||||
- JDK-8256747: GitHub Actions: decouple the hotspot build-only jobs from Linux x64 testing
|
||||
- JDK-8257056: Submit workflow should apt-get update to avoid package installation errors
|
||||
- JDK-8257148: Remove obsolete code in AWTView.m
|
||||
- JDK-8257497: Update keytool to create AKID from the SKID of the issuing certificate as specified by RFC 5280
|
||||
- JDK-8257620: Do not use objc_msgSend_stret to get macOS version
|
||||
- JDK-8257913: Add more known library locations to simplify Linux cross-compilation
|
||||
- JDK-8258703: Incorrect 512-bit vector registers restore on x86_32
|
||||
- JDK-8259338: Add expiry exception for identrustdstx3 alias to VerifyCACerts.java test
|
||||
- JDK-8259535: ECDSA SignatureValue do not always have the specified length
|
||||
- JDK-8259679: GitHub actions should use MSVC 14.28
|
||||
- JDK-8259924: GitHub actions fail on Linux x86_32 with "Could not configure libc6:i386"
|
||||
- JDK-8260460: GitHub actions still fail on Linux x86_32 with "Could not configure libc6:i386"
|
||||
- JDK-8260589: Crash in JfrTraceIdLoadBarrier::load(_jclass*)
|
||||
- JDK-8260923: Add more tests for SSLSocket input/output shutdown
|
||||
- JDK-8261072: AArch64: Fix MacroAssembler::get_thread convention
|
||||
- JDK-8261147: C2: Node is wrongly marked as reduction resulting in a wrong execution due to wrong vector instructions
|
||||
- JDK-8261238: NMT should not limit baselining by size threshold
|
||||
- JDK-8261496: Shenandoah: reconsider pacing updates memory ordering
|
||||
- JDK-8261652: Remove some dead comments from os_bsd_x86
|
||||
- JDK-8261846: [JVMCI] c2v_iterateFrames can get out of sync with the StackFrameStream
|
||||
- JDK-8262000: jdk/jfr/event/gc/detailed/TestPromotionFailedEventWithParallelScavenge.java failed with "OutOfMemoryError: Java heap space"
|
||||
- JDK-8262017: C2: assert(n != __null) failed: Bad immediate dominator info.
|
||||
- JDK-8262392: Update Mesa 3-D Headers to version 21.0.3
|
||||
- JDK-8262409: sun/security/ssl/SSLSocketImpl/SSLSocketImplThrowsWrongExceptions. SSL test failures caused by java failed with "Server reported the wrong exception"
|
||||
- JDK-8262470: Printed GlyphVector outline with low DPI has bad quality on Windows
|
||||
- JDK-8262862: Harden tests sun/security/x509/URICertStore/ExtensionsWithLDAP.java and krb5/canonicalize/Test.java
|
||||
- JDK-8263136: C4530 was reported from VS 2019 at access bridge
|
||||
- JDK-8263227: C2: inconsistent spilling due to dead nodes in exception block
|
||||
- JDK-8263382: java/util/logging/ParentLoggersTest.java failed with "checkLoggers: getLoggerNames() returned unexpected loggers"
|
||||
- JDK-8263407: SPARC64 detection fails on Athena (SPARC64-X)
|
||||
- JDK-8263432: javac may report an invalid package/class clash on case insensitive filesystems
|
||||
- JDK-8263490: [macos] Crash occurs on JPasswordField with activated InputMethod
|
||||
- JDK-8263531: Remove unused buffer int
|
||||
- JDK-8263667: Avoid running GitHub actions on branches named pr/*
|
||||
- JDK-8263776: [JVMCI] add helper to perform Java upcalls
|
||||
- JDK-8264016: [JVMCI] add some thread local fields for use by JVMCI
|
||||
- JDK-8264752: SIGFPE crash with option FlightRecorderOptions:threadbuffersize=30M
|
||||
- JDK-8265132: C2 compilation fails with assert "missing precedence edge"
|
||||
- JDK-8265231: (fc) ReadDirect and WriteDirect tests fail after fix for JDK-8264821
|
||||
- JDK-8265335: Epsilon: Minor typo in EpsilonElasticTLABDecay description
|
||||
- JDK-8265756: AArch64: initialize memory allocated for locals according to Windows AArch64 stack page growth requirement in template interpreter
|
||||
- JDK-8265761: Font with missed font family name is not properly printed on Windows
|
||||
- JDK-8265773: incorrect jdeps message "jdk8internals" to describe a removed JDK internal API
|
||||
- JDK-8265836: OperatingSystemImpl.getCpuLoad() returns incorrect CPU load inside a container
|
||||
- JDK-8266018: Shenandoah: fix an incorrect assert
|
||||
- JDK-8266206: Build failure after JDK-8264752 with older GCCs
|
||||
- JDK-8266248: Compilation failure in PLATFORM_API_MacOSX_MidiUtils.c with Xcode 12.5
|
||||
- JDK-8266288: assert root method not found in witnessed_reabstraction_in_supers is too strong
|
||||
- JDK-8266404: Fatal error report generated with -XX:+CrashOnOutOfMemoryError should not contain suggestion to submit a bug report
|
||||
- JDK-8266480: Implicit null check optimization does not update control of hoisted memory operation
|
||||
- JDK-8266615: C2 incorrectly folds subtype checks involving an interface array
|
||||
- JDK-8266642: Improve ResolvedMethodTable hash function
|
||||
- JDK-8266749: AArch64: Backtracing broken on PAC enabled systems
|
||||
- JDK-8266761: AssertionError in sun.net.httpserver.ServerImpl.responseCompleted
|
||||
- JDK-8266813: Shenandoah: Use shorter instruction sequence for checking if marking in progress
|
||||
- JDK-8267042: bug in monitor locking/unlocking on ARM32 C1 due to uninitialized BasicObjectLock::_displaced_header
|
||||
- JDK-8267348: Rewrite gc/epsilon/TestClasses.java to use Metaspace with less classes
|
||||
- JDK-8267396: Avoid recording "pc" in unhandled oops detector for better performance
|
||||
- JDK-8267399: C2: java/text/Normalizer/ConformanceTest.java test failed with assertion
|
||||
- JDK-8267424: CTW: C1 fails with "State must not be null"
|
||||
- JDK-8267459: Pasting Unicode characters into JShell does not work.
|
||||
- JDK-8267625: AARCH64: typo in LIR_Assembler::emit_profile_type
|
||||
- JDK-8267666: Add option to jcmd GC.heap_dump to use existing file
|
||||
- JDK-8267695: Bump update version for OpenJDK: jdk-11.0.13
|
||||
- JDK-8267751: (test) jtreg.SkippedException has no serial VersionUID
|
||||
- JDK-8267773: PhaseStringOpts::int_stringSize doesn't handle min_jint correctly
|
||||
- JDK-8268103: JNI functions incorrectly return a double after JDK-8265836
|
||||
- JDK-8268127: Shenandoah: Heap size may be too small for region to align to large page size
|
||||
- JDK-8268261: C2: assert(n != __null) failed: Bad immediate dominator info.
|
||||
- JDK-8268347: C2: nested locks optimization may create unbalanced monitor enter/exit code
|
||||
- JDK-8268360: Missing check for infinite loop during node placement
|
||||
- JDK-8268362: [REDO] C2 crash when compile negative Arrays.copyOf length after loop
|
||||
- JDK-8268366: Incorrect calculation of has_fpu_registers in C1 linear scan
|
||||
- JDK-8268369: SIGSEGV in PhaseCFG::implicit_null_check due to missing null check
|
||||
- JDK-8268417: Add test from JDK-8268360
|
||||
- JDK-8268427: Improve AlgorithmConstraints:checkAlgorithm performance
|
||||
- JDK-8268617: [11u REDO] - WebSocket over authenticating proxy fails with NPE
|
||||
- JDK-8268620: InfiniteLoopException test may fail on x86 platforms
|
||||
- JDK-8268635: Corrupt oop in ClassLoaderData
|
||||
- JDK-8268699: Shenandoah: Add test for JDK-8268127
|
||||
- JDK-8268771: javadoc -notimestamp option does not work on index.html
|
||||
- JDK-8268775: Password is being converted to String in AccessibleJPasswordField
|
||||
- JDK-8268776: Test `ADatagramSocket.java` missing /othervm from @run tag
|
||||
- JDK-8268965: TCP Connection Reset when connecting simple socket to SSL server
|
||||
- JDK-8269304: Regression ~5% in 2005 in b27
|
||||
- JDK-8269415: [11u] Remove ea from DEFAULT_PROMOTED_VERSION_PRE in OpenJDK 11u
|
||||
- JDK-8269478: Shenandoah: gc/shenandoah/mxbeans tests should be more resilient
|
||||
- JDK-8269529: javax/swing/reliability/HangDuringStaticInitialization.java fails in Windows debug build
|
||||
- JDK-8269594: assert(_handle_mark_nesting > 1) failed: memory leak: allocating handle outside HandleMark
|
||||
- JDK-8269614: [s390] Interpreter checks wrong bit for slow path instance allocation
|
||||
- JDK-8269650: Optimize gc-locker in [Get|Release]StringCritical for latin string
|
||||
- JDK-8269661: JNI_GetStringCritical does not lock char array
|
||||
- JDK-8269668: [aarch64] java.library.path not including /usr/lib64
|
||||
- JDK-8269763: The JEditorPane is blank after JDK-8265167
|
||||
- JDK-8269795: C2: Out of bounds array load floats above its range check in loop peeling resulting in SEGV
|
||||
- JDK-8269847: JDK-8269594 backport breaks 11u builds
|
||||
- JDK-8269850: Most JDK releases report macOS version 12 as 10.16 instead of 12.0
|
||||
- JDK-8269851: OperatingSystemMXBean getProcessCpuLoad reports incorrect process cpu usage in containers
|
||||
- JDK-8269882: stack-use-after-scope in NewObjectA
|
||||
- JDK-8269934: RunThese24H.java failed with EXCEPTION_ACCESS_VIOLATION in java_lang_Thread::get_thread_status
|
||||
- JDK-8270096: Shenandoah: Optimize gc/shenandoah/TestRefprocSanity.java for interpreter mode
|
||||
- JDK-8270137: Kerberos Credential Retrieval from Cache not Working in Cross-Realm Setup
|
||||
- JDK-8270184: [TESTBUG] Add coverage for jvmci ResolvedJavaType.toJavaName() for lambdas
|
||||
- JDK-8270196: [11u] [JVMCI] JavaType.toJavaName() returns incorrect type name for lambdas
|
||||
- JDK-8270556: Exclude security/infra/java/security/cert/CertPathValidator/certification/LetsEncryptCA
|
||||
- JDK-8270893: IndexOutOfBoundsException while reading large TIFF file
|
||||
- JDK-8272078: Wrong Checksums in Temurin BootJDK dependencies
|
||||
- JDK-8272124: Cgroup v1 initialization causes NullPointerException when cgroup path contains colon
|
||||
- JDK-8272131: PhaseMacroExpand::generate_slow_arraycopy crash when clone null CallProjections.fallthrough_ioproj
|
||||
- JDK-8272197: Update 11u GHA workflow with Shenandoah configurations
|
||||
- JDK-8272332: --with-harfbuzz=system doesn't add -lharfbuzz after JDK-8255790
|
||||
- JDK-8272472: StackGuardPages test doesn't build with glibc 2.34
|
||||
- JDK-8272602: [macos] not all KEY_PRESSED events sent when control modifier is used
|
||||
- JDK-8272628: Problemlist gc/stress/gcbasher/TestGCBasherWithCMS.java for x86_32
|
||||
- JDK-8272700: [macos] Build failure with Xcode 13.0 after JDK-8264848
|
||||
- JDK-8272772: Shenandoah: compiler/c2/aarch64/TestVolatilesShenandoah.java fails in 11u
|
||||
- JDK-8273939: Backport of 8248414 to JDK11 breaks MacroAssembler::adrp
|
||||
|
||||
Notes on individual issues:
|
||||
===========================
|
||||
|
||||
security-libs/java.security:
|
||||
|
||||
JDK-8271434: Removed IdenTrust Root Certificate
|
||||
===============================================
|
||||
The following root certificate from IdenTrust has been removed from
|
||||
the `cacerts` keystore:
|
||||
|
||||
Alias Name: identrustdstx3 [jdk]
|
||||
Distinguished Name: CN=DST Root CA X3, O=Digital Signature Trust Co.
|
||||
|
||||
JDK-8261922: Updated keytool to Create AKID From SKID of Issuing Certificate as Specified by RFC 5280
|
||||
=====================================================================================================
|
||||
The `gencert` command of the `keytool` utility has been updated to
|
||||
create AKID from the SKID of the issuing certificate as specified by
|
||||
RFC 5280.
|
||||
|
||||
security-libs/javax.net.ssl:
|
||||
|
||||
JDK-8210799: ChaCha20 and Poly1305 TLS Cipher Suites
|
||||
====================================================
|
||||
New TLS cipher suites using the `ChaCha20-Poly1305` algorithm have
|
||||
been added to JSSE. These cipher suites are enabled by default. The
|
||||
TLS_CHACHA20_POLY1305_SHA256 cipher suite is available for TLS 1.3.
|
||||
The following cipher suites are available for TLS 1.2:
|
||||
|
||||
* TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
|
||||
* TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
|
||||
* TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
|
||||
|
||||
Refer to the "Java Secure Socket Extension (JSSE) Reference Guide" for
|
||||
details on these new TLS cipher suites.
|
||||
|
||||
JDK-8219551: Updated the Default Enabled Cipher Suites Preference
|
||||
=================================================================
|
||||
The preference of the default enabled cipher suites has been
|
||||
changed. The compatibility impact should be minimal. If needed,
|
||||
applications can customize the enabled cipher suites and the
|
||||
preference. For more details, refer to the SunJSSE provider
|
||||
documentation and the JSSE Reference Guide documentation.
|
||||
|
||||
New in release OpenJDK 11.0.12 (2021-07-20):
|
||||
=============================================
|
||||
Live versions of these release notes can be found at:
|
||||
|
32
SOURCES/jdk8269668-rh1977671-aarch64_lib_path_fix.patch
Normal file
32
SOURCES/jdk8269668-rh1977671-aarch64_lib_path_fix.patch
Normal file
@ -0,0 +1,32 @@
|
||||
From ec03fdb752f2dc0833784a6877a4c232a8cdd9d2 Mon Sep 17 00:00:00 2001
|
||||
From: Severin Gehwolf <sgehwolf@redhat.com>
|
||||
Date: Wed, 14 Jul 2021 12:06:39 +0200
|
||||
Subject: [PATCH] Backport e14801cdd9b108aa4ca47d0bc1dc67fca575764c
|
||||
|
||||
---
|
||||
src/hotspot/os/linux/os_linux.cpp | 7 +++++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/src/hotspot/os/linux/os_linux.cpp b/src/hotspot/os/linux/os_linux.cpp
|
||||
index e8baf704e3a..12b75b733b5 100644
|
||||
--- a/src/hotspot/os/linux/os_linux.cpp
|
||||
+++ b/src/hotspot/os/linux/os_linux.cpp
|
||||
@@ -413,8 +413,15 @@ void os::init_system_properties_values() {
|
||||
// 7: The default directories, normally /lib and /usr/lib.
|
||||
#if defined(AMD64) || (defined(_LP64) && defined(SPARC)) || defined(PPC64) || defined(S390)
|
||||
#define DEFAULT_LIBPATH "/usr/lib64:/lib64:/lib:/usr/lib"
|
||||
+#else
|
||||
+#if defined(AARCH64)
|
||||
+ // Use 32-bit locations first for AARCH64 (a 64-bit architecture), since some systems
|
||||
+ // might not adhere to the FHS and it would be a change in behaviour if we used
|
||||
+ // DEFAULT_LIBPATH of other 64-bit architectures which prefer the 64-bit paths.
|
||||
+ #define DEFAULT_LIBPATH "/lib:/usr/lib:/usr/lib64:/lib64"
|
||||
#else
|
||||
#define DEFAULT_LIBPATH "/lib:/usr/lib"
|
||||
+#endif // AARCH64
|
||||
#endif
|
||||
|
||||
// Base path of extensions installed on the system.
|
||||
--
|
||||
2.31.1
|
||||
|
430
SOURCES/rh1929465-improve_system_FIPS_detection.patch
Normal file
430
SOURCES/rh1929465-improve_system_FIPS_detection.patch
Normal file
@ -0,0 +1,430 @@
|
||||
diff --git openjdk.orig/make/autoconf/libraries.m4 openjdk/make/autoconf/libraries.m4
|
||||
--- openjdk.orig/make/autoconf/libraries.m4
|
||||
+++ openjdk/make/autoconf/libraries.m4
|
||||
@@ -101,6 +101,7 @@
|
||||
LIB_SETUP_LIBFFI
|
||||
LIB_SETUP_BUNDLED_LIBS
|
||||
LIB_SETUP_MISC_LIBS
|
||||
+ LIB_SETUP_SYSCONF_LIBS
|
||||
LIB_SETUP_SOLARIS_STLPORT
|
||||
LIB_TESTS_SETUP_GRAALUNIT
|
||||
|
||||
@@ -223,3 +224,62 @@
|
||||
fi
|
||||
])
|
||||
|
||||
+################################################################################
|
||||
+# Setup system configuration libraries
|
||||
+################################################################################
|
||||
+AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS],
|
||||
+[
|
||||
+ ###############################################################################
|
||||
+ #
|
||||
+ # Check for the NSS library
|
||||
+ #
|
||||
+
|
||||
+ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)])
|
||||
+
|
||||
+ # default is not available
|
||||
+ DEFAULT_SYSCONF_NSS=no
|
||||
+
|
||||
+ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss],
|
||||
+ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])],
|
||||
+ [
|
||||
+ case "${enableval}" in
|
||||
+ yes)
|
||||
+ sysconf_nss=yes
|
||||
+ ;;
|
||||
+ *)
|
||||
+ sysconf_nss=no
|
||||
+ ;;
|
||||
+ esac
|
||||
+ ],
|
||||
+ [
|
||||
+ sysconf_nss=${DEFAULT_SYSCONF_NSS}
|
||||
+ ])
|
||||
+ AC_MSG_RESULT([$sysconf_nss])
|
||||
+
|
||||
+ USE_SYSCONF_NSS=false
|
||||
+ if test "x${sysconf_nss}" = "xyes"; then
|
||||
+ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no])
|
||||
+ if test "x${NSS_FOUND}" = "xyes"; then
|
||||
+ AC_MSG_CHECKING([for system FIPS support in NSS])
|
||||
+ saved_libs="${LIBS}"
|
||||
+ saved_cflags="${CFLAGS}"
|
||||
+ CFLAGS="${CFLAGS} ${NSS_CFLAGS}"
|
||||
+ LIBS="${LIBS} ${NSS_LIBS}"
|
||||
+ AC_LANG_PUSH([C])
|
||||
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <nss3/pk11pub.h>]],
|
||||
+ [[SECMOD_GetSystemFIPSEnabled()]])],
|
||||
+ [AC_MSG_RESULT([yes])],
|
||||
+ [AC_MSG_RESULT([no])
|
||||
+ AC_MSG_ERROR([System NSS FIPS detection unavailable])])
|
||||
+ AC_LANG_POP([C])
|
||||
+ CFLAGS="${saved_cflags}"
|
||||
+ LIBS="${saved_libs}"
|
||||
+ USE_SYSCONF_NSS=true
|
||||
+ else
|
||||
+ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API
|
||||
+ dnl in nss3/pk11pub.h.
|
||||
+ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.])
|
||||
+ fi
|
||||
+ fi
|
||||
+ AC_SUBST(USE_SYSCONF_NSS)
|
||||
+])
|
||||
diff --git openjdk.orig/make/autoconf/spec.gmk.in openjdk/make/autoconf/spec.gmk.in
|
||||
--- openjdk.orig/make/autoconf/spec.gmk.in
|
||||
+++ openjdk/make/autoconf/spec.gmk.in
|
||||
@@ -828,6 +828,10 @@
|
||||
# Libraries
|
||||
#
|
||||
|
||||
+USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@
|
||||
+NSS_LIBS:=@NSS_LIBS@
|
||||
+NSS_CFLAGS:=@NSS_CFLAGS@
|
||||
+
|
||||
USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@
|
||||
LCMS_CFLAGS:=@LCMS_CFLAGS@
|
||||
LCMS_LIBS:=@LCMS_LIBS@
|
||||
diff --git openjdk.orig/make/lib/Lib-java.base.gmk openjdk/make/lib/Lib-java.base.gmk
|
||||
--- openjdk.orig/make/lib/Lib-java.base.gmk
|
||||
+++ openjdk/make/lib/Lib-java.base.gmk
|
||||
@@ -179,6 +179,31 @@
|
||||
endif
|
||||
|
||||
################################################################################
|
||||
+# Create the systemconf library
|
||||
+
|
||||
+LIBSYSTEMCONF_CFLAGS :=
|
||||
+LIBSYSTEMCONF_CXXFLAGS :=
|
||||
+
|
||||
+ifeq ($(USE_SYSCONF_NSS), true)
|
||||
+ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
|
||||
+ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
|
||||
+endif
|
||||
+
|
||||
+ifeq ($(OPENJDK_BUILD_OS), linux)
|
||||
+ $(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \
|
||||
+ NAME := systemconf, \
|
||||
+ OPTIMIZATION := LOW, \
|
||||
+ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \
|
||||
+ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \
|
||||
+ LDFLAGS := $(LDFLAGS_JDKLIB) \
|
||||
+ $(call SET_SHARED_LIBRARY_ORIGIN), \
|
||||
+ LIBS_unix := $(LIBDL) $(NSS_LIBS), \
|
||||
+ ))
|
||||
+
|
||||
+ TARGETS += $(BUILD_LIBSYSTEMCONF)
|
||||
+endif
|
||||
+
|
||||
+################################################################################
|
||||
# Create the symbols file for static builds.
|
||||
|
||||
ifeq ($(STATIC_BUILD), true)
|
||||
diff --git openjdk.orig/make/nb_native/nbproject/configurations.xml openjdk/make/nb_native/nbproject/configurations.xml
|
||||
--- openjdk.orig/make/nb_native/nbproject/configurations.xml
|
||||
+++ openjdk/make/nb_native/nbproject/configurations.xml
|
||||
@@ -2950,6 +2950,9 @@
|
||||
<in>LinuxWatchService.c</in>
|
||||
</df>
|
||||
</df>
|
||||
+ <df name="libsystemconf">
|
||||
+ <in>systemconf.c</in>
|
||||
+ </df>
|
||||
</df>
|
||||
</df>
|
||||
<df name="macosx">
|
||||
@@ -29301,6 +29304,11 @@
|
||||
tool="0"
|
||||
flavor2="0">
|
||||
</item>
|
||||
+ <item path="../../src/java.base/linux/native/libsystemconf/systemconf.c"
|
||||
+ ex="false"
|
||||
+ tool="0"
|
||||
+ flavor2="0">
|
||||
+ </item>
|
||||
<item path="../../src/java.base/macosx/native/include/jni_md.h"
|
||||
ex="false"
|
||||
tool="3"
|
||||
diff --git openjdk.orig/make/scripts/compare_exceptions.sh.incl openjdk/make/scripts/compare_exceptions.sh.incl
|
||||
--- openjdk.orig/make/scripts/compare_exceptions.sh.incl
|
||||
+++ openjdk/make/scripts/compare_exceptions.sh.incl
|
||||
@@ -179,6 +179,7 @@
|
||||
./lib/libsplashscreen.so
|
||||
./lib/libsunec.so
|
||||
./lib/libsunwjdga.so
|
||||
+ ./lib/libsystemconf.so
|
||||
./lib/libunpack.so
|
||||
./lib/libverify.so
|
||||
./lib/libzip.so
|
||||
@@ -289,6 +290,7 @@
|
||||
./lib/libsplashscreen.so
|
||||
./lib/libsunec.so
|
||||
./lib/libsunwjdga.so
|
||||
+ ./lib/libsystemconf.so
|
||||
./lib/libunpack.so
|
||||
./lib/libverify.so
|
||||
./lib/libzip.so
|
||||
diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
|
||||
new file mode 100644
|
||||
--- /dev/null
|
||||
+++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
|
||||
@@ -0,0 +1,168 @@
|
||||
+/*
|
||||
+ * Copyright (c) 2021, Red Hat, Inc.
|
||||
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
+ *
|
||||
+ * This code is free software; you can redistribute it and/or modify it
|
||||
+ * under the terms of the GNU General Public License version 2 only, as
|
||||
+ * published by the Free Software Foundation. Oracle designates this
|
||||
+ * particular file as subject to the "Classpath" exception as provided
|
||||
+ * by Oracle in the LICENSE file that accompanied this code.
|
||||
+ *
|
||||
+ * This code is distributed in the hope that it will be useful, but WITHOUT
|
||||
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
|
||||
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
|
||||
+ * version 2 for more details (a copy is included in the LICENSE file that
|
||||
+ * accompanied this code).
|
||||
+ *
|
||||
+ * You should have received a copy of the GNU General Public License version
|
||||
+ * 2 along with this work; if not, write to the Free Software Foundation,
|
||||
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||
+ *
|
||||
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
|
||||
+ * or visit www.oracle.com if you need additional information or have any
|
||||
+ * questions.
|
||||
+ */
|
||||
+
|
||||
+#include <dlfcn.h>
|
||||
+#include <jni.h>
|
||||
+#include <jni_util.h>
|
||||
+#include <stdio.h>
|
||||
+
|
||||
+#ifdef SYSCONF_NSS
|
||||
+#include <nss3/pk11pub.h>
|
||||
+#endif //SYSCONF_NSS
|
||||
+
|
||||
+#include "java_security_SystemConfigurator.h"
|
||||
+
|
||||
+#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
|
||||
+#define MSG_MAX_SIZE 96
|
||||
+
|
||||
+static jmethodID debugPrintlnMethodID = NULL;
|
||||
+static jobject debugObj = NULL;
|
||||
+
|
||||
+static void throwIOException(JNIEnv *env, const char *msg);
|
||||
+static void dbgPrint(JNIEnv *env, const char* msg);
|
||||
+
|
||||
+/*
|
||||
+ * Class: java_security_SystemConfigurator
|
||||
+ * Method: JNI_OnLoad
|
||||
+ */
|
||||
+JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
|
||||
+{
|
||||
+ JNIEnv *env;
|
||||
+ jclass sysConfCls, debugCls;
|
||||
+ jfieldID sdebugFld;
|
||||
+
|
||||
+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
|
||||
+ return JNI_EVERSION; /* JNI version not supported */
|
||||
+ }
|
||||
+
|
||||
+ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator");
|
||||
+ if (sysConfCls == NULL) {
|
||||
+ printf("libsystemconf: SystemConfigurator class not found\n");
|
||||
+ return JNI_ERR;
|
||||
+ }
|
||||
+ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls,
|
||||
+ "sdebug", "Lsun/security/util/Debug;");
|
||||
+ if (sdebugFld == NULL) {
|
||||
+ printf("libsystemconf: SystemConfigurator::sdebug field not found\n");
|
||||
+ return JNI_ERR;
|
||||
+ }
|
||||
+ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld);
|
||||
+ if (debugObj != NULL) {
|
||||
+ debugCls = (*env)->FindClass(env,"sun/security/util/Debug");
|
||||
+ if (debugCls == NULL) {
|
||||
+ printf("libsystemconf: Debug class not found\n");
|
||||
+ return JNI_ERR;
|
||||
+ }
|
||||
+ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls,
|
||||
+ "println", "(Ljava/lang/String;)V");
|
||||
+ if (debugPrintlnMethodID == NULL) {
|
||||
+ printf("libsystemconf: Debug::println(String) method not found\n");
|
||||
+ return JNI_ERR;
|
||||
+ }
|
||||
+ debugObj = (*env)->NewGlobalRef(env, debugObj);
|
||||
+ }
|
||||
+
|
||||
+ return (*env)->GetVersion(env);
|
||||
+}
|
||||
+
|
||||
+/*
|
||||
+ * Class: java_security_SystemConfigurator
|
||||
+ * Method: JNI_OnUnload
|
||||
+ */
|
||||
+JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
|
||||
+{
|
||||
+ JNIEnv *env;
|
||||
+
|
||||
+ if (debugObj != NULL) {
|
||||
+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
|
||||
+ return; /* Should not happen */
|
||||
+ }
|
||||
+ (*env)->DeleteGlobalRef(env, debugObj);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled
|
||||
+ (JNIEnv *env, jclass cls)
|
||||
+{
|
||||
+ int fips_enabled;
|
||||
+ char msg[MSG_MAX_SIZE];
|
||||
+ int msg_bytes;
|
||||
+
|
||||
+#ifdef SYSCONF_NSS
|
||||
+
|
||||
+ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
|
||||
+ fips_enabled = SECMOD_GetSystemFIPSEnabled();
|
||||
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
|
||||
+ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
|
||||
+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
|
||||
+ dbgPrint(env, msg);
|
||||
+ } else {
|
||||
+ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
|
||||
+ " SECMOD_GetSystemFIPSEnabled return value");
|
||||
+ }
|
||||
+ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
|
||||
+
|
||||
+#else // SYSCONF_NSS
|
||||
+
|
||||
+ FILE *fe;
|
||||
+
|
||||
+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
|
||||
+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
|
||||
+ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
|
||||
+ }
|
||||
+ fips_enabled = fgetc(fe);
|
||||
+ fclose(fe);
|
||||
+ if (fips_enabled == EOF) {
|
||||
+ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
|
||||
+ }
|
||||
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
|
||||
+ " read character is '%c'", fips_enabled);
|
||||
+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
|
||||
+ dbgPrint(env, msg);
|
||||
+ } else {
|
||||
+ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
|
||||
+ " read character");
|
||||
+ }
|
||||
+ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
|
||||
+
|
||||
+#endif // SYSCONF_NSS
|
||||
+}
|
||||
+
|
||||
+static void throwIOException(JNIEnv *env, const char *msg)
|
||||
+{
|
||||
+ jclass cls = (*env)->FindClass(env, "java/io/IOException");
|
||||
+ if (cls != 0)
|
||||
+ (*env)->ThrowNew(env, cls, msg);
|
||||
+}
|
||||
+
|
||||
+static void dbgPrint(JNIEnv *env, const char* msg)
|
||||
+{
|
||||
+ jstring jMsg;
|
||||
+ if (debugObj != NULL) {
|
||||
+ jMsg = (*env)->NewStringUTF(env, msg);
|
||||
+ CHECK_NULL(jMsg);
|
||||
+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
|
||||
+ }
|
||||
+}
|
||||
diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
|
||||
--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
|
||||
+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
|
||||
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
- * Copyright (c) 2019, 2020, Red Hat, Inc.
|
||||
+ * Copyright (c) 2019, 2021, Red Hat, Inc.
|
||||
*
|
||||
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
|
||||
*
|
||||
@@ -30,13 +30,9 @@
|
||||
import java.io.FileInputStream;
|
||||
import java.io.IOException;
|
||||
|
||||
-import java.nio.file.Files;
|
||||
-import java.nio.file.Path;
|
||||
-
|
||||
import java.util.Iterator;
|
||||
import java.util.Map.Entry;
|
||||
import java.util.Properties;
|
||||
-import java.util.regex.Pattern;
|
||||
|
||||
import sun.security.util.Debug;
|
||||
|
||||
@@ -58,10 +54,21 @@
|
||||
private static final String CRYPTO_POLICIES_JAVA_CONFIG =
|
||||
CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
|
||||
|
||||
- private static final String CRYPTO_POLICIES_CONFIG =
|
||||
- CRYPTO_POLICIES_BASE_DIR + "/config";
|
||||
+ private static boolean systemFipsEnabled = false;
|
||||
+
|
||||
+ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
|
||||
+
|
||||
+ private static native boolean getSystemFIPSEnabled()
|
||||
+ throws IOException;
|
||||
|
||||
- private static boolean systemFipsEnabled = false;
|
||||
+ static {
|
||||
+ AccessController.doPrivileged(new PrivilegedAction<Void>() {
|
||||
+ public Void run() {
|
||||
+ System.loadLibrary(SYSTEMCONF_NATIVE_LIB);
|
||||
+ return null;
|
||||
+ }
|
||||
+ });
|
||||
+ }
|
||||
|
||||
/*
|
||||
* Invoked when java.security.Security class is initialized, if
|
||||
@@ -170,16 +177,34 @@
|
||||
}
|
||||
|
||||
/*
|
||||
- * FIPS is enabled only if crypto-policies are set to "FIPS"
|
||||
- * and the com.redhat.fips property is true.
|
||||
+ * OpenJDK FIPS mode will be enabled only if the com.redhat.fips
|
||||
+ * system property is true (default) and the system is in FIPS mode.
|
||||
+ *
|
||||
+ * There are 2 possible ways in which OpenJDK detects that the system
|
||||
+ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is
|
||||
+ * available at OpenJDK's built-time, it is called; 2) otherwise, the
|
||||
+ * /proc/sys/crypto/fips_enabled file is read.
|
||||
*/
|
||||
private static boolean enableFips() throws Exception {
|
||||
boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
|
||||
if (shouldEnable) {
|
||||
- String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG)));
|
||||
- if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
|
||||
- Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
|
||||
- return pattern.matcher(cryptoPoliciesConfig).find();
|
||||
+ if (sdebug != null) {
|
||||
+ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)...");
|
||||
+ }
|
||||
+ try {
|
||||
+ shouldEnable = getSystemFIPSEnabled();
|
||||
+ if (sdebug != null) {
|
||||
+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: "
|
||||
+ + shouldEnable);
|
||||
+ }
|
||||
+ return shouldEnable;
|
||||
+ } catch (IOException e) {
|
||||
+ if (sdebug != null) {
|
||||
+ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:");
|
||||
+ sdebug.println(e.getMessage());
|
||||
+ }
|
||||
+ throw e;
|
||||
+ }
|
||||
} else {
|
||||
return false;
|
||||
}
|
18
SOURCES/rh1996182-extend_security_policy.patch
Normal file
18
SOURCES/rh1996182-extend_security_policy.patch
Normal file
@ -0,0 +1,18 @@
|
||||
commit 598fe421216b0a437fa36ee91a29966599867aa3
|
||||
Author: Andrew Hughes <gnu.andrew@redhat.com>
|
||||
Date: Mon Aug 30 16:12:52 2021 +0100
|
||||
|
||||
RH1996182: Extend default security policy to allow SunPKCS11 access to jdk.internal.misc
|
||||
|
||||
diff --git openjdk.orig/src/java.base/share/lib/security/default.policy openjdk/src/java.base/share/lib/security/default.policy
|
||||
index ab59a334cd..5db744ff17 100644
|
||||
--- openjdk.orig/src/java.base/share/lib/security/default.policy
|
||||
+++ openjdk/src/java.base/share/lib/security/default.policy
|
||||
@@ -124,6 +124,7 @@ grant codeBase "jrt:/jdk.crypto.ec" {
|
||||
grant codeBase "jrt:/jdk.crypto.cryptoki" {
|
||||
permission java.lang.RuntimePermission
|
||||
"accessClassInPackage.com.sun.crypto.provider";
|
||||
+ permission java.lang.RuntimePermission "accessClassInPackage.jdk.internal.misc";
|
||||
permission java.lang.RuntimePermission
|
||||
"accessClassInPackage.sun.security.*";
|
||||
permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch";
|
66
SOURCES/rh1996182-login_to_nss_software_token.patch
Normal file
66
SOURCES/rh1996182-login_to_nss_software_token.patch
Normal file
@ -0,0 +1,66 @@
|
||||
commit 53bda6adfacc02b8dddd8f10350c9569bca4eb1e
|
||||
Author: Martin Balao <mbalao@redhat.com>
|
||||
Date: Fri Aug 27 19:42:07 2021 +0100
|
||||
|
||||
RH1996182: Login to the NSS Software Token in FIPS Mode
|
||||
|
||||
diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java
|
||||
index 0cf61732d7..2cd851587c 100644
|
||||
--- openjdk.orig/src/java.base/share/classes/module-info.java
|
||||
+++ openjdk/src/java.base/share/classes/module-info.java
|
||||
@@ -182,6 +182,7 @@ module java.base {
|
||||
java.security.jgss,
|
||||
java.sql,
|
||||
java.xml,
|
||||
+ jdk.crypto.cryptoki,
|
||||
jdk.jartool,
|
||||
jdk.attach,
|
||||
jdk.charsets,
|
||||
diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
|
||||
index b00b738b85..1eca1f8f0a 100644
|
||||
--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
|
||||
+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
|
||||
@@ -42,6 +42,8 @@ import javax.security.auth.callback.ConfirmationCallback;
|
||||
import javax.security.auth.callback.PasswordCallback;
|
||||
import javax.security.auth.callback.TextOutputCallback;
|
||||
|
||||
+import jdk.internal.misc.SharedSecrets;
|
||||
+
|
||||
import sun.security.util.Debug;
|
||||
import sun.security.util.ResourcesMgr;
|
||||
import static sun.security.util.SecurityConstants.PROVIDER_VER;
|
||||
@@ -59,6 +61,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
|
||||
*/
|
||||
public final class SunPKCS11 extends AuthProvider {
|
||||
|
||||
+ private static final boolean systemFipsEnabled = SharedSecrets
|
||||
+ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
|
||||
+
|
||||
private static final long serialVersionUID = -1354835039035306505L;
|
||||
|
||||
static final Debug debug = Debug.getInstance("sunpkcs11");
|
||||
@@ -373,6 +378,24 @@ public final class SunPKCS11 extends AuthProvider {
|
||||
if (nssModule != null) {
|
||||
nssModule.setProvider(this);
|
||||
}
|
||||
+ if (systemFipsEnabled) {
|
||||
+ // The NSS Software Token in FIPS 140-2 mode requires a user
|
||||
+ // login for most operations. See sftk_fipsCheck. The NSS DB
|
||||
+ // (/etc/pki/nssdb) PIN is empty.
|
||||
+ Session session = null;
|
||||
+ try {
|
||||
+ session = token.getOpSession();
|
||||
+ p11.C_Login(session.id(), CKU_USER, new char[] {});
|
||||
+ } catch (PKCS11Exception p11e) {
|
||||
+ if (debug != null) {
|
||||
+ debug.println("Error during token login: " +
|
||||
+ p11e.getMessage());
|
||||
+ }
|
||||
+ throw p11e;
|
||||
+ } finally {
|
||||
+ token.releaseSession(session);
|
||||
+ }
|
||||
+ }
|
||||
} catch (Exception e) {
|
||||
if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
|
||||
throw new UnsupportedOperationException
|
@ -7,12 +7,12 @@
|
||||
# Produce release, fastdebug *and* slowdebug builds on x86_64 (default):
|
||||
# $ rpmbuild -ba java-11-openjdk.spec
|
||||
#
|
||||
# Produce only release builds (no slowdebug builds) on x86_64:
|
||||
# Produce only release builds (no debug builds) on x86_64:
|
||||
# $ rpmbuild -ba java-11-openjdk.spec --without slowdebug --without fastdebug
|
||||
#
|
||||
# Only produce a release build on x86_64:
|
||||
# $ rhpkg mockbuild --without slowdebug --without fastdebug
|
||||
|
||||
#
|
||||
# Enable fastdebug builds by default on relevant arches.
|
||||
%bcond_without fastdebug
|
||||
# Enable slowdebug builds by default on relevant arches.
|
||||
@ -21,8 +21,6 @@
|
||||
%bcond_without release
|
||||
# Enable static library builds by default.
|
||||
%bcond_without staticlibs
|
||||
# Remove build artifacts by default
|
||||
%bcond_with artifacts
|
||||
|
||||
# Workaround for stripping of debug symbols from static libraries
|
||||
%if %{with staticlibs}
|
||||
@ -100,7 +98,7 @@
|
||||
# Set of architectures for which we build slowdebug builds
|
||||
%global debug_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} s390x
|
||||
# Set of architectures for which we build fastdebug builds
|
||||
%global fastdebug_arches x86_64
|
||||
%global fastdebug_arches x86_64 ppc64le aarch64
|
||||
# Set of architectures with a Just-In-Time (JIT) compiler
|
||||
%global jit_arches %{debug_arches} %{arm}
|
||||
# Set of architectures which run a full bootstrap cycle
|
||||
@ -122,7 +120,7 @@
|
||||
# Set of architectures for which alt-java has SSB mitigation
|
||||
%global ssbd_arches x86_64
|
||||
|
||||
# By default, we build a slowdebug build during main build on JIT architectures
|
||||
# By default, we build a debug build during main build on JIT architectures
|
||||
%if %{with slowdebug}
|
||||
%ifarch %{debug_arches}
|
||||
%global include_debug_build 1
|
||||
@ -190,28 +188,22 @@
|
||||
%global bootstrap_build 1
|
||||
%endif
|
||||
|
||||
%if %{bootstrap_build}
|
||||
%global release_targets bootcycle-images docs-zip
|
||||
%else
|
||||
%global release_targets images docs-zip
|
||||
%endif
|
||||
# No docs nor bootcycle for debug builds
|
||||
%global debug_targets images
|
||||
|
||||
%if %{include_staticlibs}
|
||||
# Extra target for producing the static-libraries. Separate from
|
||||
# other targets since this target is configured to use in-tree
|
||||
# AWT dependencies: lcms, libjpeg, libpng, libharfbuzz, giflib
|
||||
# and possibly others
|
||||
%global static_libs_target static-libs-image
|
||||
%else
|
||||
%global static_libs_target %{nil}
|
||||
%endif
|
||||
|
||||
# RPM JDK builds keep the debug symbols internal, to be later stripped by RPM
|
||||
%global debug_symbols internal
|
||||
|
||||
# unlike portables,the rpms have to use static_libs_target very dynamically
|
||||
%global bootstrap_targets images
|
||||
%global release_targets images docs-zip
|
||||
# No docs nor bootcycle for debug builds
|
||||
%global debug_targets images
|
||||
|
||||
# Disable LTO as this causes build failures at the moment.
|
||||
# See RHBZ#1861401
|
||||
%define _lto_cflags %{nil}
|
||||
|
||||
# Filter out flags from the optflags macro that cause problems with the OpenJDK build
|
||||
# We filter out -O flags so that the optimization of HotSpot is not lowered from O3 to O2
|
||||
@ -297,7 +289,7 @@
|
||||
# New Version-String scheme-style defines
|
||||
%global featurever 11
|
||||
%global interimver 0
|
||||
%global updatever 13
|
||||
%global updatever 12
|
||||
%global patchver 0
|
||||
# If you bump featurever, you must bump also vendor_version_string
|
||||
# Used via new version scheme. JDK 11 was
|
||||
@ -344,8 +336,8 @@
|
||||
%global origin_nice OpenJDK
|
||||
%global top_level_dir_name %{origin}
|
||||
%global top_level_dir_name_backup %{top_level_dir_name}-backup
|
||||
%global buildver 8
|
||||
%global rpmrelease 1
|
||||
%global buildver 7
|
||||
%global rpmrelease 4
|
||||
#%%global tagsuffix %%{nil}
|
||||
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
|
||||
%if %is_system_jdk
|
||||
@ -395,7 +387,6 @@
|
||||
%global static_libs_image static-libs
|
||||
# output dir stub
|
||||
%define buildoutputdir() %{expand:build/jdk11.build%{?1}}
|
||||
%define installoutputdir() %{expand:install/jdk11.install%{?1}}
|
||||
# we can copy the javadoc to not arched dir, or make it not noarch
|
||||
%define uniquejavadocdir() %{expand:%{fullversion}.%{_arch}%{?1}}
|
||||
# main id and dir of this jdk
|
||||
@ -405,7 +396,7 @@
|
||||
# fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14
|
||||
# https://bugzilla.redhat.com/show_bug.cgi?id=1655938
|
||||
%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsunec[.]so.*|libunpack[.]so.*|libzip[.]so.*
|
||||
%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsunec[.]so.*|libsystemconf[.]so.*|libunpack[.]so.*|libzip[.]so.*
|
||||
%global _publiclibs libjawt[.]so.*|libjava[.]so.*|libjvm[.]so.*|libverify[.]so.*|libjsig[.]so.*
|
||||
%if %is_system_jdk
|
||||
%global __provides_exclude ^(%{_privatelibs})$
|
||||
@ -764,6 +755,7 @@ exit 0
|
||||
%endif
|
||||
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsctp.so
|
||||
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsunec.so
|
||||
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsystemconf.so
|
||||
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libunpack.so
|
||||
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libverify.so
|
||||
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libzip.so
|
||||
@ -1019,19 +1011,23 @@ Requires: tzdata-java >= 2021a
|
||||
# for support of kernel stream control
|
||||
# libsctp.so.1 is being `dlopen`ed on demand
|
||||
Requires: lksctp-tools%{?_isa}
|
||||
%if ! 0%{?flatpak}
|
||||
# tool to copy jdk's configs - should be Recommends only, but then only dnf/yum enforce it,
|
||||
# not rpm transaction and so no configs are persisted when pure rpm -u is run. It may be
|
||||
# considered as regression
|
||||
Requires: copy-jdk-configs >= 3.3
|
||||
Requires: copy-jdk-configs >= 4.0
|
||||
OrderWithRequires: copy-jdk-configs
|
||||
%endif
|
||||
# for printing support
|
||||
Requires: cups-libs
|
||||
# for FIPS PKCS11 provider
|
||||
Requires: nss
|
||||
# Post requires alternatives to install tool alternatives
|
||||
Requires(post): %{alternatives_requires}
|
||||
# in version 1.7 and higher for --family switch
|
||||
Requires(post): chkconfig >= 1.7
|
||||
# Postun requires alternatives to uninstall tool alternatives
|
||||
Requires(postun): %{alternatives_requires}
|
||||
# in version 1.7 and higher for --family switch
|
||||
Requires(postun): chkconfig >= 1.7
|
||||
# for optional support of kernel stream control, card reader and printing bindings
|
||||
%if 0%{?rhel} >= 8
|
||||
Suggests: lksctp-tools%{?_isa}, pcsc-lite-devel%{?_isa}
|
||||
@ -1056,8 +1052,12 @@ Requires: %{name}%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
# Post requires alternatives to install tool alternatives
|
||||
Requires(post): %{alternatives_requires}
|
||||
# in version 1.7 and higher for --family switch
|
||||
Requires(post): chkconfig >= 1.7
|
||||
# Postun requires alternatives to uninstall tool alternatives
|
||||
Requires(postun): %{alternatives_requires}
|
||||
# in version 1.7 and higher for --family switch
|
||||
Requires(postun): chkconfig >= 1.7
|
||||
|
||||
# Standard JPackage devel provides
|
||||
Provides: java-sdk-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release}
|
||||
@ -1098,7 +1098,6 @@ Provides: java-%{javaver}-demo%{?1} = %{epoch}:%{version}-%{release}
|
||||
Provides: java-%{javaver}-%{origin}-demo%{?1} = %{epoch}:%{version}-%{release}
|
||||
%if %is_system_jdk
|
||||
Provides: java-demo%{?1} = %{epoch}:%{version}-%{release}
|
||||
Provides: java-%{origin}-demo%{?1} = %{epoch}:%{version}-%{release}
|
||||
%endif
|
||||
}
|
||||
|
||||
@ -1106,8 +1105,12 @@ Provides: java-%{origin}-demo%{?1} = %{epoch}:%{version}-%{release}
|
||||
OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
|
||||
# Post requires alternatives to install javadoc alternative
|
||||
Requires(post): %{alternatives_requires}
|
||||
# in version 1.7 and higher for --family switch
|
||||
Requires(post): chkconfig >= 1.7
|
||||
# Postun requires alternatives to uninstall javadoc alternative
|
||||
Requires(postun): %{alternatives_requires}
|
||||
# in version 1.7 and higher for --family switch
|
||||
Requires(postun): chkconfig >= 1.7
|
||||
|
||||
# Standard JPackage javadoc provides
|
||||
Provides: java-%{javaver}-javadoc%{?1} = %{epoch}:%{version}-%{release}
|
||||
@ -1125,7 +1128,6 @@ Provides: java-%{javaver}-src%{?1} = %{epoch}:%{version}-%{release}
|
||||
Provides: java-%{javaver}-%{origin}-src%{?1} = %{epoch}:%{version}-%{release}
|
||||
%if %is_system_jdk
|
||||
Provides: java-src%{?1} = %{epoch}:%{version}-%{release}
|
||||
Provides: java-%{origin}-src%{?1} = %{epoch}:%{version}-%{release}
|
||||
%endif
|
||||
}
|
||||
|
||||
@ -1147,9 +1149,7 @@ Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist}
|
||||
|
||||
Epoch: 1
|
||||
Summary: %{origin_nice} %{featurever} Runtime Environment
|
||||
%if 0%{?rhel} <= 8
|
||||
Group: Development/Languages
|
||||
%endif
|
||||
|
||||
# HotSpot code is licensed under GPLv2
|
||||
# JDK library code is licensed under GPLv2 with the Classpath exception
|
||||
@ -1217,7 +1217,7 @@ Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
|
||||
Patch2: rh1648644-java_access_bridge_privileged_security.patch
|
||||
# NSS via SunPKCS11 Provider (disabled due to memory leak).
|
||||
Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
|
||||
# RH1750419: enable build of speculative store bypass hardened alt-java (CVE-2018-3639)
|
||||
# enable build of speculative store bypass hardened alt-java
|
||||
Patch600: rh1750419-redhat_alt_java.patch
|
||||
# RH1582504: Use RSA as default for keytool, as DSA is disabled in all crypto policies except LEGACY
|
||||
Patch1003: rh1842572-rsa_default_for_keytool.patch
|
||||
@ -1231,6 +1231,11 @@ Patch1002: rh1818909-fips_default_keystore_type.patch
|
||||
Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch
|
||||
# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess
|
||||
Patch1007: rh1915071-always_initialise_configurator_access.patch
|
||||
# RH1929465: Improve system FIPS detection
|
||||
Patch1008: rh1929465-improve_system_FIPS_detection.patch
|
||||
# RH1996182: Login to the NSS software token in FIPS mode
|
||||
Patch1009: rh1996182-login_to_nss_software_token.patch
|
||||
Patch1010: rh1996182-extend_security_policy.patch
|
||||
|
||||
#############################################
|
||||
#
|
||||
@ -1257,13 +1262,15 @@ Patch7: pr3695-toggle_system_crypto_policy.patch
|
||||
|
||||
#############################################
|
||||
#
|
||||
# Patches appearing in 11.0.10
|
||||
# Patches appearing in 11.0.13
|
||||
#
|
||||
# This section includes patches which are present
|
||||
# in the listed OpenJDK 11u release and should be
|
||||
# able to be removed once that release is out
|
||||
# and used by this RPM.
|
||||
#############################################
|
||||
# JDK-8269668, RH1977671: [aarch64] java.library.path not including /usr/lib64
|
||||
Patch8: jdk8269668-rh1977671-aarch64_lib_path_fix.patch
|
||||
|
||||
BuildRequires: autoconf
|
||||
BuildRequires: automake
|
||||
@ -1290,8 +1297,8 @@ BuildRequires: libXrandr-devel
|
||||
BuildRequires: libXrender-devel
|
||||
BuildRequires: libXt-devel
|
||||
BuildRequires: libXtst-devel
|
||||
# Requirements for setting up the nss.cfg
|
||||
BuildRequires: nss-devel
|
||||
# Requirements for setting up the nss.cfg and FIPS support
|
||||
BuildRequires: nss-devel >= 3.53
|
||||
BuildRequires: pkgconfig
|
||||
BuildRequires: xorg-x11-proto-devel
|
||||
BuildRequires: zip
|
||||
@ -1310,7 +1317,6 @@ BuildRequires: gcc >= 4.8.3-8
|
||||
%if %{with_systemtap}
|
||||
BuildRequires: systemtap-sdt-devel
|
||||
%endif
|
||||
BuildRequires: make
|
||||
|
||||
# this is always built, also during debug-only build
|
||||
# when it is built in debug-only this package is just placeholder
|
||||
@ -1322,9 +1328,7 @@ The %{origin_nice} %{featurever} runtime environment.
|
||||
%if %{include_debug_build}
|
||||
%package slowdebug
|
||||
Summary: %{origin_nice} %{featurever} Runtime Environment %{debug_on}
|
||||
%if 0%{?rhel} <= 8
|
||||
Group: Development/Languages
|
||||
%endif
|
||||
|
||||
%{java_rpo -- %{debug_suffix_unquoted}}
|
||||
%description slowdebug
|
||||
@ -1335,9 +1339,7 @@ The %{origin_nice} %{featurever} runtime environment.
|
||||
%if %{include_fastdebug_build}
|
||||
%package fastdebug
|
||||
Summary: %{origin_nice} %{featurever} Runtime Environment %{fastdebug_on}
|
||||
%if 0%{?rhel} <= 8
|
||||
Group: Development/Languages
|
||||
%endif
|
||||
|
||||
%{java_rpo -- %{fastdebug_suffix_unquoted}}
|
||||
%description fastdebug
|
||||
@ -1348,9 +1350,7 @@ The %{origin_nice} %{featurever} runtime environment.
|
||||
%if %{include_normal_build}
|
||||
%package headless
|
||||
Summary: %{origin_nice} %{featurever} Headless Runtime Environment
|
||||
%if 0%{?rhel} <= 8
|
||||
Group: Development/Languages
|
||||
%endif
|
||||
|
||||
%{java_headless_rpo %{nil}}
|
||||
|
||||
@ -1385,9 +1385,7 @@ The %{origin_nice} %{featurever} runtime environment without audio and video sup
|
||||
%if %{include_normal_build}
|
||||
%package devel
|
||||
Summary: %{origin_nice} %{featurever} Development Environment
|
||||
%if 0%{?rhel} <= 8
|
||||
Group: Development/Languages
|
||||
%endif
|
||||
Group: Development/Tools
|
||||
|
||||
%{java_devel_rpo %{nil}}
|
||||
|
||||
@ -1398,9 +1396,7 @@ The %{origin_nice} %{featurever} development tools.
|
||||
%if %{include_debug_build}
|
||||
%package devel-slowdebug
|
||||
Summary: %{origin_nice} %{featurever} Development Environment %{debug_on}
|
||||
%if 0%{?rhel} <= 8
|
||||
Group: Development/Languages
|
||||
%endif
|
||||
Group: Development/Tools
|
||||
|
||||
%{java_devel_rpo -- %{debug_suffix_unquoted}}
|
||||
|
||||
@ -1461,9 +1457,7 @@ The %{origin_nice} %{featurever} libraries for static linking.
|
||||
%if %{include_normal_build}
|
||||
%package jmods
|
||||
Summary: JMods for %{origin_nice} %{featurever}
|
||||
%if 0%{?rhel} <= 8
|
||||
Group: Development/Languages
|
||||
%endif
|
||||
Group: Development/Tools
|
||||
|
||||
%{java_jmods_rpo %{nil}}
|
||||
|
||||
@ -1474,9 +1468,7 @@ The JMods for %{origin_nice} %{featurever}.
|
||||
%if %{include_debug_build}
|
||||
%package jmods-slowdebug
|
||||
Summary: JMods for %{origin_nice} %{featurever} %{debug_on}
|
||||
%if 0%{?rhel} <= 8
|
||||
Group: Development/Languages
|
||||
%endif
|
||||
Group: Development/Tools
|
||||
|
||||
%{java_jmods_rpo -- %{debug_suffix_unquoted}}
|
||||
|
||||
@ -1500,9 +1492,7 @@ The JMods for %{origin_nice} %{featurever}.
|
||||
%if %{include_normal_build}
|
||||
%package demo
|
||||
Summary: %{origin_nice} %{featurever} Demos
|
||||
%if 0%{?rhel} <= 8
|
||||
Group: Development/Languages
|
||||
%endif
|
||||
|
||||
%{java_demo_rpo %{nil}}
|
||||
|
||||
@ -1513,9 +1503,7 @@ The %{origin_nice} %{featurever} demos.
|
||||
%if %{include_debug_build}
|
||||
%package demo-slowdebug
|
||||
Summary: %{origin_nice} %{featurever} Demos %{debug_on}
|
||||
%if 0%{?rhel} <= 8
|
||||
Group: Development/Languages
|
||||
%endif
|
||||
|
||||
%{java_demo_rpo -- %{debug_suffix_unquoted}}
|
||||
|
||||
@ -1539,9 +1527,7 @@ The %{origin_nice} %{featurever} demos.
|
||||
%if %{include_normal_build}
|
||||
%package src
|
||||
Summary: %{origin_nice} %{featurever} Source Bundle
|
||||
%if 0%{?rhel} <= 8
|
||||
Group: Development/Languages
|
||||
%endif
|
||||
|
||||
%{java_src_rpo %{nil}}
|
||||
|
||||
@ -1553,9 +1539,7 @@ class library source code for use by IDE indexers and debuggers.
|
||||
%if %{include_debug_build}
|
||||
%package src-slowdebug
|
||||
Summary: %{origin_nice} %{featurever} Source Bundle %{for_debug}
|
||||
%if 0%{?rhel} <= 8
|
||||
Group: Development/Languages
|
||||
%endif
|
||||
|
||||
%{java_src_rpo -- %{debug_suffix_unquoted}}
|
||||
|
||||
@ -1579,9 +1563,7 @@ The %{compatiblename}-src-fastdebug sub-package contains the complete %{origin_n
|
||||
%if %{include_normal_build}
|
||||
%package javadoc
|
||||
Summary: %{origin_nice} %{featurever} API documentation
|
||||
%if 0%{?rhel} <= 8
|
||||
Group: Documentation
|
||||
%endif
|
||||
Requires: javapackages-filesystem
|
||||
Obsoletes: javadoc-debug
|
||||
|
||||
@ -1592,9 +1574,7 @@ The %{origin_nice} %{featurever} API documentation.
|
||||
|
||||
%package javadoc-zip
|
||||
Summary: %{origin_nice} %{featurever} API documentation compressed in a single archive
|
||||
%if 0%{?rhel} <= 8
|
||||
Group: Documentation
|
||||
%endif
|
||||
Requires: javapackages-filesystem
|
||||
Obsoletes: javadoc-zip-debug
|
||||
|
||||
@ -1654,6 +1634,7 @@ pushd %{top_level_dir_name}
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
%patch7 -p1
|
||||
%patch8 -p1
|
||||
popd # openjdk
|
||||
|
||||
%patch1000
|
||||
@ -1663,6 +1644,9 @@ popd # openjdk
|
||||
%patch1003
|
||||
%patch1004
|
||||
%patch1007
|
||||
%patch1008
|
||||
%patch1009
|
||||
%patch1010
|
||||
|
||||
# Extract systemtap tapsets
|
||||
%if %{with_systemtap}
|
||||
@ -1674,6 +1658,7 @@ cp -r tapset tapset%{debug_suffix}
|
||||
cp -r tapset tapset%{fastdebug_suffix}
|
||||
%endif
|
||||
|
||||
|
||||
for suffix in %{build_loop} ; do
|
||||
for file in "tapset"$suffix/*.in; do
|
||||
OUTPUT_FILE=`echo $file | sed -e "s:\.stp\.in$:-%{version}-%{release}.%{_arch}.stp:g"`
|
||||
@ -1742,31 +1727,43 @@ EXTRA_CPP_FLAGS="%ourcppflags"
|
||||
# fix rpmlint warnings
|
||||
EXTRA_CFLAGS="$EXTRA_CFLAGS -fno-strict-aliasing"
|
||||
%endif
|
||||
# Fixes annocheck warnings in assembler files due to missing build notes
|
||||
EXTRA_ASFLAGS="${EXTRA_CFLAGS} -Wa,--generate-missing-build-notes=yes"
|
||||
export EXTRA_CFLAGS EXTRA_ASFLAGS
|
||||
|
||||
function buildjdk() {
|
||||
local outputdir=${1}
|
||||
local installdir=${2}
|
||||
local buildjdk=${3}
|
||||
local maketargets="${4}"
|
||||
local debuglevel=${5}
|
||||
local link_opt=${6}
|
||||
for suffix in %{build_loop} ; do
|
||||
if [ "x$suffix" = "x" ] ; then
|
||||
debugbuild=release
|
||||
else
|
||||
# change --something to something
|
||||
debugbuild=`echo $suffix | sed "s/-//g"`
|
||||
fi
|
||||
|
||||
local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name}
|
||||
local top_dir_abs_build_path=$(pwd)/${outputdir}
|
||||
for loop in %{main_suffix} %{staticlibs_loop} ; do
|
||||
|
||||
echo "Using output directory: ${outputdir}";
|
||||
echo "Checking build JDK ${buildjdk} is operational..."
|
||||
${buildjdk}/bin/java -version
|
||||
echo "Using make targets: ${maketargets}"
|
||||
echo "Using debuglevel: ${debuglevel}"
|
||||
echo "Using link_opt: ${link_opt}"
|
||||
echo "Building %{newjavaver}-%{buildver}, pre=%{ea_designator}, opt=%{lts_designator}"
|
||||
if test "x${loop}" = "x%{main_suffix}" ; then
|
||||
# Copy the source tree so we can remove all in-tree libraries
|
||||
cp -a %{top_level_dir_name} %{top_level_dir_name_backup}
|
||||
# Remove all libraries that are linked
|
||||
sh %{SOURCE12} %{top_level_dir_name} full
|
||||
# Variable used by configure and hs_err hook on build failures
|
||||
link_opt="system"
|
||||
# Debug builds don't need same targets as release for
|
||||
# build speed-up
|
||||
maketargets="%{release_targets}"
|
||||
if echo $debugbuild | grep -q "debug" ; then
|
||||
maketargets="%{debug_targets}"
|
||||
fi
|
||||
else
|
||||
# Variable used by configure and hs_err hook on build failures
|
||||
link_opt="bundled"
|
||||
# Static library cycle only builds the static libraries
|
||||
maketargets="%{static_libs_target}"
|
||||
fi
|
||||
|
||||
mkdir -p ${outputdir} ${installdir}
|
||||
pushd ${outputdir}
|
||||
top_dir_abs_src_path=$(pwd)/%{top_level_dir_name}
|
||||
top_dir_abs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}${loop}}
|
||||
mkdir -p ${top_dir_abs_build_path}
|
||||
pushd ${top_dir_abs_build_path}
|
||||
|
||||
bash ${top_dir_abs_src_path}/configure \
|
||||
%ifnarch %{jit_arches}
|
||||
@ -1783,9 +1780,10 @@ function buildjdk() {
|
||||
--with-vendor-url="%{oj_vendor_url}" \
|
||||
--with-vendor-bug-url="%{oj_vendor_bug_url}" \
|
||||
--with-vendor-vm-bug-url="%{oj_vendor_bug_url}" \
|
||||
--with-boot-jdk=${buildjdk} \
|
||||
--with-debug-level=${debuglevel} \
|
||||
--with-native-debug-symbols="%{debug_symbols}" \
|
||||
--with-boot-jdk=/usr/lib/jvm/java-%{buildjdkver}-openjdk \
|
||||
--with-debug-level=$debugbuild \
|
||||
--with-native-debug-symbols=internal \
|
||||
--enable-sysconf-nss \
|
||||
--enable-unlimited-crypto \
|
||||
--with-zlib=system \
|
||||
--with-libjpeg=${link_opt} \
|
||||
@ -1803,8 +1801,6 @@ function buildjdk() {
|
||||
--with-jvm-features="%{shenandoah_feature},%{zgc_feature}" \
|
||||
--disable-warnings-as-errors
|
||||
|
||||
cat spec.gmk
|
||||
|
||||
make \
|
||||
JAVAC_FLAGS=-g \
|
||||
LOG=trace \
|
||||
@ -1812,112 +1808,47 @@ function buildjdk() {
|
||||
CFLAGS_WARNINGS_ARE_ERRORS="-Wno-error" \
|
||||
$maketargets || ( pwd; find ${top_dir_abs_src_path} ${top_dir_abs_build_path} -name "hs_err_pid*.log" | xargs cat && false )
|
||||
|
||||
popd
|
||||
popd >& /dev/null
|
||||
|
||||
echo "Installing build from ${outputdir} to ${installdir}..."
|
||||
echo "Installing images..."
|
||||
mv ${outputdir}/images ${installdir}
|
||||
if [ -d ${outputdir}/bundles ] ; then
|
||||
echo "Installing bundles...";
|
||||
mv ${outputdir}/bundles ${installdir} ;
|
||||
fi
|
||||
if [ -d ${outputdir}/docs ] ; then
|
||||
echo "Installing docs...";
|
||||
mv ${outputdir}/docs ${installdir} ;
|
||||
fi
|
||||
|
||||
%if !%{with artifacts}
|
||||
echo "Removing output directory...";
|
||||
rm -rf ${outputdir}
|
||||
%endif
|
||||
}
|
||||
|
||||
function installjdk() {
|
||||
local imagepath=${1}
|
||||
|
||||
# the build (erroneously) removes read permissions from some jars
|
||||
# this is a regression in OpenJDK 7 (our compiler):
|
||||
# http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437
|
||||
find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \;
|
||||
|
||||
# Build screws up permissions on binaries
|
||||
# https://bugs.openjdk.java.net/browse/JDK-8173610
|
||||
find ${imagepath} -iname '*.so' -exec chmod +x {} \;
|
||||
find ${imagepath}/bin/ -exec chmod +x {} \;
|
||||
|
||||
# Install nss.cfg right away as we will be using the JRE above
|
||||
install -m 644 nss.cfg ${imagepath}/conf/security/
|
||||
|
||||
# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
|
||||
install -m 644 nss.fips.cfg ${imagepath}/conf/security/
|
||||
|
||||
# Use system-wide tzdata
|
||||
rm ${imagepath}/lib/tzdb.dat
|
||||
ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat
|
||||
|
||||
# Create fake alt-java as a placeholder for future alt-java
|
||||
pushd ${imagepath}
|
||||
# add alt-java man page
|
||||
echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1
|
||||
cat man/man1/java.1 >> man/man1/%{alt_java_name}.1
|
||||
popd
|
||||
}
|
||||
|
||||
for suffix in %{build_loop} ; do
|
||||
|
||||
if [ "x$suffix" = "x" ] ; then
|
||||
debugbuild=release
|
||||
else
|
||||
# change --something to something
|
||||
debugbuild=`echo $suffix | sed "s/-//g"`
|
||||
fi
|
||||
|
||||
systemjdk=/usr/lib/jvm/java-%{buildjdkver}-openjdk
|
||||
|
||||
for loop in %{main_suffix} %{staticlibs_loop} ; do
|
||||
|
||||
builddir=%{buildoutputdir -- ${suffix}${loop}}
|
||||
bootbuilddir=boot${builddir}
|
||||
installdir=%{installoutputdir -- ${suffix}${loop}}
|
||||
bootinstalldir=boot${installdir}
|
||||
|
||||
if test "x${loop}" = "x%{main_suffix}" ; then
|
||||
# Copy the source tree so we can remove all in-tree libraries
|
||||
cp -a %{top_level_dir_name} %{top_level_dir_name_backup}
|
||||
# Remove all libraries that are linked
|
||||
sh %{SOURCE12} %{top_level_dir_name} full
|
||||
# Use system libraries
|
||||
link_opt="system"
|
||||
# Debug builds don't need same targets as release for
|
||||
# build speed-up
|
||||
maketargets="%{release_targets}"
|
||||
if echo $debugbuild | grep -q "debug" ; then
|
||||
maketargets="%{debug_targets}"
|
||||
fi
|
||||
%if %{bootstrap_build}
|
||||
buildjdk ${bootbuilddir} ${bootinstalldir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} ${link_opt}
|
||||
buildjdk ${builddir} ${installdir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt}
|
||||
%{!?with_artifacts:rm -rf ${bootinstalldir}}
|
||||
%else
|
||||
buildjdk ${builddir} ${installdir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt}
|
||||
%endif
|
||||
# Restore original source tree we modified by removing full in-tree sources
|
||||
# Restore original source tree if we modified it by removing full in-tree sources
|
||||
if [ -d %{top_level_dir_name_backup} ] ; then
|
||||
rm -rf %{top_level_dir_name}
|
||||
mv %{top_level_dir_name_backup} %{top_level_dir_name}
|
||||
else
|
||||
# Use bundled libraries for building statically
|
||||
link_opt="bundled"
|
||||
# Static library cycle only builds the static libraries
|
||||
maketargets="%{static_libs_target}"
|
||||
# Always just do the one build for the static libraries
|
||||
buildjdk ${builddir} ${installdir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt}
|
||||
fi
|
||||
|
||||
done # end of main / staticlibs loop
|
||||
|
||||
# Final setup on the main image
|
||||
top_dir_abs_main_build_path=$(pwd)/%{installoutputdir -- ${suffix}%{main_suffix}}
|
||||
installjdk ${top_dir_abs_main_build_path}/images/%{jdkimage}
|
||||
top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}}
|
||||
|
||||
# the build (erroneously) removes read permissions from some jars
|
||||
# this is a regression in OpenJDK 7 (our compiler):
|
||||
# http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437
|
||||
find ${top_dir_abs_main_build_path}/images/%{jdkimage} -iname '*.jar' -exec chmod ugo+r {} \;
|
||||
|
||||
# Build screws up permissions on binaries
|
||||
# https://bugs.openjdk.java.net/browse/JDK-8173610
|
||||
find ${top_dir_abs_main_build_path}/images/%{jdkimage} -iname '*.so' -exec chmod +x {} \;
|
||||
find ${top_dir_abs_main_build_path}/images/%{jdkimage}/bin/ -exec chmod +x {} \;
|
||||
|
||||
# Install nss.cfg right away as we will be using the JRE above
|
||||
export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage}
|
||||
|
||||
# Install nss.cfg right away as we will be using the JRE above
|
||||
install -m 644 nss.cfg $JAVA_HOME/conf/security/
|
||||
|
||||
# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
|
||||
install -m 644 nss.fips.cfg $JAVA_HOME/conf/security/
|
||||
|
||||
# Use system-wide tzdata
|
||||
rm $JAVA_HOME/lib/tzdb.dat
|
||||
ln -s %{_datadir}/javazi-1.8/tzdb.dat $JAVA_HOME/lib/tzdb.dat
|
||||
|
||||
# Create fake alt-java as a placeholder for future alt-java
|
||||
pushd ${JAVA_HOME}
|
||||
# add alt-java man page
|
||||
echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1
|
||||
cat man/man1/java.1 >> man/man1/%{alt_java_name}.1
|
||||
popd
|
||||
|
||||
# build cycles
|
||||
done # end of release / debug cycle loop
|
||||
@ -1927,9 +1858,9 @@ done # end of release / debug cycle loop
|
||||
# We test debug first as it will give better diagnostics on a crash
|
||||
for suffix in %{build_loop} ; do
|
||||
|
||||
top_dir_abs_main_build_path=$(pwd)/%{installoutputdir -- ${suffix}%{main_suffix}}
|
||||
top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}}
|
||||
%if %{include_staticlibs}
|
||||
top_dir_abs_staticlibs_build_path=$(pwd)/%{installoutputdir -- ${suffix}%{staticlibs_loop}}
|
||||
top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticlibs_loop}}
|
||||
%endif
|
||||
|
||||
export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage}
|
||||
@ -1972,9 +1903,8 @@ readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep w_remainder.c
|
||||
readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep e_remainder.c
|
||||
%endif
|
||||
|
||||
so_suffix="so"
|
||||
# Check debug symbols are present and can identify code
|
||||
find "$JAVA_HOME" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib
|
||||
find "$JAVA_HOME" -iname '*.so' -print0 | while read -d $'\0' lib
|
||||
do
|
||||
if [ -f "$lib" ] ; then
|
||||
echo "Testing $lib for debug symbols"
|
||||
@ -2034,16 +1964,10 @@ quit
|
||||
end
|
||||
run -version
|
||||
EOF
|
||||
%if 0%{?fedora} > 0
|
||||
# This fails on s390x for some reason. Disable for now. See:
|
||||
# https://koji.fedoraproject.org/koji/taskinfo?taskID=41499227
|
||||
%ifnarch s390x
|
||||
grep 'JavaCallWrapper::JavaCallWrapper' gdb.out
|
||||
%endif
|
||||
%endif
|
||||
|
||||
# Check src.zip has all sources. See RHBZ#1130490
|
||||
$JAVA_HOME/bin/jar -tf $JAVA_HOME/lib/src.zip | grep 'sun.misc.Unsafe'
|
||||
jar -tf $JAVA_HOME/lib/src.zip | grep 'sun.misc.Unsafe'
|
||||
|
||||
# Check class files include useful debugging information
|
||||
$JAVA_HOME/bin/javap -l java.lang.Object | grep "Compiled from"
|
||||
@ -2063,9 +1987,9 @@ STRIP_KEEP_SYMTAB=libjvm*
|
||||
|
||||
for suffix in %{build_loop} ; do
|
||||
|
||||
top_dir_abs_main_build_path=$(pwd)/%{installoutputdir -- ${suffix}%{main_suffix}}
|
||||
top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}}
|
||||
%if %{include_staticlibs}
|
||||
top_dir_abs_staticlibs_build_path=$(pwd)/%{installoutputdir -- ${suffix}%{staticlibs_loop}}
|
||||
top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticlibs_loop}}
|
||||
%endif
|
||||
jdk_image=${top_dir_abs_main_build_path}/images/%{jdkimage}
|
||||
|
||||
@ -2133,7 +2057,7 @@ if ! echo $suffix | grep -q "debug" ; then
|
||||
fi
|
||||
|
||||
# Install release notes
|
||||
commondocdir=${RPM_BUILD_ROOT}%{_defaultdocdir}/%{uniquejavadocdir -- $suffix}
|
||||
commondocdir=${RPM_BUILD_ROOT}%{_defaultdocdir}/%{uniquejavadocdir $suffix}
|
||||
install -d -m 755 ${commondocdir}
|
||||
cp -a %{SOURCE10} ${commondocdir}
|
||||
|
||||
@ -2191,7 +2115,13 @@ done
|
||||
-- whether copy-jdk-configs is installed or not. If so, then configs are copied
|
||||
-- (copy_jdk_configs from %%{_libexecdir} used) or not copied at all
|
||||
local posix = require "posix"
|
||||
local debug = false
|
||||
|
||||
if (os.getenv("debug") == "true") then
|
||||
debug = true;
|
||||
print("cjc: in spec debug is on")
|
||||
else
|
||||
debug = false;
|
||||
end
|
||||
|
||||
SOURCE1 = "%{rpm_state_dir}/copy_jdk_configs.lua"
|
||||
SOURCE2 = "%{_libexecdir}/copy_jdk_configs.lua"
|
||||
@ -2219,9 +2149,10 @@ else
|
||||
return
|
||||
end
|
||||
end
|
||||
-- run content of included file with fake args
|
||||
arg = {"--currentjvm", "%{uniquesuffix %{nil}}", "--jvmdir", "%{_jvmdir %{nil}}", "--origname", "%{name}", "--origjavaver", "%{javaver}", "--arch", "%{_arch}", "--temp", "%{rpm_state_dir}/%{name}.%{_arch}"}
|
||||
require "copy_jdk_configs.lua"
|
||||
arg = nil ; -- it is better to null the arg up, no meter if they exists or not, and use cjc as module in unified way, instead of relaying on "main" method during require "copy_jdk_configs.lua"
|
||||
cjc = require "copy_jdk_configs.lua"
|
||||
args = {"--currentjvm", "%{uniquesuffix %{nil}}", "--jvmdir", "%{_jvmdir %{nil}}", "--origname", "%{name}", "--origjavaver", "%{javaver}", "--arch", "%{_arch}", "--temp", "%{rpm_state_dir}/%{name}.%{_arch}"}
|
||||
cjc.mainProgram(args)
|
||||
-- the returns from copy_jdk_configs.lua should not affect this 'main', so it shodl run under all circumstances, except fatal error
|
||||
-- https://bugzilla.redhat.com/show_bug.cgi?id=1820172
|
||||
-- https://docs.fedoraproject.org/en-US/packaging-guidelines/Directory_Replacement/
|
||||
@ -2306,6 +2237,7 @@ end
|
||||
|
||||
%posttrans devel-slowdebug
|
||||
%{posttrans_devel -- %{debug_suffix_unquoted}}
|
||||
|
||||
%endif
|
||||
|
||||
%if %{include_fastdebug_build}
|
||||
@ -2401,6 +2333,7 @@ end
|
||||
|
||||
%files src-slowdebug
|
||||
%{files_src -- %{debug_suffix_unquoted}}
|
||||
|
||||
%endif
|
||||
|
||||
%if %{include_fastdebug_build}
|
||||
@ -2430,79 +2363,146 @@ end
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Oct 13 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.13.0.8-1
|
||||
- Update to jdk-11.0.12.0+8
|
||||
- Update release notes to 11.0.12.0+8
|
||||
- Switch to GA mode for final release.
|
||||
- This tarball is embargoed until 2021-10-19 @ 1pm PT.
|
||||
- Resolves: rhbz#2012333
|
||||
* Mon Aug 30 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.7-4
|
||||
- Extend the default security policy to accomodate PKCS11 accessing jdk.internal.misc.
|
||||
- Resolves: rhbz#1997357
|
||||
|
||||
* Tue Oct 12 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.13.0.7-0.1.ea
|
||||
- Update to jdk-11.0.13.0+7
|
||||
- Update release notes to 11.0.13.0+7
|
||||
- Update tarball generation script to use git following OpenJDK 11u's move to github
|
||||
- Switch to EA mode for 11.0.13 pre-release builds.
|
||||
- Remove non-Free test from source tarball.
|
||||
- Related: rhbz#2011826
|
||||
* Fri Aug 27 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.7-3
|
||||
- Add patch to login to the NSS software token when in FIPS mode.
|
||||
- Resolves: rhbz#1997357
|
||||
|
||||
* Sun Oct 10 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.7-1
|
||||
- Restructure the build so a minimal initial build is then used for the final build (with docs)
|
||||
- This reduces pressure on the system JDK and ensures the JDK being built can do a full build
|
||||
- Reduce disk footprint by removing build artifacts by default.
|
||||
- Related: rhbz#2011826
|
||||
* Wed Jul 28 2021 Severin Gehwolf <sgehwolf@redhat.com> - 1:11.0.12.0.7-2
|
||||
- Add patch in order to fix java.library.path issue on aarch64 (JDK-8269668)
|
||||
- Resolves: rhbz#1994104
|
||||
|
||||
* Mon Sep 06 2021 Jiri Vanek <jvanek@redhat.com> - 1:11.0.12.0.7-1
|
||||
- Minor cosmetic improvements to make spec more comparable between variants
|
||||
- Related: rhbz#2011826
|
||||
|
||||
* Tue Jul 13 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.7-0
|
||||
* Tue Jul 13 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.7-1
|
||||
- Update to jdk-11.0.12.0+7
|
||||
- Update release notes to 11.0.12.0+7
|
||||
- Switch to GA mode for final release.
|
||||
- This tarball is embargoed until 2021-07-20 @ 1pm PT.
|
||||
- Resolves: rhbz#1972395
|
||||
|
||||
* Thu Jul 08 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.6-0.0.ea
|
||||
- Update to jdk-11.0.12.0+6
|
||||
- Update release notes to 11.0.12.0+6
|
||||
- Switch to EA mode for 11.0.12 pre-release builds.
|
||||
- Update ECC patch following JDK-8226374 (bug ID yet to be confirmed)
|
||||
- Re-order source files to sync with Fedora.
|
||||
- Remove explicit compiler flags which should be handled by the upstream build
|
||||
(-std=gnu++98, -fno-delete-null-pointer-checks, -fno-lifetime-dse)
|
||||
- Skip 11.0.12.0+5 as 11.0.12.0+6 only adds a test change
|
||||
- Resolves: rhbz#1967374
|
||||
|
||||
* Thu Jul 08 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.4-0.0.ea
|
||||
- Update to jdk-11.0.12.0+4
|
||||
- Update release notes to 11.0.12.0+4
|
||||
- Correct bug ID JDK-8264846 to intended ID of JDK-8264848
|
||||
- Resolves: rhbz#1967374
|
||||
|
||||
* Mon Jul 05 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.3-0.0.ea
|
||||
- Update to jdk-11.0.12.0+3
|
||||
- Update release notes to 11.0.12.0+3
|
||||
- Resolves: rhbz#1967374
|
||||
|
||||
* Fri Jul 02 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.2-0.1.ea
|
||||
- Use the "reverse" build loop (debug first) as the main and only build loop to get more diagnostics.
|
||||
- Remove restriction on disabling product build, as debug packages no longer have javadoc packages.
|
||||
- Correct bug ID JDK-8264846 to intended ID of JDK-8264848
|
||||
- Skip 11.0.12.0+5 as 11.0.12.0+6 only adds a test change
|
||||
- Resolves: rhbz#1972395
|
||||
- Resolves: rhbz#1966234
|
||||
|
||||
* Mon Jun 28 2021 Severin Gehwolf <sgehwolf@redhat.com> - 1:11.0.12.0.6-0.0.ea
|
||||
* Fri Jul 02 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.2-0.0.ea
|
||||
- Update to jdk-11.0.12.0+2
|
||||
- Update release notes to 11.0.12.0+2
|
||||
- Resolves: rhbz#1967374
|
||||
|
||||
* Wed Jun 30 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.1-0.3.ea
|
||||
- Remove explicit compiler flags which should be handled by the upstream build
|
||||
(-std=gnu++98, -fno-delete-null-pointer-checks, -fno-lifetime-dse)
|
||||
- Resolves: rhbz#1966234
|
||||
|
||||
* Wed Jun 30 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.1-0.2.ea
|
||||
- Add ppc64le and aarch64 to fastdebug_arches
|
||||
- Resolves: rhbz#1969255
|
||||
|
||||
* Mon Jun 28 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.1-0.1.ea
|
||||
- Re-order source files to sync with Fedora.
|
||||
- Resolves: rhbz#1966234
|
||||
|
||||
* Mon Jun 28 2021 Severin Gehwolf <sgehwolf@redhat.com> - 1:11.0.12.0.1-0.1.ea
|
||||
- Add a test verifying system crypto policies can be disabled
|
||||
- Resolves: rhbz#1972395
|
||||
- Resolves: rhbz#1966234
|
||||
|
||||
* Thu Apr 15 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.11.0.9-2
|
||||
- Require tzdata 2021a to match upstream change JDK-8260356
|
||||
- Resolves: rhbz#1942310
|
||||
* Mon Jun 28 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.1-0.0.ea
|
||||
- Update to jdk-11.0.12.0+1
|
||||
- Update release notes to 11.0.12.0+1
|
||||
- Switch to EA mode for 11.0.12 pre-release builds.
|
||||
- Update ECC patch following JDK-8226374 (bug ID yet to be confirmed)
|
||||
- Resolves: rhbz#1967374
|
||||
|
||||
* Tue Apr 13 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.11.0.9-1
|
||||
* Wed Jun 16 2021 Jiri Vanek <jvanek@redhat.com> - 1:11.0.11.0.9-5
|
||||
- adapted to newst cjc to fix issue with rpm 4.17
|
||||
- Disable copy-jdk-configs for Flatpak builds
|
||||
- removed cjc backward comaptiblity, to fix when both rpm 4.16 and 4.17 are in transaction
|
||||
- Resolves: rhbz#1953923
|
||||
|
||||
* Tue Jun 08 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.11.0.9-4
|
||||
- Minor code cleanups on FIPS detection patch and check for SECMOD_GetSystemFIPSEnabled in configure.
|
||||
- Remove unneeded Requires on NSS as it will now be dynamically linked and detected by RPM.
|
||||
- Resolves: rhbz#1929465
|
||||
|
||||
* Tue Jun 08 2021 Martin Balao <mbalao@redhat.com> - 1:11.0.11.0.9-4
|
||||
- Detect FIPS using SECMOD_GetSystemFIPSEnabled in the new libsystemconf JDK library.
|
||||
- Resolves: rhbz#1929465
|
||||
|
||||
* Wed Apr 21 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.11.0.9-3
|
||||
- Update to jdk-11.0.11.0+9
|
||||
- Update release notes to 11.0.11.0+9
|
||||
- Switch to GA mode for final release.
|
||||
- This tarball is embargoed until 2021-04-20 @ 1pm PT.
|
||||
- Resolves: rhbz#1938201
|
||||
|
||||
* Tue Apr 13 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.11.0.7-0.1.ea
|
||||
* Thu Apr 15 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.11.0.7-0.3.ea
|
||||
- Require tzdata 2021a to match upstream change JDK-8260356
|
||||
- Resolves: rhbz#1942310
|
||||
|
||||
* Mon Apr 12 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.11.0.7-0.2.ea
|
||||
- Update to jdk-11.0.11.0+7
|
||||
- Update release notes to 11.0.11.0+7
|
||||
- Resolves: rhbz#1942310
|
||||
|
||||
* Mon Apr 12 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.11.0.6-0.2.ea
|
||||
- Update to jdk-11.0.11.0+6
|
||||
- Update release notes to 11.0.11.0+6
|
||||
- Resolves: rhbz#1942310
|
||||
|
||||
* Sat Apr 10 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.11.0.5-0.2.ea
|
||||
- Update to jdk-11.0.11.0+5
|
||||
- Update release notes to 11.0.11.0+5
|
||||
- Resolves: rhbz#1942310
|
||||
|
||||
* Fri Apr 09 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.11.0.4-0.2.ea
|
||||
- Update to jdk-11.0.11.0+4
|
||||
- Update release notes to 11.0.11.0+4
|
||||
- Resolves: rhbz#1942310
|
||||
|
||||
* Fri Apr 09 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.11.0.3-0.2.ea
|
||||
- Update to jdk-11.0.11.0+3
|
||||
- Update release notes to 11.0.11.0+3
|
||||
- Resolves: rhbz#1942310
|
||||
|
||||
* Fri Apr 09 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.11.0.2-0.2.ea
|
||||
- Update to jdk-11.0.11.0+2
|
||||
- Update release notes to 11.0.11.0+2
|
||||
- Resolves: rhbz#1942310
|
||||
|
||||
* Mon Apr 05 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.11.0.1-0.2.ea
|
||||
- Update to jdk-11.0.11.0+1
|
||||
- Update release notes to 11.0.11.0+1
|
||||
- Switch to EA mode for 11.0.11 pre-release builds.
|
||||
- Require tzdata 2020f to match upstream change JDK-8259048
|
||||
- Remove RH1868754 patch as this is now resolved upstream by JDK-8258833
|
||||
- Remove RH1868740 & RH1883849 patches as these are now resolved by JDK-8259319
|
||||
- Resolves: rhbz#1942310
|
||||
|
||||
* Tue Apr 13 2021 Jayashree Huttanagoudar <jhuttana@redhat.com> - 1:11.0.11.0.7-0.1.ea
|
||||
* Sun Mar 28 2021 Jayashree Huttanagoudar <jhuttana@redhat.com> - 1:11.0.10.0.9-10
|
||||
- Fix issue where CheckVendor.java test erroneously passes when it should fail.
|
||||
- Add proper quoting so '&' is not treated as a special character by the shell.
|
||||
- Resolves: rhbz#1942310
|
||||
|
||||
* Wed Mar 24 2021 Jayashree Huttanagoudar <jhuttana@redhat.com> - 1:11.0.10.0.9-9
|
||||
- Fixed not-including fastdebug build in case of --without fastdebug
|
||||
- Resolves: rhbz#1942310
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user