rpms
/
java-11-openjdk
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import java-11-openjdk-11.0.14.1.1-6.el8

This commit is contained in:
CentOS Sources 2022-05-10 03:01:16 -04:00 committed by Stepan Oksanichenko
parent 785e294091
commit aaf8ffdea1
10 changed files with 723 additions and 498 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1,2 +1,2 @@
SOURCES/jdk-updates-jdk11u-jdk-11.0.15+9-4curve.tar.xz
SOURCES/jdk-updates-jdk11u-jdk-11.0.14.1+1-4curve.tar.xz
SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz

2
.java-11-openjdk.metadata
View File

@ -1,2 +1,2 @@
9d43605109c7a4c5cad6cef74e19efe42fb163f8 SOURCES/jdk-updates-jdk11u-jdk-11.0.15+9-4curve.tar.xz
dc2a5d071dcf324a925de54709e153c6df94dd43 SOURCES/jdk-updates-jdk11u-jdk-11.0.14.1+1-4curve.tar.xz
c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz

211
SOURCES/NEWS
View File

@ -3,217 +3,6 @@ Key:
JDK-X - https://bugs.openjdk.java.net/browse/JDK-X
CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
New in release OpenJDK 11.0.15 (2022-04-19):
=============================================
Live versions of these release notes can be found at:
* https://bitly.com/openjdk11015
* https://builds.shipilev.net/backports-monitor/release-notes-11.0.15.txt
* New features
- JDK-8253795: Implementation of JEP 391: macOS/AArch64 Port
* Security fixes
- JDK-8269938: Enhance XML processing passes redux
- JDK-8270504, CVE-2022-21426: Better XPath expression handling
- JDK-8272255: Completely handle MIDI files
- JDK-8272261: Improve JFR recording file processing
- JDK-8272594: Better record of recordings
- JDK-8274221: More definite BER encodings
- JDK-8275082, JDK-8278008, CVE-2022-21476: Update XML Security for Java to 2.3.0
- JDK-8275151, CVE-2022-21443: Improved Object Identification
- JDK-8277227: Better identification of OIDs
- JDK-8277672, CVE-2022-21434: Better invocation handler handling
- JDK-8278356: Improve file creation
- JDK-8278449: Improve keychain support
- JDK-8278798: Improve supported intrinsic
- JDK-8278805: Enhance BMP image loading
- JDK-8278972, CVE-2022-21496: Improve URL supports
- JDK-8281388: Change wrapping of EncryptedPrivateKeyInfo
* Other changes
- JDK-8065704: Set LC_ALL=C for all relevant commands in the build system
- JDK-8177814: jdk/editpad is not in jdk TEST.groups
- JDK-8186780: clang fastdebug assertion failure in os_linux_x86:os::verify_stack_alignment()
- JDK-8190748: java/text/Format/DateFormat/DateFormatTest.java and NonGregorianFormatTest fail intermittently
- JDK-8193277: SimpleFileObject inconsistency between getName and getShortName
- JDK-8199079: Test javax/swing/UIDefaults/6302464/bug6302464.java is unstable
- JDK-8202142: jfr/event/io/TestInstrumentation is unstable
- JDK-8207011: Remove uses of the register storage class specifier
- JDK-8207793: [TESTBUG] runtime/Metaspace/FragmentMetaspace.java fails: heap needs to be increased
- JDK-8208074: [TESTBUG] vmTestbase/nsk/jvmti/RedefineClasses/StressRedefineWithoutBytecodeCorruption/TestDescription.java failed with NullPointerException
- JDK-8210194: [TESTBUG] jvmti_FollowRefObjects.cpp missing initializer for member _jvmtiHeapCallbacks::heap_reference_callback
- JDK-8210236: Prepare ciReceiverTypeData::translate_receiver_data_from for concurrent class unloading
- JDK-8211170: AArch64: Warnings in C1 and template interpreter
- JDK-8211333: AArch64: Fix another build failure after JDK-8211029
- JDK-8214004: Missing space between compiler thread name and task info in hs_err
- JDK-8214026: Canonicalized archive paths appearing in diagnostics
- JDK-8214761: Bug in parallel Kahan summation implementation
- JDK-8216969: ParseException thrown for certain months with russian locale
- JDK-8218546: Unable to connect to https://google.com using java.net.HttpClient
- JDK-8220634: SymLinkArchiveTest should handle not being able to create symlinks
- JDK-8222825: ARM32 SIGILL issue on single core CPU (not supported PLDW instruction)
- JDK-8223142: Clean-up WS and CB.
- JDK-8225559: assertion error at TransTypes.visitApply
- JDK-8232533: G1 uses only a single thread for pretouching the java heap
- JDK-8233827: Enable screenshots in the enhanced failure handler on Linux/macOS
- JDK-8233986: ProblemList javax/swing/plaf/basic/BasicTextUI/8001470/bug8001470.java for windows-x64
- JDK-8234930: Use MAP_JIT when allocating pages for code cache on macOS
- JDK-8236210: javac generates wrong annotation for fields generated from record components
- JDK-8236505: Mark jdk/editpad/EditPadTest.java as @headful
- JDK-8237787: rewrite vmTestbase/vm/compiler/CodeCacheInfo* from shell to java
- JDK-8237798: rewrite vmTestbase/jit/tiered from shell to java
- JDK-8239502: [TEST_BUG] Test javax/swing/text/FlowView/6318524/bug6318524.java never fails
- JDK-8240904: Screen flashes on test failures when running tests from make
- JDK-8241004: NMT tests fail on unaligned thread size with debug build
- JDK-8241423: NUMA APIs fail to work in dockers due to dependent syscalls are disabled by default
- JDK-8247272: SA ELF file support has never worked for 64-bit causing address to symbol name mapping to fail
- JDK-8247515: OSX pc_to_symbol() lookup does not work with core files
- JDK-8249019: clean up FileInstaller $test.src $cwd in vmTestbase_vm_compiler tests
- JDK-8250750: JDK-8247515 fix for OSX pc_to_symbol() lookup fails with some symbols
- JDK-8251126: nsk.share.GoldChecker should read golden file from ${test.src}
- JDK-8251127: clean up FileInstaller $test.src $cwd in remaining vmTestbase_vm_compiler tests
- JDK-8251132: make main classes public in vmTestbase/jit tests
- JDK-8251558: J2DBench should support shaped and translucent windows
- JDK-8251998: remove usage of PropertyResolvingWrapper in vmTestbase/jit/t
- JDK-8252005: narrow disabling of allowSmartActionArgs in vmTestbase
- JDK-8253197: vmTestbase/nsk/jvmti/StopThread/stopthrd007/TestDescription.java fails with "ERROR: DebuggeeSleepingThread: ThreadDeath lost"
- JDK-8253816: Support macOS W^X
- JDK-8253817: Support macOS Aarch64 ABI in Interpreter
- JDK-8253818: Support macOS Aarch64 ABI for compiled wrappers
- JDK-8253819: Implement os/cpu for macOS/AArch64
- JDK-8253839: Update tests and JDK code for macOS/Aarch64
- JDK-8254072: AArch64: Get rid of --disable-warnings-as-errors on Windows+ARM64 build
- JDK-8254085: javax/swing/text/Caret/TestCaretPositionJTextPane.java failed with "RuntimeException: Wrong caret position"
- JDK-8254827: JVMCI: Enable it for Windows+AArch64
- JDK-8254940: AArch64: Cleanup non-product thread members
- JDK-8254941: Implement Serviceability Agent for macOS/AArch64
- JDK-8255035: Update BCEL to Version 6.5.0
- JDK-8255239: The timezone of the hs_err_pid log file is corrupted in Japanese locale
- JDK-8255410: Add ChaCha20 and Poly1305 support to SunPKCS11 provider
- JDK-8255776: Change build system for macOS/AArch64
- JDK-8256154: Some TestNG tests require default constructors
- JDK-8256321: Some "inactive" color profiles use the wrong profile class
- JDK-8256373: [Windows/HiDPI] The Frame#setBounds does not work in a minimized state
- JDK-8257467: [TESTBUG] -Wdeprecated-declarations is reported at sigset() in exesigtest.c
- JDK-8257769: Cipher.getParameters() throws NPE for ChaCha20-Poly1305
- JDK-8258554: javax/swing/JTable/4235420/bug4235420.java fails in GTK L&F
- JDK-8261107: ArrayIndexOutOfBoundsException in the ICC_Profile.getInstance(InputStream)
- JDK-8261205: AssertionError: Cannot add metadata to an intersection type
- JDK-8262134: compiler/uncommontrap/TestDeoptOOM.java failed with "guarantee(false) failed: wrong number of expression stack elements during deopt"
- JDK-8262894: [macos_aarch64] SIGBUS in Assembler::ld_st2
- JDK-8262896: [macos_aarch64] Crash in jni_fast_GetLongField
- JDK-8262903: [macos_aarch64] Thread::current() called on detached thread
- JDK-8263185: Mallinfo deprecated in glibc 2.33
- JDK-8264650: Cross-compilation to macos/aarch64
- JDK-8265150: AsyncGetCallTrace crashes on ResourceMark
- JDK-8266168: -Wmaybe-uninitialized happens in check_code.c
- JDK-8266170: -Wnonnull happens in classLoaderData.inline.hpp
- JDK-8266171: -Warray-bounds happens in imageioJPEG.c
- JDK-8266172: -Wstringop-overflow happens in vmError.cpp
- JDK-8266173: -Wmaybe-uninitialized happens in jni_util.c
- JDK-8266174: -Wmisleading-indentation happens in libmlib_image sources
- JDK-8266176: -Wmaybe-uninitialized happens in libArrayIndexOutOfBoundsExceptionTest.c
- JDK-8266187: Memory leak in appendBootClassPath()
- JDK-8266421: Deadlock in Sound System
- JDK-8266889: [macosx-aarch64] Crash with SIGBUS in MarkActivationClosure::do_code_blob during vmTestbase/nsk/jvmti/.../bi04t002 test run
- JDK-8268014: Build failure on SUSE Linux Enterprise Server 11.4 (s390x) due to 'SYS_get_mempolicy' was not declared
- JDK-8268542: serviceability/logging/TestFullNames.java tests only 1st test case
- JDK-8268882: C2: assert(n->outcnt() != 0 || C->top() == n || n->is_Proj()) failed: No dead instructions after post-alloc
- JDK-8270874: JFrame paint artifacts when dragged from standard monitor to HiDPI monitor
- JDK-8271202: C1: assert(false) failed: live_in set of first block must be empty
- JDK-8272345: macos doesn't check `os::set_boot_path()` result
- JDK-8272473: Parsing epoch seconds at a DST transition with a non-UTC parser is wrong
- JDK-8272541: Incorrect overflow test in Toom-Cook branch of BigInteger multiplication
- JDK-8273277: C2: Move conditional negation into rc_predicate
- JDK-8273341: Update Siphash to version 1.0
- JDK-8273366: [testbug] javax/swing/UIDefaults/6302464/bug6302464.java fails on macOS12
- JDK-8273433: Enable parallelism in vmTestbase_nsk_sysdict tests
- JDK-8273438: Enable parallelism in vmTestbase/metaspace/stressHierarchy tests
- JDK-8273514: java/util/DoubleStreamSums/CompensatedSums.java failure
- JDK-8273575: memory leak in appendBootClassPath(), paths must be deallocated
- JDK-8273634: [TEST_BUG] Improve javax/swing/text/ParagraphView/6364882/bug6364882.java
- JDK-8273638: javax/swing/JTable/4235420/bug4235420.java fails in GTK L&F
- JDK-8273682: Upgrade Jline to 3.20.0
- JDK-8273704: DrawStringWithInfiniteXform.java failed : drawString with InfiniteXform transform takes long time
- JDK-8273933: [TESTBUG] Test must run without preallocated exceptions
- JDK-8274265: Suspicious string concatenation in logTestUtils.inline.hpp
- JDK-8274338: com/sun/jdi/RedefineCrossEvent.java failed "assert(m != __null) failed: NULL mirror"
- JDK-8274465: Fix javax/swing/text/ParagraphView/6364882/bug6364882.java failures
- JDK-8274523: java/lang/management/MemoryMXBean/MemoryTest.java test should handle Shenandoah
- JDK-8274524: SSLSocket.close() hangs if it is called during the ssl handshake
- JDK-8274658: ISO 4217 Amendment 170 Update
- JDK-8274714: Incorrect verifier protected access error message
- JDK-8274736: Concurrent read/close of SSLSockets causes SSLSessions to be invalidated unnecessarily
- JDK-8274795: AArch64: avoid spilling and restoring r18 in macro assembler
- JDK-8275326: C2: assert(no_dead_loop) failed: dead loop detected
- JDK-8275536: Add test to check that File::lastModified returns same time stamp as Files.getLastModifiedTime
- JDK-8275610: C2: Object field load floats above its null check resulting in a segfault
- JDK-8275650: Problemlist java/io/File/createTempFile/SpecialTempFile.java for Windows 11
- JDK-8275703: System.loadLibrary fails on Big Sur for libraries hidden from filesystem
- JDK-8275811: Incorrect instance to dispose
- JDK-8276105: C2: Conv(D|F)2(I|L)Nodes::Ideal should handle rounding correctly
- JDK-8276141: XPathFactory set/getProperty method
- JDK-8276177: nsk/jvmti/RedefineClasses/StressRedefineWithoutBytecodeCorruption failed with "assert(def_ik->is_being_redefined()) failed: should be being redefined to get here"
- JDK-8276314: [JVMCI] check alignment of call displacement during code installation
- JDK-8276623: JDK-8275650 accidentally pushed "out" file
- JDK-8277328: jdk/jshell/CommandCompletionTest.java failures on Windows
- JDK-8277342: vmTestbase/nsk/stress/strace/strace004.java fails with SIGSEGV in InstanceKlass::jni_id_for
- JDK-8277385: Zero: Enable CompactStrings support
- JDK-8277441: CompileQueue::add fails with assert(_last->next() == __null) failed: not last
- JDK-8277447: Hotspot C1 compiler crashes on Kotlin suspend fun with loop
- JDK-8277488: Add expiry exception for Digicert (geotrustglobalca) expiring in May 2022
- JDK-8277795: ldap connection timeout not honoured under contention
- JDK-8277796: Bump update version for OpenJDK: jdk-11.0.15
- JDK-8277992: Add fast jdk_svc subtests to jdk:tier3
- JDK-8278115: gc/stress/gclocker/TestGCLockerWithSerial.java has duplicate -Xmx
- JDK-8278116: runtime/modules/LoadUnloadModuleStress.java has duplicate -Xmx
- JDK-8278172: java/nio/channels/FileChannel/BlockDeviceSize.java should only run on Linux
- JDK-8278309: [windows] use of uninitialized OSThread::_state
- JDK-8278381: [GCC 11] Address::make_raw() does not initialize rspec
- JDK-8278384: Bytecodes::result_type() for arraylength returns T_VOID instead of T_INT
- JDK-8278758: runtime/BootstrapMethod/BSMCalledTwice.java fails with release VMs after JDK-8262134
- JDK-8278871: [JVMCI] assert((uint)reason < 2* _trap_hist_limit) failed: oob
- JDK-8279076: C2: Bad AD file when matching SqrtF with UseSSE=0
- JDK-8279077: JFR crashes on Linux ppc due to missing crash protector in signal handler
- JDK-8279225: [arm32] C1 longs comparison operation destroys argument registers
- JDK-8279300: [arm32] SIGILL when running GetObjectSizeIntrinsicsTest
- JDK-8279379: GHA: Print tests that are in error
- JDK-8279669: test/jdk/com/sun/jdi/TestScaffold.java uses wrong condition
- JDK-8279702: [macosx] ignore xcodebuild warnings on M1
- JDK-8279833: Loop optimization issue in String.encodeUTF8_UTF16
- JDK-8279924: [PPC64, s390] implement frame::is_interpreted_frame_valid checks
- JDK-8279998: PPC64 debug builds fail with "untested: RangeCheckStub: predicate_failed_trap_id"
- JDK-8280155: [PPC64, s390] frame size checks are not yet correct
- JDK-8280414: Memory leak in DefaultProxySelector
- JDK-8280526: x86_32 Math.sqrt performance regression with -XX:UseSSE={0,1}
- JDK-8280786: Build failure on Solaris after 8262392
- JDK-8280999: array_bounds should be array-bounds after 8278507
- JDK-8281061: [s390] JFR runs into assertions while validating interpreter frames
- JDK-8281520: JFR: A wrong parameter is passed to the constructor of LeakKlassWriter
- JDK-8281599: test/lib/jdk/test/lib/KnownOIDs.java is redundant since JDK-8268801
- JDK-8282300: Throws NamingException instead of InvalidNameException after JDK-8278972
- JDK-8282372: [11] build issue on MacOS/aarch64 12.2.1 using Xcode 13.1: call to 'log2_intptr' is ambiguous
- JDK-8282397: createTempFile method of java.io.File is failing when called with suffix of spaces character
- JDK-8282761: XPathFactoryImpl remove setProperty and getProperty methods
- JDK-8283018: 11u GHA: Update GCC 9 minor versions
- JDK-8283270: [11u] broken JRT_ENTRY_NO_ASYNC after Backport of JDK-8253795
- JDK-8283778: 11u GHA: Fix GCC 9 ubuntu package names
- JDK-8284548: Invalid XPath expression causes StringIndexOutOfBoundsException
Notes on individual issues:
===========================
security-libs/javax.crypto:pkcs11:
JDK-8275737: SunPKCS11 Provider Supports ChaCha20-Poly1305 Cipher and ChaCha20 KeyGenerator if Supported by PKCS11 Library
==========================================================================================================================
SunPKCS11 provider is enhanced to support the following crypto
services and algorithms when the underlying PKCS11 library supports
the corresponding PKCS#11 mechanisms:
* ChaCha20 KeyGenerator <=> CKM_CHACHA20_KEY_GEN mechanism
* ChaCha20-Poly1305 Cipher <=> CKM_CHACHA20_POLY1305 mechanism
* ChaCha20-Poly1305 AlgorithmParameters <=> CKM_CHACHA20_POLY1305 mechanism
* ChaCha20 SecretKeyFactory <=> CKM_CHACHA20_POLY1305 mechanism
New in release OpenJDK 11.0.14.1 (2022-02-08):
=============================================
Live versions of these release notes can be found at:

12
SOURCES/jdk8257794-remove_broken_assert.patch Normal file
View File

@ -0,0 +1,12 @@
diff --git openjdk.orig/src/hotspot/share/interpreter/bytecodeInterpreter.cpp openjdk/src/hotspot/share/interpreter/bytecodeInterpreter.cpp
index d18d70b5f9..30ab380e40 100644
--- openjdk.orig/src/hotspot/share/interpreter/bytecodeInterpreter.cpp
+++ openjdk/src/hotspot/share/interpreter/bytecodeInterpreter.cpp
@@ -481,7 +481,6 @@ BytecodeInterpreter::run(interpreterState istate) {
#ifdef ASSERT
if (istate->_msg != initialize) {
assert(labs(istate->_stack_base - istate->_stack_limit) == (istate->_method->max_stack() + 1), "bad stack limit");
- IA32_ONLY(assert(istate->_stack_limit == istate->_thread->last_Java_sp() + 1, "wrong"));
}
// Verify linkages.
interpreterState l = istate;

104
SOURCES/jdk8284920-incorrect_token_type.patch
View File

@ -1,104 +0,0 @@
From 34af291680f7554b16412205e7b47aa2f829b29c Mon Sep 17 00:00:00 2001
From: Anton Kozlov <akozlov@azul.com>
Date: Fri, 15 Apr 2022 14:07:52 +0300
Subject: [PATCH] 8284920: Incorrect Token type causes XPath expression to
return empty result
Backport-of: 0d3aea2f11df585b491ae5c07de9f66679601d58
Reviewed-by:
---
.../com/sun/org/apache/xpath/internal/compiler/Lexer.java | 4 ++--
.../com/sun/org/apache/xpath/internal/compiler/Token.java | 4 ++--
.../org/apache/xpath/internal/compiler/XPathParser.java | 8 ++++----
3 files changed, 8 insertions(+), 8 deletions(-)
diff --git openjdk.orig/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Lexer.java openjdk/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Lexer.java
index b7b3f419eb2..41b58da8e99 100644
--- openjdk.orig/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Lexer.java
+++ openjdk/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Lexer.java
@@ -360,7 +360,7 @@ class Lexer
addToTokenQueue(pat.substring(i, i + 1));
break;
- case Token.COLON :
+ case Token.COLON_CHAR:
if (i>0)
{
if (posOfNSSep == (i - 1))
@@ -615,7 +615,7 @@ class Lexer
resetTokenMark(tokPos + 1);
}
- if (m_processor.lookahead(Token.COLON, 1))
+ if (m_processor.lookahead(Token.COLON_CHAR, 1))
{
tokPos += 2;
}
diff --git openjdk.orig/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Token.java openjdk/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Token.java
index 8c4fee146c6..7bce14e5770 100644
--- openjdk.orig/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Token.java
+++ openjdk/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Token.java
@@ -45,10 +45,9 @@ public final class Token {
static final char LPAREN = '(';
static final char RPAREN = ')';
static final char COMMA = ',';
- static final char DOT = '.';
static final char AT = '@';
static final char US = '_';
- static final char COLON = ':';
+ static final char COLON_CHAR = ':';
static final char SQ = '\'';
static final char DQ = '"';
static final char DOLLAR = '$';
@@ -58,6 +57,7 @@ public final class Token {
static final String DIV = "div";
static final String MOD = "mod";
static final String QUO = "quo";
+ static final String DOT = ".";
static final String DDOT = "..";
static final String DCOLON = "::";
static final String ATTR = "attribute";
diff --git openjdk.orig/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/XPathParser.java openjdk/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/XPathParser.java
index c3f9e1494be..22192fd06f6 100644
--- openjdk.orig/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/XPathParser.java
+++ openjdk/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/XPathParser.java
@@ -1413,7 +1413,7 @@ public class XPathParser
matchFound = true;
}
- else if (lookahead(Token.LPAREN, 1) || (lookahead(Token.COLON, 1) && lookahead(Token.LPAREN, 3)))
+ else if (lookahead(Token.LPAREN, 1) || (lookahead(Token.COLON_CHAR, 1) && lookahead(Token.LPAREN, 3)))
{
matchFound = FunctionCall();
}
@@ -1457,7 +1457,7 @@ public class XPathParser
int opPos = m_ops.getOp(OpMap.MAPINDEX_LENGTH);
- if (lookahead(Token.COLON, 1))
+ if (lookahead(Token.COLON_CHAR, 1))
{
appendOp(4, OpCodes.OP_EXTFUNCTION);
@@ -1841,7 +1841,7 @@ public class XPathParser
m_ops.setOp(m_ops.getOp(OpMap.MAPINDEX_LENGTH), OpCodes.NODENAME);
m_ops.setOp(OpMap.MAPINDEX_LENGTH, m_ops.getOp(OpMap.MAPINDEX_LENGTH) + 1);
- if (lookahead(Token.COLON, 1))
+ if (lookahead(Token.COLON_CHAR, 1))
{
if (tokenIs(Token.STAR))
{
@@ -1944,7 +1944,7 @@ public class XPathParser
protected void QName() throws TransformerException
{
// Namespace
- if(lookahead(Token.COLON, 1))
+ if(lookahead(Token.COLON_CHAR, 1))
{
m_ops.setOp(m_ops.getOp(OpMap.MAPINDEX_LENGTH), m_queueMark - 1);
m_ops.setOp(OpMap.MAPINDEX_LENGTH, m_ops.getOp(OpMap.MAPINDEX_LENGTH) + 1);
--
2.34.1

2
SOURCES/nss.fips.cfg.in
View File

@ -1,6 +1,6 @@
name = NSS-FIPS
nssLibraryDirectory = @NSS_LIBDIR@
nssSecmodDirectory = @NSS_SECMOD@
nssSecmodDirectory = sql:/etc/pki/nssdb
nssDbMode = readOnly
nssModule = fips

16
SOURCES/rh1996182-login_to_nss_software_token.patch
View File

@ -1,3 +1,9 @@
commit 53bda6adfacc02b8dddd8f10350c9569bca4eb1e
Author: Martin Balao <mbalao@redhat.com>
Date: Fri Aug 27 19:42:07 2021 +0100
RH1996182: Login to the NSS Software Token in FIPS Mode
diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java
index 5460efcf8c..f08dc2fafc 100644
--- openjdk.orig/src/java.base/share/classes/module-info.java
@ -11,11 +17,11 @@ index 5460efcf8c..f08dc2fafc 100644
jdk.attach,
jdk.charsets,
diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
index 099caac605..ffadb43eb1 100644
index 5e227f4531..164de8ff08 100644
--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
@@ -43,6 +43,8 @@ import javax.security.auth.callback.PasswordCallback;
import com.sun.crypto.provider.ChaCha20Poly1305Parameters;
@@ -41,6 +41,8 @@ import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.PasswordCallback;
import jdk.internal.misc.InnocuousThread;
+import jdk.internal.misc.SharedSecrets;
@ -23,7 +29,7 @@ index 099caac605..ffadb43eb1 100644
import sun.security.util.Debug;
import sun.security.util.ResourcesMgr;
import static sun.security.util.SecurityConstants.PROVIDER_VER;
@@ -60,6 +62,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
@@ -58,6 +60,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
*/
public final class SunPKCS11 extends AuthProvider {
@ -33,7 +39,7 @@ index 099caac605..ffadb43eb1 100644
private static final long serialVersionUID = -1354835039035306505L;
static final Debug debug = Debug.getInstance("sunpkcs11");
@@ -376,6 +381,24 @@ public final class SunPKCS11 extends AuthProvider {
@@ -374,6 +379,24 @@ public final class SunPKCS11 extends AuthProvider {
if (nssModule != null) {
nssModule.setProvider(this);
}

99
SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch Normal file
View File

@ -0,0 +1,99 @@
commit 0cd8cee94fe0f867b0b39890e00be620af1d9b07
Author: Andrew Hughes <gnu.andrew@redhat.com>
Date: Tue Jan 18 02:09:27 2022 +0000
RH2021263: Improve Security initialisation, now FIPS support no longer relies on crypto policy support
diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
index 28ab1846173..f9726741afd 100644
--- openjdk.orig/src/java.base/share/classes/java/security/Security.java
+++ openjdk/src/java.base/share/classes/java/security/Security.java
@@ -61,10 +61,6 @@ public final class Security {
private static final Debug sdebug =
Debug.getInstance("properties");
- /* System property file*/
- private static final String SYSTEM_PROPERTIES =
- "/etc/crypto-policies/back-ends/java.config";
-
/* The java.security properties */
private static Properties props;
@@ -206,22 +202,36 @@ public final class Security {
}
}
+ if (!loadedProps) {
+ initializeStatic();
+ if (sdebug != null) {
+ sdebug.println("unable to load security properties " +
+ "-- using defaults");
+ }
+ }
+
String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&
"true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {
- if (SystemConfigurator.configure(props)) {
- loadedProps = true;
+ if (!SystemConfigurator.configureSysProps(props)) {
+ if (sdebug != null) {
+ sdebug.println("WARNING: System properties could not be loaded.");
+ }
}
}
- if (!loadedProps) {
- initializeStatic();
+ // FIPS support depends on the contents of java.security so
+ // ensure it has loaded first
+ if (loadedProps) {
+ boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
if (sdebug != null) {
- sdebug.println("unable to load security properties " +
- "-- using defaults");
+ if (fipsEnabled) {
+ sdebug.println("FIPS support enabled.");
+ } else {
+ sdebug.println("FIPS support disabled.");
+ }
}
}
-
}
/*
diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
index 874c6221ebe..b7ed41acf0f 100644
--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
+++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
@@ -76,7 +76,7 @@ final class SystemConfigurator {
* java.security.disableSystemPropertiesFile property is not set and
* security.useSystemPropertiesFile is true.
*/
- static boolean configure(Properties props) {
+ static boolean configureSysProps(Properties props) {
boolean loadedProps = false;
try (BufferedInputStream bis =
@@ -96,11 +96,19 @@ final class SystemConfigurator {
e.printStackTrace();
}
}
+ return loadedProps;
+ }
+
+ /*
+ * Invoked at the end of java.security.Security initialisation
+ * if java.security properties have been loaded
+ */
+ static boolean configureFIPS(Properties props) {
+ boolean loadedProps = false;
try {
if (enableFips()) {
if (sdebug != null) { sdebug.println("FIPS mode detected"); }
- loadedProps = false;
// Remove all security providers
Iterator<Entry<Object, Object>> i = props.entrySet().iterator();
while (i.hasNext()) {

220
SOURCES/rh2052829-fips_runtime_nss_detection.patch Normal file
View File

@ -0,0 +1,220 @@
commit e2be09f982af1cc05f5e6556d51900bca4757416
Author: Andrew Hughes <gnu.andrew@redhat.com>
Date: Mon Feb 28 05:30:32 2022 +0000
RH2051605: Detect NSS at Runtime for FIPS detection
diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
index 34d0ff0ce91..8dcb7d9073f 100644
--- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c
+++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
@@ -23,25 +23,99 @@
* questions.
*/
-#include <dlfcn.h>
#include <jni.h>
#include <jni_util.h>
+#include "jvm_md.h"
#include <stdio.h>
#ifdef SYSCONF_NSS
#include <nss3/pk11pub.h>
+#else
+#include <dlfcn.h>
#endif //SYSCONF_NSS
#include "java_security_SystemConfigurator.h"
+#define MSG_MAX_SIZE 256
#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
-#define MSG_MAX_SIZE 96
+typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void);
+
+static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled;
static jmethodID debugPrintlnMethodID = NULL;
static jobject debugObj = NULL;
-static void throwIOException(JNIEnv *env, const char *msg);
-static void dbgPrint(JNIEnv *env, const char* msg);
+static void dbgPrint(JNIEnv *env, const char* msg)
+{
+ jstring jMsg;
+ if (debugObj != NULL) {
+ jMsg = (*env)->NewStringUTF(env, msg);
+ CHECK_NULL(jMsg);
+ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
+ }
+}
+
+static void throwIOException(JNIEnv *env, const char *msg)
+{
+ jclass cls = (*env)->FindClass(env, "java/io/IOException");
+ if (cls != 0)
+ (*env)->ThrowNew(env, cls, msg);
+}
+
+static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes)
+{
+ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
+ dbgPrint(env, msg);
+ } else {
+ dbgPrint(env, "systemconf: cannot render message");
+ }
+}
+
+// Only used when NSS is not linked at build time
+#ifndef SYSCONF_NSS
+
+static void *nss_handle;
+
+static jboolean loadNSS(JNIEnv *env)
+{
+ char msg[MSG_MAX_SIZE];
+ int msg_bytes;
+ const char* errmsg;
+
+ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY);
+ if (nss_handle == NULL) {
+ errmsg = dlerror();
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n",
+ errmsg);
+ handle_msg(env, msg, msg_bytes);
+ return JNI_FALSE;
+ }
+ dlerror(); /* Clear errors */
+ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled");
+ if ((errmsg = dlerror()) != NULL) {
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n",
+ errmsg);
+ handle_msg(env, msg, msg_bytes);
+ return JNI_FALSE;
+ }
+ return JNI_TRUE;
+}
+
+static void closeNSS(JNIEnv *env)
+{
+ char msg[MSG_MAX_SIZE];
+ int msg_bytes;
+ const char* errmsg;
+
+ if (dlclose(nss_handle) != 0) {
+ errmsg = dlerror();
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n",
+ errmsg);
+ handle_msg(env, msg, msg_bytes);
+ }
+}
+
+#endif
/*
* Class: java_security_SystemConfigurator
@@ -84,6 +158,14 @@ JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
debugObj = (*env)->NewGlobalRef(env, debugObj);
}
+#ifdef SYSCONF_NSS
+ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled;
+#else
+ if (loadNSS(env) == JNI_FALSE) {
+ dbgPrint(env, "libsystemconf: Failed to load NSS library.");
+ }
+#endif
+
return (*env)->GetVersion(env);
}
@@ -99,6 +181,9 @@ JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
return; /* Should not happen */
}
+#ifndef SYSCONF_NSS
+ closeNSS(env);
+#endif
(*env)->DeleteGlobalRef(env, debugObj);
}
}
@@ -110,61 +195,30 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
char msg[MSG_MAX_SIZE];
int msg_bytes;
-#ifdef SYSCONF_NSS
-
- dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
- fips_enabled = SECMOD_GetSystemFIPSEnabled();
- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
- " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
- dbgPrint(env, msg);
+ if (getSystemFIPSEnabled != NULL) {
+ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
+ fips_enabled = (*getSystemFIPSEnabled)();
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
+ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
+ handle_msg(env, msg, msg_bytes);
+ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
} else {
- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
- " SECMOD_GetSystemFIPSEnabled return value");
- }
- return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
-
-#else // SYSCONF_NSS
+ FILE *fe;
- FILE *fe;
-
- dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
- if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
return JNI_FALSE;
- }
- fips_enabled = fgetc(fe);
- fclose(fe);
- if (fips_enabled == EOF) {
+ }
+ fips_enabled = fgetc(fe);
+ fclose(fe);
+ if (fips_enabled == EOF) {
throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
return JNI_FALSE;
- }
- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
- " read character is '%c'", fips_enabled);
- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
- dbgPrint(env, msg);
- } else {
- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
- " read character");
- }
- return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
-
-#endif // SYSCONF_NSS
-}
-
-static void throwIOException(JNIEnv *env, const char *msg)
-{
- jclass cls = (*env)->FindClass(env, "java/io/IOException");
- if (cls != 0)
- (*env)->ThrowNew(env, cls, msg);
-}
-
-static void dbgPrint(JNIEnv *env, const char* msg)
-{
- jstring jMsg;
- if (debugObj != NULL) {
- jMsg = (*env)->NewStringUTF(env, msg);
- CHECK_NULL(jMsg);
- (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
+ }
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
+ " read character is '%c'", fips_enabled);
+ handle_msg(env, msg, msg_bytes);
+ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
}
}

553
SPECS/java-11-openjdk.spec
View File

@ -23,6 +23,8 @@
%bcond_without staticlibs
# Remove build artifacts by default
%bcond_with artifacts
# Build a fresh libjvm.so for use in a copy of the bootstrap JDK
%bcond_without fresh_libjvm
# Workaround for stripping of debug symbols from static libraries
%if %{with staticlibs}
@ -32,6 +34,13 @@
%global include_staticlibs 0
%endif
# Define whether to use the bootstrap JDK directly or with a fresh libjvm.so
%if %{with fresh_libjvm}
%global build_hotspot_first 1
%else
%global build_hotspot_first 0
%endif
# The -g flag says to use strip -g instead of full strip on DSOs or EXEs.
# This fixes detailed NMT and other tools which need minimal debug info.
# See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879
@ -76,7 +85,7 @@
# in alternatives those are slaves and master, very often triplicated by man pages
# in files all masters and slaves are ghosted
# the ghosts are here to allow installation via query like `dnf install /usr/bin/java`
# you can list those files, with appropriate sections: cat *.spec | grep -e --install -e --slave -e post_
# you can list those files, with appropriate sections: cat *.spec | grep -e --install -e --slave -e post_ -e alternatives
# TODO - fix those hardcoded lists via single list
# Those files must *NOT* be ghosted for *slowdebug* packages
# FIXME - if you are moving jshell or jlink or similar, always modify all three sections
@ -102,7 +111,9 @@
# Set of architectures for which we build fastdebug builds
%global fastdebug_arches x86_64 ppc64le aarch64
# Set of architectures with a Just-In-Time (JIT) compiler
%global jit_arches %{debug_arches} %{arm}
%global jit_arches %{arm} %{aarch64} %{ix86} %{power64} s390x sparcv9 sparc64 x86_64
# Set of architectures which use the Zero assembler port (!jit_arches)
%global zero_arches ppc s390
# Set of architectures which run a full bootstrap cycle
%global bootstrap_arches %{jit_arches}
# Set of architectures which support SystemTap tapsets
@ -121,6 +132,8 @@
%global zgc_arches x86_64
# Set of architectures for which alt-java has SSB mitigation
%global ssbd_arches x86_64
# Set of architectures where we verify backtraces with gdb
%global gdb_arches %{jit_arches} %{zero_arches}
# By default, we build a slowdebug build during main build on JIT architectures
%if %{with slowdebug}
@ -174,7 +187,7 @@
%global fastdebug_build %{nil}
%endif
# If you disable both builds, then the build fails
# If you disable all builds, then the build fails
# Build and test slowdebug first as it provides the best diagnostics
%global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build}
@ -208,6 +221,11 @@
%global release_targets images docs-zip
# No docs nor bootcycle for debug builds
%global debug_targets images
# Target to use to just build HotSpot
%global hotspot_target hotspot
# JDK to use for bootstrapping
%global bootjdk /usr/lib/jvm/java-%{buildjdkver}-openjdk
# Disable LTO as this causes build failures at the moment.
# See RHBZ#1861401
@ -297,8 +315,8 @@
# New Version-String scheme-style defines
%global featurever 11
%global interimver 0
%global updatever 15
%global patchver 0
%global updatever 14
%global patchver 1
# If you bump featurever, you must bump also vendor_version_string
# Used via new version scheme. JDK 11 was
# GA'ed in September 2018 => 18.9
@ -344,8 +362,8 @@
%global origin_nice OpenJDK
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 9
%global rpmrelease 2
%global buildver 1
%global rpmrelease 6
#%%global tagsuffix %%{nil}
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
@ -443,6 +461,9 @@
%global alternatives_requires %{_sbindir}/alternatives
%endif
%global family %{name}.%{_arch}
%global family_noarch %{name}
%if %{with_systemtap}
# Where to install systemtap tapset (links)
# We would like these to be in a package specific sub-dir,
@ -460,6 +481,50 @@
# not-duplicated scriptlets for normal/debug packages
%global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
%define save_alternatives() %{expand:
# warning! alternatives are localised!
# LANG=cs_CZ.UTF-8 alternatives --display java | head
# LANG=en_US.UTF-8 alternatives --display java | head
function nonLocalisedAlternativesDisplayOfMaster() {
LANG=en_US.UTF-8 alternatives --display "$MASTER"
}
function headOfAbove() {
nonLocalisedAlternativesDisplayOfMaster | head -n $1
}
MASTER="%{?1}"
LOCAL_LINK="%{?2}"
FAMILY="%{?3}"
rm -f %{_localstatedir}/lib/rpm-state/"$MASTER"_$FAMILY > /dev/null
if nonLocalisedAlternativesDisplayOfMaster > /dev/null ; then
if headOfAbove 1 | grep -q manual ; then
if headOfAbove 2 | tail -n 1 | grep -q %{compatiblename} ; then
headOfAbove 2 > %{_localstatedir}/lib/rpm-state/"$MASTER"_"$FAMILY"
fi
fi
fi
}
%define save_and_remove_alternatives() %{expand:
if [ "x$debug" == "xtrue" ] ; then
set -x
fi
upgrade1_uninstal0=%{?3}
if [ "0$upgrade1_uninstal0" -gt 0 ] ; then # removal of this condition will cause persistence between uninstall
%{save_alternatives %{?1} %{?2} %{?4}}
fi
alternatives --remove "%{?1}" "%{?2}"
}
%define set_if_needed_alternatives() %{expand:
MASTER="%{?1}"
FAMILY="%{?2}"
ALTERNATIVES_FILE="%{_localstatedir}/lib/rpm-state/$MASTER"_"$FAMILY"
if [ -e "$ALTERNATIVES_FILE" ] ; then
rm "$ALTERNATIVES_FILE"
alternatives --set $MASTER $FAMILY
fi
}
%define post_script() %{expand:
update-desktop-database %{_datadir}/applications &> /dev/null || :
@ -467,20 +532,19 @@ update-desktop-database %{_datadir}/applications &> /dev/null || :
exit 0
}
%define post_headless() %{expand:
%ifarch %{share_arches}
%{jrebindir -- %{?1}}/java -Xshare:dump >/dev/null 2>/dev/null
%endif
%define alternatives_java_install() %{expand:
if [ "x$debug" == "xtrue" ] ; then
set -x
fi
PRIORITY=%{priority}
if [ "%{?1}" == %{debug_suffix} ]; then
let PRIORITY=PRIORITY-1
fi
ext=.gz
key=java
alternatives \\
--install %{_bindir}/java java %{jrebindir -- %{?1}}/java $PRIORITY --family %{name}.%{_arch} \\
--install %{_bindir}/java $key %{jrebindir -- %{?1}}/java $PRIORITY --family %{family} \\
--slave %{_jvmdir}/jre jre %{_jvmdir}/%{sdkdir -- %{?1}} \\
--slave %{_bindir}/%{alt_java_name} %{alt_java_name} %{jrebindir -- %{?1}}/%{alt_java_name} \\
--slave %{_bindir}/jjs jjs %{jrebindir -- %{?1}}/jjs \\
@ -506,12 +570,23 @@ alternatives \\
--slave %{_mandir}/man1/unpack200.1$ext unpack200.1$ext \\
%{_mandir}/man1/unpack200-%{uniquesuffix -- %{?1}}.1$ext
%{set_if_needed_alternatives $key %{family}}
for X in %{origin} %{javaver} ; do
alternatives --install %{_jvmdir}/jre-"$X" jre_"$X" %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{name}.%{_arch}
key=jre_"$X"
alternatives --install %{_jvmdir}/jre-"$X" $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family}
%{set_if_needed_alternatives $key %{family}}
done
update-alternatives --install %{_jvmdir}/jre-%{javaver}-%{origin} jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} $PRIORITY --family %{name}.%{_arch}
key=jre_%{javaver}_%{origin}
alternatives --install %{_jvmdir}/jre-%{javaver}-%{origin} $key %{_jvmdir}/%{jrelnk -- %{?1}} $PRIORITY --family %{family}
%{set_if_needed_alternatives $key %{family}}
}
%define post_headless() %{expand:
%ifarch %{share_arches}
%{jrebindir -- %{?1}}/java -Xshare:dump >/dev/null 2>/dev/null
%endif
update-desktop-database %{_datadir}/applications &> /dev/null || :
/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || :
@ -538,26 +613,34 @@ exit 0
%define postun_headless() %{expand:
alternatives --remove java %{jrebindir -- %{?1}}/java
alternatives --remove jre_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}}
alternatives --remove jre_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}}
alternatives --remove jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}}
if [ "x$debug" == "xtrue" ] ; then
set -x
fi
post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
%{save_and_remove_alternatives java %{jrebindir -- %{?1}}/java $post_state %{family}}
%{save_and_remove_alternatives jre_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}
%{save_and_remove_alternatives jre_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}
%{save_and_remove_alternatives jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} $post_state %{family}}
}
%define posttrans_script() %{expand:
%{update_desktop_icons}
}
%define post_devel() %{expand:
%define alternatives_javac_install() %{expand:
if [ "x$debug" == "xtrue" ] ; then
set -x
fi
PRIORITY=%{priority}
if [ "%{?1}" == %{debug_suffix} ]; then
let PRIORITY=PRIORITY-1
fi
ext=.gz
key=javac
alternatives \\
--install %{_bindir}/javac javac %{sdkbindir -- %{?1}}/javac $PRIORITY --family %{name}.%{_arch} \\
--install %{_bindir}/javac $key %{sdkbindir -- %{?1}}/javac $PRIORITY --family %{family} \\
--slave %{_jvmdir}/java java_sdk %{_jvmdir}/%{sdkdir -- %{?1}} \\
%ifarch %{aot_arches}
--slave %{_bindir}/jaotc jaotc %{sdkbindir -- %{?1}}/jaotc \\
@ -565,7 +648,9 @@ alternatives \\
--slave %{_bindir}/jlink jlink %{sdkbindir -- %{?1}}/jlink \\
--slave %{_bindir}/jmod jmod %{sdkbindir -- %{?1}}/jmod \\
%ifarch %{sa_arches}
%ifnarch %{zero_arches}
--slave %{_bindir}/jhsdb jhsdb %{sdkbindir -- %{?1}}/jhsdb \\
%endif
%endif
--slave %{_bindir}/jar jar %{sdkbindir -- %{?1}}/jar \\
--slave %{_bindir}/jarsigner jarsigner %{sdkbindir -- %{?1}}/jarsigner \\
@ -623,15 +708,22 @@ alternatives \\
--slave %{_mandir}/man1/rmic.1$ext rmic.1$ext \\
%{_mandir}/man1/rmic-%{uniquesuffix -- %{?1}}.1$ext \\
--slave %{_mandir}/man1/serialver.1$ext serialver.1$ext \\
%{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1$ext \\
%{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1$ext
%{set_if_needed_alternatives $key %{family}}
for X in %{origin} %{javaver} ; do
alternatives \\
--install %{_jvmdir}/java-"$X" java_sdk_"$X" %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{name}.%{_arch}
key=java_sdk_"$X"
alternatives --install %{_jvmdir}/java-"$X" $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family}
%{set_if_needed_alternatives $key %{family}}
done
update-alternatives --install %{_jvmdir}/java-%{javaver}-%{origin} java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{name}.%{_arch}
key=java_sdk_%{javaver}_%{origin}
alternatives --install %{_jvmdir}/java-%{javaver}-%{origin} $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family}
%{set_if_needed_alternatives $key %{family}}
}
%define post_devel() %{expand:
update-desktop-database %{_datadir}/applications &> /dev/null || :
/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || :
@ -639,10 +731,14 @@ exit 0
}
%define postun_devel() %{expand:
alternatives --remove javac %{sdkbindir -- %{?1}}/javac
alternatives --remove java_sdk_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}}
alternatives --remove java_sdk_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}}
alternatives --remove java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}}
if [ "x$debug" == "xtrue" ] ; then
set -x
fi
post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
%{save_and_remove_alternatives javac %{sdkbindir -- %{?1}}/javac $post_state %{family}}
%{save_and_remove_alternatives java_sdk_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}
%{save_and_remove_alternatives java_sdk_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}
%{save_and_remove_alternatives java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}
update-desktop-database %{_datadir}/applications &> /dev/null || :
@ -654,42 +750,54 @@ exit 0
}
%define posttrans_devel() %{expand:
%{alternatives_javac_install -- %{?1}}
%{update_desktop_icons}
}
%define post_javadoc() %{expand:
%define alternatives_javadoc_install() %{expand:
if [ "x$debug" == "xtrue" ] ; then
set -x
fi
PRIORITY=%{priority}
if [ "%{?1}" == %{debug_suffix} ]; then
let PRIORITY=PRIORITY-1
fi
alternatives \\
--install %{_javadocdir}/java javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api \\
$PRIORITY --family %{name}
key=javadocdir
alternatives --install %{_javadocdir}/java $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch}
%{set_if_needed_alternatives $key %{family_noarch}}
exit 0
}
%define postun_javadoc() %{expand:
alternatives --remove javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api
if [ "x$debug" == "xtrue" ] ; then
set -x
fi
post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
%{save_and_remove_alternatives javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}}
exit 0
}
%define post_javadoc_zip() %{expand:
%define alternatives_javadoczip_install() %{expand:
if [ "x$debug" == "xtrue" ] ; then
set -x
fi
PRIORITY=%{priority}
if [ "%{?1}" == %{debug_suffix} ]; then
let PRIORITY=PRIORITY-1
fi
alternatives \\
--install %{_javadocdir}/java-zip javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip \\
$PRIORITY --family %{name}
key=javadoczip
alternatives --install %{_javadocdir}/java-zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch}
%{set_if_needed_alternatives $key %{family_noarch}}
exit 0
}
%define postun_javadoc_zip() %{expand:
alternatives --remove javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip
if [ "x$debug" == "xtrue" ] ; then
set -x
fi
post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
%{save_and_remove_alternatives javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}}
exit 0
}
@ -760,8 +868,10 @@ exit 0
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/librmi.so
# Some architectures don't have the serviceability agent
%ifarch %{sa_arches}
%ifnarch %{zero_arches}
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsaproc.so
%endif
%endif
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsctp.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsunec.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsystemconf.so
@ -855,8 +965,10 @@ exit 0
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jimage
# Some architectures don't have the serviceability agent
%ifarch %{sa_arches}
%ifnarch %{zero_arches}
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jhsdb
%endif
%endif
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jinfo
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jlink
%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jmap
@ -1015,8 +1127,8 @@ Requires: ca-certificates
# Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros
Requires: javapackages-filesystem
# Require zone-info data provided by tzdata-java sub-package
# 2021a required as of JDK-8260356 in April 2021 CPU
Requires: tzdata-java >= 2021a
# 2021e required as of JDK-8275766 in January 2022 CPU
Requires: tzdata-java >= 2021e
# for support of kernel stream control
# libsctp.so.1 is being `dlopen`ed on demand
Requires: lksctp-tools%{?_isa}
@ -1029,6 +1141,8 @@ OrderWithRequires: copy-jdk-configs
%endif
# for printing support
Requires: cups-libs
# for FIPS PKCS11 provider
Requires: nss
# Post requires alternatives to install tool alternatives
Requires(post): %{alternatives_requires}
# Postun requires alternatives to uninstall tool alternatives
@ -1111,10 +1225,10 @@ Requires(post): %{alternatives_requires}
Requires(postun): %{alternatives_requires}
# Standard JPackage javadoc provides
Provides: java-%{javaver}-javadoc%{?1} = %{epoch}:%{version}-%{release}
Provides: java-%{javaver}-%{origin}-javadoc%{?1} = %{epoch}:%{version}-%{release}
Provides: java-%{javaver}-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release}
Provides: java-%{javaver}-%{origin}-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release}
%if %is_system_jdk
Provides: java-javadoc%{?1} = %{epoch}:%{version}-%{release}
Provides: java-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release}
%endif
}
@ -1241,6 +1355,10 @@ Patch1011: rh1991003-enable_fips_keys_import.patch
# RH2021263: Resolve outstanding FIPS issues
Patch1014: rh2021263-fips_ensure_security_initialised.patch
Patch1015: rh2021263-fips_missing_native_returns.patch
# RH2052819: Fix FIPS reliance on crypto policies
Patch1016: rh2021263-fips_separate_policy_and_fips_init.patch
# RH2052829: Detect NSS at Runtime for FIPS detection
Patch1017: rh2052829-fips_runtime_nss_detection.patch
#############################################
#
@ -1269,15 +1387,25 @@ Patch8: jdk8275535-rh2053256-ldap_auth.patch
#############################################
#
# Patches appearing in 11.0.15
# Backportable patches
#
# This section includes patches which are
# present in the current development tree, but
# need to be reviewed & pushed to the appropriate
# updates tree of OpenJDK.
#############################################
# JDK-8257794: Zero: assert(istate->_stack_limit == istate->_thread->last_Java_sp() + 1) failed: wrong on Linux/x86_32
Patch101: jdk8257794-remove_broken_assert.patch
#############################################
#
# Patches appearing in 11.0.13
#
# This section includes patches which are present
# in the listed OpenJDK 11u release and should be
# able to be removed once that release is out
# and used by this RPM.
#############################################
# JDK-8284920: Incorrect Token type causes XPath expression to return empty result
Patch9: jdk8284920-incorrect_token_type.patch
BuildRequires: autoconf
BuildRequires: automake
@ -1304,8 +1432,8 @@ BuildRequires: libXrandr-devel
BuildRequires: libXrender-devel
BuildRequires: libXt-devel
BuildRequires: libXtst-devel
# Requirements for setting up the nss.cfg and FIPS support
BuildRequires: nss-devel >= 3.53
# Requirement for setting up nss.cfg and nss.fips.cfg
BuildRequires: nss-devel
BuildRequires: pkgconfig
BuildRequires: xorg-x11-proto-devel
BuildRequires: zip
@ -1313,11 +1441,11 @@ BuildRequires: unzip
BuildRequires: javapackages-filesystem
BuildRequires: java-%{buildjdkver}-openjdk-devel
# Zero-assembler build requirement
%ifnarch %{jit_arches}
%ifarch %{zero_arches}
BuildRequires: libffi-devel
%endif
# 2021a required as of JDK-8260356 in April 2021 CPU
BuildRequires: tzdata-java >= 2021a
# 2021e required as of JDK-8275766 in January 2022 CPU
BuildRequires: tzdata-java >= 2021e
# Earlier versions have a bug in tree vectorization on PPC
BuildRequires: gcc >= 4.8.3-8
@ -1599,7 +1727,7 @@ Group: Documentation
Requires: javapackages-filesystem
Obsoletes: javadoc-debug
%{java_javadoc_rpo %{nil}}
%{java_javadoc_rpo -- %{nil} %{nil}}
%description javadoc
The %{origin_nice} %{featurever} API documentation.
@ -1612,7 +1740,8 @@ Group: Documentation
Requires: javapackages-filesystem
Obsoletes: javadoc-zip-debug
%{java_javadoc_rpo %{nil}}
%{java_javadoc_rpo -- %{nil} -zip}
%{java_javadoc_rpo -- %{nil} %{nil}}
%description javadoc-zip
The %{origin_nice} %{featurever} API documentation compressed in a single archive.
@ -1668,9 +1797,10 @@ pushd %{top_level_dir_name}
%patch3 -p1
%patch4 -p1
%patch7 -p1
%patch9 -p1
popd # openjdk
%patch101
%patch1000
%patch600
%patch1001
@ -1683,6 +1813,8 @@ popd # openjdk
%patch1011
%patch1014
%patch1015
%patch1016
%patch1017
%patch8
@ -1737,7 +1869,6 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
# Setup nss.fips.cfg
sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
sed -i -e "s:@NSS_SECMOD@:/etc/pki/nssdb:g" nss.fips.cfg
%build
# How many CPU's do we have?
@ -1764,17 +1895,21 @@ EXTRA_CPP_FLAGS="%ourcppflags"
# fix rpmlint warnings
EXTRA_CFLAGS="$EXTRA_CFLAGS -fno-strict-aliasing"
%endif
%ifarch %{ix86}
# Align stack boundary on x86_32
EXTRA_CFLAGS="$(echo ${EXTRA_CFLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')"
EXTRA_CPP_FLAGS="$(echo ${EXTRA_CPP_FLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')"
%endif
# Fixes annocheck warnings in assembler files due to missing build notes
EXTRA_ASFLAGS="${EXTRA_CFLAGS} -Wa,--generate-missing-build-notes=yes"
export EXTRA_CFLAGS EXTRA_ASFLAGS
export EXTRA_CFLAGS EXTRA_CPP_FLAGS EXTRA_ASFLAGS
function buildjdk() {
local outputdir=${1}
local installdir=${2}
local buildjdk=${3}
local maketargets="${4}"
local debuglevel=${5}
local link_opt=${6}
local buildjdk=${2}
local maketargets="${3}"
local debuglevel=${4}
local link_opt=${5}
local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name}
local top_dir_abs_build_path=$(pwd)/${outputdir}
@ -1787,11 +1922,11 @@ function buildjdk() {
echo "Using link_opt: ${link_opt}"
echo "Building %{newjavaver}-%{buildver}, pre=%{ea_designator}, opt=%{lts_designator}"
mkdir -p ${outputdir} ${installdir}
mkdir -p ${outputdir}
pushd ${outputdir}
bash ${top_dir_abs_src_path}/configure \
%ifnarch %{jit_arches}
%ifarch %{zero_arches}
--with-jvm-variants=zero \
%endif
%ifarch %{ppc64le}
@ -1808,7 +1943,7 @@ function buildjdk() {
--with-boot-jdk=${buildjdk} \
--with-debug-level=${debuglevel} \
--with-native-debug-symbols="%{debug_symbols}" \
--enable-sysconf-nss \
--disable-sysconf-nss \
--enable-unlimited-crypto \
--with-zlib=system \
--with-libjpeg=${link_opt} \
@ -1836,8 +1971,15 @@ function buildjdk() {
$maketargets || ( pwd; find ${top_dir_abs_src_path} ${top_dir_abs_build_path} -name "hs_err_pid*.log" | xargs cat && false )
popd
}
function installjdk() {
local outputdir=${1}
local installdir=${2}
local imagepath=${installdir}/images/%{jdkimage}
echo "Installing build from ${outputdir} to ${installdir}..."
mkdir -p ${installdir}
echo "Installing images..."
mv ${outputdir}/images ${installdir}
if [ -d ${outputdir}/bundles ] ; then
@ -1853,38 +1995,46 @@ function buildjdk() {
echo "Removing output directory...";
rm -rf ${outputdir}
%endif
if [ -d ${imagepath} ] ; then
# the build (erroneously) removes read permissions from some jars
# this is a regression in OpenJDK 7 (our compiler):
# http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437
find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \;
# Build screws up permissions on binaries
# https://bugs.openjdk.java.net/browse/JDK-8173610
find ${imagepath} -iname '*.so' -exec chmod +x {} \;
find ${imagepath}/bin/ -exec chmod +x {} \;
# Install nss.cfg right away as we will be using the JRE above
install -m 644 nss.cfg ${imagepath}/conf/security/
# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
install -m 644 nss.fips.cfg ${imagepath}/conf/security/
# Use system-wide tzdata
rm ${imagepath}/lib/tzdb.dat
ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat
# Create fake alt-java as a placeholder for future alt-java
pushd ${imagepath}
# add alt-java man page
echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1
cat man/man1/java.1 >> man/man1/%{alt_java_name}.1
popd
fi
}
function installjdk() {
local imagepath=${1}
# the build (erroneously) removes read permissions from some jars
# this is a regression in OpenJDK 7 (our compiler):
# http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437
find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \;
# Build screws up permissions on binaries
# https://bugs.openjdk.java.net/browse/JDK-8173610
find ${imagepath} -iname '*.so' -exec chmod +x {} \;
find ${imagepath}/bin/ -exec chmod +x {} \;
# Install nss.cfg right away as we will be using the JRE above
install -m 644 nss.cfg ${imagepath}/conf/security/
# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
install -m 644 nss.fips.cfg ${imagepath}/conf/security/
# Use system-wide tzdata
rm ${imagepath}/lib/tzdb.dat
ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat
# Create fake alt-java as a placeholder for future alt-java
pushd ${imagepath}
# add alt-java man page
echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1
cat man/man1/java.1 >> man/man1/%{alt_java_name}.1
popd
}
%if %{build_hotspot_first}
# Build a fresh libjvm.so first and use it to bootstrap
cp -LR --preserve=mode,timestamps %{bootjdk} newboot
systemjdk=$(pwd)/newboot
buildjdk build/newboot ${systemjdk} %{hotspot_target} "release" "bundled"
mv build/newboot/jdk/lib/server/libjvm.so newboot/lib/server
%else
systemjdk=%{bootjdk}
%endif
for suffix in %{build_loop} ; do
@ -1895,7 +2045,6 @@ for suffix in %{build_loop} ; do
debugbuild=`echo $suffix | sed "s/-//g"`
fi
systemjdk=/usr/lib/jvm/java-%{buildjdkver}-openjdk
for loop in %{main_suffix} %{staticlibs_loop} ; do
@ -1922,11 +2071,14 @@ for suffix in %{build_loop} ; do
run_bootstrap=%{bootstrap_build}
fi
if ${run_bootstrap} ; then
buildjdk ${bootbuilddir} ${bootinstalldir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} ${link_opt}
buildjdk ${builddir} ${installdir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt}
%{!?with_artifacts:rm -rf ${bootinstalldir}}
buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} ${link_opt}
installjdk ${bootbuilddir} ${bootinstalldir}
buildjdk ${builddir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt}
installjdk ${builddir} ${installdir}
%{!?with_artifacts:rm -rf ${bootinstalldir}}
else
buildjdk ${builddir} ${installdir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt}
buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt}
installjdk ${builddir} ${installdir}
fi
# Restore original source tree we modified by removing full in-tree sources
rm -rf %{top_level_dir_name}
@ -1937,15 +2089,12 @@ for suffix in %{build_loop} ; do
# Static library cycle only builds the static libraries
maketargets="%{static_libs_target}"
# Always just do the one build for the static libraries
buildjdk ${builddir} ${installdir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt}
buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt}
installjdk ${builddir} ${installdir}
fi
done # end of main / staticlibs loop
# Final setup on the main image
top_dir_abs_main_build_path=$(pwd)/%{installoutputdir -- ${suffix}%{main_suffix}}
installjdk ${top_dir_abs_main_build_path}/images/%{jdkimage}
# build cycles
done # end of release / debug cycle loop
@ -2054,20 +2203,16 @@ gdb -q "$JAVA_HOME/bin/java" <<EOF | tee gdb.out
handle SIGSEGV pass nostop noprint
handle SIGILL pass nostop noprint
set breakpoint pending on
break javaCalls.cpp:1
break javaCalls.cpp:58
commands 1
backtrace
quit
end
run -version
EOF
%if 0%{?fedora} > 0
# This fails on s390x for some reason. Disable for now. See:
# https://koji.fedoraproject.org/koji/taskinfo?taskID=41499227
%ifnarch s390x
%ifarch %{gdb_arches}
grep 'JavaCallWrapper::JavaCallWrapper' gdb.out
%endif
%endif
# Check src.zip has all sources. See RHBZ#1130490
$JAVA_HOME/bin/jar -tf $JAVA_HOME/lib/src.zip | grep 'sun.misc.Unsafe'
@ -2294,6 +2439,9 @@ end
%posttrans
%{posttrans_script %{nil}}
%posttrans headless
%{alternatives_java_install %{nil}}
%post devel
%{post_devel %{nil}}
@ -2303,14 +2451,14 @@ end
%posttrans devel
%{posttrans_devel %{nil}}
%post javadoc
%{post_javadoc %{nil}}
%posttrans javadoc
%{alternatives_javadoc_install %{nil}}
%postun javadoc
%{postun_javadoc %{nil}}
%post javadoc-zip
%{post_javadoc_zip %{nil}}
%posttrans javadoc-zip
%{alternatives_javadoczip_install %{nil}}
%postun javadoc-zip
%{postun_javadoc_zip %{nil}}
@ -2323,6 +2471,9 @@ end
%post headless-slowdebug
%{post_headless -- %{debug_suffix_unquoted}}
%posttrans headless-slowdebug
%{alternatives_java_install -- %{debug_suffix_unquoted}}
%postun slowdebug
%{postun_script -- %{debug_suffix_unquoted}}
@ -2358,6 +2509,9 @@ end
%posttrans fastdebug
%{posttrans_script -- %{fastdebug_suffix_unquoted}}
%posttrans headless-fastdebug
%{alternatives_java_install -- %{fastdebug_suffix_unquoted}}
%post devel-fastdebug
%{post_devel -- %{fastdebug_suffix_unquoted}}
@ -2464,99 +2618,148 @@ end
%endif
%changelog
* Sat Apr 16 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.15.0.9-2
- Add JDK-8284920 fix for XPath regression
- Related: rhbz#2073422
* Mon Feb 28 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.14.1.1-6
- Detect NSS at runtime for FIPS detection
- Turn off build-time NSS linking and go back to an explicit Requires on NSS
- Resolves: rhbz#2052827
* Fri Apr 15 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.15.0.9-2
- Remove security items from release notes that were only in 17u and N/A for 11u
- Related: rhbz#2073422
* Wed Apr 13 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.15.0.9-1
- Update to jdk-11.0.15.0+9
- Update release notes to 11.0.15.0+9
- Switch to GA mode for release
- ** This tarball is embargoed until 2022-04-19 @ 1pm PT. **
- Resolves: rhbz#2073422
* Tue Apr 12 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.15.0.8-0.1.ea
- Update to jdk-11.0.15.0+8
- Update release notes to 11.0.15.0+8
- Switch to EA mode for 11.0.15 pre-release builds.
- Rebase RH1996182 FIPS patch after JDK-8254410
- Related: rhbz#2073422
* Wed Feb 23 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.14.1.1-2
* Fri Feb 25 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.14.1.1-5
- Add JDK-8275535 patch to fix LDAP authentication issue.
- Resolves: rhbz#2055344
- Resolves: rhbz#2053284
* Fri Feb 11 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.14.1.1-1
* Fri Feb 25 2022 Jiri Vanek <jvanek@redhat.com> - 1:11.0.14.1.1-4
- Storing and restoring alterntives during update manually
- Fixing Bug 2001567 - update of JDK/JRE is removing its manually selected alterantives and select (as auto) system JDK/JRE
-- The move of alternatives creation to posttrans to fix:
-- Bug 1200302 - dnf reinstall breaks alternatives
-- Had caused the alternatives to be removed, and then created again,
-- instead of being added, and then removing the old, and thus persisting
-- the selection in family
-- Thus this fix, is storing the family of manually selected master, and if
-- stored, then it is restoring the family of the master
- Resolves: rhbz#2008192
* Fri Feb 25 2022 Jiri Vanek <jvanek@redhat.com> - 1:11.0.14.1.1-3
- Family extracted to globals
- Resolves: rhbz#2008192
* Fri Feb 25 2022 Jiri Vanek <jvanek@redhat.com> - 1:11.0.14.1.1-2
- alternatives creation moved to posttrans
- Thus fixing the old reisntall issue:
- https://bugzilla.redhat.com/show_bug.cgi?id=1200302
- https://bugzilla.redhat.com/show_bug.cgi?id=1976053
- Resolves: rhbz#2008192
* Fri Feb 18 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.14.1.1-1
- Update to jdk-11.0.14.1+1
- Update release notes to 11.0.14.1+1
- Require tzdata 2021e as of JDK-8275766.
- Resolves: rhbz#2052809
- Resolves: rhbz#1966234
* Tue Jan 18 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.14.0.9-2
* Thu Feb 17 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.14.0.9-6
- Separate crypto policy initialisation from FIPS initialisation, now they are no longer interdependent
- Resolves: rhbz#2052816
* Fri Feb 11 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.14.0.9-5
- Refactor build functions so we can build just HotSpot without any attempt at installation.
- Sync gdb test with java-1.8.0-openjdk.
- Improve architecture restrictions for the gdb test.
- Replace -mstackrealign with -mincoming-stack-boundary=2 -mpreferred-stack-boundary=4 on x86_32 for stack alignment
- Explicitly list JIT architectures rather than relying on those with slowdebug builds
- Disable the serviceability agent on Zero architectures even when the architecture itself is supported
- Add backport of JDK-8257794 to fix bogus assert on slowdebug x86-32 Zero builds
- Related: rhbz#2052809
* Fri Feb 11 2022 Jiri Vanek <jvanek@redhat.com> - 1:11.0.14.0.9-5
- Give javadoc-zip its own Provides, next to the plain javadoc ones
- Related: rhbz#2052809
* Fri Feb 11 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.14.0.9-4
- Fix FIPS issues in native code and with initialisation of java.security.Security
- Related: rhbz#2039366
- Resolves: rhbz#2021559
* Mon Jan 17 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.14.0.9-1
* Thu Feb 10 2022 Severin Gehwolf <sgehwolf@redhat.com> - 1:11.0.14.0.9-3
- Use 'sql:' prefix in nss.fips.cfg as F35+ no longer ship the legacy
secmod.db file as part of nss
- Resolves: rhbz#2023534
* Mon Jan 17 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.14.0.9-2
- Update to jdk-11.0.14.0+9
- Update release notes to 11.0.14.0+9
- Switch to GA mode for final release.
- This tarball is embargoed until 2022-01-18 @ 1pm PT.
- Resolves: rhbz#2039366
* Fri Jan 14 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.14.0.8-0.1.ea
- Update to jdk-11.0.14.0+8
- Update release notes to 11.0.14.0+8
- Resolves: rhbz#2022821
* Thu Jan 13 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.14.0.1-0.1.ea
- Update to jdk-11.0.14.0+1
- Update release notes to 11.0.14.0+1
- Switch to EA mode for 11.0.14 pre-release builds.
- Turn off bootstrapping for slow debug builds, which are particularly slow on ppc64le.
- Rename blacklisted.certs to blocked.certs following JDK-8253866
- Rebase RH1996182 login patch and drop redundant security policy extension after JDK-8269034
- Related: rhbz#2039366
- Related: rhbz#2022821
* Wed Dec 01 2021 Jiri Vanek <jvanek@redhat.com> - 1:11.0.14.0.8-0.1.ea
* Thu Jan 13 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.13.0.8-5
- Turn off bootstrapping for slow debug builds, which are particularly slow on ppc64le.
- Related: rhbz#2022821
* Wed Dec 01 2021 Jiri Vanek <jvanek@redhat.com> - 1:11.0.13.0.8-4
- Replaced hardcoded 11 by featurever where appropriate
- Fixed comment of `for slowdebug` to correct `any debug`
- Related: rhbz#2039366
- Related: rhbz#2022821
* Sun Nov 07 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.13.0.8-4
- Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false
- Resolves: rhbz#2014212
* Sun Nov 07 2021 Martin Balao <mbalao@redhat.com> - 1:11.0.13.0.8-4
- Add patch to allow plain key import.
- Resolves: rhbz#2014212
* Thu Oct 28 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.13.0.8-3
- Bump and rebuild to try and get a build correctly tagged.
- Related: rhbz#2012334
* Wed Oct 13 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.13.0.8-2
- Update to jdk-11.0.12.0+8
- Update release notes to 11.0.12.0+8
* Wed Oct 13 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.13.0.8-3
- Update to jdk-11.0.13.0+8
- Update release notes to 11.0.13.0+8
- Switch to GA mode for final release.
- This tarball is embargoed until 2021-10-19 @ 1pm PT.
- Resolves: rhbz#2012334
- Resolves: rhbz#2012335
* Tue Oct 12 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.13.0.7-0.1.ea
- Update to jdk-11.0.13.0+7
- Update release notes to 11.0.13.0+7
- Resolves: rhbz#1999938
* Mon Oct 11 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.13.0.1-0.1.ea
- Update to jdk-11.0.13.0+1
- Update release notes to 11.0.13.0+1
- Update tarball generation script to use git following OpenJDK 11u's move to github
- Switch to EA mode for 11.0.13 pre-release builds.
- Remove non-Free test from source tarball.
- Remove "-clean" suffix as no 11.0.13 builds are unclean.
- Drop JDK-8269668 patch which is now applied upstream.
- Related: rhbz#2011826
- Related: rhbz#1999938
* Sun Oct 10 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.7-5
* Sun Oct 10 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.7-9
- The bootstrap JDK is now in bootinstalldir, not bootbuilddir.
- Related: rhbz#1999938
* Sun Oct 10 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.7-9
- Reduce disk footprint by removing build artifacts by default.
- Related: rhbz#1999938
* Sun Oct 10 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.7-8
- Restructure the build so a minimal initial build is then used for the final build (with docs)
- This reduces pressure on the system JDK and ensures the JDK being built can do a full build
- Reduce disk footprint by removing build artifacts by default.
- Related: rhbz#2011826
- Related: rhbz#1999938
* Mon Sep 06 2021 Jiri Vanek <jvanek@redhat.com> - 1:11.0.12.0.7-5
* Tue Oct 05 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.7-7
- Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false
- Resolves: rhbz#1991003
* Tue Oct 05 2021 Martin Balao <mbalao@redhat.com> - 1:11.0.12.0.7-7
- Add patch to allow plain key import.
- Resolves: rhbz#1991003
* Mon Sep 06 2021 Jiri Vanek <jvanek@redhat.com> - 1:11.0.12.0.7-6
- Minor cosmetic improvements to make spec more comparable between variants
- Related: rhbz#2011826
- Related: rhbz#1999938
* Mon Sep 06 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.7-5
- Remove non-Free test from source tarball.
- Related: rhbz#1999938
* Mon Aug 30 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.7-4
- Extend the default security policy to accomodate PKCS11 accessing jdk.internal.misc.