From fcdb3429a49b31b6df141caa19af575c3cf31cb6 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 30 Mar 2021 12:51:48 -0400 Subject: [PATCH] import java-11-openjdk-11.0.9.11-7.el8 --- .gitignore | 2 +- .java-11-openjdk.metadata | 2 +- SOURCES/CheckVendor.java | 57 + SOURCES/NEWS | 782 +++++++ ...12-pkcs11_incorrrect_session_closure.patch | 480 ++++ ...61-rh1895274-crash_in_MinINode_Ideal.patch | 32 + SOURCES/jdk8254177-tzdata2020b.patch | 2041 +++++++++++++++++ ...E_2018_3639-speculative_store_bypass.patch | 61 - .../rh1655466-global_crypto_and_fips.patch | 12 +- SOURCES/rh1750419-redhat_alt_java.patch | 111 + ...rh1818909-fips_default_keystore_type.patch | 52 + .../rh1842572-rsa_default_for_keytool.patch | 12 + ...1860986-disable_tlsv1.3_in_fips_mode.patch | 311 +++ .../rh1868740-cryptoki_access_to_sunjce.patch | 12 + .../rh1868754-pkcs11_cancel_on_failure.patch | 21 + ...cess_to_sunjce_with_security_manager.patch | 60 + SPECS/java-11-openjdk.spec | 701 +++++- 17 files changed, 4577 insertions(+), 172 deletions(-) create mode 100644 SOURCES/CheckVendor.java create mode 100644 SOURCES/jdk8236512-pkcs11_incorrrect_session_closure.patch create mode 100644 SOURCES/jdk8250861-rh1895274-crash_in_MinINode_Ideal.patch create mode 100644 SOURCES/jdk8254177-tzdata2020b.patch delete mode 100644 SOURCES/rh1566890-CVE_2018_3639-speculative_store_bypass.patch create mode 100644 SOURCES/rh1750419-redhat_alt_java.patch create mode 100644 SOURCES/rh1818909-fips_default_keystore_type.patch create mode 100644 SOURCES/rh1842572-rsa_default_for_keytool.patch create mode 100644 SOURCES/rh1860986-disable_tlsv1.3_in_fips_mode.patch create mode 100644 SOURCES/rh1868740-cryptoki_access_to_sunjce.patch create mode 100644 SOURCES/rh1868754-pkcs11_cancel_on_failure.patch create mode 100644 SOURCES/rh1883849-cryptoki_access_to_sunjce_with_security_manager.patch diff --git a/.gitignore b/.gitignore index 5b3300e..fcfb766 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/shenandoah-jdk11-shenandoah-jdk-11.0.8+3-4curve.tar.xz +SOURCES/jdk-updates-jdk11u-jdk-11.0.9+11-4curve.tar.xz SOURCES/tapsets-icedtea-3.15.0.tar.xz diff --git a/.java-11-openjdk.metadata b/.java-11-openjdk.metadata index 72edf40..e4fe5f2 100644 --- a/.java-11-openjdk.metadata +++ b/.java-11-openjdk.metadata @@ -1,2 +1,2 @@ -dd60a556a5258490eec471495e2f9aa16e4e9ec6 SOURCES/shenandoah-jdk11-shenandoah-jdk-11.0.8+3-4curve.tar.xz +4a65c2e79897772480e91d1bc60aca9a4c7e20f2 SOURCES/jdk-updates-jdk11u-jdk-11.0.9+11-4curve.tar.xz 7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz diff --git a/SOURCES/CheckVendor.java b/SOURCES/CheckVendor.java new file mode 100644 index 0000000..e2101cf --- /dev/null +++ b/SOURCES/CheckVendor.java @@ -0,0 +1,57 @@ +/* CheckVendor -- Check the vendor properties match specified values. + Copyright (C) 2020 Red Hat, Inc. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU Affero General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU Affero General Public License for more details. + +You should have received a copy of the GNU Affero General Public License +along with this program. If not, see . +*/ + +/** + * @test + */ +public class CheckVendor { + + public static void main(String[] args) { + if (args.length < 3) { + System.err.println("CheckVendor "); + System.exit(1); + } + + String vendor = System.getProperty("java.vendor"); + String expectedVendor = args[0]; + String vendorURL = System.getProperty("java.vendor.url"); + String expectedVendorURL = args[1]; + String vendorBugURL = System.getProperty("java.vendor.url.bug"); + String expectedVendorBugURL = args[2]; + + if (!expectedVendor.equals(vendor)) { + System.err.printf("Invalid vendor %s, expected %s\n", + vendor, expectedVendor); + System.exit(2); + } + + if (!expectedVendorURL.equals(vendorURL)) { + System.err.printf("Invalid vendor URL %s, expected %s\n", + vendorURL, expectedVendorURL); + System.exit(3); + } + + if (!expectedVendorBugURL.equals(vendorBugURL)) { + System.err.printf("Invalid vendor bug URL%s, expected %s\n", + vendorBugURL, expectedVendorBugURL); + System.exit(4); + } + + System.err.printf("Vendor information verified as %s, %s, %s\n", + vendor, vendorURL, vendorBugURL); + } +} diff --git a/SOURCES/NEWS b/SOURCES/NEWS index 6a269f1..a50068e 100644 --- a/SOURCES/NEWS +++ b/SOURCES/NEWS @@ -3,6 +3,788 @@ Key: JDK-X - https://bugs.openjdk.java.net/browse/JDK-X CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY +New in release OpenJDK 11.0.9 (2020-10-20): +=========================================== +Live versions of these release notes can be found at: + * https://bitly.com/openjdk1109 + * https://builds.shipilev.net/backports-monitor/release-notes-11.0.9.txt + +* Security fixes + - JDK-8233624: Enhance JNI linkage + - JDK-8236196: Improve string pooling + - JDK-8236862, CVE-2020-14779: Enhance support of Proxy class + - JDK-8237990, CVE-2020-14781: Enhanced LDAP contexts + - JDK-8237995, CVE-2020-14782: Enhance certificate processing + - JDK-8240124: Better VM Interning + - JDK-8241114, CVE-2020-14792: Better range handling + - JDK-8242680, CVE-2020-14796: Improved URI Support + - JDK-8242685, CVE-2020-14797: Better Path Validation + - JDK-8242695, CVE-2020-14798: Enhanced buffer support + - JDK-8243302: Advanced class supports + - JDK-8244136, CVE-2020-14803: Improved Buffer supports + - JDK-8244479: Further constrain certificates + - JDK-8244955: Additional Fix for JDK-8240124 + - JDK-8245407: Enhance zoning of times + - JDK-8245412: Better class definitions + - JDK-8245417: Improve certificate chain handling + - JDK-8248574: Improve jpeg processing + - JDK-8249927: Specify limits of jdk.serialProxyInterfaceLimit + - JDK-8253019: Enhanced JPEG decoding +* Other changes + - JDK-6532025: GIF reader throws misleading exception with truncated images + - JDK-6949753: [TEST BUG]: java/awt/print/PageFormat/PDialogTest.java needs update by removing a infinite loop + - JDK-8022535: [TEST BUG] javax/swing/text/html/parser/Test8017492.java fails + - JDK-8062947: Fix exception message to correctly represent LDAP connection failure + - JDK-8067354: com/sun/jdi/GetLocalVariables4Test.sh failed + - JDK-8134599: TEST_BUG: java/rmi/transport/closeServerSocket/CloseServerSocket.java fails intermittently with Address already in use + - JDK-8151678: com/sun/jndi/ldap/LdapTimeoutTest.java failed due to timeout on DeadServerNoTimeoutTest is incorrect + - JDK-8160768: Add capability to custom resolve host/domain names within the default JNDI LDAP provider + - JDK-8172404: Tools should warn if weak algorithms are used before restricting them + - JDK-8193367: Annotated type variable bounds crash javac + - JDK-8202117: com/sun/jndi/ldap/RemoveNamingListenerTest.java fails intermittently: Connection reset + - JDK-8203026: java.rmi.NoSuchObjectException: no such object in table + - JDK-8203281: [Windows] JComboBox change in ui when editor.setBorder() is called + - JDK-8203382: Rename SystemDictionary::initialize_wk_klass to resolve_wk_klass + - JDK-8203393: com/sun/jdi/JdbMethodExitTest.sh and JdbExprTest.sh fail due to timeout + - JDK-8203928: [Test] Convert non-JDB scaffolding serviceability shell script tests to java + - JDK-8204963: javax.swing.border.TitledBorder has a memory leak + - JDK-8204994: SA might fail to attach to process with "Windbg Error: WaitForEvent failed" + - JDK-8205534: Remove SymbolTable dependency from serviceability agent + - JDK-8206309: Tier1 SA tests fail + - JDK-8208281: java/nio/channels/AsynchronousSocketChannel/Basic.java timed out + - JDK-8209109: [TEST] rewrite com/sun/jdi shell tests to java version - step1 + - JDK-8209332: [TEST] test/jdk/com/sun/jdi/CatchPatternTest.sh is incorrect + - JDK-8209342: Problemlist SA tests on Solaris due to Error attaching to process: Can't create thread_db agent! + - JDK-8209343: Test javax/swing/border/TestTitledBorderLeak.java should be marked as headful + - JDK-8209517: com/sun/jdi/BreakpointWithFullGC.java fails with timeout + - JDK-8209604: [TEST] rewrite com/sun/jdi shell tests to java version - step2 + - JDK-8209605: com/sun/jdi/BreakpointWithFullGC.java fails with ZGC + - JDK-8209608: Problem list com/sun/jdi/BreakpointWithFullGC.java + - JDK-8210131: vmTestbase/nsk/jvmti/scenarios/allocation/AP10/ap10t001/TestDescription.java failed with ObjectFree: GetCurrentThreadCpuTimerInfo returned unexpected error code + - JDK-8210243: [TEST] rewrite com/sun/jdi shell tests to java version - step3 + - JDK-8210527: JShell: NullPointerException in jdk.jshell.Eval.translateExceptionStack + - JDK-8210560: [TEST] convert com/sun/jdi redefineClass-related tests + - JDK-8210725: com/sun/jdi/RedefineClearBreakpoint.java fails with waitForPrompt timed out after 60 seconds + - JDK-8210748: [TESTBUG] lib.jdb.Jdb.waitForPrompt() should clarify which output is the pending reply after a timeout + - JDK-8210760: [TEST] rewrite com/sun/jdi shell tests to java version - step4 + - JDK-8210977: jdk/jfr/event/oldobject/TestThreadLocalLeak.java fails to find ThreadLocalObject + - JDK-8211292: [TEST] convert com/sun/jdi/DeferredStepTest.sh test + - JDK-8211694: JShell: Redeclared variable should be reset + - JDK-8212200: assert when shared java.lang.Object is redefined by JVMTI agent + - JDK-8212629: [TEST] wrong breakpoint in test/jdk/com/sun/jdi/DeferredStepTest + - JDK-8212665: com/sun/jdi/DeferredStepTest.java: jj1 (line 57) - unexpected. lastLine=52, minLine=52, maxLine=55 + - JDK-8212807: tools/jar/multiRelease/Basic.java times out + - JDK-8213182: Minimal VM build failure after JDK-8212200 (assert when shared java.lang.Object is redefined by JVMTI agent) + - JDK-8213214: Set -Djava.io.tmpdir= when running tests + - JDK-8213275: ReplaceCriticalClasses.java fails with jdk.internal.vm.PostVMInitHook not found + - JDK-8213574: Deadlock in string table expansion when dumping lots of CDS classes + - JDK-8213703: LambdaConversionException: Invalid receiver type not a subtype of implementation type interface + - JDK-8214074: Ghash optimization using AVX instructions + - JDK-8214491: Upgrade to JLine 3.9.0 + - JDK-8214797: TestJmapCoreMetaspace.java timed out + - JDK-8215243: JShell tests failing intermitently with \"Problem cleaning up the following threads:\" + - JDK-8215244: jdk/jshell/ToolBasicTest.java testHistoryReference failed + - JDK-8215354: x86_32 build failures after JDK-8214074 (Ghash optimization using AVX instructions) + - JDK-8215438: jshell tool: Ctrl-D causes EOF + - JDK-8216021: RunTest.gmk might set concurrency level to 1 on Windows + - JDK-8216974: HttpConnection not returned to the pool after 204 response + - JDK-8218948: SimpleDateFormat :: format - Zone Names are not reflected correctly during run time + - JDK-8219712: code_size2 (defined in stub_routines_x86.hpp) is too small on new Skylake CPUs + - JDK-8220150: macos10.14 Mojave returns anti-aliased glyphs instead of aliased B&W glyphs + - JDK-8221658: aarch64: add necessary predicate for ubfx patterns + - JDK-8221759: Crash when completing \"java.io.File.path\" + - JDK-8221918: runtime/SharedArchiveFile/serviceability/ReplaceCriticalClasses.java fails: Shared archive not found + - JDK-8222074: Enhance auto vectorization for x86 + - JDK-8222079: Don't use memset to initialize fields decode_env constructor in disassembler.cpp + - JDK-8222769: [TESTBUG] TestJFRNetworkEvents should not rely on hostname command + - JDK-8223688: JShell: crash on the instantiation of raw anonymous class + - JDK-8223777: In posix_spawn mode, failing to exec() jspawnhelper does not result in an error + - JDK-8223940: Private key not supported by chosen signature algorithm + - JDK-8224184: jshell got IOException at exiting with AIX + - JDK-8224234: compiler/codegen/TestCharVect2.java fails in test_mulc + - JDK-8225037: java.net.JarURLConnection::getJarEntry() throws NullPointerException + - JDK-8225625: AES Electronic Codebook (ECB) encryption and decryption optimization using AVX512 + VAES instructions + - JDK-8226536: Catch OOM from deopt that fails rematerializing objects + - JDK-8226575: OperatingSystemMXBean should be made container aware + - JDK-8226697: Several tests which need the @key headful keyword are missing it. + - JDK-8226809: Circular reference in printed stack trace is not correctly indented & ambiguous + - JDK-8227059: sun/security/tools/keytool/DefaultSignatureAlgorithm.java timed out + - JDK-8227269: Slow class loading when running with JDWP + - JDK-8227595: keytool/fakegen/DefaultSignatureAlgorithm.java fails due to "exitValue = 6" + - JDK-8228448: Jconsole can't connect to itself + - JDK-8228967: Trust/Key store and SSL context utilities for tests + - JDK-8229378: jdwp library loader in linker_md.c quietly truncates on buffer overflow + - JDK-8229815: Upgrade Jline to 3.12.1 + - JDK-8230000: some httpclients testng tests run zero test + - JDK-8230002: javax/xml/jaxp/unittest/transform/SecureProcessingTest.java runs zero test + - JDK-8230010: Remove jdk8037819/BasicTest1.java + - JDK-8230094: CCE in createXMLEventWriter(Result) over an arbitrary XMLStreamWriter + - JDK-8230402: Allocation of compile task fails with assert: "Leaking compilation tasks?" + - JDK-8230767: FlightRecorderListener returns null recording + - JDK-8230870: (zipfs) Add a ZIP FS test that is similar to test/jdk/java/util/zip/EntryCount64k.java + - JDK-8231209: [REDO] ThreadMXBean::getThreadAllocatedBytes() can be quicker for self thread + - JDK-8231586: enlarge encoding space for OopMapValue offsets + - JDK-8231953: Wrong assumption in assertion in oop::register_oop + - JDK-8231968: getCurrentThreadAllocatedBytes default implementation s/b getThreadAllocatedBytes + - JDK-8232083: Minimal VM is broken after JDK-8231586 + - JDK-8232161: Align some one-way conversion in MS950 charset with Windows + - JDK-8232855: jshell missing word in /help help + - JDK-8233027: OopMapSet::all_do does oms.next() twice during iteration + - JDK-8233228: Disable weak named curves by default in TLS, CertPath, and Signed JAR + - JDK-8233386: Initialize NULL fields for unused decorations + - JDK-8233452: java.math.BigDecimal.sqrt() with RoundingMode.FLOOR results in incorrect result + - JDK-8233686: XML transformer uses excessive amount of memory + - JDK-8233741: AES Countermode (AES-CTR) optimization using AVX512 + VAES instructions + - JDK-8233829: javac cannot find non-ASCII module name under non-UTF8 environment + - JDK-8233958: Memory retention due to HttpsURLConnection finalizer that serves no purpose + - JDK-8234011: (zipfs) Memory leak in ZipFileSystem.releaseDeflater() + - JDK-8234058: runtime/CompressedOops/CompressedClassPointers.java fails with 'Narrow klass base: 0x0000000000000000' missing from stdout/stderr + - JDK-8234149: Several regression tests do not dispose Frame at end + - JDK-8234347: "Turkey" meta time zone does not generate composed localized names + - JDK-8234385: [TESTBUG] java/awt/EventQueue/6980209/bug6980209.java fails in linux nightly + - JDK-8234535: Cross compilation fails due to missing CFLAGS for the BUILD_CC + - JDK-8234541: C1 emits an empty message when it inlines successfully + - JDK-8234687: change javap reporting on unknown attributes + - JDK-8236464: SO_LINGER option is ignored by SSLSocket in JDK 11 + - JDK-8236548: Localized time zone name inconsistency between English and other locales + - JDK-8236617: jtreg test containers/docker/TestMemoryAwareness.java fails after 8226575 + - JDK-8237182: Update copyright header for shenandoah and epsilon files + - JDK-8237888: security/infra/java/security/cert/CertPathValidator/certification/LuxTrustCA.java fails when checking validity interval + - JDK-8237977: Further update javax/net/ssl/compatibility/Compatibility.java + - JDK-8238270: java.net HTTP/2 client does not decrease stream count when receives 204 response + - JDK-8238284: [macos] Zero VM build fails due to an obvious typo + - JDK-8238380: java.base/unix/native/libjava/childproc.c "multiple definition" link errors with GCC10 + - JDK-8238386: (sctp) jdk.sctp/unix/native/libsctp/SctpNet.c "multiple definition" link errors with GCC10 + - JDK-8238388: libj2gss/NativeFunc.o "multiple definition" link errors with GCC10 + - JDK-8238448: RSASSA-PSS signature verification fail when using certain odd key sizes + - JDK-8238710: LingeredApp doesn't log stdout/stderr if exits with non-zero code + - JDK-8239083: C1 assert(known_holder == NULL || (known_holder->is_instance_klass() && (!known_holder->is_interface() || ((ciInstanceKlass*)known_holder)->has_nonstatic_concrete_methods())), "should be non-static concrete method"); + - JDK-8239385: KerberosTicket client name refers wrongly to sAMAccountName in AD + - JDK-8240169: javadoc fails to link to non-modular api docs + - JDK-8240295: hs_err elapsed time in seconds is not accurate enough + - JDK-8240360: NativeLibraryEvent has wrong library name on Linux + - JDK-8240676: Meet not symmetric failure when running lucene on jdk8 + - JDK-8241007: Shenandoah: remove ShenandoahCriticalControlThreadPriority support + - JDK-8241065: Shenandoah: remove leftover code after JDK-8231086 + - JDK-8241086: Test runtime/NMT/HugeArenaTracking.java is failing on 32bit Windows + - JDK-8241130: com.sun.jndi.ldap.EventSupport.removeDeadNotifier: java.lang.NullPointerException + - JDK-8241138: http.nonProxyHosts=* causes StringIndexOutOfBoundsException in DefaultProxySelector + - JDK-8241319: WB_GetCodeBlob doesn't have ResourceMark + - JDK-8241478: vmTestbase/gc/gctests/Steal/steal001/steal001.java fails with OOME + - JDK-8241574: Shenandoah: remove ShenandoahAssertToSpaceClosure + - JDK-8241750: x86_32 build failure after JDK-8227269 + - JDK-8242184: CRL generation error with RSASSA-PSS + - JDK-8242283: Can't start JVM when java home path includes non-ASCII character + - JDK-8242556: Cannot load RSASSA-PSS public key with non-null params from byte array + - JDK-8243029: Rewrite javax/net/ssl/compatibility/Compatibility.java with a flexible interop test framework + - JDK-8243138: Enhance BaseLdapServer to support starttls extended request + - JDK-8243320: Add SSL root certificates to Oracle Root CA program + - JDK-8243321: Add Entrust root CA - G4 to Oracle Root CA program + - JDK-8243389: enhance os::pd_print_cpu_info on linux + - JDK-8243453: java --describe-module failed with non-ASCII module name under non-UTF8 environment + - JDK-8243470: [macos] bring back O2 opt level for unsafe.cpp + - JDK-8243489: Thread CPU Load event may contain wrong data for CPU time under certain conditions + - JDK-8243925: Toolkit#getScreenInsets() returns wrong value on HiDPI screens (Windows) + - JDK-8244087: 2020-04-24 public suffix list update + - JDK-8244151: Update MUSCLE PC/SC-Lite headers to the latest release 1.8.26 + - JDK-8244164: AArch64: jaotc generates incorrect code for compressed OOPs with non-zero heap base + - JDK-8244196: adjust output in os_linux + - JDK-8244225: stringop-overflow warning on strncpy call from compile_the_world_in + - JDK-8244287: JFR: Methods samples have line number 0 + - JDK-8244703: "platform encoding not initialized" exceptions with debugger, JNI + - JDK-8244719: CTW: C2 compilation fails with "assert(!VerifyHashTableKeys || _hash_lock == 0) failed: remove node from hash table before modifying it" + - JDK-8244729: Shenandoah: remove resolve paths from SBSA::generate_shenandoah_lrb + - JDK-8244763: Update --release 8 symbol information after JSR 337 MR3 + - JDK-8244818: Java2D Queue Flusher crash while moving application window to external monitor + - JDK-8245151: jarsigner should not raise duplicate warnings on verification + - JDK-8245616: Bump update version for OpenJDK: jdk-11.0.9 + - JDK-8245714: "Bad graph detected in build_loop_late" when loads are pinned on loop limit check uncommon branch + - JDK-8245801: StressRecompilation triggers assert "redundunt OSR recompilation detected. memory leak in CodeCache!" + - JDK-8245832: JDK build make-static-libs should build all JDK libraries + - JDK-8245880: Shenandoah: check class unloading flag early in concurrent code root scan + - JDK-8245981: Upgrade to jQuery 3.5.1 + - JDK-8246027: Minimal fastdebug build broken after JDK-8245801 + - JDK-8246094: [macos] Sound Recording and playback is not working + - JDK-8246153: TestEliminateArrayCopy fails with -XX:+StressReflectiveCode + - JDK-8246193: Possible NPE in ENC-PA-REP search in AS-REQ + - JDK-8246196: javax/management/MBeanServer/OldMBeanServerTest fails with AssertionError + - JDK-8246203: Segmentation fault in verification due to stack overflow with -XX:+VerifyIterativeGVN + - JDK-8246330: Add TLS Tests for Legacy ECDSA curves + - JDK-8246453: TestClone crashes with "all collected exceptions must come from the same place" + - JDK-8247246: Add explicit ResolvedJavaType.link and expose presence of default methods + - JDK-8247350: [aarch64] assert(false) failed: wrong size of mach node + - JDK-8247502: PhaseStringOpts crashes while optimising effectively dead code + - JDK-8247615: Initialize the bytes left for the heap sampler + - JDK-8247824: CTW: C2 (Shenandoah) compilation fails with SEGV in SBC2Support::pin_and_expand + - JDK-8247874: Replacement in VersionProps.java.template not working when --with-vendor-bug-url contains '&' + - JDK-8247979: aarch64: missing side effect of killing flags for clearArray_reg_reg + - JDK-8248214: Add paddings for TaskQueueSuper to reduce false-sharing cache contention + - JDK-8248219: aarch64: missing memory barrier in fast_storefield and fast_accessfield + - JDK-8248348: Regression caused by the update to BCEL 6.0 + - JDK-8248385: [testbug][11u] Adapt TestInitiExceptions to jtreg 5.1 + - JDK-8248495: [macos] zerovm is broken due to libffi headers location + - JDK-8248851: CMS: Missing memory fences between free chunk check and klass read + - JDK-8248987: AOT's Linker.java seems to eagerly fail-fast on Windows + - JDK-8249159: Downport test rework for SSLSocketTemplate from 8224650 + - JDK-8249215: JFrame::setVisible crashed with -Dfile.encoding=UTF-8 on Japanese Windows. + - JDK-8249251: [dark_mode ubuntu 20.04] The selected menu is not highlighted in GTKLookAndFeel + - JDK-8249255: Build fails if source code in cygwin home dir + - JDK-8249277: TestVerifyIterativeGVN.java is failing with timeout in OpenJDK 11 + - JDK-8249278: Revert JDK-8226253 which breaks the spec of AccessibleState.SHOWING for JList + - JDK-8249560: Shenandoah: Fix racy GC request handling + - JDK-8249801: Shenandoah: Clear soft-refs on requested GC cycle + - JDK-8249953: Shenandoah: gc/shenandoah/mxbeans tests should account for corner cases + - JDK-8250582: Revert Principal Name type to NT-UNKNOWN when requesting TGS Kerberos tickets + - JDK-8250609: C2 crash in IfNode::fold_compares + - JDK-8250627: Use -XX:+/-UseContainerSupport for enabling/disabling Java container metrics + - JDK-8250755: Better cleanup for jdk/test/javax/imageio/plugins/shared/CanWriteSequence.java + - JDK-8250787: Provider.put no longer registering aliases in FIPS env + - JDK-8250826: jhsdb does not work with coredump which comes from Substrate VM + - JDK-8250827: Shenandoah: needs to reset/finish StringTable's dead count before/after parallel walk + - JDK-8250844: Make sure {type,obj}ArrayOopDesc accessors check the bounds + - JDK-8251117: Cannot check P11Key size in P11Cipher and P11AEADCipher + - JDK-8251354: Shenandoah: Fix jdk/jfr/tool/TestPrintJSON.java test failure + - JDK-8251451: Shenandoah: Remark ObjectSynchronizer roots with I-U + - JDK-8251469: Better cleanup for test/jdk/javax/imageio/SetOutput.java + - JDK-8251487: Shenandoah: missing detail timing tracking for final mark cleaning phase + - JDK-8252120: compiler/oracle/TestCompileCommand.java misspells "occured" + - JDK-8252157: JDK-8231209 11u backport breaks jmm binary compatibility + - JDK-8252258: [11u] JDK-8242154 changes the default vendor + - JDK-8252804: [test] Fix 'ReleaseDeflater.java' test after downport of 8234011 + - JDK-8253134: JMM_VERSION should remain at 0x20020000 (JDK 10) in JDK 11 + - JDK-8253283: [11u] Test build/translations/VerifyTranslations.java failing after JDK-8252258 + - JDK-8253813: Backout JDK-8244287 from 11u: it causes several crashes + +Notes on individual issues: +=========================== + +core-libs/java.nio.charsets: + +JDK-8240196: Modified the MS950 charset Encoder's Conversion Table +================================================================== +In this release, some of the one-way byte-to-char mappings have been +aligned with the preferred mappings provided by the Unicode Consortium +(https://unicode.org/Public/MAPPINGS/VENDORS/MICSFT/WindowsBestFit/bestfit950.txt). + +core-libs/java.util:i18n: + +JDK-8238914: Localized Time Zone Name Inconsistency Between English and Other Locales +===================================================================================== +English time zone names provided by the CLDR locale provider are now +correctly synthesized following the CLDR spec, rather than substituted +from the COMPAT provider. For example, SHORT style names are no longer +synthesized abbreviations of LONG style names, but instead produce GMT +offset formats. + +core-svc/java.lang.management: + +JDK-8236876: OperatingSystemMXBean Methods Inside a Container Return Container Specific Data +============================================================================================ +When executing in a container, or other virtualized operating +environment, the following `OperatingSystemMXBean` methods in this +release return container specific information, if +available. Otherwise, they return host specific data: + +* getFreePhysicalMemorySize() +* getTotalPhysicalMemorySize() +* getFreeSwapSpaceSize() +* getTotalSwapSpaceSize() +* getSystemCpuLoad() + +security-libs/java.security: + +JDK-8250756: Added Entrust Root Certification Authority - G4 certificate +======================================================================== +The Entrust root certificate has been added to the cacerts truststore: + +Alias Name: entrustrootcag4 +Distinguished Name: CN=Entrust Root Certification Authority - G4, OU="(c) 2015 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US + +JDK-8250860: Added 3 SSL Corporation Root CA Certificates +========================================================= +The following root certificates have been added to the cacerts truststore for the SSL Corporation: + +Alias Name: sslrootrsaca +Distinguished Name: CN=SSL.com Root Certification Authority RSA, O=SSL Corporation, L=Houston, ST=Texas, C=US + +Alias Name: sslrootevrsaca +Distinguished Name: CN=SSL.com EV Root Certification Authority RSA R2, O=SSL Corporation, L=Houston, ST=Texas, C=US + +Alias Name: sslrooteccca +Distinguished Name: CN=SSL.com Root Certification Authority ECC, O=SSL Corporation, L=Houston, ST=Texas, C=US + +JDK-8236730: Weak Named Curves in TLS, CertPath, and Signed JAR Disabled by Default +=================================================================================== +Weak named curves are disabled by default by adding them to the +following `disabledAlgorithms` security properties: + +* jdk.tls.disabledAlgorithms +* jdk.certpath.disabledAlgorithms +* jdk.jar.disabledAlgorithms + +Red Hat has always disabled many of the curves provided by upstream, +so the only addition in this release is: + +* secp256k1 + +The curves that remain enabled are: + +* secp256r1 +* secp384r1 +* secp521r1 +* X25519 +* X448 + +When large numbers of weak named curves need to be disabled, adding +individual named curves to each `disabledAlgorithms` property would be +overwhelming. To relieve this, a new security property, +`jdk.disabled.namedCurves`, is implemented that can list the named +curves common to all of the `disabledAlgorithms` properties. To use +the new property in the `disabledAlgorithms` properties, precede the +full property name with the keyword `include`. Users can still add +individual named curves to `disabledAlgorithms` properties separate +from this new property. No other properties can be included in the +`disabledAlgorithms` properties. + +To restore the named curves, remove the `include +jdk.disabled.namedCurves` either from specific or from all +`disabledAlgorithms` security properties. To restore one or more +curves, remove the specific named curve(s) from the +`jdk.disabled.namedCurves` property. + +JDK-8244286: Tools Warn If Weak Algorithms Are Used Before Restricting Them +=========================================================================== +The `keytool` and `jarsigner` tools have been updated to warn users +about weak cryptographic algorithms being used before they are +disabled. In this release, the tools issue warnings for the SHA-1 hash +algorithm and 1024-bit RSA/DSA keys. + +security-libs/javax.net.ssl: + +JDK-8242147: New System Properties to Configure the TLS Signature Schemes +========================================================================= +Two new system properties have been added to customize the TLS +signature schemes in JDK. `jdk.tls.client.SignatureSchemes` has been +added for the TLS client side, and `jdk.tls.server.SignatureSchemes` +has been added for the server side. + +Each system property contains a comma-separated list of supported +signature scheme names specifying the signature schemes that could be +used for the TLS connections. + +The names are described in the "Signature Schemes" section of the +*Java Security Standard Algorithm Names Specification*. + +security-libs/javax.security: + +JDK-8242059: Support for canonicalize in krb5.conf +================================================== + +The 'canonicalize' flag in the [krb5.conf file][0] is now supported by +the JDK Kerberos implementation. When set to *true*, RFC 6806 [1] name +canonicalization is requested by clients in TGT requests to KDC +services (AS protocol). Otherwise, and by default, it is not +requested. + +The new default behavior is different from previous releases where +name canonicalization was always requested by clients in TGT requests +to KDC services (provided that support for RFC 6806[1] was not +explicitly disabled with the *sun.security.krb5.disableReferrals* +system or security properties). + +[0]: https://web.mit.edu/kerberos/krb5-devel/doc/admin/conf_files/krb5_conf.html +[1]: https://tools.ietf.org/html/rfc6806 + +JDK-8254177: US/Pacific-New Zone name removed as part of tzdata2020b +==================================================================== +Following JDK's update to tzdata2020b, the long-obsolete files +pacificnew and systemv have been removed. As a result, the +"US/Pacific-New" zone name declared in the pacificnew data file is no +longer available for use. + +Information regarding the update can be viewed at +https://mm.icann.org/pipermail/tz-announce/2020-October/000059.html + +New in release OpenJDK 11.0.8 (2020-07-14): +=========================================== +Live versions of these release notes can be found at: + * https://bitly.com/oj1108 + * https://builds.shipilev.net/backports-monitor/release-notes-11.0.8.txt + +* Security fixes + - JDK-8230613: Better ASCII conversions + - JDK-8231800: Better listing of arrays + - JDK-8232014: Expand DTD support + - JDK-8233234: Better Zip Naming + - JDK-8233239, CVE-2020-14562: Enhance TIFF support + - JDK-8233255: Better Swing Buttons + - JDK-8234032: Improve basic calendar services + - JDK-8234042: Better factory production of certificates + - JDK-8234418: Better parsing with CertificateFactory + - JDK-8234836: Improve serialization handling + - JDK-8236191: Enhance OID processing + - JDK-8236867, CVE-2020-14573: Enhance Graal interface handling + - JDK-8237117, CVE-2020-14556: Better ForkJoinPool behavior + - JDK-8237592, CVE-2020-14577: Enhance certificate verification + - JDK-8238002, CVE-2020-14581: Better matrix operations + - JDK-8238013: Enhance String writing + - JDK-8238804: Enhance key handling process + - JDK-8238842: AIOOBE in GIFImageReader.initializeStringTable + - JDK-8238843: Enhanced font handing + - JDK-8238920, CVE-2020-14583: Better Buffer support + - JDK-8238925: Enhance WAV file playback + - JDK-8240119, CVE-2020-14593: Less Affine Transformations + - JDK-8240482: Improved WAV file playback + - JDK-8241379: Update JCEKS support + - JDK-8241522: Manifest improved jar headers redux + - JDK-8242136, CVE-2020-14621: Better XML namespace handling +* Other changes + - JDK-6933331: (d3d/ogl) java.lang.IllegalStateException: Buffers have not been created + - JDK-7124307: JSpinner and changing value by mouse + - JDK-8022574: remove HaltNode code after uncommon trap calls + - JDK-8039082: [TEST_BUG] Test java/awt/dnd/BadSerializationTest/BadSerializationTest.java fails + - JDK-8040630: Popup menus and tooltips flicker with previous popup contents when first shown + - JDK-8044365: (dc) MulticastSendReceiveTests.java failing with ENOMEM when joining group (OS X 10.9) + - JDK-8048215: [TESTBUG] java/lang/management/ManagementFactory/ThreadMXBeanProxy.java Expected non-null LockInfo + - JDK-8051349: nsk/jvmti/scenarios/sampling/SP06/sp06t003 fails in nightly + - JDK-8080353: JShell: Better error message on attempting to add default method + - JDK-8139876: Exclude hanging nsk/stress/stack from execution with deoptimization enabled + - JDK-8146090: java/lang/ref/ReachabilityFenceTest.java fails with -XX:+DeoptimizeALot + - JDK-8153430: jdk regression test MletParserLocaleTest, ParserInfiniteLoopTest reduce default timeout + - JDK-8156207: Resource allocated BitMaps are often cleared unnecessarily + - JDK-8159740: JShell: corralled declarations do not have correct source to wrapper mapping + - JDK-8175984: ICC_Profile has un-needed, not-empty finalize method + - JDK-8176359: Frame#setMaximizedbounds not working properly in multi screen environments + - JDK-8183369: RFC unconformity of HttpURLConnection with proxy + - JDK-8187078: -XX:+VerifyOops finds numerous problems when running JPRT + - JDK-8191169: java/net/Authenticator/B4769350.java failed intermittently + - JDK-8191930: [Graal] emits unparseable XML into compile log + - JDK-8193879: Java debugger hangs on method invocation + - JDK-8196019: java/awt/Window/Grab/GrabTest.java fails on Windows + - JDK-8196181: sun/java2d/GdiRendering/InsetClipping.java fails + - JDK-8198000: java/awt/List/EmptyListEventTest/EmptyListEventTest.java debug assert on Windows + - JDK-8198001: java/awt/Menu/WrongParentAfterRemoveMenu/WrongParentAfterRemoveMenu.java debug assert on Windows + - JDK-8198339: Test javax/swing/border/Test6981576.java is unstable + - JDK-8200701: jdk/jshell/ExceptionsTest.java fails on Windows, after JDK-8198801 + - JDK-8203264: JNI exception pending in PlainDatagramSocketImpl.c:740 + - JDK-8203672: JNI exception pending in PlainSocketImpl.c + - JDK-8203673: JNI exception pending in DualStackPlainDatagramSocketImpl.c:398 + - JDK-8204834: Fix confusing "allocate" naming in OopStorage + - JDK-8205399: Set node color on pinned HashMap.TreeNode deletion + - JDK-8205653: test/jdk/sun/management/jmxremote/bootstrap/RmiRegistrySslTest.java and RmiSslBootstrapTest.sh fail with handshake_failure + - JDK-8206179: com/sun/management/OperatingSystemMXBean/GetCommittedVirtualMemorySize.java fails with Committed virtual memory size illegal value + - JDK-8207334: VM times out in VM_HandshakeAllThreads::doit() with RunThese30M + - JDK-8208277: Code cache heap (-XX:ReservedCodeCacheSize) doesn't work with 1GB LargePages + - JDK-8209113: Use WeakReference for lastFontStrike for created Fonts + - JDK-8209333: Socket reset issue for TLS 1.3 socket close + - JDK-8209439: C2 library_call can potentially ignore Math.pow intrinsic or use null pointer + - JDK-8209534: [TESTBUG]runtime/appcds/cacheObject/ArchivedModuleCompareTest.java fails with EnableJVMCI. + - JDK-8210147: adjust some WSAGetLastError usages in windows network coding + - JDK-8210284: "assert((av & 0x00000001) == 0) failed: unsupported V8" on Solaris 11.4 + - JDK-8210303: VM_HandshakeAllThreads fails assert with "failed: blocked and not walkable" + - JDK-8210515: [TESTBUG]CheckArchivedModuleApp.java needs to check if EnableJVMCI is set. + - JDK-8210788: Javadoc for Thread.join(long, int) should specify that it waits forever when both arguments are zero + - JDK-8211301: [macos] support full window content options + - JDK-8211332: Space for stub routines (code_size2) is too small on new Skylake CPUs + - JDK-8211339: NPE during SSL handshake caused by HostnameChecker + - JDK-8211392: compiler/profiling/spectrapredefineclass_classloaders/Launcher.java times out in JDK12 CI + - JDK-8211743: [AOT] crash in ScopeDesc::decode_body() when JVMTI walks AOT frames + - JDK-8212154: [TESTBUG] CheckArchivedModuleApp fails with NPE when JVMCI is absent + - JDK-8212167: JShell : Stack trace of exception has wrong line number + - JDK-8212933: Thread-SMR: requesting a VM operation whilst holding a ThreadsListHandle can cause deadlocks + - JDK-8212986: Make Visual Studio compiler check less strict + - JDK-8213250: CDS archive creation aborts due to metaspace object allocation failure + - JDK-8213516: jck test api/javax_accessibility/AccessibleState/fields.html fails intermittent + - JDK-8213947: ARM32: failed check_simd should set UsePopCountInstruction to false + - JDK-8214418: half-closed SSLEngine status may cause application dead loop + - JDK-8214440: ldap over a TLS connection negotiate failed with "javax.net.ssl.SSLPeerUnverifiedException: hostname of the server '' does not match the hostname in the server's certificate" + - JDK-8214444: Wrong strncat limits in dfa.cpp + - JDK-8214481: freetype path does not disable TrueType hinting with AA+FM hints + - JDK-8214571: -Xdoclint of array serialField gives "error: array type not allowed here" + - JDK-8214856: Errors with JSZip in web console after upgrade to 3.1.5 + - JDK-8214862: assert(proj != __null) at compile.cpp:3251 + - JDK-8215369: Jcstress pollute /var/tmp with temporary files. + - JDK-8215551: Missing case label in nmethod::reloc_string_for() + - JDK-8215555: TieredCompilation C2 threads can excessively block handshakes + - JDK-8215711: Missing key_share extension for (EC)DHE key exchange should alert missing_extension + - JDK-8216151: [Graal] Module jdk.internal.vm.compiler.management has not been granted accessClassInPackage.org.graalvm.compiler.debug + - JDK-8216154: C4819 warnings at HotSpot sources on Windows + - JDK-8216541: CompiledICHolders of VM locked unloaded nmethods are released too late + - JDK-8217230: assert(t == t_no_spec) failure in NodeHash::check_no_speculative_types() + - JDK-8217404: --with-jvm-features doesn't work when multiple features are explicitly disabled + - JDK-8217447: Develop flag TraceICs is broken + - JDK-8217606: LdapContext#reconnect always opens a new connection + - JDK-8218807: Compilation database (compile_commands.json) may contain obsolete items + - JDK-8219214: Infinite Loop in CodeSection::dump() + - JDK-8219904: ClassCastException when calling FlightRecorderMXBean#getRecordings() + - JDK-8219991: New fix of the deadlock in sun.security.ssl.SSLSocketImpl + - JDK-8221121: applications/microbenchmarks are encountering crashes in tier5 + - JDK-8221445: FastSysexMessage constructor crashes MIDI receiption thread + - JDK-8221482: Initialize VMRegImpl::regName[] earlier to prevent assert during PrintStubCode + - JDK-8221741: ClassCastException can happen when fontconfig.properties is used + - JDK-8221823: Requested JDialog width is ignored + - JDK-8223108: Test java/awt/EventQueue/NonComponentSourcePost.java is unstable + - JDK-8223935: PIT: java/awt/font/WindowsIndicFonts.java fails on windows10 + - JDK-8224109: Text spaced incorrectly by drawString under rotation with fractional metric + - JDK-8224632: testbug: java/awt/dnd/RemoveDropTargetCrashTest/RemoveDropTargetCrashTest.java fails on MacOS + - JDK-8224793: os::die() does not honor CreateCoredumpOnCrash option + - JDK-8224847: gc/stress/TestReclaimStringsLeaksMemory.java fails with reserved greater than expected + - JDK-8224931: disable JAOTC invokedynamic support until 8223533 is fixed + - JDK-8224997: ChaCha20-Poly1305 TLS cipher suite decryption throws ShortBufferException + - JDK-8225068: Remove DocuSign root certificate that is expiring in May 2020 + - JDK-8225069: Remove Comodo root certificate that is expiring in May 2020 + - JDK-8225126: Test SetBoundsPaintTest.html faild on Windows when desktop is scaled + - JDK-8225325: Add tests for redefining a class' private method during resolution of the bootstrap specifier + - JDK-8225622: [AOT] runtime/SharedArchiveFile/TestInterpreterMethodEntries.java crashed with AOTed java.base + - JDK-8225653: Provide more information when hitting SIGILL from HaltNode + - JDK-8225783: Incorrect use of binary operators on booleans in type.cpp + - JDK-8225789: Empty method parameter type should generate ClassFormatError + - JDK-8226198: use of & instead of && in LibraryCallKit::arraycopy_restore_alloc_state + - JDK-8226253: JAWS reports wrong number of radio buttons when buttons are hidden. + - JDK-8226653: [accessibility] Can edit text cell correctly, but Accessibility Tool reads nothing about editor + - JDK-8226806: [macOS 10.14] Methods of Java Robot should be called from appropriate thread + - JDK-8226879: Memory leak in Type::hashcons + - JDK-8227632: Incorrect PrintCompilation message: made not compilable on levels 0 1 2 3 4 + - JDK-8228407: JVM crashes with shared archive file mismatch + - JDK-8228482: fix xlc16/xlclang comparison of distinct pointer types and string literal conversion warnings + - JDK-8228757: Fail fast if the handshake type is unknown + - JDK-8229158: make UseSwitchProfiling non-experimental or false by-default + - JDK-8229421: The logic of java/net/ipv6tests/TcpTest.java is flawed + - JDK-8229855: C2 fails with assert(false) failed: bad AD file + - JDK-8230591: AArch64: Missing intrinsics for Math.ceil, floor, rint + - JDK-8231118: ARM32: Math tests failures + - JDK-8231213: Migrate SimpleDateFormatConstTest to JDK Repo + - JDK-8231243: [TESTBUG] CustomFont.java cannot find font file + - JDK-8231438: [macOS] Dark mode for the desktop is not supported + - JDK-8231550: C2: ShouldNotReachHere() in verify_strip_mined_scheduling + - JDK-8231564: setMaximizedBounds is broken with large display scale and multiple monitors + - JDK-8231572: Use -lobjc instead of -fobjc-link-runtime in libosxsecurity + - JDK-8231631: sun/net/ftp/FtpURLConnectionLeak.java fails intermittently with NPE + - JDK-8231671: Fix copyright headers in hotspot (missing comma after year) + - JDK-8231720: Some perf regressions after 8225653 + - JDK-8231779: crash HeapWord*ParallelScavengeHeap::failed_mem_allocate + - JDK-8231863: Crash if classpath is read from @argument file and the main gets option argument + - JDK-8232080: jlink plugins for vendor information and run-time options + - JDK-8232106: [x86] C2: SIGILL due to usage of SSSE3 instructions on processors which don't support it + - JDK-8232134: Change to Visual Studio 2017 15.9.16 for building on Windows at Oracle + - JDK-8232226: [macos 10.15] test/jdk/java/awt/color/EqualityTest/EqualityTest.java may fail + - JDK-8232357: Compare version info of Santuario to legal notice + - JDK-8232572: Add hooks for custom output dir in Bundles.gmk + - JDK-8232634: Problem List ICMColorDataTest.java + - JDK-8232748: Build static versions of certain JDK libraries + - JDK-8232846: ProcessHandle.Info command with non-English shows question marks + - JDK-8233033: C2 produces wrong result while unswitching a loop due to lost control dependencies + - JDK-8233137: runtime/ErrorHandling/VeryEarlyAssertTest.java fails after 8232080 + - JDK-8233197: Invert JvmtiExport::post_vm_initialized() and Jfr:on_vm_start() start-up order for correct option parsing + - JDK-8233291: [TESTBUG] tools/jlink/plugins/VendorInfoPluginsTest.java fails with debug or non-server VMs + - JDK-8233364: Fix undefined behavior in Canonicalizer::do_ShiftOp + - JDK-8233573: Toolkit.getScreenInsets(GraphicsConfiguration) may throw ClassCastException + - JDK-8233608: Minimal build broken after JDK-8233494 + - JDK-8233621: Mismatch in jsse.enableMFLNExtension property name + - JDK-8233696: [TESTBUG]Some jtreg tests fail when CAPS_LOCK is ON + - JDK-8233707: systemScale.cpp could not compile with VS2019 + - JDK-8233801: GCMEmptyIv.java test fails on Solaris 11.4 + - JDK-8233880: Support compilers with multi-digit major version numbers + - JDK-8233920: MethodHandles::tryFinally generates illegal bytecode for long/double return type + - JDK-8234137: The "AutoTestOnTop.java" test may run external applications + - JDK-8234146: compiler/jsr292/ContinuousCallSiteTargetChange.java times out on SPARC + - JDK-8234184: [TESTBUG] java/awt/Mouse/EnterExitEvents/ModalDialogEnterExitEventsTest.java fails in Windows + - JDK-8234270: [REDO] JDK-8204128 NMT might report incorrect numbers for Compiler area + - JDK-8234332: [TESTBUG] java/awt/Focus/DisposedWindow/DisposeDialogNotActivateOwnerTest/DisposeDialogNotActivateOwnerTest.java fails on linux-x64 nightly + - JDK-8234398: Replace ID2D1Factory::GetDesktopDpi with GetDeviceCaps + - JDK-8234522: [macos] Crash with use of native file dialog + - JDK-8234691: Potential double-free in ParallelSPCleanupTask constructor + - JDK-8234696: tools/jlink/plugins/VendorInfoPluginsTest.java times out + - JDK-8234727: sun/security/ssl/X509TrustManagerImpl tests support TLSv1.3 + - JDK-8234728: Some security tests should support TLSv1.3 + - JDK-8234779: Provide idiom for declaring classes noncopyable + - JDK-8234968: check calloc rv in libinstrument InvocationAdapter + - JDK-8235153: [TESTBUG] [macos 10.15] java/awt/Graphics/DrawImageBG/SystemBgColorTest.java fails + - JDK-8235183: Remove the "HACK CODE" in comment + - JDK-8235263: Revert TLS 1.3 change that wrapped IOExceptions + - JDK-8235311: Tag mismatch may alert bad_record_mac + - JDK-8235332: TestInstanceCloneAsLoadsStores.java fails with -XX:+StressGCM + - JDK-8235452: Strip mined loop verification fails with assert(is_OuterStripMinedLoop()) failed: invalid node class + - JDK-8235584: UseProfiledLoopPredicate fails with assert(_phase->get_loop(c) == loop) failed: have to be in the same loop + - JDK-8235620: Broken merge between JDK-8006406 and JDK-8003559 + - JDK-8235638: NPE in LWWindowPeer.getOnscreenGraphics() + - JDK-8235686: Add more custom hooks in Bundles.gmk + - JDK-8235739: Rare NPE at WComponentPeer.getGraphics() + - JDK-8235762: JVM crash in SWPointer during C2 compilation + - JDK-8235834: IBM-943 charset encoder needs updating + - JDK-8235874: The ordering of Cipher Suites is not maintained provided through jdk.tls.client.cipherSuites and jdk.tls.server.cipherSuites system property. + - JDK-8235908: omit ThreadPriorityPolicy warning when value is set from image + - JDK-8235984: C2: assert(out->in(PhiNode::Region) == head || out->in(PhiNode::Region) == slow_head) failed: phi must be either part of the slow or the fast loop + - JDK-8236211: [Graal] compiler/graalunit/GraphTest.java is skipped in all testing + - JDK-8236470: Deal with ECDSA using ecdsa-with-SHA2 plus hash algorithm as AlgorithmId + - JDK-8236545: Compilation error in mach5 java/awt/FileDialog/MacOSGoToFolderCrash.java + - JDK-8236700: Upgrading JSZip from v3.1.5 to v3.2.2 + - JDK-8236759: ShouldNotReachHere in PhaseIdealLoop::verify_strip_mined_scheduling + - JDK-8236897: Fix the copyright header for pkcs11gcm2.h + - JDK-8236921: Add build target to produce a JDK image suitable for a Graal/SVM build + - JDK-8236953: [macos] JavaFX SwingNode is not rendered on macOS + - JDK-8236996: Incorrect Roboto font rendering on Windows with subpixel antialiasing + - JDK-8237045: JVM uses excessive memory with -XX:+EnableJVMCI -XX:JVMCICounterSize=2147483648 + - JDK-8237055: [TESTBUG] compiler/c2/TestJumpTable.java fails with release VMs + - JDK-8237086: assert(is_MachReturn()) running CTW with fix for JDK-8231291 + - JDK-8237192: Generate stripped/public pdbs on Windows for jdk images + - JDK-8237396: JvmtiTagMap::weak_oops_do() should not trigger barriers + - JDK-8237474: Default SSLEngine should create in server role + - JDK-8237859: C2: Crash when loads float above range check + - JDK-8237951: CTW: C2 compilation fails with "malformed control flow" + - JDK-8237962: give better error output for invalid OCSP response intervals in CertPathValidator checks + - JDK-8238190: [JVMCI] Fix single implementor speculation for diamond shapes. + - JDK-8238356: CodeHeap::blob_count() overestimates the number of blobs + - JDK-8238452: Keytool generates wrong expiration date if validity is set to 2050/01/01 + - JDK-8238555: Allow Initialization of SunPKCS11 with NSS when there are external FIPS modules in the NSSDB + - JDK-8238575: DragSourceEvent.getLocation() returns wrong value on HiDPI screens (Windows) + - JDK-8238676: jni crashes on accessing it from process exit hook + - JDK-8238721: Add failing client jtreg tests to the Problem List + - JDK-8238738: AudioSystem.getMixerInfo() takes about 30 sec to report a gone audio device + - JDK-8238756: C2: assert(((n) == __null || !VerifyIterativeGVN || !((n)->is_dead()))) failed: can not use dead node + - JDK-8238765: PhaseCFG::schedule_pinned_nodes cannot handle precedence edges from unmatched CFG nodes correctly + - JDK-8238898: Missing hash characters for header on license file + - JDK-8238942: Rendering artifacts with LCD text and fractional metrics + - JDK-8238985: [TESTBUG] The arrow image is blue instead of green + - JDK-8239000: handle ContendedPaddingWidth in vm_version_ppc + - JDK-8239055: Wrong implementation of VMState.hasListener + - JDK-8239091: Reversed arguments in call to strstr in freetype "debug" code. + - JDK-8239142: C2's UseUniqueSubclasses optimization is broken for array accesses + - JDK-8239224: libproc_impl.c previous_thr may be used uninitialized warning + - JDK-8239351: Give more meaningful InternalError messages in Deflater.c + - JDK-8239365: ProcessBuilder test modifications for AIX execution + - JDK-8239456: vtable stub generation: assert failure (code size estimate) + - JDK-8239457: call ReleaseStringUTFChars before early returns in Java_sun_security_pkcs11_wrapper_PKCS11_connect + - JDK-8239462: jdk.hotspot.agent misses some ReleaseStringUTFChars calls in case of early returns + - JDK-8239557: [TESTBUG] VeryEarlyAssertTest.java validating "END." marker at lastline is not always true + - JDK-8239787: AArch64: String.indexOf may incorrectly handle empty strings + - JDK-8239792: Bump update version for OpenJDK: jdk-11.0.8 + - JDK-8239798: SSLSocket closes socket both socket endpoints on a SocketTimeoutException + - JDK-8239819: XToolkit: Misread of screen information memory + - JDK-8239852: java/util/concurrent tests fail with -XX:+VerifyGraphEdges: assert(!VerifyGraphEdges) failed: verification should have failed + - JDK-8239893: Windows handle Leak when starting processes using ProcessBuilder + - JDK-8239915: Zero VM crashes when handling dynamic constant + - JDK-8239931: [win][x86] vtable stub generation: assert failure (code size estimate) follow-up + - JDK-8239976: Put JDK-8239965 on the ProblemList.txt + - JDK-8240073: Fix 'test-make' build target in 11u + - JDK-8240197: Cannot start JVM when $JAVA_HOME includes CJK characters + - JDK-8240202: A few client tests leave mouse buttons pressed + - JDK-8240220: IdealLoopTree::dump_head predicate printing is broken + - JDK-8240223: Use consistent predicate order in and with PhaseIdealLoop::find_predicate + - JDK-8240227: Loop predicates should be copied to unswitched loops + - JDK-8240286: [TESTBUG] Test command error in hotspot/jtreg/compiler/loopopts/superword/SumRedAbsNeg_Float.java + - JDK-8240518: Incorrect JNU_ReleaseStringPlatformChars in Windows Print + - JDK-8240529: CheckUnhandledOops breaks NULL check in Modules::define_module + - JDK-8240576: JVM crashes after transformation in C2 IdealLoopTree::merge_many_backedges + - JDK-8240603: Windows 32bit compile error after 8238676 + - JDK-8240629: argfiles parsing broken for argfiles with comment cross 4096 bytes chunk + - JDK-8240711: TestJstatdPort.java failed due to "ExportException: Port already in use:" + - JDK-8240786: [TESTBUG] The test java/awt/Window/GetScreenLocation/GetScreenLocationTest.java fails on HiDPI screen + - JDK-8240824: enhance print_full_memory_info on Linux by THP related information + - JDK-8240827: Downport SSLSocketImpl.java from "8221882: Use fiber-friendly java.util.concurrent.locks in JSSE" + - JDK-8240905: assert(mem == (Node*)1 || mem == mem2) failed: multiple Memories being matched at once? + - JDK-8240972: macOS codesign fail on macOS 10.13.5 or older + - JDK-8241445: Fix copyright in test/jdk/tools/launcher/ArgFileSyntax.java + - JDK-8241458: [JVMCI] add mark value to expose CodeOffsets::Frame_Complete + - JDK-8241464: [11u] Backport: make rehashing be a needed guaranteed safepoint cleanup action + - JDK-8241556: Memory leak if -XX:CompileCommand is set + - JDK-8241568: (fs) UserPrincipalLookupService.lookupXXX failure with IOE "Operation not permitted" + - JDK-8241586: compiler/cpuflags/TestAESIntrinsicsOnUnsupportedConfig.java fails on aarch64 + - JDK-8241638: launcher time metrics always report 1 on Linux when _JAVA_LAUNCHER_DEBUG set + - JDK-8241660: Add virtualization information output to hs_err file on macOS + - JDK-8241808: [TESTBUG] The JDK-8039467 bug appeared on macOS + - JDK-8241888: Mirror jdk.security.allowNonCaAnchor system property with a security one + - JDK-8241900: Loop unswitching may cause dependence on null check to be lost + - JDK-8241948: enhance list of environment variables printed in hs_err file + - JDK-8241996: on linux set full relro in the linker flags + - JDK-8242108: Performance regression after fix for JDK-8229496 + - JDK-8242141: New System Properties to configure the TLS signature schemes + - JDK-8242154: Backport parts of JDK-4947890 to OpenJDK 11u + - JDK-8242174: [macos] The NestedModelessDialogTest test make the macOS unstable + - JDK-8242239: [Graal] javax/management/generified/GenericTest.java fails: FAILED: queryMBeans sets same + - JDK-8242294: JSSE Client does not throw SSLException when an alert occurs during handshaking + - JDK-8242379: [TESTBUG] compiler/loopopts/TestLoopUnswitchingLostCastDependency.java fails with release VMs + - JDK-8242470: Update Xerces to Version 2.12.1 + - JDK-8242498: Invalid "sun.awt.TimedWindowEvent" object leads to JVM crash + - JDK-8242541: Small charset issues (ISO8859-16, x-eucJP-Open, x-IBM834 and x-IBM949C) + - JDK-8242626: enhance posix print_rlimit_info + - JDK-8243059: Build fails when --with-vendor-name contains a comma + - JDK-8243539: Copyright info (Year) should be updated for fix of 8241638 + - JDK-8243541: (tz) Upgrade time-zone data to tzdata2020a + - JDK-8244407: JVM crashes after transformation in C2 IdealLoopTree::split_fall_in + - JDK-8244520: problemlist java/awt/font/Rotate/RotatedFontTest.java on linux + - JDK-8244777: ClassLoaderStats VM Op uses constant hash value + - JDK-8244853: The static build of libextnet is missing the JNI_OnLoad_extnet function + - JDK-8244951: Missing entitlements for hardened runtime + - JDK-8245047: [PPC64] C2: ReverseBytes + Load always match to unordered Load (acquire semantics missing) + - JDK-8245649: Revert 8245397 backport of 8230591 + - JDK-8246031: SSLSocket.getSession() doesn't close connection for timeout/ interrupts + - JDK-8246613: Choose the default SecureRandom algo based on registration ordering + - JDK-8248505: Unexpected NoSuchAlgorithmException when using secure random impl from BCFIPS provider + +Notes on individual issues: +=========================== + +security-libs/java.security: + +JDK-8244167: Removal of Comodo Root CA Certificate +================================================== +The following expired Comodo root CA certificate was removed from the `cacerts` keystore: + +alias name "addtrustclass1ca [jdk]" + +Distinguished Name: CN=AddTrust Class 1 CA Root, OU=AddTrust TTP Network, O=AddTrust AB, C=SE + +JDK-8244166: Removal of DocuSign Root CA Certificate +==================================================== +The following expired DocuSign root CA certificate was removed from the `cacerts` keystore: + +alias name "keynectisrootca [jdk]" + +Distinguished Name: CN=KEYNECTIS ROOT CA, OU=ROOT, O=KEYNECTIS, C=FR + +security-libs/javax.crypto:pkcs11: + +JDK-8240191: Allow SunPKCS11 initialization with NSS when external FIPS modules are present in the Security Modules Database +============================================================================================================================ +The SunPKCS11 security provider can now be initialized with NSS when +FIPS-enabled external modules are configured in the Security Modules +Database (NSSDB). Prior to this change, the SunPKCS11 provider would +throw a RuntimeException with the message: "FIPS flag set for +non-internal module" when such a library was configured for NSS in +non-FIPS mode. + +This change allows the JDK to work properly with recent NSS releases +in GNU/Linux operating systems when the system-wide FIPS policy is +turned on. + +Further information can be found in JDK-8238555. + +security-libs/javax.net.ssl: + +JDK-8245077: Default SSLEngine Should Create in Server Role +=========================================================== +In JDK 11 and later, `javax.net.ssl.SSLEngine` by default used client +mode when handshaking. As a result, the set of default enabled +protocols may differ to what is expected. `SSLEngine` would usually be +used in server mode. From this JDK release onwards, `SSLEngine` will +default to server mode. The +`javax.net.ssl.SSLEngine.setUseClientMode(boolean mode)` method may +be used to configure the mode. + +JDK-8242147: New System Properties to Configure the TLS Signature Schemes +========================================================================= + +Two new System Properties are added to customize the TLS signature +schemes in JDK. `jdk.tls.client.SignatureSchemes` is added for TLS +client side, and `jdk.tls.server.SignatureSchemes` is added for server +side. + +Each System Property contains a comma-separated list of supported +signature scheme names specifying the signature schemes that could be +used for the TLS connections. + +The names are described in the "Signature Schemes" section of the +*Java Security Standard Algorithm Names Specification*. + New in release OpenJDK 11.0.7 (2020-04-14): =========================================== Live versions of these release notes can be found at: diff --git a/SOURCES/jdk8236512-pkcs11_incorrrect_session_closure.patch b/SOURCES/jdk8236512-pkcs11_incorrrect_session_closure.patch new file mode 100644 index 0000000..bba7287 --- /dev/null +++ b/SOURCES/jdk8236512-pkcs11_incorrrect_session_closure.patch @@ -0,0 +1,480 @@ +# HG changeset patch +# User valeriep +# Date 1581468987 0 +# Wed Feb 12 00:56:27 2020 +0000 +# Node ID e47d22d82b0464720ccb7641e290080972b6ce88 +# Parent 5c41dc4c48f85e5a1e1ce6e3836b54674f273367 +8236512: PKCS11 Connection closed after Cipher.doFinal and NoPadding +Summary: Removed killSession() calls in certain impl classes when cancelling operations +Reviewed-by: xuelei + +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11AEADCipher.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11AEADCipher.java +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11AEADCipher.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11AEADCipher.java +@@ -1,4 +1,5 @@ +-/* Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. ++/* ++ * Copyright (c) 2019, 2020, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it +@@ -334,25 +335,25 @@ + } + + private void cancelOperation() { ++ // cancel operation by finishing it; avoid killSession as some ++ // hardware vendors may require re-login ++ int bufLen = doFinalLength(0); ++ byte[] buffer = new byte[bufLen]; ++ byte[] in = dataBuffer.toByteArray(); ++ int inLen = in.length; + try { +- if (session.hasObjects() == false) { +- session = token.killSession(session); +- return; ++ if (encrypt) { ++ token.p11.C_Encrypt(session.id(), 0, in, 0, inLen, ++ 0, buffer, 0, bufLen); + } else { +- // cancel operation by finishing it +- int bufLen = doFinalLength(0); +- byte[] buffer = new byte[bufLen]; +- +- if (encrypt) { +- token.p11.C_Encrypt(session.id(), 0, buffer, 0, bufLen, +- 0, buffer, 0, bufLen); +- } else { +- token.p11.C_Decrypt(session.id(), 0, buffer, 0, bufLen, +- 0, buffer, 0, bufLen); +- } ++ token.p11.C_Decrypt(session.id(), 0, in, 0, inLen, ++ 0, buffer, 0, bufLen); + } + } catch (PKCS11Exception e) { +- throw new ProviderException("Cancel failed", e); ++ if (encrypt) { ++ throw new ProviderException("Cancel failed", e); ++ } ++ // ignore failure for decryption + } + } + +@@ -434,18 +435,21 @@ + if (!initialized) { + return; + } ++ initialized = false; ++ + try { + if (session == null) { + return; + } ++ + if (doCancel && token.explicitCancel) { + cancelOperation(); + } + } finally { + p11Key.releaseKeyID(); + session = token.releaseSession(session); ++ dataBuffer.reset(); + } +- initialized = false; + } + + // see JCE spec +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved. ++ * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it +@@ -409,10 +409,12 @@ + return; + } + initialized = false; ++ + try { + if (session == null) { + return; + } ++ + if (doCancel && token.explicitCancel) { + cancelOperation(); + } +@@ -426,22 +428,21 @@ + + private void cancelOperation() { + token.ensureValid(); +- if (session.hasObjects() == false) { +- session = token.killSession(session); +- return; +- } else { +- try { +- // cancel operation by finishing it +- int bufLen = doFinalLength(0); +- byte[] buffer = new byte[bufLen]; +- if (encrypt) { +- token.p11.C_EncryptFinal(session.id(), 0, buffer, 0, bufLen); +- } else { +- token.p11.C_DecryptFinal(session.id(), 0, buffer, 0, bufLen); +- } +- } catch (PKCS11Exception e) { ++ // cancel operation by finishing it; avoid killSession as some ++ // hardware vendors may require re-login ++ try { ++ int bufLen = doFinalLength(0); ++ byte[] buffer = new byte[bufLen]; ++ if (encrypt) { ++ token.p11.C_EncryptFinal(session.id(), 0, buffer, 0, bufLen); ++ } else { ++ token.p11.C_DecryptFinal(session.id(), 0, buffer, 0, bufLen); ++ } ++ } catch (PKCS11Exception e) { ++ if (encrypt) { + throw new ProviderException("Cancel failed", e); + } ++ // ignore failure for decryption + } + } + +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Mac.java +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved. ++ * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it +@@ -124,10 +124,12 @@ + return; + } + initialized = false; ++ + try { + if (session == null) { + return; + } ++ + if (doCancel && token.explicitCancel) { + cancelOperation(); + } +@@ -139,15 +141,12 @@ + + private void cancelOperation() { + token.ensureValid(); +- if (session.hasObjects() == false) { +- session = token.killSession(session); +- return; +- } else { +- try { +- token.p11.C_SignFinal(session.id(), 0); +- } catch (PKCS11Exception e) { +- throw new ProviderException("Cancel failed", e); +- } ++ // cancel operation by finishing it; avoid killSession as some ++ // hardware vendors may require re-login ++ try { ++ token.p11.C_SignFinal(session.id(), 0); ++ } catch (PKCS11Exception e) { ++ throw new ProviderException("Cancel failed", e); + } + } + +@@ -209,7 +208,6 @@ + ensureInitialized(); + return token.p11.C_SignFinal(session.id(), 0); + } catch (PKCS11Exception e) { +- reset(true); + throw new ProviderException("doFinal() failed", e); + } finally { + reset(false); +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11PSSSignature.java +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. ++ * Copyright (c) 2019, 2020, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it +@@ -223,10 +223,12 @@ + return; + } + initialized = false; ++ + try { + if (session == null) { + return; + } ++ + if (doCancel && token.explicitCancel) { + cancelOperation(); + } +@@ -242,14 +244,10 @@ + token.ensureValid(); + if (DEBUG) System.out.print("Cancelling operation"); + +- if (session.hasObjects() == false) { +- if (DEBUG) System.out.println(" by killing session"); +- session = token.killSession(session); +- return; +- } +- // "cancel" operation by finishing it +- if (mode == M_SIGN) { +- try { ++ // cancel operation by finishing it; avoid killSession as some ++ // hardware vendors may require re-login ++ try { ++ if (mode == M_SIGN) { + if (type == T_UPDATE) { + if (DEBUG) System.out.println(" by C_SignFinal"); + token.p11.C_SignFinal(session.id(), 0); +@@ -259,11 +257,7 @@ + if (DEBUG) System.out.println(" by C_Sign"); + token.p11.C_Sign(session.id(), digest); + } +- } catch (PKCS11Exception e) { +- throw new ProviderException("cancel failed", e); +- } +- } else { // M_VERIFY +- try { ++ } else { // M_VERIFY + byte[] signature = + new byte[(p11Key.length() + 7) >> 3]; + if (type == T_UPDATE) { +@@ -275,10 +269,12 @@ + if (DEBUG) System.out.println(" by C_Verify"); + token.p11.C_Verify(session.id(), digest, signature); + } +- } catch (PKCS11Exception e) { +- // will fail since the signature is incorrect +- // XXX check error code + } ++ } catch (PKCS11Exception e) { ++ if (mode == M_SIGN) { ++ throw new ProviderException("cancel failed", e); ++ } ++ // ignore failure for verification + } + } + +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11RSACipher.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11RSACipher.java +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11RSACipher.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11RSACipher.java +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved. ++ * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it +@@ -247,10 +247,12 @@ + return; + } + initialized = false; ++ + try { + if (session == null) { + return; + } ++ + if (doCancel && token.explicitCancel) { + cancelOperation(); + } +@@ -264,36 +266,33 @@ + // state variables such as "initialized" + private void cancelOperation() { + token.ensureValid(); +- if (session.hasObjects() == false) { +- session = token.killSession(session); +- return; +- } else { +- try { +- PKCS11 p11 = token.p11; +- int inLen = maxInputSize; +- int outLen = buffer.length; +- long sessId = session.id(); +- switch (mode) { +- case MODE_ENCRYPT: +- p11.C_Encrypt(sessId, 0, buffer, 0, inLen, 0, buffer, 0, outLen); +- break; +- case MODE_DECRYPT: +- p11.C_Decrypt(sessId, 0, buffer, 0, inLen, 0, buffer, 0, outLen); +- break; +- case MODE_SIGN: +- byte[] tmpBuffer = new byte[maxInputSize]; +- p11.C_Sign(sessId, tmpBuffer); +- break; +- case MODE_VERIFY: +- p11.C_VerifyRecover(sessId, buffer, 0, inLen, buffer, +- 0, outLen); +- break; +- default: +- throw new ProviderException("internal error"); +- } +- } catch (PKCS11Exception e) { +- // XXX ensure this always works, ignore error ++ // cancel operation by finishing it; avoid killSession as some ++ // hardware vendors may require re-login ++ try { ++ PKCS11 p11 = token.p11; ++ int inLen = maxInputSize; ++ int outLen = buffer.length; ++ long sessId = session.id(); ++ switch (mode) { ++ case MODE_ENCRYPT: ++ p11.C_Encrypt(sessId, 0, buffer, 0, inLen, 0, buffer, 0, outLen); ++ break; ++ case MODE_DECRYPT: ++ p11.C_Decrypt(sessId, 0, buffer, 0, inLen, 0, buffer, 0, outLen); ++ break; ++ case MODE_SIGN: ++ byte[] tmpBuffer = new byte[maxInputSize]; ++ p11.C_Sign(sessId, tmpBuffer); ++ break; ++ case MODE_VERIFY: ++ p11.C_VerifyRecover(sessId, buffer, 0, inLen, buffer, ++ 0, outLen); ++ break; ++ default: ++ throw new ProviderException("internal error"); + } ++ } catch (PKCS11Exception e) { ++ // XXX ensure this always works, ignore error + } + } + +@@ -362,6 +361,7 @@ + private int implDoFinal(byte[] out, int outOfs, int outLen) + throws BadPaddingException, IllegalBlockSizeException { + if (bufOfs > maxInputSize) { ++ reset(true); + throw new IllegalBlockSizeException("Data must not be longer " + + "than " + maxInputSize + " bytes"); + } +diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java +--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java ++++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Signature.java +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2003, 2019, Oracle and/or its affiliates. All rights reserved. ++ * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it +@@ -270,10 +270,12 @@ + return; + } + initialized = false; ++ + try { + if (session == null) { + return; + } ++ + if (doCancel && token.explicitCancel) { + cancelOperation(); + } +@@ -284,59 +286,51 @@ + } + + private void cancelOperation() { +- + token.ensureValid(); +- if (session.hasObjects() == false) { +- session = token.killSession(session); +- return; +- } else { +- // "cancel" operation by finishing it +- // XXX make sure all this always works correctly ++ // cancel operation by finishing it; avoid killSession as some ++ // hardware vendors may require re-login ++ try { + if (mode == M_SIGN) { +- try { +- if (type == T_UPDATE) { +- token.p11.C_SignFinal(session.id(), 0); +- } else { +- byte[] digest; +- if (type == T_DIGEST) { +- digest = md.digest(); +- } else { // T_RAW +- digest = buffer; +- } +- token.p11.C_Sign(session.id(), digest); ++ if (type == T_UPDATE) { ++ token.p11.C_SignFinal(session.id(), 0); ++ } else { ++ byte[] digest; ++ if (type == T_DIGEST) { ++ digest = md.digest(); ++ } else { // T_RAW ++ digest = buffer; + } +- } catch (PKCS11Exception e) { +- throw new ProviderException("cancel failed", e); ++ token.p11.C_Sign(session.id(), digest); + } + } else { // M_VERIFY + byte[] signature; +- try { +- if (keyAlgorithm.equals("DSA")) { +- signature = new byte[40]; +- } else { +- signature = new byte[(p11Key.length() + 7) >> 3]; ++ if (keyAlgorithm.equals("DSA")) { ++ signature = new byte[40]; ++ } else { ++ signature = new byte[(p11Key.length() + 7) >> 3]; ++ } ++ if (type == T_UPDATE) { ++ token.p11.C_VerifyFinal(session.id(), signature); ++ } else { ++ byte[] digest; ++ if (type == T_DIGEST) { ++ digest = md.digest(); ++ } else { // T_RAW ++ digest = buffer; + } +- if (type == T_UPDATE) { +- token.p11.C_VerifyFinal(session.id(), signature); +- } else { +- byte[] digest; +- if (type == T_DIGEST) { +- digest = md.digest(); +- } else { // T_RAW +- digest = buffer; +- } +- token.p11.C_Verify(session.id(), digest, signature); +- } +- } catch (PKCS11Exception e) { +- long errorCode = e.getErrorCode(); +- if ((errorCode == CKR_SIGNATURE_INVALID) || +- (errorCode == CKR_SIGNATURE_LEN_RANGE)) { +- // expected since signature is incorrect +- return; +- } +- throw new ProviderException("cancel failed", e); ++ token.p11.C_Verify(session.id(), digest, signature); + } + } ++ } catch (PKCS11Exception e) { ++ if (mode == M_VERIFY) { ++ long errorCode = e.getErrorCode(); ++ if ((errorCode == CKR_SIGNATURE_INVALID) || ++ (errorCode == CKR_SIGNATURE_LEN_RANGE)) { ++ // expected since signature is incorrect ++ return; ++ } ++ } ++ throw new ProviderException("cancel failed", e); + } + } + diff --git a/SOURCES/jdk8250861-rh1895274-crash_in_MinINode_Ideal.patch b/SOURCES/jdk8250861-rh1895274-crash_in_MinINode_Ideal.patch new file mode 100644 index 0000000..b00022f --- /dev/null +++ b/SOURCES/jdk8250861-rh1895274-crash_in_MinINode_Ideal.patch @@ -0,0 +1,32 @@ + +# HG changeset patch +# User thartmann +# Date 1604482955 -3600 +# Node ID 27723943c0dd65a191cbefe031cec001521e4b13 +# Parent e9d90c9daf895b469b461b727b6887e7780b4ac2 +8250861: Crash in MinINode::Ideal(PhaseGVN*, bool) +Summary: Added missing NULL checks. +Reviewed-by: kvn, chagedorn + +diff -r e9d90c9daf89 -r 27723943c0dd src/hotspot/share/opto/addnode.cpp +--- a/src/hotspot/share/opto/addnode.cpp Mon Nov 02 20:20:05 2020 +0100 ++++ b/src/hotspot/share/opto/addnode.cpp Wed Nov 04 10:42:35 2020 +0100 +@@ -917,7 +917,7 @@ + + // Transform MIN2(x + c0, MIN2(x + c1, z)) into MIN2(x + MIN2(c0, c1), z) + // if x == y and the additions can't overflow. +- if (phase->eqv(x,y) && ++ if (phase->eqv(x,y) && tx != NULL && + !can_overflow(tx, x_off) && + !can_overflow(tx, y_off)) { + return new MinINode(phase->transform(new AddINode(x, phase->intcon(MIN2(x_off, y_off)))), r->in(2)); +@@ -925,7 +925,7 @@ + } else { + // Transform MIN2(x + c0, y + c1) into x + MIN2(c0, c1) + // if x == y and the additions can't overflow. +- if (phase->eqv(x,y) && ++ if (phase->eqv(x,y) && tx != NULL && + !can_overflow(tx, x_off) && + !can_overflow(tx, y_off)) { + return new AddINode(x,phase->intcon(MIN2(x_off,y_off))); + diff --git a/SOURCES/jdk8254177-tzdata2020b.patch b/SOURCES/jdk8254177-tzdata2020b.patch new file mode 100644 index 0000000..a9f3282 --- /dev/null +++ b/SOURCES/jdk8254177-tzdata2020b.patch @@ -0,0 +1,2041 @@ +# 8254177: (tz) Upgrade time-zone data to tzdata2020b + +diff --git a/make/data/tzdata/VERSION b/make/data/tzdata/VERSION +--- a/make/data/tzdata/VERSION ++++ b/make/data/tzdata/VERSION +@@ -21,4 +21,4 @@ + # or visit www.oracle.com if you need additional information or have any + # questions. + # +-tzdata2020a ++tzdata2020b +diff --git a/make/data/tzdata/africa b/make/data/tzdata/africa +--- a/make/data/tzdata/africa ++++ b/make/data/tzdata/africa +@@ -87,7 +87,7 @@ + # Corrections are welcome. + + # Algeria +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Algeria 1916 only - Jun 14 23:00s 1:00 S + Rule Algeria 1916 1919 - Oct Sun>=1 23:00s 0 - + Rule Algeria 1917 only - Mar 24 23:00s 1:00 S +@@ -110,10 +110,9 @@ + Rule Algeria 1978 only - Sep 22 3:00 0 - + Rule Algeria 1980 only - Apr 25 0:00 1:00 S + Rule Algeria 1980 only - Oct 31 2:00 0 - +-# Shanks & Pottenger give 0:09:20 for Paris Mean Time; go with Howse's +-# more precise 0:09:21. ++# See Europe/Paris for PMT-related transitions. + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone Africa/Algiers 0:12:12 - LMT 1891 Mar 15 0:01 ++Zone Africa/Algiers 0:12:12 - LMT 1891 Mar 16 + 0:09:21 - PMT 1911 Mar 11 # Paris Mean Time + 0:00 Algeria WE%sT 1940 Feb 25 2:00 + 1:00 Algeria CE%sT 1946 Oct 7 +@@ -199,7 +198,7 @@ + # Egypt was mean noon at the Great Pyramid, 2:04:30.5, but apparently this + # did not apply to Cairo, Alexandria, or Port Said. + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Egypt 1940 only - Jul 15 0:00 1:00 S + Rule Egypt 1940 only - Oct 1 0:00 0 - + Rule Egypt 1941 only - Apr 15 0:00 1:00 S +@@ -434,7 +433,7 @@ + # now Ghana observed different DST regimes in different years. For + # lack of better info, use Shanks except treat the minus sign as a + # typo, and assume DST started in 1920 not 1936. +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Ghana 1920 1942 - Sep 1 0:00 0:20 - + Rule Ghana 1920 1942 - Dec 31 0:00 0 - + # Zone NAME STDOFF RULES FORMAT [UNTIL] +@@ -524,7 +523,7 @@ + # From Paul Eggert (2013-10-25): + # For now, assume they're reverting to the pre-2012 rules of permanent UT +02. + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Libya 1951 only - Oct 14 2:00 1:00 S + Rule Libya 1952 only - Jan 1 0:00 0 - + Rule Libya 1953 only - Oct 9 2:00 1:00 S +@@ -647,7 +646,7 @@ + # "The trial ended on March 29, 2009, when the clocks moved back by one hour + # at 2am (or 02:00) local time..." + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Mauritius 1982 only - Oct 10 0:00 1:00 - + Rule Mauritius 1983 only - Mar 21 0:00 0 - + Rule Mauritius 2008 only - Oct lastSun 2:00 1:00 - +@@ -898,17 +897,30 @@ + # https://maroc-diplomatique.net/maroc-le-retour-a-lheure-gmt-est-prevu-dimanche-prochain/ + # http://aujourdhui.ma/actualite/gmt1-retour-a-lheure-normale-dimanche-prochain-1 + # +-# From Paul Eggert (2020-04-14): ++# From Milamber (2020-05-31) ++# In Morocco (where I live), the end of Ramadan (Arabic month) is followed by ++# the Eid al-Fitr, and concretely it's 1 or 2 day offs for the people (with ++# traditional visiting of family, big lunches/dinners, etc.). So for this ++# year the astronomical calculations don't include the following 2 days off in ++# the calc. These 2 days fall in a Sunday/Monday, so it's not acceptable by ++# people to have a time shift during these 2 days off. Perhaps you can modify ++# the (predicted) rules for next years: if the end of Ramadan is a (probable) ++# Friday or Saturday (and so the 2 days off are on a weekend), the next time ++# shift will be the next weekend. ++# ++# From Paul Eggert (2020-05-31): + # For now, guess that in the future Morocco will fall back at 03:00 + # the last Sunday before Ramadan, and spring forward at 02:00 the +-# first Sunday after the day after Ramadan. To implement this, +-# transition dates for 2021 through 2087 were determined by running +-# the following program under GNU Emacs 26.3. +-# (let ((islamic-year 1442)) ++# first Sunday after two days after Ramadan. To implement this, ++# transition dates and times for 2019 through 2087 were determined by ++# running the following program under GNU Emacs 26.3. (This algorithm ++# also produces the correct transition dates for 2016 through 2018, ++# though the times differ due to Morocco's time zone change in 2018.) ++# (let ((islamic-year 1440)) + # (require 'cal-islam) + # (while (< islamic-year 1511) + # (let ((a (calendar-islamic-to-absolute (list 9 1 islamic-year))) +-# (b (1+ (calendar-islamic-to-absolute (list 10 1 islamic-year)))) ++# (b (+ 2 (calendar-islamic-to-absolute (list 10 1 islamic-year)))) + # (sunday 0)) + # (while (/= sunday (mod (setq a (1- a)) 7))) + # (while (/= sunday (mod b 7)) +@@ -923,7 +935,7 @@ + # (car (cdr (cdr b))) (calendar-month-name (car b) t) (car (cdr b))))) + # (setq islamic-year (+ 1 islamic-year)))) + +-# RULE NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Morocco 1939 only - Sep 12 0:00 1:00 - + Rule Morocco 1939 only - Nov 19 0:00 0 - + Rule Morocco 1940 only - Feb 25 0:00 1:00 - +@@ -974,7 +986,7 @@ + Rule Morocco 2022 only - Mar 27 3:00 -1:00 - + Rule Morocco 2022 only - May 8 2:00 0 - + Rule Morocco 2023 only - Mar 19 3:00 -1:00 - +-Rule Morocco 2023 only - Apr 23 2:00 0 - ++Rule Morocco 2023 only - Apr 30 2:00 0 - + Rule Morocco 2024 only - Mar 10 3:00 -1:00 - + Rule Morocco 2024 only - Apr 14 2:00 0 - + Rule Morocco 2025 only - Feb 23 3:00 -1:00 - +@@ -990,7 +1002,7 @@ + Rule Morocco 2029 only - Dec 30 3:00 -1:00 - + Rule Morocco 2030 only - Feb 10 2:00 0 - + Rule Morocco 2030 only - Dec 22 3:00 -1:00 - +-Rule Morocco 2031 only - Jan 26 2:00 0 - ++Rule Morocco 2031 only - Feb 2 2:00 0 - + Rule Morocco 2031 only - Dec 14 3:00 -1:00 - + Rule Morocco 2032 only - Jan 18 2:00 0 - + Rule Morocco 2032 only - Nov 28 3:00 -1:00 - +@@ -1006,7 +1018,7 @@ + Rule Morocco 2037 only - Oct 4 3:00 -1:00 - + Rule Morocco 2037 only - Nov 15 2:00 0 - + Rule Morocco 2038 only - Sep 26 3:00 -1:00 - +-Rule Morocco 2038 only - Oct 31 2:00 0 - ++Rule Morocco 2038 only - Nov 7 2:00 0 - + Rule Morocco 2039 only - Sep 18 3:00 -1:00 - + Rule Morocco 2039 only - Oct 23 2:00 0 - + Rule Morocco 2040 only - Sep 2 3:00 -1:00 - +@@ -1022,7 +1034,7 @@ + Rule Morocco 2045 only - Jul 9 3:00 -1:00 - + Rule Morocco 2045 only - Aug 20 2:00 0 - + Rule Morocco 2046 only - Jul 1 3:00 -1:00 - +-Rule Morocco 2046 only - Aug 5 2:00 0 - ++Rule Morocco 2046 only - Aug 12 2:00 0 - + Rule Morocco 2047 only - Jun 23 3:00 -1:00 - + Rule Morocco 2047 only - Jul 28 2:00 0 - + Rule Morocco 2048 only - Jun 7 3:00 -1:00 - +@@ -1038,7 +1050,7 @@ + Rule Morocco 2053 only - Apr 13 3:00 -1:00 - + Rule Morocco 2053 only - May 25 2:00 0 - + Rule Morocco 2054 only - Apr 5 3:00 -1:00 - +-Rule Morocco 2054 only - May 10 2:00 0 - ++Rule Morocco 2054 only - May 17 2:00 0 - + Rule Morocco 2055 only - Mar 28 3:00 -1:00 - + Rule Morocco 2055 only - May 2 2:00 0 - + Rule Morocco 2056 only - Mar 12 3:00 -1:00 - +@@ -1054,7 +1066,7 @@ + Rule Morocco 2061 only - Jan 16 3:00 -1:00 - + Rule Morocco 2061 only - Feb 27 2:00 0 - + Rule Morocco 2062 only - Jan 8 3:00 -1:00 - +-Rule Morocco 2062 only - Feb 12 2:00 0 - ++Rule Morocco 2062 only - Feb 19 2:00 0 - + Rule Morocco 2062 only - Dec 31 3:00 -1:00 - + Rule Morocco 2063 only - Feb 4 2:00 0 - + Rule Morocco 2063 only - Dec 16 3:00 -1:00 - +@@ -1070,7 +1082,7 @@ + Rule Morocco 2068 only - Oct 21 3:00 -1:00 - + Rule Morocco 2068 only - Dec 2 2:00 0 - + Rule Morocco 2069 only - Oct 13 3:00 -1:00 - +-Rule Morocco 2069 only - Nov 17 2:00 0 - ++Rule Morocco 2069 only - Nov 24 2:00 0 - + Rule Morocco 2070 only - Oct 5 3:00 -1:00 - + Rule Morocco 2070 only - Nov 9 2:00 0 - + Rule Morocco 2071 only - Sep 20 3:00 -1:00 - +@@ -1086,7 +1098,7 @@ + Rule Morocco 2076 only - Jul 26 3:00 -1:00 - + Rule Morocco 2076 only - Sep 6 2:00 0 - + Rule Morocco 2077 only - Jul 18 3:00 -1:00 - +-Rule Morocco 2077 only - Aug 22 2:00 0 - ++Rule Morocco 2077 only - Aug 29 2:00 0 - + Rule Morocco 2078 only - Jul 10 3:00 -1:00 - + Rule Morocco 2078 only - Aug 14 2:00 0 - + Rule Morocco 2079 only - Jun 25 3:00 -1:00 - +@@ -1096,13 +1108,13 @@ + Rule Morocco 2081 only - Jun 1 3:00 -1:00 - + Rule Morocco 2081 only - Jul 13 2:00 0 - + Rule Morocco 2082 only - May 24 3:00 -1:00 - +-Rule Morocco 2082 only - Jun 28 2:00 0 - ++Rule Morocco 2082 only - Jul 5 2:00 0 - + Rule Morocco 2083 only - May 16 3:00 -1:00 - + Rule Morocco 2083 only - Jun 20 2:00 0 - + Rule Morocco 2084 only - Apr 30 3:00 -1:00 - + Rule Morocco 2084 only - Jun 11 2:00 0 - + Rule Morocco 2085 only - Apr 22 3:00 -1:00 - +-Rule Morocco 2085 only - May 27 2:00 0 - ++Rule Morocco 2085 only - Jun 3 2:00 0 - + Rule Morocco 2086 only - Apr 14 3:00 -1:00 - + Rule Morocco 2086 only - May 19 2:00 0 - + Rule Morocco 2087 only - Mar 30 3:00 -1:00 - +@@ -1203,7 +1215,7 @@ + # Use plain "WAT" and "CAT" for the time zone abbreviations, to be compatible + # with Namibia's neighbors. + +-# RULE NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + # Vanguard section, for zic and other parsers that support negative DST. + Rule Namibia 1994 only - Mar 21 0:00 -1:00 WAT + Rule Namibia 1994 2017 - Sep Sun>=1 2:00 0 CAT +@@ -1326,7 +1338,7 @@ + # See Africa/Nairobi. + + # South Africa +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule SA 1942 1943 - Sep Sun>=15 2:00 1:00 - + Rule SA 1943 1944 - Mar Sun>=15 2:00 0 - + # Zone NAME STDOFF RULES FORMAT [UNTIL] +@@ -1359,7 +1371,7 @@ + # Abdalla of NTC, archived at: + # https://mm.icann.org/pipermail/tz/2017-October/025333.html + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Sudan 1970 only - May 1 0:00 1:00 S + Rule Sudan 1970 1985 - Oct 15 0:00 0 - + Rule Sudan 1971 only - Apr 30 0:00 1:00 S +@@ -1447,7 +1459,7 @@ + # http://www.almadenahnews.com/newss/news.php?c=118&id=38036 + # http://www.worldtimezone.com/dst_news/dst_news_tunis02.html + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Tunisia 1939 only - Apr 15 23:00s 1:00 S + Rule Tunisia 1939 only - Nov 18 23:00s 0 - + Rule Tunisia 1940 only - Feb 25 23:00s 1:00 S +@@ -1474,9 +1486,7 @@ + Rule Tunisia 2006 2008 - Mar lastSun 2:00s 1:00 S + Rule Tunisia 2006 2008 - Oct lastSun 2:00s 0 - + +-# Shanks & Pottenger give 0:09:20 for Paris Mean Time; go with Howse's +-# more precise 0:09:21. +-# Shanks & Pottenger say the 1911 switch was on Mar 9; go with Howse's Mar 11. ++# See Europe/Paris for PMT-related transitions. + # Zone NAME STDOFF RULES FORMAT [UNTIL] + Zone Africa/Tunis 0:40:44 - LMT 1881 May 12 + 0:09:21 - PMT 1911 Mar 11 # Paris Mean Time +diff --git a/make/data/tzdata/antarctica b/make/data/tzdata/antarctica +--- a/make/data/tzdata/antarctica ++++ b/make/data/tzdata/antarctica +@@ -93,15 +93,30 @@ + # Australian Antarctica Division informed us that Casey changed time + # zone to UTC+11 in "the morning of 22nd October 2016". + ++# From Steffen Thorsen (2020-10-02, as corrected): ++# Based on information we have received from the Australian Antarctic ++# Division, Casey station and Macquarie Island station will move to Tasmanian ++# daylight savings time on Sunday 4 October. This will take effect from 0001 ++# hrs on Sunday 4 October 2020 and will mean Casey and Macquarie Island will ++# be on the same time zone as Hobart. Some past dates too for this 3 hour ++# time change back and forth between UTC+8 and UTC+11 for Casey: ++# - 2018 Oct 7 4:00 - 2019 Mar 17 3:00 - 2019 Oct 4 3:00 - 2020 Mar 8 3:00 ++# and now - 2020 Oct 4 0:01 ++ + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone Antarctica/Casey 0 - -00 1969 +- 8:00 - +08 2009 Oct 18 2:00 ++Zone Antarctica/Casey 0 - -00 1969 ++ 8:00 - +08 2009 Oct 18 2:00 + 11:00 - +11 2010 Mar 5 2:00 +- 8:00 - +08 2011 Oct 28 2:00 ++ 8:00 - +08 2011 Oct 28 2:00 + 11:00 - +11 2012 Feb 21 17:00u +- 8:00 - +08 2016 Oct 22 ++ 8:00 - +08 2016 Oct 22 + 11:00 - +11 2018 Mar 11 4:00 +- 8:00 - +08 ++ 8:00 - +08 2018 Oct 7 4:00 ++ 11:00 - +11 2019 Mar 17 3:00 ++ 8:00 - +08 2019 Oct 4 3:00 ++ 11:00 - +11 2020 Mar 8 3:00 ++ 8:00 - +08 2020 Oct 4 0:01 ++ 11:00 - +11 + Zone Antarctica/Davis 0 - -00 1957 Jan 13 + 7:00 - +07 1964 Nov + 0 - -00 1969 Feb +@@ -247,7 +262,7 @@ + # suggested by Bengt-Inge Larsson comment them out for now, and approximate + # with only UTC and CEST. Uncomment them when 2014b is more prevalent. + # +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + #Rule Troll 2005 max - Mar 1 1:00u 1:00 +01 + Rule Troll 2005 max - Mar lastSun 1:00u 2:00 +02 + #Rule Troll 2005 max - Oct lastSun 1:00u 1:00 +01 +diff --git a/make/data/tzdata/asia b/make/data/tzdata/asia +--- a/make/data/tzdata/asia ++++ b/make/data/tzdata/asia +@@ -93,7 +93,7 @@ + ############################################################################### + + # These rules are stolen from the 'europe' file. +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule EUAsia 1981 max - Mar lastSun 1:00u 1:00 S + Rule EUAsia 1979 1995 - Sep lastSun 1:00u 0 - + Rule EUAsia 1996 max - Oct lastSun 1:00u 0 - +@@ -137,7 +137,7 @@ + # or + # (brief) + # http://www.worldtimezone.com/dst_news/dst_news_armenia03.html +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Armenia 2011 only - Mar lastSun 2:00s 1:00 - + Rule Armenia 2011 only - Oct lastSun 2:00s 0 - + # Zone NAME STDOFF RULES FORMAT [UNTIL] +@@ -163,7 +163,7 @@ + # http://vestnikkavkaza.net/news/Azerbaijani-Cabinet-of-Ministers-cancels-daylight-saving-time.html + # http://en.apa.az/xeber_azerbaijan_abolishes_daylight_savings_ti_240862.html + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Azer 1997 2015 - Mar lastSun 4:00 1:00 - + Rule Azer 1997 2015 - Oct lastSun 5:00 0 - + # Zone NAME STDOFF RULES FORMAT [UNTIL] +@@ -250,7 +250,7 @@ + # http://www.thedailystar.net/newDesign/latest_news.php?nid=22817 + # http://www.worldtimezone.com/dst_news/dst_news_bangladesh06.html + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Dhaka 2009 only - Jun 19 23:00 1:00 - + Rule Dhaka 2009 only - Dec 31 24:00 0 - + +@@ -326,7 +326,7 @@ + # generally esteemed a success, it was announced early in 1920 that it would + # not be repeated." + # +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Shang 1919 only - Apr 12 24:00 1:00 D + Rule Shang 1919 only - Sep 30 24:00 0 S + +@@ -422,7 +422,7 @@ + # the Yangtze river delta area during that period of time although the scope + # of such use will need to be investigated to determine. + # +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Shang 1940 only - Jun 1 0:00 1:00 D + Rule Shang 1940 only - Oct 12 24:00 0 S + Rule Shang 1941 only - Mar 15 0:00 1:00 D +@@ -485,7 +485,7 @@ + # to begin on 17 April. + # http://data.people.com.cn/pic/101p/1988/04/1988041201.jpg + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule PRC 1986 only - May 4 2:00 1:00 D + Rule PRC 1986 1991 - Sep Sun>=11 2:00 0 S + Rule PRC 1987 1991 - Apr Sun>=11 2:00 1:00 D +@@ -869,7 +869,7 @@ + # or dates for the 1942 and 1945 transitions. + # The Japanese occupation of Hong Kong began 1941-12-25. + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule HK 1946 only - Apr 21 0:00 1:00 S + Rule HK 1946 only - Dec 1 3:30s 0 - + Rule HK 1947 only - Apr 13 3:30s 1:00 S +@@ -996,7 +996,7 @@ + # until 1945-09-21 at 01:00, overriding Shanks & Pottenger. + # Likewise, use Yu-Cheng Chuang's data for DST in Taiwan. + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Taiwan 1946 only - May 15 0:00 1:00 D + Rule Taiwan 1946 only - Oct 1 0:00 0 S + Rule Taiwan 1947 only - Apr 15 0:00 1:00 D +@@ -1122,7 +1122,7 @@ + # The 1904 decree says that Macau changed from the meridian of + # Fortaleza do Monte, presumably the basis for the 7:34:10 for LMT. + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Macau 1942 1943 - Apr 30 23:00 1:00 - + Rule Macau 1942 only - Nov 17 23:00 0 - + Rule Macau 1943 only - Sep 30 23:00 0 S +@@ -1180,7 +1180,7 @@ + # Cyprus to remain united in time. Cyprus Mail 2017-10-17. + # https://cyprus-mail.com/2017/10/17/cyprus-remain-united-time/ + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Cyprus 1975 only - Apr 13 0:00 1:00 S + Rule Cyprus 1975 only - Oct 12 0:00 0 - + Rule Cyprus 1976 only - May 15 0:00 1:00 S +@@ -1557,7 +1557,7 @@ + # be changed back to its previous state on the 24 hours of the + # thirtieth day of Shahrivar. + # +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Iran 1978 1980 - Mar 20 24:00 1:00 - + Rule Iran 1978 only - Oct 20 24:00 0 - + Rule Iran 1979 only - Sep 18 24:00 0 - +@@ -1699,7 +1699,7 @@ + # We have published a short article in English about the change: + # https://www.timeanddate.com/news/time/iraq-dumps-daylight-saving.html + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Iraq 1982 only - May 1 0:00 1:00 - + Rule Iraq 1982 1984 - Oct 1 0:00 0 - + Rule Iraq 1983 only - Mar 31 0:00 1:00 - +@@ -1722,6 +1722,10 @@ + + # Israel + ++# For more info about the motivation for DST in Israel, see: ++# Barak Y. Israel's Daylight Saving Time controversy. Israel Affairs. ++# 2020-08-11. https://doi.org/10.1080/13537121.2020.1806564 ++ + # From Ephraim Silverberg (2001-01-11): + # + # I coined "IST/IDT" circa 1988. Until then there were three +@@ -1743,7 +1747,7 @@ + # family is from India). + + # From Shanks & Pottenger: +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Zion 1940 only - Jun 1 0:00 1:00 D + Rule Zion 1942 1944 - Nov 1 0:00 0 S + Rule Zion 1943 only - Apr 1 2:00 1:00 D +@@ -1835,7 +1839,7 @@ + # (except in 2002) is three nights before Yom Kippur [Day of Atonement] + # (the eve of the 7th of Tishrei in the lunar Hebrew calendar). + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Zion 1989 only - Apr 30 0:00 1:00 D + Rule Zion 1989 only - Sep 3 0:00 0 S + Rule Zion 1990 only - Mar 25 0:00 1:00 D +@@ -1851,7 +1855,7 @@ + # Ministry of Interior, Jerusalem, Israel. The spokeswoman can be reached by + # calling the office directly at 972-2-6701447 or 972-2-6701448. + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Zion 1994 only - Apr 1 0:00 1:00 D + Rule Zion 1994 only - Aug 28 0:00 0 S + Rule Zion 1995 only - Mar 31 0:00 1:00 D +@@ -1871,7 +1875,7 @@ + # + # where YYYY is the relevant year. + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Zion 1996 only - Mar 15 0:00 1:00 D + Rule Zion 1996 only - Sep 16 0:00 0 S + Rule Zion 1997 only - Mar 21 0:00 1:00 D +@@ -1894,7 +1898,7 @@ + # + # ftp://ftp.cs.huji.ac.il/pub/tz/announcements/2000-2004.ps.gz + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Zion 2000 only - Apr 14 2:00 1:00 D + Rule Zion 2000 only - Oct 6 1:00 0 S + Rule Zion 2001 only - Apr 9 1:00 1:00 D +@@ -1916,7 +1920,7 @@ + # + # ftp://ftp.cs.huji.ac.il/pub/tz/announcements/2005+beyond.ps + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Zion 2005 2012 - Apr Fri<=1 2:00 1:00 D + Rule Zion 2005 only - Oct 9 2:00 0 S + Rule Zion 2006 only - Oct 1 2:00 0 S +@@ -1936,7 +1940,7 @@ + # As of 2013, DST starts at 02:00 on the Friday before the last Sunday + # in March. DST ends at 02:00 on the last Sunday of October. + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Zion 2013 max - Mar Fri>=23 2:00 1:00 D + Rule Zion 2013 max - Oct lastSun 2:00 0 S + +@@ -2036,7 +2040,7 @@ + # do in any POSIX or C platform. The "25:00" assumes zic from 2007 or later, + # which should be safe now. + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Japan 1948 only - May Sat>=1 24:00 1:00 D + Rule Japan 1948 1951 - Sep Sat>=8 25:00 0 S + Rule Japan 1949 only - Apr Sat>=1 24:00 1:00 D +@@ -2113,7 +2117,7 @@ + # From Paul Eggert (2013-12-11): + # As Steffen suggested, consider the past 21-month experiment to be DST. + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Jordan 1973 only - Jun 6 0:00 1:00 S + Rule Jordan 1973 1975 - Oct 1 0:00 0 - + Rule Jordan 1974 1977 - May 1 0:00 1:00 S +@@ -2439,7 +2443,7 @@ + # Our government cancels daylight saving time 6th of August 2005. + # From 2005-08-12 our GMT-offset is +6, w/o any daylight saving. + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Kyrgyz 1992 1996 - Apr Sun>=7 0:00s 1:00 - + Rule Kyrgyz 1992 1996 - Sep lastSun 0:00 0 - + Rule Kyrgyz 1997 2005 - Mar lastSun 2:30 1:00 - +@@ -2495,7 +2499,7 @@ + # follow and continued to use GMT+9:00 for interoperability. + + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule ROK 1948 only - Jun 1 0:00 1:00 D + Rule ROK 1948 only - Sep 12 24:00 0 S + Rule ROK 1949 only - Apr 3 0:00 1:00 D +@@ -2583,7 +2587,7 @@ + + + # Lebanon +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Lebanon 1920 only - Mar 28 0:00 1:00 S + Rule Lebanon 1920 only - Oct 25 0:00 0 - + Rule Lebanon 1921 only - Apr 3 0:00 1:00 S +@@ -2613,7 +2617,7 @@ + 2:00 Lebanon EE%sT + + # Malaysia +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule NBorneo 1935 1941 - Sep 14 0:00 0:20 - + Rule NBorneo 1935 1941 - Dec 14 0:00 0 - + # +@@ -2758,7 +2762,7 @@ + # September daylight saving time ends. Source: + # http://zasag.mn/news/view/8969 + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Mongol 1983 1984 - Apr 1 0:00 1:00 - + Rule Mongol 1983 only - Oct 1 0:00 0 - + # Shanks & Pottenger and IATA SSIM say 1990s switches occurred at 00:00, +@@ -2946,7 +2950,7 @@ + # "People laud PM's announcement to end DST" + # http://www.app.com.pk/en_/index.php?option=com_content&task=view&id=99374&Itemid=2 + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Pakistan 2002 only - Apr Sun>=2 0:00 1:00 S + Rule Pakistan 2002 only - Oct Sun>=2 0:00 0 - + Rule Pakistan 2008 only - Jun 1 0:00 1:00 S +@@ -3248,7 +3252,7 @@ + # From Tim Parenti (2016-10-19): + # Predict fall transitions on October's last Saturday at 01:00 from now on. + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule EgyptAsia 1957 only - May 10 0:00 1:00 S + Rule EgyptAsia 1957 1958 - Oct 1 0:00 0 - + Rule EgyptAsia 1958 only - May 1 0:00 1:00 S +@@ -3348,7 +3352,7 @@ + # influence of the sources. There is no current abbreviation for DST, + # so use "PDT", the usual American style. + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Phil 1936 only - Nov 1 0:00 1:00 D + Rule Phil 1937 only - Feb 1 0:00 0 S + Rule Phil 1954 only - Apr 12 0:00 1:00 D +@@ -3496,7 +3500,7 @@ + 5:30 - +0530 + + # Syria +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Syria 1920 1923 - Apr Sun>=15 2:00 1:00 S + Rule Syria 1920 1923 - Oct Sun>=1 2:00 0 - + Rule Syria 1962 only - Apr 29 2:00 1:00 S +diff --git a/make/data/tzdata/australasia b/make/data/tzdata/australasia +--- a/make/data/tzdata/australasia ++++ b/make/data/tzdata/australasia +@@ -36,7 +36,7 @@ + + # Please see the notes below for the controversy about "EST" versus "AEST" etc. + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Aus 1917 only - Jan 1 0:01 1:00 D + Rule Aus 1917 only - Mar 25 2:00 0 S + Rule Aus 1942 only - Jan 1 2:00 1:00 D +@@ -55,7 +55,7 @@ + 9:30 Aus AC%sT + # Western Australia + # +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule AW 1974 only - Oct lastSun 2:00s 1:00 D + Rule AW 1975 only - Mar Sun>=1 2:00s 0 S + Rule AW 1983 only - Oct lastSun 2:00s 1:00 D +@@ -93,7 +93,7 @@ + # applies to all of the Whitsundays. + # http://www.australia.gov.au/about-australia/australian-story/austn-islands + # +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule AQ 1971 only - Oct lastSun 2:00s 1:00 D + Rule AQ 1972 only - Feb lastSun 2:00s 0 S + Rule AQ 1989 1991 - Oct lastSun 2:00s 1:00 D +@@ -109,7 +109,7 @@ + 10:00 Holiday AE%sT + + # South Australia +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule AS 1971 1985 - Oct lastSun 2:00s 1:00 D + Rule AS 1986 only - Oct 19 2:00s 1:00 D + Rule AS 1987 2007 - Oct lastSun 2:00s 1:00 D +@@ -137,7 +137,7 @@ + # http://www.bom.gov.au/climate/averages/tables/dst_times.shtml + # says King Island didn't observe DST from WWII until late 1971. + # +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule AT 1967 only - Oct Sun>=1 2:00s 1:00 D + Rule AT 1968 only - Mar lastSun 2:00s 0 S + Rule AT 1968 1985 - Oct lastSun 2:00s 1:00 D +@@ -170,7 +170,7 @@ + 10:00 AT AE%sT + + # Victoria +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule AV 1971 1985 - Oct lastSun 2:00s 1:00 D + Rule AV 1972 only - Feb lastSun 2:00s 0 S + Rule AV 1973 1985 - Mar Sun>=1 2:00s 0 S +@@ -191,7 +191,7 @@ + 10:00 AV AE%sT + + # New South Wales +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule AN 1971 1985 - Oct lastSun 2:00s 1:00 D + Rule AN 1972 only - Feb 27 2:00s 0 S + Rule AN 1973 1981 - Mar Sun>=1 2:00s 0 S +@@ -220,7 +220,7 @@ + 9:30 AS AC%sT + + # Lord Howe Island +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule LH 1981 1984 - Oct lastSun 2:00 1:00 - + Rule LH 1982 1985 - Mar Sun>=1 2:00 0 - + Rule LH 1985 only - Oct lastSun 2:00 0:30 - +@@ -275,8 +275,9 @@ + 10:00 Aus AE%sT 1919 Apr 1 0:00s + 0 - -00 1948 Mar 25 + 10:00 Aus AE%sT 1967 +- 10:00 AT AE%sT 2010 Apr 4 3:00 +- 11:00 - +11 ++ 10:00 AT AE%sT 2010 ++ 10:00 1:00 AEDT 2011 ++ 10:00 AT AE%sT + + # Christmas + # Zone NAME STDOFF RULES FORMAT [UNTIL] +@@ -403,7 +404,7 @@ + # From Michael Deckers (2019-08-06): + # https://www.laws.gov.fj/LawsAsMade/downloadfile/848 + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Fiji 1998 1999 - Nov Sun>=1 2:00 1:00 - + Rule Fiji 1999 2000 - Feb lastSun 3:00 0 - + Rule Fiji 2009 only - Nov 29 2:00 1:00 - +@@ -432,7 +433,7 @@ + + # Guam + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + # http://guamlegislature.com/Public_Laws_5th/PL05-025.pdf + # http://documents.guam.gov/wp-content/uploads/E.O.-59-7-Guam-Daylight-Savings-Time-May-6-1959.pdf + Rule Guam 1959 only - Jun 27 2:00 1:00 D +@@ -543,7 +544,7 @@ + 12:00 - +12 + + # New Caledonia +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule NC 1977 1978 - Dec Sun>=1 0:00 1:00 - + Rule NC 1978 1979 - Feb 27 0:00 0 - + Rule NC 1996 only - Dec 1 2:00s 1:00 - +@@ -558,7 +559,7 @@ + + # New Zealand + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule NZ 1927 only - Nov 6 2:00 1:00 S + Rule NZ 1928 only - Mar 4 2:00 0 M + Rule NZ 1928 1933 - Oct Sun>=8 2:00 0:30 S +@@ -610,7 +611,7 @@ + + # Cook Is + # From Shanks & Pottenger: +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Cook 1978 only - Nov 12 0:00 0:30 - + Rule Cook 1979 1991 - Mar Sun>=1 0:00 0 - + Rule Cook 1979 1990 - Oct lastSun 0:00 0:30 - +@@ -755,7 +756,7 @@ + # That web page currently lists transitions for 2012/3 and 2013/4. + # Assume the pattern instituted in 2012 will continue indefinitely. + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule WS 2010 only - Sep lastSun 0:00 1 - + Rule WS 2011 only - Apr Sat>=1 4:00 0 - + Rule WS 2011 only - Sep lastSat 3:00 1 - +@@ -799,7 +800,7 @@ + 13:00 - +13 + + # Tonga +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Tonga 1999 only - Oct 7 2:00s 1:00 - + Rule Tonga 2000 only - Mar 19 2:00s 0 - + Rule Tonga 2000 2001 - Nov Sun>=1 2:00 1:00 - +@@ -880,7 +881,7 @@ + + + # Vanuatu +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Vanuatu 1983 only - Sep 25 0:00 1:00 - + Rule Vanuatu 1984 1991 - Mar Sun>=23 0:00 0 - + Rule Vanuatu 1984 only - Oct 23 0:00 1:00 - +diff --git a/make/data/tzdata/europe b/make/data/tzdata/europe +--- a/make/data/tzdata/europe ++++ b/make/data/tzdata/europe +@@ -411,7 +411,7 @@ + # http://www.irishstatutebook.ie/eli/1926/sro/919/made/en/print + # http://www.irishstatutebook.ie/eli/1947/sro/71/made/en/print + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + # Summer Time Act, 1916 + Rule GB-Eire 1916 only - May 21 2:00s 1:00 BST + Rule GB-Eire 1916 only - Oct 1 2:00s 0 GMT +@@ -552,7 +552,7 @@ + # The following is like GB-Eire and EU, except with standard time in + # summer and negative daylight saving time in winter. It is for when + # negative SAVE values are used. +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Eire 1971 only - Oct 31 2:00u -1:00 - + Rule Eire 1972 1980 - Mar Sun>=16 2:00u 0 - + Rule Eire 1972 1980 - Oct Sun>=23 2:00u -1:00 - +@@ -589,7 +589,7 @@ + # predecessor organization, the European Communities. + # For brevity they are called "EU rules" elsewhere in this file. + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule EU 1977 1980 - Apr Sun>=1 1:00u 1:00 S + Rule EU 1977 only - Sep lastSun 1:00u 0 - + Rule EU 1978 only - Oct 1 1:00u 0 - +@@ -629,13 +629,13 @@ + # corrected in version 2008d). The circumstantial evidence is simply the + # tz database itself, as seen below: + # +-# Zone Europe/Paris 0:09:21 - LMT 1891 Mar 15 0:01 ++# Zone Europe/Paris ... + # 0:00 France WE%sT 1945 Sep 16 3:00 + # +-# Zone Europe/Monaco 0:29:32 - LMT 1891 Mar 15 ++# Zone Europe/Monaco ... + # 0:00 France WE%sT 1945 Sep 16 3:00 + # +-# Zone Europe/Belgrade 1:22:00 - LMT 1884 ++# Zone Europe/Belgrade ... + # 1:00 1:00 CEST 1945 Sep 16 2:00s + # + # Rule France 1945 only - Sep 16 3:00 0 - +@@ -681,7 +681,7 @@ + # + # The 1917-1921 decree URLs are from Alexander Belopolsky (2016-08-23). + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Russia 1917 only - Jul 1 23:00 1:00 MST # Moscow Summer Time + # + # Decree No. 142 (1917-12-22) http://istmat.info/node/28137 +@@ -795,7 +795,7 @@ + + + # Albania +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Albania 1940 only - Jun 16 0:00 1:00 S + Rule Albania 1942 only - Nov 2 3:00 0 - + Rule Albania 1943 only - Mar 29 2:00 1:00 S +@@ -849,7 +849,7 @@ + # In 1946 the end of DST was on Monday, 7 October 1946, at 3:00 am. + # Shanks had this right. Source: Die Weltpresse, 5. Oktober 1946, page 5. + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Austria 1920 only - Apr 5 2:00s 1:00 S + Rule Austria 1920 only - Sep 13 2:00s 0 - + Rule Austria 1946 only - Apr 14 2:00s 1:00 S +@@ -936,7 +936,7 @@ + # The 1918 rules are listed for completeness; they apply to unoccupied Belgium. + # Assume Brussels switched to WET in 1918 when the armistice took effect. + # +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Belgium 1918 only - Mar 9 0:00s 1:00 S + Rule Belgium 1918 1919 - Oct Sat>=1 23:00s 0 - + Rule Belgium 1919 only - Mar 1 23:00s 1:00 S +@@ -996,7 +996,7 @@ + # EET -> EETDST is in 03:00 Local time in last Sunday of March ... + # EETDST -> EET is in 04:00 Local time in last Sunday of October + # +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Bulg 1979 only - Mar 31 23:00 1:00 S + Rule Bulg 1979 only - Oct 1 1:00 0 - + Rule Bulg 1980 1982 - Apr Sat>=1 23:00 1:00 S +@@ -1028,7 +1028,7 @@ + # We know of no English-language name for historical Czech winter time; + # abbreviate it as "GMT", as it happened to be GMT. + # +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Czech 1945 only - Apr Mon>=1 2:00s 1:00 S + Rule Czech 1945 only - Oct 1 2:00s 0 - + Rule Czech 1946 only - May 6 2:00s 1:00 S +@@ -1084,7 +1084,7 @@ + # Hence the "02:00" of the 1980 law refers to standard time, not + # wall-clock time, and so the EU rules were in effect in 1980. + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Denmark 1916 only - May 14 23:00 1:00 S + Rule Denmark 1916 only - Sep 30 23:00 0 - + Rule Denmark 1940 only - May 15 0:00 1:00 S +@@ -1186,7 +1186,7 @@ + # http://naalakkersuisut.gl/~/media/Nanoq/Files/Attached%20Files/Engelske-tekster/Legislation/Executive%20Order%20National%20Park.rtf + # It is their only National Park. + # +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Thule 1991 1992 - Mar lastSun 2:00 1:00 D + Rule Thule 1991 1992 - Sep lastSun 2:00 0 S + Rule Thule 1993 2006 - Apr Sun>=1 2:00 1:00 D +@@ -1317,7 +1317,7 @@ + # From Paul Eggert (2014-06-14): + # Go with Oja over Shanks. + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Finland 1942 only - Apr 2 24:00 1:00 S + Rule Finland 1942 only - Oct 4 1:00 0 - + Rule Finland 1981 1982 - Mar lastSun 2:00 1:00 S +@@ -1349,10 +1349,58 @@ + # Françoise Gauquelin, Problèmes de l'heure résolus en astrologie, + # Guy Trédaniel, Paris 1987 + ++# From Michael Deckers (2020-06-11): ++# the law of 1891 ++# was published on 1891-03-15, so it could only take force on 1891-03-16. ++ ++# From Michael Deckers (2020-06-10): ++# Le Gaulois, 1911-03-11, page 1/6, online at ++# https://www.retronews.fr/societe/echo-de-presse/2018/01/29/1911-change-lheure-de-paris ++# ... [ Instantly, all pressure driven clock dials halted... Nine minutes and ++# twenty-one seconds later the hands resumed their circular motion. ] ++# There are also precise reports about how the change was prepared in train ++# stations: all the publicly visible clocks stopped at midnight railway time ++# (or were covered), only the chief of service had a watch, labeled ++# "Heure ancienne", that he kept running until it reached 00:04:21, when ++# he announced "Heure nouvelle". See the "Le Petit Journal 1911-03-11". ++# https://gallica.bnf.fr/ark:/12148/bpt6k6192911/f1.item.zoom ++# ++# From Michael Deckers (2020-06-12): ++# That "all French clocks stopped" for 00:09:21 is a misreading of French ++# newspapers; this sort of adjustment applies only to certain ++# remote-controlled clocks ("pendules pneumatiques", of which there existed ++# perhaps a dozen in Paris, and which simply could not be set back remotely), ++# but not to all the clocks in all French towns and villages. For instance, ++# the following story in the "Courrier de Saône-et-Loire" 1911-03-11, page 2: ++# only works if legal time was stepped back (was not monotone): ... ++# [One can observe that children who had been born at midnight less 5 ++# minutes and who had died at midnight of the old time, would turn out to ++# be dead before being born, time having been set back and having ++# suppressed 9 minutes and 25 seconds of their existence, that is, more ++# than they could spend.] ++# ++# From Paul Eggert (2020-06-12): ++# French time in railway stations was legally five minutes behind civil time, ++# which explains why railway "old time" ran to 00:04:21 instead of to 00:09:21. ++# The law's text (which Michael Deckers noted is at ++# ) says only that ++# at 1911-03-11 00:00 legal time was that of Paris mean time delayed by ++# nine minutes and twenty-one seconds, and does not say how the ++# transition from Paris mean time was to occur. ++# ++# tzdb has no way to represent stopped clocks. As the railway practice ++# was to keep a watch running on "old time" to decide when to restart ++# the other clocks, this could be modeled as a transition for "old time" at ++# 00:09:21. However, since the law was ambiguous and clocks outside railway ++# stations were probably done haphazardly with the popular impression being ++# that the transition was done at 00:00 "old time", simply leave the time ++# blank; this causes zic to default to 00:00 "old time" which is good enough. ++# Do something similar for the 1891-03-16 transition. There are similar ++# problems in Algiers, Monaco and Tunis. + + # + # Shank & Pottenger seem to use '24:00' ambiguously; resolve it with Whitman. +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule France 1916 only - Jun 14 23:00s 1:00 S + Rule France 1916 1919 - Oct Sun>=1 23:00s 0 - + Rule France 1917 only - Mar 24 23:00s 1:00 S +@@ -1412,13 +1460,11 @@ + # go with Excoffier's 28/3/76 0hUT and 25/9/76 23hUT. + Rule France 1976 only - Mar 28 1:00 1:00 S + Rule France 1976 only - Sep 26 1:00 0 - +-# Shanks & Pottenger give 0:09:20 for Paris Mean Time, and Whitman 0:09:05, +-# but Howse quotes the actual French legislation as saying 0:09:21. +-# Go with Howse. Howse writes that the time in France was officially based ++# Howse writes that the time in France was officially based + # on PMT-0:09:21 until 1978-08-09, when the time base finally switched to UTC. + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone Europe/Paris 0:09:21 - LMT 1891 Mar 15 0:01 +- 0:09:21 - PMT 1911 Mar 11 0:01 # Paris MT ++Zone Europe/Paris 0:09:21 - LMT 1891 Mar 16 ++ 0:09:21 - PMT 1911 Mar 11 # Paris Mean Time + # Shanks & Pottenger give 1940 Jun 14 0:00; go with Excoffier and Le Corre. + 0:00 France WE%sT 1940 Jun 14 23:00 + # Le Corre says Paris stuck with occupied-France time after the liberation; +@@ -1447,7 +1493,7 @@ + # this was equivalent to UT +03, not +04. + + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Germany 1946 only - Apr 14 2:00s 1:00 S + Rule Germany 1946 only - Oct 7 2:00s 0 - + Rule Germany 1947 1949 - Oct Sun>=1 2:00s 0 - +@@ -1499,7 +1545,7 @@ + 1:00 EU CE%sT + + # Greece +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + # Whitman gives 1932 Jul 5 - Nov 1; go with Shanks & Pottenger. + Rule Greece 1932 only - Jul 7 0:00 1:00 S + Rule Greece 1932 only - Sep 1 0:00 0 - +@@ -1534,38 +1580,69 @@ + 2:00 EU EE%sT + + # Hungary +-# From Paul Eggert (2014-07-15): +-# Dates for 1916-1945 are taken from: +-# Oross A. Jelen a múlt jövője: a nyári időszámítás Magyarországon 1916-1945. +-# National Archives of Hungary (2012-10-29). +-# http://mnl.gov.hu/a_het_dokumentuma/a_nyari_idoszamitas_magyarorszagon_19161945.html +-# This source does not always give times, which are taken from Shanks +-# & Pottenger (which disagree about the dates). +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S +-Rule Hungary 1918 only - Apr 1 3:00 1:00 S +-Rule Hungary 1918 only - Sep 16 3:00 0 - +-Rule Hungary 1919 only - Apr 15 3:00 1:00 S +-Rule Hungary 1919 only - Nov 24 3:00 0 - ++ ++# From Michael Deckers (2020-06-09): ++# an Austrian encyclopedia of railroads of 1913, online at ++# http://www.zeno.org/Roell-1912/A/Eisenbahnzeit ++# says that the switch [to CET] happened on 1890-11-01. ++ ++# From Géza Nyáry (2020-06-07): ++# Data for 1918-1983 are based on the archive database of Library Hungaricana. ++# The dates are collected from original, scanned governmental orders, ++# bulletins, instructions and public press. ++# [See URLs below.] ++ ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S ++# https://library.hungaricana.hu/hu/view/OGYK_RT_1918/?pg=238 ++# https://library.hungaricana.hu/hu/view/OGYK_RT_1919/?pg=808 ++# https://library.hungaricana.hu/hu/view/OGYK_RT_1920/?pg=201 ++Rule Hungary 1918 1919 - Apr 15 2:00 1:00 S ++Rule Hungary 1918 1920 - Sep Mon>=15 3:00 0 - ++Rule Hungary 1920 only - Apr 5 2:00 1:00 S ++# https://library.hungaricana.hu/hu/view/OGYK_RT_1945/?pg=882 + Rule Hungary 1945 only - May 1 23:00 1:00 S +-Rule Hungary 1945 only - Nov 1 0:00 0 - ++Rule Hungary 1945 only - Nov 1 1:00 0 - ++# https://library.hungaricana.hu/hu/view/Delmagyarorszag_1946_03/?pg=49 + Rule Hungary 1946 only - Mar 31 2:00s 1:00 S +-Rule Hungary 1946 1949 - Oct Sun>=1 2:00s 0 - ++# https://library.hungaricana.hu/hu/view/Delmagyarorszag_1946_09/?pg=54 ++Rule Hungary 1946 only - Oct 7 2:00 0 - ++# https://library.hungaricana.hu/hu/view/KulfBelfHirek_1947_04_1__001-123/?pg=90 ++# https://library.hungaricana.hu/hu/view/DunantuliNaplo_1947_09/?pg=128 ++# https://library.hungaricana.hu/hu/view/KulfBelfHirek_1948_03_3__001-123/?pg=304 ++# https://library.hungaricana.hu/hu/view/Zala_1948_09/?pg=64 ++# https://library.hungaricana.hu/hu/view/SatoraljaujhelyiLeveltar_ZempleniNepujsag_1948/?pg=53 ++# https://library.hungaricana.hu/hu/view/SatoraljaujhelyiLeveltar_ZempleniNepujsag_1948/?pg=160 ++# https://library.hungaricana.hu/hu/view/Delmagyarorszag_1949_09/?pg=94 + Rule Hungary 1947 1949 - Apr Sun>=4 2:00s 1:00 S +-Rule Hungary 1950 only - Apr 17 2:00s 1:00 S +-Rule Hungary 1950 only - Oct 23 2:00s 0 - +-Rule Hungary 1954 1955 - May 23 0:00 1:00 S +-Rule Hungary 1954 1955 - Oct 3 0:00 0 - +-Rule Hungary 1956 only - Jun Sun>=1 0:00 1:00 S +-Rule Hungary 1956 only - Sep lastSun 0:00 0 - +-Rule Hungary 1957 only - Jun Sun>=1 1:00 1:00 S +-Rule Hungary 1957 only - Sep lastSun 3:00 0 - +-Rule Hungary 1980 only - Apr 6 1:00 1:00 S ++Rule Hungary 1947 1949 - Oct Sun>=1 2:00s 0 - ++# https://library.hungaricana.hu/hu/view/DTT_KOZL_TanacsokKozlonye_1954/?pg=513 ++Rule Hungary 1954 only - May 23 0:00 1:00 S ++Rule Hungary 1954 only - Oct 3 0:00 0 - ++# https://library.hungaricana.hu/hu/view/DTT_KOZL_TanacsokKozlonye_1955/?pg=398 ++Rule Hungary 1955 only - May 22 2:00 1:00 S ++Rule Hungary 1955 only - Oct 2 3:00 0 - ++# https://library.hungaricana.hu/hu/view/HevesMegyeiNepujsag_1956_06/?pg=0 ++# https://library.hungaricana.hu/hu/view/EszakMagyarorszag_1956_06/?pg=6 ++# https://library.hungaricana.hu/hu/view/SzolnokMegyeiNeplap_1957_04/?pg=120 ++# https://library.hungaricana.hu/hu/view/PestMegyeiHirlap_1957_09/?pg=143 ++Rule Hungary 1956 1957 - Jun Sun>=1 2:00 1:00 S ++Rule Hungary 1956 1957 - Sep lastSun 3:00 0 - ++# https://library.hungaricana.hu/hu/view/DTT_KOZL_TanacsokKozlonye_1980/?pg=1227 ++Rule Hungary 1980 only - Apr 6 0:00 1:00 S ++Rule Hungary 1980 only - Sep 28 1:00 0 - ++# https://library.hungaricana.hu/hu/view/Delmagyarorszag_1981_01/?pg=79 ++# https://library.hungaricana.hu/hu/view/DTT_KOZL_TanacsokKozlonye_1982/?pg=115 ++# https://library.hungaricana.hu/hu/view/DTT_KOZL_TanacsokKozlonye_1983/?pg=85 ++Rule Hungary 1981 1983 - Mar lastSun 0:00 1:00 S ++Rule Hungary 1981 1983 - Sep lastSun 1:00 0 - ++# + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone Europe/Budapest 1:16:20 - LMT 1890 Oct ++Zone Europe/Budapest 1:16:20 - LMT 1890 Nov 1 + 1:00 C-Eur CE%sT 1918 +- 1:00 Hungary CE%sT 1941 Apr 8 ++# https://library.hungaricana.hu/hu/view/OGYK_RT_1941/?pg=1204 ++ 1:00 Hungary CE%sT 1941 Apr 7 23:00 + 1:00 C-Eur CE%sT 1945 +- 1:00 Hungary CE%sT 1980 Sep 28 2:00s ++ 1:00 Hungary CE%sT 1984 + 1:00 EU CE%sT + + # Iceland +@@ -1601,7 +1678,7 @@ + # The information below is taken from the 1988 Almanak; see + # http://www.almanak.hi.is/klukkan.html + # +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Iceland 1917 1919 - Feb 19 23:00 1:00 - + Rule Iceland 1917 only - Oct 21 1:00 0 - + Rule Iceland 1918 1919 - Nov 16 1:00 0 - +@@ -1693,7 +1770,7 @@ + # to 1944-06-04; although Rome was an open city during this period, it + # was effectively controlled by Germany. + # +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Italy 1916 only - Jun 3 24:00 1:00 S + Rule Italy 1916 1917 - Sep 30 24:00 0 - + Rule Italy 1917 only - Mar 31 24:00 1:00 S +@@ -1803,7 +1880,7 @@ + # urged Lithuania and Estonia to adopt a similar time policy, but it + # appears that they will not do so.... + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Latvia 1989 1996 - Mar lastSun 2:00s 1:00 S + Rule Latvia 1989 1996 - Sep lastSun 2:00s 0 - + +@@ -1896,7 +1973,7 @@ + # Luxembourg + # Whitman disagrees with most of these dates in minor ways; + # go with Shanks & Pottenger. +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Lux 1916 only - May 14 23:00 1:00 S + Rule Lux 1916 only - Oct 1 1:00 0 - + Rule Lux 1917 only - Apr 28 23:00 1:00 S +@@ -1937,7 +2014,7 @@ + # From Paul Eggert (2016-10-21): + # Assume 1900-1972 was like Rome, overriding Shanks. + # +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Malta 1973 only - Mar 31 0:00s 1:00 S + Rule Malta 1973 only - Sep 29 0:00s 0 - + Rule Malta 1974 only - Apr 21 0:00s 1:00 S +@@ -2010,7 +2087,7 @@ + # says the 2014-03-30 spring-forward transition was at 02:00 local time. + # Guess that since 1997 Moldova has switched one hour before the EU. + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Moldova 1997 max - Mar lastSun 2:00 1:00 S + Rule Moldova 1997 max - Oct lastSun 3:00 0 - + +@@ -2028,11 +2105,24 @@ + 2:00 Moldova EE%sT + + # Monaco +-# Shanks & Pottenger give 0:09:20 for Paris Mean Time; go with Howse's +-# more precise 0:09:21. ++# ++# From Michael Deckers (2020-06-12): ++# In the "Journal de Monaco" of 1892-05-24, online at ++# https://journaldemonaco.gouv.mc/var/jdm/storage/original/application/b1c67c12c5af11b41ea888fb048e4fe8.pdf ++# we read: ... ++# [In virtue of a Sovereign Ordinance of the May 13 of the current [year], ++# legal time in the Principality will be set to, from the date of June 1, ++# 1892 onwards, to the meridian of Paris, as in France.] ++# In the "Journal de Monaco" of 1911-03-28, online at ++# https://journaldemonaco.gouv.mc/var/jdm/storage/original/application/de74ffb7db53d4f599059fe8f0ed482a.pdf ++# we read an ordinance of 1911-03-16: ... ++# [Legal time in the Principality will be set, from the date of promulgation ++# of the present ordinance, to legal time in France.... Consequently, legal ++# time will be retarded by 9 minutes and 21 seconds.] ++# + # Zone NAME STDOFF RULES FORMAT [UNTIL] +-Zone Europe/Monaco 0:29:32 - LMT 1891 Mar 15 +- 0:09:21 - PMT 1911 Mar 11 # Paris Mean Time ++Zone Europe/Monaco 0:29:32 - LMT 1892 Jun 1 ++ 0:09:21 - PMT 1911 Mar 29 # Paris Mean Time + 0:00 France WE%sT 1945 Sep 16 3:00 + 1:00 France CE%sT 1977 + 1:00 EU CE%sT +@@ -2080,7 +2170,7 @@ + # The data entries before 1945 are taken from + # https://www.staff.science.uu.nl/~gent0113/wettijd/wettijd.htm + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Neth 1916 only - May 1 0:00 1:00 NST # Netherlands Summer Time + Rule Neth 1916 only - Oct 1 0:00 0 AMT # Amsterdam Mean Time + Rule Neth 1917 only - Apr 16 2:00s 1:00 NST +@@ -2117,7 +2207,7 @@ + # Norway + # http://met.no/met/met_lex/q_u/sommertid.html (2004-01) agrees with Shanks & + # Pottenger. +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Norway 1916 only - May 22 1:00 1:00 S + Rule Norway 1916 only - Sep 30 0:00 0 - + Rule Norway 1945 only - Apr 2 2:00s 1:00 S +@@ -2186,7 +2276,7 @@ + # The 1919 dates and times can be found in Tygodnik Urzędowy nr 1 (1919-03-20), + # pp 1-2. + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Poland 1918 1919 - Sep 16 2:00s 0 - + Rule Poland 1919 only - Apr 15 2:00s 1:00 S + Rule Poland 1944 only - Apr 3 2:00s 1:00 S +@@ -2257,7 +2347,7 @@ + # Guess that the Azores changed to EU rules in 1992 (since that's when Portugal + # harmonized with EU rules), and that they stayed +0:00 that winter. + # +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + # DSH writes that despite Decree 1,469 (1915), the change to the clocks was not + # done every year, depending on what Spain did, because of railroad schedules. + # Go with Shanks & Pottenger. +@@ -2370,7 +2460,7 @@ + # assume that Romania and Moldova switched to EU rules in 1997, + # the same year as Bulgaria. + # +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Romania 1932 only - May 21 0:00s 1:00 S + Rule Romania 1932 1939 - Oct Sun>=1 0:00s 0 - + Rule Romania 1933 1939 - Apr Sun>=2 0:00s 1:00 S +@@ -3468,14 +3558,14 @@ + # fallback transition from the next day's 00:59... to 00:00. + + # From Michael Deckers (2016-12-15): +-# The Royal Decree of 1900-06-26 quoted by Planesas, online at ++# The Royal Decree of 1900-07-26 quoted by Planesas, online at + # https://www.boe.es/datos/pdfs/BOE//1900/209/A00383-00384.pdf + # says in its article 5 (my translation): + # These dispositions will enter into force beginning with the + # instant at which, according to the time indicated in article 1, + # the 1st day of January of 1901 will begin. + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Spain 1918 only - Apr 15 23:00 1:00 S + Rule Spain 1918 1919 - Oct 6 24:00s 0 - + Rule Spain 1919 only - Apr 6 23:00 1:00 S +@@ -3612,7 +3702,7 @@ + # By the end of the 18th century clocks and watches became commonplace + # and their performance improved enormously. Communities began to keep + # mean time in preference to apparent time - Geneva from 1780 .... +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + # From Whitman (who writes "Midnight?"): + # Rule Swiss 1940 only - Nov 2 0:00 1:00 S + # Rule Swiss 1940 only - Dec 31 0:00 0 - +@@ -3699,7 +3789,7 @@ + # 1853-07-16, though it probably occurred at some other date in Zurich, and + # legal civil time probably changed at still some other transition date. + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Swiss 1941 1942 - May Mon>=1 1:00 1:00 S + Rule Swiss 1941 1942 - Oct Mon>=1 2:00 0 - + # Zone NAME STDOFF RULES FORMAT [UNTIL] +@@ -3848,7 +3938,7 @@ + # Although Google Translate misfires on that source, it looks like + # Turkey reversed last month's decision, and so will stay at +03. + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Turkey 1916 only - May 1 0:00 1:00 S + Rule Turkey 1916 only - Oct 1 0:00 0 - + Rule Turkey 1920 only - Mar 28 0:00 1:00 S +@@ -4006,7 +4096,7 @@ + 2:00 1:00 EEST 1991 Sep 29 3:00 + 2:00 E-Eur EE%sT 1995 + 2:00 EU EE%sT +-# Ruthenia used CET 1990/1991. ++# Transcarpathia used CET 1990/1991. + # "Uzhhorod" is the transliteration of the Rusyn/Ukrainian pronunciation, but + # "Uzhgorod" is more common in English. + Zone Europe/Uzhgorod 1:29:12 - LMT 1890 Oct +diff --git a/make/data/tzdata/leapseconds b/make/data/tzdata/leapseconds +--- a/make/data/tzdata/leapseconds ++++ b/make/data/tzdata/leapseconds +@@ -91,11 +91,11 @@ + # Any additional leap seconds will come after this. + # This Expires line is commented out for now, + # so that pre-2020a zic implementations do not reject this file. +-#Expires 2020 Dec 28 00:00:00 ++#Expires 2021 Jun 28 00:00:00 + + # POSIX timestamps for the data in this file: + #updated 1467936000 (2016-07-08 00:00:00 UTC) +-#expires 1609113600 (2020-12-28 00:00:00 UTC) ++#expires 1624838400 (2021-06-28 00:00:00 UTC) + +-# Updated through IERS Bulletin C59 +-# File expires on: 28 December 2020 ++# Updated through IERS Bulletin C60 ++# File expires on: 28 June 2021 +diff --git a/make/data/tzdata/northamerica b/make/data/tzdata/northamerica +--- a/make/data/tzdata/northamerica ++++ b/make/data/tzdata/northamerica +@@ -193,7 +193,7 @@ + # U.S. government action. So even though the "US" rules have changed + # in the latest release, other countries won't be affected. + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule US 1918 1919 - Mar lastSun 2:00 1:00 D + Rule US 1918 1919 - Oct lastSun 2:00 0 S + Rule US 1942 only - Feb 9 2:00 1:00 W # War +@@ -370,7 +370,7 @@ + # Eastern time (i.e., -4:56:01.6) just before the 1883 switch. Round to the + # nearest second. + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER ++# Rule NAME FROM TO - IN ON AT SAVE LETTER + Rule NYC 1920 only - Mar lastSun 2:00 1:00 D + Rule NYC 1920 only - Oct lastSun 2:00 0 S + Rule NYC 1921 1966 - Apr lastSun 2:00 1:00 D +@@ -454,7 +454,7 @@ + # The Tennessean 2007-05-11, republished 2015-04-06. + # https://www.tennessean.com/story/insider/extras/2015/04/06/archives-seigenthaler-for-100-years-the-tennessean-had-it-covered/25348545/ + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER ++# Rule NAME FROM TO - IN ON AT SAVE LETTER + Rule Chicago 1920 only - Jun 13 2:00 1:00 D + Rule Chicago 1920 1921 - Oct lastSun 2:00 0 S + Rule Chicago 1921 only - Mar lastSun 2:00 1:00 D +@@ -523,7 +523,7 @@ + # El Paso Times. 2018-10-24 06:40 -06. + # https://www.elpasotimes.com/story/news/local/el-paso/2018/10/24/el-pasoans-were-time-rebels-fought-stay-mountain-zone/1744509002/ + # +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER ++# Rule NAME FROM TO - IN ON AT SAVE LETTER + Rule Denver 1920 1921 - Mar lastSun 2:00 1:00 D + Rule Denver 1920 only - Oct lastSun 2:00 0 S + Rule Denver 1921 only - May 22 2:00 0 S +@@ -576,7 +576,7 @@ + # https://repository.uchastings.edu/cgi/viewcontent.cgi?article=1501&context=ca_ballot_props + # https://repository.uchastings.edu/cgi/viewcontent.cgi?article=1636&context=ca_ballot_props + # +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER ++# Rule NAME FROM TO - IN ON AT SAVE LETTER + Rule CA 1948 only - Mar 14 2:01 1:00 D + Rule CA 1949 only - Jan 1 2:00 0 S + Rule CA 1950 1966 - Apr lastSun 1:00 1:00 D +@@ -934,7 +934,7 @@ + # going to switch from Central to Eastern Time on March 11, 2007.... + # http://www.indystar.com/apps/pbcs.dll/article?AID=/20070207/LOCAL190108/702070524/0/LOCAL + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER ++# Rule NAME FROM TO - IN ON AT SAVE LETTER + Rule Indianapolis 1941 only - Jun 22 2:00 1:00 D + Rule Indianapolis 1941 1954 - Sep lastSun 2:00 0 S + Rule Indianapolis 1946 1954 - Apr lastSun 2:00 1:00 D +@@ -953,7 +953,7 @@ + # + # Eastern Crawford County, Indiana, left its clocks alone in 1974, + # as well as from 1976 through 2005. +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER ++# Rule NAME FROM TO - IN ON AT SAVE LETTER + Rule Marengo 1951 only - Apr lastSun 2:00 1:00 D + Rule Marengo 1951 only - Sep lastSun 2:00 0 S + Rule Marengo 1954 1960 - Apr lastSun 2:00 1:00 D +@@ -972,7 +972,7 @@ + # Daviess, Dubois, Knox, and Martin Counties, Indiana, + # switched from eastern to central time in April 2006, then switched back + # in November 2007. +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER ++# Rule NAME FROM TO - IN ON AT SAVE LETTER + Rule Vincennes 1946 only - Apr lastSun 2:00 1:00 D + Rule Vincennes 1946 only - Sep lastSun 2:00 0 S + Rule Vincennes 1953 1954 - Apr lastSun 2:00 1:00 D +@@ -997,7 +997,7 @@ + # The Indianapolis News, Friday 27 October 1967 states that Perry County + # returned to CST. It went again to EST on 27 April 1969, as documented by the + # Indianapolis star of Saturday 26 April. +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER ++# Rule NAME FROM TO - IN ON AT SAVE LETTER + Rule Perry 1955 only - May 1 0:00 1:00 D + Rule Perry 1955 1960 - Sep lastSun 2:00 0 S + Rule Perry 1956 1963 - Apr lastSun 2:00 1:00 D +@@ -1014,7 +1014,7 @@ + # + # Pike County, Indiana moved from central to eastern time in 1977, + # then switched back in 2006, then switched back again in 2007. +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER ++# Rule NAME FROM TO - IN ON AT SAVE LETTER + Rule Pike 1955 only - May 1 0:00 1:00 D + Rule Pike 1955 1960 - Sep lastSun 2:00 0 S + Rule Pike 1956 1964 - Apr lastSun 2:00 1:00 D +@@ -1035,7 +1035,7 @@ + # An article on page A3 of the Sunday, 1991-10-27 Washington Post + # notes that Starke County switched from Central time to Eastern time as of + # 1991-10-27. +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER ++# Rule NAME FROM TO - IN ON AT SAVE LETTER + Rule Starke 1947 1961 - Apr lastSun 2:00 1:00 D + Rule Starke 1947 1954 - Sep lastSun 2:00 0 S + Rule Starke 1955 1956 - Oct lastSun 2:00 0 S +@@ -1052,7 +1052,7 @@ + # + # Pulaski County, Indiana, switched from eastern to central time in + # April 2006 and then switched back in March 2007. +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER ++# Rule NAME FROM TO - IN ON AT SAVE LETTER + Rule Pulaski 1946 1960 - Apr lastSun 2:00 1:00 D + Rule Pulaski 1946 1954 - Sep lastSun 2:00 0 S + Rule Pulaski 1955 1956 - Oct lastSun 2:00 0 S +@@ -1094,7 +1094,7 @@ + # + # Part of Kentucky left its clocks alone in 1974. + # This also includes Clark, Floyd, and Harrison counties in Indiana. +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER ++# Rule NAME FROM TO - IN ON AT SAVE LETTER + Rule Louisville 1921 only - May 1 2:00 1:00 D + Rule Louisville 1921 only - Sep 1 2:00 0 S + Rule Louisville 1941 only - Apr lastSun 2:00 1:00 D +@@ -1208,7 +1208,7 @@ + # election Michigan voters narrowly repealed DST, effective 1969. + # + # Most of Michigan observed DST from 1973 on, but was a bit late in 1975. +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER ++# Rule NAME FROM TO - IN ON AT SAVE LETTER + Rule Detroit 1948 only - Apr lastSun 2:00 1:00 D + Rule Detroit 1948 only - Sep lastSun 2:00 0 S + # Zone NAME STDOFF RULES FORMAT [UNTIL] +@@ -1225,7 +1225,7 @@ + # + # Dickinson, Gogebic, Iron, and Menominee Counties, Michigan, + # switched from EST to CST/CDT in 1973. +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER ++# Rule NAME FROM TO - IN ON AT SAVE LETTER + Rule Menominee 1946 only - Apr lastSun 2:00 1:00 D + Rule Menominee 1946 only - Sep lastSun 2:00 0 S + Rule Menominee 1966 only - Apr lastSun 2:00 1:00 D +@@ -1395,7 +1395,7 @@ + # Oct 31, to Oct 27, 1918 (and Sunday is a more likely transition day + # than Thursday) in all Canadian rulesets. + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Canada 1918 only - Apr 14 2:00 1:00 D + Rule Canada 1918 only - Oct 27 2:00 0 S + Rule Canada 1942 only - Feb 9 2:00 1:00 W # War +@@ -1418,7 +1418,7 @@ + # that follows the rules is the southeast corner, including Port Hope + # Simpson and Mary's Harbour, but excluding, say, Black Tickle. + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule StJohns 1917 only - Apr 8 2:00 1:00 D + Rule StJohns 1917 only - Sep 17 2:00 0 S + # Whitman gives 1919 Apr 5 and 1920 Apr 5; go with Shanks & Pottenger. +@@ -1520,7 +1520,7 @@ + # bill say that it is "accommodating the customs and practices" of those + # regions, which suggests that they have always been in-line with Halifax. + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Halifax 1916 only - Apr 1 0:00 1:00 D + Rule Halifax 1916 only - Oct 1 0:00 0 S + Rule Halifax 1920 only - May 9 0:00 1:00 D +@@ -1586,7 +1586,7 @@ + # clear that this was the case since at least 1993. + # For now, assume it started in 1993. + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Moncton 1933 1935 - Jun Sun>=8 1:00 1:00 D + Rule Moncton 1933 1935 - Sep Sun>=8 1:00 0 S + Rule Moncton 1936 1938 - Jun Sun>=1 1:00 1:00 D +@@ -1795,7 +1795,7 @@ + # With some exceptions, the use of daylight saving may be said to be limited + # to those cities and towns lying between Quebec city and Windsor, Ont. + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Toronto 1919 only - Mar 30 23:30 1:00 D + Rule Toronto 1919 only - Oct 26 0:00 0 S + Rule Toronto 1920 only - May 2 2:00 1:00 D +@@ -1893,7 +1893,7 @@ + # starting 1966. Since 02:00s is clearly correct for 1967 on, assume + # it was also 02:00s in 1966. + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Winn 1916 only - Apr 23 0:00 1:00 D + Rule Winn 1916 only - Sep 17 0:00 0 S + Rule Winn 1918 only - Apr 14 2:00 1:00 D +@@ -1984,7 +1984,7 @@ + # long and rather painful to read. + # http://www.qp.gov.sk.ca/documents/English/Statutes/Statutes/T14.pdf + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Regina 1918 only - Apr 14 2:00 1:00 D + Rule Regina 1918 only - Oct 27 2:00 0 S + Rule Regina 1930 1934 - May Sun>=1 0:00 1:00 D +@@ -2034,7 +2034,7 @@ + # Boyer JP. Forcing Choice: The Risky Reward of Referendums. Dundum. 2017. + # ISBN 978-1459739123. + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Edm 1918 1919 - Apr Sun>=8 2:00 1:00 D + Rule Edm 1918 only - Oct 27 2:00 0 S + Rule Edm 1919 only - May 27 2:00 0 S +@@ -2143,7 +2143,7 @@ + # https://searcharchives.vancouver.ca/daylight-saving-1918-starts-again-july-7-1941-start-d-s-sept-27-end-of-d-s-1941 + # We have no further details, so omit them for now. + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Vanc 1918 only - Apr 14 2:00 1:00 D + Rule Vanc 1918 only - Oct 27 2:00 0 S + Rule Vanc 1942 only - Feb 9 2:00 1:00 W # War +@@ -2472,7 +2472,19 @@ + # consistency with nearby Dawson Creek, Creston, and Fort Nelson. + # https://yukon.ca/en/news/yukon-end-seasonal-time-change + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# From Andrew G. Smith (2020-09-24): ++# Yukon has completed its regulatory change to be on UTC -7 year-round.... ++# http://www.gov.yk.ca/legislation/regs/oic2020_125.pdf ++# What we have done is re-defined Yukon Standard Time, as we are ++# authorized to do under section 33 of our Interpretation Act: ++# http://www.gov.yk.ca/legislation/acts/interpretation_c.pdf ++# ++# From Paul Eggert (2020-09-24): ++# tzdb uses the obsolete YST abbreviation for standard time in Yukon through ++# about 1970, and uses PST for standard time in Yukon since then. Consistent ++# with that, use MST for -07, the new standard time in Yukon effective Nov. 1. ++ ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule NT_YK 1918 only - Apr 14 2:00 1:00 D + Rule NT_YK 1918 only - Oct 27 2:00 0 S + Rule NT_YK 1919 only - May 25 2:00 1:00 D +@@ -2526,12 +2538,12 @@ + Zone America/Whitehorse -9:00:12 - LMT 1900 Aug 20 + -9:00 NT_YK Y%sT 1967 May 28 0:00 + -8:00 NT_YK P%sT 1980 +- -8:00 Canada P%sT 2020 Mar 8 2:00 ++ -8:00 Canada P%sT 2020 Nov 1 + -7:00 - MST + Zone America/Dawson -9:17:40 - LMT 1900 Aug 20 + -9:00 NT_YK Y%sT 1973 Oct 28 0:00 + -8:00 NT_YK P%sT 1980 +- -8:00 Canada P%sT 2020 Mar 8 2:00 ++ -8:00 Canada P%sT 2020 Nov 1 + -7:00 - MST + + +@@ -2746,7 +2758,7 @@ + # 5- The islands, reefs and keys shall take their timezone from the + # longitude they are located at. + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Mexico 1939 only - Feb 5 0:00 1:00 D + Rule Mexico 1939 only - Jun 25 0:00 0 S + Rule Mexico 1940 only - Dec 9 0:00 1:00 D +@@ -2951,7 +2963,7 @@ + # rules to sync with the U.S. starting in 2007.... + # http://www.jonesbahamas.com/?c=45&a=10412 + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Bahamas 1964 1975 - Oct lastSun 2:00 0 S + Rule Bahamas 1964 1975 - Apr lastSun 2:00 1:00 D + # Zone NAME STDOFF RULES FORMAT [UNTIL] +@@ -2963,7 +2975,7 @@ + + # For 1899 Milne gives -3:58:29.2; round that. + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Barb 1977 only - Jun 12 2:00 1:00 D + Rule Barb 1977 1978 - Oct Sun>=1 2:00 0 S + Rule Barb 1978 1980 - Apr Sun>=15 2:00 1:00 D +@@ -2976,7 +2988,7 @@ + + # Belize + # Whitman entirely disagrees with Shanks; go with Shanks & Pottenger. +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Belize 1918 1942 - Oct Sun>=2 0:00 0:30 -0530 + Rule Belize 1919 1943 - Feb Sun>=9 0:00 0 CST + Rule Belize 1973 only - Dec 5 0:00 1:00 CDT +@@ -3013,7 +3025,7 @@ + + # Milne gives -5:36:13.3 as San José mean time; round to nearest. + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule CR 1979 1980 - Feb lastSun 0:00 1:00 D + Rule CR 1979 1980 - Jun Sun>=1 0:00 0 S + Rule CR 1991 1992 - Jan Sat>=15 0:00 1:00 D +@@ -3187,7 +3199,7 @@ + # From Paul Eggert (2012-11-03): + # For now, assume the future rule is first Sunday in November. + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Cuba 1928 only - Jun 10 0:00 1:00 D + Rule Cuba 1928 only - Oct 10 0:00 0 S + Rule Cuba 1940 1942 - Jun Sun>=1 0:00 1:00 D +@@ -3256,7 +3268,7 @@ + # decided to revert. + + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule DR 1966 only - Oct 30 0:00 1:00 EDT + Rule DR 1967 only - Feb 28 0:00 0 EST + Rule DR 1969 1973 - Oct lastSun 0:00 0:30 -0430 +@@ -3273,7 +3285,7 @@ + + # El Salvador + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Salv 1987 1988 - May Sun>=1 0:00 1:00 D + Rule Salv 1987 1988 - Sep lastSun 0:00 0 S + # There are too many San Salvadors elsewhere, so use America/El_Salvador +@@ -3302,7 +3314,7 @@ + # (2006-04-19), says DST ends at 24:00. See + # http://www.sieca.org.gt/Sitio_publico/Energeticos/Doc/Medidas/Cambio_Horario_Nac_190406.pdf + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Guat 1973 only - Nov 25 0:00 1:00 D + Rule Guat 1974 only - Feb 24 0:00 0 S + Rule Guat 1983 only - May 21 0:00 1:00 D +@@ -3383,7 +3395,7 @@ + # I have not been able to find a more authoritative source: + # https://www.haitilibre.com/en/news-20319-haiti-notices-time-change-in-haiti.html + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Haiti 1983 only - May 8 0:00 1:00 D + Rule Haiti 1984 1987 - Apr lastSun 0:00 1:00 D + Rule Haiti 1983 1987 - Oct lastSun 0:00 0 S +@@ -3431,7 +3443,7 @@ + # http://www.laprensahn.com/pais_nota.php?id04962=7386 + # So it seems that Honduras will not enter DST this year.... + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Hond 1987 1988 - May Sun>=1 0:00 1:00 D + Rule Hond 1987 1988 - Sep lastSun 0:00 0 S + Rule Hond 2006 only - May Sun>=1 0:00 1:00 D +@@ -3522,7 +3534,7 @@ + # The natural sun time is restored in all the national territory, in that the + # time is returned one hour at 01:00 am of October 1 of 2006. + # +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Nic 1979 1980 - Mar Sun>=16 0:00 1:00 D + Rule Nic 1979 1980 - Jun Mon>=23 0:00 0 S + Rule Nic 2005 only - Apr 10 0:00 1:00 D +diff --git a/make/data/tzdata/pacificnew b/make/data/tzdata/pacificnew +deleted file mode 100644 +--- a/make/data/tzdata/pacificnew ++++ /dev/null +@@ -1,52 +0,0 @@ +-# +-# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. +-# +-# This code is free software; you can redistribute it and/or modify it +-# under the terms of the GNU General Public License version 2 only, as +-# published by the Free Software Foundation. Oracle designates this +-# particular file as subject to the "Classpath" exception as provided +-# by Oracle in the LICENSE file that accompanied this code. +-# +-# This code is distributed in the hope that it will be useful, but WITHOUT +-# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +-# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +-# version 2 for more details (a copy is included in the LICENSE file that +-# accompanied this code). +-# +-# You should have received a copy of the GNU General Public License version +-# 2 along with this work; if not, write to the Free Software Foundation, +-# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. +-# +-# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA +-# or visit www.oracle.com if you need additional information or have any +-# questions. +-# +-# tzdb data for proposed US election time (this file is obsolete) +- +-# This file is in the public domain, so clarified as of +-# 2009-05-17 by Arthur David Olson. +- +-# From Arthur David Olson (1989-04-05): +-# On 1989-04-05, the U. S. House of Representatives passed (238-154) a bill +-# establishing "Pacific Presidential Election Time"; it was not acted on +-# by the Senate or signed into law by the President. +-# You might want to change the "PE" (Presidential Election) below to +-# "Q" (Quadrennial) to maintain three-character zone abbreviations. +-# If you're really conservative, you might want to change it to "D". +-# Avoid "L" (Leap Year), which won't be true in 2100. +- +-# If Presidential Election Time is ever established, replace "XXXX" below +-# with the year the law takes effect and uncomment the "##" lines. +- +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S +-## Rule Twilite XXXX max - Apr Sun>=1 2:00 1:00 D +-## Rule Twilite XXXX max uspres Oct lastSun 2:00 1:00 PE +-## Rule Twilite XXXX max uspres Nov Sun>=7 2:00 0 S +-## Rule Twilite XXXX max nonpres Oct lastSun 2:00 0 S +- +-# Zone NAME STDOFF RULES/SAVE FORMAT [UNTIL] +-## Zone America/Los_Angeles-PET -8:00 US P%sT XXXX +-## -8:00 Twilite P%sT +- +-# For now... +-Link America/Los_Angeles US/Pacific-New ## +diff --git a/make/data/tzdata/southamerica b/make/data/tzdata/southamerica +--- a/make/data/tzdata/southamerica ++++ b/make/data/tzdata/southamerica +@@ -71,7 +71,7 @@ + # I am sending modifications to the Argentine time zone table... + # AR was chosen because they are the ISO letters that represent Argentina. + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Arg 1930 only - Dec 1 0:00 1:00 - + Rule Arg 1931 only - Apr 1 0:00 0 - + Rule Arg 1931 only - Oct 15 0:00 1:00 - +@@ -792,7 +792,7 @@ + # From Paul Eggert (2013-10-17): + # For now, assume western Amazonas will change as well. + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + # Decree 20,466 (1931-10-01) + # Decree 21,896 (1932-01-10) + Rule Brazil 1931 only - Oct 3 11:00 1:00 - +@@ -1281,7 +1281,7 @@ + # For now, assume that they will not revert, + # since they have extended the expiration date once already. + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Chile 1927 1931 - Sep 1 0:00 1:00 - + Rule Chile 1928 1932 - Apr 1 0:00 0 - + Rule Chile 1968 only - Nov 3 4:00u 1:00 - +@@ -1381,7 +1381,7 @@ + # Milne gives 4:56:16.4 for Bogotá time in 1899; round to nearest. He writes, + # "A variation of fifteen minutes in the public clocks of Bogota is not rare." + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule CO 1992 only - May 3 0:00 1:00 - + Rule CO 1993 only - Apr 4 0:00 0 - + # Zone NAME STDOFF RULES FORMAT [UNTIL] +@@ -1441,7 +1441,7 @@ + # (Not one step back), the clocks went back in 1993 and the experiment was not + # repeated. For now, assume transitions were at 00:00 local time country-wide. + # +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Ecuador 1992 only - Nov 28 0:00 1:00 - + Rule Ecuador 1993 only - Feb 5 0:00 0 - + # +@@ -1535,7 +1535,7 @@ + # For now we will assume permanent -03 for the Falklands + # until advised differently (to apply for 2012 and beyond, after the 2011 + # experiment was apparently successful.) +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Falk 1937 1938 - Sep lastSun 0:00 1:00 - + Rule Falk 1938 1942 - Mar Sun>=19 0:00 0 - + Rule Falk 1939 only - Oct 1 0:00 1:00 - +@@ -1581,7 +1581,7 @@ + # No time of the day is established for the adjustment, so people normally + # adjust their clocks at 0 hour of the given dates. + # +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Para 1975 1988 - Oct 1 0:00 1:00 - + Rule Para 1975 1978 - Mar 1 0:00 0 - + Rule Para 1979 1991 - Apr 1 0:00 0 - +@@ -1674,7 +1674,7 @@ + # From Paul Eggert (2006-03-22): + # Shanks & Pottenger don't have this transition. Assume 1986 was like 1987. + +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Peru 1938 only - Jan 1 0:00 1:00 - + Rule Peru 1938 only - Apr 1 0:00 0 - + Rule Peru 1938 1939 - Sep lastSun 0:00 1:00 - +@@ -1770,7 +1770,7 @@ + # https://www.impo.com.uy/diariooficial/1926/03/10/2 + # https://www.impo.com.uy/diariooficial/1926/03/18/2 + # +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S ++# Rule NAME FROM TO - IN ON AT SAVE LETTER/S + Rule Uruguay 1923 1925 - Oct 1 0:00 0:30 - + Rule Uruguay 1924 1926 - Apr 1 0:00 0 - + # From Tim Parenti (2018-02-15): +diff --git a/make/data/tzdata/systemv b/make/data/tzdata/systemv +deleted file mode 100644 +--- a/make/data/tzdata/systemv ++++ /dev/null +@@ -1,62 +0,0 @@ +-# +-# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. +-# +-# This code is free software; you can redistribute it and/or modify it +-# under the terms of the GNU General Public License version 2 only, as +-# published by the Free Software Foundation. Oracle designates this +-# particular file as subject to the "Classpath" exception as provided +-# by Oracle in the LICENSE file that accompanied this code. +-# +-# This code is distributed in the hope that it will be useful, but WITHOUT +-# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +-# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License +-# version 2 for more details (a copy is included in the LICENSE file that +-# accompanied this code). +-# +-# You should have received a copy of the GNU General Public License version +-# 2 along with this work; if not, write to the Free Software Foundation, +-# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. +-# +-# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA +-# or visit www.oracle.com if you need additional information or have any +-# questions. +-# +-# tzdb data for System V rules (this file is obsolete) +- +-# This file is in the public domain, so clarified as of +-# 2009-05-17 by Arthur David Olson. +- +-# Old rules, should the need arise. +-# No attempt is made to handle Newfoundland, since it cannot be expressed +-# using the System V "TZ" scheme (half-hour offset), or anything outside +-# North America (no support for non-standard DST start/end dates), nor +-# the changes in the DST rules in the US after 1976 (which occurred after +-# the old rules were written). +-# +-# If you need the old rules, uncomment ## lines. +-# Compile this *without* leap second correction for true conformance. +- +-# Rule NAME FROM TO TYPE IN ON AT SAVE LETTER/S +-Rule SystemV min 1973 - Apr lastSun 2:00 1:00 D +-Rule SystemV min 1973 - Oct lastSun 2:00 0 S +-Rule SystemV 1974 only - Jan 6 2:00 1:00 D +-Rule SystemV 1974 only - Nov lastSun 2:00 0 S +-Rule SystemV 1975 only - Feb 23 2:00 1:00 D +-Rule SystemV 1975 only - Oct lastSun 2:00 0 S +-Rule SystemV 1976 max - Apr lastSun 2:00 1:00 D +-Rule SystemV 1976 max - Oct lastSun 2:00 0 S +- +-# Zone NAME STDOFF RULES/SAVE FORMAT [UNTIL] +-## Zone SystemV/AST4ADT -4:00 SystemV A%sT +-## Zone SystemV/EST5EDT -5:00 SystemV E%sT +-## Zone SystemV/CST6CDT -6:00 SystemV C%sT +-## Zone SystemV/MST7MDT -7:00 SystemV M%sT +-## Zone SystemV/PST8PDT -8:00 SystemV P%sT +-## Zone SystemV/YST9YDT -9:00 SystemV Y%sT +-## Zone SystemV/AST4 -4:00 - AST +-## Zone SystemV/EST5 -5:00 - EST +-## Zone SystemV/CST6 -6:00 - CST +-## Zone SystemV/MST7 -7:00 - MST +-## Zone SystemV/PST8 -8:00 - PST +-## Zone SystemV/YST9 -9:00 - YST +-## Zone SystemV/HST10 -10:00 - HST +diff --git a/make/gendata/GendataTZDB.gmk b/make/gendata/GendataTZDB.gmk +--- a/make/gendata/GendataTZDB.gmk ++++ b/make/gendata/GendataTZDB.gmk +@@ -29,7 +29,7 @@ + # Time zone data file creation + # + TZDATA_DIR := $(TOPDIR)/make/data/tzdata +-TZDATA_TZFILE := africa antarctica asia australasia europe northamerica pacificnew southamerica backward etcetera gmt jdk11_backward ++TZDATA_TZFILE := africa antarctica asia australasia europe northamerica southamerica backward etcetera gmt jdk11_backward + TZDATA_TZFILES := $(addprefix $(TZDATA_DIR)/,$(TZDATA_TZFILE)) + + GENDATA_TZDB_DAT := $(SUPPORT_OUTPUTDIR)/modules_libs/$(MODULE)/tzdb.dat +diff --git a/src/java.base/aix/conf/tzmappings b/src/java.base/aix/conf/tzmappings +--- a/src/java.base/aix/conf/tzmappings ++++ b/src/java.base/aix/conf/tzmappings +@@ -568,7 +568,6 @@ + US/Michigan America/New_York + US/Mountain America/Denver + US/Pacific America/Los_Angeles +-US/Pacific-New America/Los_Angeles + US/Samoa Pacific/Pago_Pago + USAST-2 Africa/Johannesburg + USAST-2USADT Europe/Istanbul +diff --git a/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java b/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java +--- a/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java ++++ b/src/java.base/share/classes/sun/util/resources/TimeZoneNames.java +@@ -1063,7 +1063,6 @@ + {"US/Michigan", EST}, + {"US/Mountain", MST}, + {"US/Pacific", PST}, +- {"US/Pacific-New", PST}, + {"US/Samoa", SAMOA}, + {"VST", ICT}, + {"W-SU", MSK}, +diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_de.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_de.java +--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_de.java ++++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_de.java +@@ -1035,7 +1035,6 @@ + {"US/Michigan", EST}, + {"US/Mountain", MST}, + {"US/Pacific", PST}, +- {"US/Pacific-New", PST}, + {"US/Samoa", SAMOA}, + {"VST", ICT}, + {"W-SU", MSK}, +diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_es.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_es.java +--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_es.java ++++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_es.java +@@ -1035,7 +1035,6 @@ + {"US/Michigan", EST}, + {"US/Mountain", MST}, + {"US/Pacific", PST}, +- {"US/Pacific-New", PST}, + {"US/Samoa", SAMOA}, + {"VST", ICT}, + {"W-SU", MSK}, +diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_fr.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_fr.java +--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_fr.java ++++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_fr.java +@@ -1035,7 +1035,6 @@ + {"US/Michigan", EST}, + {"US/Mountain", MST}, + {"US/Pacific", PST}, +- {"US/Pacific-New", PST}, + {"US/Samoa", SAMOA}, + {"VST", ICT}, + {"W-SU", MSK}, +diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_it.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_it.java +--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_it.java ++++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_it.java +@@ -1035,7 +1035,6 @@ + {"US/Michigan", EST}, + {"US/Mountain", MST}, + {"US/Pacific", PST}, +- {"US/Pacific-New", PST}, + {"US/Samoa", SAMOA}, + {"VST", ICT}, + {"W-SU", MSK}, +diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ja.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ja.java +--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ja.java ++++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ja.java +@@ -1035,7 +1035,6 @@ + {"US/Michigan", EST}, + {"US/Mountain", MST}, + {"US/Pacific", PST}, +- {"US/Pacific-New", PST}, + {"US/Samoa", SAMOA}, + {"VST", ICT}, + {"W-SU", MSK}, +diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ko.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ko.java +--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ko.java ++++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_ko.java +@@ -1035,7 +1035,6 @@ + {"US/Michigan", EST}, + {"US/Mountain", MST}, + {"US/Pacific", PST}, +- {"US/Pacific-New", PST}, + {"US/Samoa", SAMOA}, + {"VST", ICT}, + {"W-SU", MSK}, +diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_pt_BR.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_pt_BR.java +--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_pt_BR.java ++++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_pt_BR.java +@@ -1035,7 +1035,6 @@ + {"US/Michigan", EST}, + {"US/Mountain", MST}, + {"US/Pacific", PST}, +- {"US/Pacific-New", PST}, + {"US/Samoa", SAMOA}, + {"VST", ICT}, + {"W-SU", MSK}, +diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_sv.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_sv.java +--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_sv.java ++++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_sv.java +@@ -1035,7 +1035,6 @@ + {"US/Michigan", EST}, + {"US/Mountain", MST}, + {"US/Pacific", PST}, +- {"US/Pacific-New", PST}, + {"US/Samoa", SAMOA}, + {"VST", ICT}, + {"W-SU", MSK}, +diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_CN.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_CN.java +--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_CN.java ++++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_CN.java +@@ -1035,7 +1035,6 @@ + {"US/Michigan", EST}, + {"US/Mountain", MST}, + {"US/Pacific", PST}, +- {"US/Pacific-New", PST}, + {"US/Samoa", SAMOA}, + {"VST", ICT}, + {"W-SU", MSK}, +diff --git a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_TW.java b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_TW.java +--- a/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_TW.java ++++ b/src/jdk.localedata/share/classes/sun/util/resources/ext/TimeZoneNames_zh_TW.java +@@ -1037,7 +1037,6 @@ + {"US/Michigan", EST}, + {"US/Mountain", MST}, + {"US/Pacific", PST}, +- {"US/Pacific-New", PST}, + {"US/Samoa", SAMOA}, + {"VST", ICT}, + {"W-SU", MSK}, +diff --git a/test/jdk/java/time/test/java/time/format/ZoneName.java b/test/jdk/java/time/test/java/time/format/ZoneName.java +--- a/test/jdk/java/time/test/java/time/format/ZoneName.java ++++ b/test/jdk/java/time/test/java/time/format/ZoneName.java +@@ -589,7 +589,6 @@ + "US/Michigan", "America_Eastern", "America/New_York", + "US/Mountain", "America_Mountain", "America/Denver", + "US/Pacific", "America_Pacific", "America/Los_Angeles", +- "US/Pacific-New", "America_Pacific", "America/Los_Angeles", + "US/Samoa", "Samoa", "Pacific/Pago_Pago", + "W-SU", "Moscow", "Europe/Moscow", + +@@ -973,7 +972,6 @@ + "US/Michigan", "America/Detroit", + "US/Mountain", "America/Denver", + "US/Pacific", "America/Los_Angeles", +- "US/Pacific-New", "America/Los_Angeles", + "US/Samoa", "Pacific/Pago_Pago", + "UTC", "Etc/UTC", + "Universal", "Etc/UTC", +diff --git a/test/jdk/java/time/test/java/time/zone/TestZoneRules.java b/test/jdk/java/time/test/java/time/zone/TestZoneRules.java +--- a/test/jdk/java/time/test/java/time/zone/TestZoneRules.java ++++ b/test/jdk/java/time/test/java/time/zone/TestZoneRules.java +@@ -88,7 +88,7 @@ + {CASABLANCA, LocalDate.of(2019, 5, 6), ZoneOffset.ofHours(0), ZoneOffset.ofHours(0), false}, + {CASABLANCA, LocalDate.of(2037, 10, 5), ZoneOffset.ofHours(0), ZoneOffset.ofHours(0), false}, + {CASABLANCA, LocalDate.of(2037, 11, 16), ZoneOffset.ofHours(1), ZoneOffset.ofHours(0), true}, +- {CASABLANCA, LocalDate.of(2038, 11, 1), ZoneOffset.ofHours(1), ZoneOffset.ofHours(0), true}, ++ {CASABLANCA, LocalDate.of(2038, 11, 8), ZoneOffset.ofHours(1), ZoneOffset.ofHours(0), true}, + }; + } + +diff --git a/test/jdk/sun/util/calendar/zi/TestZoneInfo310.java b/test/jdk/sun/util/calendar/zi/TestZoneInfo310.java +--- a/test/jdk/sun/util/calendar/zi/TestZoneInfo310.java ++++ b/test/jdk/sun/util/calendar/zi/TestZoneInfo310.java +@@ -48,7 +48,7 @@ + String TESTDIR = System.getProperty("test.dir", "."); + Path tzdir = Paths.get(System.getProperty("test.root"), + "..", "..", "make", "data", "tzdata"); +- String tzfiles = "africa antarctica asia australasia europe northamerica pacificnew southamerica backward etcetera systemv gmt"; ++ String tzfiles = "africa antarctica asia australasia europe northamerica southamerica backward etcetera gmt"; + Path jdk_tzdir = Paths.get(System.getProperty("test.src"), "tzdata_jdk"); + String jdk_tzfiles = "jdk11_backward"; + String zidir = TESTDIR + File.separator + "zi"; +@@ -215,8 +215,9 @@ + + // test getAvailableIDs(raw); + zids_new = TimeZone.getAvailableIDs(-8 * 60 * 60 * 1000); +- //Arrays.sort(zids_new); ++ Arrays.sort(zids_new); + zids_old = ZoneInfoOld.getAvailableIDs(-8 * 60 * 60 * 1000); ++ Arrays.sort(zids_old); + if (!Arrays.equals(zids_new, zids_old)) { + System.out.println("------------------------"); + System.out.println("NEW.getAvailableIDs(-8:00)"); diff --git a/SOURCES/rh1566890-CVE_2018_3639-speculative_store_bypass.patch b/SOURCES/rh1566890-CVE_2018_3639-speculative_store_bypass.patch deleted file mode 100644 index bd52828..0000000 --- a/SOURCES/rh1566890-CVE_2018_3639-speculative_store_bypass.patch +++ /dev/null @@ -1,61 +0,0 @@ -diff --git openjdk/src/hotspot/os/linux/os_linux.cpp openjdk/src/hotspot/os/linux/os_linux.cpp ---- openjdk/src/hotspot/os/linux/os_linux.cpp -+++ openjdk/src/hotspot/os/linux/os_linux.cpp -@@ -107,6 +107,8 @@ - # include - # include - -+#include -+ - #ifndef _GNU_SOURCE - #define _GNU_SOURCE - #include -@@ -4984,6 +4986,48 @@ - extern void report_error(char* file_name, int line_no, char* title, - char* format, ...); - -+/* Per task speculation control */ -+#ifndef PR_GET_SPECULATION_CTRL -+# define PR_GET_SPECULATION_CTRL 52 -+#endif -+#ifndef PR_SET_SPECULATION_CTRL -+# define PR_SET_SPECULATION_CTRL 53 -+#endif -+/* Speculation control variants */ -+#ifndef PR_SPEC_STORE_BYPASS -+# define PR_SPEC_STORE_BYPASS 0 -+#endif -+/* Return and control values for PR_SET/GET_SPECULATION_CTRL */ -+ -+#ifndef PR_SPEC_NOT_AFFECTED -+# define PR_SPEC_NOT_AFFECTED 0 -+#endif -+#ifndef PR_SPEC_PRCTL -+# define PR_SPEC_PRCTL (1UL << 0) -+#endif -+#ifndef PR_SPEC_ENABLE -+# define PR_SPEC_ENABLE (1UL << 1) -+#endif -+#ifndef PR_SPEC_DISABLE -+# define PR_SPEC_DISABLE (1UL << 2) -+#endif -+#ifndef PR_SPEC_FORCE_DISABLE -+# define PR_SPEC_FORCE_DISABLE (1UL << 3) -+#endif -+#ifndef PR_SPEC_DISABLE_NOEXEC -+# define PR_SPEC_DISABLE_NOEXEC (1UL << 4) -+#endif -+ -+static void set_speculation() __attribute__((constructor)); -+static void set_speculation() { -+ if ( prctl(PR_SET_SPECULATION_CTRL, -+ PR_SPEC_STORE_BYPASS, -+ PR_SPEC_DISABLE_NOEXEC, 0, 0) == 0 ) { -+ return; -+ } -+ prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0); -+} -+ - // this is called _before_ most of the global arguments have been parsed - void os::init(void) { - char dummy; // used to get a guess on initial stack address diff --git a/SOURCES/rh1655466-global_crypto_and_fips.patch b/SOURCES/rh1655466-global_crypto_and_fips.patch index 1c67c83..8bf1ced 100644 --- a/SOURCES/rh1655466-global_crypto_and_fips.patch +++ b/SOURCES/rh1655466-global_crypto_and_fips.patch @@ -1,6 +1,6 @@ diff --git a/src/java.base/share/classes/javopenjdk.orig///security/Security.java openjdk///src/java.base/share/classes/java/security/Security.java ---- openjdk.orig///src/java.base/share/classes/java/security/Security.java -+++ openjdk///src/java.base/share/classes/java/security/Security.java +--- openjdk.orig/src/java.base/share/classes/java/security/Security.java ++++ openjdk/src/java.base/share/classes/java/security/Security.java @@ -196,26 +196,8 @@ if (disableSystemProps == null && "true".equalsIgnoreCase(props.getProperty @@ -32,7 +32,7 @@ diff --git a/src/java.base/share/classes/javopenjdk.orig///security/Security.jav diff --git a/src/java.base/share/classes/javopenjdk.orig///security/SystemConfigurator.java openjdk///src/java.base/share/classes/java/security/SystemConfigurator.java new file mode 100644 --- /dev/null -+++ openjdk///src/java.base/share/classes/java/security/SystemConfigurator.java ++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java @@ -0,0 +1,151 @@ +/* + * Copyright (c) 2019, Red Hat, Inc. @@ -174,7 +174,7 @@ new file mode 100644 + * and the com.redhat.fips property is true. + */ + private static boolean enableFips() throws Exception { -+ boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "false")); ++ boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true")); + if (fipsEnabled) { + String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG))); + if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); } @@ -186,8 +186,8 @@ new file mode 100644 + } +} diff --git openjdk.orig///src/java.base/share/conf/security/java.security openjdk///src/java.base/share/conf/security/java.security ---- openjdk.orig///src/java.base/share/conf/security/java.security -+++ openjdk///src/java.base/share/conf/security/java.security +--- openjdk.orig/src/java.base/share/conf/security/java.security ++++ openjdk/src/java.base/share/conf/security/java.security @@ -87,6 +87,14 @@ #security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg diff --git a/SOURCES/rh1750419-redhat_alt_java.patch b/SOURCES/rh1750419-redhat_alt_java.patch new file mode 100644 index 0000000..eaac9f1 --- /dev/null +++ b/SOURCES/rh1750419-redhat_alt_java.patch @@ -0,0 +1,111 @@ +diff -r 1356affa5e44 make/launcher/Launcher-java.base.gmk +--- openjdk/make/launcher/Launcher-java.base.gmk Wed Nov 25 08:27:15 2020 +0100 ++++ openjdk/make/launcher/Launcher-java.base.gmk Tue Dec 01 12:29:30 2020 +0100 +@@ -41,6 +41,15 @@ + OPTIMIZATION := HIGH, \ + )) + ++$(eval $(call SetupBuildLauncher, alt-java, \ ++ CFLAGS := -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES -DREDHAT_ALT_JAVA, \ ++ LDFLAGS_solaris := -R$(OPENWIN_HOME)/lib$(OPENJDK_TARGET_CPU_ISADIR), \ ++ LIBS_windows := user32.lib comctl32.lib, \ ++ EXTRA_RC_FLAGS := $(JAVA_RC_FLAGS), \ ++ VERSION_INFO_RESOURCE := $(JAVA_VERSION_INFO_RESOURCE), \ ++ OPTIMIZATION := HIGH, \ ++)) ++ + ifeq ($(OPENJDK_TARGET_OS), windows) + $(eval $(call SetupBuildLauncher, javaw, \ + CFLAGS := -DJAVAW -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES, \ + +diff -r 25e94aa812b2 src/share/bin/alt_main.h +--- /dev/null Thu Jan 01 00:00:00 1970 +0000 ++++ openjdk/src/java.base/share/native/launcher/alt_main.h Tue Jun 02 17:15:28 2020 +0100 +@@ -0,0 +1,73 @@ ++/* ++ * Copyright (c) 2019, Red Hat, Inc. All rights reserved. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++#ifdef REDHAT_ALT_JAVA ++ ++#include ++ ++ ++/* Per task speculation control */ ++#ifndef PR_GET_SPECULATION_CTRL ++# define PR_GET_SPECULATION_CTRL 52 ++#endif ++#ifndef PR_SET_SPECULATION_CTRL ++# define PR_SET_SPECULATION_CTRL 53 ++#endif ++/* Speculation control variants */ ++#ifndef PR_SPEC_STORE_BYPASS ++# define PR_SPEC_STORE_BYPASS 0 ++#endif ++/* Return and control values for PR_SET/GET_SPECULATION_CTRL */ ++ ++#ifndef PR_SPEC_NOT_AFFECTED ++# define PR_SPEC_NOT_AFFECTED 0 ++#endif ++#ifndef PR_SPEC_PRCTL ++# define PR_SPEC_PRCTL (1UL << 0) ++#endif ++#ifndef PR_SPEC_ENABLE ++# define PR_SPEC_ENABLE (1UL << 1) ++#endif ++#ifndef PR_SPEC_DISABLE ++# define PR_SPEC_DISABLE (1UL << 2) ++#endif ++#ifndef PR_SPEC_FORCE_DISABLE ++# define PR_SPEC_FORCE_DISABLE (1UL << 3) ++#endif ++#ifndef PR_SPEC_DISABLE_NOEXEC ++# define PR_SPEC_DISABLE_NOEXEC (1UL << 4) ++#endif ++ ++static void set_speculation() __attribute__((constructor)); ++static void set_speculation() { ++ if ( prctl(PR_SET_SPECULATION_CTRL, ++ PR_SPEC_STORE_BYPASS, ++ PR_SPEC_DISABLE_NOEXEC, 0, 0) == 0 ) { ++ return; ++ } ++ prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0); ++} ++ ++#endif // REDHAT_ALT_JAVA +diff -r 25e94aa812b2 src/share/bin/main.c +--- openjdk/src/java.base/share/native/launcher/main.c Wed Feb 05 12:20:36 2020 -0300 ++++ openjdk/src/java.base/share/native/launcher/main.c Tue Jun 02 17:15:28 2020 +0100 +@@ -34,6 +34,10 @@ + #include "jli_util.h" + #include "jni.h" + ++#if defined(linux) && defined(__x86_64) ++#include "alt_main.h" ++#endif ++ + #ifdef _MSC_VER + #if _MSC_VER > 1400 && _MSC_VER < 1600 + diff --git a/SOURCES/rh1818909-fips_default_keystore_type.patch b/SOURCES/rh1818909-fips_default_keystore_type.patch new file mode 100644 index 0000000..ff34f3e --- /dev/null +++ b/SOURCES/rh1818909-fips_default_keystore_type.patch @@ -0,0 +1,52 @@ +diff -r 6efbd7b35a10 src/share/classes/java/security/SystemConfigurator.java +--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java Thu Jan 23 18:22:31 2020 -0300 ++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java Mon Mar 02 19:20:17 2020 -0300 +@@ -123,6 +123,33 @@ + } + props.put(fipsProviderKey, fipsProviderValue); + } ++ // Add other security properties ++ String keystoreTypeValue = (String) props.get("fips.keystore.type"); ++ if (keystoreTypeValue != null) { ++ String nonFipsKeystoreType = props.getProperty("keystore.type"); ++ props.put("keystore.type", keystoreTypeValue); ++ if (keystoreTypeValue.equals("PKCS11")) { ++ // If keystore.type is PKCS11, javax.net.ssl.keyStore ++ // must be "NONE". See JDK-8238264. ++ System.setProperty("javax.net.ssl.keyStore", "NONE"); ++ } ++ if (System.getProperty("javax.net.ssl.trustStoreType") == null) { ++ // If no trustStoreType has been set, use the ++ // previous keystore.type under FIPS mode. In ++ // a default configuration, the Trust Store will ++ // be 'cacerts' (JKS type). ++ System.setProperty("javax.net.ssl.trustStoreType", ++ nonFipsKeystoreType); ++ } ++ if (sdebug != null) { ++ sdebug.println("FIPS mode default keystore.type = " + ++ keystoreTypeValue); ++ sdebug.println("FIPS mode javax.net.ssl.keyStore = " + ++ System.getProperty("javax.net.ssl.keyStore", "")); ++ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " + ++ System.getProperty("javax.net.ssl.trustStoreType", "")); ++ } ++ } + loadedProps = true; + } + } catch (Exception e) { +diff -r 6efbd7b35a10 src/share/lib/security/java.security-linux +--- openjdk.orig/src/java.base/share/conf/security/java.security Thu Jan 23 18:22:31 2020 -0300 ++++ openjdk/src/java.base/share/conf/security/java.security Mon Mar 02 19:20:17 2020 -0300 +@@ -299,6 +299,11 @@ + keystore.type=pkcs12 + + # ++# Default keystore type used when global crypto-policies are set to FIPS. ++# ++fips.keystore.type=PKCS11 ++ ++# + # Controls compatibility mode for JKS and PKCS12 keystore types. + # + # When set to 'true', both JKS and PKCS12 keystore types support loading diff --git a/SOURCES/rh1842572-rsa_default_for_keytool.patch b/SOURCES/rh1842572-rsa_default_for_keytool.patch new file mode 100644 index 0000000..db74cdc --- /dev/null +++ b/SOURCES/rh1842572-rsa_default_for_keytool.patch @@ -0,0 +1,12 @@ +diff --git openjdk.orig/src/java.base/share/classes/sun/security/tools/keytool/Main.java openjdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java +--- openjdk.orig/src/java.base/share/classes/sun/security/tools/keytool/Main.java ++++ openjdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java +@@ -1122,7 +1122,7 @@ + } + } else if (command == GENKEYPAIR) { + if (keyAlgName == null) { +- keyAlgName = "DSA"; ++ keyAlgName = "RSA"; + } + doGenKeyPair(alias, dname, keyAlgName, keysize, sigAlgName); + kssave = true; diff --git a/SOURCES/rh1860986-disable_tlsv1.3_in_fips_mode.patch b/SOURCES/rh1860986-disable_tlsv1.3_in_fips_mode.patch new file mode 100644 index 0000000..0a76cad --- /dev/null +++ b/SOURCES/rh1860986-disable_tlsv1.3_in_fips_mode.patch @@ -0,0 +1,311 @@ +diff -r bbc65dfa59d1 src/java.base/share/classes/java/security/SystemConfigurator.java +--- openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java Thu Jan 23 18:22:31 2020 -0300 ++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java Sat Aug 01 23:16:51 2020 -0300 +@@ -1,11 +1,13 @@ + /* +- * Copyright (c) 2019, Red Hat, Inc. ++ * Copyright (c) 2019, 2020, Red Hat, Inc. + * + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License version 2 only, as +- * published by the Free Software Foundation. ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. + * + * This code is distributed in the hope that it will be useful, but WITHOUT + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or +@@ -34,10 +36,10 @@ + import java.util.Iterator; + import java.util.Map.Entry; + import java.util.Properties; +-import java.util.function.Consumer; +-import java.util.regex.Matcher; + import java.util.regex.Pattern; + ++import jdk.internal.misc.SharedSecrets; ++import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess; + import sun.security.util.Debug; + + /** +@@ -47,7 +49,7 @@ + * + */ + +-class SystemConfigurator { ++final class SystemConfigurator { + + private static final Debug sdebug = + Debug.getInstance("properties"); +@@ -61,15 +63,16 @@ + private static final String CRYPTO_POLICIES_CONFIG = + CRYPTO_POLICIES_BASE_DIR + "/config"; + +- private static final class SecurityProviderInfo { +- int number; +- String key; +- String value; +- SecurityProviderInfo(int number, String key, String value) { +- this.number = number; +- this.key = key; +- this.value = value; +- } ++ private static boolean systemFipsEnabled = false; ++ ++ static { ++ SharedSecrets.setJavaSecuritySystemConfiguratorAccess( ++ new JavaSecuritySystemConfiguratorAccess() { ++ @Override ++ public boolean isSystemFipsEnabled() { ++ return SystemConfigurator.isSystemFipsEnabled(); ++ } ++ }); + } + + /* +@@ -128,9 +131,9 @@ + String nonFipsKeystoreType = props.getProperty("keystore.type"); + props.put("keystore.type", keystoreTypeValue); + if (keystoreTypeValue.equals("PKCS11")) { +- // If keystore.type is PKCS11, javax.net.ssl.keyStore +- // must be "NONE". See JDK-8238264. +- System.setProperty("javax.net.ssl.keyStore", "NONE"); ++ // If keystore.type is PKCS11, javax.net.ssl.keyStore ++ // must be "NONE". See JDK-8238264. ++ System.setProperty("javax.net.ssl.keyStore", "NONE"); + } + if (System.getProperty("javax.net.ssl.trustStoreType") == null) { + // If no trustStoreType has been set, use the +@@ -144,12 +147,13 @@ + sdebug.println("FIPS mode default keystore.type = " + + keystoreTypeValue); + sdebug.println("FIPS mode javax.net.ssl.keyStore = " + +- System.getProperty("javax.net.ssl.keyStore", "")); ++ System.getProperty("javax.net.ssl.keyStore", "")); + sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " + + System.getProperty("javax.net.ssl.trustStoreType", "")); + } + } + loadedProps = true; ++ systemFipsEnabled = true; + } + } catch (Exception e) { + if (sdebug != null) { +@@ -160,13 +164,30 @@ + return loadedProps; + } + ++ /** ++ * Returns whether or not global system FIPS alignment is enabled. ++ * ++ * Value is always 'false' before java.security.Security class is ++ * initialized. ++ * ++ * Call from out of this package through SharedSecrets: ++ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ * .isSystemFipsEnabled(); ++ * ++ * @return a boolean value indicating whether or not global ++ * system FIPS alignment is enabled. ++ */ ++ static boolean isSystemFipsEnabled() { ++ return systemFipsEnabled; ++ } ++ + /* + * FIPS is enabled only if crypto-policies are set to "FIPS" + * and the com.redhat.fips property is true. + */ + private static boolean enableFips() throws Exception { +- boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true")); +- if (fipsEnabled) { ++ boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true")); ++ if (shouldEnable) { + String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG))); + if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); } + Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE); +diff -r bbc65dfa59d1 src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java +--- /dev/null Thu Jan 01 00:00:00 1970 +0000 ++++ openjdk/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java Sat Aug 01 23:16:51 2020 -0300 +@@ -0,0 +1,30 @@ ++/* ++ * Copyright (c) 2020, Red Hat, Inc. ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. Oracle designates this ++ * particular file as subject to the "Classpath" exception as provided ++ * by Oracle in the LICENSE file that accompanied this code. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package jdk.internal.misc; ++ ++public interface JavaSecuritySystemConfiguratorAccess { ++ boolean isSystemFipsEnabled(); ++} +diff -r bbc65dfa59d1 src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java +--- openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java Thu Jan 23 18:22:31 2020 -0300 ++++ openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java Sat Aug 01 23:16:51 2020 -0300 +@@ -76,6 +76,7 @@ + private static JavaIORandomAccessFileAccess javaIORandomAccessFileAccess; + private static JavaSecuritySignatureAccess javaSecuritySignatureAccess; + private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess; ++ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess; + + public static JavaUtilJarAccess javaUtilJarAccess() { + if (javaUtilJarAccess == null) { +@@ -361,4 +362,12 @@ + } + return javaxCryptoSealedObjectAccess; + } ++ ++ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) { ++ javaSecuritySystemConfiguratorAccess = jssca; ++ } ++ ++ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() { ++ return javaSecuritySystemConfiguratorAccess; ++ } + } +diff -r bbc65dfa59d1 src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java +--- openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java Thu Jan 23 18:22:31 2020 -0300 ++++ openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java Sat Aug 01 23:16:51 2020 -0300 +@@ -31,6 +31,7 @@ + import java.security.cert.*; + import java.util.*; + import javax.net.ssl.*; ++import jdk.internal.misc.SharedSecrets; + import sun.security.action.GetPropertyAction; + import sun.security.provider.certpath.AlgorithmChecker; + import sun.security.validator.Validator; +@@ -542,20 +543,38 @@ + + static { + if (SunJSSE.isFIPS()) { +- supportedProtocols = Arrays.asList( +- ProtocolVersion.TLS13, +- ProtocolVersion.TLS12, +- ProtocolVersion.TLS11, +- ProtocolVersion.TLS10 +- ); ++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. ++ supportedProtocols = Arrays.asList( ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ ); + +- serverDefaultProtocols = getAvailableProtocols( +- new ProtocolVersion[] { +- ProtocolVersion.TLS13, +- ProtocolVersion.TLS12, +- ProtocolVersion.TLS11, +- ProtocolVersion.TLS10 +- }); ++ serverDefaultProtocols = getAvailableProtocols( ++ new ProtocolVersion[] { ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }); ++ } else { ++ supportedProtocols = Arrays.asList( ++ ProtocolVersion.TLS13, ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ ); ++ ++ serverDefaultProtocols = getAvailableProtocols( ++ new ProtocolVersion[] { ++ ProtocolVersion.TLS13, ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }); ++ } + } else { + supportedProtocols = Arrays.asList( + ProtocolVersion.TLS13, +@@ -620,6 +639,16 @@ + + static ProtocolVersion[] getSupportedProtocols() { + if (SunJSSE.isFIPS()) { ++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. ++ return new ProtocolVersion[] { ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }; ++ } + return new ProtocolVersion[] { + ProtocolVersion.TLS13, + ProtocolVersion.TLS12, +@@ -949,6 +978,16 @@ + + static ProtocolVersion[] getProtocols() { + if (SunJSSE.isFIPS()) { ++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. ++ return new ProtocolVersion[] { ++ ProtocolVersion.TLS12, ++ ProtocolVersion.TLS11, ++ ProtocolVersion.TLS10 ++ }; ++ } + return new ProtocolVersion[]{ + ProtocolVersion.TLS13, + ProtocolVersion.TLS12, +diff -r bbc65dfa59d1 src/java.base/share/classes/sun/security/ssl/SunJSSE.java +--- openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java Thu Jan 23 18:22:31 2020 -0300 ++++ openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java Sat Aug 01 23:16:51 2020 -0300 +@@ -27,6 +27,8 @@ + + import java.security.*; + import java.util.*; ++ ++import jdk.internal.misc.SharedSecrets; + import sun.security.rsa.SunRsaSignEntries; + import static sun.security.util.SecurityConstants.PROVIDER_VER; + import static sun.security.provider.SunEntries.createAliases; +@@ -195,8 +197,13 @@ + "sun.security.ssl.SSLContextImpl$TLS11Context", null, null); + ps("SSLContext", "TLSv1.2", + "sun.security.ssl.SSLContextImpl$TLS12Context", null, null); +- ps("SSLContext", "TLSv1.3", +- "sun.security.ssl.SSLContextImpl$TLS13Context", null, null); ++ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess() ++ .isSystemFipsEnabled()) { ++ // RH1860986: TLSv1.3 key derivation not supported with ++ // the Security Providers available in system FIPS mode. ++ ps("SSLContext", "TLSv1.3", ++ "sun.security.ssl.SSLContextImpl$TLS13Context", null, null); ++ } + ps("SSLContext", "TLS", + "sun.security.ssl.SSLContextImpl$TLSContext", + (isfips? null : createAliases("SSL")), null); diff --git a/SOURCES/rh1868740-cryptoki_access_to_sunjce.patch b/SOURCES/rh1868740-cryptoki_access_to_sunjce.patch new file mode 100644 index 0000000..d673434 --- /dev/null +++ b/SOURCES/rh1868740-cryptoki_access_to_sunjce.patch @@ -0,0 +1,12 @@ +diff -r eba0f976c468 -r 1fceafb49be5 src/java.base/share/classes/module-info.java +--- openjdk/src/java.base/share/classes/module-info.java Thu Jul 30 15:05:22 2020 +0200 ++++ openjdk/src/java.base/share/classes/module-info.java Thu Aug 13 15:17:59 2020 +0200 +@@ -132,6 +132,8 @@ + // additional qualified exports may be inserted at build time + // see make/gensrc/GenModuleInfo.gmk + ++ exports com.sun.crypto.provider to ++ jdk.crypto.cryptoki; + exports com.sun.security.ntlm to + java.security.sasl; + exports jdk.internal to diff --git a/SOURCES/rh1868754-pkcs11_cancel_on_failure.patch b/SOURCES/rh1868754-pkcs11_cancel_on_failure.patch new file mode 100644 index 0000000..1c47913 --- /dev/null +++ b/SOURCES/rh1868754-pkcs11_cancel_on_failure.patch @@ -0,0 +1,21 @@ +diff -r e10f558e1df5 openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java +--- openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java Mon Aug 31 16:12:32 2020 +0100 ++++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Cipher.java Mon Aug 31 15:17:50 2020 -0300 +@@ -628,7 +628,7 @@ + throw (ShortBufferException) + (new ShortBufferException().initCause(e)); + } +- reset(false); ++ reset(true); + throw new ProviderException("update() failed", e); + } + } +@@ -746,7 +746,7 @@ + throw (ShortBufferException) + (new ShortBufferException().initCause(e)); + } +- reset(false); ++ reset(true); + throw new ProviderException("update() failed", e); + } + } diff --git a/SOURCES/rh1883849-cryptoki_access_to_sunjce_with_security_manager.patch b/SOURCES/rh1883849-cryptoki_access_to_sunjce_with_security_manager.patch new file mode 100644 index 0000000..57bb977 --- /dev/null +++ b/SOURCES/rh1883849-cryptoki_access_to_sunjce_with_security_manager.patch @@ -0,0 +1,60 @@ +# HG changeset patch +# User Zdenek Zambersky +# Date 1601403587 -7200 +# Tue Sep 29 20:19:47 2020 +0200 +# Node ID f77ac813eee61b2e9616b2d71a2c5372d0cbd158 +# Parent d484fdfcc7d5c21812de8a0712236d077b0f2dde +Fixed default policy for jdk.crypto.cryptoki + +diff -r d484fdfcc7d5 -r f77ac813eee6 src/java.base/share/lib/security/default.policy +--- openjdk.orig/src/java.base/share/lib/security/default.policy Wed Sep 02 07:36:15 2020 +0200 ++++ openjdk/src/java.base/share/lib/security/default.policy Tue Sep 29 20:19:47 2020 +0200 +@@ -124,6 +124,8 @@ + grant codeBase "jrt:/jdk.crypto.cryptoki" { + permission java.lang.RuntimePermission + "accessClassInPackage.sun.security.*"; ++ permission java.lang.RuntimePermission ++ "accessClassInPackage.com.sun.crypto.provider"; + permission java.lang.RuntimePermission "accessClassInPackage.sun.nio.ch"; + permission java.lang.RuntimePermission "loadLibrary.j2pkcs11"; + permission java.util.PropertyPermission "sun.security.pkcs11.allowSingleThreadedModules", "read"; +# HG changeset patch +# User Zdenek Zambersky +# Date 1601419086 -7200 +# Wed Sep 30 00:38:06 2020 +0200 +# Node ID 02c8b154f728be3dd06239a98519d654e2127186 +# Parent f77ac813eee61b2e9616b2d71a2c5372d0cbd158 +P11Util: Create provider in priviledged block + +diff -r f77ac813eee6 -r 02c8b154f728 src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java +--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java Tue Sep 29 20:19:47 2020 +0200 ++++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Util.java Wed Sep 30 00:38:06 2020 +0200 +@@ -87,14 +87,20 @@ + } + p = Security.getProvider(providerName); + if (p == null) { +- try { +- @SuppressWarnings("deprecation") +- Object o = Class.forName(className).newInstance(); +- p = (Provider)o; +- } catch (Exception e) { +- throw new ProviderException +- ("Could not find provider " + providerName, e); +- } ++ p = AccessController.doPrivileged( ++ new PrivilegedAction() { ++ public Provider run() { ++ try { ++ @SuppressWarnings("deprecation") ++ Object o = Class.forName(className).newInstance(); ++ return (Provider) o; ++ } catch (Exception e) { ++ throw new ProviderException ++ ("Could not find provider " + providerName, e); ++ } ++ } ++ } ++ ); + } + return p; + } diff --git a/SPECS/java-11-openjdk.spec b/SPECS/java-11-openjdk.spec index b52e7de..417aa4c 100644 --- a/SPECS/java-11-openjdk.spec +++ b/SPECS/java-11-openjdk.spec @@ -4,23 +4,25 @@ # # Examples: # -# Produce release *and* slowdebug builds on x86_64 (default): -# $ rpmbuild -ba java-1.8.0-openjdk.spec +# Produce release, fastdebug *and* slowdebug builds on x86_64 (default): +# $ rpmbuild -ba java-11-openjdk.spec # -# Produce only release builds (no slowdebug builds) on x86_64: -# $ rpmbuild -ba java-1.8.0-openjdk.spec --without slowdebug +# Produce only release builds (no debug builds) on x86_64: +# $ rpmbuild -ba java-11-openjdk.spec --without slowdebug --without fastdebug # # Only produce a release build on x86_64: -# $ fedpkg mockbuild --without slowdebug -# -# Only produce a debug build on x86_64: -# $ fedpkg local --without release +# $ rhpkg mockbuild --without slowdebug --without fastdebug # +# Enable fastdebug builds by default on relevant arches. +%bcond_without fastdebug # Enable slowdebug builds by default on relevant arches. %bcond_without slowdebug # Enable release builds by default on relevant arches. %bcond_without release +# Workaround for stripping of debug symbols from static libraries +%define __brp_strip_static_archive %{nil} + # The -g flag says to use strip -g instead of full strip on DSOs or EXEs. # This fixes detailed NMT and other tools which need minimal debug info. # See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879 @@ -32,13 +34,16 @@ # See https://github.com/rpm-software-management/rpm/issues/127 to comments at "pmatilai commented on Aug 18, 2017" # (initiated in https://bugzilla.redhat.com/show_bug.cgi?id=1482192) %global debug_suffix_unquoted -slowdebug +%global fastdebug_suffix_unquoted -fastdebug # quoted one for shell operations %global debug_suffix "%{debug_suffix_unquoted}" +%global fastdebug_suffix "%{fastdebug_suffix_unquoted}" %global normal_suffix "" -# if you want only debug build but providing java build only normal build but set normalbuild_parameter -%global debug_warning This package has full debug on. Install only in need and remove asap. +%global debug_warning This package is unoptimised with full debugging. Install only as needed and remove ASAP. %global debug_on with full debug on +%global fastdebug_warning This package is optimised with full debugging. Install only as needed and remove ASAP. +%global for_fastdebug_on with minimal debug on %global for_debug for packages with debug on %if %{with release} @@ -48,9 +53,9 @@ %endif %if %{include_normal_build} -%global build_loop1 %{normal_suffix} +%global normal_build %{normal_suffix} %else -%global build_loop1 %{nil} +%global normal_build %{nil} %endif # We have hardcoded list of files, which is appearing in alternatives, and in files @@ -59,8 +64,8 @@ # the ghosts are here to allow installation via query like `dnf install /usr/bin/java` # you can list those files, with appropriate sections: cat *.spec | grep -e --install -e --slave -e post_ # TODO - fix those hardcoded lists via single list -# those files ,must *NOT* be ghosted for *slowdebug* packages -# FIXME - if you are moving jshell or jlink or simialr, always modify all three sections +# Those files must *NOT* be ghosted for *slowdebug* packages +# FIXME - if you are moving jshell or jlink or similar, always modify all three sections # you can check via headless and devels: # rpm -ql --noghost java-11-openjdk-headless-11.0.1.13-8.fc29.x86_64.rpm | grep bin # == rpm -ql java-11-openjdk-headless-slowdebug-11.0.1.13-8.fc29.x86_64.rpm | grep bin @@ -76,14 +81,34 @@ # we need to distinguish between big and little endian PPC64 %global ppc64le ppc64le %global ppc64be ppc64 ppc64p7 +# Set of architectures which support multiple ABIs %global multilib_arches %{power64} sparc64 x86_64 -%global jit_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} %{arm} s390x +# Set of architectures for which we build slowdebug builds +%global debug_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} s390x +# Set of architectures for which we build fastdebug builds +%global fastdebug_arches x86_64 +# Set of architectures with a Just-In-Time (JIT) compiler +%global jit_arches %{debug_arches} %{arm} +# Set of architectures which run a full bootstrap cycle +%global bootstrap_arches %{jit_arches} +# Set of architectures which support SystemTap tapsets +%global systemtap_arches %{jit_arches} +# Set of architectures with a Ahead-Of-Time (AOT) compiler %global aot_arches x86_64 %{aarch64} +# Set of architectures which support the serviceability agent +%global sa_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} %{arm} +# Set of architectures which support class data sharing +# As of JDK-8005165 in OpenJDK 10, class sharing is not arch-specific +# However, it does segfault on the Zero assembler port, so currently JIT only +%global share_arches %{jit_arches} +# Set of architectures for which we build the Shenandoah garbage collector +%global shenandoah_arches x86_64 %{aarch64} +# Set of architectures for which we build the Z garbage collector +%global zgc_arches x86_64 # By default, we build a debug build during main build on JIT architectures %if %{with slowdebug} -%ifarch %{jit_arches} -%ifnarch %{arm} +%ifarch %{debug_arches} %global include_debug_build 1 %else %global include_debug_build 0 @@ -91,30 +116,53 @@ %else %global include_debug_build 0 %endif -%else -%global include_debug_build 0 -%endif -# On x86_64 and AArch64, we use the Shenandoah HotSpot -%ifarch x86_64 %{aarch64} +# On certain architectures, we compile the Shenandoah GC +%ifarch %{shenandoah_arches} %global use_shenandoah_hotspot 1 +%global shenandoah_feature shenandoahgc %else %global use_shenandoah_hotspot 0 +%global shenandoah_feature -shenandoahgc +%endif + +# On certain architectures, we compile the ZGC +%ifarch %{zgc_arches} +%global use_zgc_hotspot 1 +%global zgc_feature zgc +%else +%global use_zgc_hotspot 0 +%global zgc_feature -zgc +%endif + +# By default, we build a fastdebug build during main build only on fastdebug architectures +%if %{with fastdebug} +%ifarch %{fastdebug_arches} +%global include_fastdebug_build 1 +%else +%global include_fastdebug_build 0 +%endif %endif %if %{include_debug_build} -%global build_loop2 %{debug_suffix} +%global slowdebug_build %{debug_suffix} %else -%global build_loop2 %{nil} +%global slowdebug_build %{nil} %endif -# if you disable both builds, then the build fails -%global build_loop %{build_loop1} %{build_loop2} -# note: that order: normal_suffix debug_suffix, in case of both enabled -# is expected in one single case at the end of the build -%global rev_build_loop %{build_loop2} %{build_loop1} +%if %{include_fastdebug_build} +%global fastdebug_build %{fastdebug_suffix} +%else +%global fastdebug_build %{nil} +%endif -%ifarch %{jit_arches} +# If you disable both builds, then the build fails +# Note that the debug build requires the normal build for docs +%global build_loop %{normal_build} %{fastdebug_build} %{slowdebug_build} +# Test slowdebug first as it provides the best diagnostics +%global rev_build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build} + +%ifarch %{bootstrap_arches} %global bootstrap_build 1 %else %global bootstrap_build 1 @@ -204,7 +252,7 @@ %global stapinstall %{nil} %endif -%ifarch %{jit_arches} +%ifarch %{systemtap_arches} %global with_systemtap 1 %else %global with_systemtap 0 @@ -212,14 +260,15 @@ # New Version-String scheme-style defines %global majorver 11 -%global securityver 8 +# If you bump majorver, you must also bump vendor_version_string +# Used via new version scheme. JDK 11 was +# GA'ed in September 2018 => 18.9 +%global vendor_version_string 18.9 +%global securityver 9 # buildjdkver is usually same as %%{majorver}, # but in time of bootstrap of next jdk, it is majorver-1, # and this it is better to change it here, on single place %global buildjdkver %{majorver} -# Used via new version scheme. JDK 11 was -# GA'ed in September 2018 => 18.9 -%global vendor_version_string 18.9 # Add LTS designator for RHEL builds %if 0%{?rhel} %global lts_designator "LTS" @@ -229,6 +278,26 @@ %global lts_designator_zip "" %endif +# Define vendor information used by OpenJDK +%global oj_vendor Red Hat, Inc. +%global oj_vendor_url "https://www.redhat.com/" +# Define what url should JVM offer in case of a crash report +# order may be important, epel may have rhel declared +%if 0%{?epel} +%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora%20EPEL&component=%{name}&version=epel%{epel} +%else +%if 0%{?fedora} +# Does not work for rawhide, keeps the version field empty +%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=%{name}&version=%{fedora} +%else +%if 0%{?rhel} +%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%20%{rhel}&component=%{name} +%else +%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi +%endif +%endif +%endif + # Define IcedTea version used for SystemTap tapsets and desktop file %global icedteaver 3.15.0 @@ -237,8 +306,8 @@ %global origin_nice OpenJDK %global top_level_dir_name %{origin} %global minorver 0 -%global buildver 3 -%global rpmrelease 1 +%global buildver 11 +%global rpmrelease 7 #%%global tagsuffix %%{nil} # priority must be 8 digits in total; untill openjdk 1.8 we were using 18..... so when moving to 11 we had to add another digit %if %is_system_jdk @@ -255,7 +324,7 @@ # Release will be (where N is usually a number starting at 1): # - 0.N%%{?extraver}%%{?dist} for EA releases, # - N%%{?extraver}{?dist} for GA releases -%global is_ga 0 +%global is_ga 1 %if %{is_ga} %global ea_designator "" %global ea_designator_zip "" @@ -309,6 +378,8 @@ %define sdkbindir() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin} %define jrebindir() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin} +%global alt_java_name alt-java + %global rpm_state_dir %{_localstatedir}/lib/rpm-state/ %if %{with_systemtap} @@ -337,13 +408,9 @@ exit 0 %define post_headless() %{expand: -%ifarch %{jit_arches} -# MetaspaceShared::generate_vtable_methods not implemented for PPC JIT -%ifnarch %{ppc64le} -# see https://bugzilla.redhat.com/show_bug.cgi?id=513605 +%ifarch %{share_arches} %{jrebindir -- %{?1}}/java -Xshare:dump >/dev/null 2>/dev/null %endif -%endif PRIORITY=%{priority} if [ "%{?1}" == %{debug_suffix} ]; then @@ -354,6 +421,7 @@ ext=.gz alternatives \\ --install %{_bindir}/java java %{jrebindir -- %{?1}}/java $PRIORITY --family %{name}.%{_arch} \\ --slave %{_jvmdir}/jre jre %{_jvmdir}/%{sdkdir -- %{?1}} \\ + --slave %{_bindir}/%{alt_java_name} %{alt_java_name} %{jrebindir -- %{?1}}/%{alt_java_name} \\ --slave %{_bindir}/jjs jjs %{jrebindir -- %{?1}}/jjs \\ --slave %{_bindir}/keytool keytool %{jrebindir -- %{?1}}/keytool \\ --slave %{_bindir}/pack200 pack200 %{jrebindir -- %{?1}}/pack200 \\ @@ -362,6 +430,8 @@ alternatives \\ --slave %{_bindir}/unpack200 unpack200 %{jrebindir -- %{?1}}/unpack200 \\ --slave %{_mandir}/man1/java.1$ext java.1$ext \\ %{_mandir}/man1/java-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/%{alt_java_name}.1$ext %{alt_java_name}.1$ext \\ + %{_mandir}/man1/%{alt_java_name}-%{uniquesuffix -- %{?1}}.1$ext \\ --slave %{_mandir}/man1/jjs.1$ext jjs.1$ext \\ %{_mandir}/man1/jjs-%{uniquesuffix -- %{?1}}.1$ext \\ --slave %{_mandir}/man1/keytool.1$ext keytool.1$ext \\ @@ -433,10 +503,8 @@ alternatives \\ %endif --slave %{_bindir}/jlink jlink %{sdkbindir -- %{?1}}/jlink \\ --slave %{_bindir}/jmod jmod %{sdkbindir -- %{?1}}/jmod \\ -%ifarch %{jit_arches} -%ifnarch s390x +%ifarch %{sa_arches} --slave %{_bindir}/jhsdb jhsdb %{sdkbindir -- %{?1}}/jhsdb \\ -%endif %endif --slave %{_bindir}/jar jar %{sdkbindir -- %{?1}}/jar \\ --slave %{_bindir}/jarsigner jarsigner %{sdkbindir -- %{?1}}/jarsigner \\ @@ -582,6 +650,7 @@ exit 0 %{_jvmdir}/%{jrelnk -- %{?1}} %dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin %{_jvmdir}/%{sdkdir -- %{?1}}/bin/java +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/%{alt_java_name} %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jjs %{_jvmdir}/%{sdkdir -- %{?1}}/bin/keytool %{_jvmdir}/%{sdkdir -- %{?1}}/bin/pack200 @@ -628,12 +697,10 @@ exit 0 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libnio.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libprefs.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/librmi.so -# Zero and S390x don't have SA -%ifarch %{jit_arches} -%ifnarch s390x +# Some architectures don't have the serviceability agent +%ifarch %{sa_arches} %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsaproc.so %endif -%endif %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsctp.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsunec.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libunpack.so @@ -643,6 +710,7 @@ exit 0 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr/default.jfc %{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr/profile.jfc %{_mandir}/man1/java-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/%{alt_java_name}-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/jjs-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/keytool-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/pack200-%{uniquesuffix -- %{?1}}.1* @@ -650,11 +718,9 @@ exit 0 %{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/unpack200-%{uniquesuffix -- %{?1}}.1* %{_jvmdir}/%{sdkdir -- %{?1}}/lib/server/ -%ifarch %{jit_arches} -%ifnarch %{power64} +%ifarch %{share_arches} %attr(444, root, root) %ghost %{_jvmdir}/%{sdkdir -- %{?1}}/lib/server/classes.jsa %endif -%endif %dir %{etcjavasubdir} %dir %{etcjavadir -- %{?1}} %dir %{etcjavadir -- %{?1}}/lib @@ -691,6 +757,7 @@ exit 0 %if %is_system_jdk %if %{is_release_build -- %{?1}} %ghost %{_bindir}/java +%ghost %{_bindir}/%{alt_java_name} %ghost %{_jvmdir}/jre # https://bugzilla.redhat.com/show_bug.cgi?id=1312019 %ghost %{_bindir}/jjs @@ -704,6 +771,10 @@ exit 0 %ghost %{_jvmdir}/jre-%{javaver}-%{origin} %endif %endif +# https://bugzilla.redhat.com/show_bug.cgi?id=1820172 +# https://docs.fedoraproject.org/en-US/packaging-guidelines/Directory_Replacement/ +%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/conf.rpmmoved +%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/lib/security.rpmmoved } %define files_devel() %{expand: @@ -720,12 +791,10 @@ exit 0 %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdeprscan %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jfr %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jimage -# Zero and S390x don't have SA -%ifarch %{jit_arches} -%ifnarch s390x +# Some architectures don't have the serviceability agent +%ifarch %{sa_arches} %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jhsdb %endif -%endif %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jinfo %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jlink %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jmap @@ -775,6 +844,7 @@ exit 0 %if %{is_release_build -- %{?1}} %ghost %{_bindir}/javac %ghost %{_jvmdir}/java +%ghost %{_jvmdir}/%{alt_java_name} %ghost %{_bindir}/jaotc %ghost %{_bindir}/jlink %ghost %{_bindir}/jmod @@ -822,27 +892,15 @@ exit 0 } %define files_static_libs() %{expand: -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pkcs11.a -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pcsc.a -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libnio.a -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libprefs.a -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjava.a -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjli.a -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libnet.a -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjimage.a -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjaas.a -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfdlibm.a -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2gss.a -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsunec.a -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjsig.a -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libextnet.a -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libverify.a -%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libzip.a +%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static +%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall} +%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc/lib*.a } %define files_javadoc() %{expand: %doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}} -%license %{buildoutputdir -- %{?1}}/images/%{jdkimage}/legal +%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal %if %is_system_jdk %if %{is_release_build -- %{?1}} %ghost %{_javadocdir}/java @@ -852,7 +910,7 @@ exit 0 %define files_javadoc_zip() %{expand: %doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip -%license %{buildoutputdir -- %{?1}}/images/%{jdkimage}/legal +%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal %if %is_system_jdk %if %{is_release_build -- %{?1}} %ghost %{_javadocdir}/java-zip @@ -895,7 +953,10 @@ Requires: ca-certificates # Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros Requires: javapackages-filesystem # Require zone-info data provided by tzdata-java sub-package -Requires: tzdata-java >= 2015d +# 2020b required as of JDK-8254177 in October CPU +# Temporarily held at 2020a until 2020b has shipped +Requires: tzdata-java >= 2020a +# for support of kernel stream control # libsctp.so.1 is being `dlopen`ed on demand Requires: lksctp-tools%{?_isa} # tool to copy jdk's configs - should be Recommends only, but then only dnf/yum enforce it, @@ -1056,7 +1117,7 @@ URL: http://openjdk.java.net/ # to regenerate source0 (jdk) run update_package.sh # update_package.sh contains hard-coded repos, revisions, tags, and projects to regenerate the source archives -Source0: shenandoah-jdk%{majorver}-shenandoah-jdk-%{newjavaver}+%{buildver}%{?tagsuffix:-%{tagsuffix}}-4curve.tar.xz +Source0: jdk-updates-jdk%{majorver}u-jdk-%{newjavaver}+%{buildver}%{?tagsuffix:-%{tagsuffix}}-4curve.tar.xz # Use 'icedtea_sync.sh' to update the following # They are based on code contained in the IcedTea project (3.x). @@ -1084,6 +1145,9 @@ Source14: TestECDSA.java # nss fips configuration file Source15: nss.fips.cfg.in +# Ensure vendor settings are correct +Source16: CheckVendor.java + ############################################ # # RPM/distribution specific patches @@ -1096,8 +1160,20 @@ Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch Patch2: rh1648644-java_access_bridge_privileged_security.patch # NSS via SunPKCS11 Provider (disabled due to memory leak). Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch +# enable build of speculative store bypass hardened alt-java +Patch600: rh1750419-redhat_alt_java.patch # RH1655466: Support RHEL FIPS mode using SunPKCS11 provider Patch1001: rh1655466-global_crypto_and_fips.patch +# RH1818909: No ciphersuites availale for SSLSocket in FIPS mode +Patch1002: rh1818909-fips_default_keystore_type.patch +# RH1582504: Use RSA as default for keytool, as DSA is disabled in all crypto policies except LEGACY +Patch1003: rh1842572-rsa_default_for_keytool.patch +# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available +Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch +# RH1868740: FIPS: IllegalAccessException by pkcs11 provider +Patch1005: rh1868740-cryptoki_access_to_sunjce.patch +# RH1883849: FIPS: IllegalAccessException by pkcs11 provider with security manager on +Patch1006: rh1883849-cryptoki_access_to_sunjce_with_security_manager.patch ############################################# # @@ -1119,18 +1195,28 @@ Patch1001: rh1655466-global_crypto_and_fips.patch Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch # PR3694, RH1340845: Add security.useSystemPropertiesFile option to java.security to use system crypto policy Patch4: pr3694-rh1340845-support_fedora_rhel_system_crypto_policy.patch -# RH1566890: CVE-2018-3639 -Patch6: rh1566890-CVE_2018_3639-speculative_store_bypass.patch # PR3695: Allow use of system crypto policy to be disabled by the user Patch7: pr3695-toggle_system_crypto_policy.patch -# S390 ambiguous log2_intptr call -Patch8: s390-8214206_fix.patch +# RH1868754: FIPS: Ciphers remain in broken state (unusable), after being supplied with wrongly sized buffer +Patch11: rh1868754-pkcs11_cancel_on_failure.patch ############################################# # -# JDK 9+ only patches +# Patches appearing in 11.0.10 # +# This section includes patches which are present +# in the listed OpenJDK 11u release and should be +# able to be removed once that release is out +# and used by this RPM. ############################################# +# JDK-8222286: S390 ambiguous log2_intptr call +Patch8: s390-8214206_fix.patch +# JDK-8254177: (tz) Upgrade time-zone data to tzdata2020b +Patch9: jdk8254177-tzdata2020b.patch +# JDK-8236512: PKCS11 Connection closed after Cipher.doFinal and NoPadding +Patch10: jdk8236512-pkcs11_incorrrect_session_closure.patch +# JDK-8250861, RH1895274: Crash in MinINode::Ideal(PhaseGVN*, bool) +Patch12: jdk8250861-rh1895274-crash_in_MinINode_Ideal.patch BuildRequires: autoconf BuildRequires: automake @@ -1168,7 +1254,9 @@ BuildRequires: java-%{buildjdkver}-openjdk-devel %ifnarch %{jit_arches} BuildRequires: libffi-devel %endif -BuildRequires: tzdata-java >= 2015d +# 2020b required as of JDK-8254177 in October CPU +# Temporarily held at 2020a until 2020b has shipped +BuildRequires: tzdata-java >= 2020a # Earlier versions have a bug in tree vectorization on PPC BuildRequires: gcc >= 4.8.3-8 @@ -1194,6 +1282,17 @@ The %{origin_nice} runtime environment. %{debug_warning} %endif +%if %{include_fastdebug_build} +%package fastdebug +Summary: %{origin_nice} Runtime Environment %{majorver} %{fastdebug_on} +Group: Development/Languages + +%{java_rpo -- %{fastdebug_suffix_unquoted}} +%description fastdebug +The %{origin_nice} runtime environment. +%{fastdebug_warning} +%endif + %if %{include_normal_build} %package headless Summary: %{origin_nice} Headless Runtime Environment %{majorver} @@ -1217,6 +1316,18 @@ The %{origin_nice} runtime environment %{majorver} without audio and video suppo %{debug_warning} %endif +%if %{include_fastdebug_build} +%package headless-fastdebug +Summary: %{origin_nice} Runtime Environment %{fastdebug_on} +Group: Development/Languages + +%{java_headless_rpo -- %{fastdebug_suffix_unquoted}} + +%description headless-fastdebug +The %{origin_nice} runtime environment %{majorver} without audio and video support. +%{fastdebug_warning} +%endif + %if %{include_normal_build} %package devel Summary: %{origin_nice} Development Environment %{majorver} @@ -1240,6 +1351,18 @@ The %{origin_nice} development tools %{majorver}. %{debug_warning} %endif +%if %{include_fastdebug_build} +%package devel-fastdebug +Summary: %{origin_nice} Development Environment %{majorver} %{fastdebug_on} +Group: Development/Tools + +%{java_devel_rpo -- %{fastdebug_suffix_unquoted}} + +%description devel-fastdebug +The %{origin_nice} development tools %{majorver}. +%{fastdebug_warning} +%endif + %if %{include_normal_build} %package static-libs Summary: %{origin_nice} libraries for static linking %{majorver} @@ -1261,6 +1384,17 @@ The %{origin_nice} libraries for static linking %{majorver}. %{debug_warning} %endif +%if %{include_fastdebug_build} +%package static-libs-fastdebug +Summary: %{origin_nice} libraries for static linking %{majorver} %{fastdebug_on} + +%{java_static_libs_rpo -- %{fastdebug_suffix_unquoted}} + +%description static-libs-fastdebug +The %{origin_nice} libraries for static linking %{majorver}. +%{fastdebug_warning} +%endif + %if %{include_normal_build} %package jmods Summary: JMods for %{origin_nice} %{majorver} @@ -1284,6 +1418,18 @@ The JMods for %{origin_nice} %{majorver}. %{debug_warning} %endif +%if %{include_fastdebug_build} +%package jmods-fastdebug +Summary: JMods for %{origin_nice} %{majorver} %{fastdebug_on} +Group: Development/Tools + +%{java_jmods_rpo -- %{fastdebug_suffix_unquoted}} + +%description jmods-fastdebug +The JMods for %{origin_nice} %{majorver}. +%{fastdebug_warning} +%endif + %if %{include_normal_build} %package demo Summary: %{origin_nice} Demos %{majorver} @@ -1307,6 +1453,18 @@ The %{origin_nice} demos %{majorver}. %{debug_warning} %endif +%if %{include_fastdebug_build} +%package demo-fastdebug +Summary: %{origin_nice} Demos %{majorver} %{fastdebug_on} +Group: Development/Languages + +%{java_demo_rpo -- %{fastdebug_suffix_unquoted}} + +%description demo-fastdebug +The %{origin_nice} demos %{majorver}. +%{fastdebug_warning} +%endif + %if %{include_normal_build} %package src Summary: %{origin_nice} Source Bundle %{majorver} @@ -1331,6 +1489,18 @@ The java-%{origin}-src-slowdebug sub-package contains the complete %{origin_nice class library source code for use by IDE indexers and debuggers. Debugging %{for_debug}. %endif +%if %{include_fastdebug_build} +%package src-fastdebug +Summary: %{origin_nice} Source Bundle %{majorver} %{for_fastdebug} +Group: Development/Languages + +%{java_src_rpo -- %{fastdebug_suffix_unquoted}} + +%description src-fastdebug +The java-%{origin}-src-fastdebug sub-package contains the complete %{origin_nice} %{majorver} + class library source code for use by IDE indexers and debuggers. Debugging %{for_fastdebug}. +%endif + %if %{include_normal_build} %package javadoc Summary: %{origin_nice} %{majorver} API documentation @@ -1342,11 +1512,9 @@ Obsoletes: javadoc-debug %description javadoc The %{origin_nice} %{majorver} API documentation. -%endif -%if %{include_normal_build} %package javadoc-zip -Summary: %{origin_nice} %{majorver} API documentation compressed in single archive +Summary: %{origin_nice} %{majorver} API documentation compressed in a single archive Group: Documentation Requires: javapackages-filesystem Obsoletes: javadoc-zip-debug @@ -1354,7 +1522,7 @@ Obsoletes: javadoc-zip-debug %{java_javadoc_rpo %{nil}} %description javadoc-zip -The %{origin_nice} %{majorver} API documentation compressed in single archive. +The %{origin_nice} %{majorver} API documentation compressed in a single archive. %endif %prep @@ -1369,19 +1537,29 @@ The %{origin_nice} %{majorver} API documentation compressed in single archive. if [ %{include_normal_build} -eq 0 -o %{include_normal_build} -eq 1 ] ; then echo "include_normal_build is %{include_normal_build}" else - echo "include_normal_build is %{include_normal_build}, thats invalid. Use 1 for yes or 0 for no" + echo "include_normal_build is %{include_normal_build}, that is invalid. Use 1 for yes or 0 for no" exit 11 fi if [ %{include_debug_build} -eq 0 -o %{include_debug_build} -eq 1 ] ; then echo "include_debug_build is %{include_debug_build}" else - echo "include_debug_build is %{include_debug_build}, thats invalid. Use 1 for yes or 0 for no" + echo "include_debug_build is %{include_debug_build}, that is invalid. Use 1 for yes or 0 for no" exit 12 fi -if [ %{include_debug_build} -eq 0 -a %{include_normal_build} -eq 0 ] ; then - echo "You have disabled both include_debug_build and include_normal_build. That is a no go." +if [ %{include_fastdebug_build} -eq 0 -o %{include_fastdebug_build} -eq 1 ] ; then + echo "include_fastdebug_build is %{include_fastdebug_build}" +else + echo "include_fastdebug_build is %{include_fastdebug_build}, that is invalid. Use 1 for yes or 0 for no" exit 13 fi +if [ %{include_debug_build} -eq 0 -a %{include_normal_build} -eq 0 -a %{include_fastdebug_build} -eq 0 ] ; then + echo "You have disabled all builds (normal,fastdebug,slowdebug). That is a no go." + exit 14 +fi +if [ %{include_normal_build} -eq 0 ] ; then + echo "You have disabled the normal build, but this is required to provide docs for the debug build." + exit 15 +fi %setup -q -c -n %{uniquesuffix ""} -T -a 0 # https://bugzilla.redhat.com/show_bug.cgi?id=1189084 prioritylength=`expr length %{priority}` @@ -1399,13 +1577,22 @@ pushd %{top_level_dir_name} %patch2 -p1 %patch3 -p1 %patch4 -p1 -%patch6 -p1 %patch7 -p1 %patch8 -p1 +%patch9 -p1 +%patch10 -p1 +%patch11 -p1 +%patch12 -p1 popd # openjdk %patch1000 +%patch600 %patch1001 +%patch1002 +%patch1003 +%patch1004 +%patch1005 +%patch1006 # Extract systemtap tapsets %if %{with_systemtap} @@ -1413,6 +1600,9 @@ tar --strip-components=1 -x -I xz -f %{SOURCE8} %if %{include_debug_build} cp -r tapset tapset%{debug_suffix} %endif +%if %{include_fastdebug_build} +cp -r tapset tapset%{fastdebug_suffix} +%endif for suffix in %{build_loop} ; do @@ -1507,10 +1697,16 @@ bash ../configure \ %ifarch %{ppc64le} --with-jobs=1 \ %endif - --with-version-build=%{buildver} \ + --with-version-build=1 \ --with-version-pre="%{ea_designator}" \ --with-version-opt=%{lts_designator} \ + --with-version-patch=1 \ + --with-version-date="2020-11-04" \ --with-vendor-version-string="%{vendor_version_string}" \ + --with-vendor-name="%{oj_vendor}" \ + --with-vendor-url="%{oj_vendor_url}" \ + --with-vendor-bug-url="%{oj_vendor_bug_url}" \ + --with-vendor-vm-bug-url="%{oj_vendor_bug_url}" \ --with-boot-jdk=/usr/lib/jvm/java-%{buildjdkver}-openjdk \ --with-debug-level=$debugbuild \ --with-native-debug-symbols=internal \ @@ -1527,9 +1723,7 @@ bash ../configure \ --with-extra-ldflags="%{ourldflags}" \ --with-num-cores="$NUM_PROC" \ --disable-javac-server \ -%ifarch x86_64 - --with-jvm-features=zgc \ -%endif + --with-jvm-features="%{shenandoah_feature},%{zgc_feature}" \ --disable-warnings-as-errors # Debug builds don't need same targets as release for @@ -1570,6 +1764,13 @@ install -m 644 nss.fips.cfg $JAVA_HOME/conf/security/ rm $JAVA_HOME/lib/tzdb.dat ln -s %{_datadir}/javazi-1.8/tzdb.dat $JAVA_HOME/lib/tzdb.dat +# Create fake alt-java as a placeholder for future alt-java +pushd ${JAVA_HOME} +# add alt-java man page +echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1 +cat man/man1/java.1 >> man/man1/%{alt_java_name}.1 +popd + # build cycles done @@ -1593,6 +1794,15 @@ $JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLev $JAVA_HOME/bin/javac -d . %{SOURCE14} $JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||") +# Check correct vendor values have been set +$JAVA_HOME/bin/javac -d . %{SOURCE16} +$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" %{oj_vendor_url} %{oj_vendor_bug_url} + +# Check debug symbols in static libraries (smoke test) +export STATIC_LIBS_HOME=$(pwd)/%{buildoutputdir -- $suffix}/images/%{static_libs_image} +readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep w_remainder.c +readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep e_remainder.c + # Check debug symbols are present and can identify code find "$JAVA_HOME" -iname '*.so' -print0 | while read -d $'\0' lib do @@ -1711,7 +1921,6 @@ pushd %{buildoutputdir $suffix}/images/%{jdkimage} ln -sf %{sdkdir -- $suffix} %{jrelnk -- $suffix} popd - # Install man pages install -d -m 755 $RPM_BUILD_ROOT%{_mandir}/man1 for manpage in man/man1/* @@ -1727,15 +1936,18 @@ pushd %{buildoutputdir $suffix}/images/%{jdkimage} popd # Install static libs artefacts +mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/static/linux-%{archinstall}/glibc cp -a %{buildoutputdir -- $suffix}/images/%{static_libs_image}/lib/*.a \ - $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib + $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/static/linux-%{archinstall}/glibc if ! echo $suffix | grep -q "debug" ; then # Install Javadoc documentation install -d -m 755 $RPM_BUILD_ROOT%{_javadocdir} cp -a %{buildoutputdir $suffix}/images/docs $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir $suffix} - cp -a %{buildoutputdir -- $suffix}/bundles/jdk-%{newjavaver}%{ea_designator_zip}+%{buildver}%{lts_designator_zip}-docs.zip $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}.zip + #built_doc_archive=jdk-%{newjavaver}%{ea_designator_zip}+%{buildver}%{lts_designator_zip}-docs.zip + built_doc_archive=jdk-11.0.9.1+1%{lts_designator_zip}-docs.zip + cp -a %{buildoutputdir -- $suffix}/bundles/${built_doc_archive} $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}.zip fi # Install release notes @@ -1828,6 +2040,28 @@ end -- run content of included file with fake args arg = {"--currentjvm", "%{uniquesuffix %{nil}}", "--jvmdir", "%{_jvmdir %{nil}}", "--origname", "%{name}", "--origjavaver", "%{javaver}", "--arch", "%{_arch}", "--temp", "%{rpm_state_dir}/%{name}.%{_arch}"} require "copy_jdk_configs.lua" +-- the returns from copy_jdk_configs.lua should not affect this 'main', so it shodl run under all circumstances, except fatal error +-- https://bugzilla.redhat.com/show_bug.cgi?id=1820172 +-- https://docs.fedoraproject.org/en-US/packaging-guidelines/Directory_Replacement/ +-- Define the path to directory being replaced below. +-- DO NOT add a trailing slash at the end. +path1 = "%{_jvmdir}/%{sdkdir -- %{nil}}/conf" +path2 = "%{_jvmdir}/%{sdkdir -- %{nil}}/lib/security" +array = {path1, path2} +for index, path in pairs(array) do + st = posix.stat(path) + if st and st.type == "directory" then + status = os.rename(path, path .. ".rpmmoved") + if not status then + suffix = 0 + while not status do + suffix = suffix + 1 + status = os.rename(path .. ".rpmmoved", path .. ".rpmmoved." .. suffix) + end + os.rename(path, path .. ".rpmmoved") + end + end +end %post %{post_script %{nil}} @@ -1893,6 +2127,33 @@ require "copy_jdk_configs.lua" %endif +%if %{include_fastdebug_build} +%post fastdebug +%{post_script -- %{fastdebug_suffix_unquoted}} + +%post headless-fastdebug +%{post_headless -- %{fastdebug_suffix_unquoted}} + +%postun fastdebug +%{postun_script -- %{fastdebug_suffix_unquoted}} + +%postun headless-fastdebug +%{postun_headless -- %{fastdebug_suffix_unquoted}} + +%posttrans fastdebug +%{posttrans_script -- %{fastdebug_suffix_unquoted}} + +%post devel-fastdebug +%{post_devel -- %{fastdebug_suffix_unquoted}} + +%postun devel-fastdebug +%{postun_devel -- %{fastdebug_suffix_unquoted}} + +%posttrans devel-fastdebug +%{posttrans_devel -- %{fastdebug_suffix_unquoted}} + +%endif + %if %{include_normal_build} %files # main package builds always @@ -1927,9 +2188,8 @@ require "copy_jdk_configs.lua" %files javadoc %{files_javadoc %{nil}} -# this puts huge file to /usr/share -# unluckily ti is really a documentation file -# and unluckily it really is architecture-dependent, as eg. aot and grail are now x86_64 only +# This puts a huge documentation file in /usr/share +# It is now architecture-dependent, as eg. AOT and Graal are now x86_64 only # same for debug variant %files javadoc-zip %{files_javadoc_zip %{nil}} @@ -1959,7 +2219,242 @@ require "copy_jdk_configs.lua" %endif +%if %{include_fastdebug_build} +%files fastdebug +%{files_jre -- %{fastdebug_suffix_unquoted}} + +%files headless-fastdebug +%{files_jre_headless -- %{fastdebug_suffix_unquoted}} + +%files devel-fastdebug +%{files_devel -- %{fastdebug_suffix_unquoted}} + +%files static-libs-fastdebug +%{files_static_libs -- %{fastdebug_suffix_unquoted}} + +%files jmods-fastdebug +%{files_jmods -- %{fastdebug_suffix_unquoted}} + +%files demo-fastdebug +%{files_demo -- %{fastdebug_suffix_unquoted}} + +%files src-fastdebug +%{files_src -- %{fastdebug_suffix_unquoted}} + +%endif + %changelog +* Tue Dec 01 2020 Jiri Vanek - 1:11.0.9.11-7 +- removed patch6, rh1566890-CVE_2018_3639-speculative_store_bypass.patch, surpassed by new patch +- added patch600, rh1750419-redhat_alt_java.patch, suprassing removed patch +- no longer copying of java->alt-java as it is created by patch600 +- Resolves: rhbz#1784116 + +* Wed Nov 11 2020 Andrew Hughes - 1:11.0.9.11-6 +- Fix typo of build_doc_archive/built_doc_archive +- Resolves: rhbz#1895274 + +* Wed Nov 04 2020 Severin Gehwolf - 1:11.0.9.11-5 +- Update to jdk-11.0.9.1+1 +- RPM version stays at 11.0.9.11 so as to not break upgrade path. +- Adds a single patch for JDK-8250861. +- Resolves: rhbz#1895274 + +* Thu Oct 29 2020 Jiri Vanek - 1:11.0.9.11-4 +- Move all license files to NVR-specific JVM directory. +- This bad placement was killing parallel installability and thus having a bad impact on leapp, if used. +- Resolves: rhbz#1889481 + +* Tue Oct 27 2020 Andrew Hughes - 1:11.0.9.11-3 +- Bump release number to build on RHEL 8.4.0 branch. +- Resolves: rhbz#1876665 +- Resolves: rhbz#1889497 +- Resolves: rhbz#1883849 + +* Wed Oct 21 2020 Andrew Hughes - 1:11.0.9.11-2 +- Add backport of JDK-8236512 to correct use of killSession +- Resolves: rhbz#1889497 + +* Mon Oct 19 2020 Severin Gehwolf - 1:11.0.9.11-2 +- Fix directory ownership of static-libs package +- Resolves: rhbz#1876665 + +* Thu Oct 15 2020 Andrew Hughes - 1:11.0.9.11-1 +- Delay tzdata 2020b dependency until tzdata update has shipped. +- Resolves: rhbz#1876665 + +* Thu Oct 15 2020 Andrew Hughes - 1:11.0.9.11-1 +- Update to jdk-11.0.9+11 +- Update release notes for 11.0.9 release. +- Add backport of JDK-8254177 to update to tzdata 2020b +- Require tzdata 2020b due to resource changes in JDK-8254177 +- This tarball is embargoed until 2020-10-20 @ 1pm PT. +- Resolves: rhbz#1876665 + +* Thu Oct 15 2020 Andrew Hughes - 1:11.0.9.10-0.3.ea +- Improve quoting of vendor name +- Resolves: rhbz#1876665 + +* Wed Oct 14 2020 Jiri Vanek - 1:11.0.9.10-0.3.ea +- Set vendor property and vendor URLs +- Made URLs to be preconfigured by OS +- Moved vendor_version_string to a better place +- Resolves: rhbz#1876665 + +* Wed Oct 14 2020 Andrew Hughes - 1:11.0.9.10-0.2.ea +- Add patch to allow the PKCS11 provider access to the SunJCE provider with the security manager enabled +- Resolves: rhbz#1883849 + +* Tue Oct 13 2020 Andrew Hughes - 1:11.0.9.10-0.1.ea +- Update to jdk-11.0.9+10 (EA) +- Resolves: rhbz#1876665 + +* Tue Oct 13 2020 Andrew Hughes - 1:11.0.9.9-0.1.ea +- Update to jdk-11.0.9+9 (EA) +- Resolves: rhbz#1876665 + +* Tue Oct 13 2020 Andrew Hughes - 1:11.0.9.8-0.1.ea +- Update to jdk-11.0.9+8 (EA) +- Remove JDK-8252258/RH1868406 now applied upstream. +- Resolves: rhbz#1876665 + +* Tue Oct 13 2020 Andrew Hughes - 1:11.0.9.7-0.1.ea +- Update to jdk-11.0.9+7 (EA) +- Resolves: rhbz#1876665 + +* Mon Oct 12 2020 Severin Gehwolf - 1:11.0.9.6-0.2.ea +- Update static-libs packaging to new layout +- Resolves: rhbz#1876665 + +* Sat Oct 10 2020 Andrew Hughes - 1:11.0.9.6-0.1.ea +- Update to jdk-11.0.9+6 (EA) +- Update tarball generation script to use PR3802, handling JDK-8233228 & JDK-8177334 +- Resolves: rhbz#1876665 + +* Thu Oct 08 2020 Andrew Hughes - 1:11.0.9.5-0.1.ea +- Update to jdk-11.0.9+5 (EA) +- Resolves: rhbz#1876665 + +* Thu Oct 08 2020 Andrew Hughes - 1:11.0.9.4-0.1.ea +- Update to jdk-11.0.9+4 (EA) +- Resolves: rhbz#1876665 + +* Wed Oct 07 2020 Andrew Hughes - 1:11.0.9.3-0.1.ea +- Update to jdk-11.0.9+3 (EA) +- Remove JDK-8251117/RH1860990 as now applied upstream. +- Resolves: rhbz#1876665 + +* Mon Oct 05 2020 Andrew Hughes - 1:11.0.9.2-0.2.ea +- Following JDK-8005165, class data sharing can be enabled on all JIT architectures +- Resolves: rhbz#1876665 + +* Mon Oct 05 2020 Andrew Hughes - 1:11.0.9.2-0.1.ea +- Update to jdk-11.0.9+2 (EA) +- With Shenandoah now upstream in OpenJDK 11, we can use jdk-updates/jdk11 directly +- Resolves: rhbz#1876665 + +* Mon Oct 05 2020 Andrew Hughes - 1:11.0.9.1-0.1.ea +- Cleanup architecture and JVM feature handling in preparation for using upstreamed Shenandoah. +- Resolves: rhbz#1876665 + +* Mon Sep 28 2020 Andrew Hughes - 1:11.0.9.1-0.0.ea +- Update to shenandoah-jdk-11.0.9+1 (EA) +- Switch to EA mode for 11.0.9 pre-release builds. +- JDK-8245832 increases the set of static libraries, so try and include them all with a wildcard. +- Resolves: rhbz#1876665 + +* Thu Sep 17 2020 Andrew Hughes - 1:11.0.8.10-6 +- Add patch to cancel PKCS#11 operations on failure (RH1868754) +- Add patch to allow the PKCS11 provider access to the SunJCE provider (RH1868740) +- Resolves: rhbz#1868740 +- Resolves: rhbz#1868754 + +* Fri Aug 28 2020 Andrew Hughes - 1:11.0.8.10-5 +- Use 'oj_' prefix on new vendor globals to avoid a conflict with RPM's vendor value. +- Resolves: rhbz#1868406 + +* Tue Aug 25 2020 Andrew Hughes - 1:11.0.8.10-4 +- Disable TLSv1.3 when the FIPS crypto policy and the NSS-FIPS provider are in use. +- Resolves: rhbz#1860986 + +* Tue Aug 25 2020 Andrew Hughes - 1:11.0.8.10-3 +- Add JDK-8252258 to return default vendor to the original value of 'Oracle Corporation' +- Include a test in the RPM to check the build has the correct vendor information. +- Resolves: rhbz#1868406 + +* Tue Aug 25 2020 Andrew Hughes - 1:11.0.8.10-2 +- Backport JDK-8251117 to allow key length to be retrieved from PKCS#11 FIPS keys +- Resolves: rhbz#1860990 + +* Sat Jul 11 2020 Andrew Hughes - 1:11.0.8.10-1 +- Update to shenandoah-jdk-11.0.8+10 (GA) +- Switch to GA mode for final release. +- Update release notes with last minute fix (JDK-8248505). +- Resolves: rhbz#1838811 + +* Fri Jul 10 2020 Andrew Hughes - 1:11.0.8.9-0.1.ea +- Update to shenandoah-jdk-11.0.8+9 (EA) +- Update release notes for 11.0.8 release. +- Resolves: rhbz#1838811 + +* Tue Jun 30 2020 Andrew Hughes - 1:11.0.8.8-0.1.ea +- Update to shenandoah-jdk-11.0.8+8 (EA) +- Resolves: rhbz#1838811 + +* Mon Jun 29 2020 Andrew Hughes - 1:11.0.8.7-0.4.ea +- Add support for fastdebug builds on x86_64 only. +- Resolves: rhbz#1836068 + +* Sun Jun 28 2020 Andrew Hughes - 1:11.0.8.7-0.3.ea +- Use RSA as default for keytool, as DSA is disabled in all crypto policies except LEGACY +- Resolves: rhbz#1842572 + +* Wed Jun 24 2020 Andrew Hughes - 1:11.0.8.7-0.2.ea +- java-11-openjdk doesn't have a JRE tree, so don't try and copy alt-java there... +- Resolves: rhbz#1838811 + +* Wed Jun 24 2020 Jiri Vanek - 1:11.0.8.7-0.2.ea +- Create a copy of java as alt-java with alternatives and man pages +- Resolves: rhbz#1838811 + +* Tue Jun 23 2020 Andrew Hughes - 1:11.0.8.7-0.1.ea +- Update to shenandoah-jdk-11.0.8+7 (EA) +- Resolves: rhbz#1838811 + +* Mon Jun 22 2020 Jiri Vanek - 1:11.0.8.6-0.3.ea +- Symlink hunk moved behind the main copy logic, to be more user-friendly with multiple installs +- Resolves: rhbz#1820172 + +* Mon Jun 22 2020 Jiri Vanek - 1:11.0.8.6-0.2.ea +- Added scriplet to handle dir-> symling change when updating el7->el8 +- Resolves: rhbz#182017 + +* Thu Jun 18 2020 Andrew Hughes - 1:11.0.8.6-0.1.ea +- Update to shenandoah-jdk-11.0.8+6 (EA) +- Resolves: rhbz#1838811 + +* Tue Jun 09 2020 Severin Gehwolf - 1:11.0.8.5-0.2.ea +- Disable stripping of debug symbols for static libraries part of + the -static-libs sub-package. +- Resolves: rhbz#1839084 + +* Sun Jun 07 2020 Andrew Hughes - 1:11.0.8.5-0.1.ea +- Update to shenandoah-jdk-11.0.8+5 (EA) +- Resolves: rhbz#1838811 + +* Tue Jun 02 2020 Andrew John Hughes - 1:11.0.8.4-0.3.ea +- Enable alignment with FIPS crypto policy by default (-Dcom.redhat.fips=false to disable). +- Resolves: rhbz#1725961 + +* Mon Jun 01 2020 Andrew John Hughes - 1:11.0.8.4-0.2.ea +- Use appropriate keystore types when in FIPS mode. +- Resolves: rhbz#1818909 + +* Mon May 25 2020 Andrew Hughes - 1:11.0.8.4-0.1.ea +- Update to shenandoah-jdk-11.0.8+4 (EA) +- Require tzdata 2020a due to resource changes in JDK-8243541 +- Resolves: rhbz#1838811 + * Mon May 25 2020 Andrew Hughes - 1:11.0.8.3-0.1.ea - Update to shenandoah-jdk-11.0.8+3 (EA) - Resolves: rhbz#1838811 @@ -2488,7 +2983,7 @@ require "copy_jdk_configs.lua" - renamed zip javadoc * Tue Apr 10 2018 Severin Gehwolf - 1:10.0.0.46-12 -- Enable basic EC ciphers test in %check. +- Enable basic EC ciphers test in %%check. * Tue Apr 10 2018 Severin Gehwolf - 1:10.0.0.46-11 - Port Martin Balao's JDK 9 patch for system NSS support to JDK 10.