* RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
* RH2090378: Revert to disabling system security properties and FIPS mode support together
Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
Enable system security properties in the RPM (now disabled by default in the FIPS repo)
Improve security properties test to check both enabled and disabled behaviour
Run security properties test with property debugging on
Resolves: rhbz#2099839
Resolves: rhbz#2100676
...after 19065a8b01 "Temporarily move x86 to use
Zero in order to get a working build":
When building the
> if ${run_bootstrap} ; then
branch for suffix='' and loop='-main', the second
> buildjdk ${builddir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt}
uses the JDK (`$(pwd)/${bootinstalldir}/images/%{jdkimage}`) from the installjdk
on the previous line. But installjdk does
> rm ${imagepath}/lib/tzdb.dat
> ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat
which made that JDK's tzdb.dat link to /app/share/javazi-1.8/tzdb.dat in a
flatpak build (rather than the usual /usr/share/javazi-1.8/tzdb.dat in a non-
flatpak build) which is not present at build-time (but will be present at
runtime in at least the LibreOffice flatpak, which bundles tzdata-java built for
the flatpak /app prefix). So using that JDK's compiler during the build kept
failing due to java.io.FileNotFoundException for its lib/tzdb.dat.
(This was not an issue prior to 19065a8b01, as
installjdk's modification of lib/tzdb.dat used to be done only for the "Final
setup on the main image" at the very end of the build, not during the build for
JDKs that are themselves used later during the build.)
The easiest workaround for this issue appears to be to just not bootstrap_build
in the flatpak case, avoiding the situation that a JDK whose lib/tzdb.dat has
been modified through installjdk is used during the build.
Resolves: rhbz#2067189
Fixing:
Bug 2001567 - update of JDK/JRE is removing its manually selected alterantives and select (as auto) system JDK/JRE
The move of alternatives creation to posttrans to fix:
Bug 1200302 - dnf reinstall breaks alternatives
Had caused the alternatives to be removed, and then created again,
instead of being added, and then removing the old, and thus persisting
the selection in family
Thus this fix, is storing the family of manually selected master, and if
stored, then it is restoring the family of the master
Sync gdb test with java-1.8.0-openjdk.
Improve architecture restrictions for the gdb test.
Replace -mstackrealign with -mincoming-stack-boundary=2 -mpreferred-stack-boundary=4 on x86_32 for stack alignment
Explicitly list JIT architectures rather than relying on those with slowdebug builds
Disable the serviceability agent on Zero architectures even when the architecture itself is supported
Add backport of JDK-8257794 to fix bogus assert on slowdebug x86-32 Zero builds
Give javadoc-zip its own Provides, next to the plain javadoc ones
Related: rhbz#2052834
Update release notes to 11.0.14.0+8
Switch to EA mode for 11.0.14 pre-release builds.
Rename blacklisted.certs to blocked.certs following JDK-8253866
Rebase RH1996182 login patch and drop redundant security policy extension after JDK-8269034
Resolves: rhbz#2022825
Fedora 35 and better no longer ship the legacy
secmod.db file as part of the nss package. Explicitly
tell OpenJDK to use sqlite-based sec mode.
Resolves: rhbz#2023535
Update release notes to 11.0.13.0+8
Update tarball generation script to use git following OpenJDK 11u's move to github
Remove "-clean" suffix as no 11.0.13 builds are unclean.
Drop JDK-8269668 patch which is now applied upstream.
Resolves: rhbz#2013845
Update release notes to 11.0.12.0+7
Switch to GA mode for final release.
Add patch in order to fix java.library.path issue on aarch64 (JDK-8269668)
Remove non-Free test from source tarball.
Resolves: rhbz#1967815
Update release notes to 11.0.12.0+6
Correct bug ID JDK-8264846 to intended ID of JDK-8264848
Switch to EA mode for 11.0.12 pre-release builds.
Update ECC patch following JDK-8226374 (bug ID yet to be confirmed)
Use the "reverse" build loop (debug first) as the main and only build loop to get more diagnostics.
Remove restriction on disabling product build, as debug packages no longer have javadoc packages.
Resolves: rhbz#1967815
Minor code cleanups on FIPS detection patch and check for SECMOD_GetSystemFIPSEnabled in configure.
Remove unneeded Requires on NSS as it will now be dynamically linked and detected by RPM.
Resolves: rhbz#1971689
Update RH1655466 FIPS patch with changes in OpenJDK 8 version.
SunPKCS11 runtime provider name is a concatenation of "SunPKCS11-" and the name in the config file.
Change nss.fips.cfg config name to "NSS-FIPS" to avoid confusion with nss.cfg.
No need to substitute path to nss.fips.cfg as java.security file supports a java.home variable.
Disable FIPS mode support unless com.redhat.fips is set to "true".
Use appropriate keystore types when in FIPS mode (RH1818909)
Enable alignment with FIPS crypto policy by default (-Dcom.redhat.fips=false to disable).
Disable TLSv1.3 when the FIPS crypto policy and the NSS-FIPS provider are in use (RH1860986)
Add explicit runtime dependency on NSS for the PKCS11 provider in FIPS mode
Move setup of JavaSecuritySystemConfiguratorAccess to Security class so it always occurs (RH1915071)
Resolves: rhbz#1971689
Update release notes to 11.0.11.0+9
Perform static library build on a separate source tree with bundled image libraries
Make static library build optional
Hardcode /usr/sbin/alternatives for Flatpak builds
Require tzdata 2020f to match upstream change JDK-8259048
Require tzdata 2021a to match upstream change JDK-8260356
Remove upstreamed patch JDK-8259949
Fix issue where CheckVendor.java test erroneously passes when it should fail.
Add proper quoting so '&' is not treated as a special character by the shell.
Update tapsets from IcedTea 6.x repository with fix for JDK-8015774 changes (_heap->_heaps)
Update icedtea_sync.sh with a VCS mode that retrieves sources from a Mercurial repository
Remove -fcommon work-around as the OpenJDK 11 code has been fixed.
Resolves: rhbz#1967815