Commit Graph

69 Commits

Author SHA1 Message Date
Andrew Hughes
b9df10f188 Update to jdk-11.0.20.0+8 (GA)
Update release notes to 11.0.20.0+8
Drop local inclusion of JDK-8274864 & JDK-8305113 as they are included in 11.0.20+1
Bump tzdata requirement to 2023c now it is available in the buildroot
Bump bundled LCMS version to 2.15 as in jdk-11.0.20+1.
Bump bundled HarfBuzz version to 7.0.1 as in jdk-11.0.20+7
Use tapsets from the misc tarball
Introduce 'prelease' for the portable release versioning, to handle EA builds
Make sure root installation directory is created first
Use in-place substitution for all but the first of the tapset changes
Sync the copy of the portable specfile with the latest update
Add note at top of spec file about rebuilding

** This tarball is embargoed until 2023-07-18 @ 1pm PT. **

Resolves: rhbz#2217715
Resolves: rhbz#2221106
2023-07-15 17:39:32 +01:00
Andrew Hughes
620fc0623e Include the java-11-openjdk-portable.spec file with instructions on how to rebuild.
Related: rhbz#2150201
2023-04-28 03:06:29 +01:00
Andrew Hughes
338251bfa4 Adjust oj_vendor_bug_url to match the portable so test passes
Related: rhbz#2150201
2023-04-28 01:41:55 +01:00
Andrew Hughes
5f93ca4809 Revert "Restore native build for x86 as there is no portable build"
Reintroduce useful cleanups from x86 reversion
Adjust oj_vendor_version to match the portable so test passes

Related: rhbz#2150201
2023-04-28 01:01:09 +01:00
Andrew Hughes
76462a9181 Update to jdk-11.0.19.0+7
Update release notes to 11.0.19.0+7
Require tzdata 2023c due to local inclusion of JDK-8274864 & JDK-8305113
Update generate_tarball.sh to add support for passing a boot JDK to the configure run
Add POSIX-friendly error codes to generate_tarball.sh and fix whitespace
Remove .jcheck and GitHub support when generating tarballs, as done in upstream release tarballs
Rebase FIPS support against 11.0.19+6
Rebase RH1750419 alt-java patch against 11.0.19+6
Replace local copies of JDK portable binaries with build dependencies
Use portable build on x86_32 now one is available

** This tarball is embargoed until 2023-04-18 @ 1pm PT. **

Resolves: rhbz#2185182
Resolves: rhbz#2150201
2023-04-27 21:07:34 +01:00
Andrew Hughes
f6ad5207e9 On portable architectures, replace build section with extraction of existing builds from portables
Rewrite ELF files so the source file path is correct and debugsources can be assembled
Backport SHA-3 support for PKCS11 provider
Sync patch set with portable build we are using by removing rh1648644-java_access_bridge_privileged_security.patch

Resolves: rhbz#2150201
2023-02-28 10:08:17 +00:00
Andrew Hughes
843d0a6e77 Update to jdk-11.0.18+10 (GA)
Update release notes to 11.0.18+10
Switch to GA mode for release

Resolves: rhbz#2160111
2023-01-20 17:21:23 +00:00
Andrew Hughes
170b9f4b80 Update to jdk-11.0.18+9
Update release notes to 11.0.18+9
Drop local copy of JDK-8293834 now this is upstream
Require tzdata 2022g due to inclusion of JDK-8296108, JDK-8296715 & JDK-8297804
Update TestTranslations.java to test the new America/Ciudad_Juarez zone

Resolves: rhbz#2150197
2023-01-03 01:21:55 +00:00
Andrew Hughes
2d92e384b0 Update to jdk-11.0.18+1
Update release notes to 11.0.18+1
Switch to EA mode for 11.0.18 pre-release builds.
Drop local copies of JDK-8294357 & JDK-8295173 now upstream contains tzdata 2022e
Drop local copy of JDK-8275535 which is finally upstream

Related: rhbz#2150197
2022-12-15 02:04:39 +00:00
Andrew Hughes
6f5a588379 Update to jdk-11.0.17+8 (GA)
Update release notes to 11.0.17+8
Switch to GA mode for release
Update in-tree tzdata to 2022e with JDK-8294357 & JDK-8295173
Update CLDR data with Europe/Kyiv (JDK-8293834)
Drop JDK-8292223 patch which we found to be unnecessary
Update TestTranslations.java to use public API based on TimeZoneNamesTest upstream
The stdc++lib, zlib & freetype options should always be set from the global, so they are not altered for staticlibs builds
Remove freetype sources along with zlib sources

Resolves: rhbz#2133695
2022-10-26 05:02:26 +01:00
Andrew Hughes
2714db4052 Update to jdk-11.0.17+7
Update release notes to 11.0.17+7

Resolves: rhbz#2130619
2022-10-05 18:17:05 +01:00
Andrew Hughes
202005cfbc Update to jdk-11.0.17+1
Update release notes to 11.0.17+1
Switch to EA mode for 11.0.17 pre-release builds.
Bump HarfBuzz bundled version to 4.4.1 following JDK-8289853
Bump FreeType bundled version to 2.12.1 following JDK-8290334

Related: rhbz#2130619
2022-09-30 21:58:49 +01:00
Andrew Hughes
039e53d5a7 Switch to static builds, reducing system dependencies and making build more portable
Resolves: rhbz#2121275
2022-08-30 01:37:48 +01:00
Andrew Hughes
acf9019a98 Update to jdk-11.0.16.1+1
Update release notes to 11.0.16.1+1
Add patch to provide translations for Europe/Kyiv added in tzdata2022b
Add test to ensure timezones can be translated

Resolves: rhbz#2119528
2022-08-24 19:40:09 +01:00
Andrew Hughes
163ab7d4c9 Update to jdk-11.0.16+8
Update release notes to 11.0.16+8
Switch to GA mode for release

Resolves: rhbz#2106517
2022-07-22 23:04:09 +01:00
Andrew Hughes
524bc89b41 Update to jdk-11.0.16+7
Update release notes to 11.0.16+7
Switch to EA mode for 11.0.16 pre-release builds.
Use same tarball naming style as java-17-openjdk and java-latest-openjdk
Drop JDK-8257794 patch now upstreamed
Print release file during build, which should now include a correct SOURCE value from .src-rev
Update tarball script with IcedTea GitHub URL and .src-rev generation
Use "git apply" with patches in the tarball script to allow binary diffs
Include script to generate bug list for release notes
Update tzdata requirement to 2022a to match JDK-8283350
Make use of the vendor version string to store our version & release rather than an upstream release date
Explicitly require crypto-policies during build and runtime for system security properties
Add additional patch during tarball generation to align tests with ECC changes

Resolves: rhbz#2083325
2022-07-17 00:26:36 +01:00
Andrew Hughes
409bcec3d8 Rebase FIPS patches from fips branch and simplify by using a single patch from that repository
* RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
* RH2090378: Revert to disabling system security properties and FIPS mode support together

Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
Enable system security properties in the RPM (now disabled by default in the FIPS repo)
Improve security properties test to check both enabled and disabled behaviour
Run security properties test with property debugging on

Resolves: rhbz#2099839
Resolves: rhbz#2100676
2022-07-08 17:21:37 +01:00
Francisco Ferrari Bihurriet
ecd7dd9860 RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode
Use SunPKCS11 Attributes Configuration to set CKA_SIGN=true on SecretKey generate/import operations in FIPS mode, see:
https://docs.oracle.com/en/java/javase/11/security/pkcs11-reference-guide1.html#GUID-C4ABFACB-B2C9-4E71-A313-79F881488BB9__PKCS11-ATTRIBUTES-CONFIGURATION

Resolves: rhbz#2102434
2022-07-08 03:39:33 +01:00
Stephan Bergmann
57e78ff50f Fix flatpak builds
...after 19065a8b01 "Temporarily move x86 to use
Zero in order to get a working build":

When building the

>       if ${run_bootstrap} ; then

branch for suffix='' and loop='-main', the second

>           buildjdk ${builddir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt}

uses the JDK (`$(pwd)/${bootinstalldir}/images/%{jdkimage}`) from the installjdk
on the previous line.  But installjdk does

> 	rm ${imagepath}/lib/tzdb.dat
> 	ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat

which made that JDK's tzdb.dat link to /app/share/javazi-1.8/tzdb.dat in a
flatpak build (rather than the usual /usr/share/javazi-1.8/tzdb.dat in a non-
flatpak build) which is not present at build-time (but will be present at
runtime in at least the LibreOffice flatpak, which bundles tzdata-java built for
the flatpak /app prefix).  So using that JDK's compiler during the build kept
failing due to java.io.FileNotFoundException for its lib/tzdb.dat.

(This was not an issue prior to 19065a8b01, as
installjdk's modification of lib/tzdb.dat used to be done only for the "Final
setup on the main image" at the very end of the build, not during the build for
JDKs that are themselves used later during the build.)

The easiest workaround for this issue appears to be to just not bootstrap_build
in the flatpak case, avoiding the situation that a JDK whose lib/tzdb.dat has
been modified through installjdk is used during the build.

Resolves: rhbz#2067189
2022-06-30 02:28:51 +01:00
Andrew Hughes
662ffaef92 Update to jdk-11.0.15.0+10
Update release notes to 11.0.15.0+10
Switch to GA mode for release

Resolves: rhbz#2073595
2022-04-24 21:42:02 +01:00
Andrew Hughes
e5ae23fa36 Update to jdk-11.0.15.0+8
Update release notes to 11.0.15.0+8
Rebase RH1996182 FIPS patch after JDK-8254410

Resolves: rhbz#2050458
2022-04-12 18:10:43 +01:00
Andrew Hughes
3b828b2713 Update to jdk-11.0.15.0+1
Update release notes to 11.0.15.0+1
Switch to EA mode for 11.0.15 pre-release builds.

Related: rhbz#2050458
2022-04-12 02:24:24 +01:00
Andrew Hughes
1e74ba104c Detect NSS at runtime for FIPS detection
Turn off build-time NSS linking and go back to an explicit Requires on NSS

Resolves: rhbz#2052831
2022-02-28 05:47:18 +00:00
Andrew Hughes
0e6237743a Introduce tests/tests.yml, based on the one in RHEL 8
Resolves: rhbz#2058489
2022-02-27 03:08:07 +00:00
Jiri
1e24ad6c0b Storing and restoring alterntives during update manually
Fixing:
Bug 2001567 - update of JDK/JRE is removing its manually selected alterantives and select (as auto) system JDK/JRE

The move of alternatives creation to posttrans to fix:
Bug 1200302 - dnf reinstall breaks alternatives
Had caused the alternatives to be removed, and then created again,
instead of being added, and then removing the old, and thus persisting
the selection in family

Thus this fix, is storing the family of manually selected master, and if
stored, then it is restoring the family of the master
2022-02-26 12:02:19 +01:00
Andrew Hughes
35ef9f747b Family extracted to globals
Resolves: rhbz#2008205
2022-02-25 17:39:14 +00:00
Andrew Hughes
9d274e8023 Add JDK-8275535 patch to fix LDAP authentication issue.
Resolves: rhbz#2053523
2022-02-23 04:03:20 +00:00
Andrew Hughes
3e6e30fbbb Update to jdk-11.0.14.1+1
Update release notes to 11.0.14.1+1
Require tzdata 2021e as of JDK-8275766.

Resolves: rhbz#2052834
2022-02-18 02:59:57 +00:00
Andrew Hughes
fcceab5ade Separate crypto policy initialisation from FIPS initialisation, now they are no longer interdependent
Resolves: rhbz#2052820
2022-02-17 19:43:01 +00:00
Andrew Hughes
8bb8c1f9ac Update to jdk-11.0.14.0+9
Update release notes to 11.0.14.0+9
Switch to GA mode for final release.

Resolves: rhbz#2039395
2022-02-16 03:44:21 +00:00
Andrew Hughes
4272f7b1a6 Fix FIPS issues in native code and with initialisation of java.security.Security
Resolves: rhbz#2023530
2022-02-16 00:15:34 +00:00
Andrew Hughes
6fcdd14967 Refactor build functions so we can build just HotSpot without any attempt at installation.
Sync gdb test with java-1.8.0-openjdk.
Improve architecture restrictions for the gdb test.
Replace -mstackrealign with -mincoming-stack-boundary=2 -mpreferred-stack-boundary=4 on x86_32 for stack alignment
Explicitly list JIT architectures rather than relying on those with slowdebug builds
Disable the serviceability agent on Zero architectures even when the architecture itself is supported
Add backport of JDK-8257794 to fix bogus assert on slowdebug x86-32 Zero builds
Give javadoc-zip its own Provides, next to the plain javadoc ones

Related: rhbz#2052834
2022-02-11 16:00:03 +00:00
Andrew Hughes
233f2edf10 Update to jdk-11.0.14.0+8
Update release notes to 11.0.14.0+8
Switch to EA mode for 11.0.14 pre-release builds.
Rename blacklisted.certs to blocked.certs following JDK-8253866
Rebase RH1996182 login patch and drop redundant security policy extension after JDK-8269034

Resolves: rhbz#2022825
2022-02-11 12:22:22 +00:00
Andrew Hughes
35d6b3a4f0 Turn off bootstrapping for slow debug builds, which are particularly slow on ppc64le.
Related: rhbz#2022825
2022-02-10 18:11:32 +00:00
Andrew John Hughes
0fd8f1db3f Use 'sql:' prefix in nss.fips.cfg
Fedora 35 and better no longer ship the legacy
secmod.db file as part of the nss package. Explicitly
tell OpenJDK to use sqlite-based sec mode.

Resolves: rhbz#2023535
2021-12-02 02:39:26 +00:00
Andrew John Hughes
bdb34159ca Replaced hardcoded 11 by featurever where appropriate
Fixed comment of `for slowdebug` to correct `any debug`

Related: rhbz#2022825
2021-12-01 20:17:40 +00:00
Jiri Vanek
3c57ec91b9 alternatives creation moved to posttrans
- Thus fixing the old reisntall issue:
- https://bugzilla.redhat.com/show_bug.cgi?id=1200302
- https://bugzilla.redhat.com/show_bug.cgi?id=1976053
2021-11-09 14:13:07 +01:00
Andrew Hughes
23cc423f3a Update to jdk-11.0.13.0+8
Update release notes to 11.0.13.0+8
Update tarball generation script to use git following OpenJDK 11u's move to github
Remove "-clean" suffix as no 11.0.13 builds are unclean.
Drop JDK-8269668 patch which is now applied upstream.

Resolves: rhbz#2013845
2021-11-07 02:38:02 +00:00
Andrew Hughes
42db25eae5 Reduce disk footprint by removing build artifacts by default.
Related: rhbz#1999940
2021-10-12 03:50:02 +01:00
Andrew Hughes
7eeb37f129 Restructure the build so a minimal initial build is then used for the final build (with docs)
This reduces pressure on the system JDK and ensures the JDK being built can do a full build

Related: rhbz#1999940
2021-10-11 15:07:34 +01:00
Andrew Hughes
4db117d817 Add FIPS patch to allow plain key import
Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false

Resolves: rhbz#1994681
2021-10-10 22:59:12 +01:00
Andrew Hughes
358d95621b Minor cosmetic improvements to make spec more comparable between variants
Related: rhbz#1999940
2021-10-04 04:11:23 +01:00
Andrew Hughes
5db4334bb9 Extend the default security policy to accomodate PKCS11 accessing jdk.internal.misc.
Resolves: rhbz#1997360
2021-08-30 17:03:02 +01:00
Andrew Hughes
25304fcaf5 Add patch to login to the NSS software token when in FIPS mode.
Resolves: rhbz#1997360
2021-08-27 20:35:51 +01:00
Mohan Boddu
f61cab7066 Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
Signed-off-by: Mohan Boddu <mboddu@redhat.com>
2021-08-09 21:03:40 +00:00
Andrew Hughes
d3a8a110b5 Update to jdk-11.0.12.0+7
Update release notes to 11.0.12.0+7
Switch to GA mode for final release.
Add patch in order to fix java.library.path issue on aarch64 (JDK-8269668)
Remove non-Free test from source tarball.

Resolves: rhbz#1967815
2021-08-09 02:23:17 +01:00
Andrew Hughes
16c1b3ca09 Update to jdk-11.0.12.0+6
Update release notes to 11.0.12.0+6
Correct bug ID JDK-8264846 to intended ID of JDK-8264848
Switch to EA mode for 11.0.12 pre-release builds.
Update ECC patch following JDK-8226374 (bug ID yet to be confirmed)
Use the "reverse" build loop (debug first) as the main and only build loop to get more diagnostics.
Remove restriction on disabling product build, as debug packages no longer have javadoc packages.

Resolves: rhbz#1967815
2021-07-20 22:52:26 +01:00
Andrew Hughes
51b93a0a4a Detect FIPS using SECMOD_GetSystemFIPSEnabled in the new libsystemconf JDK library.
Minor code cleanups on FIPS detection patch and check for SECMOD_GetSystemFIPSEnabled in configure.
Remove unneeded Requires on NSS as it will now be dynamically linked and detected by RPM.

Resolves: rhbz#1971689
2021-07-20 18:07:12 +01:00
Andrew Hughes
e4c9f84506 Support the FIPS mode crypto policy (RH1655466)
Update RH1655466 FIPS patch with changes in OpenJDK 8 version.
SunPKCS11 runtime provider name is a concatenation of "SunPKCS11-" and the name in the config file.
Change nss.fips.cfg config name to "NSS-FIPS" to avoid confusion with nss.cfg.
No need to substitute path to nss.fips.cfg as java.security file supports a java.home variable.
Disable FIPS mode support unless com.redhat.fips is set to "true".
Use appropriate keystore types when in FIPS mode (RH1818909)
Enable alignment with FIPS crypto policy by default (-Dcom.redhat.fips=false to disable).
Disable TLSv1.3 when the FIPS crypto policy and the NSS-FIPS provider are in use (RH1860986)
Add explicit runtime dependency on NSS for the PKCS11 provider in FIPS mode
Move setup of JavaSecuritySystemConfiguratorAccess to Security class so it always occurs (RH1915071)

Resolves: rhbz#1971689
2021-07-06 19:00:18 +01:00
Andrew Hughes
a8c3b495b8 Update to jdk-11.0.11.0+9
Update release notes to 11.0.11.0+9
Perform static library build on a separate source tree with bundled image libraries
Make static library build optional
Hardcode /usr/sbin/alternatives for Flatpak builds
Require tzdata 2020f to match upstream change JDK-8259048
Require tzdata 2021a to match upstream change JDK-8260356
Remove upstreamed patch JDK-8259949
Fix issue where CheckVendor.java test erroneously passes when it should fail.
Add proper quoting so '&' is not treated as a special character by the shell.
Update tapsets from IcedTea 6.x repository with fix for JDK-8015774 changes (_heap->_heaps)
Update icedtea_sync.sh with a VCS mode that retrieves sources from a Mercurial repository
Remove -fcommon work-around as the OpenJDK 11 code has been fixed.

Resolves: rhbz#1967815
2021-07-06 03:42:00 +01:00