Update to jdk-17.0.10+7 (GA)
- Sync the copy of the portable specfile with the latest update - fips-17u-d63771ea660.patch: Regenerate from gnu-andrew branch - generate_source_tarball.sh changes: - Add WITH_TEMP environment variable - Multithread xz on all available cores - Add OPENJDK_LATEST environment variable - Update comment about tarball naming - Remove REPO_NAME from FILE_NAME_ROOT - Set compile-command in Emacs - Reformat comment header - Reformat and update help output - Move PROJECT_NAME and REPO_NAME checks - Do a shallow clone, for speed - Append -ea designator when required - Eliminate some removal prompting - Make tarball reproducible - Prefix temporary directory with temp- - shellcheck: Remove x-prefixes since we use Bash - shellcheck: Double-quote variable references - shellcheck: Do not use -a - shellcheck: Do not use $ in expression - Remove temporary directory exit conditions - Add --sort=name to tar invocation for reproducibility - Add note on network usage of OPENJDK_LATEST - Move to -P<n> usage for patch macro which works on all RPM versions - Re-enable DEFAULT_PROMOTED_VERSION_PRE check disabled for the July 2023 release - Remove RH1648644 patch not in portable build (and so not applied to binary used) - Related: RHEL-45216
This commit is contained in:
parent
3240a4e25b
commit
230a7648f8
2
.gitignore
vendored
2
.gitignore
vendored
@ -61,3 +61,5 @@
|
||||
/openjdk-17.0.9+1-ea.tar.xz
|
||||
/openjdk-17.0.9+7-ea.tar.xz
|
||||
/openjdk-17.0.9+9.tar.xz
|
||||
/openjdk-17.0.10+6-ea.tar.xz
|
||||
/openjdk-17.0.10+7.tar.xz
|
||||
|
@ -116,7 +116,7 @@ index 00000000000..f48fc7f7e80
|
||||
+ AC_SUBST(NSS_LIBDIR)
|
||||
+])
|
||||
diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4
|
||||
index 366682cf044..1f8d782f419 100644
|
||||
index 62db5b16c31..f0bb4333fc9 100644
|
||||
--- a/make/autoconf/libraries.m4
|
||||
+++ b/make/autoconf/libraries.m4
|
||||
@@ -33,6 +33,7 @@ m4_include([lib-std.m4])
|
||||
@ -3496,7 +3496,7 @@ index 00000000000..f8d505ca815
|
||||
+}
|
||||
\ No newline at end of file
|
||||
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
|
||||
index 0736ce997e4..0a937fef377 100644
|
||||
index 39bd783dd25..1146e7f9d80 100644
|
||||
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
|
||||
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
|
||||
@@ -37,6 +37,8 @@ import javax.crypto.*;
|
||||
@ -3529,19 +3529,21 @@ index 0736ce997e4..0a937fef377 100644
|
||||
boolean extractKeyInfo = (!DISABLE_NATIVE_KEYS_EXTRACTION && isNSS &&
|
||||
extractable && !tokenObject);
|
||||
this.keyIDHolder = new NativeKeyHolder(this, keyID, session,
|
||||
@@ -383,7 +386,9 @@ abstract class P11Key implements Key, Length {
|
||||
new CK_ATTRIBUTE(CKA_SENSITIVE),
|
||||
new CK_ATTRIBUTE(CKA_EXTRACTABLE),
|
||||
@@ -395,8 +398,10 @@ abstract class P11Key implements Key, Length {
|
||||
new CK_ATTRIBUTE(CKA_EXTRACTABLE),
|
||||
});
|
||||
- if (attributes[1].getBoolean() || (attributes[2].getBoolean() == false)) {
|
||||
|
||||
- boolean keySensitive = (attrs[0].getBoolean() ||
|
||||
- attrs[1].getBoolean() || !attrs[2].getBoolean());
|
||||
+ boolean exportable = plainKeySupportEnabled && !algorithm.equals("DH");
|
||||
+ if (!exportable && (attributes[1].getBoolean() ||
|
||||
+ (attributes[2].getBoolean() == false))) {
|
||||
return new P11PrivateKey
|
||||
(session, keyID, algorithm, keyLength, attributes);
|
||||
} else {
|
||||
@@ -465,7 +470,8 @@ abstract class P11Key implements Key, Length {
|
||||
}
|
||||
+ boolean keySensitive = (!exportable &&
|
||||
+ (attrs[0].getBoolean() ||
|
||||
+ attrs[1].getBoolean() || !attrs[2].getBoolean()));
|
||||
|
||||
switch (algorithm) {
|
||||
case "RSA":
|
||||
@@ -451,7 +456,8 @@ abstract class P11Key implements Key, Length {
|
||||
|
||||
public String getFormat() {
|
||||
token.ensureValid();
|
||||
- if (sensitive || !extractable || (isNSS && tokenObject)) {
|
||||
@ -4527,7 +4529,7 @@ index aa35e8fa668..1855e5631bd 100644
|
||||
debug.println("logout succeeded");
|
||||
}
|
||||
diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java
|
||||
index 9858a5faedf..e63585486d9 100644
|
||||
index 1f94fe3e18a..99eec2114e4 100644
|
||||
--- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java
|
||||
+++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java
|
||||
@@ -33,6 +33,7 @@ import java.lang.ref.*;
|
@ -1,51 +1,99 @@
|
||||
#!/bin/bash
|
||||
# Generates the 'source tarball' for JDK projects.
|
||||
#
|
||||
# Example:
|
||||
# When used from local repo set REPO_ROOT pointing to file:// with your repo
|
||||
# If your local repo follows upstream forests conventions, it may be enough to set OPENJDK_URL
|
||||
# Example 1:
|
||||
# When used from local repo set REPO_ROOT pointing to file:// with your repo.
|
||||
# If your local repo follows upstream forests conventions, it may be enough to
|
||||
# set OPENJDK_URL.
|
||||
#
|
||||
# Example 2:
|
||||
# This will read the OpenJDK feature version from the spec file, then create a
|
||||
# tarball from the most recent tag for that version in the upstream Git
|
||||
# repository.
|
||||
#
|
||||
# $ OPENJDK_LATEST=1 ./generate_source_tarball.sh
|
||||
# [...]
|
||||
# Tarball is: temp-generated-source-tarball-ujD/openjdk-17.0.10+6-ea.tar.xz
|
||||
#
|
||||
# Unless you use OPENJDK_LATEST, you have to set PROJECT_NAME, REPO_NAME and
|
||||
# VERSION, e.g.:
|
||||
#
|
||||
# In any case you have to set PROJECT_NAME REPO_NAME and VERSION. eg:
|
||||
# PROJECT_NAME=openjdk
|
||||
# REPO_NAME=jdk17u
|
||||
# VERSION=jdk-17.0.3+5
|
||||
# or to eg prepare systemtap:
|
||||
# icedtea7's jstack and other tapsets
|
||||
#
|
||||
# or to e.g., prepare systemtap, icedtea7's jstack and other tapsets:
|
||||
#
|
||||
# VERSION=6327cf1cea9e
|
||||
# REPO_NAME=icedtea7-2.6
|
||||
# PROJECT_NAME=release
|
||||
# OPENJDK_URL=http://icedtea.classpath.org/hg/
|
||||
# TO_COMPRESS="*/tapset"
|
||||
#
|
||||
# They are used to create correct name and are used in construction of sources url (unless REPO_ROOT is set)
|
||||
|
||||
# This script creates a single source tarball out of the repository
|
||||
# based on the given tag and removes code not allowed in fedora/rhel. For
|
||||
# consistency, the source tarball will always contain 'openjdk' as the top
|
||||
# level folder, name is created, based on parameter
|
||||
# They are used to create correct name and are used in construction of sources
|
||||
# URL (unless REPO_ROOT is set).
|
||||
#
|
||||
# This script creates a single source tarball out of the repository based on the
|
||||
# given tag and removes code not allowed in Fedora/RHEL.
|
||||
|
||||
set -e
|
||||
|
||||
OPENJDK_URL_DEFAULT=https://github.com
|
||||
COMPRESSION_DEFAULT=xz
|
||||
|
||||
if [ "x$1" = "xhelp" ] ; then
|
||||
echo -e "Behaviour may be specified by setting the following variables:\n"
|
||||
echo "VERSION - the version of the specified OpenJDK project"
|
||||
echo "PROJECT_NAME -- the name of the OpenJDK project being archived (optional; only needed by defaults)"
|
||||
echo "REPO_NAME - the name of the OpenJDK repository (optional; only needed by defaults)"
|
||||
echo "OPENJDK_URL - the URL to retrieve code from (optional; defaults to ${OPENJDK_URL_DEFAULT})"
|
||||
echo "COMPRESSION - the compression type to use (optional; defaults to ${COMPRESSION_DEFAULT})"
|
||||
echo "FILE_NAME_ROOT - name of the archive, minus extensions (optional; defaults to PROJECT_NAME-REPO_NAME-VERSION)"
|
||||
echo "REPO_ROOT - the location of the Git repository to archive (optional; defaults to OPENJDK_URL/PROJECT_NAME/REPO_NAME.git)"
|
||||
echo "TO_COMPRESS - what part of clone to pack (default is ${VERSION})"
|
||||
echo "BOOT_JDK - the bootstrap JDK to satisfy the configure run"
|
||||
if [ "$1" = "help" ] ; then
|
||||
echo "Behaviour may be specified by setting the following variables:"
|
||||
echo
|
||||
echo "VERSION - the version of the specified OpenJDK project"
|
||||
echo " (required unless OPENJDK_LATEST is set)"
|
||||
echo "PROJECT_NAME - the name of the OpenJDK project being archived"
|
||||
echo " (needed to compute REPO_ROOT and/or"
|
||||
echo " FILE_NAME_ROOT automatically;"
|
||||
echo " optional if they are set explicitly)"
|
||||
echo "REPO_NAME - the name of the OpenJDK repository"
|
||||
echo " (needed to compute REPO_ROOT automatically;"
|
||||
echo " optional if REPO_ROOT is set explicitly)"
|
||||
echo "OPENJDK_URL - the URL to retrieve code from"
|
||||
echo " (defaults to ${OPENJDK_URL_DEFAULT})"
|
||||
echo "COMPRESSION - the compression type to use"
|
||||
echo " (defaults to ${COMPRESSION_DEFAULT})"
|
||||
echo "FILE_NAME_ROOT - name of the archive, minus extensions"
|
||||
echo " (defaults to PROJECT_NAME-VERSION)"
|
||||
echo "REPO_ROOT - the location of the Git repository to archive"
|
||||
echo " (defaults to OPENJDK_URL/PROJECT_NAME/REPO_NAME.git)"
|
||||
echo "TO_COMPRESS - what part of clone to pack"
|
||||
echo " (defaults to ${VERSION})"
|
||||
echo "BOOT_JDK - the bootstrap JDK to satisfy the configure run"
|
||||
echo " (defaults to packaged JDK version)"
|
||||
echo "WITH_TEMP - run in a temporary directory"
|
||||
echo " (defaults to disabled)"
|
||||
echo "OPENJDK_LATEST - deduce VERSION from most recent upstream tag"
|
||||
echo " (implies WITH_TEMP, computes everything else"
|
||||
echo " automatically; Note: accesses network to read"
|
||||
echo " tag list from remote Git repository)"
|
||||
exit 1;
|
||||
fi
|
||||
|
||||
if [ "$OPENJDK_LATEST" != "" ] ; then
|
||||
FEATURE_VERSION=$(echo '%featurever' \
|
||||
| rpmspec --shell ./*.spec 2>/dev/null \
|
||||
| grep --after-context 1 featurever \
|
||||
| tail --lines 1)
|
||||
PROJECT_NAME=openjdk
|
||||
REPO_NAME=jdk"${FEATURE_VERSION}"u
|
||||
VERSION=$(git ls-remote --tags --refs --sort=-version:refname \
|
||||
"${OPENJDK_URL_DEFAULT}/${PROJECT_NAME}/${REPO_NAME}.git" \
|
||||
"jdk-${FEATURE_VERSION}*" \
|
||||
| head --lines 1 | cut --characters 52-)
|
||||
FILE_NAME_ROOT=open${VERSION}
|
||||
WITH_TEMP=1
|
||||
fi
|
||||
|
||||
if [ "x$VERSION" = "x" ] ; then
|
||||
if [ "$WITH_TEMP" != "" ] ; then
|
||||
pushd "$(mktemp --directory temp-generated-source-tarball-XXX)"
|
||||
fi
|
||||
|
||||
if [ "$VERSION" = "" ] ; then
|
||||
echo "No VERSION specified"
|
||||
exit 2
|
||||
fi
|
||||
@ -57,18 +105,18 @@ BUILD_VER=${NUM_VER##*+}
|
||||
MAJOR_VER=${RELEASE_VER%%.*}
|
||||
echo "Major version is ${MAJOR_VER}, release ${RELEASE_VER}, build ${BUILD_VER}"
|
||||
|
||||
if [ "x$BOOT_JDK" = "x" ] ; then
|
||||
if [ "$BOOT_JDK" = "" ] ; then
|
||||
echo "No boot JDK specified".
|
||||
BOOT_JDK=/usr/lib/jvm/java-${MAJOR_VER}-openjdk;
|
||||
echo -n "Checking for ${BOOT_JDK}...";
|
||||
if [ -d ${BOOT_JDK} -a -x ${BOOT_JDK}/bin/java ] ; then
|
||||
if [ -d "${BOOT_JDK}" ] && [ -x "${BOOT_JDK}"/bin/java ] ; then
|
||||
echo "Boot JDK found at ${BOOT_JDK}";
|
||||
else
|
||||
echo "Not found";
|
||||
PREV_VER=$((${MAJOR_VER} - 1));
|
||||
PREV_VER=$((MAJOR_VER - 1));
|
||||
BOOT_JDK=/usr/lib/jvm/java-${PREV_VER}-openjdk;
|
||||
echo -n "Checking for ${BOOT_JDK}...";
|
||||
if [ -d ${BOOT_JDK} -a -x ${BOOT_JDK}/bin/java ] ; then
|
||||
if [ -d ${BOOT_JDK} ] && [ -x ${BOOT_JDK}/bin/java ] ; then
|
||||
echo "Boot JDK found at ${BOOT_JDK}";
|
||||
else
|
||||
echo "Not found";
|
||||
@ -79,43 +127,41 @@ else
|
||||
echo "Boot JDK: ${BOOT_JDK}";
|
||||
fi
|
||||
|
||||
# REPO_NAME is only needed when we default on REPO_ROOT and FILE_NAME_ROOT
|
||||
if [ "x$FILE_NAME_ROOT" = "x" -o "x$REPO_ROOT" = "x" ] ; then
|
||||
if [ "x$PROJECT_NAME" = "x" ] ; then
|
||||
echo "No PROJECT_NAME specified"
|
||||
exit 1
|
||||
fi
|
||||
echo "Project name: ${PROJECT_NAME}"
|
||||
if [ "x$REPO_NAME" = "x" ] ; then
|
||||
echo "No REPO_NAME specified"
|
||||
exit 3
|
||||
fi
|
||||
echo "Repository name: ${REPO_NAME}"
|
||||
fi
|
||||
|
||||
if [ "x$OPENJDK_URL" = "x" ] ; then
|
||||
if [ "$OPENJDK_URL" = "" ] ; then
|
||||
OPENJDK_URL=${OPENJDK_URL_DEFAULT}
|
||||
echo "No OpenJDK URL specified; defaulting to ${OPENJDK_URL}"
|
||||
else
|
||||
echo "OpenJDK URL: ${OPENJDK_URL}"
|
||||
fi
|
||||
|
||||
if [ "x$COMPRESSION" = "x" ] ; then
|
||||
if [ "$COMPRESSION" = "" ] ; then
|
||||
# rhel 5 needs tar.gz
|
||||
COMPRESSION=${COMPRESSION_DEFAULT}
|
||||
fi
|
||||
echo "Creating a tar.${COMPRESSION} archive"
|
||||
|
||||
if [ "x$FILE_NAME_ROOT" = "x" ] ; then
|
||||
FILE_NAME_ROOT=${PROJECT_NAME}-${REPO_NAME}-${VERSION}
|
||||
if [ "$FILE_NAME_ROOT" = "" ] ; then
|
||||
if [ "$PROJECT_NAME" = "" ] ; then
|
||||
echo "No PROJECT_NAME specified, needed by FILE_NAME_ROOT"
|
||||
exit 1
|
||||
fi
|
||||
FILE_NAME_ROOT=${PROJECT_NAME}-${VERSION}
|
||||
echo "No file name root specified; default to ${FILE_NAME_ROOT}"
|
||||
fi
|
||||
if [ "x$REPO_ROOT" = "x" ] ; then
|
||||
if [ "$REPO_ROOT" = "" ] ; then
|
||||
if [ "$PROJECT_NAME" = "" ] ; then
|
||||
echo "No PROJECT_NAME specified, needed by REPO_ROOT"
|
||||
exit 1
|
||||
fi
|
||||
if [ "$REPO_NAME" = "" ] ; then
|
||||
echo "No REPO_NAME specified, needed by REPO_ROOT"
|
||||
exit 3
|
||||
fi
|
||||
REPO_ROOT="${OPENJDK_URL}/${PROJECT_NAME}/${REPO_NAME}.git"
|
||||
echo "No repository root specified; default to ${REPO_ROOT}"
|
||||
fi;
|
||||
|
||||
if [ "x$TO_COMPRESS" = "x" ] ; then
|
||||
if [ "$TO_COMPRESS" = "" ] ; then
|
||||
TO_COMPRESS="${VERSION}"
|
||||
echo "No targets to be compressed specified ; default to ${TO_COMPRESS}"
|
||||
fi;
|
||||
@ -131,53 +177,77 @@ echo -e "\tREPO_ROOT: ${REPO_ROOT}"
|
||||
echo -e "\tTO_COMPRESS: ${TO_COMPRESS}"
|
||||
echo -e "\tBOOT_JDK: ${BOOT_JDK}"
|
||||
|
||||
if [ -d ${FILE_NAME_ROOT} ] ; then
|
||||
if [ -d "${FILE_NAME_ROOT}" ] ; then
|
||||
echo "exists exists exists exists exists exists exists "
|
||||
echo "reusing reusing reusing reusing reusing reusing "
|
||||
echo ${FILE_NAME_ROOT}
|
||||
echo "${FILE_NAME_ROOT}"
|
||||
STAT_TIME="$(stat --format=%Y "${FILE_NAME_ROOT}")"
|
||||
TAR_TIME="$(date --date=@"${STAT_TIME}" --iso-8601=seconds)"
|
||||
else
|
||||
mkdir "${FILE_NAME_ROOT}"
|
||||
pushd "${FILE_NAME_ROOT}"
|
||||
echo "Cloning ${VERSION} root repository from ${REPO_ROOT}"
|
||||
git clone -b ${VERSION} ${REPO_ROOT} ${VERSION}
|
||||
git clone --depth=1 -b "${VERSION}" "${REPO_ROOT}" "${VERSION}"
|
||||
pushd "${VERSION}"
|
||||
TAR_TIME="$(git log --max-count 1 --format=%cI)"
|
||||
popd
|
||||
popd
|
||||
fi
|
||||
pushd "${FILE_NAME_ROOT}"
|
||||
EA_PART="$(git tag --contains "${VERSION}" \
|
||||
| grep --quiet '\-ga$' || echo '-ea')"
|
||||
|
||||
# Generate .src-rev so build has knowledge of the revision the tarball was created from
|
||||
# Generate .src-rev so build has knowledge of the revision the tarball was
|
||||
# created from
|
||||
mkdir build
|
||||
pushd build
|
||||
sh ${PWD}/../${VERSION}/configure --with-boot-jdk=${BOOT_JDK}
|
||||
sh "${PWD}"/../"${VERSION}"/configure --with-boot-jdk="${BOOT_JDK}"
|
||||
make store-source-revision
|
||||
popd
|
||||
rm -rf build
|
||||
|
||||
# Remove commit checks
|
||||
echo "Removing $(find ${VERSION} -name '.jcheck' -print)"
|
||||
find ${VERSION} -name '.jcheck' -print0 | xargs -0 rm -r
|
||||
echo "Removing $(find "${VERSION}" -name '.jcheck' -print)"
|
||||
find "${VERSION}" -name '.jcheck' -print0 | xargs -0 rm -r
|
||||
|
||||
# Remove history and GHA
|
||||
echo "find ${VERSION} -name '.hgtags'"
|
||||
find ${VERSION} -name '.hgtags' -exec rm -v '{}' '+'
|
||||
find "${VERSION}" -name '.hgtags' -exec rm -v '{}' '+'
|
||||
echo "find ${VERSION} -name '.hgignore'"
|
||||
find ${VERSION} -name '.hgignore' -exec rm -v '{}' '+'
|
||||
find "${VERSION}" -name '.hgignore' -exec rm -v '{}' '+'
|
||||
echo "find ${VERSION} -name '.gitattributes'"
|
||||
find ${VERSION} -name '.gitattributes' -exec rm -v '{}' '+'
|
||||
find "${VERSION}" -name '.gitattributes' -exec rm -v '{}' '+'
|
||||
echo "find ${VERSION} -name '.gitignore'"
|
||||
find ${VERSION} -name '.gitignore' -exec rm -v '{}' '+'
|
||||
find "${VERSION}" -name '.gitignore' -exec rm -v '{}' '+'
|
||||
# Work around some Git objects not having write permissions.
|
||||
echo "chmod --recursive u+w ${VERSION}/.git"
|
||||
chmod --recursive u+w "${VERSION}"/.git
|
||||
echo "find ${VERSION} -name '.git'"
|
||||
find ${VERSION} -name '.git' -exec rm -rv '{}' '+'
|
||||
find "${VERSION}" -name '.git' -exec rm -rv '{}' '+'
|
||||
echo "find ${VERSION} -name '.github'"
|
||||
find ${VERSION} -name '.github' -exec rm -rv '{}' '+'
|
||||
find "${VERSION}" -name '.github' -exec rm -rv '{}' '+'
|
||||
|
||||
echo "Compressing remaining forest"
|
||||
if [ "X$COMPRESSION" = "Xxz" ] ; then
|
||||
if [ "$COMPRESSION" = "xz" ] ; then
|
||||
SWITCH=cJf
|
||||
else
|
||||
SWITCH=czf
|
||||
fi
|
||||
TARBALL_NAME=${FILE_NAME_ROOT}.tar.${COMPRESSION}
|
||||
tar --exclude-vcs -$SWITCH ${TARBALL_NAME} $TO_COMPRESS
|
||||
mv ${TARBALL_NAME} ..
|
||||
TARBALL_NAME=${FILE_NAME_ROOT}${EA_PART}.tar.${COMPRESSION}
|
||||
XZ_OPT=${XZ_OPT-"-T0"} \
|
||||
tar --mtime="${TAR_TIME}" --owner=root --group=root --sort=name \
|
||||
--exclude-vcs -$SWITCH "${TARBALL_NAME}" "${TO_COMPRESS}"
|
||||
mv "${TARBALL_NAME}" ..
|
||||
popd
|
||||
echo "Done. You may want to remove the uncompressed version - $FILE_NAME_ROOT."
|
||||
if [ "$WITH_TEMP" != "" ] ; then
|
||||
echo "Tarball is: $(realpath --relative-to=.. .)/${TARBALL_NAME}"
|
||||
popd
|
||||
else
|
||||
echo -n "Done. You may want to remove the uncompressed version"
|
||||
echo " - $FILE_NAME_ROOT."
|
||||
fi
|
||||
|
||||
# Local Variables:
|
||||
# compile-command: "shellcheck generate_source_tarball.sh"
|
||||
# fill-column: 80
|
||||
# End:
|
||||
|
@ -326,7 +326,7 @@
|
||||
# New Version-String scheme-style defines
|
||||
%global featurever 17
|
||||
%global interimver 0
|
||||
%global updatever 9
|
||||
%global updatever 10
|
||||
%global patchver 0
|
||||
# buildjdkver is usually same as %%{featurever},
|
||||
# but in time of bootstrap of next jdk, it is featurever-1,
|
||||
@ -366,7 +366,7 @@
|
||||
# Define IcedTea version used for SystemTap tapsets and desktop file
|
||||
%global icedteaver 6.0.0pre00-c848b93a8598
|
||||
# Define current Git revision for the FIPS support patches
|
||||
%global fipsver 51e1d00be4e
|
||||
%global fipsver d63771ea660
|
||||
%global javaver %{featurever}
|
||||
%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver}
|
||||
|
||||
@ -381,7 +381,7 @@
|
||||
%global origin_nice OpenJDK
|
||||
%global top_level_dir_name %{vcstag}
|
||||
%global top_level_dir_name_backup %{top_level_dir_name}-backup
|
||||
%global buildver 9
|
||||
%global buildver 7
|
||||
%global rpmrelease 1
|
||||
#%%global tagsuffix %%{nil}
|
||||
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
|
||||
@ -615,38 +615,45 @@ Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-d
|
||||
# Patch is generated from the fips-17u tree at https://github.com/rh-openjdk/jdk/tree/fips-17u
|
||||
# as follows: git diff %%{vcstag} src make test > fips-17u-$(git show -s --format=%h HEAD).patch
|
||||
# Diff is limited to src and make subdirectories to exclude .github changes
|
||||
# The following list is generated by:
|
||||
# git log %%{vcstag}.. --no-merges --format=%s --reverse:
|
||||
# Fixes currently included:
|
||||
# PR3183, RH1340845: Follow system wide crypto policy
|
||||
# PR3695: Allow use of system crypto policy to be disabled by the user
|
||||
# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider
|
||||
# RH1818909: No ciphersuites availale for SSLSocket in FIPS mode
|
||||
# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available
|
||||
# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess
|
||||
# PR3183, RH1340845: Support Fedora & RHEL system crypto policy
|
||||
# PR3695: Allow system crypto policy enforcement to be toggled on/off
|
||||
# RH1655466: Support global RHEL crypto policy
|
||||
# RH1818909: Set default keystore type for PKCS11 provider in FIPS mode
|
||||
# RH1860986: Disable TLSv1.3 in FIPS mode
|
||||
# RH1915071: Always initialise configurator access.patch
|
||||
# RH1929465: Improve system FIPS detection
|
||||
# RH1995150: Disable non-FIPS crypto in SUN and SunEC security providers
|
||||
# RH1996182: Login to the NSS software token in FIPS mode
|
||||
# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false
|
||||
# RH2021263: Resolve outstanding FIPS issues
|
||||
# RH2052819: Fix FIPS reliance on crypto policies
|
||||
# RH2052829: Detect NSS at Runtime for FIPS detection
|
||||
# RH1995150: Disable non-FIPS crypto in the SUN and SunEC providers
|
||||
# RH1996182: Login to the NSS Software Token in FIPS Mode
|
||||
# RH1929465: Don't define unused throwIOException function when using NSS detection
|
||||
# RH1996182: Extend default security policy to allow SunPKCS11 access to jdk.internal.access
|
||||
# RH1991003: Enable the import of plain keys into the NSS software token.
|
||||
# RH2021263: Return in C code after having generated Java exception
|
||||
# RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance
|
||||
# RH2021263: Improve Security initialisation, now FIPS support no longer relies on crypto policy support
|
||||
# RH2051605: Detect NSS at Runtime for FIPS detection
|
||||
# RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode
|
||||
# RH2023467: Enable FIPS keys export
|
||||
# RH2094027: SunEC runtime permission for FIPS
|
||||
# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
|
||||
# RH2090378: Revert to disabling system security properties and FIPS mode support together
|
||||
# RH2104724: Avoid import/export of DH private keys
|
||||
# RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode
|
||||
# Build the systemconf library on all platforms
|
||||
# RH2048582: Support PKCS#12 keystores
|
||||
# RH2020290: Support TLS 1.3 in FIPS mode
|
||||
# Add nss.fips.cfg support to OpenJDK tree
|
||||
# RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode
|
||||
# Remove forgotten dead code from RH2020290 and RH2104724
|
||||
# OJ1357: Fix issue on FIPS with a SecurityManager in place
|
||||
# RH2134669: Add missing attributes when registering services in FIPS mode.
|
||||
# test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class
|
||||
# RH1940064: Enable XML Signature provider in FIPS mode
|
||||
# RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized
|
||||
# RH2023467: Enable FIPS keys export (#1)
|
||||
# Run workflows on pull request, as we are not using SKARA.
|
||||
# RH2094027: SunEC runtime permission for FIPS (#5)
|
||||
# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage (#8)
|
||||
# RH2090378: Revert to disabling system security properties and FIPS mode support together (#4)
|
||||
# Use encoded space rather than quoting for JTReg JAVA_OPTIONS
|
||||
# RH2104724: Avoid import/export of DH private keys (#14)
|
||||
# RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode (#16)
|
||||
# Build the systemconf library on all platforms (#7)
|
||||
# RH2048582: Support PKCS#12 keystores (#2)
|
||||
# RH2020290: Support TLS 1.3 in FIPS mode (#13)
|
||||
# Add nss.fips.cfg support to OpenJDK tree (#22)
|
||||
# RH2117972 - Extend the support for NSS DBs (PKCS11) in FIPS mode (#17)
|
||||
# Remove forgotten dead code from #13 and #14 (#21)
|
||||
# Fix issue on FIPS with a SecurityManager in place (#25)
|
||||
# RH2134669: Add missing attributes when registering services in FIPS mode. (#19)
|
||||
# test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class (#27)
|
||||
# RH1940064: Enable XML Signature provider in FIPS mode (#24)
|
||||
# RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized (#26)
|
||||
Patch1001: fips-17u-%{fipsver}.patch
|
||||
|
||||
#############################################
|
||||
@ -662,8 +669,8 @@ Patch1001: fips-17u-%{fipsver}.patch
|
||||
# OpenJDK patches appearing in 17.0.10
|
||||
#
|
||||
#############################################
|
||||
# JDK-8312489, OJ2095: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar
|
||||
Patch2000: jdk8312489-max_sig_default_increase.patch
|
||||
|
||||
# Currently empty
|
||||
|
||||
#############################################
|
||||
#
|
||||
@ -941,21 +948,20 @@ sh %{SOURCE12} %{top_level_dir_name}
|
||||
%endif
|
||||
|
||||
# Patch the JDK
|
||||
# -P N: apply patch number N, same as passing N as a positional argument on rpm >= 4.18
|
||||
# -p N: strip N leading slashes from paths
|
||||
pushd %{top_level_dir_name}
|
||||
%patch1 -p1
|
||||
%patch3 -p1
|
||||
%patch6 -p1
|
||||
%patch -P1 -p1
|
||||
%patch -P3 -p1
|
||||
%patch -P6 -p1
|
||||
# Add crypto policy and FIPS support
|
||||
%patch1001 -p1
|
||||
%patch -P1001 -p1
|
||||
# nss.cfg PKCS11 support; must come last as it also alters java.security
|
||||
%patch1000 -p1
|
||||
# JDK-8312489 backport, coming in 17.0.10
|
||||
%patch2000 -p1
|
||||
%patch -P1000 -p1
|
||||
# alt-java support
|
||||
%patch600 -p1
|
||||
%patch -P600 -p1
|
||||
popd # openjdk
|
||||
|
||||
|
||||
# The OpenJDK version file includes the current
|
||||
# upstream version information. For some reason,
|
||||
# configure does not automatically use the
|
||||
@ -973,9 +979,7 @@ if [ "x${UPSTREAM_EA_DESIGNATOR}" != "x%{ea_designator}" ] ; then
|
||||
echo "WARNING: Designator mismatch";
|
||||
echo "Spec file is configured for a %{build_type} build with designator '%{ea_designator}'"
|
||||
echo "Upstream version-pre setting is '${UPSTREAM_EA_DESIGNATOR}'";
|
||||
# Temporarily commented out as local copy of jdk-17.0.8+7 has the wrong setting
|
||||
# This is fixed in the final upstream version
|
||||
# exit 17
|
||||
exit 17
|
||||
fi
|
||||
|
||||
# Extract systemtap tapsets
|
||||
@ -1697,6 +1701,49 @@ done
|
||||
%{_jvmdir}/%{miscportablearchive}.sha256sum
|
||||
|
||||
%changelog
|
||||
* Thu Jan 11 2024 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.10.0.7-1
|
||||
- Update to jdk-17.0.10+7 (GA)
|
||||
- Update release notes to 17.0.10+7
|
||||
- Move to -P<n> usage for patch macro which works on all RPM versions
|
||||
- Re-enable DEFAULT_PROMOTED_VERSION_PRE check disabled for the July 2023 release
|
||||
- Switch to GA mode for release
|
||||
- ** This tarball is embargoed until 2024-01-16 @ 1pm PT. **
|
||||
|
||||
* Thu Jan 11 2024 Thomas Fitzsimmons <fitzsim@redhat.com> - 1:17.0.10.0.6-0.1.ea
|
||||
- generate_source_tarball.sh: Add note on network usage of OPENJDK_LATEST
|
||||
- generate_source_tarball.sh: Remove unneeded FIXME
|
||||
|
||||
* Thu Jan 11 2024 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.10.0.6-0.1.ea
|
||||
- Update release notes to 17.0.10+6
|
||||
- Revert change to patch macro due to failure on RHEL 8
|
||||
- generate_source_tarball.sh: Add --sort=name to tar invocation for reproducibility
|
||||
|
||||
* Tue Jan 9 2024 Thomas Fitzsimmons <fitzsim@redhat.com> - 1:17.0.10.0.6-0.1.ea
|
||||
- Update to jdk-17.0.10+6 (EA)
|
||||
- fips-17u-d63771ea660.patch: Regenerate from gnu-andrew branch
|
||||
- generate_source_tarball.sh: Add WITH_TEMP environment variable
|
||||
- generate_source_tarball.sh: Multithread xz on all available cores
|
||||
- generate_source_tarball.sh: Add OPENJDK_LATEST environment variable
|
||||
- generate_source_tarball.sh: Update comment about tarball naming
|
||||
- generate_source_tarball.sh: Remove REPO_NAME from FILE_NAME_ROOT
|
||||
- generate_source_tarball.sh: Set compile-command in Emacs
|
||||
- generate_source_tarball.sh: Reformat comment header
|
||||
- generate_source_tarball.sh: Reformat and update help output
|
||||
- generate_source_tarball.sh: Move PROJECT_NAME and REPO_NAME checks
|
||||
- generate_source_tarball.sh: Do a shallow clone, for speed
|
||||
- generate_source_tarball.sh: Append -ea designator when required
|
||||
- generate_source_tarball.sh: Eliminate some removal prompting
|
||||
- generate_source_tarball.sh: Make tarball reproducible
|
||||
- generate_source_tarball.sh: Prefix temporary directory with temp-
|
||||
- generate_source_tarball.sh: shellcheck: Remove x-prefixes since we use Bash
|
||||
- generate_source_tarball.sh: shellcheck: Double-quote variable references
|
||||
- generate_source_tarball.sh: shellcheck: Do not use -a
|
||||
- generate_source_tarball.sh: shellcheck: Do not use $ in expression
|
||||
- generate_source_tarball.sh: Remove temporary directory exit conditions
|
||||
|
||||
* Sat Oct 28 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.9.0.9-2
|
||||
- Add missing CVE and release note to sync local NEWS with upstream release announcements
|
||||
|
||||
* Thu Oct 12 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.9.0.9-1
|
||||
- Update to jdk-17.0.9+9 (GA)
|
||||
- Update release notes to 17.0.9+9
|
||||
|
@ -322,7 +322,7 @@
|
||||
# New Version-String scheme-style defines
|
||||
%global featurever 17
|
||||
%global interimver 0
|
||||
%global updatever 9
|
||||
%global updatever 10
|
||||
%global patchver 0
|
||||
# buildjdkver is usually same as %%{featurever},
|
||||
# but in time of bootstrap of next jdk, it is featurever-1,
|
||||
@ -362,7 +362,7 @@
|
||||
# Define IcedTea version used for SystemTap tapsets and desktop file
|
||||
%global icedteaver 6.0.0pre00-c848b93a8598
|
||||
# Define current Git revision for the FIPS support patches
|
||||
%global fipsver 51e1d00be4e
|
||||
%global fipsver d63771ea660
|
||||
%global javaver %{featurever}
|
||||
%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver}
|
||||
|
||||
@ -377,7 +377,7 @@
|
||||
%global origin_nice OpenJDK
|
||||
%global top_level_dir_name %{vcstag}
|
||||
%global top_level_dir_name_backup %{top_level_dir_name}-backup
|
||||
%global buildver 9
|
||||
%global buildver 7
|
||||
# rpmrelease numbering must start at 2 to be later than the 9.0 RPM
|
||||
%global rpmrelease 2
|
||||
# Settings used by the portable build
|
||||
@ -1347,8 +1347,6 @@ Patch600: rh1750419-redhat_alt_java.patch
|
||||
|
||||
# Ignore AWTError when assistive technologies are loaded
|
||||
Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
|
||||
# Restrict access to java-atk-wrapper classes
|
||||
Patch2: rh1648644-java_access_bridge_privileged_security.patch
|
||||
Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
|
||||
# Depend on pcsc-lite-libs instead of pcsc-lite-devel as this is only in optional repo
|
||||
Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
|
||||
@ -1357,38 +1355,45 @@ Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-d
|
||||
# Patch is generated from the fips-17u tree at https://github.com/rh-openjdk/jdk/tree/fips-17u
|
||||
# as follows: git diff %%{vcstag} src make test > fips-17u-$(git show -s --format=%h HEAD).patch
|
||||
# Diff is limited to src and make subdirectories to exclude .github changes
|
||||
# The following list is generated by:
|
||||
# git log %%{vcstag}.. --no-merges --format=%s --reverse:
|
||||
# Fixes currently included:
|
||||
# PR3183, RH1340845: Follow system wide crypto policy
|
||||
# PR3695: Allow use of system crypto policy to be disabled by the user
|
||||
# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider
|
||||
# RH1818909: No ciphersuites availale for SSLSocket in FIPS mode
|
||||
# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available
|
||||
# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess
|
||||
# PR3183, RH1340845: Support Fedora & RHEL system crypto policy
|
||||
# PR3695: Allow system crypto policy enforcement to be toggled on/off
|
||||
# RH1655466: Support global RHEL crypto policy
|
||||
# RH1818909: Set default keystore type for PKCS11 provider in FIPS mode
|
||||
# RH1860986: Disable TLSv1.3 in FIPS mode
|
||||
# RH1915071: Always initialise configurator access.patch
|
||||
# RH1929465: Improve system FIPS detection
|
||||
# RH1995150: Disable non-FIPS crypto in SUN and SunEC security providers
|
||||
# RH1996182: Login to the NSS software token in FIPS mode
|
||||
# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false
|
||||
# RH2021263: Resolve outstanding FIPS issues
|
||||
# RH2052819: Fix FIPS reliance on crypto policies
|
||||
# RH2052829: Detect NSS at Runtime for FIPS detection
|
||||
# RH1995150: Disable non-FIPS crypto in the SUN and SunEC providers
|
||||
# RH1996182: Login to the NSS Software Token in FIPS Mode
|
||||
# RH1929465: Don't define unused throwIOException function when using NSS detection
|
||||
# RH1996182: Extend default security policy to allow SunPKCS11 access to jdk.internal.access
|
||||
# RH1991003: Enable the import of plain keys into the NSS software token.
|
||||
# RH2021263: Return in C code after having generated Java exception
|
||||
# RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance
|
||||
# RH2021263: Improve Security initialisation, now FIPS support no longer relies on crypto policy support
|
||||
# RH2051605: Detect NSS at Runtime for FIPS detection
|
||||
# RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode
|
||||
# RH2023467: Enable FIPS keys export
|
||||
# RH2094027: SunEC runtime permission for FIPS
|
||||
# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
|
||||
# RH2090378: Revert to disabling system security properties and FIPS mode support together
|
||||
# RH2104724: Avoid import/export of DH private keys
|
||||
# RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode
|
||||
# Build the systemconf library on all platforms
|
||||
# RH2048582: Support PKCS#12 keystores
|
||||
# RH2020290: Support TLS 1.3 in FIPS mode
|
||||
# Add nss.fips.cfg support to OpenJDK tree
|
||||
# RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode
|
||||
# Remove forgotten dead code from RH2020290 and RH2104724
|
||||
# OJ1357: Fix issue on FIPS with a SecurityManager in place
|
||||
# RH2134669: Add missing attributes when registering services in FIPS mode.
|
||||
# test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class
|
||||
# RH1940064: Enable XML Signature provider in FIPS mode
|
||||
# RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized
|
||||
# RH2023467: Enable FIPS keys export (#1)
|
||||
# Run workflows on pull request, as we are not using SKARA.
|
||||
# RH2094027: SunEC runtime permission for FIPS (#5)
|
||||
# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage (#8)
|
||||
# RH2090378: Revert to disabling system security properties and FIPS mode support together (#4)
|
||||
# Use encoded space rather than quoting for JTReg JAVA_OPTIONS
|
||||
# RH2104724: Avoid import/export of DH private keys (#14)
|
||||
# RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode (#16)
|
||||
# Build the systemconf library on all platforms (#7)
|
||||
# RH2048582: Support PKCS#12 keystores (#2)
|
||||
# RH2020290: Support TLS 1.3 in FIPS mode (#13)
|
||||
# Add nss.fips.cfg support to OpenJDK tree (#22)
|
||||
# RH2117972 - Extend the support for NSS DBs (PKCS11) in FIPS mode (#17)
|
||||
# Remove forgotten dead code from #13 and #14 (#21)
|
||||
# Fix issue on FIPS with a SecurityManager in place (#25)
|
||||
# RH2134669: Add missing attributes when registering services in FIPS mode. (#19)
|
||||
# test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class (#27)
|
||||
# RH1940064: Enable XML Signature provider in FIPS mode (#24)
|
||||
# RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized (#26)
|
||||
Patch1001: fips-17u-%{fipsver}.patch
|
||||
|
||||
#############################################
|
||||
@ -1402,8 +1407,8 @@ Patch1001: fips-17u-%{fipsver}.patch
|
||||
# OpenJDK patches appearing in 17.0.10
|
||||
#
|
||||
#############################################
|
||||
# JDK-8312489, OJ2095: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar
|
||||
Patch2000: jdk8312489-max_sig_default_increase.patch
|
||||
|
||||
# Currently empty
|
||||
|
||||
BuildRequires: autoconf
|
||||
BuildRequires: automake
|
||||
@ -1838,22 +1843,20 @@ sh %{SOURCE12} %{top_level_dir_name}
|
||||
%endif
|
||||
|
||||
# Patch the JDK
|
||||
# -P N: apply patch number N, same as passing N as a positional argument on rpm >= 4.18
|
||||
# -p N: strip N leading slashes from paths
|
||||
pushd %{top_level_dir_name}
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
%patch6 -p1
|
||||
%patch -P1 -p1
|
||||
%patch -P3 -p1
|
||||
%patch -P6 -p1
|
||||
# Add crypto policy and FIPS support
|
||||
%patch1001 -p1
|
||||
%patch -P1001 -p1
|
||||
# nss.cfg PKCS11 support; must come last as it also alters java.security
|
||||
%patch1000 -p1
|
||||
# JDK-8312489 backport, coming in 17.0.10
|
||||
%patch2000 -p1
|
||||
%patch -P1000 -p1
|
||||
# alt-java support
|
||||
%patch600 -p1
|
||||
%patch -P600 -p1
|
||||
popd # openjdk
|
||||
|
||||
|
||||
# The OpenJDK version file includes the current
|
||||
# upstream version information. For some reason,
|
||||
# configure does not automatically use the
|
||||
@ -1871,9 +1874,7 @@ if [ "x${UPSTREAM_EA_DESIGNATOR}" != "x%{ea_designator}" ] ; then
|
||||
echo "WARNING: Designator mismatch";
|
||||
echo "Spec file is configured for a %{build_type} build with designator '%{ea_designator}'"
|
||||
echo "Upstream version-pre setting is '${UPSTREAM_EA_DESIGNATOR}'";
|
||||
# Temporarily commented out as local copy of jdk-17.0.8+7 has the wrong setting
|
||||
# This is fixed in the final upstream version
|
||||
# exit 17
|
||||
exit 17
|
||||
fi
|
||||
|
||||
# Prepare desktop files
|
||||
@ -2473,6 +2474,41 @@ cjc.mainProgram(args)
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Thu Jan 11 2024 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.10.0.7-1
|
||||
- Update to jdk-17.0.10+7 (GA)
|
||||
- Sync the copy of the portable specfile with the latest update
|
||||
- Move to -P<n> usage for patch macro which works on all RPM versions
|
||||
- Remove RH1648644 patch not in portable build (and so not applied to binary used)
|
||||
- Re-enable DEFAULT_PROMOTED_VERSION_PRE check disabled for the July 2023 release
|
||||
- generate_source_tarball.sh: Add --sort=name to tar invocation for reproducibility
|
||||
- ** This tarball is embargoed until 2024-01-16 @ 1pm PT. **
|
||||
- Related: RHEL-45216
|
||||
|
||||
* Thu Jan 11 2024 Thomas Fitzsimmons <fitzsim@redhat.com> - 1:17.0.10.0.7-1
|
||||
- Update to jdk-17.0.10+6 (EA)
|
||||
- fips-17u-d63771ea660.patch: Regenerate from gnu-andrew branch
|
||||
- generate_source_tarball.sh: Add WITH_TEMP environment variable
|
||||
- generate_source_tarball.sh: Multithread xz on all available cores
|
||||
- generate_source_tarball.sh: Add OPENJDK_LATEST environment variable
|
||||
- generate_source_tarball.sh: Update comment about tarball naming
|
||||
- generate_source_tarball.sh: Remove REPO_NAME from FILE_NAME_ROOT
|
||||
- generate_source_tarball.sh: Set compile-command in Emacs
|
||||
- generate_source_tarball.sh: Reformat comment header
|
||||
- generate_source_tarball.sh: Reformat and update help output
|
||||
- generate_source_tarball.sh: Move PROJECT_NAME and REPO_NAME checks
|
||||
- generate_source_tarball.sh: Do a shallow clone, for speed
|
||||
- generate_source_tarball.sh: Append -ea designator when required
|
||||
- generate_source_tarball.sh: Eliminate some removal prompting
|
||||
- generate_source_tarball.sh: Make tarball reproducible
|
||||
- generate_source_tarball.sh: Prefix temporary directory with temp-
|
||||
- generate_source_tarball.sh: shellcheck: Remove x-prefixes since we use Bash
|
||||
- generate_source_tarball.sh: shellcheck: Double-quote variable references
|
||||
- generate_source_tarball.sh: shellcheck: Do not use -a
|
||||
- generate_source_tarball.sh: shellcheck: Do not use $ in expression
|
||||
- generate_source_tarball.sh: Remove temporary directory exit conditions
|
||||
- generate_source_tarball.sh: Add note on network usage of OPENJDK_LATEST
|
||||
- Related: RHEL-45216
|
||||
|
||||
* Thu Oct 12 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.9.0.9-1
|
||||
- Update to jdk-17.0.9+9 (GA)
|
||||
- Sync the copy of the portable specfile with the latest update
|
||||
|
@ -1,50 +0,0 @@
|
||||
commit 5b613e3ebed6c141146e743e64c894fe4f39421e
|
||||
Author: Andrew John Hughes <andrew@openjdk.org>
|
||||
Date: Fri Sep 1 15:53:41 2023 +0000
|
||||
|
||||
8312489: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar
|
||||
|
||||
Backport-of: e47a84f23dd2608c6f5748093eefe301fb5bf750
|
||||
|
||||
diff --git a/src/java.base/share/classes/java/util/jar/JarFile.java b/src/java.base/share/classes/java/util/jar/JarFile.java
|
||||
index bd538649a4f..70cf99504e4 100644
|
||||
--- a/src/java.base/share/classes/java/util/jar/JarFile.java
|
||||
+++ b/src/java.base/share/classes/java/util/jar/JarFile.java
|
||||
@@ -803,7 +803,9 @@ private byte[] getBytes(ZipEntry ze) throws IOException {
|
||||
throw new IOException("Unsupported size: " + uncompressedSize +
|
||||
" for JarEntry " + ze.getName() +
|
||||
". Allowed max size: " +
|
||||
- SignatureFileVerifier.MAX_SIG_FILE_SIZE + " bytes");
|
||||
+ SignatureFileVerifier.MAX_SIG_FILE_SIZE + " bytes. " +
|
||||
+ "You can use the jdk.jar.maxSignatureFileSize " +
|
||||
+ "system property to increase the default value.");
|
||||
}
|
||||
int len = (int)uncompressedSize;
|
||||
int bytesRead;
|
||||
diff --git a/src/java.base/share/classes/sun/security/util/SignatureFileVerifier.java b/src/java.base/share/classes/sun/security/util/SignatureFileVerifier.java
|
||||
index 4ea9255ba0a..05acdcb9474 100644
|
||||
--- a/src/java.base/share/classes/sun/security/util/SignatureFileVerifier.java
|
||||
+++ b/src/java.base/share/classes/sun/security/util/SignatureFileVerifier.java
|
||||
@@ -856,16 +856,16 @@ private static int initializeMaxSigFileSize() {
|
||||
* the maximum allowed number of bytes for the signature-related files
|
||||
* in a JAR file.
|
||||
*/
|
||||
- Integer tmp = GetIntegerAction.privilegedGetProperty(
|
||||
- "jdk.jar.maxSignatureFileSize", 8000000);
|
||||
+ int tmp = GetIntegerAction.privilegedGetProperty(
|
||||
+ "jdk.jar.maxSignatureFileSize", 16000000);
|
||||
if (tmp < 0 || tmp > MAX_ARRAY_SIZE) {
|
||||
if (debug != null) {
|
||||
- debug.println("Default signature file size 8000000 bytes " +
|
||||
- "is used as the specified size for the " +
|
||||
- "jdk.jar.maxSignatureFileSize system property " +
|
||||
+ debug.println("The default signature file size of 16000000 bytes " +
|
||||
+ "will be used for the jdk.jar.maxSignatureFileSize " +
|
||||
+ "system property since the specified value " +
|
||||
"is out of range: " + tmp);
|
||||
}
|
||||
- tmp = 8000000;
|
||||
+ tmp = 16000000;
|
||||
}
|
||||
return tmp;
|
||||
}
|
@ -1,20 +0,0 @@
|
||||
--- openjdk/src/java.base/share/conf/security/java.security
|
||||
+++ openjdk/src/java.base/share/conf/security/java.security
|
||||
@@ -304,6 +304,8 @@
|
||||
#
|
||||
package.access=sun.misc.,\
|
||||
sun.reflect.,\
|
||||
+ org.GNOME.Accessibility.,\
|
||||
+ org.GNOME.Bonobo.,\
|
||||
|
||||
#
|
||||
# List of comma-separated packages that start with or equal this string
|
||||
@@ -316,6 +318,8 @@
|
||||
#
|
||||
package.definition=sun.misc.,\
|
||||
sun.reflect.,\
|
||||
+ org.GNOME.Accessibility.,\
|
||||
+ org.GNOME.Bonobo.,\
|
||||
|
||||
#
|
||||
# Determines whether this properties file can be appended to
|
2
sources
2
sources
@ -1,2 +1,2 @@
|
||||
SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30
|
||||
SHA512 (openjdk-17.0.9+9.tar.xz) = 33225a1070077c9504b4857734305f301e51b93a929274d460ddc3dc042ce15943030f8af928c11962743a928619ea39daa453d8fb1c8ea5a334a4b6490a00ee
|
||||
SHA512 (openjdk-17.0.10+7.tar.xz) = 066acec5dbc76d753a3aba3a8a85ef477f9e379ebfd6338c5026e2f8b329b0a08f878fcbb7f6fdefba99ec45415ac22e01e7439831749816717adb1a0d8230d1
|
||||
|
Loading…
Reference in New Issue
Block a user