From 5fc90c9fa13d376ead8a64436fc3cef50304a18b Mon Sep 17 00:00:00 2001
From: eabdullin <eabdullin@almalinux.org>
Date: Wed, 17 Jan 2024 20:43:58 +0000
Subject: [PATCH] import UBI java-17-openjdk-17.0.10.0.7-2.el9

---
 .gitignore                                    |   2 +-
 .java-17-openjdk.metadata                     |   2 +-
 ...0be4e.patch => fips-17u-d63771ea660.patch} |  30 ++--
 SOURCES/java-17-openjdk-portable.specfile     | 139 ++++++++++++------
 .../jdk8312489-max_sig_default_increase.patch |  50 -------
 ...va_access_bridge_privileged_security.patch |  20 ---
 SPECS/java-17-openjdk.spec                    | 134 +++++++++++------
 7 files changed, 196 insertions(+), 181 deletions(-)
 rename SOURCES/{fips-17u-51e1d00be4e.patch => fips-17u-d63771ea660.patch} (99%)
 delete mode 100644 SOURCES/jdk8312489-max_sig_default_increase.patch
 delete mode 100644 SOURCES/rh1648644-java_access_bridge_privileged_security.patch

diff --git a/.gitignore b/.gitignore
index 58b2310..66cf7e5 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/openjdk-17.0.9+9.tar.xz
+SOURCES/openjdk-17.0.10+7.tar.xz
 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
diff --git a/.java-17-openjdk.metadata b/.java-17-openjdk.metadata
index 2a092d0..496b5b3 100644
--- a/.java-17-openjdk.metadata
+++ b/.java-17-openjdk.metadata
@@ -1,2 +1,2 @@
-a58b92201b1d3e26d8375f67708fe2e740cd39eb SOURCES/openjdk-17.0.9+9.tar.xz
+3bf0901457dc879dcf7cd5068c55d94c0b79ead0 SOURCES/openjdk-17.0.10+7.tar.xz
 c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz
diff --git a/SOURCES/fips-17u-51e1d00be4e.patch b/SOURCES/fips-17u-d63771ea660.patch
similarity index 99%
rename from SOURCES/fips-17u-51e1d00be4e.patch
rename to SOURCES/fips-17u-d63771ea660.patch
index da1df4d..4830fb2 100644
--- a/SOURCES/fips-17u-51e1d00be4e.patch
+++ b/SOURCES/fips-17u-d63771ea660.patch
@@ -116,7 +116,7 @@ index 00000000000..f48fc7f7e80
 +  AC_SUBST(NSS_LIBDIR)
 +])
 diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4
-index 366682cf044..1f8d782f419 100644
+index 62db5b16c31..f0bb4333fc9 100644
 --- a/make/autoconf/libraries.m4
 +++ b/make/autoconf/libraries.m4
 @@ -33,6 +33,7 @@ m4_include([lib-std.m4])
@@ -3496,7 +3496,7 @@ index 00000000000..f8d505ca815
 +}
 \ No newline at end of file
 diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
-index 0736ce997e4..0a937fef377 100644
+index 39bd783dd25..1146e7f9d80 100644
 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
 +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/P11Key.java
 @@ -37,6 +37,8 @@ import javax.crypto.*;
@@ -3529,19 +3529,21 @@ index 0736ce997e4..0a937fef377 100644
          boolean extractKeyInfo = (!DISABLE_NATIVE_KEYS_EXTRACTION && isNSS &&
                  extractable && !tokenObject);
          this.keyIDHolder = new NativeKeyHolder(this, keyID, session,
-@@ -383,7 +386,9 @@ abstract class P11Key implements Key, Length {
-             new CK_ATTRIBUTE(CKA_SENSITIVE),
-             new CK_ATTRIBUTE(CKA_EXTRACTABLE),
+@@ -395,8 +398,10 @@ abstract class P11Key implements Key, Length {
+                     new CK_ATTRIBUTE(CKA_EXTRACTABLE),
          });
--        if (attributes[1].getBoolean() || (attributes[2].getBoolean() == false)) {
+ 
+-        boolean keySensitive = (attrs[0].getBoolean() ||
+-                attrs[1].getBoolean() || !attrs[2].getBoolean());
 +        boolean exportable = plainKeySupportEnabled && !algorithm.equals("DH");
-+        if (!exportable && (attributes[1].getBoolean() ||
-+                (attributes[2].getBoolean() == false))) {
-             return new P11PrivateKey
-                 (session, keyID, algorithm, keyLength, attributes);
-         } else {
-@@ -465,7 +470,8 @@ abstract class P11Key implements Key, Length {
-         }
++        boolean keySensitive = (!exportable &&
++            (attrs[0].getBoolean() ||
++             attrs[1].getBoolean() || !attrs[2].getBoolean()));
+ 
+         switch (algorithm) {
+         case "RSA":
+@@ -451,7 +456,8 @@ abstract class P11Key implements Key, Length {
+ 
          public String getFormat() {
              token.ensureValid();
 -            if (sensitive || !extractable || (isNSS && tokenObject)) {
@@ -4527,7 +4529,7 @@ index aa35e8fa668..1855e5631bd 100644
                  debug.println("logout succeeded");
              }
 diff --git a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java
-index 9858a5faedf..e63585486d9 100644
+index 1f94fe3e18a..99eec2114e4 100644
 --- a/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java
 +++ b/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/Token.java
 @@ -33,6 +33,7 @@ import java.lang.ref.*;
diff --git a/SOURCES/java-17-openjdk-portable.specfile b/SOURCES/java-17-openjdk-portable.specfile
index 74673fe..0c39875 100644
--- a/SOURCES/java-17-openjdk-portable.specfile
+++ b/SOURCES/java-17-openjdk-portable.specfile
@@ -326,7 +326,7 @@
 # New Version-String scheme-style defines
 %global featurever 17
 %global interimver 0
-%global updatever 9
+%global updatever 10
 %global patchver 0
 # buildjdkver is usually same as %%{featurever},
 # but in time of bootstrap of next jdk, it is featurever-1,
@@ -366,7 +366,7 @@
 # Define IcedTea version used for SystemTap tapsets and desktop file
 %global icedteaver      6.0.0pre00-c848b93a8598
 # Define current Git revision for the FIPS support patches
-%global fipsver 51e1d00be4e
+%global fipsver d63771ea660
 %global javaver         %{featurever}
 %global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver}
 
@@ -381,7 +381,7 @@
 %global origin_nice     OpenJDK
 %global top_level_dir_name   %{vcstag}
 %global top_level_dir_name_backup %{top_level_dir_name}-backup
-%global buildver        9
+%global buildver        7
 %global rpmrelease      1
 #%%global tagsuffix     %%{nil}
 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
@@ -615,38 +615,45 @@ Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-d
 # Patch is generated from the fips-17u tree at https://github.com/rh-openjdk/jdk/tree/fips-17u
 # as follows: git diff %%{vcstag} src make test > fips-17u-$(git show -s --format=%h HEAD).patch
 # Diff is limited to src and make subdirectories to exclude .github changes
+# The following list is generated by:
+# git log %%{vcstag}.. --no-merges --format=%s --reverse:
 # Fixes currently included:
-# PR3183, RH1340845: Follow system wide crypto policy
-# PR3695: Allow use of system crypto policy to be disabled by the user
-# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider
-# RH1818909: No ciphersuites availale for SSLSocket in FIPS mode
-# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available
-# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess
+# PR3183, RH1340845: Support Fedora & RHEL system crypto policy
+# PR3695: Allow system crypto policy enforcement to be toggled on/off
+# RH1655466: Support global RHEL crypto policy
+# RH1818909: Set default keystore type for PKCS11 provider in FIPS mode
+# RH1860986: Disable TLSv1.3 in FIPS mode
+# RH1915071: Always initialise configurator access.patch
 # RH1929465: Improve system FIPS detection
-# RH1995150: Disable non-FIPS crypto in SUN and SunEC security providers
-# RH1996182: Login to the NSS software token in FIPS mode
-# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false
-# RH2021263: Resolve outstanding FIPS issues
-# RH2052819: Fix FIPS reliance on crypto policies
-# RH2052829: Detect NSS at Runtime for FIPS detection
+# RH1995150: Disable non-FIPS crypto in the SUN and SunEC providers
+# RH1996182: Login to the NSS Software Token in FIPS Mode
+# RH1929465: Don't define unused throwIOException function when using NSS detection
+# RH1996182: Extend default security policy to allow SunPKCS11 access to jdk.internal.access
+# RH1991003: Enable the import of plain keys into the NSS software token.
+# RH2021263: Return in C code after having generated Java exception
+# RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance
+# RH2021263: Improve Security initialisation, now FIPS support no longer relies on crypto policy support
+# RH2051605: Detect NSS at Runtime for FIPS detection
 # RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode
-# RH2023467: Enable FIPS keys export
-# RH2094027: SunEC runtime permission for FIPS
-# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
-# RH2090378: Revert to disabling system security properties and FIPS mode support together
-# RH2104724: Avoid import/export of DH private keys
-# RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode
-# Build the systemconf library on all platforms
-# RH2048582: Support PKCS#12 keystores
-# RH2020290: Support TLS 1.3 in FIPS mode
-# Add nss.fips.cfg support to OpenJDK tree
-# RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode
-# Remove forgotten dead code from RH2020290 and RH2104724
-# OJ1357: Fix issue on FIPS with a SecurityManager in place
-# RH2134669: Add missing attributes when registering services in FIPS mode.
-# test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class
-# RH1940064: Enable XML Signature provider in FIPS mode
-# RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized
+# RH2023467: Enable FIPS keys export (#1)
+# Run workflows on pull request, as we are not using SKARA.
+# RH2094027: SunEC runtime permission for FIPS (#5)
+# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage (#8)
+# RH2090378: Revert to disabling system security properties and FIPS mode support together (#4)
+# Use encoded space rather than quoting for JTReg JAVA_OPTIONS
+# RH2104724: Avoid import/export of DH private keys (#14)
+# RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode (#16)
+# Build the systemconf library on all platforms (#7)
+# RH2048582: Support PKCS#12 keystores (#2)
+# RH2020290: Support TLS 1.3 in FIPS mode (#13)
+# Add nss.fips.cfg support to OpenJDK tree (#22)
+# RH2117972 - Extend the support for NSS DBs (PKCS11) in FIPS mode (#17)
+# Remove forgotten dead code from #13 and #14 (#21)
+# Fix issue on FIPS with a SecurityManager in place (#25)
+# RH2134669: Add missing attributes when registering services in FIPS mode. (#19)
+# test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class (#27)
+# RH1940064: Enable XML Signature provider in FIPS mode (#24)
+# RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized (#26)
 Patch1001: fips-17u-%{fipsver}.patch
 
 #############################################
@@ -662,8 +669,8 @@ Patch1001: fips-17u-%{fipsver}.patch
 # OpenJDK patches appearing in 17.0.10
 #
 #############################################
-# JDK-8312489, OJ2095: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar
-Patch2000: jdk8312489-max_sig_default_increase.patch
+
+# Currently empty
 
 #############################################
 #
@@ -941,21 +948,20 @@ sh %{SOURCE12} %{top_level_dir_name}
 %endif
 
 # Patch the JDK
+# -P N: apply patch number N, same as passing N as a positional argument on rpm >= 4.18
+# -p N: strip N leading slashes from paths
 pushd %{top_level_dir_name}
-%patch1 -p1
-%patch3 -p1
-%patch6 -p1
+%patch -P1 -p1
+%patch -P3 -p1
+%patch -P6 -p1
 # Add crypto policy and FIPS support
-%patch1001 -p1
+%patch -P1001 -p1
 # nss.cfg PKCS11 support; must come last as it also alters java.security
-%patch1000 -p1
-# JDK-8312489 backport, coming in 17.0.10
-%patch2000 -p1
+%patch -P1000 -p1
 # alt-java support
-%patch600 -p1
+%patch -P600 -p1
 popd # openjdk
 
-
 # The OpenJDK version file includes the current
 # upstream version information. For some reason,
 # configure does not automatically use the
@@ -973,9 +979,7 @@ if [ "x${UPSTREAM_EA_DESIGNATOR}" != "x%{ea_designator}" ] ; then
     echo "WARNING: Designator mismatch";
     echo "Spec file is configured for a %{build_type} build with designator '%{ea_designator}'"
     echo "Upstream version-pre setting is '${UPSTREAM_EA_DESIGNATOR}'";
-    # Temporarily commented out as local copy of jdk-17.0.8+7 has the wrong setting
-    # This is fixed in the final upstream version
-    # exit 17
+    exit 17
 fi
 
 # Extract systemtap tapsets
@@ -1697,6 +1701,49 @@ done
 %{_jvmdir}/%{miscportablearchive}.sha256sum
 
 %changelog
+* Thu Jan 11 2024 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.10.0.7-1
+- Update to jdk-17.0.10+7 (GA)
+- Update release notes to 17.0.10+7
+- Move to -P<n> usage for patch macro which works on all RPM versions
+- Re-enable DEFAULT_PROMOTED_VERSION_PRE check disabled for the July 2023 release
+- Switch to GA mode for release
+- ** This tarball is embargoed until 2024-01-16 @ 1pm PT. **
+
+* Thu Jan 11 2024 Thomas Fitzsimmons <fitzsim@redhat.com> - 1:17.0.10.0.6-0.1.ea
+- generate_source_tarball.sh: Add note on network usage of OPENJDK_LATEST
+- generate_source_tarball.sh: Remove unneeded FIXME
+
+* Thu Jan 11 2024 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.10.0.6-0.1.ea
+- Update release notes to 17.0.10+6
+- Revert change to patch macro due to failure on RHEL 8
+- generate_source_tarball.sh: Add --sort=name to tar invocation for reproducibility
+
+* Tue Jan  9 2024 Thomas Fitzsimmons <fitzsim@redhat.com> - 1:17.0.10.0.6-0.1.ea
+- Update to jdk-17.0.10+6 (EA)
+- fips-17u-d63771ea660.patch: Regenerate from gnu-andrew branch
+- generate_source_tarball.sh: Add WITH_TEMP environment variable
+- generate_source_tarball.sh: Multithread xz on all available cores
+- generate_source_tarball.sh: Add OPENJDK_LATEST environment variable
+- generate_source_tarball.sh: Update comment about tarball naming
+- generate_source_tarball.sh: Remove REPO_NAME from FILE_NAME_ROOT
+- generate_source_tarball.sh: Set compile-command in Emacs
+- generate_source_tarball.sh: Reformat comment header
+- generate_source_tarball.sh: Reformat and update help output
+- generate_source_tarball.sh: Move PROJECT_NAME and REPO_NAME checks
+- generate_source_tarball.sh: Do a shallow clone, for speed
+- generate_source_tarball.sh: Append -ea designator when required
+- generate_source_tarball.sh: Eliminate some removal prompting
+- generate_source_tarball.sh: Make tarball reproducible
+- generate_source_tarball.sh: Prefix temporary directory with temp-
+- generate_source_tarball.sh: shellcheck: Remove x-prefixes since we use Bash
+- generate_source_tarball.sh: shellcheck: Double-quote variable references
+- generate_source_tarball.sh: shellcheck: Do not use -a
+- generate_source_tarball.sh: shellcheck: Do not use $ in expression
+- generate_source_tarball.sh: Remove temporary directory exit conditions
+
+* Sat Oct 28 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.9.0.9-2
+- Add missing CVE and release note to sync local NEWS with upstream release announcements
+
 * Thu Oct 12 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.9.0.9-1
 - Update to jdk-17.0.9+9 (GA)
 - Update release notes to 17.0.9+9
diff --git a/SOURCES/jdk8312489-max_sig_default_increase.patch b/SOURCES/jdk8312489-max_sig_default_increase.patch
deleted file mode 100644
index 8aeb261..0000000
--- a/SOURCES/jdk8312489-max_sig_default_increase.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-commit 5b613e3ebed6c141146e743e64c894fe4f39421e
-Author: Andrew John Hughes <andrew@openjdk.org>
-Date:   Fri Sep 1 15:53:41 2023 +0000
-
-    8312489: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar
-    
-    Backport-of: e47a84f23dd2608c6f5748093eefe301fb5bf750
-
-diff --git a/src/java.base/share/classes/java/util/jar/JarFile.java b/src/java.base/share/classes/java/util/jar/JarFile.java
-index bd538649a4f..70cf99504e4 100644
---- a/src/java.base/share/classes/java/util/jar/JarFile.java
-+++ b/src/java.base/share/classes/java/util/jar/JarFile.java
-@@ -803,7 +803,9 @@ private byte[] getBytes(ZipEntry ze) throws IOException {
-                 throw new IOException("Unsupported size: " + uncompressedSize +
-                         " for JarEntry " + ze.getName() +
-                         ". Allowed max size: " +
--                        SignatureFileVerifier.MAX_SIG_FILE_SIZE + " bytes");
-+                        SignatureFileVerifier.MAX_SIG_FILE_SIZE + " bytes. " +
-+                        "You can use the jdk.jar.maxSignatureFileSize " +
-+                        "system property to increase the default value.");
-             }
-             int len = (int)uncompressedSize;
-             int bytesRead;
-diff --git a/src/java.base/share/classes/sun/security/util/SignatureFileVerifier.java b/src/java.base/share/classes/sun/security/util/SignatureFileVerifier.java
-index 4ea9255ba0a..05acdcb9474 100644
---- a/src/java.base/share/classes/sun/security/util/SignatureFileVerifier.java
-+++ b/src/java.base/share/classes/sun/security/util/SignatureFileVerifier.java
-@@ -856,16 +856,16 @@ private static int initializeMaxSigFileSize() {
-          * the maximum allowed number of bytes for the signature-related files
-          * in a JAR file.
-          */
--        Integer tmp = GetIntegerAction.privilegedGetProperty(
--                "jdk.jar.maxSignatureFileSize", 8000000);
-+        int tmp = GetIntegerAction.privilegedGetProperty(
-+                "jdk.jar.maxSignatureFileSize", 16000000);
-         if (tmp < 0 || tmp > MAX_ARRAY_SIZE) {
-             if (debug != null) {
--                debug.println("Default signature file size 8000000 bytes " +
--                        "is used as the specified size for the " +
--                        "jdk.jar.maxSignatureFileSize system property " +
-+                debug.println("The default signature file size of 16000000 bytes " +
-+                        "will be used for the jdk.jar.maxSignatureFileSize " +
-+                        "system property since the specified value " +
-                         "is out of range: " + tmp);
-             }
--            tmp = 8000000;
-+            tmp = 16000000;
-         }
-         return tmp;
-     }
diff --git a/SOURCES/rh1648644-java_access_bridge_privileged_security.patch b/SOURCES/rh1648644-java_access_bridge_privileged_security.patch
deleted file mode 100644
index 53026ad..0000000
--- a/SOURCES/rh1648644-java_access_bridge_privileged_security.patch
+++ /dev/null
@@ -1,20 +0,0 @@
---- openjdk/src/java.base/share/conf/security/java.security
-+++ openjdk/src/java.base/share/conf/security/java.security
-@@ -304,6 +304,8 @@
- #
- package.access=sun.misc.,\
-                sun.reflect.,\
-+               org.GNOME.Accessibility.,\
-+               org.GNOME.Bonobo.,\
- 
- #
- # List of comma-separated packages that start with or equal this string
-@@ -316,6 +318,8 @@
- #
- package.definition=sun.misc.,\
-                    sun.reflect.,\
-+                   org.GNOME.Accessibility.,\
-+                   org.GNOME.Bonobo.,\
- 
- #
- # Determines whether this properties file can be appended to
diff --git a/SPECS/java-17-openjdk.spec b/SPECS/java-17-openjdk.spec
index 6fd2a98..c73a00d 100644
--- a/SPECS/java-17-openjdk.spec
+++ b/SPECS/java-17-openjdk.spec
@@ -322,7 +322,7 @@
 # New Version-String scheme-style defines
 %global featurever 17
 %global interimver 0
-%global updatever 9
+%global updatever 10
 %global patchver 0
 # buildjdkver is usually same as %%{featurever},
 # but in time of bootstrap of next jdk, it is featurever-1,
@@ -362,7 +362,7 @@
 # Define IcedTea version used for SystemTap tapsets and desktop file
 %global icedteaver      6.0.0pre00-c848b93a8598
 # Define current Git revision for the FIPS support patches
-%global fipsver 51e1d00be4e
+%global fipsver d63771ea660
 %global javaver         %{featurever}
 %global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver}
 
@@ -377,7 +377,7 @@
 %global origin_nice     OpenJDK
 %global top_level_dir_name   %{vcstag}
 %global top_level_dir_name_backup %{top_level_dir_name}-backup
-%global buildver        9
+%global buildver        7
 # rpmrelease numbering must start at 2 to be later than the 9.0 RPM
 %global rpmrelease      2
 # Settings used by the portable build
@@ -1347,8 +1347,6 @@ Patch600: rh1750419-redhat_alt_java.patch
 
 # Ignore AWTError when assistive technologies are loaded
 Patch1:    rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
-# Restrict access to java-atk-wrapper classes
-Patch2:    rh1648644-java_access_bridge_privileged_security.patch
 Patch3:    rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
 # Depend on pcsc-lite-libs instead of pcsc-lite-devel as this is only in optional repo
 Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
@@ -1357,38 +1355,45 @@ Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-d
 # Patch is generated from the fips-17u tree at https://github.com/rh-openjdk/jdk/tree/fips-17u
 # as follows: git diff %%{vcstag} src make test > fips-17u-$(git show -s --format=%h HEAD).patch
 # Diff is limited to src and make subdirectories to exclude .github changes
+# The following list is generated by:
+# git log %%{vcstag}.. --no-merges --format=%s --reverse:
 # Fixes currently included:
-# PR3183, RH1340845: Follow system wide crypto policy
-# PR3695: Allow use of system crypto policy to be disabled by the user
-# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider
-# RH1818909: No ciphersuites availale for SSLSocket in FIPS mode
-# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available
-# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess
+# PR3183, RH1340845: Support Fedora & RHEL system crypto policy
+# PR3695: Allow system crypto policy enforcement to be toggled on/off
+# RH1655466: Support global RHEL crypto policy
+# RH1818909: Set default keystore type for PKCS11 provider in FIPS mode
+# RH1860986: Disable TLSv1.3 in FIPS mode
+# RH1915071: Always initialise configurator access.patch
 # RH1929465: Improve system FIPS detection
-# RH1995150: Disable non-FIPS crypto in SUN and SunEC security providers
-# RH1996182: Login to the NSS software token in FIPS mode
-# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false
-# RH2021263: Resolve outstanding FIPS issues
-# RH2052819: Fix FIPS reliance on crypto policies
-# RH2052829: Detect NSS at Runtime for FIPS detection
+# RH1995150: Disable non-FIPS crypto in the SUN and SunEC providers
+# RH1996182: Login to the NSS Software Token in FIPS Mode
+# RH1929465: Don't define unused throwIOException function when using NSS detection
+# RH1996182: Extend default security policy to allow SunPKCS11 access to jdk.internal.access
+# RH1991003: Enable the import of plain keys into the NSS software token.
+# RH2021263: Return in C code after having generated Java exception
+# RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance
+# RH2021263: Improve Security initialisation, now FIPS support no longer relies on crypto policy support
+# RH2051605: Detect NSS at Runtime for FIPS detection
 # RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode
-# RH2023467: Enable FIPS keys export
-# RH2094027: SunEC runtime permission for FIPS
-# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
-# RH2090378: Revert to disabling system security properties and FIPS mode support together
-# RH2104724: Avoid import/export of DH private keys
-# RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode
-# Build the systemconf library on all platforms
-# RH2048582: Support PKCS#12 keystores
-# RH2020290: Support TLS 1.3 in FIPS mode
-# Add nss.fips.cfg support to OpenJDK tree
-# RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode
-# Remove forgotten dead code from RH2020290 and RH2104724
-# OJ1357: Fix issue on FIPS with a SecurityManager in place
-# RH2134669: Add missing attributes when registering services in FIPS mode.
-# test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class
-# RH1940064: Enable XML Signature provider in FIPS mode
-# RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized
+# RH2023467: Enable FIPS keys export (#1)
+# Run workflows on pull request, as we are not using SKARA.
+# RH2094027: SunEC runtime permission for FIPS (#5)
+# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage (#8)
+# RH2090378: Revert to disabling system security properties and FIPS mode support together (#4)
+# Use encoded space rather than quoting for JTReg JAVA_OPTIONS
+# RH2104724: Avoid import/export of DH private keys (#14)
+# RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode (#16)
+# Build the systemconf library on all platforms (#7)
+# RH2048582: Support PKCS#12 keystores (#2)
+# RH2020290: Support TLS 1.3 in FIPS mode (#13)
+# Add nss.fips.cfg support to OpenJDK tree (#22)
+# RH2117972 - Extend the support for NSS DBs (PKCS11) in FIPS mode (#17)
+# Remove forgotten dead code from #13 and #14 (#21)
+# Fix issue on FIPS with a SecurityManager in place (#25)
+# RH2134669: Add missing attributes when registering services in FIPS mode. (#19)
+# test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class (#27)
+# RH1940064: Enable XML Signature provider in FIPS mode (#24)
+# RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized (#26)
 Patch1001: fips-17u-%{fipsver}.patch
 
 #############################################
@@ -1402,8 +1407,8 @@ Patch1001: fips-17u-%{fipsver}.patch
 # OpenJDK patches appearing in 17.0.10
 #
 #############################################
-# JDK-8312489, OJ2095: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar
-Patch2000: jdk8312489-max_sig_default_increase.patch
+
+# Currently empty
 
 BuildRequires: autoconf
 BuildRequires: automake
@@ -1838,22 +1843,20 @@ sh %{SOURCE12} %{top_level_dir_name}
 %endif
 
 # Patch the JDK
+# -P N: apply patch number N, same as passing N as a positional argument on rpm >= 4.18
+# -p N: strip N leading slashes from paths
 pushd %{top_level_dir_name}
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch6 -p1
+%patch -P1 -p1
+%patch -P3 -p1
+%patch -P6 -p1
 # Add crypto policy and FIPS support
-%patch1001 -p1
+%patch -P1001 -p1
 # nss.cfg PKCS11 support; must come last as it also alters java.security
-%patch1000 -p1
-# JDK-8312489 backport, coming in 17.0.10
-%patch2000 -p1
+%patch -P1000 -p1
 # alt-java support
-%patch600 -p1
+%patch -P600 -p1
 popd # openjdk
 
-
 # The OpenJDK version file includes the current
 # upstream version information. For some reason,
 # configure does not automatically use the
@@ -1871,9 +1874,7 @@ if [ "x${UPSTREAM_EA_DESIGNATOR}" != "x%{ea_designator}" ] ; then
     echo "WARNING: Designator mismatch";
     echo "Spec file is configured for a %{build_type} build with designator '%{ea_designator}'"
     echo "Upstream version-pre setting is '${UPSTREAM_EA_DESIGNATOR}'";
-    # Temporarily commented out as local copy of jdk-17.0.8+7 has the wrong setting
-    # This is fixed in the final upstream version
-    # exit 17
+    exit 17
 fi
 
 # Prepare desktop files
@@ -2473,6 +2474,41 @@ cjc.mainProgram(args)
 %endif
 
 %changelog
+* Thu Jan 11 2024 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.10.0.7-1
+- Update to jdk-17.0.10+7 (GA)
+- Sync the copy of the portable specfile with the latest update
+- Move to -P<n> usage for patch macro which works on all RPM versions
+- Remove RH1648644 patch not in portable build (and so not applied to binary used)
+- Re-enable DEFAULT_PROMOTED_VERSION_PRE check disabled for the July 2023 release
+- generate_source_tarball.sh: Add --sort=name to tar invocation for reproducibility
+- ** This tarball is embargoed until 2024-01-16 @ 1pm PT. **
+- Resolves: RHEL-20995
+
+* Thu Jan 11 2024 Thomas Fitzsimmons <fitzsim@redhat.com> - 1:17.0.10.0.7-1
+- Update to jdk-17.0.10+6 (EA)
+- fips-17u-d63771ea660.patch: Regenerate from gnu-andrew branch
+- generate_source_tarball.sh: Add WITH_TEMP environment variable
+- generate_source_tarball.sh: Multithread xz on all available cores
+- generate_source_tarball.sh: Add OPENJDK_LATEST environment variable
+- generate_source_tarball.sh: Update comment about tarball naming
+- generate_source_tarball.sh: Remove REPO_NAME from FILE_NAME_ROOT
+- generate_source_tarball.sh: Set compile-command in Emacs
+- generate_source_tarball.sh: Reformat comment header
+- generate_source_tarball.sh: Reformat and update help output
+- generate_source_tarball.sh: Move PROJECT_NAME and REPO_NAME checks
+- generate_source_tarball.sh: Do a shallow clone, for speed
+- generate_source_tarball.sh: Append -ea designator when required
+- generate_source_tarball.sh: Eliminate some removal prompting
+- generate_source_tarball.sh: Make tarball reproducible
+- generate_source_tarball.sh: Prefix temporary directory with temp-
+- generate_source_tarball.sh: shellcheck: Remove x-prefixes since we use Bash
+- generate_source_tarball.sh: shellcheck: Double-quote variable references
+- generate_source_tarball.sh: shellcheck: Do not use -a
+- generate_source_tarball.sh: shellcheck: Do not use $ in expression
+- generate_source_tarball.sh: Remove temporary directory exit conditions
+- generate_source_tarball.sh: Add note on network usage of OPENJDK_LATEST
+- Related: RHEL-20995
+
 * Thu Oct 12 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.9.0.9-1
 - Update to jdk-17.0.9+9 (GA)
 - Sync the copy of the portable specfile with the latest update