Import java-17-openjdk

Resolves: rhbz#1870625

.gitignore

@@ -0,0 +1,6 @@
+/jdk-16.0.1.0.9.f34.aarch64.tar.xz
+/jdk-16.0.1.0.9.f34.ppc64le.tar.xz
+/jdk-16.0.1.0.9.f34.s390x.tar.xz
+/jdk-16.0.1.0.9.f34.x86_64.tar.xz
+/openjdk-jdk17-jdk-17+26.tar.xz
+/tapsets-icedtea-3.15.0.tar.xz

NEWS

@@ -0,0 +1,154 @@
+Key:
+
+JDK-X  - https://bugs.openjdk.java.net/browse/JDK-X
+CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
+
+New in release OpenJDK 15.0.2 (2021-01-19):
+===========================================
+Live versions of these release notes can be found at:
+  * https://builds.shipilev.net/backports-monitor/release-notes-15.0.2.txt
+
+* Security fixes
+  - JDK-8247619: Improve Direct Buffering of Characters
+* Other changes
+  - JDK-8197981: Missing return statement in __sync_val_compare_and_swap_8
+  - JDK-8239105: Add exception for expiring Digicert root certificates to VerifyCACerts test
+  - JDK-8247741: Test test/hotspot/jtreg/runtime/7162488/TestUnrecognizedVmOption.java fails when -XX:+IgnoreUnrecognizedVMOptions is set
+  - JDK-8248411: [aarch64] Insufficient error handling when CodeBuffer is exhausted
+  - JDK-8248596: [TESTBUG] compiler/loopopts/PartialPeelingUnswitch.java times out with Graal enabled
+  - JDK-8248667: Need support for building native libraries located in the test/lib directory
+  - JDK-8249176: Update GlobalSignR6CA test certificates
+  - JDK-8249192: MonitorInfo stores raw oops across safepoints
+  - JDK-8249217: Unexpected StackOverflowError in "process reaper" thread still happens
+  - JDK-8249781: AArch64: AOT compiled code crashes if C2 allocates r27
+  - JDK-8250257: Bump release strings for JDK 15.0.2
+  - JDK-8251397: NPE on ClassValue.ClassValueMap.cacheArray
+  - JDK-8251859: sun/security/validator/PKIXValAndRevCheckTests.java fails
+  - JDK-8253191: C2: Masked byte comparisons with large masks produce wrong result on x86
+  - JDK-8253375: OSX build fails with Xcode 12.0 (12A7209)
+  - JDK-8253566: clazz.isAssignableFrom will return false for interface implementors
+  - JDK-8253756: C2 CompilerThread0 crash in Node::add_req(Node*)
+  - JDK-8253791: Issue with useAppleColor check in CSystemColors.m
+  - JDK-8253960: Memory leak in Java_java_lang_ClassLoader_defineClass0()
+  - JDK-8254081: java/security/cert/PolicyNode/GetPolicyQualifiers.java fails due to an expired certificate
+  - JDK-8254166: Zero: return-type warning in zeroInterpreter_zero.cpp
+  - JDK-8254177: (tz) Upgrade time-zone data to tzdata2020b
+  - JDK-8254319: Shenandoah: Interpreter native-LRB needs to activate during HAS_FORWARDED
+  - JDK-8254320: Shenandoah: C2 native LRB should activate for non-cset objects
+  - JDK-8254790: SIGSEGV in string_indexof_char and stringL_indexof_char intrinsics
+  - JDK-8254854: [cgroups v1] Metric limits not properly detected on some join controller combinations
+  - JDK-8254982: (tz) Upgrade time-zone data to tzdata2020c
+  - JDK-8255065: Zero: accessor_entry misses the IRIW case
+  - JDK-8255067: Restore Copyright line in file modified by 8253191
+  - JDK-8255226: (tz) Upgrade time-zone data to tzdata2020d
+  - JDK-8255599: Change jdk 15.0.2 milestone to fcs for build b04
+  - JDK-8255603: Memory/Performance regression after JDK-8210985
+  - JDK-8256051: nmethod_entry_barrier stub miscalculates xmm spill size on x86_32
+  - JDK-8256427: Test com/sun/jndi/dns/ConfigTests/PortUnreachable.java does not work on AIX
+  - JDK-8256618: Zero: Linux x86_32 build still fails
+  - JDK-8257181: s390x builds are very noisy with gc-sections messages
+  - JDK-8257641: Shenandoah: Query is_at_shenandoah_safepoint() from control thread should return false
+  - JDK-8257701: Shenandoah: objArrayKlass metadata is not marked with chunked arrays
+
+Notes on individual issues:
+===========================
+
+core-libs/java.time:
+
+JDK-8254177: US/Pacific-New Zone name removed as part of tzdata2020b
+====================================================================
+Following JDK's update to tzdata2020b, the long-obsolete files
+pacificnew and systemv have been removed. As a result, the
+"US/Pacific-New" zone name declared in the pacificnew data file is no
+longer available for use.
+
+Information regarding the update can be viewed at
+https://mm.icann.org/pipermail/tz-announce/2020-October/000059.html
+
+New in release OpenJDK 15.0.1 (2020-10-20):
+===========================================
+Live versions of these release notes can be found at:
+  * https://builds.shipilev.net/backports-monitor/release-notes-15.0.1.txt
+
+* Security fixes
+  - JDK-8233624: Enhance JNI linkage
+  - JDK-8236196: Improve string pooling
+  - JDK-8236862, CVE-2020-14779: Enhance support of Proxy class
+  - JDK-8237990, CVE-2020-14781: Enhanced LDAP contexts
+  - JDK-8237995, CVE-2020-14782: Enhance certificate processing
+  - JDK-8240124: Better VM Interning
+  - JDK-8241114, CVE-2020-14792: Better range handling
+  - JDK-8242680, CVE-2020-14796: Improved URI Support
+  - JDK-8242685, CVE-2020-14797: Better Path Validation
+  - JDK-8242695, CVE-2020-14798: Enhanced buffer support
+  - JDK-8243302: Advanced class supports
+  - JDK-8244136, CVE-2020-14803: Improved Buffer supports
+  - JDK-8244479: Further constrain certificates
+  - JDK-8244955: Additional Fix for JDK-8240124
+  - JDK-8245407: Enhance zoning of times
+  - JDK-8245412: Better class definitions
+  - JDK-8245417: Improve certificate chain handling
+  - JDK-8248574: Improve jpeg processing
+  - JDK-8249927: Specify limits of jdk.serialProxyInterfaceLimit
+  - JDK-8253019: Enhanced JPEG decoding
+* Other changes
+  - JDK-8232114: JVM crashed at imjpapi.dll in native code
+  - JDK-8243470: [macos] bring back O2 opt level for unsafe.cpp
+  - JDK-8247251: Assert '(_pcs_length == 0 || last_pc()->pc_offset() < pc_offset) failed: must specify a new, larger pc offset' failure
+  - JDK-8248495: [macos] zerovm is broken due to libffi headers location
+  - JDK-8248745: Add jarsigner and keytool tests for restricted algorithms
+  - JDK-8249165: Remove unneeded nops introduced by 8234160 changes
+  - JDK-8249183: JVM crash in "AwtFrame::WmSize" method
+  - JDK-8249266: Bump release strings for JDK 15.0.1
+  - JDK-8249266: Change jdk 15.0.1 milestone to fcs for build b02
+  - JDK-8250612: jvmciCompilerToVM.cpp declares jio_printf with "void" return type, should be "int"
+  - JDK-8250665: Wrong translation for the month name of May in ar_JO,LB,SY
+  - JDK-8250861: Crash in MinINode::Ideal(PhaseGVN*, bool)
+  - JDK-8250876: Fix issues with cross-compile on macos
+  - JDK-8250928: JFR: Improve hash algorithm for stack traces
+  - JDK-8251359: Shenandoah: filter null oops before calling enqueue/SATB barrier
+  - JDK-8251458: Parse::do_lookupswitch fails with "assert(_cnt >= 0) failed"
+  - JDK-8251859: sun/security/validator/PKIXValAndRevCheckTests.java fails
+  - JDK-8251910: Shenandoah: Handshake threads between weak-roots and reset phases
+  - JDK-8252120: compiler/oracle/TestCompileCommand.java misspells "occured"
+  - JDK-8252292: 8240795 may cause anti-dependence to be missed
+  - JDK-8252359: HotSpot Not Identifying it is Running in a Container
+  - JDK-8252367: Undo JDK-8245000: Windows GDI functions don't support large pages
+  - JDK-8252368: Undo JDK-8245002: Windows GDI functions don't support NUMA interleaving
+  - JDK-8252470: java/awt/dnd/DisposeFrameOnDragCrash/DisposeFrameOnDragTest.java fails on Windows
+  - JDK-8252660: Shenandoah: support manageable SoftMaxHeapSize option
+  - JDK-8252754: Hash code calculation of JfrStackTrace is inconsistent
+  - JDK-8253222: Shenandoah: unused AlwaysTrueClosure after JDK-8246591
+  - JDK-8253224: Shenandoah: ShenandoahStrDedupQueue destructor calls virtual num_queues()
+  - JDK-8253226: Shenandoah: remove unimplemented ShenandoahStrDedupQueue::verify
+  - JDK-8253284: Zero OrderAccess barrier mappings are incorrect
+  - JDK-8253714: [cgroups v2] Soft memory limit incorrectly using memory.high
+  - JDK-8253727: [cgroups v2] Memory and swap limits reported incorrectly
+  - JDK-8253778: ShenandoahSafepoint::is_at_shenandoah_safepoint should not access VMThread state from other threads
+  - JDK-8254144: Non-x86 Zero builds fail with return-type warning in os_linux_zero.cpp
+  - JDK-8254560: Shenandoah: Concurrent Strong Roots logging is incorrect
+
+Notes on individual issues:
+===========================
+
+security-libs/java.security:
+
+JDK-8250756: Added Entrust Root Certification Authority - G4 certificate
+========================================================================
+The Entrust root certificate has been added to the cacerts truststore:
+
+Alias Name: entrustrootcag4
+Distinguished Name: CN=Entrust Root Certification Authority - G4, OU="(c) 2015 Entrust,  Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
+
+JDK-8250860: Added 3 SSL Corporation Root CA Certificates
+=========================================================
+The following root certificates have been added to the cacerts truststore for the SSL Corporation:
+
+Alias Name: sslrootrsaca
+Distinguished Name: CN=SSL.com Root Certification Authority RSA, O=SSL Corporation, L=Houston, ST=Texas, C=US
+
+Alias Name: sslrootevrsaca
+Distinguished Name: CN=SSL.com EV Root Certification Authority RSA R2, O=SSL Corporation, L=Houston, ST=Texas, C=US
+
+Alias Name: sslrooteccca
+Distinguished Name: CN=SSL.com Root Certification Authority ECC, O=SSL Corporation, L=Houston, ST=Texas, C=US

TestCryptoLevel.java

@@ -0,0 +1,72 @@
+/* TestCryptoLevel -- Ensure unlimited crypto policy is in use.
+   Copyright (C) 2012 Red Hat, Inc.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+import java.lang.reflect.Field;
+import java.lang.reflect.Method;
+import java.lang.reflect.InvocationTargetException;
+
+import java.security.Permission;
+import java.security.PermissionCollection;
+
+public class TestCryptoLevel
+{
+  public static void main(String[] args)
+    throws NoSuchFieldException, ClassNotFoundException,
+           IllegalAccessException, InvocationTargetException
+  {
+    Class<?> cls = null;
+    Method def = null, exempt = null;
+
+    try
+      {
+        cls = Class.forName("javax.crypto.JceSecurity");
+      }
+    catch (ClassNotFoundException ex)
+      {
+        System.err.println("Running a non-Sun JDK.");
+        System.exit(0);
+      }
+    try
+      {
+        def = cls.getDeclaredMethod("getDefaultPolicy");
+        exempt = cls.getDeclaredMethod("getExemptPolicy");
+      }
+    catch (NoSuchMethodException ex)
+      {
+        System.err.println("Running IcedTea with the original crypto patch.");
+        System.exit(0);
+      }
+    def.setAccessible(true);
+    exempt.setAccessible(true);
+    PermissionCollection defPerms = (PermissionCollection) def.invoke(null);
+    PermissionCollection exemptPerms = (PermissionCollection) exempt.invoke(null);
+    Class<?> apCls = Class.forName("javax.crypto.CryptoAllPermission");
+    Field apField = apCls.getDeclaredField("INSTANCE");
+    apField.setAccessible(true);
+    Permission allPerms = (Permission) apField.get(null);
+    if (defPerms.implies(allPerms) && (exemptPerms == null || exemptPerms.implies(allPerms)))
+      {
+        System.err.println("Running with the unlimited policy.");
+        System.exit(0);
+      }
+    else
+      {
+        System.err.println("WARNING: Running with a restricted crypto policy.");
+        System.exit(-1);
+      }
+  }
+}

TestECDSA.java

@@ -0,0 +1,49 @@
+/* TestECDSA -- Ensure ECDSA signatures are working.
+   Copyright (C) 2016 Red Hat, Inc.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+import java.math.BigInteger;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.Signature;
+
+/**
+ * @test
+ */
+public class TestECDSA {
+
+    public static void main(String[] args) throws Exception {
+        KeyPairGenerator keyGen = KeyPairGenerator.getInstance("EC");
+        KeyPair key = keyGen.generateKeyPair();
+        
+        byte[] data = "This is a string to sign".getBytes("UTF-8");
+        
+        Signature dsa = Signature.getInstance("NONEwithECDSA");
+        dsa.initSign(key.getPrivate());
+        dsa.update(data);
+        byte[] sig = dsa.sign();
+        System.out.println("Signature: " + new BigInteger(1, sig).toString(16));
+        
+        Signature dsaCheck = Signature.getInstance("NONEwithECDSA");
+        dsaCheck.initVerify(key.getPublic());
+        dsaCheck.update(data);
+        boolean success = dsaCheck.verify(sig);
+        if (!success) {
+            throw new RuntimeException("Test failed. Signature verification error");
+        }
+        System.out.println("Test passed.");
+    }
+}

TestSecurityProperties.java

@@ -0,0 +1,43 @@
+import java.io.File;
+import java.io.FileInputStream;
+import java.security.Security;
+import java.util.Properties;
+
+public class TestSecurityProperties {
+    // JDK 11
+    private static final String JDK_PROPS_FILE_JDK_11 = System.getProperty("java.home") + "/conf/security/java.security";
+    // JDK 8
+    private static final String JDK_PROPS_FILE_JDK_8 = System.getProperty("java.home") + "/lib/security/java.security";
+
+    public static void main(String[] args) {
+        Properties jdkProps = new Properties();
+        loadProperties(jdkProps);
+        for (Object key: jdkProps.keySet()) {
+            String sKey = (String)key;
+            String securityVal = Security.getProperty(sKey);
+            String jdkSecVal = jdkProps.getProperty(sKey);
+            if (!securityVal.equals(jdkSecVal)) {
+                String msg = "Expected value '" + jdkSecVal + "' for key '" + 
+                             sKey + "'" + " but got value '" + securityVal + "'";
+                throw new RuntimeException("Test failed! " + msg);
+            } else {
+                System.out.println("DEBUG: " + sKey + " = " + jdkSecVal + " as expected.");
+            }
+        }
+        System.out.println("TestSecurityProperties PASSED!");
+    }
+    
+    private static void loadProperties(Properties props) {
+        String javaVersion = System.getProperty("java.version");
+        System.out.println("Debug: Java version is " + javaVersion);
+        String propsFile = JDK_PROPS_FILE_JDK_11;
+        if (javaVersion.startsWith("1.8.0")) {
+            propsFile = JDK_PROPS_FILE_JDK_8;
+        }
+        try (FileInputStream fin = new FileInputStream(new File(propsFile))) {
+            props.load(fin);
+        } catch (Exception e) {
+            throw new RuntimeException("Test failed!", e);
+        }
+    }
+}

jconsole.desktop.in

@@ -0,0 +1,10 @@
+[Desktop Entry]
+Name=OpenJDK @JAVA_MAJOR_VERSION@ Monitoring & Management Console @ARCH@
+Comment=Monitor and manage OpenJDK @JAVA_MAJOR_VERSION@ applications for @ARCH@
+Exec=@JAVA_HOME@/jconsole
+Icon=java-@JAVA_MAJOR_VERSION@-@JAVA_VENDOR@
+Terminal=false
+Type=Application
+StartupWMClass=sun-tools-jconsole-JConsole
+Categories=Development;Profiling;Java;
+Version=1.0

nss.cfg.in

@@ -0,0 +1,5 @@
+name = NSS
+nssLibraryDirectory = @NSS_LIBDIR@
+nssDbMode = noDb
+attributes = compatibility
+handleStartupErrors = ignoreMultipleInitialisation

pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch

@@ -0,0 +1,88 @@
+
+# HG changeset patch
+# User andrew
+# Date 1478057514 0
+# Node ID 1c4d5cb2096ae55106111da200b0bcad304f650c
+# Parent  3d53f19b48384e5252f4ec8891f7a3a82d77af2a
+PR3183: Support Fedora/RHEL system crypto policy
+diff -r 3d53f19b4838 -r 1c4d5cb2096a src/java.base/share/classes/java/security/Security.java
+--- a/src/java.base/share/classes/java/security/Security.java	Wed Oct 26 03:51:39 2016 +0100
++++ b/src/java.base/share/classes/java/security/Security.java	Wed Nov 02 03:31:54 2016 +0000
+@@ -43,6 +43,9 @@
+  * implementation-specific location, which is typically the properties file
+  * {@code conf/security/java.security} in the Java installation directory.
+  *
++ * <p>Additional default values of security properties are read from a
++ * system-specific location, if available.</p>
++ *
+  * @author Benjamin Renaud
+  * @since 1.1
+  */
+@@ -52,6 +55,10 @@
+     private static final Debug sdebug =
+                         Debug.getInstance("properties");
+ 
++    /* System property file*/
++    private static final String SYSTEM_PROPERTIES =
++        "/etc/crypto-policies/back-ends/java.config";
++
+     /* The java.security properties */
+     private static Properties props;
+ 
+@@ -93,6 +100,7 @@
+                 if (sdebug != null) {
+                     sdebug.println("reading security properties file: " +
+                                 propFile);
++                    sdebug.println(props.toString());
+                 }
+             } catch (IOException e) {
+                 if (sdebug != null) {
+@@ -114,6 +122,31 @@
+         }
+ 
+         if ("true".equalsIgnoreCase(props.getProperty
++                ("security.useSystemPropertiesFile"))) {
++
++            // now load the system file, if it exists, so its values
++            // will win if they conflict with the earlier values
++            try (BufferedInputStream bis =
++                 new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
++                props.load(bis);
++                loadedProps = true;
++
++                if (sdebug != null) {
++                    sdebug.println("reading system security properties file " +
++                                   SYSTEM_PROPERTIES);
++                    sdebug.println(props.toString());
++                }
++            } catch (IOException e) {
++                if (sdebug != null) {
++                    sdebug.println
++                        ("unable to load security properties from " +
++                         SYSTEM_PROPERTIES);
++                    e.printStackTrace();
++                }
++            }
++        }
++
++        if ("true".equalsIgnoreCase(props.getProperty
+                 ("security.overridePropertiesFile"))) {
+ 
+             String extraPropFile = System.getProperty
+diff -r 3d53f19b4838 -r 1c4d5cb2096a src/java.base/share/conf/security/java.security
+--- a/src/java.base/share/conf/security/java.security	Wed Oct 26 03:51:39 2016 +0100
++++ b/src/java.base/share/conf/security/java.security	Wed Nov 02 03:31:54 2016 +0000
+@@ -276,6 +276,13 @@
+ security.overridePropertiesFile=true
+ 
+ #
++# Determines whether this properties file will be appended to
++# using the system properties file stored at
++# /etc/crypto-policies/back-ends/java.config
++#
++security.useSystemPropertiesFile=true
++
++#
+ # Determines the default key and trust manager factory algorithms for
+ # the javax.net.ssl package.
+ #

remove-intree-libraries.sh

@@ -0,0 +1,157 @@
+#!/bin/sh
+
+# Arguments: <JDK TREE> <MINIMAL|FULL>
+TREE=${1}
+TYPE=${2}
+
+ZIP_SRC=src/java.base/share/native/libzip/zlib/
+JPEG_SRC=src/java.desktop/share/native/libjavajpeg/
+GIF_SRC=src/java.desktop/share/native/libsplashscreen/giflib/
+PNG_SRC=src/java.desktop/share/native/libsplashscreen/libpng/
+LCMS_SRC=src/java.desktop/share/native/liblcms/
+
+if test "x${TREE}" = "x"; then
+    echo "$0 <JDK_TREE> (MINIMAL|FULL)";
+    exit 1;
+fi
+
+if test "x${TYPE}" = "x"; then
+    TYPE=minimal;
+fi
+
+if test "x${TYPE}" != "xminimal" -a "x${TYPE}" != "xfull"; then
+    echo "Type must be minimal or full";
+    exit 2;
+fi
+
+echo "Removing in-tree libraries from ${TREE}"
+echo "Cleansing operation: ${TYPE}";
+
+cd ${TREE}
+
+echo "Removing built-in libs (they will be linked)"
+
+# On full runs, allow for zlib having already been deleted by minimal
+echo "Removing zlib"
+if [ "x${TYPE}" = "xminimal" -a ! -d ${ZIP_SRC} ]; then
+	echo "${ZIP_SRC} does not exist. Refusing to proceed."
+	exit 1
+fi	
+rm -rvf ${ZIP_SRC}
+
+# Minimal is limited to just zlib so finish here
+if test "x${TYPE}" = "xminimal"; then
+    echo "Finished.";
+    exit 0;
+fi
+
+echo "Removing libjpeg"
+if [ ! -f ${JPEG_SRC}/jdhuff.c ]; then # some file that should definitely exist
+	echo "${JPEG_SRC} does not contain jpeg sources. Refusing to proceed."
+	exit 1
+fi	
+
+rm -vf ${JPEG_SRC}/jcomapi.c
+rm -vf ${JPEG_SRC}/jdapimin.c
+rm -vf ${JPEG_SRC}/jdapistd.c
+rm -vf ${JPEG_SRC}/jdcoefct.c
+rm -vf ${JPEG_SRC}/jdcolor.c
+rm -vf ${JPEG_SRC}/jdct.h
+rm -vf ${JPEG_SRC}/jddctmgr.c
+rm -vf ${JPEG_SRC}/jdhuff.c
+rm -vf ${JPEG_SRC}/jdhuff.h
+rm -vf ${JPEG_SRC}/jdinput.c
+rm -vf ${JPEG_SRC}/jdmainct.c
+rm -vf ${JPEG_SRC}/jdmarker.c
+rm -vf ${JPEG_SRC}/jdmaster.c
+rm -vf ${JPEG_SRC}/jdmerge.c
+rm -vf ${JPEG_SRC}/jdphuff.c
+rm -vf ${JPEG_SRC}/jdpostct.c
+rm -vf ${JPEG_SRC}/jdsample.c
+rm -vf ${JPEG_SRC}/jerror.c
+rm -vf ${JPEG_SRC}/jerror.h
+rm -vf ${JPEG_SRC}/jidctflt.c
+rm -vf ${JPEG_SRC}/jidctfst.c
+rm -vf ${JPEG_SRC}/jidctint.c
+rm -vf ${JPEG_SRC}/jidctred.c
+rm -vf ${JPEG_SRC}/jinclude.h
+rm -vf ${JPEG_SRC}/jmemmgr.c
+rm -vf ${JPEG_SRC}/jmemsys.h
+rm -vf ${JPEG_SRC}/jmemnobs.c
+rm -vf ${JPEG_SRC}/jmorecfg.h
+rm -vf ${JPEG_SRC}/jpegint.h
+rm -vf ${JPEG_SRC}/jpeglib.h
+rm -vf ${JPEG_SRC}/jquant1.c
+rm -vf ${JPEG_SRC}/jquant2.c
+rm -vf ${JPEG_SRC}/jutils.c
+rm -vf ${JPEG_SRC}/jcapimin.c
+rm -vf ${JPEG_SRC}/jcapistd.c
+rm -vf ${JPEG_SRC}/jccoefct.c
+rm -vf ${JPEG_SRC}/jccolor.c
+rm -vf ${JPEG_SRC}/jcdctmgr.c
+rm -vf ${JPEG_SRC}/jchuff.c
+rm -vf ${JPEG_SRC}/jchuff.h
+rm -vf ${JPEG_SRC}/jcinit.c
+rm -vf ${JPEG_SRC}/jconfig.h
+rm -vf ${JPEG_SRC}/jcmainct.c
+rm -vf ${JPEG_SRC}/jcmarker.c
+rm -vf ${JPEG_SRC}/jcmaster.c
+rm -vf ${JPEG_SRC}/jcparam.c
+rm -vf ${JPEG_SRC}/jcphuff.c
+rm -vf ${JPEG_SRC}/jcprepct.c
+rm -vf ${JPEG_SRC}/jcsample.c
+rm -vf ${JPEG_SRC}/jctrans.c
+rm -vf ${JPEG_SRC}/jdtrans.c
+rm -vf ${JPEG_SRC}/jfdctflt.c
+rm -vf ${JPEG_SRC}/jfdctfst.c
+rm -vf ${JPEG_SRC}/jfdctint.c
+rm -vf ${JPEG_SRC}/jversion.h
+rm -vf ${JPEG_SRC}/README
+
+echo "Removing giflib"
+if [ ! -d ${GIF_SRC} ]; then
+	echo "${GIF_SRC} does not exist. Refusing to proceed."
+	exit 1
+fi	
+rm -rvf ${GIF_SRC}
+
+echo "Removing libpng"
+if [ ! -d ${PNG_SRC} ]; then
+	echo "${PNG_SRC} does not exist. Refusing to proceed."
+	exit 1
+fi	
+rm -rvf ${PNG_SRC}
+
+echo "Removing lcms"
+if [ ! -d ${LCMS_SRC} ]; then
+	echo "${LCMS_SRC} does not exist. Refusing to proceed."
+	exit 1
+fi
+rm -vf ${LCMS_SRC}/cmscam02.c
+rm -vf ${LCMS_SRC}/cmscgats.c
+rm -vf ${LCMS_SRC}/cmscnvrt.c
+rm -vf ${LCMS_SRC}/cmserr.c
+rm -vf ${LCMS_SRC}/cmsgamma.c
+rm -vf ${LCMS_SRC}/cmsgmt.c
+rm -vf ${LCMS_SRC}/cmshalf.c
+rm -vf ${LCMS_SRC}/cmsintrp.c
+rm -vf ${LCMS_SRC}/cmsio0.c
+rm -vf ${LCMS_SRC}/cmsio1.c
+rm -vf ${LCMS_SRC}/cmslut.c
+rm -vf ${LCMS_SRC}/cmsmd5.c
+rm -vf ${LCMS_SRC}/cmsmtrx.c
+rm -vf ${LCMS_SRC}/cmsnamed.c
+rm -vf ${LCMS_SRC}/cmsopt.c
+rm -vf ${LCMS_SRC}/cmspack.c
+rm -vf ${LCMS_SRC}/cmspcs.c
+rm -vf ${LCMS_SRC}/cmsplugin.c
+rm -vf ${LCMS_SRC}/cmsps2.c
+rm -vf ${LCMS_SRC}/cmssamp.c
+rm -vf ${LCMS_SRC}/cmssm.c
+rm -vf ${LCMS_SRC}/cmstypes.c
+rm -vf ${LCMS_SRC}/cmsvirt.c
+rm -vf ${LCMS_SRC}/cmswtpnt.c
+rm -vf ${LCMS_SRC}/cmsxform.c
+rm -vf ${LCMS_SRC}/lcms2.h
+rm -vf ${LCMS_SRC}/lcms2_internal.h
+rm -vf ${LCMS_SRC}/lcms2_plugin.h

rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch

@@ -0,0 +1,16 @@
+diff -r 618ad1237e73 src/java.desktop/share/classes/java/awt/Toolkit.java
+--- a/src/java.desktop/share/classes/java/awt/Toolkit.java	Thu Jun 13 19:37:49 2019 +0200
++++ b/src/java.desktop/share/classes/java/awt/Toolkit.java	Thu Jul 04 10:35:42 2019 +0200
+@@ -595,7 +595,11 @@
+                 toolkit = new HeadlessToolkit(toolkit);
+             }
+             if (!GraphicsEnvironment.isHeadless()) {
+-                loadAssistiveTechnologies();
++                try {
++                    loadAssistiveTechnologies();
++                } catch (AWTError error) {
++                    // ignore silently
++                }
+             }
+         }
+         return toolkit;

rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch

@@ -0,0 +1,12 @@
+diff -r e3f940bd3c8f src/java.base/share/conf/security/java.security
+--- openjdk/src/java.base/share/conf/security/java.security	Thu Jun 11 21:54:51 2020 +0530
++++ openjdk/src/java.base/share/conf/security/java.security	Mon Aug 24 10:14:31 2020 +0200
+@@ -77,7 +77,7 @@
+ #ifdef macosx
+ security.provider.tbd=Apple
+ #endif
+-security.provider.tbd=SunPKCS11
++#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
+ 
+ #
+ # A list of preferred providers for specific algorithms. These providers will

rh1648644-java_access_bridge_privileged_security.patch

@@ -0,0 +1,20 @@
+--- openjdk/src/java.base/share/conf/security/java.security
++++ openjdk/src/java.base/share/conf/security/java.security
+@@ -304,6 +304,8 @@
+ #
+ package.access=sun.misc.,\
+                sun.reflect.,\
++               org.GNOME.Accessibility.,\
++               org.GNOME.Bonobo.,\
+ 
+ #
+ # List of comma-separated packages that start with or equal this string
+@@ -316,6 +318,8 @@
+ #
+ package.definition=sun.misc.,\
+                    sun.reflect.,\
++                   org.GNOME.Accessibility.,\
++                   org.GNOME.Bonobo.,\
+ 
+ #
+ # Determines whether this properties file can be appended to

rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch

@@ -0,0 +1,13 @@
+--- openjdk/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java	2013-03-01 10:48:12.038189968 +0100
++++ openjdk/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java	2013-03-01 10:48:11.913188505 +0100
+@@ -48,8 +48,8 @@
+ 
+     private final static String PROP_NAME = "sun.security.smartcardio.library";
+ 
+-    private final static String LIB1 = "/usr/$LIBISA/libpcsclite.so";
+-    private final static String LIB2 = "/usr/local/$LIBISA/libpcsclite.so";
++    private final static String LIB1 = "/usr/$LIBISA/libpcsclite.so.1";
++    private final static String LIB2 = "/usr/local/$LIBISA/libpcsclite.so.1";
+     private final static String PCSC_FRAMEWORK = "/System/Library/Frameworks/PCSC.framework/Versions/Current/PCSC";
+ 
+     PlatformPCSC() {

rh1750419-redhat_alt_java.patch

@@ -0,0 +1,117 @@
+diff --git openjdk.orig/make/modules/java.base/Launcher.gmk openjdk/make/modules/java.base/Launcher.gmk
+index 700ddefda49..2882de68eb2 100644
+--- openjdk.orig/make/modules/java.base/Launcher.gmk
++++ openjdk/make/modules/java.base/Launcher.gmk
+@@ -41,6 +41,14 @@ $(eval $(call SetupBuildLauncher, java, \
+     OPTIMIZATION := HIGH, \
+ ))
+ 
++#Wno-error=cpp is present to allow commented warning in ifdef part of main.c
++$(eval $(call SetupBuildLauncher, alt-java, \
++    CFLAGS := -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES -DREDHAT_ALT_JAVA -Wno-error=cpp, \
++    EXTRA_RCFLAGS := $(JAVA_RCFLAGS), \
++    VERSION_INFO_RESOURCE := $(JAVA_VERSION_INFO_RESOURCE), \
++    OPTIMIZATION := HIGH, \
++))
++
+ ifeq ($(call isTargetOs, windows), true)
+   $(eval $(call SetupBuildLauncher, javaw, \
+       CFLAGS := -DJAVAW -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES, \
+diff --git openjdk.orig/src/java.base/share/native/launcher/alt_main.h openjdk/src/java.base/share/native/launcher/alt_main.h
+new file mode 100644
+index 00000000000..697df2898ac
+--- /dev/null
++++ openjdk/src/java.base/share/native/launcher/alt_main.h
+@@ -0,0 +1,73 @@
++/*
++ * Copyright (c) 2019, Red Hat, Inc. All rights reserved.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation.  Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++#ifdef REDHAT_ALT_JAVA
++
++#include <sys/prctl.h>
++
++
++/* Per task speculation control */
++#ifndef PR_GET_SPECULATION_CTRL
++# define PR_GET_SPECULATION_CTRL    52
++#endif
++#ifndef PR_SET_SPECULATION_CTRL
++# define PR_SET_SPECULATION_CTRL    53
++#endif
++/* Speculation control variants */
++#ifndef PR_SPEC_STORE_BYPASS
++# define PR_SPEC_STORE_BYPASS          0
++#endif
++/* Return and control values for PR_SET/GET_SPECULATION_CTRL */
++
++#ifndef PR_SPEC_NOT_AFFECTED
++# define PR_SPEC_NOT_AFFECTED          0
++#endif
++#ifndef PR_SPEC_PRCTL
++# define PR_SPEC_PRCTL                 (1UL << 0)
++#endif
++#ifndef PR_SPEC_ENABLE
++# define PR_SPEC_ENABLE                (1UL << 1)
++#endif
++#ifndef PR_SPEC_DISABLE
++# define PR_SPEC_DISABLE               (1UL << 2)
++#endif
++#ifndef PR_SPEC_FORCE_DISABLE
++# define PR_SPEC_FORCE_DISABLE         (1UL << 3)
++#endif
++#ifndef PR_SPEC_DISABLE_NOEXEC
++# define PR_SPEC_DISABLE_NOEXEC        (1UL << 4)
++#endif
++
++static void set_speculation() __attribute__((constructor));
++static void set_speculation() {
++  if ( prctl(PR_SET_SPECULATION_CTRL,
++             PR_SPEC_STORE_BYPASS,
++             PR_SPEC_DISABLE_NOEXEC, 0, 0) == 0 ) {
++    return;
++  }
++  prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);
++}
++
++#endif // REDHAT_ALT_JAVA
+diff --git openjdk.orig/src/java.base/share/native/launcher/main.c openjdk/src/java.base/share/native/launcher/main.c
+index b734fe2ba78..79dc8307650 100644
+--- openjdk.orig/src/java.base/share/native/launcher/main.c
++++ openjdk/src/java.base/share/native/launcher/main.c
+@@ -34,6 +34,14 @@
+ #include "jli_util.h"
+ #include "jni.h"
+ 
++#ifdef REDHAT_ALT_JAVA
++#if defined(__linux__) && defined(__x86_64__)
++#include "alt_main.h"
++#else
++#warning alt-java requested but SSB mitigation not available on this platform.
++#endif
++#endif
++
+ #ifdef _MSC_VER
+ #if _MSC_VER > 1400 && _MSC_VER < 1600
+ 

rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch

@@ -0,0 +1,19 @@
+Remove uses of FAR in jpeg code
+
+Upstream libjpeg-trubo removed the (empty) FAR macro:
+http://sourceforge.net/p/libjpeg-turbo/code/1312/
+
+Adjust our code to not use the undefined FAR macro anymore.
+
+diff --git a/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c b/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c
+--- openjdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c
++++ openjdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c
+@@ -1385,7 +1385,7 @@
+     /* and fill it in */
+     dst_ptr = icc_data;
+     for (seq_no = first; seq_no < last; seq_no++) {
+-        JOCTET FAR *src_ptr = icc_markers[seq_no]->data + ICC_OVERHEAD_LEN;
++        JOCTET *src_ptr = icc_markers[seq_no]->data + ICC_OVERHEAD_LEN;
+         unsigned int length =
+             icc_markers[seq_no]->data_length - ICC_OVERHEAD_LEN;
+ 

sources

@@ -0,0 +1,6 @@
+SHA512 (jdk-16.0.1.0.9.f34.aarch64.tar.xz) = f0b7036f6e2fe869ffde5addcdab0370a6852068253281d9007891c21d81f364b28b829ed3a9aa6e3fc436b5f851ba9152271956898750affba095d2ce073f70
+SHA512 (jdk-16.0.1.0.9.f34.ppc64le.tar.xz) = a8c03c9922eb11f3b71caa675dd65340051c44ba111735c7f7561c442a84f03776c3ca6caea4bc4ff7c71f4743fe7e13d807cb66967edfd54b68d91cd96731bd
+SHA512 (jdk-16.0.1.0.9.f34.s390x.tar.xz) = 6242e55799bfc8017d941d5beaba80802f371281734a5760d0db6cd3a15e278e0a5e8ee588a2d17ddca2190939d71caef1e9e5379557fc7d53ae0941f47e149c
+SHA512 (jdk-16.0.1.0.9.f34.x86_64.tar.xz) = 9c2322e5635654890ea050910412f332598a8fdf018554d371c34039094be85863beefc26f4e763eb3f20ae8eb35fe3c76e12bdd06acc3a7ba389fd5b3ef0f08
+SHA512 (openjdk-jdk17-jdk-17+26.tar.xz) = a400889ba4f141ecf29e46e42f2b2a07ba6df0760502467e7925a31e88ec6fa07deec99f919a42fd673b30df5c86f2adf5e0dcb00687404f0715527b79f2fec7
+SHA512 (tapsets-icedtea-3.15.0.tar.xz) = c752a197cb3d812d50c35e11e4722772be40096c81d2a57933e0d9b8a3c708b9c157b8108a4e33a06ca7bb81648170994408c75d6f69d5ff12785d0c31009671