diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..cd592ed
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
diff --git a/NEWS b/NEWS
new file mode 100644
index 0000000..9d37ff9
--- /dev/null
+++ b/NEWS
@@ -0,0 +1,619 @@
+JDK-X - https://bugs.openjdk.java.net/browse/JDK-X
+CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
+New in release OpenJDK 17.0.1 (2021-10-19):
+Live versions of these release notes can be found at:
+ * https://builds.shipilev.net/backports-monitor/release-notes-17.0.1.txt
+* Security fixes
+ - JDK-8263314: Enhance XML Dsig modes
+ - JDK-8265167, CVE-2021-35556: Richer Text Editors
+ - JDK-8265574: Improve handling of sheets
+ - JDK-8265580, CVE-2021-35559: Enhanced style for RTF kit
+ - JDK-8265776: Improve Stream handling for SSL
+ - JDK-8266097, CVE-2021-35561: Better hashing support
+ - JDK-8266103: Better specified spec values
+ - JDK-8266109: More Resilient Classloading
+ - JDK-8266115: More Manifest Jar Loading
+ - JDK-8266137, CVE-2021-35564: Improve Keystore integrity
+ - JDK-8266689, CVE-2021-35567: More Constrained Delegation
+ - JDK-8267086: ArrayIndexOutOfBoundsException in java.security.KeyFactory.generatePublic
+ - JDK-8267712: Better LDAP reference processing
+ - JDK-8267729, CVE-2021-35578: Improve TLS client handshaking
+ - JDK-8267735, CVE-2021-35586: Better BMP support
+ - JDK-8268193: Improve requests of certificates
+ - JDK-8268199: Correct certificate requests
+ - JDK-8268205: Enhance DTLS client handshake
+ - JDK-8268500: Better specified ParameterSpecs
+ - JDK-8268506: More Manifest Digests
+ - JDK-8269618, CVE-2021-35603: Better session identification
+ - JDK-8269624: Enhance method selection support
+ - JDK-8270398: Enhance canonicalization
+ - JDK-8270404: Better canonicalization
+* Other changes
+ - JDK-8225082: Remove IdenTrust certificate that is expiring in September 2021
+ - JDK-8243543: jtreg test security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java fails
+ - JDK-8248899: security/infra/java/security/cert/CertPathValidator/certification/QuoVadisCA.java fails, Certificate has been revoked
+ - JDK-8261088: Repeatable annotations without @Target cannot have containers that target module declarations
+ - JDK-8262731: [macOS] Exception from "Printable.print" is swallowed during "PrinterJob.print"
+ - JDK-8263531: Remove unused buffer int
+ - JDK-8266182: Automate manual steps listed in the test jdk/sun/security/pkcs12/ParamsTest.java
+ - JDK-8267625: AARCH64: typo in LIR_Assembler::emit_profile_type
+ - JDK-8267666: Add option to jcmd GC.heap_dump to use existing file
+ - JDK-8268019: C2: assert(no_dead_loop) failed: dead loop detected
+ - JDK-8268261: C2: assert(n != __null) failed: Bad immediate dominator info.
+ - JDK-8268427: Improve AlgorithmConstraints:checkAlgorithm performance
+ - JDK-8268963: [IR Framework] Some default regexes matching on PrintOptoAssembly in IRNode.java do not work on all platforms
+ - JDK-8269297: Bump version numbers for JDK 17.0.1
+ - JDK-8269478: Shenandoah: gc/shenandoah/mxbeans tests should be more resilient
+ - JDK-8269574: C2: Avoid redundant uncommon traps in GraphKit::builtin_throw() for JVMTI exception events
+ - JDK-8269763: The JEditorPane is blank after JDK-8265167
+ - JDK-8269851: OperatingSystemMXBean getProcessCpuLoad reports incorrect process cpu usage in containers
+ - JDK-8269882: stack-use-after-scope in NewObjectA
+ - JDK-8269897: Shenandoah: Resolve UNKNOWN access strength, where possible
+ - JDK-8269934: RunThese24H.java failed with EXCEPTION_ACCESS_VIOLATION in java_lang_Thread::get_thread_status
+ - JDK-8269993: [Test]: java/net/httpclient/DigestEchoClientSSL.java contains redundant @run tags
+ - JDK-8270094: Shenandoah: Provide human-readable labels for test configurations
+ - JDK-8270096: Shenandoah: Optimize gc/shenandoah/TestRefprocSanity.java for interpreter mode
+ - JDK-8270098: ZGC: ZBarrierSetC2::clone_at_expansion fails with "Guard against surprises" assert
+ - JDK-8270137: Kerberos Credential Retrieval from Cache not Working in Cross-Realm Setup
+ - JDK-8270280: security/infra/java/security/cert/CertPathValidator/certification/LetsEncryptCA.java OCSP response error
+ - JDK-8270344: Session resumption errors
+ - JDK-8271203: C2: assert(iff->Opcode() == Op_If || iff->Opcode() == Op_CountedLoopEnd || iff->Opcode() == Op_RangeCheck) failed: Check this code when new subtype is added
+ - JDK-8271276: C2: Wrong JVM state used for receiver null check
+ - JDK-8271335: Updating RE Configs for BUILD REQUEST 17.0.1+4
+ - JDK-8271589: fatal error with variable shift count integer rotate operation.
+ - JDK-8271723: Unproblemlist runtime/InvocationTests/invokevirtualTests.java
+ - JDK-8271730: Client authentication using RSASSA-PSS fails after correct certificate requests
+ - JDK-8271925: ZGC: Arraycopy stub passes invalid oop to load barrier
+ - JDK-8272124: Cgroup v1 initialization causes NullPointerException when cgroup path contains colon
+ - JDK-8272131: PhaseMacroExpand::generate_slow_arraycopy crash when clone null CallProjections.fallthrough_ioproj
+ - JDK-8272326: java/util/Random/RandomTestMoments.java had two Gaussian fails
+ - JDK-8272332: --with-harfbuzz=system doesn't add -lharfbuzz after JDK-8255790
+ - JDK-8272472: StackGuardPages test doesn't build with glibc 2.34
+ - JDK-8272581: sun/security/pkcs11/Provider/MultipleLogins.sh fails after JDK-8266182
+ - JDK-8272602: [macos] not all KEY_PRESSED events sent when control modifier is used
+ - JDK-8272700: [macos] Build failure with Xcode 13.0 after JDK-8264848
+ - JDK-8272708: [Test]: Cleanup: test/jdk/security/infra/java/security/cert/CertPathValidator/certification/BuypassCA.java no longer needs ocspEnabled
+ - JDK-8272806: [macOS] "Apple AWT Internal Exception" when input method is changed
+ - JDK-8273358: macOS Monterey does not have the font Times needed by Serif
+Notes on individual issues:
+JDK-8271434: Removed IdenTrust Root Certificate
+The following root certificate from IdenTrust has been removed from
+the `cacerts` keystore:
+Alias Name: identrustdstx3 [jdk]
+Distinguished Name: CN=DST Root CA X3, O=Digital Signature Trust Co.
+New in release OpenJDK 17.0.0 (2021-09-14):
+The full list of changes in the interim releases from 11u to 17u can be found at:
+ * https://builds.shipilev.net/backports-monitor/release-notes-12.txt
+ * https://builds.shipilev.net/backports-monitor/release-notes-13.txt
+ * https://builds.shipilev.net/backports-monitor/release-notes-14.txt
+ * https://builds.shipilev.net/backports-monitor/release-notes-15.txt
+ * https://builds.shipilev.net/backports-monitor/release-notes-16.txt
+ * https://builds.shipilev.net/backports-monitor/release-notes-17.txt
+Major changes are listed below. Some changes may have been backported
+to earlier releases following their first appearance in OpenJDK 12
+through to 17.
+Language Features
+Switch Expressions
+Extend the `switch` statement so that it can be used as either a
+statement or an expression, and that both forms can use either a
+"traditional" or "simplified" scoping and control flow behavior. Both
+forms can use either traditional `case ... :` labels (with fall
+through) or new `case ... ->` labels (with no fall through), with a
+further new statement for yielding a value from a `switch`
+expression. These changes will simplify everyday coding, and also
+prepare the way for the use of pattern matching in `switch`.
+This was a preview feature (http://openjdk.java.net/jeps/12) in
+OpenJDK 12 & 13 and became final in OpenJDK 14.
+Text Blocks
+Add text blocks to the Java language. A text block is a multi-line
+string literal that avoids the need for most escape sequences,
+automatically formats the string in a predictable way, and gives the
+developer control over format when desired.
+This was a preview feature (http://openjdk.java.net/jeps/12) in
+OpenJDK 13 & 14 and became final in OpenJDK 15.
+Pattern Matching for instanceof
+Enhance the Java programming language with pattern matching for the
+`instanceof` operator. Pattern matching allows common logic in a
+program, namely the conditional extraction of components from objects,
+to be expressed more concisely and safely.
+This was a preview feature (http://openjdk.java.net/jeps/12) in
+OpenJDK 14 & 15 and became final in OpenJDK 16.
+Enhance the Java programming language with records. Records provide a
+compact syntax for declaring classes which are transparent holders for
+shallowly immutable data.
+This was a preview feature (http://openjdk.java.net/jeps/12) in
+OpenJDK 14 & 15 and became final in OpenJDK 16.
+Sealed Classes
+Enhance the Java programming language with sealed classes and
+interfaces. Sealed classes and interfaces restrict which other classes
+or interfaces may extend or implement them.
+This was a preview feature (http://openjdk.java.net/jeps/12) in
+OpenJDK 15 & 16 and became final in OpenJDK 17.
+Restore Always-Strict Floating-Point Semantics
+Make floating-point operations consistently strict, rather than have
+both strict floating-point semantics (`strictfp`) and subtly different
+default floating-point semantics. This will restore the original
+floating-point semantics to the language and VM, matching the
+semantics before the introduction of strict and default floating-point
+modes in Java SE 1.2.
+Pattern Matching for switch
+Enhance the Java programming language with pattern matching for
+`switch` expressions and statements, along with extensions to the
+language of patterns. Extending pattern matching to `switch` allows an
+expression to be tested against a number of patterns, each with a
+specific action, so that complex data-oriented queries can be
+expressed concisely and safely.
+This is a preview feature (http://openjdk.java.net/jeps/12) in OpenJDK
+Library Features
+JVM Constants API
+Introduce an API to model nominal descriptions of key class-file and
+run-time artifacts, in particular constants that are loadable from the
+constant pool.
+Reimplement the Legacy Socket API
+Replace the underlying implementation used by the `java.net.Socket`
+and `java.net.ServerSocket` APIs with a simpler and more modern
+implementation that is easy to maintain and debug. The new
+implementation will be easy to adapt to work with user-mode threads,
+a.k.a. fibers, currently being explored in Project Loom
+JFR Event Streaming
+Expose JDK Flight Recorder data for continuous monitoring.
+Non-Volatile Mapped Byte Buffers
+Add new JDK-specific file mapping modes so that the `FileChannel` API
+can be used to create `MappedByteBuffer` instances that refer to
+non-volatile memory.
+Helpful NullPointerExceptions
+Improve the usability of `NullPointerException`s generated by the JVM
+by describing precisely which variable was `null`.
+Foreign-Memory Access API
+Introduce an API to allow Java programs to safely and efficiently
+access foreign memory outside of the Java heap.
+This was a incubation feature (https://openjdk.java.net/jeps/11) in
+OpenJDK 14, 15 & 16, now superseded by the Foreign Function & Memory
+API in OpenJDK 17 (see below).
+Edwards-Curve Digital Signature Algorithm (EdDSA)
+Implement cryptographic signatures using the Edwards-Curve Digital
+Signature Algorithm (EdDSA) as described by RFC 8032
+Hidden Classes
+Introduce hidden classes, which are classes that cannot be used
+directly by the bytecode of other classes. Hidden classes are intended
+for use by frameworks that generate classes at run time and use them
+indirectly, via reflection. A hidden class may be defined as a member
+of an access control nest (https://openjdk.java.net/jeps/181), and may
+be unloaded independently of other classes.
+Reimplement the Legacy DatagramSocket API
+Replace the underlying implementations of the
+`java.net.DatagramSocket` and `java.net.MulticastSocket` APIs with
+simpler and more modern implementations that are easy to maintain and
+debug. The new implementations will be easy to adapt to work with
+virtual threads, currently being explored in Project Loom
+(https://openjdk.java.net/projects/loom). This is a follow-on to JEP
+353 (see above), which already reimplemented the legacy Socket API.
+Vector API
+Provide an initial iteration of an incubator module,
+`jdk.incubator.vector`, to express vector computations that reliably
+compile at runtime to optimal vector hardware instructions on
+supported CPU architectures and thus achieve superior performance to
+equivalent scalar computations.
+This is an incubation feature (https://openjdk.java.net/jeps/11)
+introduced in OpenJDK 16.
+Unix-Domain Socket Channels
+Add Unix-domain (`AF_UNIX`) socket support to the socket channel and
+server-socket channel APIs in the `java.nio.channels` package. Extend
+the inherited channel mechanism to support Unix-domain socket channels
+and server socket channels.
+Foreign Linker API (Incubator)
+Introduce an API that offers statically-typed, pure-Java access to
+native code. This API, together with the Foreign-Memory API (see
+above), will considerably simplify the otherwise error-prone process
+of binding to a native library.
+This was an incubation feature (https://openjdk.java.net/jeps/11)
+introduced in OpenJDK 16, now superseded by the Foreign Function &
+Memory API in OpenJDK 17 (see below).
+Strongly Encapsulate JDK Internals by Default
+Strongly encapsulate all internal elements of the JDK by default,
+except for critical internal APIs such as `sun.misc.Unsafe`. It will
+no longer be possible to relax the strong encapsulation of internal
+elements via a single command-line option, as was possible in OpenJDK
+9 through 16.
+Enhanced Pseudo-Random Number Generators
+Provide new interface types and implementations for pseudo-random
+number generators (PRNGs), including jumpable PRNGs and an additional
+class of splittable PRNG algorithms (LXM).
+Foreign Function & Memory API
+Introduce an API by which Java programs can interoperate with code and
+data outside of the Java runtime. By efficiently invoking foreign
+functions (i.e., code outside the JVM), and by safely accessing
+foreign memory (i.e., memory not managed by the JVM), the API enables
+Java programs to call native libraries and process native data without
+the brittleness and danger of JNI.
+This API is an incubation feature (https://openjdk.java.net/jeps/11)
+introduced in OpenJDK 17, and is an evolution of the Foreign Memory
+Access API (OpenJDK 14 through 16) and Foreign Linker API (OpenJDK
+16) (see above).
+Context-Specific Deserialization Filters
+Allow applications to configure context-specific and
+dynamically-selected deserialization filters via a JVM-wide filter
+factory that is invoked to select a filter for each individual
+deserialization operation.
+Packaging Tool
+Provide the `jpackage` tool, for packaging self-contained Java
+JVM Features
+Shenandoah: A Low-Pause-Time Garbage Collector
+Add a new garbage collection (GC) algorithm named Shenandoah which
+reduces GC pause times by doing evacuation work concurrently with the
+running Java threads. Pause times with Shenandoah are independent of
+heap size, meaning you will have the same consistent pause times
+whether your heap is 200 MB or 200 GB.
+Shenandoah has been provided in Red Hat builds of OpenJDK 8 since
+8u131 in April 2017 and in all 11u builds.
+Upstream, it was introduced in OpenJDK 12 as an experimental feature
+and became a production feature in OpenJDK 15. It was backported to
+OpenJDK 11 with the 11.0.9 release in October 2020.
+Abortable Mixed Collections for G1
+Make G1 mixed collections abortable if they might exceed the pause
+Promptly Return Unused Committed Memory from G1
+Enhance the G1 garbage collector to automatically return Java heap
+memory to the operating system when idle.
+Dynamic CDS Archives
+Extend application class-data sharing to allow the dynamic archiving
+of classes at the end of Java application execution. The archived
+classes will include all loaded application classes and library
+classes that are not present in the default, base-layer CDS archive.
+ZGC: Uncommit Unused Memory (Experimental)
+Enhance ZGC to return unused heap memory to the operating system.
+NUMA-Aware Memory Allocation for G1
+Improve G1 performance on large machines by implementing NUMA-aware
+memory allocation.
+ZGC on macOS (Experimental)
+Port the ZGC garbage collector to macOS.
+ZGC on Windows (Experimental)
+Port the ZGC garbage collector to Windows.
+ZGC: A Scalable Low-Latency Garbage Collector (Production)
+Change the Z Garbage Collector from an experimental feature into a
+product feature.
+ZGC: Concurrent Thread-Stack Processing
+Move ZGC thread-stack processing from safepoints to a concurrent
+Elastic Metaspace
+Return unused HotSpot class-metadata (i.e., metaspace) memory to the
+operating system more promptly, reduce metaspace footprint, and
+simplify the metaspace code in order to reduce maintenance costs.
+Alpine Linux Port
+Port the JDK to Alpine Linux, and to other Linux distributions that
+use musl as their primary C library, on both the x64 and AArch64
+Windows/AArch64 Port
+Port the JDK to Windows/AArch64.
+New macOS Rendering Pipeline
+Implement a Java 2D internal rendering pipeline for macOS using the
+Apple Metal API as alternative to the existing pipeline, which uses
+the deprecated Apple OpenGL API.
+macOS/AArch64 Port
+Port the JDK to macOS/AArch64.
+Deprecate the ParallelScavenge + SerialOld GC Combination
+Deprecate the combination of the Parallel Scavenge and Serial Old
+garbage collection algorithms.
+Deprecate and Disable Biased Locking
+Disable biased locking by default, and deprecate all related
+command-line options.
+Warnings for Value-Based Classes
+Designate the primitive wrapper classes as value-based and deprecate
+their constructors for removal, prompting new deprecation
+warnings. Provide warnings about improper attempts to synchronize on
+instances of any value-based classes in the Java Platform.
+Deprecate the Applet API for Removal
+Deprecate the Applet API for removal. It is essentially irrelevant
+since all web-browser vendors have either removed support for Java
+browser plug-ins or announced plans to do so.
+Deprecate the Security Manager for Removal
+Deprecate the Security Manager for removal in a future release. The
+Security Manager dates from Java 1.0. It has not been the primary
+means of securing client-side Java code for many years, and it has
+rarely been used to secure server-side code. To move Java forward, we
+intend to deprecate the Security Manager for removal in concert with
+the legacy Applet API (see above). .
+Remove the Concurrent Mark Sweep (CMS) Garbage Collector
+Remove the Concurrent Mark Sweep (CMS) garbage collector.
+Remove the Pack200 Tools and API
+Remove the `pack200` and `unpack200` tools, and the `Pack200` API in
+the `java.util.jar` package. These tools and API were deprecated for
+removal in OpenJDK 11 with the express intent to remove them in a
+future release.
+Remove the Nashorn JavaScript Engine
+Remove the Nashorn JavaScript script engine and APIs, and the `jjs`
+tool. The engine, the APIs, and the tool were deprecated for removal
+in OpenJDK 11 with the express intent to remove them in a future
+Remove the Solaris and SPARC Ports
+Remove the source code and build support for the Solaris/SPARC,
+Solaris/x64, and Linux/SPARC ports. These ports were deprecated for
+removal in OpenJDK 14 (JEP 362) and removed in OpenJDK 15 (JEP 381).
+Remove RMI Activation
+Remove the Remote Method Invocation (RMI) Activation mechanism, while
+preserving the rest of RMI. RMI Activation is an obsolete part of RMI
+that has been optional since OpenJDK 8 and was deprecated in OpenJDK
+Remove the Experimental AOT and JIT Compiler
+Remove the experimental Java-based ahead-of-time (AOT) and
+just-in-time (JIT) compiler. This compiler has seen little use since
+its introduction and the effort required to maintain it is
+significant. Retain the experimental Java-level JVM compiler
+interface (JVMCI) so that developers can continue to use
+externally-built versions of the compiler for JIT compilation.
diff --git a/TestCryptoLevel.java b/TestCryptoLevel.java
new file mode 100644
index 0000000..b32b7ae
--- /dev/null
+++ b/TestCryptoLevel.java
@@ -0,0 +1,72 @@
+/* TestCryptoLevel -- Ensure unlimited crypto policy is in use.
+ Copyright (C) 2012 Red Hat, Inc.
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+GNU Affero General Public License for more details.
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see .
+import java.lang.reflect.Field;
+import java.lang.reflect.Method;
+import java.lang.reflect.InvocationTargetException;
+import java.security.Permission;
+import java.security.PermissionCollection;
+public class TestCryptoLevel
+ public static void main(String[] args)
+ throws NoSuchFieldException, ClassNotFoundException,
+ IllegalAccessException, InvocationTargetException
+ {
+ Class> cls = null;
+ Method def = null, exempt = null;
+ try
+ {
+ cls = Class.forName("javax.crypto.JceSecurity");
+ }
+ catch (ClassNotFoundException ex)
+ {
+ System.err.println("Running a non-Sun JDK.");
+ System.exit(0);
+ }
+ try
+ {
+ def = cls.getDeclaredMethod("getDefaultPolicy");
+ exempt = cls.getDeclaredMethod("getExemptPolicy");
+ }
+ catch (NoSuchMethodException ex)
+ {
+ System.err.println("Running IcedTea with the original crypto patch.");
+ System.exit(0);
+ }
+ def.setAccessible(true);
+ exempt.setAccessible(true);
+ PermissionCollection defPerms = (PermissionCollection) def.invoke(null);
+ PermissionCollection exemptPerms = (PermissionCollection) exempt.invoke(null);
+ Class> apCls = Class.forName("javax.crypto.CryptoAllPermission");
+ Field apField = apCls.getDeclaredField("INSTANCE");
+ apField.setAccessible(true);
+ Permission allPerms = (Permission) apField.get(null);
+ if (defPerms.implies(allPerms) && (exemptPerms == null || exemptPerms.implies(allPerms)))
+ {
+ System.err.println("Running with the unlimited policy.");
+ System.exit(0);
+ }
+ else
+ {
+ System.err.println("WARNING: Running with a restricted crypto policy.");
+ System.exit(-1);
+ }
+ }
diff --git a/TestECDSA.java b/TestECDSA.java
new file mode 100644
index 0000000..6eb9cb2
--- /dev/null
+++ b/TestECDSA.java
@@ -0,0 +1,49 @@
+/* TestECDSA -- Ensure ECDSA signatures are working.
+ Copyright (C) 2016 Red Hat, Inc.
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+GNU Affero General Public License for more details.
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see .
+import java.math.BigInteger;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.Signature;
+ * @test
+ */
+public class TestECDSA {
+ public static void main(String[] args) throws Exception {
+ KeyPairGenerator keyGen = KeyPairGenerator.getInstance("EC");
+ KeyPair key = keyGen.generateKeyPair();
+ byte[] data = "This is a string to sign".getBytes("UTF-8");
+ Signature dsa = Signature.getInstance("NONEwithECDSA");
+ dsa.initSign(key.getPrivate());
+ dsa.update(data);
+ byte[] sig = dsa.sign();
+ System.out.println("Signature: " + new BigInteger(1, sig).toString(16));
+ Signature dsaCheck = Signature.getInstance("NONEwithECDSA");
+ dsaCheck.initVerify(key.getPublic());
+ dsaCheck.update(data);
+ boolean success = dsaCheck.verify(sig);
+ if (!success) {
+ throw new RuntimeException("Test failed. Signature verification error");
+ }
+ System.out.println("Test passed.");
+ }
diff --git a/TestSecurityProperties.java b/TestSecurityProperties.java
new file mode 100644
index 0000000..06a0b07
--- /dev/null
+++ b/TestSecurityProperties.java
@@ -0,0 +1,43 @@
+import java.io.File;
+import java.io.FileInputStream;
+import java.security.Security;
+import java.util.Properties;
+public class TestSecurityProperties {
+ // JDK 11
+ private static final String JDK_PROPS_FILE_JDK_11 = System.getProperty("java.home") + "/conf/security/java.security";
+ // JDK 8
+ private static final String JDK_PROPS_FILE_JDK_8 = System.getProperty("java.home") + "/lib/security/java.security";
+ public static void main(String[] args) {
+ Properties jdkProps = new Properties();
+ loadProperties(jdkProps);
+ for (Object key: jdkProps.keySet()) {
+ String sKey = (String)key;
+ String securityVal = Security.getProperty(sKey);
+ String jdkSecVal = jdkProps.getProperty(sKey);
+ if (!securityVal.equals(jdkSecVal)) {
+ String msg = "Expected value '" + jdkSecVal + "' for key '" +
+ sKey + "'" + " but got value '" + securityVal + "'";
+ throw new RuntimeException("Test failed! " + msg);
+ } else {
+ System.out.println("DEBUG: " + sKey + " = " + jdkSecVal + " as expected.");
+ }
+ }
+ System.out.println("TestSecurityProperties PASSED!");
+ }
+ private static void loadProperties(Properties props) {
+ String javaVersion = System.getProperty("java.version");
+ System.out.println("Debug: Java version is " + javaVersion);
+ String propsFile = JDK_PROPS_FILE_JDK_11;
+ if (javaVersion.startsWith("1.8.0")) {
+ propsFile = JDK_PROPS_FILE_JDK_8;
+ }
+ try (FileInputStream fin = new FileInputStream(new File(propsFile))) {
+ props.load(fin);
+ } catch (Exception e) {
+ throw new RuntimeException("Test failed!", e);
+ }
+ }
diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec
new file mode 100644
index 0000000..bd2d867
--- /dev/null
+++ b/java-17-openjdk.spec
@@ -0,0 +1,2360 @@
+# RPM conditionals so as to be able to dynamically produce
+# slowdebug/release builds. See:
+# http://rpm.org/user_doc/conditional_builds.html
+# Examples:
+# Produce release, fastdebug *and* slowdebug builds on x86_64 (default):
+# $ rpmbuild -ba java-17-openjdk.spec
+# Produce only release builds (no debug builds) on x86_64:
+# $ rpmbuild -ba java-17-openjdk.spec --without slowdebug --without fastdebug
+# Only produce a release build on x86_64:
+# $ fedpkg mockbuild --without slowdebug --without fastdebug
+# Enable fastdebug builds by default on relevant arches.
+%bcond_without fastdebug
+# Enable slowdebug builds by default on relevant arches.
+%bcond_without slowdebug
+# Enable release builds by default on relevant arches.
+%bcond_without release
+# Enable static library builds by default.
+%bcond_without staticlibs
+# Workaround for stripping of debug symbols from static libraries
+%if %{with staticlibs}
+%define __brp_strip_static_archive %{nil}
+%global include_staticlibs 1
+%global include_staticlibs 0
+# The -g flag says to use strip -g instead of full strip on DSOs or EXEs.
+# This fixes detailed NMT and other tools which need minimal debug info.
+# See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879
+%global _find_debuginfo_opts -g
+# With LTO flags enabled, debuginfo checks fail for some reason. Disable
+# LTO for a passing build. This really needs to be looked at.
+%define _lto_cflags %{nil}
+# note: parametrized macros are order-sensitive (unlike not-parametrized) even with normal macros
+# also necessary when passing it as parameter to other macros. If not macro, then it is considered a switch
+# see the difference between global and define:
+# See https://github.com/rpm-software-management/rpm/issues/127 to comments at "pmatilai commented on Aug 18, 2017"
+# (initiated in https://bugzilla.redhat.com/show_bug.cgi?id=1482192)
+%global debug_suffix_unquoted -slowdebug
+%global fastdebug_suffix_unquoted -fastdebug
+%global main_suffix_unquoted -main
+%global staticlibs_suffix_unquoted -staticlibs
+# quoted one for shell operations
+%global debug_suffix "%{debug_suffix_unquoted}"
+%global fastdebug_suffix "%{fastdebug_suffix_unquoted}"
+%global normal_suffix ""
+%global main_suffix "%{main_suffix_unquoted}"
+%global staticlibs_suffix "%{staticlibs_suffix_unquoted}"
+%global debug_warning This package is unoptimised with full debugging. Install only as needed and remove ASAP.
+%global fastdebug_warning This package is optimised with full debugging. Install only as needed and remove ASAP.
+%global debug_on unoptimised with full debugging on
+%global fastdebug_on optimised with full debugging on
+%global for_fastdebug for packages with debugging on and optimisation
+%global for_debug for packages with debugging on and no optimisation
+%if %{with release}
+%global include_normal_build 1
+%global include_normal_build 0
+%if %{include_normal_build}
+%global normal_build %{normal_suffix}
+%global normal_build %{nil}
+# We have hardcoded list of files, which is appearing in alternatives, and in files
+# in alternatives those are slaves and master, very often triplicated by man pages
+# in files all masters and slaves are ghosted
+# the ghosts are here to allow installation via query like `dnf install /usr/bin/java`
+# you can list those files, with appropriate sections: cat *.spec | grep -e --install -e --slave -e post_ -e alternatives
+# TODO - fix those hardcoded lists via single list
+# Those files must *NOT* be ghosted for *slowdebug* packages
+# FIXME - if you are moving jshell or jlink or similar, always modify all three sections
+# you can check via headless and devels:
+# rpm -ql --noghost java-11-openjdk-headless- | grep bin
+# == rpm -ql java-11-openjdk-headless-slowdebug- | grep bin
+# != rpm -ql java-11-openjdk-headless- | grep bin
+# similarly for other %%{_jvmdir}/{jre,java} and %%{_javadocdir}/{java,java-zip}
+%define is_release_build() %( if [ "%{?1}" == "%{debug_suffix_unquoted}" -o "%{?1}" == "%{fastdebug_suffix_unquoted}" ]; then echo "0" ; else echo "1"; fi )
+# while JDK is a techpreview(is_system_jdk=0), some provides are turned off. Once jdk stops to be an techpreview, move it to 1
+# as sytem JDK, we mean any JDK which can run whole system java stack without issues (like bytecode issues, module issues, dependencies...)
+%global is_system_jdk 0
+%global aarch64 aarch64 arm64 armv8
+# we need to distinguish between big and little endian PPC64
+%global ppc64le ppc64le
+%global ppc64be ppc64 ppc64p7
+# Set of architectures which support multiple ABIs
+%global multilib_arches %{power64} sparc64 x86_64
+# Set of architectures for which we build debug builds
+%global debug_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} s390x
+# Set of architectures with a Just-In-Time (JIT) compiler
+%global jit_arches %{debug_arches} %{arm}
+# Set of architectures which run a full bootstrap cycle
+%global bootstrap_arches %{jit_arches}
+# Set of architectures which support SystemTap tapsets
+%global systemtap_arches %{jit_arches}
+# Set of architectures with a Ahead-Of-Time (AOT) compiler
+%global aot_arches x86_64 %{aarch64}
+%global fastdebug_arches x86_64 ppc64le aarch64
+# Set of architectures which support the serviceability agent
+%global sa_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} %{arm}
+# Set of architectures which support class data sharing
+# See https://bugzilla.redhat.com/show_bug.cgi?id=513605
+# MetaspaceShared::generate_vtable_methods is not implemented for the PPC JIT
+%global share_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{arm} s390x
+# Set of architectures for which we build the Shenandoah garbage collector
+%global shenandoah_arches x86_64 %{aarch64}
+# Set of architectures for which we build the Z garbage collector
+%global zgc_arches x86_64
+# Set of architectures for which alt-java has SSB mitigation
+%global ssbd_arches x86_64
+# Set of architectures for which java has short vector math library (libsvml.so)
+%global svml_arches x86_64
+# By default, we build a debug build during main build on JIT architectures
+%if %{with slowdebug}
+%ifarch %{debug_arches}
+%global include_debug_build 1
+%global include_debug_build 0
+%global include_debug_build 0
+# On certain architectures, we compile the Shenandoah GC
+%ifarch %{shenandoah_arches}
+%global use_shenandoah_hotspot 1
+%global use_shenandoah_hotspot 0
+# By default, we build a fastdebug build during main build only on fastdebug architectures
+%if %{with fastdebug}
+%ifarch %{fastdebug_arches}
+%global include_fastdebug_build 1
+%global include_fastdebug_build 0
+%global include_fastdebug_build 0
+%if %{include_debug_build}
+%global slowdebug_build %{debug_suffix}
+%global slowdebug_build %{nil}
+%if %{include_fastdebug_build}
+%global fastdebug_build %{fastdebug_suffix}
+%global fastdebug_build %{nil}
+# If you disable both builds, then the build fails
+# Build and test slowdebug first as it provides the best diagnostics
+%global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build}
+%if %{include_staticlibs}
+%global staticlibs_loop %{staticlibs_suffix}
+%global staticlibs_loop %{nil}
+%ifarch %{bootstrap_arches}
+%global bootstrap_build true
+%global bootstrap_build false
+%if %{include_staticlibs}
+# Extra target for producing the static-libraries. Separate from
+# other targets since this target is configured to use in-tree
+# AWT dependencies: lcms, libjpeg, libpng, libharfbuzz, giflib
+# and possibly others
+%global static_libs_target static-libs-image
+%global static_libs_target %{nil}
+# RPM JDK builds keep the debug symbols internal, to be later stripped by RPM
+%global debug_symbols internal
+# unlike portables,the rpms have to use static_libs_target very dynamically
+%global bootstrap_targets images
+%global release_targets images docs-zip
+# No docs nor bootcycle for debug builds
+%global debug_targets images
+# Filter out flags from the optflags macro that cause problems with the OpenJDK build
+# We filter out -O flags so that the optimization of HotSpot is not lowered from O3 to O2
+# We filter out -Wall which will otherwise cause HotSpot to produce hundreds of thousands of warnings (100+mb logs)
+# We replace it with -Wformat (required by -Werror=format-security) and -Wno-cpp to avoid FORTIFY_SOURCE warnings
+# We filter out -fexceptions as the HotSpot build explicitly does -fno-exceptions and it's otherwise the default for C++
+%global ourflags %(echo %optflags | sed -e 's|-Wall|-Wformat -Wno-cpp|' | sed -r -e 's|-O[0-9]*||')
+%global ourcppflags %(echo %ourflags | sed -e 's|-fexceptions||')
+%global ourldflags %{__global_ldflags}
+# With disabled nss is NSS deactivated, so NSS_LIBDIR can contain the wrong path
+# the initialization must be here. Later the pkg-config have buggy behavior
+# looks like openjdk RPM specific bug
+# Always set this so the nss.cfg file is not broken
+%global NSS_LIBDIR %(pkg-config --variable=libdir nss)
+# In some cases, the arch used by the JDK does
+# not match _arch.
+# Also, in some cases, the machine name used by SystemTap
+# does not match that given by _build_cpu
+%ifarch x86_64
+%global archinstall amd64
+%ifarch ppc
+%global archinstall ppc
+%ifarch %{ppc64be}
+%global archinstall ppc64
+%ifarch %{ppc64le}
+%global archinstall ppc64le
+%ifarch %{ix86}
+%global archinstall i686
+%ifarch ia64
+%global archinstall ia64
+%ifarch s390
+%global archinstall s390
+%ifarch s390x
+%global archinstall s390x
+%ifarch %{arm}
+%global archinstall arm
+%ifarch %{aarch64}
+%global archinstall aarch64
+# 32 bit sparc, optimized for v9
+%ifarch sparcv9
+%global archinstall sparc
+# 64 bit sparc
+%ifarch sparc64
+%global archinstall sparcv9
+%ifnarch %{jit_arches}
+%global archinstall %{_arch}
+%ifarch %{systemtap_arches}
+%global with_systemtap 1
+%global with_systemtap 0
+# New Version-String scheme-style defines
+%global featurever 17
+%global interimver 0
+%global updatever 1
+%global patchver 0
+# If you bump featurever, you must also bump vendor_version_string
+# Used via new version scheme. JDK 17 was
+# GA'ed in September 2021 => 21.9
+%global vendor_version_string 21.9
+# buildjdkver is usually same as %%{featurever},
+# but in time of bootstrap of next jdk, it is featurever-1,
+# and this it is better to change it here, on single place
+%global buildjdkver 17
+# We don't add any LTS designator for STS packages (this package).
+# Neither for Fedora nor EPEL which would have %%{rhel} macro defined.
+ %global lts_designator ""
+ %global lts_designator_zip ""
+# Define IcedTea version used for SystemTap tapsets and desktop file
+%global icedteaver 6.0.0pre00-c848b93a8598
+# Standard JPackage naming and versioning defines
+%global origin openjdk
+%global origin_nice OpenJDK
+%global top_level_dir_name %{origin}
+%global top_level_dir_name_backup %{top_level_dir_name}-backup
+%global buildver 12
+%global rpmrelease 8
+# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
+%if %is_system_jdk
+# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
+# It is very unlikely we will ever have a patch version > 4 or a build version > 20, so we combine as (patch * 20) + build.
+# This means would have had a priority of 11000911 as before
+# A would have had a priority of 11000921 (20 * 1 + 1), thus ensuring it is bigger than
+%global combiver $( expr 20 '*' %{patchver} + %{buildver} )
+%global priority %( printf '%02d%02d%02d%02d' %{featurever} %{interimver} %{updatever} %{combiver} )
+# for techpreview, using 1, so slowdebugs can have 0
+%global priority %( printf '%08d' 1 )
+%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver}
+%global javaver %{featurever}
+# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames
+%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn})
+# Define milestone (EA for pre-releases, GA for releases)
+# Release will be (where N is usually a number starting at 1):
+# - 0.N%%{?extraver}%%{?dist} for EA releases,
+# - N%%{?extraver}{?dist} for GA releases
+%global is_ga 1
+%if %{is_ga}
+%global build_type GA
+%global expected_ea_designator ""
+%global ea_designator_zip ""
+%global extraver %{nil}
+%global eaprefix %{nil}
+%global build_type EA
+%global expected_ea_designator ea
+%global ea_designator_zip -%{expected_ea_designator}
+%global extraver .%{expected_ea_designator}
+%global eaprefix 0.
+# Define what url should JVM offer in case of a crash report
+# order may be important, epel may have rhel declared
+%if 0%{?epel}
+%global bugs https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora%20EPEL&component=%{name}&version=epel%{epel}
+%if 0%{?fedora}
+# Does not work for rawhide, keeps the version field empty
+%global bugs https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=%{name}&version=%{fedora}
+%if 0%{?rhel}
+%global bugs https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%20%{rhel}&component=%{name}
+%global bugs https://bugzilla.redhat.com/enter_bug.cgi
+# parametrized macros are order-sensitive
+%global compatiblename java-%{featurever}-%{origin}
+%global fullversion %{compatiblename}-%{version}-%{release}
+# images directories from upstream build
+%global jdkimage jdk
+%global static_libs_image static-libs
+# output dir stub
+%define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}}
+# we can copy the javadoc to not arched dir, or make it not noarch
+%define uniquejavadocdir() %{expand:%{fullversion}.%{_arch}%{?1}}
+# main id and dir of this jdk
+%define uniquesuffix() %{expand:%{fullversion}.%{_arch}%{?1}}
+# fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349
+# https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14
+# https://bugzilla.redhat.com/show_bug.cgi?id=1655938
+%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsystemconf[.]so.*|libzip[.]so.*
+%global _publiclibs libjawt[.]so.*|libjava[.]so.*|libjvm[.]so.*|libverify[.]so.*|libjsig[.]so.*
+%if %is_system_jdk
+%global __provides_exclude ^(%{_privatelibs})$
+%global __requires_exclude ^(%{_privatelibs})$
+# Never generate lib-style provides/requires for any debug packages
+%global __provides_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$
+%global __requires_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$
+%global __provides_exclude_from ^.*/%{uniquesuffix -- %{fastdebug_suffix_unquoted}}/.*$
+%global __requires_exclude_from ^.*/%{uniquesuffix -- %{fastdebug_suffix_unquoted}}/.*$
+# Don't generate provides/requires for JDK provided shared libraries at all.
+%global __provides_exclude ^(%{_privatelibs}|%{_publiclibs})$
+%global __requires_exclude ^(%{_privatelibs}|%{_publiclibs})$
+%global etcjavasubdir %{_sysconfdir}/java/java-%{javaver}-%{origin}
+%define etcjavadir() %{expand:%{etcjavasubdir}/%{uniquesuffix -- %{?1}}}
+# Standard JPackage directories and symbolic links.
+%define sdkdir() %{expand:%{uniquesuffix -- %{?1}}}
+%define jrelnk() %{expand:jre-%{javaver}-%{origin}-%{version}-%{release}.%{_arch}%{?1}}
+%define sdkbindir() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin}
+%define jrebindir() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin}
+%global alt_java_name alt-java
+%global rpm_state_dir %{_localstatedir}/lib/rpm-state/
+# For flatpack builds hard-code /usr/sbin/alternatives,
+# otherwise use %%{_sbindir} relative path.
+%if 0%{?flatpak}
+%global alternatives_requires /usr/sbin/alternatives
+%global alternatives_requires %{_sbindir}/alternatives
+%if %{with_systemtap}
+# Where to install systemtap tapset (links)
+# We would like these to be in a package specific sub-dir,
+# but currently systemtap doesn't support that, so we have to
+# use the root tapset dir for now. To distinguish between 64
+# and 32 bit architectures we place the tapsets under the arch
+# specific dir (note that systemtap will only pickup the tapset
+# for the primary arch for now). Systemtap uses the machine name
+# aka build_cpu as architecture specific directory name.
+%global tapsetroot /usr/share/systemtap
+%global tapsetdirttapset %{tapsetroot}/tapset/
+%global tapsetdir %{tapsetdirttapset}/%{_build_cpu}
+# not-duplicated scriptlets for normal/debug packages
+%global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
+%define post_script() %{expand:
+update-desktop-database %{_datadir}/applications &> /dev/null || :
+/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || :
+exit 0
+%define alternatives_java_install() %{expand:
+if [ "%{?1}" == %{debug_suffix} ]; then
+alternatives \\
+ --install %{_bindir}/java java %{jrebindir -- %{?1}}/java $PRIORITY --family %{name}.%{_arch} \\
+ --slave %{_jvmdir}/jre jre %{_jvmdir}/%{sdkdir -- %{?1}} \\
+ --slave %{_bindir}/%{alt_java_name} %{alt_java_name} %{jrebindir -- %{?1}}/%{alt_java_name} \\
+ --slave %{_bindir}/keytool keytool %{jrebindir -- %{?1}}/keytool \\
+ --slave %{_bindir}/rmiregistry rmiregistry %{jrebindir -- %{?1}}/rmiregistry \\
+ --slave %{_mandir}/man1/java.1$ext java.1$ext \\
+ %{_mandir}/man1/java-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/%{alt_java_name}.1$ext %{alt_java_name}.1$ext \\
+ %{_mandir}/man1/%{alt_java_name}-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/keytool.1$ext keytool.1$ext \\
+ %{_mandir}/man1/keytool-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/rmiregistry.1$ext rmiregistry.1$ext \\
+ %{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1$ext
+for X in %{origin} %{javaver} ; do
+ alternatives --install %{_jvmdir}/jre-"$X" jre_"$X" %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{name}.%{_arch}
+alternatives --install %{_jvmdir}/jre-%{javaver}-%{origin} jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} $PRIORITY --family %{name}.%{_arch}
+%define post_headless() %{expand:
+%ifarch %{share_arches}
+%{jrebindir -- %{?1}}/java -Xshare:dump >/dev/null 2>/dev/null
+update-desktop-database %{_datadir}/applications &> /dev/null || :
+/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || :
+# see pretrans where this file is declared
+# also see that pretrans is only for non-debug
+if [ ! "%{?1}" == %{debug_suffix} ]; then
+ if [ -f %{_libexecdir}/copy_jdk_configs_fixFiles.sh ] ; then
+ sh %{_libexecdir}/copy_jdk_configs_fixFiles.sh %{rpm_state_dir}/%{name}.%{_arch} %{_jvmdir}/%{sdkdir -- %{?1}}
+ fi
+exit 0
+%define postun_script() %{expand:
+update-desktop-database %{_datadir}/applications &> /dev/null || :
+if [ $1 -eq 0 ] ; then
+ /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null
+ %{update_desktop_icons}
+exit 0
+%define postun_headless() %{expand:
+ alternatives --remove java %{jrebindir -- %{?1}}/java
+ alternatives --remove jre_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}}
+ alternatives --remove jre_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}}
+ alternatives --remove jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}}
+%define posttrans_script() %{expand:
+%define alternatives_javac_install() %{expand:
+if [ "%{?1}" == %{debug_suffix} ]; then
+alternatives \\
+ --install %{_bindir}/javac javac %{sdkbindir -- %{?1}}/javac $PRIORITY --family %{name}.%{_arch} \\
+ --slave %{_jvmdir}/java java_sdk %{_jvmdir}/%{sdkdir -- %{?1}} \\
+ --slave %{_bindir}/jlink jlink %{sdkbindir -- %{?1}}/jlink \\
+ --slave %{_bindir}/jmod jmod %{sdkbindir -- %{?1}}/jmod \\
+%ifarch %{sa_arches}
+ --slave %{_bindir}/jhsdb jhsdb %{sdkbindir -- %{?1}}/jhsdb \\
+ --slave %{_bindir}/jar jar %{sdkbindir -- %{?1}}/jar \\
+ --slave %{_bindir}/jarsigner jarsigner %{sdkbindir -- %{?1}}/jarsigner \\
+ --slave %{_bindir}/javadoc javadoc %{sdkbindir -- %{?1}}/javadoc \\
+ --slave %{_bindir}/javap javap %{sdkbindir -- %{?1}}/javap \\
+ --slave %{_bindir}/jcmd jcmd %{sdkbindir -- %{?1}}/jcmd \\
+ --slave %{_bindir}/jconsole jconsole %{sdkbindir -- %{?1}}/jconsole \\
+ --slave %{_bindir}/jdb jdb %{sdkbindir -- %{?1}}/jdb \\
+ --slave %{_bindir}/jdeps jdeps %{sdkbindir -- %{?1}}/jdeps \\
+ --slave %{_bindir}/jdeprscan jdeprscan %{sdkbindir -- %{?1}}/jdeprscan \\
+ --slave %{_bindir}/jfr jfr %{sdkbindir -- %{?1}}/jfr \\
+ --slave %{_bindir}/jimage jimage %{sdkbindir -- %{?1}}/jimage \\
+ --slave %{_bindir}/jinfo jinfo %{sdkbindir -- %{?1}}/jinfo \\
+ --slave %{_bindir}/jmap jmap %{sdkbindir -- %{?1}}/jmap \\
+ --slave %{_bindir}/jps jps %{sdkbindir -- %{?1}}/jps \\
+ --slave %{_bindir}/jpackage jpackage %{sdkbindir -- %{?1}}/jpackage \\
+ --slave %{_bindir}/jrunscript jrunscript %{sdkbindir -- %{?1}}/jrunscript \\
+ --slave %{_bindir}/jshell jshell %{sdkbindir -- %{?1}}/jshell \\
+ --slave %{_bindir}/jstack jstack %{sdkbindir -- %{?1}}/jstack \\
+ --slave %{_bindir}/jstat jstat %{sdkbindir -- %{?1}}/jstat \\
+ --slave %{_bindir}/jstatd jstatd %{sdkbindir -- %{?1}}/jstatd \\
+ --slave %{_bindir}/serialver serialver %{sdkbindir -- %{?1}}/serialver \\
+ --slave %{_mandir}/man1/jar.1$ext jar.1$ext \\
+ %{_mandir}/man1/jar-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jarsigner.1$ext jarsigner.1$ext \\
+ %{_mandir}/man1/jarsigner-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/javac.1$ext javac.1$ext \\
+ %{_mandir}/man1/javac-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/javadoc.1$ext javadoc.1$ext \\
+ %{_mandir}/man1/javadoc-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/javap.1$ext javap.1$ext \\
+ %{_mandir}/man1/javap-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jcmd.1$ext jcmd.1$ext \\
+ %{_mandir}/man1/jcmd-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jconsole.1$ext jconsole.1$ext \\
+ %{_mandir}/man1/jconsole-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jdb.1$ext jdb.1$ext \\
+ %{_mandir}/man1/jdb-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jdeps.1$ext jdeps.1$ext \\
+ %{_mandir}/man1/jdeps-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jinfo.1$ext jinfo.1$ext \\
+ %{_mandir}/man1/jinfo-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jmap.1$ext jmap.1$ext \\
+ %{_mandir}/man1/jmap-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jps.1$ext jps.1$ext \\
+ %{_mandir}/man1/jps-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jpackage.1$ext jpackage.1$ext \\
+ %{_mandir}/man1/jpackage-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jrunscript.1$ext jrunscript.1$ext \\
+ %{_mandir}/man1/jrunscript-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jstack.1$ext jstack.1$ext \\
+ %{_mandir}/man1/jstack-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jstat.1$ext jstat.1$ext \\
+ %{_mandir}/man1/jstat-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jstatd.1$ext jstatd.1$ext \\
+ %{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/serialver.1$ext serialver.1$ext \\
+ %{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1$ext \\
+for X in %{origin} %{javaver} ; do
+ alternatives \\
+ --install %{_jvmdir}/java-"$X" java_sdk_"$X" %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{name}.%{_arch}
+update-alternatives --install %{_jvmdir}/java-%{javaver}-%{origin} java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{name}.%{_arch}
+%define post_devel() %{expand:
+update-desktop-database %{_datadir}/applications &> /dev/null || :
+/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || :
+exit 0
+%define postun_devel() %{expand:
+ alternatives --remove javac %{sdkbindir -- %{?1}}/javac
+ alternatives --remove java_sdk_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}}
+ alternatives --remove java_sdk_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}}
+ alternatives --remove java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}}
+update-desktop-database %{_datadir}/applications &> /dev/null || :
+if [ $1 -eq 0 ] ; then
+ /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null
+ %{update_desktop_icons}
+exit 0
+%define posttrans_devel() %{expand:
+%{alternatives_javac_install -- %{?1}}
+%define alternatives_javadoc_install() %{expand:
+if [ "%{?1}" == %{debug_suffix} ]; then
+alternatives \\
+ --install %{_javadocdir}/java javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api \\
+ $PRIORITY --family %{name}
+exit 0
+%define postun_javadoc() %{expand:
+ alternatives --remove javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api
+exit 0
+%define alternatives_javadoczip_install() %{expand:
+if [ "%{?1}" == %{debug_suffix} ]; then
+alternatives \\
+ --install %{_javadocdir}/java-zip javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip \\
+ $PRIORITY --family %{name}
+exit 0
+%define postun_javadoc_zip() %{expand:
+ alternatives --remove javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip
+exit 0
+%define files_jre() %{expand:
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsplashscreen.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_xawt.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjawt.so
+%define files_jre_headless() %{expand:
+%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
+%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/NEWS
+%dir %{_sysconfdir}/.java/.systemPrefs
+%dir %{_sysconfdir}/.java
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}
+%{_jvmdir}/%{sdkdir -- %{?1}}/release
+%{_jvmdir}/%{jrelnk -- %{?1}}
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/java
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/%{alt_java_name}
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/keytool
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/rmiregistry
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib
+%ifarch %{jit_arches}
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/classlist
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jexec
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jspawnhelper
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jrt-fs.jar
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/modules
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfont.properties.ja
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfontj2d.properties
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/tzdb.dat
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjli.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jvm.cfg
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libattach.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libextnet.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjsig.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_headless.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libdt_socket.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfontmanager.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libinstrument.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2gss.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pcsc.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pkcs11.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjaas.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjava.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjavajpeg.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjdwp.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjimage.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjsound.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/liblcms.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmanagement.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmanagement_agent.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmanagement_ext.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmlib_image.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libnet.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libnio.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libprefs.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/librmi.so
+# Some architectures don't have the serviceability agent
+%ifarch %{sa_arches}
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsaproc.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsctp.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsystemconf.so
+%ifarch %{svml_arches}
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsvml.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsyslookup.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libverify.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libzip.so
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr/default.jfc
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr/profile.jfc
+%{_mandir}/man1/java-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/%{alt_java_name}-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/keytool-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1*
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/server/
+%ifarch %{share_arches}
+%attr(444, root, root) %ghost %{_jvmdir}/%{sdkdir -- %{?1}}/lib/server/classes.jsa
+%dir %{etcjavasubdir}
+%dir %{etcjavadir -- %{?1}}
+%dir %{etcjavadir -- %{?1}}/lib
+%dir %{etcjavadir -- %{?1}}/lib/security
+%{etcjavadir -- %{?1}}/lib/security/cacerts
+%dir %{etcjavadir -- %{?1}}/conf
+%dir %{etcjavadir -- %{?1}}/conf/sdp
+%dir %{etcjavadir -- %{?1}}/conf/management
+%dir %{etcjavadir -- %{?1}}/conf/security
+%dir %{etcjavadir -- %{?1}}/conf/security/policy
+%dir %{etcjavadir -- %{?1}}/conf/security/policy/limited
+%dir %{etcjavadir -- %{?1}}/conf/security/policy/unlimited
+%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/default.policy
+%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/blocked.certs
+%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/public_suffix_list.dat
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/exempt_local.policy
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/default_local.policy
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/default_US_export.policy
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/unlimited/default_local.policy
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/unlimited/default_US_export.policy
+ %{etcjavadir -- %{?1}}/conf/security/policy/README.txt
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.policy
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.security
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/logging.properties
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.cfg
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.fips.cfg
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/management/jmxremote.access
+# This is a config template, thus not config-noreplace
+%config %{etcjavadir -- %{?1}}/conf/management/jmxremote.password.template
+%config %{etcjavadir -- %{?1}}/conf/sdp/sdp.conf.template
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/management/management.properties
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/net.properties
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/sound.properties
+%{_jvmdir}/%{sdkdir -- %{?1}}/conf
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/security
+%if %is_system_jdk
+%if %{is_release_build -- %{?1}}
+%ghost %{_bindir}/java
+%ghost %{_bindir}/%{alt_java_name}
+%ghost %{_jvmdir}/jre
+%ghost %{_bindir}/keytool
+%ghost %{_bindir}/pack200
+%ghost %{_bindir}/rmid
+%ghost %{_bindir}/rmiregistry
+%ghost %{_bindir}/unpack200
+%ghost %{_jvmdir}/jre-%{origin}
+%ghost %{_jvmdir}/jre-%{javaver}
+%ghost %{_jvmdir}/jre-%{javaver}-%{origin}
+# https://bugzilla.redhat.com/show_bug.cgi?id=1820172
+# https://docs.fedoraproject.org/en-US/packaging-guidelines/Directory_Replacement/
+%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/conf.rpmmoved
+%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/lib/security.rpmmoved
+%define files_devel() %{expand:
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jar
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jarsigner
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/javac
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/javadoc
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/javap
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jconsole
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jcmd
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdb
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdeps
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdeprscan
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jfr
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jimage
+# Some architectures don't have the serviceability agent
+%ifarch %{sa_arches}
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jhsdb
+%{_mandir}/man1/jhsdb-%{uniquesuffix -- %{?1}}.1.gz
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jinfo
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jlink
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jmap
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jmod
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jps
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jpackage
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jrunscript
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jshell
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jstack
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jstat
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jstatd
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/serialver
+%{_jvmdir}/%{sdkdir -- %{?1}}/include
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/ct.sym
+%if %{with_systemtap}
+%{_jvmdir}/%{sdkdir -- %{?1}}/tapset
+%{_mandir}/man1/jar-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jarsigner-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/javac-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/javadoc-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/javap-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jconsole-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jcmd-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jdb-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jdeps-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jinfo-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jmap-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jps-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jpackage-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jrunscript-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jstack-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jstat-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jdeprscan-%{uniquesuffix -- %{?1}}.1.gz
+%{_mandir}/man1/jlink-%{uniquesuffix -- %{?1}}.1.gz
+%{_mandir}/man1/jmod-%{uniquesuffix -- %{?1}}.1.gz
+%{_mandir}/man1/jshell-%{uniquesuffix -- %{?1}}.1.gz
+%{_mandir}/man1/jfr-%{uniquesuffix -- %{?1}}.1.gz
+%if %{with_systemtap}
+%dir %{tapsetroot}
+%dir %{tapsetdirttapset}
+%dir %{tapsetdir}
+%if %is_system_jdk
+%if %{is_release_build -- %{?1}}
+%ghost %{_bindir}/javac
+%ghost %{_jvmdir}/java
+%ghost %{_jvmdir}/%{alt_java_name}
+%ghost %{_bindir}/jlink
+%ghost %{_bindir}/jmod
+%ghost %{_bindir}/jhsdb
+%ghost %{_bindir}/jar
+%ghost %{_bindir}/jarsigner
+%ghost %{_bindir}/javadoc
+%ghost %{_bindir}/javap
+%ghost %{_bindir}/jcmd
+%ghost %{_bindir}/jconsole
+%ghost %{_bindir}/jdb
+%ghost %{_bindir}/jdeps
+%ghost %{_bindir}/jdeprscan
+%ghost %{_bindir}/jimage
+%ghost %{_bindir}/jinfo
+%ghost %{_bindir}/jmap
+%ghost %{_bindir}/jps
+%ghost %{_bindir}/jrunscript
+%ghost %{_bindir}/jshell
+%ghost %{_bindir}/jstack
+%ghost %{_bindir}/jstat
+%ghost %{_bindir}/jstatd
+%ghost %{_bindir}/serialver
+%ghost %{_jvmdir}/java-%{origin}
+%ghost %{_jvmdir}/java-%{javaver}
+%ghost %{_jvmdir}/java-%{javaver}-%{origin}
+%define files_jmods() %{expand:
+%{_jvmdir}/%{sdkdir -- %{?1}}/jmods
+%define files_demo() %{expand:
+%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
+%{_jvmdir}/%{sdkdir -- %{?1}}/demo
+%{_jvmdir}/%{sdkdir -- %{?1}}/sample
+%define files_src() %{expand:
+%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/src.zip
+%define files_static_libs() %{expand:
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc/lib*.a
+%define files_javadoc() %{expand:
+%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}
+%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
+%if %is_system_jdk
+%if %{is_release_build -- %{?1}}
+%ghost %{_javadocdir}/java
+%define files_javadoc_zip() %{expand:
+%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip
+%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
+%if %is_system_jdk
+%if %{is_release_build -- %{?1}}
+%ghost %{_javadocdir}/java-zip
+# not-duplicated requires/provides/obsoletes for normal/debug packages
+%define java_rpo() %{expand:
+Requires: fontconfig%{?_isa}
+Requires: xorg-x11-fonts-Type1
+# Require libXcomposite explicitly since it's only dynamically loaded
+# at runtime. Fixes screenshot issues. See JDK-8150954.
+Requires: libXcomposite%{?_isa}
+# Requires rest of java
+Requires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+# for java-X-openjdk package's desktop binding
+%if 0%{?rhel} >= 8
+Recommends: gtk3%{?_isa}
+Provides: java-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release}
+# Standard JPackage base provides
+Provides: jre-%{javaver}%{?1} = %{epoch}:%{version}-%{release}
+Provides: jre-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}%{?1} = %{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-%{origin}%{?1} = %{epoch}:%{version}-%{release}
+Provides: jre-%{origin}%{?1} = %{epoch}:%{version}-%{release}
+Provides: java%{?1} = %{epoch}:%{version}-%{release}
+Provides: jre%{?1} = %{epoch}:%{version}-%{release}
+%define java_headless_rpo() %{expand:
+# Require /etc/pki/java/cacerts
+Requires: ca-certificates
+# Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros
+Requires: javapackages-filesystem
+# Require zone-info data provided by tzdata-java sub-package
+Requires: tzdata-java >= 2015d
+# for support of kernel stream control
+# libsctp.so.1 is being `dlopen`ed on demand
+Requires: lksctp-tools%{?_isa}
+%if ! 0%{?flatpak}
+# tool to copy jdk's configs - should be Recommends only, but then only dnf/yum enforce it,
+# not rpm transaction and so no configs are persisted when pure rpm -u is run. It may be
+# considered as regression
+Requires: copy-jdk-configs >= 4.0
+OrderWithRequires: copy-jdk-configs
+# for printing support
+Requires: cups-libs
+# Post requires alternatives to install tool alternatives
+Requires(post): %{alternatives_requires}
+# Postun requires alternatives to uninstall tool alternatives
+Requires(postun): %{alternatives_requires}
+# for optional support of kernel stream control, card reader and printing bindings
+Suggests: lksctp-tools%{?_isa}, pcsc-lite-libs%{?_isa}
+# Standard JPackage base provides
+Provides: jre-%{javaver}-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release}
+Provides: jre-%{javaver}-headless%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-headless%{?1} = %{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release}
+Provides: jre-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release}
+Provides: jre-headless%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-headless%{?1} = %{epoch}:%{version}-%{release}
+%define java_devel_rpo() %{expand:
+# Requires base package
+Requires: %{name}%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+# Post requires alternatives to install tool alternatives
+Requires(post): %{alternatives_requires}
+# Postun requires alternatives to uninstall tool alternatives
+Requires(postun): %{alternatives_requires}
+# Standard JPackage devel provides
+Provides: java-sdk-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-sdk-%{javaver}%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-devel%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-%{origin}-devel%{?1} = %{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-devel-%{origin}%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-sdk-%{origin}%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-devel%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-sdk%{?1} = %{epoch}:%{version}-%{release}
+%define java_static_libs_rpo() %{expand:
+Requires: %{name}-devel%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+%define java_jmods_rpo() %{expand:
+# Requires devel package
+# as jmods are bytecode, they should be OK without any _isa
+Requires: %{name}-devel%{?1} = %{epoch}:%{version}-%{release}
+OrderWithRequires: %{name}-headless%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-jmods%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-%{origin}-jmods%{?1} = %{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-jmods%{?1} = %{epoch}:%{version}-%{release}
+%define java_demo_rpo() %{expand:
+Requires: %{name}%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-demo%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-%{origin}-demo%{?1} = %{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-demo%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{origin}-demo%{?1} = %{epoch}:%{version}-%{release}
+%define java_javadoc_rpo() %{expand:
+OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+# Post requires alternatives to install javadoc alternative
+Requires(post): %{alternatives_requires}
+# Postun requires alternatives to uninstall javadoc alternative
+Requires(postun): %{alternatives_requires}
+# Standard JPackage javadoc provides
+Provides: java-%{javaver}-javadoc%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-%{origin}-javadoc%{?1} = %{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-javadoc%{?1} = %{epoch}:%{version}-%{release}
+%define java_src_rpo() %{expand:
+Requires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+# Standard JPackage sources provides
+Provides: java-%{javaver}-src%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-%{origin}-src%{?1} = %{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-src%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{origin}-src%{?1} = %{epoch}:%{version}-%{release}
+# Prevent brp-java-repack-jars from being run
+%global __jar_repack 0
+Name: java-17-%{origin}
+Version: %{newjavaver}.%{buildver}
+Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist}
+# java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons
+# and this change was brought into RHEL-4. java-1.5.0-ibm packages
+# also included the epoch in their virtual provides. This created a
+# situation where in-the-wild java-1.5.0-ibm packages provided "java =
+# 1:1.5.0". In RPM terms, "1.6.0 < 1:1.5.0" since 1.6.0 is
+# interpreted as 0:1.6.0. So the "java >= 1.6.0" requirement would be
+# satisfied by the 1:1.5.0 packages. Thus we need to set the epoch in
+# JDK package >= 1.6.0 to 1, and packages referring to JDK virtual
+# provides >= 1.6.0 must specify the epoch, "java >= 1:1.6.0".
+Epoch: 1
+Summary: %{origin_nice} %{featurever} Runtime Environment
+%if 0%{?rhel} <= 8
+Group: Development/Languages
+# HotSpot code is licensed under GPLv2
+# JDK library code is licensed under GPLv2 with the Classpath exception
+# The Apache license is used in code taken from Apache projects (primarily xalan & xerces)
+# DOM levels 2 & 3 and the XML digital signature schemas are licensed under the W3C Software License
+# The JSR166 concurrency code is in the public domain
+# The BSD and MIT licenses are used for a number of third-party libraries (see ADDITIONAL_LICENSE_INFO)
+# The OpenJDK source tree includes:
+# - JPEG library (IJG), zlib & libpng (zlib), giflib (MIT), harfbuzz (ISC),
+# - freetype (FTL), jline (BSD) and LCMS (MIT)
+# - jquery (MIT), jdk.crypto.cryptoki PKCS 11 wrapper (RSA)
+# - public_suffix_list.dat from publicsuffix.org (MPLv2.0)
+# The test code includes copies of NSS under the Mozilla Public License v2.0
+# The PCSClite headers are under a BSD with advertising license
+# The elliptic curve cryptography (ECC) source code is licensed under the LGPLv2.1 or any later version
+License: ASL 1.1 and ASL 2.0 and BSD and BSD with advertising and GPL+ and GPLv2 and GPLv2 with exceptions and IJG and LGPLv2+ and MIT and MPLv2.0 and Public Domain and W3C and zlib and ISC and FTL and RSA
+URL: http://openjdk.java.net/
+# to regenerate source0 (jdk) run update_package.sh
+# update_package.sh contains hard-coded repos, revisions, tags, and projects to regenerate the source archives
+Source0: openjdk-jdk%{featurever}u-jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}.tar.xz
+# Use 'icedtea_sync.sh' to update the following
+# They are based on code contained in the IcedTea project (6.x).
+# Systemtap tapsets. Zipped up to keep it small.
+Source8: tapsets-icedtea-%{icedteaver}.tar.xz
+# Desktop files. Adapted from IcedTea
+Source9: jconsole.desktop.in
+# Release notes
+Source10: NEWS
+# nss configuration file
+Source11: nss.cfg.in
+# Removed libraries that we link instead
+Source12: remove-intree-libraries.sh
+# Ensure we aren't using the limited crypto policy
+Source13: TestCryptoLevel.java
+# Ensure ECDSA is working
+Source14: TestECDSA.java
+# Verify system crypto (policy) can be disabled via a property
+Source15: TestSecurityProperties.java
+# nss fips configuration file
+Source17: nss.fips.cfg.in
+# RPM/distribution specific patches
+# NSS via SunPKCS11 Provider (disabled comment
+# due to memory leak).
+Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
+# RH1750419: enable build of speculative store bypass hardened alt-java (CVE-2018-3639)
+Patch600: rh1750419-redhat_alt_java.patch
+# Ignore AWTError when assistive technologies are loaded
+Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
+# Restrict access to java-atk-wrapper classes
+Patch2: rh1648644-java_access_bridge_privileged_security.patch
+Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
+# Follow system wide crypto policy RHBZ#1249083
+Patch4: pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch
+# PR3695: Allow use of system crypto policy to be disabled by the user
+Patch5: pr3695-toggle_system_crypto_policy.patch
+# Depend on pcs-lite-libs instead of pcs-lite-devel as this is only in optional repo
+Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
+# FIPS support patches
+# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider
+Patch1001: rh1655466-global_crypto_and_fips.patch
+# RH1818909: No ciphersuites availale for SSLSocket in FIPS mode
+Patch1002: rh1818909-fips_default_keystore_type.patch
+# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available
+Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch
+# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess
+Patch1007: rh1915071-always_initialise_configurator_access.patch
+# RH1929465: Improve system FIPS detection
+Patch1008: rh1929465-improve_system_FIPS_detection.patch
+Patch1011: rh1929465-dont_define_unused_throwioexception.patch
+# RH1995150: Disable non-FIPS crypto in SUN and SunEC security providers
+Patch1009: rh1995150-disable_non-fips_crypto.patch
+# RH1996182: Login to the NSS software token in FIPS mode
+Patch1010: rh1996182-login_to_nss_software_token.patch
+Patch1012: rh1996182-extend_security_policy.patch
+# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false
+Patch1013: rh1991003-enable_fips_keys_import.patch
+# OpenJDK patches in need of upstreaming
+# JDK-8276572: Fake libsyslookup.so library causes tooling issues
+Patch2000: jdk8276572-fake_libsyslookup_causes_tooling_issues.patch
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: alsa-lib-devel
+BuildRequires: binutils
+BuildRequires: cups-devel
+BuildRequires: desktop-file-utils
+# elfutils only are OK for build without AOT
+BuildRequires: elfutils-devel
+BuildRequires: fontconfig-devel
+BuildRequires: freetype-devel
+BuildRequires: giflib-devel
+BuildRequires: gcc-c++
+BuildRequires: gdb
+BuildRequires: harfbuzz-devel
+BuildRequires: lcms2-devel
+BuildRequires: libjpeg-devel
+BuildRequires: libpng-devel
+BuildRequires: libxslt
+BuildRequires: libX11-devel
+BuildRequires: libXi-devel
+BuildRequires: libXinerama-devel
+BuildRequires: libXrandr-devel
+BuildRequires: libXrender-devel
+BuildRequires: libXt-devel
+BuildRequires: libXtst-devel
+# Requirements for setting up the nss.cfg and FIPS support
+BuildRequires: nss-devel >= 3.53
+BuildRequires: pkgconfig
+BuildRequires: xorg-x11-proto-devel
+BuildRequires: zip
+BuildRequires: javapackages-filesystem
+BuildRequires: java-latest-openjdk-devel
+# Zero-assembler build requirement
+%ifnarch %{jit_arches}
+BuildRequires: libffi-devel
+BuildRequires: tzdata-java >= 2015d
+# Earlier versions have a bug in tree vectorization on PPC
+BuildRequires: gcc >= 4.8.3-8
+%if %{with_systemtap}
+BuildRequires: systemtap-sdt-devel
+BuildRequires: make
+# this is always built, also during debug-only build
+# when it is built in debug-only this package is just placeholder
+%{java_rpo %{nil}}
+The %{origin_nice} %{featurever} runtime environment.
+%if %{include_debug_build}
+%package slowdebug
+Summary: %{origin_nice} %{featurever} Runtime Environment %{debug_on}
+%if 0%{?rhel} <= 8
+Group: Development/Languages
+%{java_rpo -- %{debug_suffix_unquoted}}
+%description slowdebug
+The %{origin_nice} %{featurever} runtime environment.
+%if %{include_fastdebug_build}
+%package fastdebug
+Summary: %{origin_nice} %{featurever} Runtime Environment %{fastdebug_on}
+%if 0%{?rhel} <= 8
+Group: Development/Languages
+%{java_rpo -- %{fastdebug_suffix_unquoted}}
+%description fastdebug
+The %{origin_nice} %{featurever} runtime environment.
+%if %{include_normal_build}
+%package headless
+Summary: %{origin_nice} %{featurever} Headless Runtime Environment
+%if 0%{?rhel} <= 8
+Group: Development/Languages
+%{java_headless_rpo %{nil}}
+%description headless
+The %{origin_nice} %{featurever} runtime environment without audio and video support.
+%if %{include_debug_build}
+%package headless-slowdebug
+Summary: %{origin_nice} %{featurever} Runtime Environment %{debug_on}
+Group: Development/Languages
+%{java_headless_rpo -- %{debug_suffix_unquoted}}
+%description headless-slowdebug
+The %{origin_nice} %{featurever} runtime environment without audio and video support.
+%if %{include_fastdebug_build}
+%package headless-fastdebug
+Summary: %{origin_nice} %{featurever} Runtime Environment %{fastdebug_on}
+Group: Development/Languages
+%{java_headless_rpo -- %{fastdebug_suffix_unquoted}}
+%description headless-fastdebug
+The %{origin_nice} %{featurever} runtime environment without audio and video support.
+%if %{include_normal_build}
+%package devel
+Summary: %{origin_nice} %{featurever} Development Environment
+%if 0%{?rhel} <= 8
+Group: Development/Languages
+%{java_devel_rpo %{nil}}
+%description devel
+The %{origin_nice} %{featurever} development tools.
+%if %{include_debug_build}
+%package devel-slowdebug
+Summary: %{origin_nice} %{featurever} Development Environment %{debug_on}
+%if 0%{?rhel} <= 8
+Group: Development/Languages
+%{java_devel_rpo -- %{debug_suffix_unquoted}}
+%description devel-slowdebug
+The %{origin_nice} %{featurever} development tools.
+%if %{include_fastdebug_build}
+%package devel-fastdebug
+Summary: %{origin_nice} %{featurever} Development Environment %{fastdebug_on}
+Group: Development/Tools
+%{java_devel_rpo -- %{fastdebug_suffix_unquoted}}
+%description devel-fastdebug
+The %{origin_nice} %{featurever} development tools .
+%if %{include_staticlibs}
+%if %{include_normal_build}
+%package static-libs
+Summary: %{origin_nice} %{featurever} libraries for static linking
+%{java_static_libs_rpo %{nil}}
+%description static-libs
+The %{origin_nice} %{featurever} libraries for static linking.
+%if %{include_debug_build}
+%package static-libs-slowdebug
+Summary: %{origin_nice} %{featurever} libraries for static linking %{debug_on}
+%{java_static_libs_rpo -- %{debug_suffix_unquoted}}
+%description static-libs-slowdebug
+The %{origin_nice} %{featurever} libraries for static linking.
+%if %{include_fastdebug_build}
+%package static-libs-fastdebug
+Summary: %{origin_nice} %{featurever} libraries for static linking %{fastdebug_on}
+%{java_static_libs_rpo -- %{fastdebug_suffix_unquoted}}
+%description static-libs-fastdebug
+The %{origin_nice} %{featurever} libraries for static linking.
+# staticlibs
+%if %{include_normal_build}
+%package jmods
+Summary: JMods for %{origin_nice} %{featurever}
+%if 0%{?rhel} <= 8
+Group: Development/Languages
+%{java_jmods_rpo %{nil}}
+%description jmods
+The JMods for %{origin_nice} %{featurever}.
+%if %{include_debug_build}
+%package jmods-slowdebug
+Summary: JMods for %{origin_nice} %{featurever} %{debug_on}
+%if 0%{?rhel} <= 8
+Group: Development/Languages
+%{java_jmods_rpo -- %{debug_suffix_unquoted}}
+%description jmods-slowdebug
+The JMods for %{origin_nice} %{featurever}.
+%if %{include_fastdebug_build}
+%package jmods-fastdebug
+Summary: JMods for %{origin_nice} %{featurever} %{fastdebug_on}
+Group: Development/Tools
+%{java_jmods_rpo -- %{fastdebug_suffix_unquoted}}
+%description jmods-fastdebug
+The JMods for %{origin_nice} %{featurever}.
+%if %{include_normal_build}
+%package demo
+Summary: %{origin_nice} %{featurever} Demos
+%if 0%{?rhel} <= 8
+Group: Development/Languages
+%{java_demo_rpo %{nil}}
+%description demo
+The %{origin_nice} %{featurever} demos.
+%if %{include_debug_build}
+%package demo-slowdebug
+Summary: %{origin_nice} %{featurever} Demos %{debug_on}
+%if 0%{?rhel} <= 8
+Group: Development/Languages
+%{java_demo_rpo -- %{debug_suffix_unquoted}}
+%description demo-slowdebug
+The %{origin_nice} %{featurever} demos.
+%if %{include_fastdebug_build}
+%package demo-fastdebug
+Summary: %{origin_nice} %{featurever} Demos %{fastdebug_on}
+Group: Development/Languages
+%{java_demo_rpo -- %{fastdebug_suffix_unquoted}}
+%description demo-fastdebug
+The %{origin_nice} %{featurever} demos.
+%if %{include_normal_build}
+%package src
+Summary: %{origin_nice} %{featurever} Source Bundle
+%if 0%{?rhel} <= 8
+Group: Development/Languages
+%{java_src_rpo %{nil}}
+%description src
+The %{compatiblename}-src sub-package contains the complete %{origin_nice} %{featurever}
+class library source code for use by IDE indexers and debuggers.
+%if %{include_debug_build}
+%package src-slowdebug
+Summary: %{origin_nice} %{featurever} Source Bundle %{for_debug}
+%if 0%{?rhel} <= 8
+Group: Development/Languages
+%{java_src_rpo -- %{debug_suffix_unquoted}}
+%description src-slowdebug
+The %{compatiblename}-src-slowdebug sub-package contains the complete %{origin_nice} %{featurever}
+ class library source code for use by IDE indexers and debuggers, %{for_debug}.
+%if %{include_fastdebug_build}
+%package src-fastdebug
+Summary: %{origin_nice} %{featurever} Source Bundle %{for_fastdebug}
+Group: Development/Languages
+%{java_src_rpo -- %{fastdebug_suffix_unquoted}}
+%description src-fastdebug
+The %{compatiblename}-src-fastdebug sub-package contains the complete %{origin_nice} %{featurever}
+ class library source code for use by IDE indexers and debuggers, %{for_fastdebug}.
+%if %{include_normal_build}
+%package javadoc
+Summary: %{origin_nice} %{featurever} API documentation
+%if 0%{?rhel} <= 8
+Group: Documentation
+Requires: javapackages-filesystem
+Obsoletes: javadoc-slowdebug < 1:
+%{java_javadoc_rpo %{nil}}
+%description javadoc
+The %{origin_nice} %{featurever} API documentation.
+%if %{include_normal_build}
+%package javadoc-zip
+Summary: %{origin_nice} %{featurever} API documentation compressed in a single archive
+%if 0%{?rhel} <= 8
+Group: Documentation
+Requires: javapackages-filesystem
+Obsoletes: javadoc-zip-slowdebug < 1:
+%{java_javadoc_rpo %{nil}}
+%description javadoc-zip
+The %{origin_nice} %{featurever} API documentation compressed in a single archive.
+if [ %{include_normal_build} -eq 0 -o %{include_normal_build} -eq 1 ] ; then
+ echo "include_normal_build is %{include_normal_build}"
+ echo "include_normal_build is %{include_normal_build}, that is invalid. Use 1 for yes or 0 for no"
+ exit 11
+if [ %{include_debug_build} -eq 0 -o %{include_debug_build} -eq 1 ] ; then
+ echo "include_debug_build is %{include_debug_build}"
+ echo "include_debug_build is %{include_debug_build}, that is invalid. Use 1 for yes or 0 for no"
+ exit 12
+if [ %{include_fastdebug_build} -eq 0 -o %{include_fastdebug_build} -eq 1 ] ; then
+ echo "include_fastdebug_build is %{include_fastdebug_build}"
+ echo "include_fastdebug_build is %{include_fastdebug_build}, that is invalid. Use 1 for yes or 0 for no"
+ exit 13
+if [ %{include_debug_build} -eq 0 -a %{include_normal_build} -eq 0 -a %{include_fastdebug_build} -eq 0 ] ; then
+ echo "You have disabled all builds (normal,fastdebug,slowdebug). That is a no go."
+ exit 14
+%setup -q -c -n %{uniquesuffix ""} -T -a 0
+# https://bugzilla.redhat.com/show_bug.cgi?id=1189084
+prioritylength=`expr length %{priority}`
+if [ $prioritylength -ne 8 ] ; then
+ echo "priority must be 8 digits in total, violated"
+ exit 14
+# OpenJDK patches
+# Remove libraries that are linked by both static and dynamic builds
+sh %{SOURCE12} %{top_level_dir_name}
+# Patch the JDK
+pushd %{top_level_dir_name}
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
+%patch6 -p1
+popd # openjdk
+# Extract systemtap tapsets
+%if %{with_systemtap}
+tar --strip-components=1 -x -I xz -f %{SOURCE8}
+%if %{include_debug_build}
+cp -r tapset tapset%{debug_suffix}
+%if %{include_fastdebug_build}
+cp -r tapset tapset%{fastdebug_suffix}
+for suffix in %{build_loop} ; do
+ for file in "tapset"$suffix/*.in; do
+ OUTPUT_FILE=`echo $file | sed -e "s:\.stp\.in$:-%{version}-%{release}.%{_arch}.stp:g"`
+ sed -e "s:@ABS_SERVER_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/server/libjvm.so:g" $file > $file.1
+ sed -e "s:@JAVA_SPEC_VER@:%{javaver}:g" $file.1 > $file.2
+# TODO find out which architectures other than i686 have a client vm
+%ifarch %{ix86}
+ sed -e "s:@ABS_CLIENT_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/client/libjvm.so:g" $file.2 > $OUTPUT_FILE
+ sed -e "/@ABS_CLIENT_LIBJVM_SO@/d" $file.2 > $OUTPUT_FILE
+ sed -i -e "s:@ABS_JAVA_HOME_DIR@:%{_jvmdir}/%{sdkdir -- $suffix}:g" $OUTPUT_FILE
+ sed -i -e "s:@INSTALL_ARCH_DIR@:%{archinstall}:g" $OUTPUT_FILE
+ sed -i -e "s:@prefix@:%{_jvmdir}/%{sdkdir -- $suffix}/:g" $OUTPUT_FILE
+ done
+# systemtap tapsets ends
+# Prepare desktop files
+# The _X_ syntax indicates variables that are replaced by make upstream
+# The @X@ syntax indicates variables that are replaced by configure upstream
+for suffix in %{build_loop} ; do
+for file in %{SOURCE9}; do
+ FILE=`basename $file | sed -e s:\.in$::g`
+ EXT="${FILE##*.}"
+ NAME="${FILE%.*}"
+ sed -e "s:_SDKBINDIR_:%{sdkbindir -- $suffix}:g" $file > $OUTPUT_FILE
+ sed -i -e "s:@target_cpu@:%{_arch}:g" $OUTPUT_FILE
+ sed -i -e "s:@OPENJDK_VER@:%{version}-%{release}.%{_arch}$suffix:g" $OUTPUT_FILE
+ sed -i -e "s:@JAVA_VER@:%{javaver}:g" $OUTPUT_FILE
+ sed -i -e "s:@JAVA_VENDOR@:%{origin}:g" $OUTPUT_FILE
+# Setup nss.cfg
+sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
+# Setup nss.fips.cfg
+sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
+# How many CPU's do we have?
+export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :)
+export NUM_PROC=${NUM_PROC:-1}
+%if 0%{?_smp_ncpus_max}
+# Honor %%_smp_ncpus_max
+[ ${NUM_PROC} -gt %{?_smp_ncpus_max} ] && export NUM_PROC=%{?_smp_ncpus_max}
+%ifarch s390x sparc64 alpha %{power64} %{aarch64}
+export ARCH_DATA_MODEL=64
+%ifarch alpha
+export CFLAGS="$CFLAGS -mieee"
+# We use ourcppflags because the OpenJDK build seems to
+# pass EXTRA_CFLAGS to the HotSpot C++ compiler...
+# Explicitly set the C++ standard as the default has changed on GCC >= 6
+%ifarch %{power64} ppc
+# fix rpmlint warnings
+EXTRA_CFLAGS="$EXTRA_CFLAGS -fno-strict-aliasing"
+function buildjdk() {
+ local outputdir=${1}
+ local buildjdk=${2}
+ local maketargets="${3}"
+ local debuglevel=${4}
+ local link_opt=${5}
+ local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name}
+ local top_dir_abs_build_path=$(pwd)/${outputdir}
+ # The OpenJDK version file includes the current
+ # upstream version information. For some reason,
+ # configure does not automatically use the
+ # default pre-version supplied there (despite
+ # what the file claims), so we pass it manually
+ # to configure
+ VERSION_FILE=${top_dir_abs_src_path}/make/conf/version-numbers.conf
+ if [ -f ${VERSION_FILE} ] ; then
+ else
+ echo "Could not find OpenJDK version file.";
+ exit 16
+ fi
+ if [ "x${EA_DESIGNATOR}" != "x%{expected_ea_designator}" ] ; then
+ echo "Spec file is configured for a %{build_type} build, but upstream version-pre setting is ${EA_DESIGNATOR}";
+ exit 17
+ fi
+ echo "Using output directory: ${outputdir}";
+ echo "Checking build JDK ${buildjdk} is operational..."
+ ${buildjdk}/bin/java -version
+ echo "Using make targets: ${maketargets}"
+ echo "Using debuglevel: ${debuglevel}"
+ echo "Using link_opt: ${link_opt}"
+ echo "Building %{newjavaver}-%{buildver}, pre=${EA_DESIGNATOR}, opt=%{lts_designator}"
+ mkdir -p ${outputdir}
+ pushd ${outputdir}
+ bash ${top_dir_abs_src_path}/configure \
+%ifnarch %{jit_arches}
+ --with-jvm-variants=zero \
+%ifarch %{ppc64le}
+ --with-jobs=1 \
+ --with-version-build=%{buildver} \
+ --with-version-pre="${EA_DESIGNATOR}" \
+ --with-version-opt=%{lts_designator} \
+ --with-vendor-version-string="%{vendor_version_string}" \
+ --with-vendor-name="Red Hat, Inc." \
+ --with-vendor-url="https://www.redhat.com/" \
+ --with-vendor-bug-url="%{bugs}" \
+ --with-vendor-vm-bug-url="%{bugs}" \
+ --with-boot-jdk=${buildjdk} \
+ --with-debug-level=${debuglevel} \
+ --with-native-debug-symbols="%{debug_symbols}" \
+ --enable-sysconf-nss \
+ --enable-unlimited-crypto \
+ --with-zlib=system \
+ --with-libjpeg=${link_opt} \
+ --with-giflib=${link_opt} \
+ --with-libpng=${link_opt} \
+ --with-lcms=${link_opt} \
+ --with-harfbuzz=${link_opt} \
+ --with-stdc++lib=dynamic \
+ --with-extra-cxxflags="$EXTRA_CPP_FLAGS" \
+ --with-extra-cflags="$EXTRA_CFLAGS" \
+ --with-extra-ldflags="%{ourldflags}" \
+ --with-num-cores="$NUM_PROC" \
+ --with-source-date="${SOURCE_DATE_EPOCH}" \
+ --disable-javac-server \
+%ifarch %{zgc_arches}
+ --with-jvm-features=zgc \
+ --disable-warnings-as-errors
+ cat spec.gmk
+ make \
+ LOG=trace \
+ WARNINGS_ARE_ERRORS="-Wno-error" \
+ $maketargets || ( pwd; find ${top_dir_abs_src_path} ${top_dir_abs_build_path} -name "hs_err_pid*.log" | xargs cat && false )
+ popd
+function installjdk() {
+ local imagepath=${1}
+ # the build (erroneously) removes read permissions from some jars
+ # this is a regression in OpenJDK 7 (our compiler):
+ # http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437
+ find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \;
+ # Build screws up permissions on binaries
+ # https://bugs.openjdk.java.net/browse/JDK-8173610
+ find ${imagepath} -iname '*.so' -exec chmod +x {} \;
+ find ${imagepath}/bin/ -exec chmod +x {} \;
+ # Install nss.cfg right away as we will be using the JRE above
+ install -m 644 nss.cfg ${imagepath}/conf/security/
+ # Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
+ install -m 644 nss.fips.cfg ${imagepath}/conf/security/
+ # Use system-wide tzdata
+ rm ${imagepath}/lib/tzdb.dat
+ ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat
+ # Create fake alt-java as a placeholder for future alt-java
+ pushd ${imagepath}
+ # add alt-java man page
+ echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1
+ cat man/man1/java.1 >> man/man1/%{alt_java_name}.1
+ popd
+for suffix in %{build_loop} ; do
+ if [ "x$suffix" = "x" ] ; then
+ debugbuild=release
+ else
+ # change --something to something
+ debugbuild=`echo $suffix | sed "s/-//g"`
+ fi
+ systemjdk=/usr/lib/jvm/java-%{buildjdkver}-openjdk
+ for loop in %{main_suffix} %{staticlibs_loop} ; do
+ builddir=%{buildoutputdir -- ${suffix}${loop}}
+ bootbuilddir=boot${builddir}
+ if test "x${loop}" = "x%{main_suffix}" ; then
+ # Copy the source tree so we can remove all in-tree libraries
+ cp -a %{top_level_dir_name} %{top_level_dir_name_backup}
+ # Remove all libraries that are linked
+ sh %{SOURCE12} %{top_level_dir_name} full
+ # Use system libraries
+ link_opt="system"
+ # Debug builds don't need same targets as release for
+ # build speed-up. We also avoid bootstrapping these
+ # slower builds.
+ if echo $debugbuild | grep -q "debug" ; then
+ maketargets="%{debug_targets}"
+ run_bootstrap=false
+ else
+ maketargets="%{release_targets}"
+ run_bootstrap=%{bootstrap_build}
+ fi
+ if ${run_bootstrap} ; then
+ buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} ${link_opt}
+ buildjdk ${builddir} $(pwd)/${bootbuilddir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt}
+ rm -rf ${bootbuilddir}
+ else
+ buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt}
+ fi
+ # Restore original source tree we modified by removing full in-tree sources
+ rm -rf %{top_level_dir_name}
+ mv %{top_level_dir_name_backup} %{top_level_dir_name}
+ else
+ # Use bundled libraries for building statically
+ link_opt="bundled"
+ # Static library cycle only builds the static libraries
+ maketargets="%{static_libs_target}"
+ # Always just do the one build for the static libraries
+ buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt}
+ fi
+ done # end of main / staticlibs loop
+ # Final setup on the main image
+ top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}}
+ installjdk ${top_dir_abs_main_build_path}/images/%{jdkimage}
+# build cycles
+done # end of release / debug cycle loop
+# We test debug first as it will give better diagnostics on a crash
+for suffix in %{build_loop} ; do
+top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}}
+%if %{include_staticlibs}
+top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticlibs_loop}}
+export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage}
+#check Shenandoah is enabled
+%if %{use_shenandoah_hotspot}
+$JAVA_HOME//bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version
+# Check unlimited policy has been used
+$JAVA_HOME/bin/javac -d . %{SOURCE13}
+$JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLevel
+# Check ECC is working
+$JAVA_HOME/bin/javac -d . %{SOURCE14}
+$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||")
+# Check system crypto (policy) can be disabled
+$JAVA_HOME/bin/javac -d . %{SOURCE15}
+$JAVA_HOME/bin/java -Djava.security.disableSystemPropertiesFile=true $(echo $(basename %{SOURCE15})|sed "s|\.java||")
+# Check java launcher has no SSB mitigation
+if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi
+# Check alt-java launcher has SSB mitigation on supported architectures
+%ifarch %{ssbd_arches}
+nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation
+if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi
+%if %{include_staticlibs}
+# Check debug symbols in static libraries (smoke test)
+export STATIC_LIBS_HOME=${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image}
+readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep w_remainder.c
+readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep e_remainder.c
+# Check debug symbols are present and can identify code
+find "$JAVA_HOME" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib
+ if [ -f "$lib" ] ; then
+ echo "Testing $lib for debug symbols"
+ # All these tests rely on RPM failing the build if the exit code of any set
+ # of piped commands is non-zero.
+ # Test for .debug_* sections in the shared object. This is the main test
+ # Stripped objects will not contain these
+ eu-readelf -S "$lib" | grep "] .debug_"
+ test $(eu-readelf -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2
+ # Test FILE symbols. These will most likely be removed by anything that
+ # manipulates symbol tables because it's generally useless. So a nice test
+ # that nothing has messed with symbols
+ old_IFS="$IFS"
+ IFS=$'\n'
+ for line in $(eu-readelf -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT")
+ do
+ # We expect to see .cpp files, except for architectures like aarch64 and
+ # s390 where we expect .o and .oS files
+ echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|oS))?$"
+ done
+ IFS="$old_IFS"
+ # If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking
+ if [ "`basename $lib`" = "libjvm.so" ]; then
+ eu-readelf -s "$lib" | \
+ grep -E "00000000 0 FILE LOCAL DEFAULT ABS javaCalls.(cpp|o)$"
+ fi
+ # Test that there are no .gnu_debuglink sections pointing to another
+ # debuginfo file. There shouldn't be any debuginfo files, so the link makes
+ # no sense either
+ eu-readelf -S "$lib" | grep 'gnu'
+ if eu-readelf -S "$lib" | grep '] .gnu_debuglink' | grep PROGBITS; then
+ echo "bad .gnu_debuglink section."
+ eu-readelf -x .gnu_debuglink "$lib"
+ false
+ fi
+ fi
+# Make sure gdb can do a backtrace based on line numbers on libjvm.so
+# javaCalls.cpp:58 should map to:
+# http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/vm/runtime/javaCalls.cpp#l58
+# Using line number 1 might cause build problems. See:
+# https://bugzilla.redhat.com/show_bug.cgi?id=1539664
+# https://bugzilla.redhat.com/show_bug.cgi?id=1538767
+gdb -q "$JAVA_HOME/bin/java" < 0
+# This fails on s390x for some reason. Disable for now. See:
+# https://koji.fedoraproject.org/koji/taskinfo?taskID=41499227
+%ifnarch s390x
+grep 'JavaCallWrapper::JavaCallWrapper' gdb.out
+# Check src.zip has all sources. See RHBZ#1130490
+$JAVA_HOME/bin/jar -tf $JAVA_HOME/lib/src.zip | grep 'sun.misc.Unsafe'
+# Check class files include useful debugging information
+$JAVA_HOME/bin/javap -l java.lang.Object | grep "Compiled from"
+$JAVA_HOME/bin/javap -l java.lang.Object | grep LineNumberTable
+$JAVA_HOME/bin/javap -l java.lang.Object | grep LocalVariableTable
+# Check generated class files include useful debugging information
+$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep "Compiled from"
+$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LineNumberTable
+$JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LocalVariableTable
+# build cycles check
+for suffix in %{build_loop} ; do
+top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}}
+%if %{include_staticlibs}
+top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticlibs_loop}}
+# Install the jdk
+mkdir -p $RPM_BUILD_ROOT%{_jvmdir}
+cp -a ${jdk_image} $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}
+pushd ${jdk_image}
+%if %{with_systemtap}
+ # Install systemtap support files
+ install -dm 755 $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset
+ # note, that uniquesuffix is in BUILD dir in this case
+ cp -a $RPM_BUILD_DIR/%{uniquesuffix ""}/tapset$suffix/*.stp $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset/
+ pushd $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset/
+ tapsetFiles=`ls *.stp`
+ popd
+ install -d -m 755 $RPM_BUILD_ROOT%{tapsetdir}
+ for name in $tapsetFiles ; do
+ targetName=`echo $name | sed "s/.stp/$suffix.stp/"`
+ ln -sf %{_jvmdir}/%{sdkdir -- $suffix}/tapset/$name $RPM_BUILD_ROOT%{tapsetdir}/$targetName
+ done
+ # Remove empty cacerts database
+ rm -f $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/security/cacerts
+ # Install cacerts symlink needed by some apps which hard-code the path
+ pushd $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/security
+ ln -sf /etc/pki/java/cacerts .
+ popd
+ # Install version-ed symlinks
+ pushd $RPM_BUILD_ROOT%{_jvmdir}
+ ln -sf %{sdkdir -- $suffix} %{jrelnk -- $suffix}
+ popd
+ # Install man pages
+ install -d -m 755 $RPM_BUILD_ROOT%{_mandir}/man1
+ for manpage in man/man1/*
+ do
+ # Convert man pages to UTF8 encoding
+ iconv -f ISO_8859-1 -t UTF8 $manpage -o $manpage.tmp
+ mv -f $manpage.tmp $manpage
+ install -m 644 -p $manpage $RPM_BUILD_ROOT%{_mandir}/man1/$(basename \
+ $manpage .1)-%{uniquesuffix -- $suffix}.1
+ done
+ # Remove man pages from jdk image
+ rm -rf $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/man
+# Install static libs artefacts
+%if %{include_staticlibs}
+mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/static/linux-%{archinstall}/glibc
+cp -a ${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image}/lib/*.a \
+ $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/static/linux-%{archinstall}/glibc
+if ! echo $suffix | grep -q "debug" ; then
+ # Install Javadoc documentation
+ install -d -m 755 $RPM_BUILD_ROOT%{_javadocdir}
+ cp -a ${top_dir_abs_main_build_path}/images/docs $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}
+ built_doc_archive=jdk-%{filever}%{ea_designator_zip}+%{buildver}%{lts_designator_zip}-docs.zip
+ cp -a ${top_dir_abs_main_build_path}/bundles/${built_doc_archive} \
+ $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}.zip || ls -l ${top_dir_abs_main_build_path}/bundles/
+# Install release notes
+commondocdir=${RPM_BUILD_ROOT}%{_defaultdocdir}/%{uniquejavadocdir -- $suffix}
+install -d -m 755 ${commondocdir}
+cp -a %{SOURCE10} ${commondocdir}
+# Install icons and menu entries
+for s in 16 24 32 48 ; do
+ install -D -p -m 644 \
+ %{top_level_dir_name}/src/java.desktop/unix/classes/sun/awt/X11/java-icon${s}.png \
+ $RPM_BUILD_ROOT%{_datadir}/icons/hicolor/${s}x${s}/apps/java-%{javaver}-%{origin}.png
+# Install desktop files
+install -d -m 755 $RPM_BUILD_ROOT%{_datadir}/{applications,pixmaps}
+for e in jconsole$suffix ; do
+ desktop-file-install --vendor=%{uniquesuffix -- $suffix} --mode=644 \
+ --dir=$RPM_BUILD_ROOT%{_datadir}/applications $e.desktop
+# Install /etc/.java/.systemPrefs/ directory
+# See https://bugzilla.redhat.com/show_bug.cgi?id=741821
+mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/.java/.systemPrefs
+# copy samples next to demos; samples are mostly js files
+cp -r %{top_level_dir_name}/src/sample $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/
+# moving config files to /etc
+mkdir -p $RPM_BUILD_ROOT/%{etcjavadir -- $suffix}
+mkdir -p $RPM_BUILD_ROOT/%{etcjavadir -- $suffix}/lib
+mv $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/conf/ $RPM_BUILD_ROOT/%{etcjavadir -- $suffix}
+mv $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/lib/security $RPM_BUILD_ROOT/%{etcjavadir -- $suffix}/lib
+pushd $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}
+ ln -s %{etcjavadir -- $suffix}/conf ./conf
+pushd $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/lib
+ ln -s %{etcjavadir -- $suffix}/lib/security ./security
+# end moving files to /etc
+# stabilize permissions
+find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -name "*.so" -exec chmod 755 {} \; ;
+find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/ -type d -exec chmod 755 {} \; ;
+find $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/legal -type f -exec chmod 644 {} \; ;
+# end, dual install
+%if %{include_normal_build}
+# intentionally only for non-debug
+%pretrans headless -p
+-- see https://bugzilla.redhat.com/show_bug.cgi?id=1038092 for whole issue
+-- see https://bugzilla.redhat.com/show_bug.cgi?id=1290388 for pretrans over pre
+-- if copy-jdk-configs is in transaction, it installs in pretrans to temp
+-- if copy_jdk_configs is in temp, then it means that copy-jdk-configs is in transaction and so is
+-- preferred over one in %%{_libexecdir}. If it is not in transaction, then depends
+-- whether copy-jdk-configs is installed or not. If so, then configs are copied
+-- (copy_jdk_configs from %%{_libexecdir} used) or not copied at all
+local posix = require "posix"
+if (os.getenv("debug") == "true") then
+ debug = true;
+ print("cjc: in spec debug is on")
+ debug = false;
+SOURCE1 = "%{rpm_state_dir}/copy_jdk_configs.lua"
+SOURCE2 = "%{_libexecdir}/copy_jdk_configs.lua"
+local stat1 = posix.stat(SOURCE1, "type");
+local stat2 = posix.stat(SOURCE2, "type");
+ if (stat1 ~= nil) then
+ if (debug) then
+ print(SOURCE1 .." exists - copy-jdk-configs in transaction, using this one.")
+ end;
+ package.path = package.path .. ";" .. SOURCE1
+ if (stat2 ~= nil) then
+ if (debug) then
+ print(SOURCE2 .." exists - copy-jdk-configs already installed and NOT in transaction. Using.")
+ end;
+ package.path = package.path .. ";" .. SOURCE2
+ else
+ if (debug) then
+ print(SOURCE1 .." does NOT exists")
+ print(SOURCE2 .." does NOT exists")
+ print("No config files will be copied")
+ end
+ return
+ end
+arg = nil ; -- it is better to null the arg up, no meter if they exists or not, and use cjc as module in unified way, instead of relaying on "main" method during require "copy_jdk_configs.lua"
+cjc = require "copy_jdk_configs.lua"
+args = {"--currentjvm", "%{uniquesuffix %{nil}}", "--jvmdir", "%{_jvmdir %{nil}}", "--origname", "%{name}", "--origjavaver", "%{javaver}", "--arch", "%{_arch}", "--temp", "%{rpm_state_dir}/%{name}.%{_arch}"}
+%{post_script %{nil}}
+%post headless
+%{post_headless %{nil}}
+%{postun_script %{nil}}
+%postun headless
+%{postun_headless %{nil}}
+%{posttrans_script %{nil}}
+%posttrans headless
+%{alternatives_java_install %{nil}}
+%post devel
+%{post_devel %{nil}}
+%postun devel
+%{postun_devel %{nil}}
+%posttrans devel
+%{posttrans_devel %{nil}}
+%posttrans javadoc
+%{alternatives_javadoc_install %{nil}}
+%postun javadoc
+%{postun_javadoc %{nil}}
+%posttrans javadoc-zip
+%{alternatives_javadoczip_install %{nil}}
+%postun javadoc-zip
+%{postun_javadoc_zip %{nil}}
+%if %{include_debug_build}
+%post slowdebug
+%{post_script -- %{debug_suffix_unquoted}}
+%post headless-slowdebug
+%{post_headless -- %{debug_suffix_unquoted}}
+%posttrans headless-slowdebug
+%{alternatives_java_install -- %{debug_suffix_unquoted}}
+%postun slowdebug
+%{postun_script -- %{debug_suffix_unquoted}}
+%postun headless-slowdebug
+%{postun_headless -- %{debug_suffix_unquoted}}
+%posttrans slowdebug
+%{posttrans_script -- %{debug_suffix_unquoted}}
+%post devel-slowdebug
+%{post_devel -- %{debug_suffix_unquoted}}
+%postun devel-slowdebug
+%{postun_devel -- %{debug_suffix_unquoted}}
+%posttrans devel-slowdebug
+%{posttrans_devel -- %{debug_suffix_unquoted}}
+%if %{include_fastdebug_build}
+%post fastdebug
+%{post_script -- %{fastdebug_suffix_unquoted}}
+%post headless-fastdebug
+%{post_headless -- %{fastdebug_suffix_unquoted}}
+%postun fastdebug
+%{postun_script -- %{fastdebug_suffix_unquoted}}
+%postun headless-fastdebug
+%{postun_headless -- %{fastdebug_suffix_unquoted}}
+%posttrans fastdebug
+%{posttrans_script -- %{fastdebug_suffix_unquoted}}
+%posttrans headless-fastdebug
+%{alternatives_java_install -- %{fastdebug_suffix_unquoted}}
+%post devel-fastdebug
+%{post_devel -- %{fastdebug_suffix_unquoted}}
+%postun devel-fastdebug
+%{postun_devel -- %{fastdebug_suffix_unquoted}}
+%posttrans devel-fastdebug
+%{posttrans_devel -- %{fastdebug_suffix_unquoted}}
+%if %{include_normal_build}
+# main package builds always
+%{files_jre %{nil}}
+# placeholder
+%if %{include_normal_build}
+%files headless
+# important note, see https://bugzilla.redhat.com/show_bug.cgi?id=1038092 for whole issue
+# all config/noreplace files (and more) have to be declared in pretrans. See pretrans
+%{files_jre_headless %{nil}}
+%files devel
+%{files_devel %{nil}}
+%if %{include_staticlibs}
+%files static-libs
+%{files_static_libs %{nil}}
+%files jmods
+%{files_jmods %{nil}}
+%files demo
+%{files_demo %{nil}}
+%files src
+%{files_src %{nil}}
+%files javadoc
+%{files_javadoc %{nil}}
+# This puts a huge documentation file in /usr/share
+# It is now architecture-dependent, as eg. AOT and Graal are now x86_64 only
+# same for debug variant
+%files javadoc-zip
+%{files_javadoc_zip %{nil}}
+%if %{include_debug_build}
+%files slowdebug
+%{files_jre -- %{debug_suffix_unquoted}}
+%files headless-slowdebug
+%{files_jre_headless -- %{debug_suffix_unquoted}}
+%files devel-slowdebug
+%{files_devel -- %{debug_suffix_unquoted}}
+%if %{include_staticlibs}
+%files static-libs-slowdebug
+%{files_static_libs -- %{debug_suffix_unquoted}}
+%files jmods-slowdebug
+%{files_jmods -- %{debug_suffix_unquoted}}
+%files demo-slowdebug
+%{files_demo -- %{debug_suffix_unquoted}}
+%files src-slowdebug
+%{files_src -- %{debug_suffix_unquoted}}
+%if %{include_fastdebug_build}
+%files fastdebug
+%{files_jre -- %{fastdebug_suffix_unquoted}}
+%files headless-fastdebug
+%{files_jre_headless -- %{fastdebug_suffix_unquoted}}
+%files devel-fastdebug
+%{files_devel -- %{fastdebug_suffix_unquoted}}
+%if %{include_staticlibs}
+%files static-libs-fastdebug
+%{files_static_libs -- %{fastdebug_suffix_unquoted}}
+%files jmods-fastdebug
+%{files_jmods -- %{fastdebug_suffix_unquoted}}
+%files demo-fastdebug
+%{files_demo -- %{fastdebug_suffix_unquoted}}
+%files src-fastdebug
+%{files_src -- %{fastdebug_suffix_unquoted}}
+* Thu Nov 18 2021 Jiri Vanek - 1:
+- inital import
diff --git a/jconsole.desktop.in b/jconsole.desktop.in
new file mode 100644
index 0000000..8a3b04d
--- /dev/null
+++ b/jconsole.desktop.in
@@ -0,0 +1,10 @@
+[Desktop Entry]
+Name=OpenJDK @JAVA_VER@ for @target_cpu@ Monitoring & Management Console (@OPENJDK_VER@)
+Comment=Monitor and manage OpenJDK applications
diff --git a/jdk8276572-fake_libsyslookup_causes_tooling_issues.patch b/jdk8276572-fake_libsyslookup_causes_tooling_issues.patch
new file mode 100644
index 0000000..dee144b
--- /dev/null
+++ b/jdk8276572-fake_libsyslookup_causes_tooling_issues.patch
@@ -0,0 +1,21 @@
+commit a4724332098cd8bff44ee27e9190fd28fa5c1865
+Author: Andrew John Hughes
+Date: Fri Nov 5 21:05:42 2021 +0000
+ 8276572: Fake libsyslookup.so library causes tooling issues
+ Reviewed-by: shade, mcimadamore
+diff --git openjdk.orig/src/jdk.incubator.foreign/share/native/libsyslookup/syslookup.c openjdk/src/jdk.incubator.foreign/share/native/libsyslookup/syslookup.c
+index fdf99866786..b1f543bfdb7 100644
+--- openjdk.orig/src/jdk.incubator.foreign/share/native/libsyslookup/syslookup.c
++++ openjdk/src/jdk.incubator.foreign/share/native/libsyslookup/syslookup.c
+@@ -26,3 +26,8 @@
+ // Note: the include below is not strictly required, as dependencies will be pulled using linker flags.
+ // Adding at least one #include removes unwanted warnings on some platforms.
+ #include
++// Simple dummy function so this library appears as a normal library to tooling.
++char* syslookup() {
++ return "syslookup";
diff --git a/nss.cfg.in b/nss.cfg.in
new file mode 100644
index 0000000..377a39c
--- /dev/null
+++ b/nss.cfg.in
@@ -0,0 +1,5 @@
+name = NSS
+nssLibraryDirectory = @NSS_LIBDIR@
+nssDbMode = noDb
+attributes = compatibility
+handleStartupErrors = ignoreMultipleInitialisation
diff --git a/nss.fips.cfg.in b/nss.fips.cfg.in
new file mode 100644
index 0000000..1aff153
--- /dev/null
+++ b/nss.fips.cfg.in
@@ -0,0 +1,6 @@
+name = NSS-FIPS
+nssLibraryDirectory = @NSS_LIBDIR@
+nssSecmodDirectory = sql:/etc/pki/nssdb
+nssDbMode = readOnly
+nssModule = fips
diff --git a/pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch b/pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch
new file mode 100644
index 0000000..4efbe9a
--- /dev/null
+++ b/pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch
@@ -0,0 +1,88 @@
+# HG changeset patch
+# User andrew
+# Date 1478057514 0
+# Node ID 1c4d5cb2096ae55106111da200b0bcad304f650c
+# Parent 3d53f19b48384e5252f4ec8891f7a3a82d77af2a
+PR3183: Support Fedora/RHEL system crypto policy
+diff -r 3d53f19b4838 -r 1c4d5cb2096a src/java.base/share/classes/java/security/Security.java
+--- a/src/java.base/share/classes/java/security/Security.java Wed Oct 26 03:51:39 2016 +0100
++++ b/src/java.base/share/classes/java/security/Security.java Wed Nov 02 03:31:54 2016 +0000
+@@ -43,6 +43,9 @@
+ * implementation-specific location, which is typically the properties file
+ * {@code conf/security/java.security} in the Java installation directory.
+ *
++ *
Additional default values of security properties are read from a
++ * system-specific location, if available.
++ *
+ * @author Benjamin Renaud
+ * @since 1.1
+ */
+@@ -52,6 +55,10 @@
+ private static final Debug sdebug =
+ Debug.getInstance("properties");
++ /* System property file*/
++ private static final String SYSTEM_PROPERTIES =
++ "/etc/crypto-policies/back-ends/java.config";
+ /* The java.security properties */
+ private static Properties props;
+@@ -93,6 +100,7 @@
+ if (sdebug != null) {
+ sdebug.println("reading security properties file: " +
+ propFile);
++ sdebug.println(props.toString());
+ }
+ } catch (IOException e) {
+ if (sdebug != null) {
+@@ -114,6 +122,31 @@
+ }
+ if ("true".equalsIgnoreCase(props.getProperty
++ ("security.useSystemPropertiesFile"))) {
++ // now load the system file, if it exists, so its values
++ // will win if they conflict with the earlier values
++ try (BufferedInputStream bis =
++ new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
++ props.load(bis);
++ loadedProps = true;
++ if (sdebug != null) {
++ sdebug.println("reading system security properties file " +
++ sdebug.println(props.toString());
++ }
++ } catch (IOException e) {
++ if (sdebug != null) {
++ sdebug.println
++ ("unable to load security properties from " +
++ e.printStackTrace();
++ }
++ }
++ }
++ if ("true".equalsIgnoreCase(props.getProperty
+ ("security.overridePropertiesFile"))) {
+ String extraPropFile = System.getProperty
+diff -r 3d53f19b4838 -r 1c4d5cb2096a src/java.base/share/conf/security/java.security
+--- a/src/java.base/share/conf/security/java.security Wed Oct 26 03:51:39 2016 +0100
++++ b/src/java.base/share/conf/security/java.security Wed Nov 02 03:31:54 2016 +0000
+@@ -276,6 +276,13 @@
+ security.overridePropertiesFile=true
+ #
++# Determines whether this properties file will be appended to
++# using the system properties file stored at
++# /etc/crypto-policies/back-ends/java.config
+ # Determines the default key and trust manager factory algorithms for
+ # the javax.net.ssl package.
+ #
diff --git a/pr3695-toggle_system_crypto_policy.patch b/pr3695-toggle_system_crypto_policy.patch
new file mode 100644
index 0000000..3799237
--- /dev/null
+++ b/pr3695-toggle_system_crypto_policy.patch
@@ -0,0 +1,78 @@
+# HG changeset patch
+# User andrew
+# Date 1545198926 0
+# Wed Dec 19 05:55:26 2018 +0000
+# Node ID f2cbd688824c128db7fa848c8732fb0ab3507776
+# Parent 81f07f6d1f8b7b51b136d3974c61bc8bb513770c
+PR3695: Allow use of system crypto policy to be disabled by the user
+Summary: Read user overrides first so security.useSystemPropertiesFile can be disabled and add -Djava.security.disableSystemPropertiesFile
+diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java
+--- a/src/java.base/share/classes/java/security/Security.java
++++ b/src/java.base/share/classes/java/security/Security.java
+@@ -125,31 +125,6 @@
+ }
+ if ("true".equalsIgnoreCase(props.getProperty
+- ("security.useSystemPropertiesFile"))) {
+- // now load the system file, if it exists, so its values
+- // will win if they conflict with the earlier values
+- try (BufferedInputStream bis =
+- new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
+- props.load(bis);
+- loadedProps = true;
+- if (sdebug != null) {
+- sdebug.println("reading system security properties file " +
+- sdebug.println(props.toString());
+- }
+- } catch (IOException e) {
+- if (sdebug != null) {
+- sdebug.println
+- ("unable to load security properties from " +
+- e.printStackTrace();
+- }
+- }
+- }
+- if ("true".equalsIgnoreCase(props.getProperty
+ ("security.overridePropertiesFile"))) {
+ String extraPropFile = System.getProperty
+@@ -215,6 +190,33 @@
+ }
+ }
++ String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
++ if (disableSystemProps == null &&
++ "true".equalsIgnoreCase(props.getProperty
++ ("security.useSystemPropertiesFile"))) {
++ // now load the system file, if it exists, so its values
++ // will win if they conflict with the earlier values
++ try (BufferedInputStream bis =
++ new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
++ props.load(bis);
++ loadedProps = true;
++ if (sdebug != null) {
++ sdebug.println("reading system security properties file " +
++ sdebug.println(props.toString());
++ }
++ } catch (IOException e) {
++ if (sdebug != null) {
++ sdebug.println
++ ("unable to load security properties from " +
++ e.printStackTrace();
++ }
++ }
++ }
+ if (!loadedProps) {
+ initializeStatic();
+ if (sdebug != null) {
diff --git a/remove-intree-libraries.sh b/remove-intree-libraries.sh
new file mode 100644
index 0000000..e999c7e
--- /dev/null
+++ b/remove-intree-libraries.sh
@@ -0,0 +1,157 @@
+# Arguments:
+if test "x${TREE}" = "x"; then
+ echo "$0 (MINIMAL|FULL)";
+ exit 1;
+if test "x${TYPE}" = "x"; then
+ TYPE=minimal;
+if test "x${TYPE}" != "xminimal" -a "x${TYPE}" != "xfull"; then
+ echo "Type must be minimal or full";
+ exit 2;
+echo "Removing in-tree libraries from ${TREE}"
+echo "Cleansing operation: ${TYPE}";
+cd ${TREE}
+echo "Removing built-in libs (they will be linked)"
+# On full runs, allow for zlib having already been deleted by minimal
+echo "Removing zlib"
+if [ "x${TYPE}" = "xminimal" -a ! -d ${ZIP_SRC} ]; then
+ echo "${ZIP_SRC} does not exist. Refusing to proceed."
+ exit 1
+rm -rvf ${ZIP_SRC}
+# Minimal is limited to just zlib so finish here
+if test "x${TYPE}" = "xminimal"; then
+ echo "Finished.";
+ exit 0;
+echo "Removing libjpeg"
+if [ ! -f ${JPEG_SRC}/jdhuff.c ]; then # some file that should definitely exist
+ echo "${JPEG_SRC} does not contain jpeg sources. Refusing to proceed."
+ exit 1
+rm -vf ${JPEG_SRC}/jcomapi.c
+rm -vf ${JPEG_SRC}/jdapimin.c
+rm -vf ${JPEG_SRC}/jdapistd.c
+rm -vf ${JPEG_SRC}/jdcoefct.c
+rm -vf ${JPEG_SRC}/jdcolor.c
+rm -vf ${JPEG_SRC}/jdct.h
+rm -vf ${JPEG_SRC}/jddctmgr.c
+rm -vf ${JPEG_SRC}/jdhuff.c
+rm -vf ${JPEG_SRC}/jdhuff.h
+rm -vf ${JPEG_SRC}/jdinput.c
+rm -vf ${JPEG_SRC}/jdmainct.c
+rm -vf ${JPEG_SRC}/jdmarker.c
+rm -vf ${JPEG_SRC}/jdmaster.c
+rm -vf ${JPEG_SRC}/jdmerge.c
+rm -vf ${JPEG_SRC}/jdphuff.c
+rm -vf ${JPEG_SRC}/jdpostct.c
+rm -vf ${JPEG_SRC}/jdsample.c
+rm -vf ${JPEG_SRC}/jerror.c
+rm -vf ${JPEG_SRC}/jerror.h
+rm -vf ${JPEG_SRC}/jidctflt.c
+rm -vf ${JPEG_SRC}/jidctfst.c
+rm -vf ${JPEG_SRC}/jidctint.c
+rm -vf ${JPEG_SRC}/jidctred.c
+rm -vf ${JPEG_SRC}/jinclude.h
+rm -vf ${JPEG_SRC}/jmemmgr.c
+rm -vf ${JPEG_SRC}/jmemsys.h
+rm -vf ${JPEG_SRC}/jmemnobs.c
+rm -vf ${JPEG_SRC}/jmorecfg.h
+rm -vf ${JPEG_SRC}/jpegint.h
+rm -vf ${JPEG_SRC}/jpeglib.h
+rm -vf ${JPEG_SRC}/jquant1.c
+rm -vf ${JPEG_SRC}/jquant2.c
+rm -vf ${JPEG_SRC}/jutils.c
+rm -vf ${JPEG_SRC}/jcapimin.c
+rm -vf ${JPEG_SRC}/jcapistd.c
+rm -vf ${JPEG_SRC}/jccoefct.c
+rm -vf ${JPEG_SRC}/jccolor.c
+rm -vf ${JPEG_SRC}/jcdctmgr.c
+rm -vf ${JPEG_SRC}/jchuff.c
+rm -vf ${JPEG_SRC}/jchuff.h
+rm -vf ${JPEG_SRC}/jcinit.c
+rm -vf ${JPEG_SRC}/jconfig.h
+rm -vf ${JPEG_SRC}/jcmainct.c
+rm -vf ${JPEG_SRC}/jcmarker.c
+rm -vf ${JPEG_SRC}/jcmaster.c
+rm -vf ${JPEG_SRC}/jcparam.c
+rm -vf ${JPEG_SRC}/jcphuff.c
+rm -vf ${JPEG_SRC}/jcprepct.c
+rm -vf ${JPEG_SRC}/jcsample.c
+rm -vf ${JPEG_SRC}/jctrans.c
+rm -vf ${JPEG_SRC}/jdtrans.c
+rm -vf ${JPEG_SRC}/jfdctflt.c
+rm -vf ${JPEG_SRC}/jfdctfst.c
+rm -vf ${JPEG_SRC}/jfdctint.c
+rm -vf ${JPEG_SRC}/jversion.h
+rm -vf ${JPEG_SRC}/README
+echo "Removing giflib"
+if [ ! -d ${GIF_SRC} ]; then
+ echo "${GIF_SRC} does not exist. Refusing to proceed."
+ exit 1
+rm -rvf ${GIF_SRC}
+echo "Removing libpng"
+if [ ! -d ${PNG_SRC} ]; then
+ echo "${PNG_SRC} does not exist. Refusing to proceed."
+ exit 1
+rm -rvf ${PNG_SRC}
+echo "Removing lcms"
+if [ ! -d ${LCMS_SRC} ]; then
+ echo "${LCMS_SRC} does not exist. Refusing to proceed."
+ exit 1
+rm -vf ${LCMS_SRC}/cmscam02.c
+rm -vf ${LCMS_SRC}/cmscgats.c
+rm -vf ${LCMS_SRC}/cmscnvrt.c
+rm -vf ${LCMS_SRC}/cmserr.c
+rm -vf ${LCMS_SRC}/cmsgamma.c
+rm -vf ${LCMS_SRC}/cmsgmt.c
+rm -vf ${LCMS_SRC}/cmshalf.c
+rm -vf ${LCMS_SRC}/cmsintrp.c
+rm -vf ${LCMS_SRC}/cmsio0.c
+rm -vf ${LCMS_SRC}/cmsio1.c
+rm -vf ${LCMS_SRC}/cmslut.c
+rm -vf ${LCMS_SRC}/cmsmd5.c
+rm -vf ${LCMS_SRC}/cmsmtrx.c
+rm -vf ${LCMS_SRC}/cmsnamed.c
+rm -vf ${LCMS_SRC}/cmsopt.c
+rm -vf ${LCMS_SRC}/cmspack.c
+rm -vf ${LCMS_SRC}/cmspcs.c
+rm -vf ${LCMS_SRC}/cmsplugin.c
+rm -vf ${LCMS_SRC}/cmsps2.c
+rm -vf ${LCMS_SRC}/cmssamp.c
+rm -vf ${LCMS_SRC}/cmssm.c
+rm -vf ${LCMS_SRC}/cmstypes.c
+rm -vf ${LCMS_SRC}/cmsvirt.c
+rm -vf ${LCMS_SRC}/cmswtpnt.c
+rm -vf ${LCMS_SRC}/cmsxform.c
+rm -vf ${LCMS_SRC}/lcms2.h
+rm -vf ${LCMS_SRC}/lcms2_internal.h
+rm -vf ${LCMS_SRC}/lcms2_plugin.h
diff --git a/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch b/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
new file mode 100644
index 0000000..3042186
--- /dev/null
+++ b/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
@@ -0,0 +1,16 @@
+diff -r 618ad1237e73 src/java.desktop/share/classes/java/awt/Toolkit.java
+--- a/src/java.desktop/share/classes/java/awt/Toolkit.java Thu Jun 13 19:37:49 2019 +0200
++++ b/src/java.desktop/share/classes/java/awt/Toolkit.java Thu Jul 04 10:35:42 2019 +0200
+@@ -595,7 +595,11 @@
+ toolkit = new HeadlessToolkit(toolkit);
+ }
+ if (!GraphicsEnvironment.isHeadless()) {
+- loadAssistiveTechnologies();
++ try {
++ loadAssistiveTechnologies();
++ } catch (AWTError error) {
++ // ignore silently
++ }
+ }
+ }
+ return toolkit;
diff --git a/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch b/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
new file mode 100644
index 0000000..7be1fae
--- /dev/null
+++ b/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
@@ -0,0 +1,12 @@
+diff --git openjdk/src/java.base/share/conf/security/java.security openjdk/src/java.base/share/conf/security/java.security
+index 534bdae5a16..2df2b59cbf6 100644
+--- openjdk/src/java.base/share/conf/security/java.security
++++ openjdk/src/java.base/share/conf/security/java.security
+@@ -78,6 +78,7 @@ security.provider.tbd=SunMSCAPI
+ security.provider.tbd=Apple
+ #endif
+ security.provider.tbd=SunPKCS11
++#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
+ #
+ # A list of preferred providers for specific algorithms. These providers will
diff --git a/rh1648644-java_access_bridge_privileged_security.patch b/rh1648644-java_access_bridge_privileged_security.patch
new file mode 100644
index 0000000..53026ad
--- /dev/null
+++ b/rh1648644-java_access_bridge_privileged_security.patch
@@ -0,0 +1,20 @@
+--- openjdk/src/java.base/share/conf/security/java.security
++++ openjdk/src/java.base/share/conf/security/java.security
+@@ -304,6 +304,8 @@
+ #
+ package.access=sun.misc.,\
+ sun.reflect.,\
++ org.GNOME.Accessibility.,\
++ org.GNOME.Bonobo.,\
+ #
+ # List of comma-separated packages that start with or equal this string
+@@ -316,6 +318,8 @@
+ #
+ package.definition=sun.misc.,\
+ sun.reflect.,\
++ org.GNOME.Accessibility.,\
++ org.GNOME.Bonobo.,\
+ #
+ # Determines whether this properties file can be appended to
diff --git a/rh1655466-global_crypto_and_fips.patch b/rh1655466-global_crypto_and_fips.patch
new file mode 100644
index 0000000..80cd91c
--- /dev/null
+++ b/rh1655466-global_crypto_and_fips.patch
@@ -0,0 +1,205 @@
+diff --git a/src/java.base/share/classes/javopenjdk.orig///security/Security.java openjdk///src/java.base/share/classes/java/security/Security.java
+--- openjdk.orig/src/java.base/share/classes/java/security/Security.java
++++ openjdk/src/java.base/share/classes/java/security/Security.java
+@@ -196,26 +196,8 @@
+ if (disableSystemProps == null &&
+ "true".equalsIgnoreCase(props.getProperty
+ ("security.useSystemPropertiesFile"))) {
+- // now load the system file, if it exists, so its values
+- // will win if they conflict with the earlier values
+- try (BufferedInputStream bis =
+- new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
+- props.load(bis);
++ if (SystemConfigurator.configure(props)) {
+ loadedProps = true;
+- if (sdebug != null) {
+- sdebug.println("reading system security properties file " +
+- sdebug.println(props.toString());
+- }
+- } catch (IOException e) {
+- if (sdebug != null) {
+- sdebug.println
+- ("unable to load security properties from " +
+- e.printStackTrace();
+- }
+ }
+ }
+diff --git a/src/java.base/share/classes/javopenjdk.orig///security/SystemConfigurator.java openjdk///src/java.base/share/classes/java/security/SystemConfigurator.java
+new file mode 100644
+--- /dev/null
++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
+@@ -0,0 +1,151 @@
++ * Copyright (c) 2019, Red Hat, Inc.
++ *
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++package java.security;
++import java.io.BufferedInputStream;
++import java.io.FileInputStream;
++import java.io.IOException;
++import java.nio.file.Files;
++import java.nio.file.Path;
++import java.util.Iterator;
++import java.util.Map.Entry;
++import java.util.Properties;
++import java.util.function.Consumer;
++import java.util.regex.Matcher;
++import java.util.regex.Pattern;
++import sun.security.util.Debug;
++ * Internal class to align OpenJDK with global crypto-policies.
++ * Called from java.security.Security class initialization,
++ * during startup.
++ *
++ */
++class SystemConfigurator {
++ private static final Debug sdebug =
++ Debug.getInstance("properties");
++ private static final String CRYPTO_POLICIES_BASE_DIR =
++ "/etc/crypto-policies";
++ private static final String CRYPTO_POLICIES_JAVA_CONFIG =
++ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
++ private static final String CRYPTO_POLICIES_CONFIG =
++ private static final class SecurityProviderInfo {
++ int number;
++ String key;
++ String value;
++ SecurityProviderInfo(int number, String key, String value) {
++ this.number = number;
++ this.key = key;
++ this.value = value;
++ }
++ }
++ /*
++ * Invoked when java.security.Security class is initialized, if
++ * java.security.disableSystemPropertiesFile property is not set and
++ * security.useSystemPropertiesFile is true.
++ */
++ static boolean configure(Properties props) {
++ boolean loadedProps = false;
++ try (BufferedInputStream bis =
++ new BufferedInputStream(
++ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) {
++ props.load(bis);
++ loadedProps = true;
++ if (sdebug != null) {
++ sdebug.println("reading system security properties file " +
++ sdebug.println(props.toString());
++ }
++ } catch (IOException e) {
++ if (sdebug != null) {
++ sdebug.println("unable to load security properties from " +
++ e.printStackTrace();
++ }
++ }
++ try {
++ if (enableFips()) {
++ if (sdebug != null) { sdebug.println("FIPS mode detected"); }
++ loadedProps = false;
++ // Remove all security providers
++ Iterator> i = props.entrySet().iterator();
++ while (i.hasNext()) {
++ Entry