Commit Graph

147 Commits

Author SHA1 Message Date
Andrew Hughes
b9b37d75af Move maintenance scripts to a scripts subdirectory
- Related: RHEL-52734
2024-08-04 22:23:39 +01:00
Andrew Hughes
36507ff0e2 generate_source_tarball.sh: Only add --depth=1 on non-local repositories
- Related: RHEL-52734
2024-08-04 22:23:36 +01:00
Andrew Hughes
f685749527 generate_source_tarball.sh: Create directory in TMPDIR when using WITH_TEMP
- Related: RHEL-52734
2024-08-04 22:23:33 +01:00
Andrew Hughes
82e376a033 generate_source_tarball.sh: Cleanup message issued when checkout already exists
- Related: RHEL-52734
2024-08-04 22:23:31 +01:00
Thomas Fitzsimmons
5f4c27a01b generate_source_tarball.sh: Update examples in header for clarity
- Related: RHEL-52734
2024-08-04 22:23:29 +01:00
Thomas Fitzsimmons
8e6afb27a0 Sync generate_source_tarball.sh from Fedora rawhide
- Related: RHEL-52734
2024-08-04 22:23:26 +01:00
Thomas Fitzsimmons
5a73fc942e Change a fix-me comment to a note instead
- Related: RHEL-52734
2024-08-04 22:23:24 +01:00
Thomas Fitzsimmons
e110d448fd Label as error a designator mismatch
- Related: RHEL-52734
2024-08-04 22:23:22 +01:00
Thomas Fitzsimmons
41062cec39 Update to jdk-17.0.12+6 (EA)
- Add openjdk-17.0.12+6-ea.tar.xz to .gitignore
- Set updatever to 12
- Set buildver to 6
- Set rpmrelease to 1
- Set is_ga to 0
- Update sources to openjdk-17.0.12+6-ea.tar.xz
- Require tzdata-java 2024a at runtime and for build (JDK-8325150)
- Update lcms2 bundled provides to 2.16.0
- Add zlib 1.3.1 bundled provides and zlib-devel build requirement (OPENJDK-3065)

- Related: RHEL-52734
2024-08-04 22:22:53 +01:00
Andrew Hughes
4a95eb8669 Handle debugedit being a separate package installed in /usr on RHEL/CentOS 10
Related: RHEL-45216
2024-07-31 05:37:35 +01:00
Andrew Hughes
62330df1bf Set this to *not* be the default/system JDK providing 'java', 'jre', 'java-devel', etc.
This is actually a no-op following the sync with RHEL 9, because
java-17-openjdk is not the default there either.

Resolves: RHEL-45722
2024-07-31 05:37:32 +01:00
Andrew Hughes
c92c114d34 Fix gating.yaml to reference RHEL 10
- Resolves: RHEL-51870
2024-07-31 05:37:30 +01:00
Thomas Fitzsimmons
c9b2d8797c Update to jdk-17.0.11+9 (GA)
- Add openjdk-17.0.11+9.tar.xz to .gitignore
- Update buildjdkver to match the featurever
- Use featurever macro to specify fips patch
- Explain patchN syntax situation in a comment
- Sync generate_source_tarball.sh
- Require tzdata 2023d (JDK-8322725)
- openjdk_news.sh: Use grep -E instead of egrep
- Remove RH1649512 patch for libjpeg-turbo FAR macro
- Move pcsc-lite-libs patch to in-need-of-upstreaming section
- Sync java-17-openjdk-portable.specfile from openjdk-portable-rhel-8
- Update tzdata Requires comment to mention that 2024a is not yet in the buildroot
- Update tzdata BuildRequires comment to mention that 2024a is not yet in the buildroot
- Update tzdata BuildRequires from 2023c to 2023d

- Resolves: RHEL-45216

** This tarball is embargoed until 2024-04-16 @ 1pm PT. **
2024-07-31 05:37:27 +01:00
Thomas Fitzsimmons
230a7648f8 Update to jdk-17.0.10+7 (GA)
- Sync the copy of the portable specfile with the latest update
- fips-17u-d63771ea660.patch: Regenerate from gnu-andrew branch
- generate_source_tarball.sh changes:
  - Add WITH_TEMP environment variable
  - Multithread xz on all available cores
  - Add OPENJDK_LATEST environment variable
  - Update comment about tarball naming
  - Remove REPO_NAME from FILE_NAME_ROOT
  - Set compile-command in Emacs
  - Reformat comment header
  - Reformat and update help output
  - Move PROJECT_NAME and REPO_NAME checks
  - Do a shallow clone, for speed
  - Append -ea designator when required
  - Eliminate some removal prompting
  - Make tarball reproducible
  - Prefix temporary directory with temp-
  - shellcheck: Remove x-prefixes since we use Bash
  - shellcheck: Double-quote variable references
  - shellcheck: Do not use -a
  - shellcheck: Do not use $ in expression
  - Remove temporary directory exit conditions
  - Add --sort=name to tar invocation for reproducibility
  - Add note on network usage of OPENJDK_LATEST
- Move to -P<n> usage for patch macro which works on all RPM versions
- Re-enable DEFAULT_PROMOTED_VERSION_PRE check disabled for the July 2023 release
- Remove RH1648644 patch not in portable build (and so not applied to binary used)

- Related: RHEL-45216
2024-07-31 05:37:24 +01:00
Andrew Hughes
3240a4e25b Update to jdk-17.0.9+9 (GA)
Update release notes to 17.0.9+9
Re-generate FIPS patch against 17.0.9+1 following backport of JDK-8209398
Bump libpng version to 1.6.39 following JDK-8305815
Bump HarfBuzz version to 7.2.0 following JDK-8307301
Bump freetype version to 2.13.0 following JDK-8306881
Update generate_tarball.sh to be closer to upstream vanilla script inc. no more ECC removal
Sync generate_tarball.sh with 11u version
Update bug URL for RHEL to point to the Red Hat customer portal
Change top_level_dir_name to use the VCS tag, matching new upstream release style tarball
Use upstream release URL for OpenJDK source
Apply all patches using -p1
Temporarily turn off 'fresh_libjvm' due to removal of JVM_IsThreadAlive (JDK-8305425)
Fix packaging of CDS archives
Following JDK-8005165, class data sharing can be enabled on all JIT architectures
Exclude classes_nocoops.jsa on i686 and arm32
Introduce vm_variant global for consistency with future JDK builds
Add missing JFR and jpackage alternative ghosts
Move jcmd to the headless package

The JDK build includes CDS archives, classes.jsa and classes_nocoops.jsa
already since JEP 341. Executing -Xshare:dump in the headless post
script breaks AppCDS workflows using dynamic dumps since that relies
on the base CDS archive from the JDK to be unchanged.

** This tarball is embargoed until 2023-10-17 @ 1pm PT. **

- Related: RHEL-45216
2024-07-31 05:37:20 +01:00
Andrew Hughes
c1acd76c82 Set portablerelease and portablerhel to use the CentOS 9 build
Related: RHEL-45216
2024-07-31 05:37:16 +01:00
Andrew Hughes
07bb241a34 Bump release number so we are newer than 9.0
Related: RHEL-45216
2024-07-31 05:37:14 +01:00
Andrew Hughes
df01c10dc7 Update to jdk-17.0.8.1+1 (GA)
Update release notes to 17.0.8.1+1
Add backport of JDK-8312489 already upstream in 17.0.10 (see OPENJDK-2095)
Update openjdk_news script to specify subdirectory last
Add missing discover_trees script required by openjdk_news
Synchronise runtime and buildtime tzdata requirements

Related: RHEL-45216
2024-07-31 05:37:10 +01:00
Andrew Hughes
74bb692207 Bump release number so we are newer than 9.0
Related: RHEL-45216
2024-07-31 05:37:07 +01:00
Andrew Hughes
f82f4f8003 Update to jdk-17.0.8+7 (GA)
- Update release notes to 17.0.8+7
- Drop local inclusion of JDK-8274864 & JDK-8305113 as they are included in 17.0.8+1
- Bump bundled LCMS version to 2.15 as in jdk-17.0.8+1.
- Bump bundled HarfBuzz version to 7.0.1 as in jdk-17.0.8+1
- Use tapsets from the misc tarball
- Introduce 'prelease' for the portable release versioning, to handle EA builds
- Make sure root installation directory is created first
- Use in-place substitution for all but the first of the tapset changes
- Sync the copy of the portable specfile with the latest update
- Add note at top of spec file about rebuilding

* This tarball is embargoed until 2023-07-18 @ 1pm PT. *

Related: RHEL-45216
2024-07-31 05:37:04 +01:00
Severin Gehwolf
5a851c3cdd Fix packaging of CDS archives
The JDK build includes CDS archives, classes.jsa and classes_nocoops.jsa
already since JEP 341. Executing -Xshare:dump in the headless post
script breaks AppCDS workflows using dynamic dumps since that relies
on the base CDS archive from the JDK to be unchanged.

Following JDK-8005165, class data sharing can be enabled on all JIT architectures

Exclude classes_nocoops.jsa on i686 and arm32

Introduce vm_variant global for consistency with future JDK builds

Related: RHEL-45216
2024-07-31 05:37:01 +01:00
Andrew Hughes
1469710053 Update to jdk-17.0.7.0+7
Update release notes to 17.0.7.0+7
Require tzdata 2023c due to local inclusion of JDK-8274864 & JDK-8305113
Update generate_tarball.sh to add support for passing a boot JDK to the configure run
Add POSIX-friendly error codes to generate_tarball.sh and fix whitespace
Remove .jcheck and GitHub support when generating tarballs, as done in upstream release tarballs
Update FIPS support against 17.0.7+6 and bring in latest changes:
- * RH2134669: Add missing attributes when registering services in FIPS mode.
- * test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class
- * RH1940064: Enable XML Signature provider in FIPS mode
- * RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized
Fix trailing '.' in tarball name
Use portablerelease in vendor version to avoid inclusion of dist tag
Replace local copies of JDK portable binaries with build dependencies
Include the java-17-openjdk-portable.spec file with instructions on how to rebuild.

** This tarball is embargoed until 2023-04-18 @ 1pm PT. **

Related: RHEL-45216
2024-07-31 05:36:58 +01:00
Andrew Hughes
e11662f402 Replace build section with extraction of existing builds from portables
Related: RHEL-45216
2024-07-31 05:36:54 +01:00
Andrew Hughes
d569f27fea Update to jdk-17.0.6.0+10
Update release notes to 17.0.6.0+10
Switch to GA mode for release

Related: RHEL-45216
2024-07-31 05:36:51 +01:00
Andrew Hughes
bb1b4135ec Update FIPS support to bring in latest changes
* OJ1357: Fix issue on FIPS with a SecurityManager in place

Related: RHEL-45216
2024-07-31 05:36:48 +01:00
Stephan Bergmann
7b0d9a0664 Fix flatpak builds
...after
<6eee73b250>
"Update to jdk-11.0.16.1+1" added the TestTranslations.java "test to ensure
timezones can be translated":  Similar to the previous
<1ac4052b44>
"Fix flatpak builds", during a flatpak build of java-11-openjdk its
.../images/jdk/lib/tzdb.dat is a dangling symlink to
/app/share/javazi-1.8/tzdb.dat (but which will be a working symlink in at least
the assembled LibreOffice flatpak).  That causes execution of
TestTranslations.java during the build to fail due to a
java.io.FileNotFoundException when trying to access that tzdb.dat.  The easiest
fix appears to be to just not run that specific test for a flatpak build.

Related: RHEL-45216

n Bergmann <sbergman@redhat.com>
2024-07-31 05:36:46 +01:00
Andrew Hughes
e7c2a55a19 Update to jdk-17.0.6+9
- Update release notes to 17.0.6+9
- Switch to EA mode for 17.0.6 pre-release builds.
- Re-enable EA upstream status check now it is being actively maintained.
- Drop JDK-8294357 (tzdata2022d) & JDK-8295173 (tzdata2022e) local patches which are now upstream
- Drop JDK-8275535 local patch now this has been accepted and backported upstream
- Bump tzdata requirement to 2022e now the package is available in RHEL
- Drop local copy of JDK-8293834 now this is upstream
- Require tzdata 2022g due to inclusion of JDK-8296108, JDK-8296715 & JDK-8297804
- Update TestTranslations.java to test the new America/Ciudad_Juarez zone

Related: RHEL-45216
2024-07-31 05:36:43 +01:00
Andrew Hughes
cbb53afa39 Update FIPS support to bring in latest changes
* Add nss.fips.cfg support to OpenJDK tree
* RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode
* Remove forgotten dead code from RH2020290 and RH2104724

Drop local nss.fips.cfg.in handling now this is handled in the patched OpenJDK build

Related: RHEL-45216
2024-07-31 05:36:40 +01:00
Andrew Hughes
834f6b6cf7 Update to jdk-17.0.5+8 (GA)
- Update release notes to 17.0.5+8 (GA)
- Switch to EA mode for 17.0.5 pre-release builds.
- Bump HarfBuzz bundled version to 4.4.1 following JDK-8289853
- Bump FreeType bundled version to 2.12.1 following JDK-8290334
- Update in-tree tzdata to 2022e with JDK-8294357 & JDK-8295173
- Update CLDR data with Europe/Kyiv (JDK-8293834)
- Drop JDK-8292223 patch which we found to be unnecessary
- Update TestTranslations.java to use public API based on TimeZoneNamesTest upstream
- The stdc++lib, zlib & freetype options should always be set from the global, so they are not altered for staticlibs builds
- Remove freetype sources along with zlib sources

Related: RHEL-45216
2024-07-31 05:36:36 +01:00
Andrew Hughes
ed2d771885 Switch to static builds, reducing system dependencies and making build more portable
Related: RHEL-45216
2024-07-31 05:36:32 +01:00
Andrew Hughes
eae97cbd22 Fix flatpak builds (catering for their uncompressed manual pages)
...see
<https://docs.fedoraproject.org/en-US/flatpak/troubleshooting/#_uncompressed_manual_pages>
for details

Fix flatpak builds

...after 19065a8b01585a1aa5f22e38e99fc0c47c597074 "Temporarily move x86 to use
Zero in order to get a working build":

When building the

>       if ${run_bootstrap} ; then

branch for suffix='' and loop='-main', the second

>           buildjdk ${builddir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt}

uses the JDK (`$(pwd)/${bootinstalldir}/images/%{jdkimage}`) from the installjdk
on the previous line.  But installjdk does

>       rm ${imagepath}/lib/tzdb.dat
>       ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat

which made that JDK's tzdb.dat link to /app/share/javazi-1.8/tzdb.dat in a
flatpak build (rather than the usual /usr/share/javazi-1.8/tzdb.dat in a non-
flatpak build) which is not present at build-time (but will be present at
runtime in at least the LibreOffice flatpak, which bundles tzdata-java built for
the flatpak /app prefix).  So using that JDK's compiler during the build kept
failing due to java.io.FileNotFoundException for its lib/tzdb.dat.

(This was not an issue prior to 19065a8b01585a1aa5f22e38e99fc0c47c597074, as
installjdk's modification of lib/tzdb.dat used to be done only for the "Final
setup on the main image" at the very end of the build, not during the build for
JDKs that are themselves used later during the build.)

The easiest workaround for this issue appears to be to just not bootstrap_build
in the flatpak case, avoiding the situation that a JDK whose lib/tzdb.dat has
been modified through installjdk is used during the build.

Related: RHEL-45216
2024-07-31 05:36:30 +01:00
Andrew Hughes
017ff0106a Update FIPS support to bring in latest changes
* RH2104724: Avoid import/export of DH private keys
* RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode
* Build the systemconf library on all platforms
* RH2048582: Support PKCS#12 keystores
* RH2020290: Support TLS 1.3 in FIPS mode

Related: RHEL-45216
2024-07-31 05:36:28 +01:00
Andrew Hughes
01cdf65fff Update to jdk-17.0.4.1+1
Update release notes to 17.0.4.1+1
Add patch to provide translations for Europe/Kyiv added in tzdata2022b
Add test to ensure timezones can be translated

Related: RHEL-45216
2024-07-31 05:36:26 +01:00
Andrew Hughes
afb8dc6abe Update to jdk-17.0.3.0+8
Update release notes to 17.0.3.0+8
Switch to GA mode for release

Related: RHEL-45216
2024-07-31 05:36:23 +01:00
Andrew Hughes
ec138c6d2c - Revert the following changes until copy-java-configs has adapted to relative symlinks:
* Move cacerts replacement to install section and retain original of this and tzdb.dat
* Run tests on the installed image, rather than the build image
* Introduce variables to refer to the static library installation directories
* Use relative symlinks so they work within the image
* Run debug symbols check during build stage, before the install strips them

The move of turning on system security properties is retained so we don't ship with them off

Related: RHEL-45216
2024-07-31 05:36:20 +01:00
Andrew Hughes
7bbc863a62 Update to jdk-17.0.4.0+7
- Update release notes to 17.0.4.0+7
- Switch to EA mode for 17.0.4 pre-release builds.
- Print release file during build, which should now include a correct SOURCE value from .src-rev
- Update tarball script with IcedTea GitHub URL and .src-rev generation
- Include script to generate bug list for release notes
- Update tzdata requirement to 2022a to match JDK-8283350
- Move EA designator check to prep so failures can be caught earlier
- Make EA designator check non-fatal while upstream is not maintaining it
- Need to include the '.S' suffix in debuginfo checks after JDK-8284661
- Explicitly require crypto-policies during build and runtime for system security properties
- Make use of the vendor version string to store our version & release rather than an upstream release date
- Include a test in the RPM to check the build has the correct vendor information.
- Fix issue where CheckVendor.java test erroneously passes when it should fail.
- Add proper quoting so '&' is not treated as a special character by the shell.

Related: RHEL-45216
2024-07-31 05:36:17 +01:00
Andrew Hughes
788e506735 Fix whitespace in spec file
Related: RHEL-45216
2024-07-31 05:36:13 +01:00
Andrew Hughes
5635e8e6a1 Sequence spec file sections as they are run by rpmbuild (build, install then test)
Related: RHEL-45216
2024-07-31 05:36:11 +01:00
Andrew Hughes
332589c5ef Rebase FIPS patches from fips-17u branch and simplify by using a single patch from that repository
* Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
* RH2023467: Enable FIPS keys export
* RH2094027: SunEC runtime permission for FIPS

- Update FIPS support to bring in latest changes

* RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
* RH2090378: Revert to disabling system security properties and FIPS mode support together

- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch
- Enable system security properties in the RPM (now disabled by default in the FIPS repo)
- Improve security properties test to check both enabled and disabled behaviour
- Run security properties test with property debugging on
- RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode
- Use SunPKCS11 Attributes Configuration to set CKA_SIGN=true on SecretKey generate/import operations in FIPS mode, see:
https://docs.oracle.com/en/java/javase/17/security/pkcs11-reference-guide1.html#GUID-C4ABFACB-B2C9-4E71-A313-79F881488BB9__PKCS11-ATTRIBUTES-CONFIGURATION
- Turn on system security properties as part of the build's install section
- Move cacerts replacement to install section and retain original of this and tzdb.dat
- Run tests on the installed image, rather than the build image
- Introduce variables to refer to the static library installation directories
- Use relative symlinks so they work within the image
- Run debug symbols check during build stage, before the install strips them

Related: RHEL-45216
2024-07-31 05:36:08 +01:00
Andrew Hughes
6cd790a2b6 April 2022 security update to jdk 17.0.3+7
- Update release notes to 17.0.3.0+7
- Add JDK-8283911 to fix bad DEFAULT_PROMOTED_VERSION_PRE value
- Add missing README.md and generate_source_tarball.sh
- JDK-8283911 patch no longer needed now we're GA...

Related: RHEL-45216
2024-07-31 05:36:04 +01:00
Andrew Hughes
91d1b8f7ad Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode
Related: RHEL-45216
2024-07-31 05:36:01 +01:00
Andrew Hughes
a9bd5e27a5 Add rpminspect.yaml to turn off Java bytecode inspections
java-17-openjdk deliberately produces Java 17 bytecode, not the default Java 11 bytecode

Related: RHEL-45216
2024-07-31 05:35:58 +01:00
Andrew Hughes
b98991e223 Introduce tests/tests.yml, based on the one in java-11-openjdk
Related: RHEL-45216
2024-07-31 05:35:55 +01:00
Jiri
fdb9e3b16f Storing and restoring alternatives during update manually
Fixing:
Bug 2001567 - update of JDK/JRE is removing its manually selected alternatives and select (as auto) system JDK/JRE

The move of alternatives creation to posttrans to fix:
Bug 1200302 - dnf reinstall breaks alternatives
had caused the alternatives to be removed, and then created again,
instead of being added, and then removing the old, and thus persisting
the selection in family

Thus this fix is storing the family of manually selected master, and if
stored, then it is restoring the family of the master

Related: RHEL-45216
2024-07-31 05:35:52 +01:00
Andrew Hughes
5624b80cb1 Family extracted to globals
Related: RHEL-45216
2024-07-31 05:35:50 +01:00
Andrew Hughes
5e2c1d6e74 Detect NSS at runtime for FIPS detection
Turn off build-time NSS linking and go back to an explicit Requires on NSS

Related: RHEL-45216
2024-07-31 05:35:47 +01:00
Andrew Hughes
8000ad05ee Add JDK-8275535 patch to fix LDAP authentication issue.
Related: RHEL-45216
2024-07-31 05:35:45 +01:00
Andrew Hughes
71bdf191f1 Separate crypto policy initialisation from FIPS initialisation, now they are no longer interdependent
Related: RHEL-45216
2024-07-31 05:35:42 +01:00
Andrew Hughes
1e0281f633 Fix FIPS issues in native code and with initialisation of java.security.Security
Related: RHEL-45216
2024-07-31 05:35:40 +01:00
Andrew Hughes
c9d027baf9 Cherry-pick appropriate spec file changes from Fedora
* Restructure the build so a minimal initial build is then used for the final build (with docs)
  - This reduces pressure on the system JDK and ensures the JDK being built can do a full build
* Turn off bootstrapping for slow debug builds, which are particularly slow on ppc64le.
* Handle Fedora in distro conditionals that currently only pertain to RHEL.
* Replace tabs by sets of spaces to make rpmlint happy
  - Run OpenJDK normalizer script on the spec file to fix further rogue whitespace
* javadoc-zip gets its own provides next to plain javadoc ones
* Sync gdb test with java-1.8.0-openjdk and improve architecture restrictions.
* Introduce stapinstall variable to set SystemTap arch directory correctly (e.g. arm64 on aarch64)
  - Need to support noarch for creating source RPMs for non-scratch builds.
* Support a HotSpot-only build so a freshly built libjvm.so can then be used in the bootstrap JDK.
  - Replace -mstackrealign with -mincoming-stack-boundary=2 -mpreferred-stack-boundary=4 on x86_32 for stack alignment
  - Explicitly list JIT architectures rather than relying on those with slowdebug builds
  - Disable the serviceability agent on Zero architectures even when the architecture itself is supported

Related: RHEL-45216
2024-07-31 05:35:37 +01:00