Patch and documentation cleanup

Update documentation (README.md) Replace alt-java patch with a binary separate from the JDK Drop stale patches that are of little use any more: - * nss.cfg has been disabled since early PKCS11 work and long superseded by FIPS work - * No accessibility subpackage to warrant RH1648242 & RH1648644 patches any more - * No use of system libjpeg turbo to warrant RH649512 patch any more - Replace RH1684077 pcsc-lite-libs patch with better JDK-8009550 fix being upstreamed Adapt alt-java test to new binary where there is always a set_speculation function Related: RHEL-12996
2023-08-24 02:06:25 +01:00 · 2023-08-24 02:06:25 +01:00 · e04786271f
commit e04786271f
parent b7035cb980
11 changed files with 276 additions and 263 deletions
--- a/README.md
+++ b/README.md
@ -1,14 +1,12 @@
-OpenJDK 17 is the latest Long-Term Support (LTS) release of the Java platform.
+OpenJDK 21 is the latest Long-Term Support (LTS) release of the Java platform.
-For a list of major changes from OpenJDK 11 (java-11-openjdk), see the upstream
+For a list of major changes from OpenJDK 17 (java-17-openjdk), see the upstream
-release page for OpenJDK 17 and the preceding interim releases:
+release page for OpenJDK 21 and the preceding interim releases:
-* 12: https://openjdk.java.net/projects/jdk/12/
+* 18: https://openjdk.java.net/projects/jdk/18/
-* 13: https://openjdk.java.net/projects/jdk/13/
+* 19: https://openjdk.java.net/projects/jdk/19/
-* 14: https://openjdk.java.net/projects/jdk/14/
+* 20: https://openjdk.java.net/projects/jdk/20/
-* 15: https://openjdk.java.net/projects/jdk/15/
+* 21: https://openjdk.java.net/projects/jdk/21/
 * 16: https://openjdk.java.net/projects/jdk/16/
 * 17: https://openjdk.java.net/projects/jdk/17/
 # Rebuilding the OpenJDK package
@ -20,21 +18,21 @@ multiple builds which only differ by the platform they were built on.
 This does make rebuilding the package slightly more complicated than a
 normal package. Modifications should be made to the
-`java-17-openjdk-portable.specfile` file, which can be found with this
+`java-21-openjdk-portable.specfile` file, which can be found with this
 README file in the source RPM or installed in the documentation tree
-by the `java-17-openjdk-headless` RPM.
+by the `java-21-openjdk-headless` RPM.
-Once the modified `java-17-openjdk-portable` RPMs are built, they
+Once the modified `java-21-openjdk-portable` RPMs are built, they
 should be installed and will produce a number of tarballs in the
-`/usr/lib/jvm` directory. The `java-17-openjdk` RPMs can then be
+`/usr/lib/jvm` directory. The `java-21-openjdk` RPMs can then be
 built, which will use these tarballs to create the usual RPMs found in
-RHEL. The `java-17-openjdk-portable` RPMs can be uninstalled once the
+RHEL. The `java-21-openjdk-portable` RPMs can be uninstalled once the
 desired final RPMs are produced.
-Note that the `java-17-openjdk.spec` file has a hard requirement on
+Note that the `java-21-openjdk.spec` file has a hard requirement on
-the exact version of java-17-openjdk-portable to use, so this will
+the exact version of java-21-openjdk-portable to use, so this will
 need to be modified if the version or rpmrelease values are changed in
-`java-17-openjdk-portable.specfile`.
+`java-21-openjdk-portable.specfile`.
 To reduce the number of RPMs involved, the `fastdebug` and `slowdebug`
 builds may be disabled using `--without fastdebug` and `--without
--- a/alt-java.c
+++ b/alt-java.c
@ -0,0 +1,100 @@
 /*
 * Copyright (C) 2023 Red Hat, Inc.
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 *
 * This code is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License version 2 only, as
 * published by the Free Software Foundation.  Red Hat designates this
 * particular file as subject to the "Classpath" exception as provided
 * by Red Hat in the LICENSE file that accompanied this code.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * version 2 for more details (a copy is included in the LICENSE file that
 * accompanied this code).
 *
 * You should have received a copy of the GNU General Public License version
 * 2 along with this work; if not, write to the Free Software Foundation,
 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 *
 */
 #include <errno.h>
 #include <libgen.h>
 #include <linux/limits.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <sys/prctl.h>
 #include <unistd.h>
 /* Per task speculation control */
 #ifndef PR_GET_SPECULATION_CTRL
 # define PR_GET_SPECULATION_CTRL    52
 #endif
 #ifndef PR_SET_SPECULATION_CTRL
 # define PR_SET_SPECULATION_CTRL    53
 #endif
 /* Speculation control variants */
 #ifndef PR_SPEC_STORE_BYPASS
 # define PR_SPEC_STORE_BYPASS          0
 #endif
 /* Return and control values for PR_SET/GET_SPECULATION_CTRL */
 #ifndef PR_SPEC_NOT_AFFECTED
 # define PR_SPEC_NOT_AFFECTED          0
 #endif
 #ifndef PR_SPEC_PRCTL
 # define PR_SPEC_PRCTL                 (1UL << 0)
 #endif
 #ifndef PR_SPEC_ENABLE
 # define PR_SPEC_ENABLE                (1UL << 1)
 #endif
 #ifndef PR_SPEC_DISABLE
 # define PR_SPEC_DISABLE               (1UL << 2)
 #endif
 #ifndef PR_SPEC_FORCE_DISABLE
 # define PR_SPEC_FORCE_DISABLE         (1UL << 3)
 #endif
 #ifndef PR_SPEC_DISABLE_NOEXEC
 # define PR_SPEC_DISABLE_NOEXEC        (1UL << 4)
 #endif
 static void set_speculation() {
 #if defined(__linux__) && defined(__x86_64__)
  // PR_SPEC_DISABLE_NOEXEC doesn't survive execve, so we can't use it
  //  if ( prctl(PR_SET_SPECULATION_CTRL,
  //           PR_SPEC_STORE_BYPASS,
  //           PR_SPEC_DISABLE_NOEXEC, 0, 0) == 0 ) {
  //  return;
  // }
  prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);
 #else
 #warning alt-java requested but SSB mitigation not available on this platform.
 #endif
 }
 int main(int argc, char **argv) {
  set_speculation();
  char our_name[PATH_MAX], java_name[PATH_MAX];
  ssize_t len = readlink("/proc/self/exe", our_name, PATH_MAX - 1);
  if (len < 0) {
    perror("I can't find myself");
    exit(2);
  }
  our_name[len] = '\0'; // readlink(2) doesn't append a null byte
  char *path = dirname(our_name);
  strncpy(java_name, path, PATH_MAX - 1);
  size_t remaining_bytes = PATH_MAX - strlen(path) - 1;
  strncat(java_name, "/java", remaining_bytes);
  execv(java_name, argv);
  fprintf(stderr, "%s failed to launch: %s\n", java_name, strerror(errno));
  exit(1);
 }
--- a/java-21-openjdk.spec
+++ b/java-21-openjdk.spec
@ -226,12 +226,6 @@
 %global ourcppflags %(echo %ourflags | sed -e 's|-fexceptions||')
 %global ourldflags %{__global_ldflags}
 # With disabled nss is NSS deactivated, so NSS_LIBDIR can contain the wrong path
 # the initialization must be here. Later the pkg-config have buggy behavior
 # looks like openjdk RPM specific bug
 # Always set this so the nss.cfg file is not broken
 %global NSS_LIBDIR %(pkg-config --variable=libdir nss)
 # In some cases, the arch used by the JDK does
 # not match _arch.
 # Also, in some cases, the machine name used by SystemTap
@ -352,9 +346,9 @@
 %global top_level_dir_name   %{vcstag}
 %global top_level_dir_name_backup %{top_level_dir_name}-backup
 %global buildver        35
-%global rpmrelease      1
+%global rpmrelease      2
 # Settings used by the portable build
-%global portablerelease 1
+%global portablerelease 2
 %global portablesuffix el8
 %global portablebuilddir /builddir/build/BUILD
@ -440,6 +434,7 @@
 %define jrebindir()     %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin}
 %global alt_java_name     alt-java
 %global alt_java_versioned %{alt_java_name}-%{featurever}
 %global rpm_state_dir %{_localstatedir}/lib/rpm-state/
@ -536,7 +531,7 @@ key=java
 alternatives \\
  --install %{_bindir}/java $key %{jrebindir -- %{?1}}/java $PRIORITY  --family %{family} \\
  --slave %{_jvmdir}/jre jre %{_jvmdir}/%{sdkdir -- %{?1}} \\
-  --slave %{_bindir}/%{alt_java_name} %{alt_java_name} %{jrebindir -- %{?1}}/%{alt_java_name} \\
+  --slave %{_bindir}/%{alt_java_name} %{alt_java_name} %{_bindir}/%{alt_java_versioned} \\
  --slave %{_bindir}/keytool keytool %{jrebindir -- %{?1}}/keytool \\
  --slave %{_bindir}/rmiregistry rmiregistry %{jrebindir -- %{?1}}/rmiregistry \\
  --slave %{_mandir}/man1/java.1$ext java.1$ext \\
@ -815,6 +810,7 @@ exit 0
 %define files_jre_headless() %{expand:
 %license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
 %{_bindir}/%{alt_java_versioned}
 %doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/NEWS
 %doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/README.md
 %doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/java-%{featurever}-openjdk-portable.specfile
@ -825,7 +821,6 @@ exit 0
 %{_jvmdir}/%{jrelnk -- %{?1}}
 %dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin
 %{_jvmdir}/%{sdkdir -- %{?1}}/bin/java
 %{_jvmdir}/%{sdkdir -- %{?1}}/bin/%{alt_java_name}
 %{_jvmdir}/%{sdkdir -- %{?1}}/bin/keytool
 %{_jvmdir}/%{sdkdir -- %{?1}}/bin/rmiregistry
 %dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib
@ -919,7 +914,6 @@ exit 0
 %{etcjavadir -- %{?1}}/conf/security/policy/README.txt
 %config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.policy
 %config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.security
 %config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.cfg
 %config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.fips.cfg
 %config(noreplace) %{etcjavadir -- %{?1}}/conf/management/jmxremote.access
 # This is a config template, thus not config-noreplace
@ -1028,7 +1022,6 @@ exit 0
 %if %{is_release_build -- %{?1}}
 %ghost %{_bindir}/javac
 %ghost %{_jvmdir}/java
 %ghost %{_jvmdir}/%{alt_java_name}
 %ghost %{_bindir}/jlink
 %ghost %{_bindir}/jmod
 %ghost %{_bindir}/jhsdb
@ -1315,8 +1308,8 @@ Source8: tapsets-icedtea-%{icedteaver}.tar.xz
 # Desktop files. Adapted from IcedTea
 Source9: jconsole.desktop.in
-# nss configuration file
+# Source code for alt-java
-Source11: nss.cfg.in
+Source11: alt-java.c
 # Removed libraries that we link instead
 Source12: remove-intree-libraries.sh
@ -1356,20 +1349,6 @@ Source20: java-%{featurever}-openjdk-portable.specfile
 #
 ############################################
 # NSS via SunPKCS11 Provider (disabled comment
 # due to memory leak).
 Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
 # RH1750419: enable build of speculative store bypass hardened alt-java (CVE-2018-3639)
 Patch600: rh1750419-redhat_alt_java.patch
 # Ignore AWTError when assistive technologies are loaded
 Patch1:    rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
 # Restrict access to java-atk-wrapper classes
 Patch2:    rh1648644-java_access_bridge_privileged_security.patch
 Patch3:    rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
 # Depend on pcsc-lite-libs instead of pcsc-lite-devel as this is only in optional repo
 Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
 # Crypto policy and FIPS support patches
 # Patch is generated from the fips-21u tree at https://github.com/rh-openjdk/jdk/tree/fips-21u
 # as follows: git diff %%{vcstag} src make test > fips-21u-$(git show -s --format=%h HEAD).patch
@ -1414,6 +1393,12 @@ Patch1001: fips-%{featurever}u-%{fipsver}.patch
 #
 #############################################
 # JDK-8009550, RH910107: Depend on pcsc-lite-libs instead of pcsc-lite-devel as this is only in optional repo
 # PR: https://github.com/openjdk/jdk/pull/15409
 Patch6: jdk8009550-rh910107-fail_to_load_pcsc_library.patch
 # Currently empty
 #############################################
 #
 # OpenJDK patches which missed last update
@ -1449,7 +1434,7 @@ BuildRequires: libXrandr-devel
 BuildRequires: libXrender-devel
 BuildRequires: libXt-devel
 BuildRequires: libXtst-devel
-# Requirement for setting up nss.cfg and nss.fips.cfg
+# Requirement for setting up nss.fips.cfg
 BuildRequires: nss-devel
 # Requirement for system security property test
 BuildRequires: crypto-policies
@ -1865,15 +1850,10 @@ sh %{SOURCE12} %{top_level_dir_name}
 # Patch the JDK
 pushd %{top_level_dir_name}
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
 %patch6 -p1
 # Add crypto policy and FIPS support
 %patch1001 -p1
-# nss.cfg PKCS11 support; must come last as it also alters java.security
+# Patches in need of upstreaming
-%patch1000 -p1
+%patch6 -p1
 %patch600 -p1
 popd # openjdk
@ -1943,9 +1923,6 @@ for file in %{SOURCE9}; do
 done
 done
 # Setup nss.cfg
 sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
 %build
 function customisejdk() {
@ -1987,7 +1964,7 @@ for suffix in %{build_loop} ; do
  portablenvr="%{name}-%{VERSION}-%{portablerelease}.%{portablesuffix}.%{_arch}"
  for file in $(find ${installdir} -type f) ; do
      if file ${file} | grep -q 'ELF'; then
-	  %{debugedit} -b %{portablebuilddir}/${portablenvr} -d $(pwd) -n ${file}
+          %{debugedit} -b %{portablebuilddir}/${portablenvr} -d $(pwd) -n ${file}
      fi
  done
@ -2043,10 +2020,12 @@ $JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=tru
 if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi
 # Check alt-java launcher has SSB mitigation on supported architectures
 # set_speculation function exists in both cases, so check for prctl call
 alt_java_binary=${RPM_BUILD_ROOT}%{_bindir}/%{alt_java_versioned}
 %ifarch %{ssbd_arches}
-nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation
+nm ${alt_java_binary} | grep prctl
 %else
-if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi
+if ! nm ${alt_java_binary} | grep prctl ; then true ; else false; fi
 %endif
 %if ! 0%{?flatpak}
@ -2159,6 +2138,10 @@ jdk_image=$(pwd)/%{installoutputdir -- ${suffix}}
 docdir=$(pwd)/%{installoutputdir -- "-docs"}
 miscdir=%{installoutputdir -- "-misc"}
 # Install %{alt_java_name} binary versioned
 install -D -p -m 755 ${miscdir}/%{alt_java_name} \
        $RPM_BUILD_ROOT%{_bindir}/%{alt_java_versioned}
 # Install release notes and rebuild instructions
 commondocdir=${RPM_BUILD_ROOT}%{_defaultdocdir}/%{uniquejavadocdir -- $suffix}
 install -d -m 755 ${commondocdir}
@ -2506,6 +2489,17 @@ require "copy_jdk_configs.lua"
 %endif
 %changelog
 * Thu Aug 24 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:21.0.0.0.35-2
 - Update documentation (README.md)
 - Replace alt-java patch with a binary separate from the JDK
 - Drop stale patches that are of little use any more:
 - * nss.cfg has been disabled since early PKCS11 work and long superseded by FIPS work
 - * No accessibility subpackage to warrant RH1648242 & RH1648644 patches any more
 - * No use of system libjpeg turbo to warrant RH649512 patch any more
 - Replace RH1684077 pcsc-lite-libs patch with better JDK-8009550 fix being upstreamed
 - Adapt alt-java test to new binary where there is always a set_speculation function
 - Related: RHEL-12996
 * Mon Aug 21 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:21.0.0.0.35-1
 - Update to jdk-21.0.0+35
 - Update system crypto policy & FIPS patch from new fips-21u tree
--- a/jdk8009550-rh910107-fail_to_load_pcsc_library.patch
+++ b/jdk8009550-rh910107-fail_to_load_pcsc_library.patch
@ -0,0 +1,125 @@
 commit d0523302416bc6507696f20d1068f16427bcf6b8
 Author: Andrew Hughes <gnu.andrew@redhat.com>
 Date:   Thu Aug 24 01:23:49 2023 +0100
    8009550: PlatformPCSC should load versioned so
 diff --git a/src/java.base/share/classes/sun/security/util/Debug.java b/src/java.base/share/classes/sun/security/util/Debug.java
 index bff273c6548..e5a6b288ff8 100644
 --- a/src/java.base/share/classes/sun/security/util/Debug.java
 +++ b/src/java.base/share/classes/sun/security/util/Debug.java
@@ -81,6 +81,7 @@ public static void Help()
         System.err.println("logincontext  login context results");
         System.err.println("jca           JCA engine class debugging");
         System.err.println("keystore      KeyStore debugging");
 +        System.err.println("pcsc          Smartcard library debugging");
         System.err.println("policy        loading and granting");
         System.err.println("provider      security provider debugging");
         System.err.println("pkcs11        PKCS11 session manager debugging");
 diff --git a/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java b/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java
 index bacff32efbc..d9f605ada1e 100644
 --- a/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java
 +++ b/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java
@@ -1,5 +1,6 @@
 /*
  * Copyright (c) 2005, 2021, Oracle and/or its affiliates. All rights reserved.
 + * Copyright (c) 2023, Red Hat Inc. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -46,8 +47,13 @@ class PlatformPCSC {
     private static final String PROP_NAME = "sun.security.smartcardio.library";
 -    private static final String LIB1 = "/usr/$LIBISA/libpcsclite.so";
 -    private static final String LIB2 = "/usr/local/$LIBISA/libpcsclite.so";
 +    private static final String[] LIB_TEMPLATES = { "/usr/$LIBISA/libpcsclite.so",
 +                                                    "/usr/local/$LIBISA/libpcsclite.so",
 +                                                    "/usr/lib/$ARCH-linux-gnu/libpcsclite.so",
 +                                                    "/usr/lib/arm-linux-gnueabi/libpcsclite.so",
 +                                                    "/usr/lib/arm-linux-gnueabihf/libpcsclite.so",
 +                                                    "/usr/lib/$ARCH-kfreebsd-gnu/libpcsclite.so" };
 +    private static final String[] LIB_SUFFIXES = { ".1", ".0", "" };
     private static final String PCSC_FRAMEWORK = "/System/Library/Frameworks/PCSC.framework/Versions/Current/PCSC";
     PlatformPCSC() {
@@ -73,23 +79,38 @@ public Throwable run() {
     });
     // expand $LIBISA to the system specific directory name for libraries
 +    // expand $ARCH to the Debian system architecture in use
     private static String expand(String lib) {
         int k = lib.indexOf("$LIBISA");
 -        if (k == -1) {
 -            return lib;
 +        if (k != -1) {
 +            String libDir;
 +            if ("64".equals(System.getProperty("sun.arch.data.model"))) {
 +                // assume Linux convention
 +                libDir = "lib64";
 +            } else {
 +                // must be 32-bit
 +                libDir = "lib";
 +            }
 +            lib = lib.replace("$LIBISA", libDir);
         }
 -        String s1 = lib.substring(0, k);
 -        String s2 = lib.substring(k + 7);
 -        String libDir;
 -        if ("64".equals(System.getProperty("sun.arch.data.model"))) {
 -            // assume Linux convention
 -            libDir = "lib64";
 -        } else {
 -            // must be 32-bit
 -            libDir = "lib";
 +
 +        k = lib.indexOf("$ARCH");
 +        if (k != -1) {
 +            String arch = System.getProperty("os.arch");
 +            lib = lib.replace("$ARCH", getDebianArchitecture(arch));
         }
 -        String s = s1 + libDir + s2;
 -        return s;
 +
 +        return lib;
 +    }
 +
 +    private static String getDebianArchitecture(String jdkArch) {
 +        return switch (jdkArch) {
 +            case "amd64" -> "x86_64";
 +            case "ppc" -> "powerpc";
 +            case "ppc64" -> "powerpc64";
 +            case "ppc64le" -> "powerpc64le";
 +            default -> jdkArch;
 +        };
     }
     private static String getLibraryName() throws IOException {
@@ -98,15 +119,18 @@ private static String getLibraryName() throws IOException {
         if (lib.length() != 0) {
             return lib;
         }
 -        lib = expand(LIB1);
 -        if (new File(lib).isFile()) {
 -            // if LIB1 exists, use that
 -            return lib;
 -        }
 -        lib = expand(LIB2);
 -        if (new File(lib).isFile()) {
 -            // if LIB2 exists, use that
 -            return lib;
 +
 +        for (String template : LIB_TEMPLATES) {
 +            for (String suffix : LIB_SUFFIXES) {
 +                lib = expand(template) + suffix;
 +                if (debug != null) {
 +                    debug.println("Looking for " + lib);
 +                }
 +                if (new File(lib).isFile()) {
 +                    // if library exists, use that
 +                    return lib;
 +                }
 +            }
         }
         // As of macos 11, framework libraries have been removed from the file
--- a/nss.cfg.in
+++ b/nss.cfg.in
@ -1,5 +0,0 @@
 name = NSS
 nssLibraryDirectory = @NSS_LIBDIR@
 nssDbMode = noDb
 attributes = compatibility
 handleStartupErrors = ignoreMultipleInitialisation
--- a/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
+++ b/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
@ -1,16 +0,0 @@
 diff -r 618ad1237e73 src/java.desktop/share/classes/java/awt/Toolkit.java
 --- a/src/java.desktop/share/classes/java/awt/Toolkit.java	Thu Jun 13 19:37:49 2019 +0200
 +++ b/src/java.desktop/share/classes/java/awt/Toolkit.java	Thu Jul 04 10:35:42 2019 +0200
@@ -595,7 +595,11 @@
                 toolkit = new HeadlessToolkit(toolkit);
             }
             if (!GraphicsEnvironment.isHeadless()) {
 -                loadAssistiveTechnologies();
 +                try {
 +                    loadAssistiveTechnologies();
 +                } catch (AWTError error) {
 +                    // ignore silently
 +                }
             }
         }
         return toolkit;
--- a/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
+++ b/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
@ -1,12 +0,0 @@
 diff --git openjdk.orig/src/java.base/share/conf/security/java.security openjdk/src/java.base/share/conf/security/java.security
 index 68a9c1a2d08..7aa25eb2cb7 100644
 --- openjdk.orig/src/java.base/share/conf/security/java.security
 +++ openjdk/src/java.base/share/conf/security/java.security
@@ -78,6 +78,7 @@ security.provider.tbd=SunMSCAPI
 security.provider.tbd=Apple
 #endif
 security.provider.tbd=SunPKCS11
 +#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
 #
 # Security providers used when FIPS mode support is active
--- a/rh1648644-java_access_bridge_privileged_security.patch
+++ b/rh1648644-java_access_bridge_privileged_security.patch
@ -1,20 +0,0 @@
 --- openjdk/src/java.base/share/conf/security/java.security
 +++ openjdk/src/java.base/share/conf/security/java.security
@@ -304,6 +304,8 @@
 #
 package.access=sun.misc.,\
                sun.reflect.,\
 +               org.GNOME.Accessibility.,\
 +               org.GNOME.Bonobo.,\
 #
 # List of comma-separated packages that start with or equal this string
@@ -316,6 +318,8 @@
 #
 package.definition=sun.misc.,\
                    sun.reflect.,\
 +                   org.GNOME.Accessibility.,\
 +                   org.GNOME.Bonobo.,\
 #
 # Determines whether this properties file can be appended to
--- a/rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
+++ b/rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
@ -1,15 +0,0 @@
 diff --git a/openjdk/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java b/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java
 index bacff32efbc..ff7b3dcc81c 100644
 --- openjdk/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java
 +++ openjdk/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java
@@ -46,8 +46,8 @@ class PlatformPCSC {
     private static final String PROP_NAME = "sun.security.smartcardio.library";
 -    private static final String LIB1 = "/usr/$LIBISA/libpcsclite.so";
 -    private static final String LIB2 = "/usr/local/$LIBISA/libpcsclite.so";
 +    private static final String LIB1 = "/usr/$LIBISA/libpcsclite.so.1";
 +    private static final String LIB2 = "/usr/local/$LIBISA/libpcsclite.so.1";
     private static final String PCSC_FRAMEWORK = "/System/Library/Frameworks/PCSC.framework/Versions/Current/PCSC";
     PlatformPCSC() {
--- a/rh1750419-redhat_alt_java.patch
+++ b/rh1750419-redhat_alt_java.patch
@ -1,117 +0,0 @@
 diff --git openjdk.orig/make/modules/java.base/Launcher.gmk openjdk/make/modules/java.base/Launcher.gmk
 index 700ddefda49..2882de68eb2 100644
 --- openjdk.orig/make/modules/java.base/Launcher.gmk
 +++ openjdk/make/modules/java.base/Launcher.gmk
@@ -41,6 +41,14 @@ $(eval $(call SetupBuildLauncher, java, \
     OPTIMIZATION := HIGH, \
 ))
 +#Wno-error=cpp is present to allow commented warning in ifdef part of main.c
 +$(eval $(call SetupBuildLauncher, alt-java, \
 +    CFLAGS := -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES -DREDHAT_ALT_JAVA -Wno-error=cpp, \
 +    EXTRA_RCFLAGS := $(JAVA_RCFLAGS), \
 +    VERSION_INFO_RESOURCE := $(JAVA_VERSION_INFO_RESOURCE), \
 +    OPTIMIZATION := HIGH, \
 +))
 +
 ifeq ($(call isTargetOs, windows), true)
   $(eval $(call SetupBuildLauncher, javaw, \
       CFLAGS := -DJAVAW -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES, \
 diff --git openjdk.orig/src/java.base/share/native/launcher/alt_main.h openjdk/src/java.base/share/native/launcher/alt_main.h
 new file mode 100644
 index 00000000000..697df2898ac
 --- /dev/null
 +++ openjdk/src/java.base/share/native/launcher/alt_main.h
@@ -0,0 +1,73 @@
 +/*
 + * Copyright (c) 2019, Red Hat, Inc. All rights reserved.
 + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
 + *
 + * This code is free software; you can redistribute it and/or modify it
 + * under the terms of the GNU General Public License version 2 only, as
 + * published by the Free Software Foundation.  Oracle designates this
 + * particular file as subject to the "Classpath" exception as provided
 + * by Oracle in the LICENSE file that accompanied this code.
 + *
 + * This code is distributed in the hope that it will be useful, but WITHOUT
 + * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 + * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 + * version 2 for more details (a copy is included in the LICENSE file that
 + * accompanied this code).
 + *
 + * You should have received a copy of the GNU General Public License version
 + * 2 along with this work; if not, write to the Free Software Foundation,
 + * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
 + *
 + * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
 + * or visit www.oracle.com if you need additional information or have any
 + * questions.
 + */
 +
 +#ifdef REDHAT_ALT_JAVA
 +
 +#include <sys/prctl.h>
 +
 +
 +/* Per task speculation control */
 +#ifndef PR_GET_SPECULATION_CTRL
 +# define PR_GET_SPECULATION_CTRL    52
 +#endif
 +#ifndef PR_SET_SPECULATION_CTRL
 +# define PR_SET_SPECULATION_CTRL    53
 +#endif
 +/* Speculation control variants */
 +#ifndef PR_SPEC_STORE_BYPASS
 +# define PR_SPEC_STORE_BYPASS          0
 +#endif
 +/* Return and control values for PR_SET/GET_SPECULATION_CTRL */
 +
 +#ifndef PR_SPEC_NOT_AFFECTED
 +# define PR_SPEC_NOT_AFFECTED          0
 +#endif
 +#ifndef PR_SPEC_PRCTL
 +# define PR_SPEC_PRCTL                 (1UL << 0)
 +#endif
 +#ifndef PR_SPEC_ENABLE
 +# define PR_SPEC_ENABLE                (1UL << 1)
 +#endif
 +#ifndef PR_SPEC_DISABLE
 +# define PR_SPEC_DISABLE               (1UL << 2)
 +#endif
 +#ifndef PR_SPEC_FORCE_DISABLE
 +# define PR_SPEC_FORCE_DISABLE         (1UL << 3)
 +#endif
 +#ifndef PR_SPEC_DISABLE_NOEXEC
 +# define PR_SPEC_DISABLE_NOEXEC        (1UL << 4)
 +#endif
 +
 +static void set_speculation() __attribute__((constructor));
 +static void set_speculation() {
 +  if ( prctl(PR_SET_SPECULATION_CTRL,
 +             PR_SPEC_STORE_BYPASS,
 +             PR_SPEC_DISABLE_NOEXEC, 0, 0) == 0 ) {
 +    return;
 +  }
 +  prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);
 +}
 +
 +#endif // REDHAT_ALT_JAVA
 diff --git openjdk.orig/src/java.base/share/native/launcher/main.c openjdk/src/java.base/share/native/launcher/main.c
 index b734fe2ba78..79dc8307650 100644
 --- openjdk.orig/src/java.base/share/native/launcher/main.c
 +++ openjdk/src/java.base/share/native/launcher/main.c
@@ -34,6 +34,14 @@
 #include "jli_util.h"
 #include "jni.h"
 +#ifdef REDHAT_ALT_JAVA
 +#if defined(__linux__) && defined(__x86_64__)
 +#include "alt_main.h"
 +#else
 +#warning alt-java requested but SSB mitigation not available on this platform.
 +#endif
 +#endif
 +
 /*
  * Entry point.
  */
--- a/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
+++ b/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
@ -1,19 +0,0 @@
 Remove uses of FAR in jpeg code
 Upstream libjpeg-trubo removed the (empty) FAR macro:
 http://sourceforge.net/p/libjpeg-turbo/code/1312/
 Adjust our code to not use the undefined FAR macro anymore.
 diff --git a/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c b/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c
 --- openjdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c
 +++ openjdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c
@@ -1385,7 +1385,7 @@
     /* and fill it in */
     dst_ptr = icc_data;
     for (seq_no = first; seq_no < last; seq_no++) {
 -        JOCTET FAR *src_ptr = icc_markers[seq_no]->data + ICC_OVERHEAD_LEN;
 +        JOCTET *src_ptr = icc_markers[seq_no]->data + ICC_OVERHEAD_LEN;
         unsigned int length =
             icc_markers[seq_no]->data_length - ICC_OVERHEAD_LEN;