Patch and documentation cleanup

Update documentation (README.md) Replace alt-java patch with a binary separate from the JDK Drop stale patches that are of little use any more: - * nss.cfg has been disabled since early PKCS11 work and long superseded by FIPS work - * No accessibility subpackage to warrant RH1648242 & RH1648644 patches any more - * No use of system libjpeg turbo to warrant RH649512 patch any more - Replace RH1684077 pcsc-lite-libs patch with better JDK-8009550 fix being upstreamed Adapt alt-java test to new binary where there is always a set_speculation function Related: RHEL-12996
2023-08-24 02:06:25 +01:00 · 2023-08-24 02:06:25 +01:00 · e04786271f
commit e04786271f
parent b7035cb980
11 changed files with 276 additions and 263 deletions
--- a/README.md
+++ b/README.md
@ -1,14 +1,12 @@
-OpenJDK 17 is the latest Long-Term Support (LTS) release of the Java platform.
+OpenJDK 21 is the latest Long-Term Support (LTS) release of the Java platform.

-For a list of major changes from OpenJDK 11 (java-11-openjdk), see the upstream
-release page for OpenJDK 17 and the preceding interim releases:
+For a list of major changes from OpenJDK 17 (java-17-openjdk), see the upstream
+release page for OpenJDK 21 and the preceding interim releases:

-* 12: https://openjdk.java.net/projects/jdk/12/
-* 13: https://openjdk.java.net/projects/jdk/13/
-* 14: https://openjdk.java.net/projects/jdk/14/
-* 15: https://openjdk.java.net/projects/jdk/15/
-* 16: https://openjdk.java.net/projects/jdk/16/
-* 17: https://openjdk.java.net/projects/jdk/17/
+* 18: https://openjdk.java.net/projects/jdk/18/
+* 19: https://openjdk.java.net/projects/jdk/19/
+* 20: https://openjdk.java.net/projects/jdk/20/
+* 21: https://openjdk.java.net/projects/jdk/21/

 # Rebuilding the OpenJDK package

@ -20,21 +18,21 @@ multiple builds which only differ by the platform they were built on.

 This does make rebuilding the package slightly more complicated than a
 normal package. Modifications should be made to the
-`java-17-openjdk-portable.specfile` file, which can be found with this
+`java-21-openjdk-portable.specfile` file, which can be found with this
 README file in the source RPM or installed in the documentation tree
-by the `java-17-openjdk-headless` RPM.
+by the `java-21-openjdk-headless` RPM.

-Once the modified `java-17-openjdk-portable` RPMs are built, they
+Once the modified `java-21-openjdk-portable` RPMs are built, they
 should be installed and will produce a number of tarballs in the
-`/usr/lib/jvm` directory. The `java-17-openjdk` RPMs can then be
+`/usr/lib/jvm` directory. The `java-21-openjdk` RPMs can then be
 built, which will use these tarballs to create the usual RPMs found in
-RHEL. The `java-17-openjdk-portable` RPMs can be uninstalled once the
+RHEL. The `java-21-openjdk-portable` RPMs can be uninstalled once the
 desired final RPMs are produced.

-Note that the `java-17-openjdk.spec` file has a hard requirement on
-the exact version of java-17-openjdk-portable to use, so this will
+Note that the `java-21-openjdk.spec` file has a hard requirement on
+the exact version of java-21-openjdk-portable to use, so this will
 need to be modified if the version or rpmrelease values are changed in
-`java-17-openjdk-portable.specfile`.
+`java-21-openjdk-portable.specfile`.

 To reduce the number of RPMs involved, the `fastdebug` and `slowdebug`
 builds may be disabled using `--without fastdebug` and `--without
--- a/alt-java.c
+++ b/alt-java.c
@ -0,0 +1,100 @@
+/*
+ * Copyright (C) 2023 Red Hat, Inc.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.  Red Hat designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Red Hat in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ */
+
+#include <errno.h>
+#include <libgen.h>
+#include <linux/limits.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/prctl.h>
+#include <unistd.h>
+
+/* Per task speculation control */
+#ifndef PR_GET_SPECULATION_CTRL
+# define PR_GET_SPECULATION_CTRL    52
+#endif
+#ifndef PR_SET_SPECULATION_CTRL
+# define PR_SET_SPECULATION_CTRL    53
+#endif
+/* Speculation control variants */
+#ifndef PR_SPEC_STORE_BYPASS
+# define PR_SPEC_STORE_BYPASS          0
+#endif
+/* Return and control values for PR_SET/GET_SPECULATION_CTRL */
+
+#ifndef PR_SPEC_NOT_AFFECTED
+# define PR_SPEC_NOT_AFFECTED          0
+#endif
+#ifndef PR_SPEC_PRCTL
+# define PR_SPEC_PRCTL                 (1UL << 0)
+#endif
+#ifndef PR_SPEC_ENABLE
+# define PR_SPEC_ENABLE                (1UL << 1)
+#endif
+#ifndef PR_SPEC_DISABLE
+# define PR_SPEC_DISABLE               (1UL << 2)
+#endif
+#ifndef PR_SPEC_FORCE_DISABLE
+# define PR_SPEC_FORCE_DISABLE         (1UL << 3)
+#endif
+#ifndef PR_SPEC_DISABLE_NOEXEC
+# define PR_SPEC_DISABLE_NOEXEC        (1UL << 4)
+#endif
+
+static void set_speculation() {
+#if defined(__linux__) && defined(__x86_64__)
+  // PR_SPEC_DISABLE_NOEXEC doesn't survive execve, so we can't use it
+  //  if ( prctl(PR_SET_SPECULATION_CTRL,
+  //           PR_SPEC_STORE_BYPASS,
+  //           PR_SPEC_DISABLE_NOEXEC, 0, 0) == 0 ) {
+  //  return;
+  // }
+  prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);
+#else
+#warning alt-java requested but SSB mitigation not available on this platform.
+#endif
+}
+
+int main(int argc, char **argv) {
+  set_speculation();
+
+  char our_name[PATH_MAX], java_name[PATH_MAX];
+  ssize_t len = readlink("/proc/self/exe", our_name, PATH_MAX - 1);
+  if (len < 0) {
+    perror("I can't find myself");
+    exit(2);
+  }
+
+  our_name[len] = '\0'; // readlink(2) doesn't append a null byte
+  char *path = dirname(our_name);
+  strncpy(java_name, path, PATH_MAX - 1);
+
+  size_t remaining_bytes = PATH_MAX - strlen(path) - 1;
+  strncat(java_name, "/java", remaining_bytes);
+
+  execv(java_name, argv);
+  fprintf(stderr, "%s failed to launch: %s\n", java_name, strerror(errno));
+
+  exit(1);
+}
+
--- a/java-21-openjdk.spec
+++ b/java-21-openjdk.spec
@ -226,12 +226,6 @@
 %global ourcppflags %(echo %ourflags | sed -e 's|-fexceptions||')
 %global ourldflags %{__global_ldflags}

-# With disabled nss is NSS deactivated, so NSS_LIBDIR can contain the wrong path
-# the initialization must be here. Later the pkg-config have buggy behavior
-# looks like openjdk RPM specific bug
-# Always set this so the nss.cfg file is not broken
-%global NSS_LIBDIR %(pkg-config --variable=libdir nss)
-
 # In some cases, the arch used by the JDK does
 # not match _arch.
 # Also, in some cases, the machine name used by SystemTap
@ -352,9 +346,9 @@
 %global top_level_dir_name   %{vcstag}
 %global top_level_dir_name_backup %{top_level_dir_name}-backup
 %global buildver        35
-%global rpmrelease      1
+%global rpmrelease      2
 # Settings used by the portable build
-%global portablerelease 1
+%global portablerelease 2
 %global portablesuffix el8
 %global portablebuilddir /builddir/build/BUILD

@ -440,6 +434,7 @@
 %define jrebindir()     %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin}

 %global alt_java_name     alt-java
+%global alt_java_versioned %{alt_java_name}-%{featurever}

 %global rpm_state_dir %{_localstatedir}/lib/rpm-state/

@ -536,7 +531,7 @@ key=java
 alternatives \\
  --install %{_bindir}/java $key %{jrebindir -- %{?1}}/java $PRIORITY  --family %{family} \\
  --slave %{_jvmdir}/jre jre %{_jvmdir}/%{sdkdir -- %{?1}} \\
-  --slave %{_bindir}/%{alt_java_name} %{alt_java_name} %{jrebindir -- %{?1}}/%{alt_java_name} \\
+  --slave %{_bindir}/%{alt_java_name} %{alt_java_name} %{_bindir}/%{alt_java_versioned} \\
  --slave %{_bindir}/keytool keytool %{jrebindir -- %{?1}}/keytool \\
  --slave %{_bindir}/rmiregistry rmiregistry %{jrebindir -- %{?1}}/rmiregistry \\
  --slave %{_mandir}/man1/java.1$ext java.1$ext \\
@ -815,6 +810,7 @@ exit 0

 %define files_jre_headless() %{expand:
 %license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
+%{_bindir}/%{alt_java_versioned}
 %doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/NEWS
 %doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/README.md
 %doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/java-%{featurever}-openjdk-portable.specfile
@ -825,7 +821,6 @@ exit 0
 %{_jvmdir}/%{jrelnk -- %{?1}}
 %dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin
 %{_jvmdir}/%{sdkdir -- %{?1}}/bin/java
-%{_jvmdir}/%{sdkdir -- %{?1}}/bin/%{alt_java_name}
 %{_jvmdir}/%{sdkdir -- %{?1}}/bin/keytool
 %{_jvmdir}/%{sdkdir -- %{?1}}/bin/rmiregistry
 %dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib
@ -919,7 +914,6 @@ exit 0
 %{etcjavadir -- %{?1}}/conf/security/policy/README.txt
 %config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.policy
 %config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.security
-%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.cfg
 %config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.fips.cfg
 %config(noreplace) %{etcjavadir -- %{?1}}/conf/management/jmxremote.access
 # This is a config template, thus not config-noreplace
@ -1028,7 +1022,6 @@ exit 0
 %if %{is_release_build -- %{?1}}
 %ghost %{_bindir}/javac
 %ghost %{_jvmdir}/java
-%ghost %{_jvmdir}/%{alt_java_name}
 %ghost %{_bindir}/jlink
 %ghost %{_bindir}/jmod
 %ghost %{_bindir}/jhsdb
@ -1315,8 +1308,8 @@ Source8: tapsets-icedtea-%{icedteaver}.tar.xz
 # Desktop files. Adapted from IcedTea
 Source9: jconsole.desktop.in

-# nss configuration file
-Source11: nss.cfg.in
+# Source code for alt-java
+Source11: alt-java.c

 # Removed libraries that we link instead
 Source12: remove-intree-libraries.sh
@ -1356,20 +1349,6 @@ Source20: java-%{featurever}-openjdk-portable.specfile
 #
 ############################################

-# NSS via SunPKCS11 Provider (disabled comment
-# due to memory leak).
-Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
-# RH1750419: enable build of speculative store bypass hardened alt-java (CVE-2018-3639)
-Patch600: rh1750419-redhat_alt_java.patch
-
-# Ignore AWTError when assistive technologies are loaded
-Patch1:    rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
-# Restrict access to java-atk-wrapper classes
-Patch2:    rh1648644-java_access_bridge_privileged_security.patch
-Patch3:    rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
-# Depend on pcsc-lite-libs instead of pcsc-lite-devel as this is only in optional repo
-Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
-
 # Crypto policy and FIPS support patches
 # Patch is generated from the fips-21u tree at https://github.com/rh-openjdk/jdk/tree/fips-21u
 # as follows: git diff %%{vcstag} src make test > fips-21u-$(git show -s --format=%h HEAD).patch
@ -1414,6 +1393,12 @@ Patch1001: fips-%{featurever}u-%{fipsver}.patch
 #
 #############################################

+# JDK-8009550, RH910107: Depend on pcsc-lite-libs instead of pcsc-lite-devel as this is only in optional repo
+# PR: https://github.com/openjdk/jdk/pull/15409
+Patch6: jdk8009550-rh910107-fail_to_load_pcsc_library.patch
+
+# Currently empty
+
 #############################################
 #
 # OpenJDK patches which missed last update
@ -1449,7 +1434,7 @@ BuildRequires: libXrandr-devel
 BuildRequires: libXrender-devel
 BuildRequires: libXt-devel
 BuildRequires: libXtst-devel
-# Requirement for setting up nss.cfg and nss.fips.cfg
+# Requirement for setting up nss.fips.cfg
 BuildRequires: nss-devel
 # Requirement for system security property test
 BuildRequires: crypto-policies
@ -1865,15 +1850,10 @@ sh %{SOURCE12} %{top_level_dir_name}

 # Patch the JDK
 pushd %{top_level_dir_name}
-%patch1 -p1
-%patch2 -p1
-%patch3 -p1
-%patch6 -p1
 # Add crypto policy and FIPS support
 %patch1001 -p1
-# nss.cfg PKCS11 support; must come last as it also alters java.security
-%patch1000 -p1
-%patch600 -p1
+# Patches in need of upstreaming
+%patch6 -p1
 popd # openjdk


@ -1943,9 +1923,6 @@ for file in %{SOURCE9}; do
 done
 done

-# Setup nss.cfg
-sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
-
 %build

 function customisejdk() {
@ -1987,7 +1964,7 @@ for suffix in %{build_loop} ; do
  portablenvr="%{name}-%{VERSION}-%{portablerelease}.%{portablesuffix}.%{_arch}"
  for file in $(find ${installdir} -type f) ; do
      if file ${file} | grep -q 'ELF'; then
-	  %{debugedit} -b %{portablebuilddir}/${portablenvr} -d $(pwd) -n ${file}
+          %{debugedit} -b %{portablebuilddir}/${portablenvr} -d $(pwd) -n ${file}
      fi
  done

@ -2043,10 +2020,12 @@ $JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=tru
 if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi

 # Check alt-java launcher has SSB mitigation on supported architectures
+# set_speculation function exists in both cases, so check for prctl call
+alt_java_binary=${RPM_BUILD_ROOT}%{_bindir}/%{alt_java_versioned}
 %ifarch %{ssbd_arches}
-nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation
+nm ${alt_java_binary} | grep prctl
 %else
-if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi
+if ! nm ${alt_java_binary} | grep prctl ; then true ; else false; fi
 %endif

 %if ! 0%{?flatpak}
@ -2159,6 +2138,10 @@ jdk_image=$(pwd)/%{installoutputdir -- ${suffix}}
 docdir=$(pwd)/%{installoutputdir -- "-docs"}
 miscdir=%{installoutputdir -- "-misc"}

+# Install %{alt_java_name} binary versioned
+install -D -p -m 755 ${miscdir}/%{alt_java_name} \
+        $RPM_BUILD_ROOT%{_bindir}/%{alt_java_versioned}
+
 # Install release notes and rebuild instructions
 commondocdir=${RPM_BUILD_ROOT}%{_defaultdocdir}/%{uniquejavadocdir -- $suffix}
 install -d -m 755 ${commondocdir}
@ -2506,6 +2489,17 @@ require "copy_jdk_configs.lua"
 %endif

 %changelog
+* Thu Aug 24 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:21.0.0.0.35-2
+- Update documentation (README.md)
+- Replace alt-java patch with a binary separate from the JDK
+- Drop stale patches that are of little use any more:
+- * nss.cfg has been disabled since early PKCS11 work and long superseded by FIPS work
+- * No accessibility subpackage to warrant RH1648242 & RH1648644 patches any more
+- * No use of system libjpeg turbo to warrant RH649512 patch any more
+- Replace RH1684077 pcsc-lite-libs patch with better JDK-8009550 fix being upstreamed
+- Adapt alt-java test to new binary where there is always a set_speculation function
+- Related: RHEL-12996
+
 * Mon Aug 21 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:21.0.0.0.35-1
 - Update to jdk-21.0.0+35
 - Update system crypto policy & FIPS patch from new fips-21u tree
--- a/jdk8009550-rh910107-fail_to_load_pcsc_library.patch
+++ b/jdk8009550-rh910107-fail_to_load_pcsc_library.patch
@ -0,0 +1,125 @@
+commit d0523302416bc6507696f20d1068f16427bcf6b8
+Author: Andrew Hughes <gnu.andrew@redhat.com>
+Date:   Thu Aug 24 01:23:49 2023 +0100
+
+    8009550: PlatformPCSC should load versioned so
+
+diff --git a/src/java.base/share/classes/sun/security/util/Debug.java b/src/java.base/share/classes/sun/security/util/Debug.java
+index bff273c6548..e5a6b288ff8 100644
+--- a/src/java.base/share/classes/sun/security/util/Debug.java
+++ b/src/java.base/share/classes/sun/security/util/Debug.java
+@@ -81,6 +81,7 @@ public static void Help()
+         System.err.println("logincontext  login context results");
+         System.err.println("jca           JCA engine class debugging");
+         System.err.println("keystore      KeyStore debugging");
+        System.err.println("pcsc          Smartcard library debugging");
+         System.err.println("policy        loading and granting");
+         System.err.println("provider      security provider debugging");
+         System.err.println("pkcs11        PKCS11 session manager debugging");
+diff --git a/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java b/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java
+index bacff32efbc..d9f605ada1e 100644
+--- a/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java
+++ b/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java
+@@ -1,5 +1,6 @@
+ /*
+  * Copyright (c) 2005, 2021, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2023, Red Hat Inc. All rights reserved.
+  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+  *
+  * This code is free software; you can redistribute it and/or modify it
+@@ -46,8 +47,13 @@ class PlatformPCSC {
+ 
+     private static final String PROP_NAME = "sun.security.smartcardio.library";
+ 
+-    private static final String LIB1 = "/usr/$LIBISA/libpcsclite.so";
+-    private static final String LIB2 = "/usr/local/$LIBISA/libpcsclite.so";
+    private static final String[] LIB_TEMPLATES = { "/usr/$LIBISA/libpcsclite.so",
+                                                    "/usr/local/$LIBISA/libpcsclite.so",
+                                                    "/usr/lib/$ARCH-linux-gnu/libpcsclite.so",
+                                                    "/usr/lib/arm-linux-gnueabi/libpcsclite.so",
+                                                    "/usr/lib/arm-linux-gnueabihf/libpcsclite.so",
+                                                    "/usr/lib/$ARCH-kfreebsd-gnu/libpcsclite.so" };
+    private static final String[] LIB_SUFFIXES = { ".1", ".0", "" };
+     private static final String PCSC_FRAMEWORK = "/System/Library/Frameworks/PCSC.framework/Versions/Current/PCSC";
+ 
+     PlatformPCSC() {
+@@ -73,23 +79,38 @@ public Throwable run() {
+     });
+ 
+     // expand $LIBISA to the system specific directory name for libraries
+    // expand $ARCH to the Debian system architecture in use
+     private static String expand(String lib) {
+         int k = lib.indexOf("$LIBISA");
+-        if (k == -1) {
+-            return lib;
+        if (k != -1) {
+            String libDir;
+            if ("64".equals(System.getProperty("sun.arch.data.model"))) {
+                // assume Linux convention
+                libDir = "lib64";
+            } else {
+                // must be 32-bit
+                libDir = "lib";
+            }
+            lib = lib.replace("$LIBISA", libDir);
+         }
+-        String s1 = lib.substring(0, k);
+-        String s2 = lib.substring(k + 7);
+-        String libDir;
+-        if ("64".equals(System.getProperty("sun.arch.data.model"))) {
+-            // assume Linux convention
+-            libDir = "lib64";
+-        } else {
+-            // must be 32-bit
+-            libDir = "lib";
+
+        k = lib.indexOf("$ARCH");
+        if (k != -1) {
+            String arch = System.getProperty("os.arch");
+            lib = lib.replace("$ARCH", getDebianArchitecture(arch));
+         }
+-        String s = s1 + libDir + s2;
+-        return s;
+
+        return lib;
+    }
+
+    private static String getDebianArchitecture(String jdkArch) {
+        return switch (jdkArch) {
+            case "amd64" -> "x86_64";
+            case "ppc" -> "powerpc";
+            case "ppc64" -> "powerpc64";
+            case "ppc64le" -> "powerpc64le";
+            default -> jdkArch;
+        };
+     }
+ 
+     private static String getLibraryName() throws IOException {
+@@ -98,15 +119,18 @@ private static String getLibraryName() throws IOException {
+         if (lib.length() != 0) {
+             return lib;
+         }
+-        lib = expand(LIB1);
+-        if (new File(lib).isFile()) {
+-            // if LIB1 exists, use that
+-            return lib;
+-        }
+-        lib = expand(LIB2);
+-        if (new File(lib).isFile()) {
+-            // if LIB2 exists, use that
+-            return lib;
+
+        for (String template : LIB_TEMPLATES) {
+            for (String suffix : LIB_SUFFIXES) {
+                lib = expand(template) + suffix;
+                if (debug != null) {
+                    debug.println("Looking for " + lib);
+                }
+                if (new File(lib).isFile()) {
+                    // if library exists, use that
+                    return lib;
+                }
+            }
+         }
+ 
+         // As of macos 11, framework libraries have been removed from the file
--- a/nss.cfg.in
+++ b/nss.cfg.in
@ -1,5 +0,0 @@
-name = NSS
-nssLibraryDirectory = @NSS_LIBDIR@
-nssDbMode = noDb
-attributes = compatibility
-handleStartupErrors = ignoreMultipleInitialisation
--- a/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
+++ b/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
@ -1,16 +0,0 @@
-diff -r 618ad1237e73 src/java.desktop/share/classes/java/awt/Toolkit.java
--- a/src/java.desktop/share/classes/java/awt/Toolkit.java	Thu Jun 13 19:37:49 2019 +0200
-+++ b/src/java.desktop/share/classes/java/awt/Toolkit.java	Thu Jul 04 10:35:42 2019 +0200
-@@ -595,7 +595,11 @@
-                 toolkit = new HeadlessToolkit(toolkit);
-             }
-             if (!GraphicsEnvironment.isHeadless()) {
-                loadAssistiveTechnologies();
-+                try {
-+                    loadAssistiveTechnologies();
-+                } catch (AWTError error) {
-+                    // ignore silently
-+                }
-             }
-         }
-         return toolkit;
--- a/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
+++ b/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
@ -1,12 +0,0 @@
-diff --git openjdk.orig/src/java.base/share/conf/security/java.security openjdk/src/java.base/share/conf/security/java.security
-index 68a9c1a2d08..7aa25eb2cb7 100644
--- openjdk.orig/src/java.base/share/conf/security/java.security
-+++ openjdk/src/java.base/share/conf/security/java.security
-@@ -78,6 +78,7 @@ security.provider.tbd=SunMSCAPI
- security.provider.tbd=Apple
- #endif
- security.provider.tbd=SunPKCS11
-+#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
- 
- #
- # Security providers used when FIPS mode support is active
--- a/rh1648644-java_access_bridge_privileged_security.patch
+++ b/rh1648644-java_access_bridge_privileged_security.patch
@ -1,20 +0,0 @@
--- openjdk/src/java.base/share/conf/security/java.security
-+++ openjdk/src/java.base/share/conf/security/java.security
-@@ -304,6 +304,8 @@
- #
- package.access=sun.misc.,\
-                sun.reflect.,\
-+               org.GNOME.Accessibility.,\
-+               org.GNOME.Bonobo.,\
- 
- #
- # List of comma-separated packages that start with or equal this string
-@@ -316,6 +318,8 @@
- #
- package.definition=sun.misc.,\
-                    sun.reflect.,\
-+                   org.GNOME.Accessibility.,\
-+                   org.GNOME.Bonobo.,\
- 
- #
- # Determines whether this properties file can be appended to
--- a/rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
+++ b/rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
@ -1,15 +0,0 @@
-diff --git a/openjdk/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java b/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java
-index bacff32efbc..ff7b3dcc81c 100644
--- openjdk/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java
-+++ openjdk/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java
-@@ -46,8 +46,8 @@ class PlatformPCSC {
- 
-     private static final String PROP_NAME = "sun.security.smartcardio.library";
- 
-    private static final String LIB1 = "/usr/$LIBISA/libpcsclite.so";
-    private static final String LIB2 = "/usr/local/$LIBISA/libpcsclite.so";
-+    private static final String LIB1 = "/usr/$LIBISA/libpcsclite.so.1";
-+    private static final String LIB2 = "/usr/local/$LIBISA/libpcsclite.so.1";
-     private static final String PCSC_FRAMEWORK = "/System/Library/Frameworks/PCSC.framework/Versions/Current/PCSC";
- 
-     PlatformPCSC() {
--- a/rh1750419-redhat_alt_java.patch
+++ b/rh1750419-redhat_alt_java.patch
@ -1,117 +0,0 @@
-diff --git openjdk.orig/make/modules/java.base/Launcher.gmk openjdk/make/modules/java.base/Launcher.gmk
-index 700ddefda49..2882de68eb2 100644
--- openjdk.orig/make/modules/java.base/Launcher.gmk
-+++ openjdk/make/modules/java.base/Launcher.gmk
-@@ -41,6 +41,14 @@ $(eval $(call SetupBuildLauncher, java, \
-     OPTIMIZATION := HIGH, \
- ))
- 
-+#Wno-error=cpp is present to allow commented warning in ifdef part of main.c
-+$(eval $(call SetupBuildLauncher, alt-java, \
-+    CFLAGS := -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES -DREDHAT_ALT_JAVA -Wno-error=cpp, \
-+    EXTRA_RCFLAGS := $(JAVA_RCFLAGS), \
-+    VERSION_INFO_RESOURCE := $(JAVA_VERSION_INFO_RESOURCE), \
-+    OPTIMIZATION := HIGH, \
-+))
-+
- ifeq ($(call isTargetOs, windows), true)
-   $(eval $(call SetupBuildLauncher, javaw, \
-       CFLAGS := -DJAVAW -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES, \
-diff --git openjdk.orig/src/java.base/share/native/launcher/alt_main.h openjdk/src/java.base/share/native/launcher/alt_main.h
-new file mode 100644
-index 00000000000..697df2898ac
--- /dev/null
-+++ openjdk/src/java.base/share/native/launcher/alt_main.h
-@@ -0,0 +1,73 @@
-+/*
-+ * Copyright (c) 2019, Red Hat, Inc. All rights reserved.
-+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-+ *
-+ * This code is free software; you can redistribute it and/or modify it
-+ * under the terms of the GNU General Public License version 2 only, as
-+ * published by the Free Software Foundation.  Oracle designates this
-+ * particular file as subject to the "Classpath" exception as provided
-+ * by Oracle in the LICENSE file that accompanied this code.
-+ *
-+ * This code is distributed in the hope that it will be useful, but WITHOUT
-+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-+ * version 2 for more details (a copy is included in the LICENSE file that
-+ * accompanied this code).
-+ *
-+ * You should have received a copy of the GNU General Public License version
-+ * 2 along with this work; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+#ifdef REDHAT_ALT_JAVA
-+
-+#include <sys/prctl.h>
-+
-+
-+/* Per task speculation control */
-+#ifndef PR_GET_SPECULATION_CTRL
-+# define PR_GET_SPECULATION_CTRL    52
-+#endif
-+#ifndef PR_SET_SPECULATION_CTRL
-+# define PR_SET_SPECULATION_CTRL    53
-+#endif
-+/* Speculation control variants */
-+#ifndef PR_SPEC_STORE_BYPASS
-+# define PR_SPEC_STORE_BYPASS          0
-+#endif
-+/* Return and control values for PR_SET/GET_SPECULATION_CTRL */
-+
-+#ifndef PR_SPEC_NOT_AFFECTED
-+# define PR_SPEC_NOT_AFFECTED          0
-+#endif
-+#ifndef PR_SPEC_PRCTL
-+# define PR_SPEC_PRCTL                 (1UL << 0)
-+#endif
-+#ifndef PR_SPEC_ENABLE
-+# define PR_SPEC_ENABLE                (1UL << 1)
-+#endif
-+#ifndef PR_SPEC_DISABLE
-+# define PR_SPEC_DISABLE               (1UL << 2)
-+#endif
-+#ifndef PR_SPEC_FORCE_DISABLE
-+# define PR_SPEC_FORCE_DISABLE         (1UL << 3)
-+#endif
-+#ifndef PR_SPEC_DISABLE_NOEXEC
-+# define PR_SPEC_DISABLE_NOEXEC        (1UL << 4)
-+#endif
-+
-+static void set_speculation() __attribute__((constructor));
-+static void set_speculation() {
-+  if ( prctl(PR_SET_SPECULATION_CTRL,
-+             PR_SPEC_STORE_BYPASS,
-+             PR_SPEC_DISABLE_NOEXEC, 0, 0) == 0 ) {
-+    return;
-+  }
-+  prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);
-+}
-+
-+#endif // REDHAT_ALT_JAVA
-diff --git openjdk.orig/src/java.base/share/native/launcher/main.c openjdk/src/java.base/share/native/launcher/main.c
-index b734fe2ba78..79dc8307650 100644
--- openjdk.orig/src/java.base/share/native/launcher/main.c
-+++ openjdk/src/java.base/share/native/launcher/main.c
-@@ -34,6 +34,14 @@
- #include "jli_util.h"
- #include "jni.h"
- 
-+#ifdef REDHAT_ALT_JAVA
-+#if defined(__linux__) && defined(__x86_64__)
-+#include "alt_main.h"
-+#else
-+#warning alt-java requested but SSB mitigation not available on this platform.
-+#endif
-+#endif
-+
- /*
-  * Entry point.
-  */
--- a/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
+++ b/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
@ -1,19 +0,0 @@
-Remove uses of FAR in jpeg code
-
-Upstream libjpeg-trubo removed the (empty) FAR macro:
-http://sourceforge.net/p/libjpeg-turbo/code/1312/
-
-Adjust our code to not use the undefined FAR macro anymore.
-
-diff --git a/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c b/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c
--- openjdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c
-+++ openjdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c
-@@ -1385,7 +1385,7 @@
-     /* and fill it in */
-     dst_ptr = icc_data;
-     for (seq_no = first; seq_no < last; seq_no++) {
-        JOCTET FAR *src_ptr = icc_markers[seq_no]->data + ICC_OVERHEAD_LEN;
-+        JOCTET *src_ptr = icc_markers[seq_no]->data + ICC_OVERHEAD_LEN;
-         unsigned int length =
-             icc_markers[seq_no]->data_length - ICC_OVERHEAD_LEN;
-