Exclude %{bootjdkpkg}-portable-devel%{?bootdebugpkg:-%{bootdebugpkg}} from BR for bootstrap build

Portable
2025-10-08 18:55:39 +03:00 · 2025-10-07 14:50:13 +03:00
25 changed files with 163 additions and 5547 deletions
--- a/.gitignore
+++ b/.gitignore
@ -39,11 +39,3 @@
 /openjdk-21.0.8+8-ea.tar.xz
 /openjdk-21.0.8+9.tar.xz
 /openjdk-22.0.2+9.tar.xz
-/openjdk-23.0.2+7.tar.xz
-/openjdk-24.0.2+12.tar.xz
-/openjdk-25+36.tar.xz
-/openjdk-25.0.1+8.tar.xz
-/nssadapter-0.1.0.tar.xz
-/openjdk-25.0.2+10.tar.xz
-/nssadapter-0.1.1.tar.xz
-/openjdk-25.0.3+9.tar.xz
--- a/1404
+++ b/1404
--- a/TestSecurityProperties.java
+++ b/TestSecurityProperties.java
@ -21,32 +21,15 @@ import java.security.Security;
 import java.util.Properties;

 public class TestSecurityProperties {
-    private static final String JAVA_HOME = System.getProperty("java.home");
    // JDK 11
-    private static final String JDK_PROPS_FILE_JDK_11 = JAVA_HOME + "/conf/security/java.security";
+    private static final String JDK_PROPS_FILE_JDK_11 = System.getProperty("java.home") + "/conf/security/java.security";
    // JDK 8
-    private static final String JDK_PROPS_FILE_JDK_8 = JAVA_HOME + "/lib/security/java.security";
-    // JDK 25
-    // Omit fips.properties files since they are not relevant to this test.
-    // Omit JAVA_HOME + "/conf/security/redhat/crypto-policies.properties" which simply includes
-    // true/crypto-policies.properties in case redhat.crypto-policies is left undefined.
-    private static final String[] JDK_PROPS_FILES_JDK_25_ENABLED = {
-            JAVA_HOME + "/conf/security/redhat/true/crypto-policies.properties",
-            "/etc/crypto-policies/back-ends/java.config"
-    };
-    private static final String[] JDK_PROPS_FILES_JDK_25_DISABLED = {
-            JAVA_HOME + "/conf/security/redhat/false/crypto-policies.properties"
-    };
+    private static final String JDK_PROPS_FILE_JDK_8 = System.getProperty("java.home") + "/lib/security/java.security";

    private static final String POLICY_FILE = "/etc/crypto-policies/back-ends/java.config";

    private static final String MSG_PREFIX = "DEBUG: ";

-    private static final String javaVersion = System.getProperty("java.version");
-
-    // float for java 1.8
-    private static final float JAVA_FEATURE = Float.parseFloat(System.getProperty("java.specification.version"));
-
    public static void main(String[] args) {
        if (args.length == 0) {
            System.err.println("TestSecurityProperties <true|false>");
@ -57,24 +40,18 @@ public class TestSecurityProperties {
        boolean enabled = Boolean.valueOf(args[0]);
        System.out.println(MSG_PREFIX + "System security properties enabled: " + enabled);
        Properties jdkProps = new Properties();
-        loadProperties(jdkProps, enabled);
+        loadProperties(jdkProps);
        if (enabled) {
            loadPolicy(jdkProps);
        }
-        for (Object key : jdkProps.keySet()) {
-            String sKey = (String) key;
-            if (JAVA_FEATURE >= 25 && sKey.equals("include")) {
-                // Avoid the following exception on 25: IllegalArgumentException: Key 'include' is
-                // reserved and cannot be used as a Security property name.  Hard-code the includes
-                // in JDK_PROPS_FILES_JDK_25_ENABLED and JDK_PROPS_FILES_JDK_25_DISABLED instead.
-                continue;
-            }
+        for (Object key: jdkProps.keySet()) {
+            String sKey = (String)key;
            System.out.println(MSG_PREFIX + "Checking " + sKey);
            String securityVal = Security.getProperty(sKey);
            String jdkSecVal = jdkProps.getProperty(sKey);
            if (!jdkSecVal.equals(securityVal)) {
                String msg = "Expected value '" + jdkSecVal + "' for key '" +
-                        sKey + "'" + " but got value '" + securityVal + "'";
+                             sKey + "'" + " but got value '" + securityVal + "'";
                throw new RuntimeException("Test failed! " + msg);
            } else {
                System.out.println(MSG_PREFIX + sKey + " = " + jdkSecVal + " as expected.");
@ -83,26 +60,17 @@ public class TestSecurityProperties {
        System.out.println("TestSecurityProperties PASSED!");
    }

-    private static void loadPropertiesFile(Properties props, String propsFile) {
-        try (FileInputStream fin = new FileInputStream(propsFile)) {
-            props.load(fin);
-        } catch (Exception e) {
-            throw new RuntimeException("Test failed!", e);
-        }
-    }
-
-    private static void loadProperties(Properties props, boolean enabled) {
+    private static void loadProperties(Properties props) {
+        String javaVersion = System.getProperty("java.version");
        System.out.println(MSG_PREFIX + "Java version is " + javaVersion);
        String propsFile = JDK_PROPS_FILE_JDK_11;
        if (javaVersion.startsWith("1.8.0")) {
            propsFile = JDK_PROPS_FILE_JDK_8;
        }
-        loadPropertiesFile(props, propsFile);
-        if (JAVA_FEATURE >= 25) {
-            for (String file : enabled ? JDK_PROPS_FILES_JDK_25_ENABLED : JDK_PROPS_FILES_JDK_25_DISABLED) {
-                System.out.println(MSG_PREFIX + "Loading " + file);
-                loadPropertiesFile(props, file);
-            }
+        try (FileInputStream fin = new FileInputStream(propsFile)) {
+            props.load(fin);
+        } catch (Exception e) {
+            throw new RuntimeException("Test failed!", e);
        }
    }

@ -115,17 +83,3 @@ public class TestSecurityProperties {
    }

 }
-
-/*
- * Local Variables:
- * compile-command: "\
- * /usr/lib/jvm/java-25-openjdk/bin/javac TestSecurityProperties.java \
- * && (/usr/lib/jvm/java-25-openjdk/bin/java                                TestSecurityProperties false ; [[ $? == 1 ]]) \
- * && (/usr/lib/jvm/java-25-openjdk/bin/java -Dredhat.crypto-policies=true  TestSecurityProperties false ; [[ $? == 1 ]]) \
- * && (/usr/lib/jvm/java-25-openjdk/bin/java -Dredhat.crypto-policies=false TestSecurityProperties true  ; [[ $? == 1 ]]) \
- * &&  /usr/lib/jvm/java-25-openjdk/bin/java                                TestSecurityProperties true                   \
- * &&  /usr/lib/jvm/java-25-openjdk/bin/java -Dredhat.crypto-policies=true  TestSecurityProperties true                   \
- * &&  /usr/lib/jvm/java-25-openjdk/bin/java -Dredhat.crypto-policies=false TestSecurityProperties false"                 \
- * fill-column: 124
- * End:
- */
--- a/TestTranslations.java
+++ b/TestTranslations.java
@ -52,9 +52,9 @@ public class TestTranslations {
        map.put(Locale.FRANCE, new String[] { "heure normale des Rocheuses", "UTC\u221207:00", "MST",
                                              "heure d\u2019\u00e9t\u00e9 des Rocheuses", "UTC\u221206:00", "MST",
                                              "heure des Rocheuses", "UTC\u221207:00", "MST"});
-        map.put(Locale.GERMANY, new String[] { "Rocky-Mountains-Normalzeit", "GMT-07:00", "MST",
-                                               "Rocky-Mountains-Sommerzeit", "GMT-06:00", "MST",
-                                               "Rocky-Mountains-Zeit", "GMT-07:00", "MST"});
+        map.put(Locale.GERMANY, new String[] { "Rocky-Mountain-Normalzeit", "GMT-07:00", "MST",
+                                               "Rocky-Mountain-Sommerzeit", "GMT-06:00", "MST",
+                                               "Rocky-Mountain-Zeit", "GMT-07:00", "MST"});
        CIUDAD_JUAREZ = Collections.unmodifiableMap(map);
    }

--- a/create-redhat-properties-files.bash
+++ b/create-redhat-properties-files.bash
@ -1,168 +0,0 @@
-#!/bin/bash
-#
-# Create Red Hat OpenJDK security properties directory hierarchy.
-#
-# Copyright (C) 2025 IBM Corporation. All rights reserved.
-#
-# Written by:
-#     Francisco Ferrari Bihurriet <fferrari@redhat.com>
-#     Thomas Fitzsimmons <fitzsim@redhat.com>
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Affero General Public License as
-# published by the Free Software Foundation, either version 3 of the
-# License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU Affero General Public License for more details.
-#
-# You should have received a copy of the GNU Affero General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-#
-# Usage:
-#
-# bash create-redhat-properties-files.bash <target directory> <nssadapter path>
-#
-# Example usage in spec file:
-#
-# bash -x create-redhat-properties-files.bash ${installdir}/conf/security \
-#     %{_libdir}/%{sdkdir -- ${suffix}}/libnssadapter.so
-#
-# When you make changes to the file set here, also update the %files
-# section in the spec file, and the JDK_PROPS_FILES_JDK_25 variables
-# in TestSecurityProperties.java.
-
-[[ $# == 2 ]] || exit 1
-
-SECURITY="${1}"
-NSSADAPTER="${2}"
-VENDOR="${SECURITY}"/redhat
-install --directory --mode=755 "${VENDOR}"
-install --directory --mode=755 "${VENDOR}"/true
-install --directory --mode=755 "${VENDOR}"/false
-
-# /usr/lib/jvm/java-25-openjdk/conf/security/redhat/SunPKCS11-FIPS.cfg
-install --mode 644 /dev/stdin "${VENDOR}"/SunPKCS11-FIPS.cfg <<EOF
-name = FIPS
-library = ${NSSADAPTER}
-slot = 3
-nssUseSecmod = false
-attributes(*,CKO_SECRET_KEY,*)={ CKA_SIGN=true CKA_ENCRYPT=true }
-EOF
-
-# /usr/lib/jvm/java-25-openjdk/conf/security/redhat/false/crypto-policies.properties
-install --mode 644 /dev/stdin "${VENDOR}"/false/crypto-policies.properties <<'EOF'
-# Empty on purpose, for ${redhat.crypto-policies}=false
-EOF
-
-# /usr/lib/jvm/java-25-openjdk/conf/security/redhat/true/crypto-policies.properties
-install --mode 644 /dev/stdin "${VENDOR}"/true/crypto-policies.properties <<'EOF'
-#
-# Apply the system-wide crypto policy
-#
-include /etc/crypto-policies/back-ends/java.config
-
-#
-# Apply the FIPS-specific security properties, if needed
-#
-include ../${__redhat_fips__}/fips.properties
-EOF
-
-# /usr/lib/jvm/java-25-openjdk/conf/security/redhat/crypto-policies.properties
-install --mode 644 /dev/stdin "${VENDOR}"/crypto-policies.properties <<'EOF'
-#
-# Default choice for the crypto-policies setup
-#
-include true/crypto-policies.properties
-EOF
-
-# /usr/lib/jvm/java-25-openjdk/conf/security/redhat/false/fips.properties
-install --mode 644 /dev/stdin "${VENDOR}"/false/fips.properties <<'EOF'
-# Empty on purpose, for when FIPS is disabled.
-EOF
-
-# /usr/lib/jvm/java-25-openjdk/conf/security/redhat/true/fips.properties
-install --mode 644 /dev/stdin "${VENDOR}"/true/fips.properties <<'EOF'
-#
-# Enable the downstream-patch RedHatFIPSFilter code
-#
-__redhat_fips_filter__=true
-
-#
-# FIPS mode Security Providers List
-#
-security.provider.1=SunPKCS11 ${java.home}/conf/security/redhat/SunPKCS11-FIPS.cfg
-security.provider.2=SUN
-security.provider.3=SunEC
-security.provider.4=SunJSSE
-security.provider.5=SunJCE
-security.provider.6=SunRsaSign
-security.provider.7=XMLDSig
-security.provider.8=
-#                   ^ empty on purpose, to finish the Providers List
-
-#
-# FIPS mode default keystore type
-#
-keystore.type=pkcs12
-EOF
-
-# Make sure java.security exists before appending
-test -e "${SECURITY}"/java.security || ( echo "${SECURITY}/java.security not found" && false )
-cat >> "${SECURITY}"/java.security <<'EOF'
-
-#
-# System-wide crypto-policies and FIPS setup
-#
-# The following crypto-policies setup automatically detects when the system
-# is in FIPS mode and configures OpenJDK accordingly. If OpenJDK needs to
-# ignore the system and disable its FIPS setup, just disable the usage of
-# the system crypto-policies, by any of the methods described below.
-#
-# The redhat.crypto-policies system property is a boolean switch that
-# controls the usage on a per-run basis. For example, pass
-# -Dredhat.crypto-policies=false to disable the system crypto-policies.
-#
-# This setup consists of the following files in $JAVA_HOME/conf/security:
-#
-#   'redhat/false/crypto-policies.properties' (policies usage disabled file)
-#      Empty file, applied when the boolean switch is passed as false.
-#
-#   'redhat/true/crypto-policies.properties' (policies usage enabled file)
-#      Performs the crypto-policies and FIPS setup, applied when the boolean
-#      switch is passed as true.
-#
-#   'redhat/crypto-policies.properties' (policies usage default file)
-#      Determines the default choice by including one of the previous files,
-#      applied when the boolean switch is not passed.
-#      The system crypto-policies usage is enabled by default:
-#        include true/crypto-policies.properties
-#
-# To enable or disable the usage of the crypto-policies on a per-deployment
-# basis, edit the policies usage default file, changing the included file.
-# For example, execute the following command to persistently disable the
-# crypto-policies:
-#   sed -i s/true/false/ $JAVA_HOME/conf/security/redhat/crypto-policies.properties
-# Applications can still override this on a per-run basis, for example by
-# passing -Dredhat.crypto-policies=true.
-#
-# To disable the redhat.crypto-policies boolean switch, modify the following
-# include directive as follows. Replace ${redhat.crypto-policies} by true to
-# force-apply the system crypto-policies:
-#   include redhat/true/crypto-policies.properties
-# Remove or comment out the include directive to force-disable the setup:
-#   #include redhat/${redhat.crypto-policies}/crypto-policies.properties
-#
-include redhat/${redhat.crypto-policies}/crypto-policies.properties
-#       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-# WARNING: anything placed after this include directive will apply on top
-# of the described setup. Adding properties below this section is strongly
-# discouraged, as it poses a risk of overriding the system crypto-policies
-# or invalidating the FIPS deployment.
-EOF
-
-# Local Variables:
-# compile-command: "shellcheck create-redhat-properties-files.bash"
-# End:
--- a/fips-25u-57722aab802.patch
+++ b/fips-25u-57722aab802.patch
@ -1,87 +0,0 @@
-diff --git a/src/java.base/share/classes/java/security/Provider.java b/src/java.base/share/classes/java/security/Provider.java
-index de2845fb550..60eeab678ca 100644
--- a/src/java.base/share/classes/java/security/Provider.java
-+++ b/src/java.base/share/classes/java/security/Provider.java
-@@ -1203,6 +1203,34 @@ public Set<Service> getServices() {
-         return serviceSet;
-     }
- 
-+    /* vvvvvvvvvvvvvvvvvvvvvvvvvvvvv FIPS PATCH vvvvvvvvvvvvvvvvvvvvvvvvvvvvv */
-+    private static final class RedHatFIPSFilter {
-+        static final boolean IS_ON = Boolean.parseBoolean(
-+                Security.getProperty("__redhat_fips_filter__"));
-+        private static final Map<String, Set<String>> ALLOW_LIST = Map.of(
-+                "SUN", Set.of(
-+                        "AlgorithmParameterGenerator",
-+                        "AlgorithmParameters", "CertificateFactory",
-+                        "CertPathBuilder", "CertPathValidator", "CertStore",
-+                        "Configuration", "KeyStore"),
-+                "SunEC", Set.of(
-+                        "AlgorithmParameters", "KeyFactory"),
-+                "SunJCE", Set.of(
-+                        "AlgorithmParameters",
-+                        "AlgorithmParameterGenerator", "KeyFactory",
-+                        "SecretKeyFactory"),
-+                "SunRsaSign", Set.of(
-+                        "KeyFactory", "AlgorithmParameters")
-+        );
-+
-+        static boolean isAllowed(String provName, String serviceType) {
-+            Set<String> allowedServiceTypes = ALLOW_LIST.get(provName);
-+            return allowedServiceTypes == null ||
-+                    allowedServiceTypes.contains(serviceType);
-+        }
-+    }
-+    /* ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ FIPS PATCH ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ */
-+
-     /**
-      * Add a service. If a service of the same type with the same algorithm
-      * name exists, and it was added using {@link #putService putService()},
-@@ -1231,6 +1259,15 @@ protected void putService(Service s) {
-                     ("service.getProvider() must match this Provider object");
-         }
-         String type = s.getType();
-+        /* vvvvvvvvvvvvvvvvvvvvvvvvvvv FIPS PATCH vvvvvvvvvvvvvvvvvvvvvvvvvvv */
-+        if (RedHatFIPSFilter.IS_ON && !RedHatFIPSFilter.isAllowed(name, type)) {
-+            if (debug != null) {
-+                debug.println("The previous " + name + ".putService() call " +
-+                        "was skipped by " + RedHatFIPSFilter.class.getName());
-+            }
-+            return;
-+        }
-+        /* ^^^^^^^^^^^^^^^^^^^^^^^^^^^ FIPS PATCH ^^^^^^^^^^^^^^^^^^^^^^^^^^^ */
-         String algorithm = s.getAlgorithm();
-         ServiceKey key = new ServiceKey(type, algorithm, true);
-         implRemoveService(serviceMap.get(key));
-diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java
-index 6969fe8a8e1..4501d5971c4 100644
--- a/src/java.base/share/classes/java/security/Security.java
-+++ b/src/java.base/share/classes/java/security/Security.java
-@@ -323,7 +323,27 @@ public Properties getInitialProperties() {
-     }
- 
-     private static void initialize() {
-+        /* vvvvvvvvvvvvvvvvvvvvvvvvvvv FIPS PATCH vvvvvvvvvvvvvvvvvvvvvvvvvvv */
-+        /*   This 'include'-directives-only magic property is an internal     */
-+        /*   implementation detail that could (and probably will!) change.    */
-+        /*   Red Hat customers should NOT rely on this for their own use.     */
-+        String fipsKernelFlag = "/proc/sys/crypto/fips_enabled";
-+        boolean fipsModeOn;
-+        try (InputStream is = new java.io.FileInputStream(fipsKernelFlag)) {
-+            fipsModeOn = is.read() == '1';
-+        } catch (IOException ioe) {
-+            fipsModeOn = false;
-+            if (sdebug != null) {
-+                sdebug.println("Failed to read FIPS kernel file: " + ioe);
-+            }
-+        }
-+        String fipsMagicPropName = "__redhat_fips__";
-+        System.setProperty(fipsMagicPropName, "" + fipsModeOn);
-+        /* ^^^^^^^^^^^^^^^^^^^^^^^^^^^ FIPS PATCH ^^^^^^^^^^^^^^^^^^^^^^^^^^^ */
-         SecPropLoader.loadAll();
-+        /* vvvvvvvvvvvvvvvvvvvvvvvvvvv FIPS PATCH vvvvvvvvvvvvvvvvvvvvvvvvvvv */
-+        System.clearProperty(fipsMagicPropName);
-+        /* ^^^^^^^^^^^^^^^^^^^^^^^^^^^ FIPS PATCH ^^^^^^^^^^^^^^^^^^^^^^^^^^^ */
-         initialSecurityProperties = (Properties) props.clone();
-         if (sdebug != null) {
-             for (String key : props.stringPropertyNames()) {
--- a/java-25-openjdk-portable.specfile
+++ b/java-25-openjdk-portable.specfile
@ -226,7 +226,7 @@
 # other targets since this target is configured to use in-tree
 # AWT dependencies: lcms, libjpeg, libpng, libharfbuzz, giflib
 # and possibly others
-%global static_libs_target static-libs-graal-image
+%global static_libs_target static-libs-image
 %else
 %global static_libs_target %{nil}
 %endif
@ -247,13 +247,6 @@
 %global dtsversion 10
 %endif

-# Check if pandoc is available to generate docs (including man pages)
-%if 0%{?rhel} == 8
-%global pandoc_available 1
-%else
-%global pandoc_available 0
-%endif
-
 # Filter out flags from the optflags macro that cause problems with the OpenJDK build
 # We filter out -O flags so that the optimization of HotSpot is not lowered from O3 to O2
 # We filter out -Wall which will otherwise cause HotSpot to produce hundreds of thousands of warnings (100+mb logs)
@ -334,9 +327,10 @@
 %endif

 # New Version-String scheme-style defines
-%global featurever 25
+%global featurever 22
+%global fakefeaturever 25
 %global interimver 0
-%global updatever 3
+%global updatever 2
 %global patchver 0
 # buildjdkver is usually same as %%{featurever},
 # but in time of bootstrap of next jdk, it is featurever-1,
@ -351,6 +345,21 @@
  %global lts_designator ""
  %global lts_designator_zip ""
 %endif
+# JDK to use for bootstrapping
+%global bootjdkpkg java-%{fakefeaturever}-openjdk
+%ifarch %{fastdebug_arches}
+%global bootdebugpkg fastdebug
+%endif
+%global bootjdkzip %{_jvmdir}/%{bootjdkpkg}-*.portable%{?bootdebugpkg:.%{bootdebugpkg}}.jdk.%{_arch}.tar.xz
+%global bootjdk %{_builddir}/%{bootjdkpkg}.boot
+# Define whether to use the bootstrap JDK directly or with a fresh libjvm.so
+# This will only work where the bootstrap JDK is the same major version
+# as the JDK being built
+%if %{with fresh_libjvm} && %{buildjdkver} == %{featurever}
+%global build_hotspot_first 1
+%else
+%global build_hotspot_first 0
+%endif

 # Define vendor information used by OpenJDK
 %global oj_vendor Red Hat, Inc.
@ -376,10 +385,11 @@
 # Define IcedTea version used for SystemTap tapsets and desktop file
 %global icedteaver      6.0.0pre00-c848b93a8598
 # Define current Git revision for the FIPS support patches
-%global fipsver 57722aab802
+%global fipsver 9203d50836c
 # Define JDK versions
 %global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver}
-%global javaver         %{featurever}
+# Force 25 until we are actually ready to build that JDK version
+%global javaver         %{fakefeaturever}
 # Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames
 %global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn})
 # The tag used to create the OpenJDK tarball
@ -391,7 +401,7 @@
 %global top_level_dir_name   %{vcstag}
 %global top_level_dir_name_backup %{top_level_dir_name}-backup
 %global buildver        9
-%global rpmrelease      1
+%global rpmrelease      2
 #%%global tagsuffix     %%{nil}
 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
 %if %is_system_jdk
@ -426,16 +436,16 @@
 %endif

 # parametrized macros are order-sensitive
-%global compatiblename  java-%{featurever}-%{origin}
+%global compatiblename  java-%{fakefeaturever}-%{origin}
 %global fullversion     %{compatiblename}-%{version}-%{release}
 # images directories from upstream build
 %global jdkimage                jdk
-%global static_libs_image       static-libs-graal
+%global static_libs_image       static-libs
 # output dir stub
-%define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}}
-%define installoutputdir() %{expand:install/jdk%{featurever}.install%{?1}}
+%define buildoutputdir() %{expand:build/jdk%{fakefeaturever}.build%{?1}}
+%define installoutputdir() %{expand:install/jdk%{fakefeaturever}.install%{?1}}
 %global altjavaoutputdir install/altjava.install
-%define packageoutputdir() %{expand:packages/jdk%{featurever}.packages%{?1}}
+%define packageoutputdir() %{expand:packages/jdk%{fakefeaturever}.packages%{?1}}
 # we can copy the javadoc to not arched dir, or make it not noarch
 %define uniquejavadocdir()    %{expand:%{fullversion}.%{_arch}%{?1}}
 # main id and dir of this jdk
@ -458,22 +468,6 @@
 %define miscportablename() %(echo %{uniquesuffix ""} | sed "s;el%{rhel}\\(_[0-9]\\)*;portable.misc;g")
 %define miscportablearchive()  %{miscportablename}.tar.xz

-# JDK to use for bootstrapping
-%global bootjdkpkg java-%{featurever}-%{origin}
-%ifarch %{fastdebug_arches}
-%global bootdebugpkg fastdebug
-%endif
-%global bootjdkzip %{_jvmdir}/%{bootjdkpkg}-*.portable%{?bootdebugpkg:.%{bootdebugpkg}}.jdk.%{_arch}.tar.xz
-%global bootjdk %{_builddir}/%{uniquesuffix -- ""}/%{bootjdkpkg}.boot
-# Define whether to use the bootstrap JDK directly or with a fresh libjvm.so
-# This will only work where the bootstrap JDK is the same major version
-# as the JDK being built
-%if %{with fresh_libjvm} && %{buildjdkver} == %{featurever}
-%global build_hotspot_first 1
-%else
-%global build_hotspot_first 0
-%endif
-
 #################################################################
 # fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349
 #         https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14
@ -603,7 +597,7 @@ Source0: https://openjdk-sources.osci.io/openjdk%{featurever}/open%{vcstag}%{ea_
 # Use 'icedtea_sync.sh' to update the following
 # They are based on code contained in the IcedTea project (6.x).
 # Systemtap tapsets. Zipped up to keep it small.
-Source8: tapsets-icedtea-%{icedteaver}.tar.xz
+Source8: tapsets-icedtea-%%{icedteaver}.tar.xz

 # Desktop files. Adapted from IcedTea
 # Disabled in portables
@ -640,13 +634,41 @@ Source18: TestTranslations.java
 ############################################
 # Crypto policy and FIPS support patches
 # Patch is generated from the fips-25u tree at https://github.com/rh-openjdk/jdk/tree/fips-25u
-# as follows: git diff %%{vcstag} src make test > fips-25u-$(git show -s --format=%h HEAD).patch
+# as follows: git diff %%{vcstag} src make test > fips-21u-$(git show -s --format=%h HEAD).patch
 # Diff is limited to src and make subdirectories to exclude .github changes
 # Fixes currently included:
-# OPENJDK-2108: Internal __redhat_fips__ property
-# OPENJDK-2123: Algorithms lockdown
-# OPENJDK-4559: Red Hat Build of OpenJDK 25 should not restrict all the providers in FIPS
-Patch1001: fips-%{featurever}u-%{fipsver}.patch
+# PR3183, RH1340845: Follow system wide crypto policy
+# PR3695: Allow use of system crypto policy to be disabled by the user
+# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider
+# RH1818909: No ciphersuites availale for SSLSocket in FIPS mode
+# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available
+# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess
+# RH1929465: Improve system FIPS detection
+# RH1995150: Disable non-FIPS crypto in SUN and SunEC security providers
+# RH1996182: Login to the NSS software token in FIPS mode
+# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false
+# RH2021263: Resolve outstanding FIPS issues
+# RH2052819: Fix FIPS reliance on crypto policies
+# RH2052829: Detect NSS at Runtime for FIPS detection
+# RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode
+# RH2023467: Enable FIPS keys export
+# RH2094027: SunEC runtime permission for FIPS
+# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
+# RH2090378: Revert to disabling system security properties and FIPS mode support together
+# RH2104724: Avoid import/export of DH private keys
+# RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode
+# Build the systemconf library on all platforms
+# RH2048582: Support PKCS#12 keystores [now part of JDK-8301553 upstream]
+# RH2020290: Support TLS 1.3 in FIPS mode
+# Add nss.fips.cfg support to OpenJDK tree
+# RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode
+# Remove forgotten dead code from RH2020290 and RH2104724
+# OJ1357: Fix issue on FIPS with a SecurityManager in place
+# RH2134669: Add missing attributes when registering services in FIPS mode.
+# test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class
+# RH1940064: Enable XML Signature provider in FIPS mode
+# RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized [now part of JDK-8301553 upstream]
+# Disabled until 25: Patch1001: fips-%{featurever}u-%{fipsver}.patch

 #############################################
 #
@ -662,8 +684,7 @@ Patch1001: fips-%{featurever}u-%{fipsver}.patch
 #
 #############################################

-# JDK-8375294: (fs) Files.copy can fail with EOPNOTSUPP when copy_file_range not supported
-Patch2001: jdk8375294-handle-EOPNOTSUPP-in-copying.patch
+# Currently empty

 #############################################
 #
@ -717,14 +738,13 @@ BuildRequires: zip
 BuildRequires: tar
 BuildRequires: unzip
 BuildRequires: javapackages-filesystem
-BuildRequires: %{bootjdkpkg}-portable-devel%{?bootdebugpkg:-%{bootdebugpkg}} >= %{buildjdkver}
 # Zero-assembler build requirement
 %ifarch %{zero_arches}
 BuildRequires: libffi-devel
 %endif
 # Full documentation build requirements
 # pandoc is only available on RHEL/CentOS 8
-%if %{pandoc_available}
+%if 0%{?rhel} == 8
 BuildRequires: graphviz
 BuildRequires: pandoc
 %endif
@ -746,19 +766,19 @@ BuildRequires: libpng-devel
 BuildRequires: zlib-devel
 %else
 # Version in src/java.desktop/share/legal/freetype.md
-Provides: bundled(freetype) = 2.14.2
+Provides: bundled(freetype) = 2.13.3
 # Version in src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h
-Provides: bundled(giflib) = 6.1.2
+Provides: bundled(giflib) = 5.2.2
 # Version in src/java.desktop/share/native/libharfbuzz/hb-version.h
-Provides: bundled(harfbuzz) = 12.3.2
+Provides: bundled(harfbuzz) = 10.4.0
 # Version in src/java.desktop/share/native/liblcms/lcms2.h
 Provides: bundled(lcms2) = 2.17.0
 # Version in src/java.desktop/share/native/libjavajpeg/jpeglib.h
 Provides: bundled(libjpeg) = 6b
 # Version in src/java.desktop/share/native/libsplashscreen/libpng/png.h
-Provides: bundled(libpng) = 1.6.57
+Provides: bundled(libpng) = 1.6.47
 # Version in src/java.base/share/native/libzip/zlib/zlib.h
-Provides: bundled(zlib) = 1.3.2
+Provides: bundled(zlib) = 1.3.1
 # We link statically against libstdc++ to increase portability
 %ifnarch %{devkit_arches}
 BuildRequires: libstdc++-static
@ -976,17 +996,10 @@ sh %{SOURCE12} %{top_level_dir_name}
 # rpmbuild.
 pushd %{top_level_dir_name}
 # Add crypto policy and FIPS support
-%patch -P1001 -p1
-# Add EOPNOTSUPP patch
-%patch -P2001 -p1
+# Disabled until 25
+#%patch -P1001 -p1
 popd # openjdk

-echo "Generating %{alt_java_name} man page"
-altjavamanpage=%{top_level_dir_name}/src/java.base/share/man/%{alt_java_name}.md
-altjavatext="Hardened java binary recommended for launching untrusted code from the Web e.g. javaws"
-sed -r -e 's|([^/.])java([^./])|\1alt-java\2|g' %{top_level_dir_name}/src/java.base/share/man/java.md | \
-    sed -e 's|JAVA(|ALT-JAVA(|' | \
-    sed -e "s|java - launch a Java application|alt-java - ${altjavatext}|" >> ${altjavamanpage}

 # The OpenJDK version file includes the current
 # upstream version information. For some reason,
@ -1052,7 +1065,7 @@ pushd %{_jvmdir}
 sha256sum --check %{bootjdkzip}.sha256sum
 popd
 tar -xJf %{bootjdkzip}
-mv java-%{featurever}-openjdk-%{buildjdkver}* %{bootjdk}
+mv java-%{fakefeaturever}-openjdk-%{featurever}* %{bootjdk}
 # Print release information
 echo "Installed boot JDK:"
 cat %{bootjdk}/release
@ -1347,7 +1360,6 @@ function installjdk() {
    # legacy-jre-image target does not install any man pages for the JRE
    # We copy the jdk man directory and then remove pages for binaries that
    # don't exist in the JRE
-%if %{pandoc_available}
    cp -a ${jdkimagepath}/man ${jreimagepath}
    for manpage in $(find ${jreimagepath}/man -name '*.1'); do
        filename=$(basename ${manpage});
@ -1357,7 +1369,6 @@ function installjdk() {
            rm -f ${manpage};
        fi;
    done
-%endif

    for imagepath in ${jdkimagepath} ${jreimagepath} ${unstripped}; do

@ -1508,7 +1519,7 @@ function packagejdk() {
 %if %{with_systemtap}
        cp -a ${tapsetdir}* ${miscname}
 %endif
-        cp -av ${altjavadir}/%{alt_java_name} ${miscname}
+        cp -av ${altjavadir}/%{alt_java_name}{,.1} ${miscname}
        createtar ${miscname} ${miscarchive}
        genchecksum ${miscarchive}
    fi
@ -1549,6 +1560,10 @@ function packagejdk() {
 echo "Building %{SOURCE11}"
 mkdir -p %{altjavaoutputdir}
 LD_LIBRARY_PATH="${LIBPATH}" ${GCC} ${EXTRA_CFLAGS} -o %{altjavaoutputdir}/%{alt_java_name} %{SOURCE11}
+echo "Generating %{alt_java_name} man page"
+altjavamanpage=%{altjavaoutputdir}/%{alt_java_name}.1
+echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > ${altjavamanpage}
+cat %{top_level_dir_name}/src/java.base/share/man/java.1 >> ${altjavamanpage}

 echo "Building %{newjavaver}-%{buildver}, pre=%{ea_designator}, opt=%{lts_designator}"

@ -1698,23 +1713,18 @@ $JAVA_HOME/bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -versi
  $JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR
 %endif

-  # Check blocked.certs is valid (OPENJDK-4362)
-  jtreg_test=$(pwd)/%{top_level_dir_name}/test/jdk/sun/security/lib/CheckBlockedCerts.java
-  jtreg_dir=$(dirname ${jtreg_test})
-  $JAVA_HOME/bin/java --add-exports java.base/sun.security.util=ALL-UNNAMED -Dtest.src=${jtreg_dir} ${jtreg_test}
-
  # Check src.zip has all sources. See RHBZ#1130490
  unzip -l $JAVA_HOME/lib/src.zip | grep 'sun.misc.Unsafe'

  # Check class files include useful debugging information
-  $JAVA_HOME/bin/javap -c -l java.lang.Object | grep "Compiled from"
-  $JAVA_HOME/bin/javap -c -l java.lang.Object | grep LineNumberTable
-  $JAVA_HOME/bin/javap -c -l java.lang.Object | grep LocalVariableTable
+  $JAVA_HOME/bin/javap -l java.lang.Object | grep "Compiled from"
+  $JAVA_HOME/bin/javap -l java.lang.Object | grep LineNumberTable
+  $JAVA_HOME/bin/javap -l java.lang.Object | grep LocalVariableTable

  # Check generated class files include useful debugging information
-  $JAVA_HOME/bin/javap -c -l java.nio.ByteBuffer | grep "Compiled from"
-  $JAVA_HOME/bin/javap -c -l java.nio.ByteBuffer | grep LineNumberTable
-  $JAVA_HOME/bin/javap -c -l java.nio.ByteBuffer | grep LocalVariableTable
+  $JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep "Compiled from"
+  $JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LineNumberTable
+  $JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LocalVariableTable

 %else

@ -1946,94 +1956,6 @@ done
 %endif

 %changelog
-* Sat Apr 18 2026 Andrew Hughes <gnu.andrew@redhat.com> - 1:25.0.3.0.9-1
- Update to jdk-25.0.3+9 (GA)
- Update release notes to 25.0.3+9
- Update FIPS patch to 57722aab802 version synced with 25.0.3+8
- Drop local libpng patches now JDK-8372534, JDK-8375063 & JDK-8377526 are included upstream
- Drop local HarfBuzz patch now JDK-8375057 is included upstream
- Bump freetype version to 2.14.2 following JDK-8373290 & JDK-8379158
- Bump giflib version to 6.1.2 following JDK-8379256 & JDK-8380078
- Bump libpng version to 1.6.57 following JDK-8380959 & JDK-8382047
- Bump zlib version to 1.3.2 following JDK-8378631
- Add JDK-8375294 EOPNOTSUPP patch ahead of 25.0.4
- ** This tarball is embargoed until 2026-04-21 @ 1pm PT. **
- Resolves: OPENJDK-4634
- Resolves: OPENJDK-4656
- Resolves: OPENJDK-4607
- Resolves: OPENJDK-4675
-
-* Tue Mar 03 2026 Andrew Hughes <gnu.andrew@redhat.com> - 1:25.0.2.0.10-3
- Update FIPS patch to e55ada9353e to include the fix for the too restrictive provider lockdown
- Fix FIPS issue list to represent the new 25u version
- Add JDK-8375063 libpng 1.6.54 ahead of 25.0.3
- Add JDK-8375057 harfbuzz 12.3.2 ahead of 25.0.3
- Add JDK-8377526 libpng 1.6.55 ahead of 25.0.3
- Bump libpng version to 1.6.55 following JDK-8375063 & JDK-8377526
- Bump harfbuzz version to 12.3.2 following JDK-8375057
- Resolves: OPENJDK-4570
- Resolves: OPENJDK-4304
- Resolves: OPENJDK-4524
- Resolves: OPENJDK-4544
- Resolves: OPENJDK-4553
-
-* Mon Jan 12 2026 Andrew Hughes <gnu.andrew@redhat.com> - 1:25.0.2.0.10-2
- Add JDK-8372534 libpng 1.6.51 ahead of 25.0.3
- Bump libpng version to 1.6.51 following JDK-8372534
- Add CVEs for 25.0.2 to NEWS
- Correct version and date for this upcoming release in NEWS
- Related: OPENJDK-4359
-
-* Mon Jan 12 2026 Andrew Hughes <gnu.andrew@redhat.com> - 1:25.0.2.0.10-1
- Update to jdk-25.0.2+10 (GA)
- Update release notes to 25.0.2+10
- Add test to ensure blocked.certs is valid (OPENJDK-4362)
- ** This tarball is embargoed until 2026-01-20 @ 1pm PT. **
- Resolves: OPENJDK-4359
- Resolves: OPENJDK-4362
-
-* Tue Dec 02 2025 Severin Gehwolf <sgehwolf@redhat.com> - 1:25.0.1.0.8-2
- Switch from static-libs-image to static-libs-graal-image to avoid large unneeded libjvm.a
- Resolves: OPENJDK-4197
-
-* Tue Dec 02 2025 Andrew Hughes <gnu.andrew@redhat.com> - 1:25.0.1.0.8-2
- Incorporate new FIPS patch for 25u
- Resolves: OPENJDK-4184
-
-* Mon Nov 10 2025 Andrew Hughes <gnu.andrew@redhat.com> - 1:25.0.1.0.8-1
- Update to jdk-25.0.1+8 (GA)
- Update release notes to 25.0.1+8
- Related: RHELBU-3203
-
-* Mon Nov 10 2025 Andrew Hughes <gnu.andrew@redhat.com> - 1:25.0.0.0.36-2
- Drop fakefeaturever and rebuild with ourselves now we have reached OpenJDK 25
- Related: RHELBU-3203
-
-* Sun Nov 09 2025 Andrew Hughes <gnu.andrew@redhat.com> - 1:25.0.0.0.36-1
- Update to jdk-25.0.0+36 (GA)
- Update release notes with features of JDK 25
- Mention finalisation JEP for features finalised in JDK 22, 23 & 24
- Resolves: RHELBU-3203
-
-* Wed Nov 05 2025 Andrew Hughes <gnu.andrew@redhat.com> - 1:24.0.2.0.12-1
- Update to jdk-24.0.2+12 (GA)
- Update release notes with features of JDK 24
- Generate alt-java.md during prep following removal of pre-generated man pages in JDK-8344056
- Introduce pandoc_available global for conditional handling of both pandoc dependency and manpages
- Adjust TestTranslations.java with updated German translations from CLDR 46 (JDK-8333582) (Mountain->Mountains)
- Run javap with the disassembled code (-c) option now required for -l by JDK-8345145
- Related: RHELBU-3203
-
-* Sat Oct 25 2025 Andrew Hughes <gnu.andrew@redhat.com> - 1:23.0.2.0.7-1
- Update to jdk-23.0.2+7 (GA)
- Update release notes with features of JDK 23
- Switch buildjdkver to featurever + 1
- Use buildjdkver in the path to the extracted bootstrap JDK
- Move bootstrap declarations later so they can use variables like uniquesuffix
- Fix bootjdk so it uses our build subdirectory created in setup (_builddir only gives the top-level BUILD)
- Fix double '%' in specification of IcedTea sources
- Related: RHELBU-3203
-
 * Mon Sep 22 2025 Andrew Hughes <gnu.andrew@redhat.com> - 1:22.0.2.0.9-2
 - Build using ourselves rather than the system JDK as java-25-openjdk is unavailable on older systems
 - Switch buildjdkver back to featurever temporarily for this rebuild
--- a/java-25-openjdk.spec
+++ b/java-25-openjdk.spec
--- a/java-25-openjdk.spec
+++ b/java-25-openjdk.spec
@ -0,0 +1 @@
+java-25-openjdk-portable.specfile
--- a/jdk8375294-handle-EOPNOTSUPP-in-copying.patch
+++ b/jdk8375294-handle-EOPNOTSUPP-in-copying.patch
@ -1,63 +0,0 @@
-From dbbdc1dffd10608195487fa139e77c4a90c80658 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Ji=C5=99=C3=AD=20Van=C4=9Bk?= <jvanek@openjdk.org>
-Date: Wed, 15 Apr 2026 12:54:49 +0000
-Subject: [PATCH] 8375294: (fs) Files.copy can fail with EOPNOTSUPP when
- copy_file_range not supported
-
-Reviewed-by: andrew
-Backport-of: 30cda00010888b6e9a2bf8cdeaedbb3eb4b6a222
---
- src/java.base/linux/native/libnio/ch/FileDispatcherImpl.c    | 5 +++--
- src/java.base/linux/native/libnio/fs/LinuxNativeDispatcher.c | 3 ++-
- 2 files changed, 5 insertions(+), 3 deletions(-)
-
-diff --git a/src/java.base/linux/native/libnio/ch/FileDispatcherImpl.c b/src/java.base/linux/native/libnio/ch/FileDispatcherImpl.c
-index efbd0ca5684..54d640b03a4 100644
--- a/src/java.base/linux/native/libnio/ch/FileDispatcherImpl.c
-+++ b/src/java.base/linux/native/libnio/ch/FileDispatcherImpl.c
-@@ -1,5 +1,5 @@
- /*
- * Copyright (c) 2000, 2024, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 2000, 2026, Oracle and/or its affiliates. All rights reserved.
-  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-  *
-  * This code is free software; you can redistribute it and/or modify it
-@@ -63,7 +63,7 @@ Java_sun_nio_ch_FileDispatcherImpl_transferFrom0(JNIEnv *env, jobject this,
-     if (n < 0) {
-         if (errno == EAGAIN)
-             return IOS_UNAVAILABLE;
-        if (errno == ENOSYS)
-+        if (errno == ENOSYS || errno == EOPNOTSUPP)
-             return IOS_UNSUPPORTED_CASE;
-         if ((errno == EBADF || errno == EINVAL || errno == EXDEV) &&
-             ((ssize_t)count >= 0))
-@@ -103,6 +103,7 @@ Java_sun_nio_ch_FileDispatcherImpl_transferTo0(JNIEnv *env, jobject this,
-                 case EINVAL:
-                 case ENOSYS:
-                 case EXDEV:
-+                case EOPNOTSUPP:
-                     // ignore and try sendfile()
-                     break;
-                 default:
-diff --git a/src/java.base/linux/native/libnio/fs/LinuxNativeDispatcher.c b/src/java.base/linux/native/libnio/fs/LinuxNativeDispatcher.c
-index c90e99dda07..4677411b0ba 100644
--- a/src/java.base/linux/native/libnio/fs/LinuxNativeDispatcher.c
-+++ b/src/java.base/linux/native/libnio/fs/LinuxNativeDispatcher.c
-@@ -1,5 +1,5 @@
- /*
- * Copyright (c) 2008, 2024, Oracle and/or its affiliates. All rights reserved.
-+ * Copyright (c) 2008, 2026, Oracle and/or its affiliates. All rights reserved.
-  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-  *
-  * This code is free software; you can redistribute it and/or modify it
-@@ -193,6 +193,7 @@ Java_sun_nio_fs_LinuxNativeDispatcher_directCopy0
-                     case EINVAL:
-                     case ENOSYS:
-                     case EXDEV:
-+                    case EOPNOTSUPP:
-                         // ignore and try sendfile()
-                         break;
-                     default:
-- 
-2.52.0
-
--- a/rpminspect.yaml
+++ b/rpminspect.yaml
@ -1,4 +1,3 @@
 ---
 inspections:
    javabytecode: off
-    abidiff: off
--- a/scripts/builds/build_rhel_7_portable_build.sh
+++ b/scripts/builds/build_rhel_7_portable_build.sh
@ -1,6 +1,6 @@
 #!/bin/sh

-# Copyright (C) 2026 Red Hat, Inc.
+# Copyright (C) 2024 Red Hat, Inc.
 # Written by:
 #     Andrew John Hughes <gnu.andrew@redhat.com>
 #
@ -17,30 +17,12 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.

-# Waive the usual tier0 gating issue
-# Should be resolved by OPENJDK-4517
+# Builds the portable on RHEL 7

-RHEL_VER=${1}
-NVR=${2}
-
-WORKING_DIR=$(dirname "${0}")
-
-if test "x${RHEL_VER}" = "x"; then
-    echo "No RHEL version specified.";
-    echo "${0} <RHEL_VER> <NVR>";
-    exit 1;
-fi
-
-if test "x${NVR}" = "x"; then
-    echo "No NVR specified.";
-    echo "${0} <RHEL_VER> <NVR>";
-    exit 2;
-fi
-
-"${WORKING_DIR}"/waive_issue.sh "${RHEL_VER}" "${NVR}" osci.brew-build.tier0.functional "Test unable to parse spec file"
+rhpkg -v build --target=java-openjdk-rhel-7-build --skip-nvr-check

 # Local Variables:
-# compile-command: "shellcheck waive_usual_tier0.sh"
+# compile-command: "shellcheck build_rhel_7_portable_build.sh"
 # fill-column: 80
 # indent-tabs-mode: nil
 # sh-basic-offset: 4
--- a/scripts/builds/waive_leapp_issue.sh
+++ b/scripts/builds/waive_leapp_issue.sh
@ -1,6 +1,6 @@
 #!/bin/sh

-# Copyright (C) 2026 Red Hat, Inc.
+# Copyright (C) 2024 Red Hat, Inc.
 # Written by:
 #     Andrew John Hughes <gnu.andrew@redhat.com>
 #
@ -17,29 +17,26 @@
 # You should have received a copy of the GNU Affero General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.

-# Waive the leapp gating test which never seems to work
+# Builds the RPM on RHEL 8

-RHEL_VER=${1}
-NVR=${2}
+NVR=${1}
+USER=${2}

-WORKING_DIR=$(dirname "${0}")
-
-if test "x${RHEL_VER}" = "x"; then
-    echo "No RHEL version specified.";
-    echo "${0} <RHEL_VER> <NVR>";
+if test "${NVR}" = ""; then
+    echo "${0} <NVR> <USER>";
    exit 1;
 fi

-if test "x${NVR}" = "x"; then
-    echo "No NVR specified.";
-    echo "${0} <RHEL_VER> <NVR>";
+if test "${USER}" = ""; then
+    echo "${0} <NVR> <USER>";
    exit 2;
 fi

-"${WORKING_DIR}"/waive_issue.sh "${RHEL_VER}" "${NVR}" leapp.brew-build.upgrade.distro "AWOL"
+METADATA="{\"osci\": {\"upstream_nvr\": \"${NVR}\", \"upstream_owner_name\": \"${USER}\"}, \"rhel-target\": \"latest\"}"
+rhpkg -v build --target=java-openjdk-rhel-8-build --custom-user-metadata "${METADATA}"

 # Local Variables:
-# compile-command: "shellcheck waive_leapp_issue.sh"
+# compile-command: "shellcheck build_rhel_8.sh"
 # fill-column: 80
 # indent-tabs-mode: nil
 # sh-basic-offset: 4
--- a/scripts/builds/check_signatures.sh
+++ b/scripts/builds/check_signatures.sh
@ -1,77 +0,0 @@
-#!/bin/sh
-
-# Copyright (C) 2026 Red Hat, Inc.
-# Written by:
-#     Andrew John Hughes <gnu.andrew@redhat.com>
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Affero General Public License as
-# published by the Free Software Foundation, either version 3 of the
-# License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU Affero General Public License for more details.
-#
-# You should have received a copy of the GNU Affero General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-# Check the signatures (if any) in RHEL RPM buildinfo
-# This is intended to be run from the tagging scripts
-
-# Return codes:
-# - 1 - Buildinfo file not specified
-# - 2 = Missing buildinfo file
-# - 3 = No signatures
-# - 4 = Multiple signature types found
-# - 5 = PQC signature found
-# - 6 = Old signature (fd431d51) found
-# - 7 = Unknown signature found
-
-BUILDINFO=${1}
-NEW_SIGNATURE="release4";
-OLD_SIGNATURE="fd431d51";
-
-if test "${BUILDINFO}" = ""; then
-    echo "${0} <BUILDINFO>";
-    exit 1;
-fi
-
-if ! test -e "${BUILDINFO}" ; then
-    echo "${BUILDINFO} not found.";
-    exit 2;
-fi
-
-if cat ${BUILDINFO} | grep -q Signatures ; then
-    signature=$(cat ${BUILDINFO} | grep Signatures|cut -d ' ' -f 2-|uniq -c);
-    uniq_count=$(echo ${signature} | wc -l);
-    if test ${uniq_count} -gt 1; then
-        echo "Multiple signature types found:";
-        echo "${signature}";
-        exit 4;
-    fi
-    sig_count=$(echo ${signature} | cut -d ' ' -f 1);
-    sig_type=$(echo ${signature} | cut -d ' ' -f 2);
-    echo "${sig_count} signatures of type ${sig_type} found";
-    if echo "${sig_type}" | grep -q "${NEW_SIGNATURE}" ; then
-        echo "PQC signature found.";
-        exit 5;
-    elif echo "${sig_type}" | grep -q "${OLD_SIGNATURE}"; then
-        echo "Old pre-PQC signature found.";
-        exit 6;
-    else
-        echo "Unknown signature found.";
-        exit 7;
-    fi
-else
-    echo "Build has no signatures.";
-    exit 3;
-fi
-
-# Local Variables:
-# compile-command: "shellcheck check_signatures.sh"
-# fill-column: 80
-# indent-tabs-mode: nil
-# sh-basic-offset: 4
-# End:
--- a/scripts/builds/get_gating_results.sh
+++ b/scripts/builds/get_gating_results.sh
@ -1,63 +0,0 @@
-#!/bin/bash
-
-# Copyright (C) 2026 Red Hat, Inc.
-# Written by:
-#     Andrew John Hughes <gnu.andrew@redhat.com>
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Affero General Public License as
-# published by the Free Software Foundation, either version 3 of the
-# License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU Affero General Public License for more details.
-#
-# You should have received a copy of the GNU Affero General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-# Retrieve the results of a gating test using the ID from the JSON
-# retrieved by query_build_gating.sh
-
-RESULT_ID=${1}
-
-if test "${RESULT_ID}" = ""; then
-    echo "No ID specified.";
-    echo "${0} <RESULT_ID>";
-    exit 1;
-fi
-
-CURL=$(command -v curl)
-JSON_TOOL=$(command -v jq)
-
-if test "${CURL}" = ""; then
-    echo "curl not found";
-    exit 2;
-fi
-
-if test "${JSON_TOOL}" = ""; then
-    echo "jq not found";
-    exit 3;
-fi
-
-URL="https://resultsdb-api.engineering.redhat.com/api/v2.0/results/${RESULT_ID}"
-JSON_OUT=$(mktemp --tmpdir out.XXXXXX.json)
-
-CMD=("${CURL}" --silent --show-error "${URL}")
-
-echo "${CMD[@]}"
-
-if command "${CMD[@]}" > "${JSON_OUT}" ; then
-    "${JSON_TOOL}" < "${JSON_OUT}"
-else
-    echo "Failed to obtain JSON";
-    exit 4;
-fi
-
-# Local Variables:
-# compile-command: "shellcheck get_gating_results.sh"
-# fill-column: 80
-# indent-tabs-mode: nil
-# sh-basic-offset: 4
-# End:
--- a/scripts/builds/query_build_gating.sh
+++ b/scripts/builds/query_build_gating.sh
@ -1,94 +0,0 @@
-#!/bin/bash
-
-# Copyright (C) 2026 Red Hat, Inc.
-# Written by:
-#     Andrew John Hughes <gnu.andrew@redhat.com>
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Affero General Public License as
-# published by the Free Software Foundation, either version 3 of the
-# License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU Affero General Public License for more details.
-#
-# You should have received a copy of the GNU Affero General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-# Retrieve the status of a build's progress through gating
-
-RHEL_VER=${1}
-NVR=${2}
-
-if test "${RHEL_VER}" = ""; then
-    echo "No RHEL version specified.";
-    echo "${0} <RHEL_VER> <NVR>";
-    exit 1;
-fi
-
-if test "${NVR}" = ""; then
-    echo "No NVR specified.";
-    echo "${0} <RHEL_VER> <NVR>";
-    exit 2;
-fi
-
-CURL=$(command -v curl)
-JSON_TOOL=$(command -v jq)
-JSON_FILE=$(mktemp --tmpdir query.XXXXXX.json)
-JSON_OUT=$(mktemp --tmpdir out.XXXXXX.json)
-URL="https://greenwave.engineering.redhat.com/api/v1.0/decision"
-
-if test "${CURL}" = ""; then
-    echo "curl not found";
-    exit 3;
-fi
-
-if test "${JSON_TOOL}" = ""; then
-    echo "jq not found";
-    exit 4;
-fi
-
-{
-    echo "{";
-    printf "\t\"decision_context\":\"osci_compose_gate\",\n";
-    printf "\t\"product_version\":\"rhel-%d\",\n" "${RHEL_VER}";
-    printf "\t\"subject_type\":\"koji_build\",\n";
-    printf "\t\"subject_identifier\":\"%s\",\n" "${NVR}";
-    printf "\t\"verbose\":false\n";
-    echo "}";
-} > "${JSON_FILE}"
-
-echo "Sending the following JSON...";
-cat "${JSON_FILE}"
-
-CMD=("${CURL}" --silent --show-error -X POST)
-
-JSON_COMMAND="--json";
-# Check --json is available
-${CURL} ${JSON_COMMAND} 2> /dev/null
-if [ $? -eq 2 ] ; then
-    echo "--json unsupported; falling back on --data-ascii";
-    CMD=("${CMD[@]}" --header Content-Type:application/json --data-ascii);
-else
-    CMD=("${CMD[@]}" "${JSON_COMMAND}");
-fi
-
-CMD=("${CMD[@]}" "@${JSON_FILE}" "${URL}")
-
-echo "${CMD[@]}"
-
-if command "${CMD[@]}" > "${JSON_OUT}" ; then
-    "${JSON_TOOL}" < "${JSON_OUT}"
-else
-    echo "Failed to obtain JSON";
-    exit 5;
-fi
-
-# Local Variables:
-# compile-command: "shellcheck query_build_gating.sh"
-# fill-column: 80
-# indent-tabs-mode: nil
-# sh-basic-offset: 4
-# End:
--- a/scripts/builds/tag_rhel.sh
+++ b/scripts/builds/tag_rhel.sh
@ -1,87 +0,0 @@
-#!/bin/sh
-
-# Copyright (C) 2026 Red Hat, Inc.
-# Written by:
-#     Andrew John Hughes <gnu.andrew@redhat.com>
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Affero General Public License as
-# published by the Free Software Foundation, either version 3 of the
-# License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU Affero General Public License for more details.
-#
-# You should have received a copy of the GNU Affero General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-# Tag public RHEL RPMs into gating for all supported streams
-# This is intended to be run from tag_rhel_<ver>_(public|embargoed).sh
-
-BUILD="${1}"
-BUILDLOG="${2}"
-SUFFIX="${3}"
-shift 3;
-SUPPORTED_VERS="$*"
-
-CMD_SYNTAX="${0} <BUILD> <BUILDLOG> <SUFFIX> <SUPPORTED_VERS>";
-GATE_SUFFIX="gate"
-
-if test "${BUILD}" = ""; then
-    echo "${CMD_SYNTAX}";
-    exit 1;
-fi
-
-if test "${BUILDLOG}" = ""; then
-    echo "${CMD_SYNTAX}";
-    exit 2;
-fi
-
-if test "${SUPPORTED_VERS}" = ""; then
-    echo "${CMD_SYNTAX}";
-    exit 3;
-fi
-
-buildtags=$(grep "^Tag" "${BUILDLOG}" | cut -d : -f 2-)
-echo "Build has tags ${buildtags}";
-
-if [ "${SUFFIX}" = "${GATE_SUFFIX}" ] ; then
-    echo "Gating system can only handle one tag at a time."
-    echo "Script will need to be re-run for subsequent tags once previous tag has moved to -candidate."
-    if echo "${buildtags}" | grep -q "${GATE_SUFFIX}"; then
-        echo "Tag with \"-${GATE_SUFFIX}\" found. Please complete gating before re-running.";
-        exit 1;
-    fi
-fi
-
-done=0;
-for ver in ${SUPPORTED_VERS}; do
-    vertag="rhel-${ver}";
-    proposedtag="${vertag}-${SUFFIX}";
-    echo "Checking if ${BUILD} has been added to ${vertag}...";
-    if echo "${buildtags}" | grep -q "${vertag}" ; then
-        echo "${BUILD} has been tagged into ${proposedtag}";
-    else
-        if [ "${SUFFIX}" = "${GATE_SUFFIX}" ] && [ "${done}" -eq 1 ]; then
-            echo "Already added a tag. Need to tag ${proposedtag} in a future run.";
-        else
-            echo "Tagging ${BUILD} into ${proposedtag}";
-            brew tag-build --nowait "${proposedtag}" "${BUILD}";
-            done=1;
-        fi
-    fi
-done
-if [ "${done}" -eq 1 ]; then
-    brew watch-task --mine;
-else
-    echo "Nothing to do.";
-fi
-
-# Local Variables:
-# compile-command: "shellcheck tag_rhel.sh"
-# fill-column: 80
-# indent-tabs-mode: nil
-# sh-basic-offset: 4
-# End:
--- a/scripts/builds/tag_rhel_10_embargoed_pqc.sh
+++ b/scripts/builds/tag_rhel_10_embargoed_pqc.sh
@ -1,67 +0,0 @@
-#!/bin/sh
-
-# Copyright (C) 2026 Red Hat, Inc.
-# Written by:
-#     Andrew John Hughes <gnu.andrew@redhat.com>
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Affero General Public License as
-# published by the Free Software Foundation, either version 3 of the
-# License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU Affero General Public License for more details.
-#
-# You should have received a copy of the GNU Affero General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-# Tag newer PQC embargoed RHEL 10 RPMs into supported z-streams
-
-BUILD=${1}
-
-if test "${BUILD}" = ""; then
-    echo "${0} <BUILD>";
-    exit 1;
-fi
-
-BUILDLOG=$(mktemp --tmpdir "temp-${BUILD}-buildinfo-XXX")
-SUPPORTED_VERS="10.2-z 10.1-z"
-WORKING_DIR=$(dirname "${0}")
-EMBARGOED_SUFFIX="nocompose-candidate"
-
-echo "Obtaining buildinfo for ${BUILD}...";
-brew buildinfo "${BUILD}" 2>&1 | tee "${BUILDLOG}" > /dev/null
-
-echo "Checking signatures for ${BUILD}...";
-"${WORKING_DIR}"/check_signatures.sh "${BUILDLOG}"
-
-# Return codes:
-# - 1 - Buildinfo file not specified
-# - 2 = Missing buildinfo file
-# - 3 = No signatures
-# - 4 = Multiple signature types found
-# - 5 = PQC signature found
-# - 6 = Old signature (fd431d51) found
-# - 7 = Unknown signature found
-ret=$?;
-if [ "${ret}" -eq 6 ] ; then
-    echo "Build has old signatures which should not be the case for OpenJDK 25";
-    exit 2;
-elif ! { [ "${ret}" -eq 6 ] || [ "${ret}" -eq 3 ] ; } ; then
-    echo "Signature check failed.";
-    exit 3;
-fi
-
-echo "Tagging embargoed build for ${SUPPORTED_VERS}...";
-"${WORKING_DIR}"/tag_rhel.sh "${BUILD}" "${BUILDLOG}" "${EMBARGOED_SUFFIX}" "${SUPPORTED_VERS}"
-
-rm -f "${BUILDLOG}"
-
-# Local Variables:
-# compile-command: "shellcheck tag_rhel_10_embargoed_pqc.sh"
-# fill-column: 80
-# indent-tabs-mode: nil
-# sh-basic-offset: 4
-# End:
--- a/scripts/builds/tag_rhel_10_public_pqc.sh
+++ b/scripts/builds/tag_rhel_10_public_pqc.sh
@ -1,67 +0,0 @@
-#!/bin/sh
-
-# Copyright (C) 2026 Red Hat, Inc.
-# Written by:
-#     Andrew John Hughes <gnu.andrew@redhat.com>
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Affero General Public License as
-# published by the Free Software Foundation, either version 3 of the
-# License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU Affero General Public License for more details.
-#
-# You should have received a copy of the GNU Affero General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-# Tag newer PQC public RHEL 10 RPMs into gating for all supported streams
-
-BUILD=${1}
-
-if test "${BUILD}" = ""; then
-    echo "${0} <BUILD>";
-    exit 1;
-fi
-
-BUILDLOG=$(mktemp --tmpdir "temp-${BUILD}-buildinfo-XXX")
-SUPPORTED_VERS="10.3 10.2-z 10.1-z"
-WORKING_DIR=$(dirname "${0}")
-GATE_SUFFIX="gate"
-
-echo "Obtaining buildinfo for ${BUILD}...";
-brew buildinfo "${BUILD}" 2>&1 | tee "${BUILDLOG}" > /dev/null
-
-echo "Checking signatures for ${BUILD}...";
-"${WORKING_DIR}"/check_signatures.sh "${BUILDLOG}"
-
-# Return codes:
-# - 1 - Buildinfo file not specified
-# - 2 = Missing buildinfo file
-# - 3 = No signatures
-# - 4 = Multiple signature types found
-# - 5 = PQC signature found
-# - 6 = Old signature (fd431d51) found
-# - 7 = Unknown signature found
-ret=$?;
-if [ "${ret}" -eq 6 ] ; then
-    echo "Build has old signatures which should not be the case for OpenJDK 25";
-    exit 2;
-elif ! { [ "${ret}" -eq 5 ] || [ "${ret}" -eq 3 ] ; } ; then
-    echo "Signature check failed.";
-    exit 3;
-fi
-
-echo "Tagging build into gating for ${SUPPORTED_VERS}...";
-"${WORKING_DIR}"/tag_rhel.sh "${BUILD}" "${BUILDLOG}" "${GATE_SUFFIX}" "${SUPPORTED_VERS}"
-
-rm -f "${BUILDLOG}"
-
-# Local Variables:
-# compile-command: "shellcheck tag_rhel_10_public_pqc.sh"
-# fill-column: 80
-# indent-tabs-mode: nil
-# sh-basic-offset: 4
-# End:
--- a/scripts/builds/tag_rhel_9_embargoed_pqc.sh
+++ b/scripts/builds/tag_rhel_9_embargoed_pqc.sh
@ -1,67 +0,0 @@
-#!/bin/sh
-
-# Copyright (C) 2026 Red Hat, Inc.
-# Written by:
-#     Andrew John Hughes <gnu.andrew@redhat.com>
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Affero General Public License as
-# published by the Free Software Foundation, either version 3 of the
-# License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU Affero General Public License for more details.
-#
-# You should have received a copy of the GNU Affero General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-# Tag newer PQC embargoed RHEL 9 RPMs into supported z-streams
-
-BUILD=${1}
-
-if test "${BUILD}" = ""; then
-    echo "${0} <BUILD>";
-    exit 1;
-fi
-
-BUILDLOG=$(mktemp --tmpdir "temp-${BUILD}-buildinfo-XXX")
-SUPPORTED_VERS="9.8.0-z 9.7.0-z"
-WORKING_DIR=$(dirname "${0}")
-EMBARGOED_SUFFIX="nocompose-candidate"
-
-echo "Obtaining buildinfo for ${BUILD}...";
-brew buildinfo "${BUILD}" 2>&1 | tee "${BUILDLOG}" > /dev/null
-
-echo "Checking signatures for ${BUILD}...";
-"${WORKING_DIR}"/check_signatures.sh "${BUILDLOG}"
-
-# Return codes:
-# - 1 - Buildinfo file not specified
-# - 2 = Missing buildinfo file
-# - 3 = No signatures
-# - 4 = Multiple signature types found
-# - 5 = PQC signature found
-# - 6 = Old signature (fd431d51) found
-# - 7 = Unknown signature found
-ret=$?;
-if [ "${ret}" -eq 6 ] ; then
-    echo "Build has old signatures which should not be the case for OpenJDK 25";
-    exit 2;
-elif ! { [ "${ret}" -eq 6 ] || [ "${ret}" -eq 3 ] ; } ; then
-    echo "Signature check failed.";
-    exit 3;
-fi
-
-echo "Tagging embargoed build for ${SUPPORTED_VERS}...";
-"${WORKING_DIR}"/tag_rhel.sh "${BUILD}" "${BUILDLOG}" "${EMBARGOED_SUFFIX}" "${SUPPORTED_VERS}"
-
-rm -f "${BUILDLOG}"
-
-# Local Variables:
-# compile-command: "shellcheck tag_rhel_9_embargoed_pqc.sh"
-# fill-column: 80
-# indent-tabs-mode: nil
-# sh-basic-offset: 4
-# End:
--- a/scripts/builds/tag_rhel_9_public_pqc.sh
+++ b/scripts/builds/tag_rhel_9_public_pqc.sh
@ -1,67 +0,0 @@
-#!/bin/sh
-
-# Copyright (C) 2026 Red Hat, Inc.
-# Written by:
-#     Andrew John Hughes <gnu.andrew@redhat.com>
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Affero General Public License as
-# published by the Free Software Foundation, either version 3 of the
-# License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU Affero General Public License for more details.
-#
-# You should have received a copy of the GNU Affero General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-# Tag newer PQC public RHEL 9 RPMs into gating for all supported streams
-
-BUILD=${1}
-
-if test "${BUILD}" = ""; then
-    echo "${0} <BUILD>";
-    exit 1;
-fi
-
-BUILDLOG=$(mktemp --tmpdir "temp-${BUILD}-buildinfo-XXX")
-SUPPORTED_VERS="9.9.0 9.8.0-z 9.7.0-z"
-WORKING_DIR=$(dirname "${0}")
-GATE_SUFFIX="gate"
-
-echo "Obtaining buildinfo for ${BUILD}...";
-brew buildinfo "${BUILD}" 2>&1 | tee "${BUILDLOG}" > /dev/null
-
-echo "Checking signatures for ${BUILD}...";
-"${WORKING_DIR}"/check_signatures.sh "${BUILDLOG}"
-
-# Return codes:
-# - 1 - Buildinfo file not specified
-# - 2 = Missing buildinfo file
-# - 3 = No signatures
-# - 4 = Multiple signature types found
-# - 5 = PQC signature found
-# - 6 = Old signature (fd431d51) found
-# - 7 = Unknown signature found
-ret=$?;
-if [ "${ret}" -eq 6 ] ; then
-    echo "Build has old signatures which should not be the case for OpenJDK 25";
-    exit 2;
-elif ! { [ "${ret}" -eq 5 ] || [ "${ret}" -eq 3 ] ; } ; then
-    echo "Signature check failed.";
-    exit 3;
-fi
-
-echo "Tagging build into gating for ${SUPPORTED_VERS}...";
-"${WORKING_DIR}"/tag_rhel.sh "${BUILD}" "${BUILDLOG}" "${GATE_SUFFIX}" "${SUPPORTED_VERS}"
-
-rm -f "${BUILDLOG}"
-
-# Local Variables:
-# compile-command: "shellcheck tag_rhel_9_public_pqc.sh"
-# fill-column: 80
-# indent-tabs-mode: nil
-# sh-basic-offset: 4
-# End:
--- a/scripts/builds/waive_issue.sh
+++ b/scripts/builds/waive_issue.sh
@ -1,132 +0,0 @@
-#!/bin/bash
-
-# Copyright (C) 2026 Red Hat, Inc.
-# Written by:
-#     Andrew John Hughes <gnu.andrew@redhat.com>
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Affero General Public License as
-# published by the Free Software Foundation, either version 3 of the
-# License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU Affero General Public License for more details.
-#
-# You should have received a copy of the GNU Affero General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-# Waive a gating issue
-
-RHEL_VER=${1}
-NVR=${2}
-TESTCASE=${3}
-COMMENT=${4}
-
-CURL=$(command -v curl)
-JSON_TOOL=$(command -v json_verify)
-JSON_FORMAT=$(command -v jq)
-JSON_FILE=$(mktemp --tmpdir waive.XXXXXX.json)
-HEADER_FILE=$(mktemp --tmpdir waive.XXXXXX.headers)
-JSON_OUT=$(mktemp --tmpdir out.XXXXXX.json)
-
-CACERT=/etc/ssl/certs/2022-IT-Root-CA.pem
-CACERT_DIR=$(dirname ${CACERT})
-URL="https://waiverdb.engineering.redhat.com/api/v1.0/waivers/"
-
-if test -z "${JSON_TOOL}" -o ! -x "${JSON_TOOL}" ; then
-    echo "JSON verifier not found. Skipping verification.";
-    SKIP_JSON=1;
-else
-    SKIP_JSON=0;
-fi
-
-if test "x${RHEL_VER}" = "x"; then
-    echo "No RHEL version specified.";
-    echo "${0} <RHEL_VER> <NVR> <TESTCASE> <COMMENT>";
-    exit 1;
-fi
-
-if test "x${NVR}" = "x"; then
-    echo "No NVR specified.";
-    echo "${0} <RHEL_VER> <NVR> <TESTCASE> <COMMENT>";
-    exit 2;
-fi
-
-if test "x${TESTCASE}" = "x"; then
-    echo "No testcase specified.";
-    echo "${0} <RHEL_VER> <NVR> <TESTCASE> <COMMENT>";
-    exit 3;
-fi
-
-if test "x${COMMENT}" = "x"; then
-    COMMENT="Gating broken";
-    echo "Setting COMMENT to default of '${COMMENT}'"
-fi
-
-if test "${CURL}" = ""; then
-    echo "curl not found";
-    exit 4;
-fi
-
-if test "${JSON_FORMAT}" = ""; then
-    echo "jq not found";
-    exit 5;
-fi
-
-{
-    echo "{";
-    printf "\t\"subject_type\":\"brew-build\",\n";
-    printf "\t\"subject_identifier\":\"%s\",\n" "${NVR}";
-    printf "\t\"testcase\":\"%s\",\n" "${TESTCASE}";
-    printf "\t\"waived\":true,\n";
-    printf "\t\"product_version\":\"rhel-%d\",\n" "${RHEL_VER}"
-    printf "\t\"comment\":\"%s\"\n" "${COMMENT}";
-    echo "}"
-} > "${JSON_FILE}"
-
-if [ "${SKIP_JSON}" -eq 0 ] ; then
-   "${JSON_TOOL}" < "${JSON_FILE}" || exit 6;
-fi
-
-CMD=("${CURL}" --silent --show-error --capath "${CACERT_DIR}" --negotiate -u :)
-
-JSON_COMMAND="--json";
-# Check --json is available
-${CURL} ${JSON_COMMAND} 2> /dev/null
-if [ $? -eq 2 ] ; then
-    echo "--json unsupported; falling back on --data-binary";
-    {
-        echo "Content-Type: application/json";
-        echo "Accept: application/json";
-    } > "${HEADER_FILE}"
-    echo "Header file:";
-    cat "${HEADER_FILE}"
-    CMD=("${CMD[@]}" --header "@${HEADER_FILE}" --data-binary);
-else
-    CMD=("${CMD[@]}" "${JSON_COMMAND}");
-fi
-CMD=("${CMD[@]}" "@${JSON_FILE}" "${URL}")
-
-echo "Sending the following JSON...";
-cat "${JSON_FILE}"
-
-echo "${CMD[@]}"
-
-if command "${CMD[@]}" > "${JSON_OUT}" ; then
-    "${JSON_FORMAT}" < "${JSON_OUT}"
-else
-    echo "Failed to file waiver";
-    exit 7;
-fi
-
-rm -v "${JSON_FILE}"
-rm -v "${HEADER_FILE}"
-
-# Local Variables:
-# compile-command: "shellcheck waive_issue.sh"
-# fill-column: 80
-# indent-tabs-mode: nil
-# sh-basic-offset: 4
-# End:
--- a/scripts/builds/waive_rpminspect.sh
+++ b/scripts/builds/waive_rpminspect.sh
@ -1,53 +0,0 @@
-#!/bin/sh
-
-# Copyright (C) 2026 Red Hat, Inc.
-# Written by:
-#     Andrew John Hughes <gnu.andrew@redhat.com>
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Affero General Public License as
-# published by the Free Software Foundation, either version 3 of the
-# License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU Affero General Public License for more details.
-#
-# You should have received a copy of the GNU Affero General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-# Waive a rpminspect gating issue
-
-RHEL_VER=${1}
-NVR=${2}
-COMMENT=${3}
-
-WORKING_DIR=$(dirname "${0}")
-
-if test "x${RHEL_VER}" = "x"; then
-    echo "No RHEL version specified.";
-    echo "${0} <RHEL_VER> <NVR> <COMMENT>";
-    exit 1;
-fi
-
-if test "x${NVR}" = "x"; then
-    echo "No NVR specified.";
-    echo "${0} <RHEL_VER> <NVR> <COMMENT>";
-    exit 2;
-fi
-
-if test "${COMMENT}" = ""; then
-    echo "No comment specified.";
-    echo "${0} <RHEL_VER> <NVR> <COMMENT>";
-    exit 3;
-fi
-
-"${WORKING_DIR}"/waive_issue.sh "${RHEL_VER}" "${NVR}" osci.brew-build.rpminspect.static-analysis "${COMMENT}"
-
-# Local Variables:
-# compile-command: "shellcheck waive_rpminspect.sh"
-# fill-column: 80
-# indent-tabs-mode: nil
-# sh-basic-offset: 4
-# End:
--- a/scripts/builds/waive_usual_rpminspect.sh
+++ b/scripts/builds/waive_usual_rpminspect.sh
@ -1,46 +0,0 @@
-#!/bin/sh
-
-# Copyright (C) 2026 Red Hat, Inc.
-# Written by:
-#     Andrew John Hughes <gnu.andrew@redhat.com>
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Affero General Public License as
-# published by the Free Software Foundation, either version 3 of the
-# License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU Affero General Public License for more details.
-#
-# You should have received a copy of the GNU Affero General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-# Waive the recurring rpminspect gating issues
-# Should be resolved by RHELPLAN-102267
-
-RHEL_VER=${1}
-NVR=${2}
-
-if test "x${RHEL_VER}" = "x"; then
-    echo "No RHEL version specified.";
-    echo "${0} <RHEL_VER> <NVR>";
-    exit 1;
-fi
-
-if test "x${NVR}" = "x"; then
-    echo "No NVR specified.";
-    echo "${0} <RHEL_VER> <NVR>";
-    exit 2;
-fi
-
-"${WORKING_DIR}"/waive_rpminspect.sh "${RHEL_VER}" "${NVR}" \
-		"Usual failures we waived through rpmdiff; slowdebug unoptimised, RPATH and IPv4 functions"
-
-# Local Variables:
-# compile-command: "shellcheck waive_usual_rpminspect.sh"
-# fill-column: 80
-# indent-tabs-mode: nil
-# sh-basic-offset: 4
-# End:
--- a/scripts/openjdk_news.sh
+++ b/scripts/openjdk_news.sh
@ -98,7 +98,7 @@ else
    echo "No apparent backouts.";
 fi
 printf "\nChecking for bundled library updates...";
-if grep -iE ':( \(tz\))? (update|upgrade).*(freetype|gif|harfbuzz|lcms|jpeg|png|timezone|zlib)' "${TMPDIR}/fixes" > "${TMPDIR}/bundles"; then
+if grep -iE ':( \(tz\))? update.*(freetype|gif|harfbuzz|lcms|jpeg|png|timezone|zlib)' "${TMPDIR}/fixes" > "${TMPDIR}/bundles"; then
    printf "found.\nWARNING: Review the following with respect to bundled provides:\n";
    cat "${TMPDIR}/bundles";
    echo "Compare the output of $(dirname "${0}")/get_bundle_versions.sh with the RPM using the JDK source tree"
--- a/3
+++ b/3
@ -1,3 +1,2 @@
 SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30
-SHA512 (nssadapter-0.1.1.tar.xz) = 2b4675cfbfa2ccb6c9a4870a4b58ae555267f5b8c9bdb0cf37b075483e6e9ea929561c05070453cf0d67b0b029de5408274555bf2ff50e9533219e898b2717f9
-SHA512 (openjdk-25.0.3+9.tar.xz) = 382dcf42ede35c7e48e0f9403d30172e6bc6367517e0c49211ab9d2e43373c3d7e586969c27795f0bfd17ae5c9f00702e955495a31d7ea757f54f06e8a4cf113
+SHA512 (openjdk-22.0.2+9.tar.xz) = 960746381f56cb516a2298f75dbf877554b59e73752dc29b040b8629b153174d2ea2f612d3479b511aaac293e4d336c798a58fd1ba4d2b9d5933899f64d04313
Author	SHA1	Message	Date
eabdullin	6c2ab26cd7	Exclude %{bootjdkpkg}-portable-devel%{?bootdebugpkg:-%{bootdebugpkg}} from BR for bootstrap build	2025-10-08 18:55:39 +03:00
eabdullin	91dc9761a6	Portable	2025-10-07 14:50:13 +03:00