Exclude %{bootjdkpkg}-portable-devel%{?bootdebugpkg:-%{bootdebugpkg}} from BR for bootstrap build

.gitignore

@@ -39,9 +39,3 @@
 /openjdk-21.0.8+8-ea.tar.xz
 /openjdk-21.0.8+9.tar.xz
 /openjdk-22.0.2+9.tar.xz
-/openjdk-23.0.2+7.tar.xz
-/openjdk-24.0.2+12.tar.xz
-/openjdk-25+36.tar.xz
-/openjdk-25.0.1+8.tar.xz
-/nssadapter-0.1.0.tar.xz
-/openjdk-25.0.2+10.tar.xz

TestSecurityProperties.java

@@ -21,32 +21,15 @@ import java.security.Security;
 import java.util.Properties;
 
 public class TestSecurityProperties {
-    private static final String JAVA_HOME = System.getProperty("java.home");
     // JDK 11
-    private static final String JDK_PROPS_FILE_JDK_11 = JAVA_HOME + "/conf/security/java.security";
+    private static final String JDK_PROPS_FILE_JDK_11 = System.getProperty("java.home") + "/conf/security/java.security";
     // JDK 8
-    private static final String JDK_PROPS_FILE_JDK_8 = JAVA_HOME + "/lib/security/java.security";
-    // JDK 25
-    // Omit fips.properties files since they are not relevant to this test.
-    // Omit JAVA_HOME + "/conf/security/redhat/crypto-policies.properties" which simply includes
-    // true/crypto-policies.properties in case redhat.crypto-policies is left undefined.
-    private static final String[] JDK_PROPS_FILES_JDK_25_ENABLED = {
-            JAVA_HOME + "/conf/security/redhat/true/crypto-policies.properties",
-            "/etc/crypto-policies/back-ends/java.config"
-    };
-    private static final String[] JDK_PROPS_FILES_JDK_25_DISABLED = {
-            JAVA_HOME + "/conf/security/redhat/false/crypto-policies.properties"
-    };
+    private static final String JDK_PROPS_FILE_JDK_8 = System.getProperty("java.home") + "/lib/security/java.security";
 
     private static final String POLICY_FILE = "/etc/crypto-policies/back-ends/java.config";
 
     private static final String MSG_PREFIX = "DEBUG: ";
 
-    private static final String javaVersion = System.getProperty("java.version");
-
-    // float for java 1.8
-    private static final float JAVA_FEATURE = Float.parseFloat(System.getProperty("java.specification.version"));
-
     public static void main(String[] args) {
         if (args.length == 0) {
             System.err.println("TestSecurityProperties <true|false>");
@@ -57,24 +40,18 @@ public class TestSecurityProperties {
         boolean enabled = Boolean.valueOf(args[0]);
         System.out.println(MSG_PREFIX + "System security properties enabled: " + enabled);
         Properties jdkProps = new Properties();
-        loadProperties(jdkProps, enabled);
+        loadProperties(jdkProps);
         if (enabled) {
             loadPolicy(jdkProps);
         }
-        for (Object key : jdkProps.keySet()) {
-            String sKey = (String) key;
-            if (JAVA_FEATURE >= 25 && sKey.equals("include")) {
-                // Avoid the following exception on 25: IllegalArgumentException: Key 'include' is
-                // reserved and cannot be used as a Security property name.  Hard-code the includes
-                // in JDK_PROPS_FILES_JDK_25_ENABLED and JDK_PROPS_FILES_JDK_25_DISABLED instead.
-                continue;
-            }
+        for (Object key: jdkProps.keySet()) {
+            String sKey = (String)key;
             System.out.println(MSG_PREFIX + "Checking " + sKey);
             String securityVal = Security.getProperty(sKey);
             String jdkSecVal = jdkProps.getProperty(sKey);
             if (!jdkSecVal.equals(securityVal)) {
                 String msg = "Expected value '" + jdkSecVal + "' for key '" +
-                        sKey + "'" + " but got value '" + securityVal + "'";
+                             sKey + "'" + " but got value '" + securityVal + "'";
                 throw new RuntimeException("Test failed! " + msg);
             } else {
                 System.out.println(MSG_PREFIX + sKey + " = " + jdkSecVal + " as expected.");
@@ -83,26 +60,17 @@ public class TestSecurityProperties {
         System.out.println("TestSecurityProperties PASSED!");
     }
 
-    private static void loadPropertiesFile(Properties props, String propsFile) {
-        try (FileInputStream fin = new FileInputStream(propsFile)) {
-            props.load(fin);
-        } catch (Exception e) {
-            throw new RuntimeException("Test failed!", e);
-        }
-    }
-
-    private static void loadProperties(Properties props, boolean enabled) {
+    private static void loadProperties(Properties props) {
+        String javaVersion = System.getProperty("java.version");
         System.out.println(MSG_PREFIX + "Java version is " + javaVersion);
         String propsFile = JDK_PROPS_FILE_JDK_11;
         if (javaVersion.startsWith("1.8.0")) {
             propsFile = JDK_PROPS_FILE_JDK_8;
         }
-        loadPropertiesFile(props, propsFile);
-        if (JAVA_FEATURE >= 25) {
-            for (String file : enabled ? JDK_PROPS_FILES_JDK_25_ENABLED : JDK_PROPS_FILES_JDK_25_DISABLED) {
-                System.out.println(MSG_PREFIX + "Loading " + file);
-                loadPropertiesFile(props, file);
-            }
+        try (FileInputStream fin = new FileInputStream(propsFile)) {
+            props.load(fin);
+        } catch (Exception e) {
+            throw new RuntimeException("Test failed!", e);
         }
     }
 
@@ -115,17 +83,3 @@ public class TestSecurityProperties {
     }
 
 }
-
-/*
- * Local Variables:
- * compile-command: "\
- * /usr/lib/jvm/java-25-openjdk/bin/javac TestSecurityProperties.java \
- * && (/usr/lib/jvm/java-25-openjdk/bin/java                                TestSecurityProperties false ; [[ $? == 1 ]]) \
- * && (/usr/lib/jvm/java-25-openjdk/bin/java -Dredhat.crypto-policies=true  TestSecurityProperties false ; [[ $? == 1 ]]) \
- * && (/usr/lib/jvm/java-25-openjdk/bin/java -Dredhat.crypto-policies=false TestSecurityProperties true  ; [[ $? == 1 ]]) \
- * &&  /usr/lib/jvm/java-25-openjdk/bin/java                                TestSecurityProperties true                   \
- * &&  /usr/lib/jvm/java-25-openjdk/bin/java -Dredhat.crypto-policies=true  TestSecurityProperties true                   \
- * &&  /usr/lib/jvm/java-25-openjdk/bin/java -Dredhat.crypto-policies=false TestSecurityProperties false"                 \
- * fill-column: 124
- * End:
- */

TestTranslations.java

@@ -52,9 +52,9 @@ public class TestTranslations {
         map.put(Locale.FRANCE, new String[] { "heure normale des Rocheuses", "UTC\u221207:00", "MST",
                                               "heure d\u2019\u00e9t\u00e9 des Rocheuses", "UTC\u221206:00", "MST",
                                               "heure des Rocheuses", "UTC\u221207:00", "MST"});
-        map.put(Locale.GERMANY, new String[] { "Rocky-Mountains-Normalzeit", "GMT-07:00", "MST",
-                                               "Rocky-Mountains-Sommerzeit", "GMT-06:00", "MST",
-                                               "Rocky-Mountains-Zeit", "GMT-07:00", "MST"});
+        map.put(Locale.GERMANY, new String[] { "Rocky-Mountain-Normalzeit", "GMT-07:00", "MST",
+                                               "Rocky-Mountain-Sommerzeit", "GMT-06:00", "MST",
+                                               "Rocky-Mountain-Zeit", "GMT-07:00", "MST"});
         CIUDAD_JUAREZ = Collections.unmodifiableMap(map);
     }
 

create-redhat-properties-files.bash

@@ -1,168 +0,0 @@
-#!/bin/bash
-#
-# Create Red Hat OpenJDK security properties directory hierarchy.
-#
-# Copyright (C) 2025 IBM Corporation. All rights reserved.
-#
-# Written by:
-#     Francisco Ferrari Bihurriet <fferrari@redhat.com>
-#     Thomas Fitzsimmons <fitzsim@redhat.com>
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU Affero General Public License as
-# published by the Free Software Foundation, either version 3 of the
-# License, or (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU Affero General Public License for more details.
-#
-# You should have received a copy of the GNU Affero General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-#
-# Usage:
-#
-# bash create-redhat-properties-files.bash <target directory> <nssadapter path>
-#
-# Example usage in spec file:
-#
-# bash -x create-redhat-properties-files.bash ${installdir}/conf/security \
-#     %{_libdir}/%{sdkdir -- ${suffix}}/libnssadapter.so
-#
-# When you make changes to the file set here, also update the %files
-# section in the spec file, and the JDK_PROPS_FILES_JDK_25 variables
-# in TestSecurityProperties.java.
-
-[[ $# == 2 ]] || exit 1
-
-SECURITY="${1}"
-NSSADAPTER="${2}"
-VENDOR="${SECURITY}"/redhat
-install --directory --mode=755 "${VENDOR}"
-install --directory --mode=755 "${VENDOR}"/true
-install --directory --mode=755 "${VENDOR}"/false
-
-# /usr/lib/jvm/java-25-openjdk/conf/security/redhat/SunPKCS11-FIPS.cfg
-install --mode 644 /dev/stdin "${VENDOR}"/SunPKCS11-FIPS.cfg <<EOF
-name = FIPS
-library = ${NSSADAPTER}
-slot = 3
-nssUseSecmod = false
-attributes(*,CKO_SECRET_KEY,*)={ CKA_SIGN=true CKA_ENCRYPT=true }
-EOF
-
-# /usr/lib/jvm/java-25-openjdk/conf/security/redhat/false/crypto-policies.properties
-install --mode 644 /dev/stdin "${VENDOR}"/false/crypto-policies.properties <<'EOF'
-# Empty on purpose, for ${redhat.crypto-policies}=false
-EOF
-
-# /usr/lib/jvm/java-25-openjdk/conf/security/redhat/true/crypto-policies.properties
-install --mode 644 /dev/stdin "${VENDOR}"/true/crypto-policies.properties <<'EOF'
-#
-# Apply the system-wide crypto policy
-#
-include /etc/crypto-policies/back-ends/java.config
-
-#
-# Apply the FIPS-specific security properties, if needed
-#
-include ../${__redhat_fips__}/fips.properties
-EOF
-
-# /usr/lib/jvm/java-25-openjdk/conf/security/redhat/crypto-policies.properties
-install --mode 644 /dev/stdin "${VENDOR}"/crypto-policies.properties <<'EOF'
-#
-# Default choice for the crypto-policies setup
-#
-include true/crypto-policies.properties
-EOF
-
-# /usr/lib/jvm/java-25-openjdk/conf/security/redhat/false/fips.properties
-install --mode 644 /dev/stdin "${VENDOR}"/false/fips.properties <<'EOF'
-# Empty on purpose, for when FIPS is disabled.
-EOF
-
-# /usr/lib/jvm/java-25-openjdk/conf/security/redhat/true/fips.properties
-install --mode 644 /dev/stdin "${VENDOR}"/true/fips.properties <<'EOF'
-#
-# Enable the downstream-patch RedHatFIPSFilter code
-#
-__redhat_fips_filter__=true
-
-#
-# FIPS mode Security Providers List
-#
-security.provider.1=SunPKCS11 ${java.home}/conf/security/redhat/SunPKCS11-FIPS.cfg
-security.provider.2=SUN
-security.provider.3=SunEC
-security.provider.4=SunJSSE
-security.provider.5=SunJCE
-security.provider.6=SunRsaSign
-security.provider.7=XMLDSig
-security.provider.8=
-#                   ^ empty on purpose, to finish the Providers List
-
-#
-# FIPS mode default keystore type
-#
-keystore.type=pkcs12
-EOF
-
-# Make sure java.security exists before appending
-test -e "${SECURITY}"/java.security || ( echo "${SECURITY}/java.security not found" && false )
-cat >> "${SECURITY}"/java.security <<'EOF'
-
-#
-# System-wide crypto-policies and FIPS setup
-#
-# The following crypto-policies setup automatically detects when the system
-# is in FIPS mode and configures OpenJDK accordingly. If OpenJDK needs to
-# ignore the system and disable its FIPS setup, just disable the usage of
-# the system crypto-policies, by any of the methods described below.
-#
-# The redhat.crypto-policies system property is a boolean switch that
-# controls the usage on a per-run basis. For example, pass
-# -Dredhat.crypto-policies=false to disable the system crypto-policies.
-#
-# This setup consists of the following files in $JAVA_HOME/conf/security:
-#
-#   'redhat/false/crypto-policies.properties' (policies usage disabled file)
-#      Empty file, applied when the boolean switch is passed as false.
-#
-#   'redhat/true/crypto-policies.properties' (policies usage enabled file)
-#      Performs the crypto-policies and FIPS setup, applied when the boolean
-#      switch is passed as true.
-#
-#   'redhat/crypto-policies.properties' (policies usage default file)
-#      Determines the default choice by including one of the previous files,
-#      applied when the boolean switch is not passed.
-#      The system crypto-policies usage is enabled by default:
-#        include true/crypto-policies.properties
-#
-# To enable or disable the usage of the crypto-policies on a per-deployment
-# basis, edit the policies usage default file, changing the included file.
-# For example, execute the following command to persistently disable the
-# crypto-policies:
-#   sed -i s/true/false/ $JAVA_HOME/conf/security/redhat/crypto-policies.properties
-# Applications can still override this on a per-run basis, for example by
-# passing -Dredhat.crypto-policies=true.
-#
-# To disable the redhat.crypto-policies boolean switch, modify the following
-# include directive as follows. Replace ${redhat.crypto-policies} by true to
-# force-apply the system crypto-policies:
-#   include redhat/true/crypto-policies.properties
-# Remove or comment out the include directive to force-disable the setup:
-#   #include redhat/${redhat.crypto-policies}/crypto-policies.properties
-#
-include redhat/${redhat.crypto-policies}/crypto-policies.properties
-#       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-# WARNING: anything placed after this include directive will apply on top
-# of the described setup. Adding properties below this section is strongly
-# discouraged, as it poses a risk of overriding the system crypto-policies
-# or invalidating the FIPS deployment.
-EOF
-
-# Local Variables:
-# compile-command: "shellcheck create-redhat-properties-files.bash"
-# End:

fips-25u-df044414ef4.patch

@@ -1,92 +0,0 @@
-diff --git a/src/java.base/share/classes/java/security/Provider.java b/src/java.base/share/classes/java/security/Provider.java
-index de2845fb550..b1e416b90f4 100644
---- a/src/java.base/share/classes/java/security/Provider.java
-+++ b/src/java.base/share/classes/java/security/Provider.java
-@@ -1203,6 +1203,39 @@ public Set<Service> getServices() {
-         return serviceSet;
-     }
- 
-+    /* vvvvvvvvvvvvvvvvvvvvvvvvvvvvv FIPS PATCH vvvvvvvvvvvvvvvvvvvvvvvvvvvvv */
-+    private static final class RedHatFIPSFilter {
-+        static final boolean IS_ON = Boolean.parseBoolean(
-+                Security.getProperty("__redhat_fips_filter__"));
-+        private static final Set<String> ANY_SERVICE_TYPE = Set.of();
-+        private static final Map<String, Set<String>> ALLOW_LIST = Map.of(
-+                "SunPKCS11-FIPS", ANY_SERVICE_TYPE,
-+                "SUN", Set.of(
-+                        "AlgorithmParameterGenerator",
-+                        "AlgorithmParameters", "CertificateFactory",
-+                        "CertPathBuilder", "CertPathValidator", "CertStore",
-+                        "Configuration", "KeyStore"),
-+                "SunEC", Set.of(
-+                        "AlgorithmParameters", "KeyFactory"),
-+                "SunJSSE", ANY_SERVICE_TYPE,
-+                "SunJCE", Set.of(
-+                        "AlgorithmParameters",
-+                        "AlgorithmParameterGenerator", "KeyFactory",
-+                        "SecretKeyFactory"),
-+                "SunRsaSign", Set.of(
-+                        "KeyFactory", "AlgorithmParameters"),
-+                "XMLDSig", ANY_SERVICE_TYPE
-+        );
-+
-+        static boolean isAllowed(String provName, String serviceType) {
-+            Set<String> allowedServiceTypes = ALLOW_LIST.get(provName);
-+            return allowedServiceTypes != null &&
-+                    (allowedServiceTypes == ANY_SERVICE_TYPE ||
-+                            allowedServiceTypes.contains(serviceType));
-+        }
-+    }
-+    /* ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ FIPS PATCH ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ */
-+
-     /**
-      * Add a service. If a service of the same type with the same algorithm
-      * name exists, and it was added using {@link #putService putService()},
-@@ -1231,6 +1264,15 @@ protected void putService(Service s) {
-                     ("service.getProvider() must match this Provider object");
-         }
-         String type = s.getType();
-+        /* vvvvvvvvvvvvvvvvvvvvvvvvvvv FIPS PATCH vvvvvvvvvvvvvvvvvvvvvvvvvvv */
-+        if (RedHatFIPSFilter.IS_ON && !RedHatFIPSFilter.isAllowed(name, type)) {
-+            if (debug != null) {
-+                debug.println("The previous " + name + ".putService() call " +
-+                        "was skipped by " + RedHatFIPSFilter.class.getName());
-+            }
-+            return;
-+        }
-+        /* ^^^^^^^^^^^^^^^^^^^^^^^^^^^ FIPS PATCH ^^^^^^^^^^^^^^^^^^^^^^^^^^^ */
-         String algorithm = s.getAlgorithm();
-         ServiceKey key = new ServiceKey(type, algorithm, true);
-         implRemoveService(serviceMap.get(key));
-diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java
-index 6969fe8a8e1..4501d5971c4 100644
---- a/src/java.base/share/classes/java/security/Security.java
-+++ b/src/java.base/share/classes/java/security/Security.java
-@@ -323,7 +323,27 @@ public Properties getInitialProperties() {
-     }
- 
-     private static void initialize() {
-+        /* vvvvvvvvvvvvvvvvvvvvvvvvvvv FIPS PATCH vvvvvvvvvvvvvvvvvvvvvvvvvvv */
-+        /*   This 'include'-directives-only magic property is an internal     */
-+        /*   implementation detail that could (and probably will!) change.    */
-+        /*   Red Hat customers should NOT rely on this for their own use.     */
-+        String fipsKernelFlag = "/proc/sys/crypto/fips_enabled";
-+        boolean fipsModeOn;
-+        try (InputStream is = new java.io.FileInputStream(fipsKernelFlag)) {
-+            fipsModeOn = is.read() == '1';
-+        } catch (IOException ioe) {
-+            fipsModeOn = false;
-+            if (sdebug != null) {
-+                sdebug.println("Failed to read FIPS kernel file: " + ioe);
-+            }
-+        }
-+        String fipsMagicPropName = "__redhat_fips__";
-+        System.setProperty(fipsMagicPropName, "" + fipsModeOn);
-+        /* ^^^^^^^^^^^^^^^^^^^^^^^^^^^ FIPS PATCH ^^^^^^^^^^^^^^^^^^^^^^^^^^^ */
-         SecPropLoader.loadAll();
-+        /* vvvvvvvvvvvvvvvvvvvvvvvvvvv FIPS PATCH vvvvvvvvvvvvvvvvvvvvvvvvvvv */
-+        System.clearProperty(fipsMagicPropName);
-+        /* ^^^^^^^^^^^^^^^^^^^^^^^^^^^ FIPS PATCH ^^^^^^^^^^^^^^^^^^^^^^^^^^^ */
-         initialSecurityProperties = (Properties) props.clone();
-         if (sdebug != null) {
-             for (String key : props.stringPropertyNames()) {

java-25-openjdk-portable.specfile

@@ -226,7 +226,7 @@
 # other targets since this target is configured to use in-tree
 # AWT dependencies: lcms, libjpeg, libpng, libharfbuzz, giflib
 # and possibly others
-%global static_libs_target static-libs-graal-image
+%global static_libs_target static-libs-image
 %else
 %global static_libs_target %{nil}
 %endif
@@ -247,13 +247,6 @@
 %global dtsversion 10
 %endif
 
-# Check if pandoc is available to generate docs (including man pages)
-%if 0%{?rhel} == 8
-%global pandoc_available 1
-%else
-%global pandoc_available 0
-%endif
-
 # Filter out flags from the optflags macro that cause problems with the OpenJDK build
 # We filter out -O flags so that the optimization of HotSpot is not lowered from O3 to O2
 # We filter out -Wall which will otherwise cause HotSpot to produce hundreds of thousands of warnings (100+mb logs)
@@ -334,7 +327,8 @@
 %endif
 
 # New Version-String scheme-style defines
-%global featurever 25
+%global featurever 22
+%global fakefeaturever 25
 %global interimver 0
 %global updatever 2
 %global patchver 0
@@ -351,6 +345,21 @@
   %global lts_designator ""
   %global lts_designator_zip ""
 %endif
+# JDK to use for bootstrapping
+%global bootjdkpkg java-%{fakefeaturever}-openjdk
+%ifarch %{fastdebug_arches}
+%global bootdebugpkg fastdebug
+%endif
+%global bootjdkzip %{_jvmdir}/%{bootjdkpkg}-*.portable%{?bootdebugpkg:.%{bootdebugpkg}}.jdk.%{_arch}.tar.xz
+%global bootjdk %{_builddir}/%{bootjdkpkg}.boot
+# Define whether to use the bootstrap JDK directly or with a fresh libjvm.so
+# This will only work where the bootstrap JDK is the same major version
+# as the JDK being built
+%if %{with fresh_libjvm} && %{buildjdkver} == %{featurever}
+%global build_hotspot_first 1
+%else
+%global build_hotspot_first 0
+%endif
 
 # Define vendor information used by OpenJDK
 %global oj_vendor Red Hat, Inc.
@@ -376,10 +385,11 @@
 # Define IcedTea version used for SystemTap tapsets and desktop file
 %global icedteaver      6.0.0pre00-c848b93a8598
 # Define current Git revision for the FIPS support patches
-%global fipsver df044414ef4
+%global fipsver 9203d50836c
 # Define JDK versions
 %global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver}
-%global javaver         %{featurever}
+# Force 25 until we are actually ready to build that JDK version
+%global javaver         %{fakefeaturever}
 # Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames
 %global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn})
 # The tag used to create the OpenJDK tarball
@@ -390,7 +400,7 @@
 %global origin_nice     OpenJDK
 %global top_level_dir_name   %{vcstag}
 %global top_level_dir_name_backup %{top_level_dir_name}-backup
-%global buildver        10
+%global buildver        9
 %global rpmrelease      2
 #%%global tagsuffix     %%{nil}
 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
@@ -426,16 +436,16 @@
 %endif
 
 # parametrized macros are order-sensitive
-%global compatiblename  java-%{featurever}-%{origin}
+%global compatiblename  java-%{fakefeaturever}-%{origin}
 %global fullversion     %{compatiblename}-%{version}-%{release}
 # images directories from upstream build
 %global jdkimage                jdk
-%global static_libs_image       static-libs-graal
+%global static_libs_image       static-libs
 # output dir stub
-%define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}}
-%define installoutputdir() %{expand:install/jdk%{featurever}.install%{?1}}
+%define buildoutputdir() %{expand:build/jdk%{fakefeaturever}.build%{?1}}
+%define installoutputdir() %{expand:install/jdk%{fakefeaturever}.install%{?1}}
 %global altjavaoutputdir install/altjava.install
-%define packageoutputdir() %{expand:packages/jdk%{featurever}.packages%{?1}}
+%define packageoutputdir() %{expand:packages/jdk%{fakefeaturever}.packages%{?1}}
 # we can copy the javadoc to not arched dir, or make it not noarch
 %define uniquejavadocdir()    %{expand:%{fullversion}.%{_arch}%{?1}}
 # main id and dir of this jdk
@@ -458,22 +468,6 @@
 %define miscportablename() %(echo %{uniquesuffix ""} | sed "s;el%{rhel}\\(_[0-9]\\)*;portable.misc;g")
 %define miscportablearchive()  %{miscportablename}.tar.xz
 
-# JDK to use for bootstrapping
-%global bootjdkpkg java-%{featurever}-%{origin}
-%ifarch %{fastdebug_arches}
-%global bootdebugpkg fastdebug
-%endif
-%global bootjdkzip %{_jvmdir}/%{bootjdkpkg}-*.portable%{?bootdebugpkg:.%{bootdebugpkg}}.jdk.%{_arch}.tar.xz
-%global bootjdk %{_builddir}/%{uniquesuffix -- ""}/%{bootjdkpkg}.boot
-# Define whether to use the bootstrap JDK directly or with a fresh libjvm.so
-# This will only work where the bootstrap JDK is the same major version
-# as the JDK being built
-%if %{with fresh_libjvm} && %{buildjdkver} == %{featurever}
-%global build_hotspot_first 1
-%else
-%global build_hotspot_first 0
-%endif
-
 #################################################################
 # fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349
 #         https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14
@@ -603,7 +597,7 @@ Source0: https://openjdk-sources.osci.io/openjdk%{featurever}/open%{vcstag}%{ea_
 # Use 'icedtea_sync.sh' to update the following
 # They are based on code contained in the IcedTea project (6.x).
 # Systemtap tapsets. Zipped up to keep it small.
-Source8: tapsets-icedtea-%{icedteaver}.tar.xz
+Source8: tapsets-icedtea-%%{icedteaver}.tar.xz
 
 # Desktop files. Adapted from IcedTea
 # Disabled in portables
@@ -640,7 +634,7 @@ Source18: TestTranslations.java
 ############################################
 # Crypto policy and FIPS support patches
 # Patch is generated from the fips-25u tree at https://github.com/rh-openjdk/jdk/tree/fips-25u
-# as follows: git diff %%{vcstag} src make test > fips-25u-$(git show -s --format=%h HEAD).patch
+# as follows: git diff %%{vcstag} src make test > fips-21u-$(git show -s --format=%h HEAD).patch
 # Diff is limited to src and make subdirectories to exclude .github changes
 # Fixes currently included:
 # PR3183, RH1340845: Follow system wide crypto policy
@@ -674,7 +668,7 @@ Source18: TestTranslations.java
 # test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class
 # RH1940064: Enable XML Signature provider in FIPS mode
 # RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized [now part of JDK-8301553 upstream]
-Patch1001: fips-%{featurever}u-%{fipsver}.patch
+# Disabled until 25: Patch1001: fips-%{featurever}u-%{fipsver}.patch
 
 #############################################
 #
@@ -689,9 +683,8 @@ Patch1001: fips-%{featurever}u-%{fipsver}.patch
 # OpenJDK patches which missed last update
 #
 #############################################
-# JDK-8372534: Update Libpng to 1.6.51
-# Integrated in 25.0.3
-Patch2001: jdk8372534-libpng-1.6.51.patch
+
+# Currently empty
 
 #############################################
 #
@@ -745,14 +738,13 @@ BuildRequires: zip
 BuildRequires: tar
 BuildRequires: unzip
 BuildRequires: javapackages-filesystem
-BuildRequires: %{bootjdkpkg}-portable-devel%{?bootdebugpkg:-%{bootdebugpkg}} >= %{buildjdkver}
 # Zero-assembler build requirement
 %ifarch %{zero_arches}
 BuildRequires: libffi-devel
 %endif
 # Full documentation build requirements
 # pandoc is only available on RHEL/CentOS 8
-%if %{pandoc_available}
+%if 0%{?rhel} == 8
 BuildRequires: graphviz
 BuildRequires: pandoc
 %endif
@@ -784,7 +776,7 @@ Provides: bundled(lcms2) = 2.17.0
 # Version in src/java.desktop/share/native/libjavajpeg/jpeglib.h
 Provides: bundled(libjpeg) = 6b
 # Version in src/java.desktop/share/native/libsplashscreen/libpng/png.h
-Provides: bundled(libpng) = 1.6.51
+Provides: bundled(libpng) = 1.6.47
 # Version in src/java.base/share/native/libzip/zlib/zlib.h
 Provides: bundled(zlib) = 1.3.1
 # We link statically against libstdc++ to increase portability
@@ -1004,17 +996,10 @@ sh %{SOURCE12} %{top_level_dir_name}
 # rpmbuild.
 pushd %{top_level_dir_name}
 # Add crypto policy and FIPS support
-%patch -P1001 -p1
-# Add libpng update ahead of 25.0.3
-%patch -P2001 -p1
+# Disabled until 25
+#%patch -P1001 -p1
 popd # openjdk
 
-echo "Generating %{alt_java_name} man page"
-altjavamanpage=%{top_level_dir_name}/src/java.base/share/man/%{alt_java_name}.md
-altjavatext="Hardened java binary recommended for launching untrusted code from the Web e.g. javaws"
-sed -r -e 's|([^/.])java([^./])|\1alt-java\2|g' %{top_level_dir_name}/src/java.base/share/man/java.md | \
-    sed -e 's|JAVA(|ALT-JAVA(|' | \
-    sed -e "s|java - launch a Java application|alt-java - ${altjavatext}|" >> ${altjavamanpage}
 
 # The OpenJDK version file includes the current
 # upstream version information. For some reason,
@@ -1080,7 +1065,7 @@ pushd %{_jvmdir}
 sha256sum --check %{bootjdkzip}.sha256sum
 popd
 tar -xJf %{bootjdkzip}
-mv java-%{featurever}-openjdk-%{buildjdkver}* %{bootjdk}
+mv java-%{fakefeaturever}-openjdk-%{featurever}* %{bootjdk}
 # Print release information
 echo "Installed boot JDK:"
 cat %{bootjdk}/release
@@ -1375,7 +1360,6 @@ function installjdk() {
     # legacy-jre-image target does not install any man pages for the JRE
     # We copy the jdk man directory and then remove pages for binaries that
     # don't exist in the JRE
-%if %{pandoc_available}
     cp -a ${jdkimagepath}/man ${jreimagepath}
     for manpage in $(find ${jreimagepath}/man -name '*.1'); do
         filename=$(basename ${manpage});
@@ -1385,7 +1369,6 @@ function installjdk() {
             rm -f ${manpage};
         fi;
     done
-%endif
 
     for imagepath in ${jdkimagepath} ${jreimagepath} ${unstripped}; do
 
@@ -1536,7 +1519,7 @@ function packagejdk() {
 %if %{with_systemtap}
         cp -a ${tapsetdir}* ${miscname}
 %endif
-        cp -av ${altjavadir}/%{alt_java_name} ${miscname}
+        cp -av ${altjavadir}/%{alt_java_name}{,.1} ${miscname}
         createtar ${miscname} ${miscarchive}
         genchecksum ${miscarchive}
     fi
@@ -1577,6 +1560,10 @@ function packagejdk() {
 echo "Building %{SOURCE11}"
 mkdir -p %{altjavaoutputdir}
 LD_LIBRARY_PATH="${LIBPATH}" ${GCC} ${EXTRA_CFLAGS} -o %{altjavaoutputdir}/%{alt_java_name} %{SOURCE11}
+echo "Generating %{alt_java_name} man page"
+altjavamanpage=%{altjavaoutputdir}/%{alt_java_name}.1
+echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > ${altjavamanpage}
+cat %{top_level_dir_name}/src/java.base/share/man/java.1 >> ${altjavamanpage}
 
 echo "Building %{newjavaver}-%{buildver}, pre=%{ea_designator}, opt=%{lts_designator}"
 
@@ -1726,23 +1713,18 @@ $JAVA_HOME/bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -versi
   $JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR
 %endif
 
-  # Check blocked.certs is valid (OPENJDK-4362)
-  jtreg_test=$(pwd)/%{top_level_dir_name}/test/jdk/sun/security/lib/CheckBlockedCerts.java
-  jtreg_dir=$(dirname ${jtreg_test})
-  $JAVA_HOME/bin/java --add-exports java.base/sun.security.util=ALL-UNNAMED -Dtest.src=${jtreg_dir} ${jtreg_test}
-
   # Check src.zip has all sources. See RHBZ#1130490
   unzip -l $JAVA_HOME/lib/src.zip | grep 'sun.misc.Unsafe'
 
   # Check class files include useful debugging information
-  $JAVA_HOME/bin/javap -c -l java.lang.Object | grep "Compiled from"
-  $JAVA_HOME/bin/javap -c -l java.lang.Object | grep LineNumberTable
-  $JAVA_HOME/bin/javap -c -l java.lang.Object | grep LocalVariableTable
+  $JAVA_HOME/bin/javap -l java.lang.Object | grep "Compiled from"
+  $JAVA_HOME/bin/javap -l java.lang.Object | grep LineNumberTable
+  $JAVA_HOME/bin/javap -l java.lang.Object | grep LocalVariableTable
 
   # Check generated class files include useful debugging information
-  $JAVA_HOME/bin/javap -c -l java.nio.ByteBuffer | grep "Compiled from"
-  $JAVA_HOME/bin/javap -c -l java.nio.ByteBuffer | grep LineNumberTable
-  $JAVA_HOME/bin/javap -c -l java.nio.ByteBuffer | grep LocalVariableTable
+  $JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep "Compiled from"
+  $JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LineNumberTable
+  $JAVA_HOME/bin/javap -l java.nio.ByteBuffer | grep LocalVariableTable
 
 %else
 
@@ -1974,63 +1956,6 @@ done
 %endif
 
 %changelog
-* Mon Jan 12 2026 Andrew Hughes <gnu.andrew@redhat.com> - 1:25.0.2.0.10-2
-- Add JDK-8372534 libpng 1.6.51 ahead of 25.0.3
-- Bump libpng version to 1.6.51 following JDK-8372534
-- Add CVEs for 25.0.2 to NEWS
-- Correct version and date for this upcoming release in NEWS
-- Related: OPENJDK-4359
-
-* Mon Jan 12 2026 Andrew Hughes <gnu.andrew@redhat.com> - 1:25.0.2.0.10-1
-- Update to jdk-25.0.2+10 (GA)
-- Update release notes to 25.0.2+10
-- Add test to ensure blocked.certs is valid (OPENJDK-4362)
-- ** This tarball is embargoed until 2026-01-20 @ 1pm PT. **
-- Resolves: OPENJDK-4359
-- Resolves: OPENJDK-4362
-
-* Tue Dec 02 2025 Severin Gehwolf <sgehwolf@redhat.com> - 1:25.0.1.0.8-2
-- Switch from static-libs-image to static-libs-graal-image to avoid large unneeded libjvm.a
-- Resolves: OPENJDK-4197
-
-* Tue Dec 02 2025 Andrew Hughes <gnu.andrew@redhat.com> - 1:25.0.1.0.8-2
-- Incorporate new FIPS patch for 25u
-- Resolves: OPENJDK-4184
-
-* Mon Nov 10 2025 Andrew Hughes <gnu.andrew@redhat.com> - 1:25.0.1.0.8-1
-- Update to jdk-25.0.1+8 (GA)
-- Update release notes to 25.0.1+8
-- Related: RHELBU-3203
-
-* Mon Nov 10 2025 Andrew Hughes <gnu.andrew@redhat.com> - 1:25.0.0.0.36-2
-- Drop fakefeaturever and rebuild with ourselves now we have reached OpenJDK 25
-- Related: RHELBU-3203
-
-* Sun Nov 09 2025 Andrew Hughes <gnu.andrew@redhat.com> - 1:25.0.0.0.36-1
-- Update to jdk-25.0.0+36 (GA)
-- Update release notes with features of JDK 25
-- Mention finalisation JEP for features finalised in JDK 22, 23 & 24
-- Resolves: RHELBU-3203
-
-* Wed Nov 05 2025 Andrew Hughes <gnu.andrew@redhat.com> - 1:24.0.2.0.12-1
-- Update to jdk-24.0.2+12 (GA)
-- Update release notes with features of JDK 24
-- Generate alt-java.md during prep following removal of pre-generated man pages in JDK-8344056
-- Introduce pandoc_available global for conditional handling of both pandoc dependency and manpages
-- Adjust TestTranslations.java with updated German translations from CLDR 46 (JDK-8333582) (Mountain->Mountains)
-- Run javap with the disassembled code (-c) option now required for -l by JDK-8345145
-- Related: RHELBU-3203
-
-* Sat Oct 25 2025 Andrew Hughes <gnu.andrew@redhat.com> - 1:23.0.2.0.7-1
-- Update to jdk-23.0.2+7 (GA)
-- Update release notes with features of JDK 23
-- Switch buildjdkver to featurever + 1
-- Use buildjdkver in the path to the extracted bootstrap JDK
-- Move bootstrap declarations later so they can use variables like uniquesuffix
-- Fix bootjdk so it uses our build subdirectory created in setup (_builddir only gives the top-level BUILD)
-- Fix double '%' in specification of IcedTea sources
-- Related: RHELBU-3203
-
 * Mon Sep 22 2025 Andrew Hughes <gnu.andrew@redhat.com> - 1:22.0.2.0.9-2
 - Build using ourselves rather than the system JDK as java-25-openjdk is unavailable on older systems
 - Switch buildjdkver back to featurever temporarily for this rebuild

java-25-openjdk.spec

@@ -0,0 +1 @@
+java-25-openjdk-portable.specfile

nssadapter-ldflags.patch

@@ -1,41 +0,0 @@
-diff --git a/Makefile b/Makefile
-index 5175f21..571748a 100644
---- a/Makefile
-+++ b/Makefile
-@@ -13,12 +13,12 @@ DEVEL_PKGS    = nss nss-softokn
- LIB_DIR       = $(shell pkg-config --variable=libdir nss-softokn)
- SHARED_LIBS   = pthread softokn3 nss3
- STATIC_LIBS   = freebl
--SHR_CFLAGS    = -shared -fPIC -fvisibility=hidden -Wl,--exclude-libs,ALL       \
--                $(addprefix -l,$(SHARED_LIBS))                                 \
-+SHR_CFLAGS    = -shared -fPIC -fvisibility=hidden                              \
-                 $(strip $(shell pkg-config --cflags $(DEVEL_PKGS)))            \
-                 -Wpedantic -Wall -Wextra -Wconversion -Werror
- DBG_CFLAGS    = -Wno-error=unused-variable -Wno-error=unused-parameter -DDEBUG \
-                 -O0 -g
-+SHR_LDFLAGS   = -Wl,--exclude-libs,ALL $(addprefix -l,$(SHARED_LIBS))
- 
- # https://clang.llvm.org/docs/ClangFormatStyleOptions.html
- CLANG_FORMAT_STYLE = {                                                         \
-@@ -53,10 +53,12 @@ endif
- 
- .PHONY: release ## Build the library in RELEASE mode (default)
- release: BLD_CFLAGS = $(SHR_CFLAGS) $(CFLAGS)
-+release: BLD_LDFLAGS = $(SHR_LDFLAGS) $(LDFLAGS)
- release: $(CLEAN_IF_PREVIOUS_BUILD_MODE_IS_DEBUG) $(OUTPUT)
- 
- .PHONY: debug ## Build the library in DEBUG mode
- debug: BLD_CFLAGS = $(SHR_CFLAGS) $(DBG_CFLAGS) $(CFLAGS)
-+debug: BLD_LDFLAGS = $(SHR_LDFLAGS) $(LDFLAGS)
- debug: CREATE_DBG_SENTINEL_IF_NEEDED = touch $(DBG_SENTINEL)
- debug: $(CLEAN_IF_PREVIOUS_BUILD_MODE_IS_RELEASE) $(OUTPUT)
- 
-@@ -73,7 +75,7 @@ $(BIN_DIR):
- 
- $(OUTPUT): $(BIN_DIR) $(SRC_FILES)
- 	@$(CREATE_DBG_SENTINEL_IF_NEEDED)
--	$(CC) $(BLD_CFLAGS) $(filter %.c, $+)                                      \
-+	$(CC) $(BLD_CFLAGS) $(filter %.c, $+) $(BLD_LDFLAGS) \
- 	      $(addprefix $(LIB_DIR)/lib,$(addsuffix .a,$(STATIC_LIBS))) -o $@
- 
- 

scripts/openjdk_news.sh

@@ -98,7 +98,7 @@ else
     echo "No apparent backouts.";
 fi
 printf "\nChecking for bundled library updates...";
-if grep -iE ':( \(tz\))? (update|upgrade).*(freetype|gif|harfbuzz|lcms|jpeg|png|timezone|zlib)' "${TMPDIR}/fixes" > "${TMPDIR}/bundles"; then
+if grep -iE ':( \(tz\))? update.*(freetype|gif|harfbuzz|lcms|jpeg|png|timezone|zlib)' "${TMPDIR}/fixes" > "${TMPDIR}/bundles"; then
     printf "found.\nWARNING: Review the following with respect to bundled provides:\n";
     cat "${TMPDIR}/bundles";
     echo "Compare the output of $(dirname "${0}")/get_bundle_versions.sh with the RPM using the JDK source tree"

sources

@@ -1,3 +1,2 @@
 SHA512 (tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz) = 97d026212363b3c83f6a04100ad7f6fdde833d16579717f8756e2b8c2eb70e144a41a330cb9ccde9c3badd37a2d54fdf4650a950ec21d8b686d545ecb2a64d30
-SHA512 (openjdk-25.0.2+10.tar.xz) = 238580373693cb0221f8678df1b1c838b9ae6fc8311c2ece496908444bee640315cba8a3e439866b647021f471b96f011aad35eb3e7ae2369a19d9489c6ddb2d
-SHA512 (nssadapter-0.1.0.tar.xz) = 581f49d1a27550e3a2fa0a9d407f43c507627a8439827904d14daaf24e071d9f73884a2abe4cb3d36d26f1af09ef7d20724b2d40c9bac202e0316fac6c1a636b
+SHA512 (openjdk-22.0.2+9.tar.xz) = 960746381f56cb516a2298f75dbf877554b59e73752dc29b040b8629b153174d2ea2f612d3479b511aaac293e4d336c798a58fd1ba4d2b9d5933899f64d04313