diff --git a/.gitignore b/.gitignore index 401e9bc..93272c4 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,4 @@ SOURCES/class-rewriter.tar.gz SOURCES/openjdk-icedtea-2.6.10.tar.xz SOURCES/pulseaudio.tar.gz -SOURCES/systemtap-tapset-2016-07-20.tar.xz +SOURCES/systemtap-tapset-2.6.10.tar.xz diff --git a/.java-1.7.0-openjdk.metadata b/.java-1.7.0-openjdk.metadata index e0d125b..dffe924 100644 --- a/.java-1.7.0-openjdk.metadata +++ b/.java-1.7.0-openjdk.metadata @@ -1,4 +1,4 @@ fcc167de17354efb6e52cb387eb3e7dbb0316b53 SOURCES/class-rewriter.tar.gz b0b9dd34ac08e01b48cea8d5bcd8364dbd670b7f SOURCES/openjdk-icedtea-2.6.10.tar.xz fb72b6b1f4735ad9b5799d0b5058b0b1dec67b17 SOURCES/pulseaudio.tar.gz -99b0cc8fa222bc6339374cfb8f8560d911613502 SOURCES/systemtap-tapset-2016-07-20.tar.xz +626624100f67db3d98f1f48ea1a7558e44642aea SOURCES/systemtap-tapset-2.6.10.tar.xz diff --git a/SOURCES/7177216-pr3398-rh1446700.patch b/SOURCES/7177216-pr3398-rh1446700.patch new file mode 100644 index 0000000..e0691d8 --- /dev/null +++ b/SOURCES/7177216-pr3398-rh1446700.patch @@ -0,0 +1,42 @@ +# HG changeset patch +# User asaha +# Date 1496853156 -3600 +# Wed Jun 07 17:32:36 2017 +0100 +# Node ID a1b7baf74b49a4a0889b331980d60a7e3699f583 +# Parent 59204456ee2f82d6d6b84d2e40f78a42c85fa0ec +7177216, PR3398, RH1446700: native2ascii changes file permissions of input file +Reviewed-by: sherman, alanb + +diff --git a/src/share/classes/sun/tools/native2ascii/Main.java b/src/share/classes/sun/tools/native2ascii/Main.java +--- openjdk/jdk/src/share/classes/sun/tools/native2ascii/Main.java ++++ openjdk/jdk/src/share/classes/sun/tools/native2ascii/Main.java +@@ -71,7 +71,6 @@ + import java.nio.charset.CharsetEncoder; + import java.nio.charset.Charset; + import java.nio.charset.IllegalCharsetNameException; +-import java.nio.file.Files; + import java.io.UnsupportedEncodingException; + import java.nio.charset.UnsupportedCharsetException; + import sun.tools.native2ascii.A2NFilter; +@@ -241,7 +240,9 @@ + if (tempDir == null) + tempDir = new File(System.getProperty("user.dir")); + +- tempFile = Files.createTempFile(tempDir.toPath(), "_N2A", ".TMP").toFile(); ++ tempFile = File.createTempFile("_N2A", ++ ".TMP", ++ tempDir); + tempFile.deleteOnExit(); + + try { +@@ -291,7 +292,9 @@ + File tempDir = f.getParentFile(); + if (tempDir == null) + tempDir = new File(System.getProperty("user.dir")); +- tempFile = Files.createTempFile(tempDir.toPath(), "_N2A", ".TMP").toFile(); ++ tempFile = File.createTempFile("_N2A", ++ ".TMP", ++ tempDir); + tempFile.deleteOnExit(); + + try { diff --git a/SOURCES/java-abrt-launcher b/SOURCES/java-abrt-launcher new file mode 100644 index 0000000..681ef43 --- /dev/null +++ b/SOURCES/java-abrt-launcher @@ -0,0 +1,7 @@ +#!/bin/bash +if [ -e @LIB_DIR@ ] ; then + exec -a java @JAVA_PATH@ -agentpath:@LIB_DIR@=abrt=on "$@" +else + exec -a java @JAVA_PATH@ "$@" +fi + diff --git a/SOURCES/java-abrt-luncher b/SOURCES/java-abrt-luncher deleted file mode 100644 index 681ef43..0000000 --- a/SOURCES/java-abrt-luncher +++ /dev/null @@ -1,7 +0,0 @@ -#!/bin/bash -if [ -e @LIB_DIR@ ] ; then - exec -a java @JAVA_PATH@ -agentpath:@LIB_DIR@=abrt=on "$@" -else - exec -a java @JAVA_PATH@ "$@" -fi - diff --git a/SOURCES/pr2809.patch b/SOURCES/pr2809.patch index 5163bd6..d0f0b02 100644 --- a/SOURCES/pr2809.patch +++ b/SOURCES/pr2809.patch @@ -1,3 +1,12 @@ +# HG changeset patch +# User xuelei +# Date 1453868482 0 +# Wed Jan 27 04:21:22 2016 +0000 +# Node ID 8d589911411743fa38badf69c10aa067eaa996b7 +# Parent ceb95f0d38d7ab09762dd7ff33bb855f3088a6b5 +8076221, PR2809: Disable RC4 cipher suites +Reviewed-by: wetmore + diff --git a/src/share/lib/security/java.security-linux b/src/share/lib/security/java.security-linux --- openjdk/jdk/src/share/lib/security/java.security-linux +++ openjdk/jdk/src/share/lib/security/java.security-linux diff --git a/SOURCES/pr3393-rh1273760.patch b/SOURCES/pr3393-rh1273760.patch new file mode 100644 index 0000000..15442f1 --- /dev/null +++ b/SOURCES/pr3393-rh1273760.patch @@ -0,0 +1,206 @@ +diff --git a/src/share/classes/sun/security/pkcs11/P11Signature.java b/src/share/classes/sun/security/pkcs11/P11Signature.java +--- openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Signature.java ++++ openjdk/jdk/src/share/classes/sun/security/pkcs11/P11Signature.java +@@ -87,8 +87,8 @@ + // name of the key algorithm, currently either RSA or DSA + private final String keyAlgorithm; + +- // mechanism id +- private final long mechanism; ++ // mechanism ++ private final CK_MECHANISM mechanism; + + // digest algorithm OID, if we encode RSA signature ourselves + private final ObjectIdentifier digestOID; +@@ -138,11 +138,62 @@ + super(); + this.token = token; + this.algorithm = algorithm; +- this.mechanism = mechanism; ++ CK_MECHANISM ckMechanism = new CK_MECHANISM(mechanism); ++ final CK_RSA_PKCS_PSS_PARAMS mechParams; + byte[] buffer = null; + ObjectIdentifier digestOID = null; + MessageDigest md = null; + switch ((int)mechanism) { ++ case (int)CKM_SHA1_RSA_PKCS_PSS: ++ mechParams = new CK_RSA_PKCS_PSS_PARAMS(); ++ mechParams.hashAlg = CKM_SHA_1; ++ mechParams.mgf = CKG_MGF1_SHA1; ++ mechParams.sLen = 20; ++ ckMechanism = new CK_MECHANISM(mechanism, mechParams); ++ this.keyAlgorithm = "RSA"; ++ this.type = T_UPDATE; ++ buffer = new byte[1]; ++ break; ++ case (int)CKM_SHA224_RSA_PKCS_PSS: ++ mechParams = new CK_RSA_PKCS_PSS_PARAMS(); ++ mechParams.hashAlg = CKM_SHA224; ++ mechParams.mgf = CKG_MGF1_SHA224; ++ mechParams.sLen = 28; ++ ckMechanism = new CK_MECHANISM(mechanism, mechParams); ++ this.keyAlgorithm = "RSA"; ++ this.type = T_UPDATE; ++ buffer = new byte[1]; ++ break; ++ case (int)CKM_SHA256_RSA_PKCS_PSS: ++ mechParams = new CK_RSA_PKCS_PSS_PARAMS(); ++ mechParams.hashAlg = CKM_SHA256; ++ mechParams.mgf = CKG_MGF1_SHA256; ++ mechParams.sLen = 32; ++ ckMechanism = new CK_MECHANISM(mechanism, mechParams); ++ this.keyAlgorithm = "RSA"; ++ this.type = T_UPDATE; ++ buffer = new byte[1]; ++ break; ++ case (int)CKM_SHA384_RSA_PKCS_PSS: ++ mechParams = new CK_RSA_PKCS_PSS_PARAMS(); ++ mechParams.hashAlg = CKM_SHA384; ++ mechParams.mgf = CKG_MGF1_SHA384; ++ mechParams.sLen = 48; ++ ckMechanism = new CK_MECHANISM(mechanism, mechParams); ++ this.keyAlgorithm = "RSA"; ++ this.type = T_UPDATE; ++ buffer = new byte[1]; ++ break; ++ case (int)CKM_SHA512_RSA_PKCS_PSS: ++ mechParams = new CK_RSA_PKCS_PSS_PARAMS(); ++ mechParams.hashAlg = CKM_SHA512; ++ mechParams.mgf = CKG_MGF1_SHA512; ++ mechParams.sLen = 64; ++ ckMechanism = new CK_MECHANISM(mechanism, mechParams); ++ this.keyAlgorithm = "RSA"; ++ this.type = T_UPDATE; ++ buffer = new byte[1]; ++ break; + case (int)CKM_MD2_RSA_PKCS: + case (int)CKM_MD5_RSA_PKCS: + case (int)CKM_SHA1_RSA_PKCS: +@@ -232,6 +283,7 @@ + default: + throw new ProviderException("Unknown mechanism: " + mechanism); + } ++ this.mechanism = ckMechanism; + this.buffer = buffer; + this.digestOID = digestOID; + this.md = md; +@@ -309,10 +361,10 @@ + } + if (mode == M_SIGN) { + token.p11.C_SignInit(session.id(), +- new CK_MECHANISM(mechanism), p11Key.keyID); ++ mechanism, p11Key.keyID); + } else { + token.p11.C_VerifyInit(session.id(), +- new CK_MECHANISM(mechanism), p11Key.keyID); ++ mechanism, p11Key.keyID); + } + initialized = true; + } catch (PKCS11Exception e) { +@@ -350,7 +402,8 @@ + } else if (algorithm.equals("SHA512withRSA")) { + encodedLength = 83; + } else { +- throw new ProviderException("Unknown signature algo: " + algorithm); ++ encodedLength = 0; ++ //throw new ProviderException("Unknown signature algo: " + algorithm); + } + if (encodedLength > maxDataSize) { + throw new InvalidKeyException +@@ -523,7 +576,7 @@ + if (type == T_DIGEST) { + digest = md.digest(); + } else { // T_RAW +- if (mechanism == CKM_DSA) { ++ if (mechanism.mechanism == CKM_DSA) { + if (bytesProcessed != buffer.length) { + throw new SignatureException + ("Data for RawDSA must be exactly 20 bytes long"); +@@ -543,7 +596,7 @@ + signature = token.p11.C_Sign(session.id(), digest); + } else { // RSA + byte[] data = encodeSignature(digest); +- if (mechanism == CKM_RSA_X_509) { ++ if (mechanism.mechanism == CKM_RSA_X_509) { + data = pkcs1Pad(data); + } + signature = token.p11.C_Sign(session.id(), data); +@@ -578,7 +631,7 @@ + if (type == T_DIGEST) { + digest = md.digest(); + } else { // T_RAW +- if (mechanism == CKM_DSA) { ++ if (mechanism.mechanism == CKM_DSA) { + if (bytesProcessed != buffer.length) { + throw new SignatureException + ("Data for RawDSA must be exactly 20 bytes long"); +@@ -598,7 +651,7 @@ + token.p11.C_Verify(session.id(), digest, signature); + } else { // RSA + byte[] data = encodeSignature(digest); +- if (mechanism == CKM_RSA_X_509) { ++ if (mechanism.mechanism == CKM_RSA_X_509) { + data = pkcs1Pad(data); + } + token.p11.C_Verify(session.id(), data, signature); +diff --git a/src/share/classes/sun/security/pkcs11/SunPKCS11.java b/src/share/classes/sun/security/pkcs11/SunPKCS11.java +--- openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java ++++ openjdk/jdk/src/share/classes/sun/security/pkcs11/SunPKCS11.java +@@ -729,6 +729,16 @@ + d(SIG, "SHA512withRSA", P11Signature, + s("1.2.840.113549.1.1.13", "OID.1.2.840.113549.1.1.13"), + m(CKM_SHA512_RSA_PKCS, CKM_RSA_PKCS, CKM_RSA_X_509)); ++ d(SIG, "SHA1withRSAandMGF1", P11Signature, ++ m(CKM_SHA1_RSA_PKCS_PSS)); ++ d(SIG, "SHA224withRSAandMGF1", P11Signature, ++ m(CKM_SHA224_RSA_PKCS_PSS)); ++ d(SIG, "SHA256withRSAandMGF1", P11Signature, ++ m(CKM_SHA256_RSA_PKCS_PSS)); ++ d(SIG, "SHA384withRSAandMGF1", P11Signature, ++ m(CKM_SHA384_RSA_PKCS_PSS)); ++ d(SIG, "SHA512withRSAandMGF1", P11Signature, ++ m(CKM_SHA512_RSA_PKCS_PSS)); + + /* + * TLS 1.2 uses a different hash algorithm than 1.0/1.1 for the +diff --git a/src/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java b/src/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java +--- openjdk/jdk/src/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java ++++ openjdk/jdk/src/share/classes/sun/security/pkcs11/wrapper/CK_MECHANISM.java +@@ -112,6 +112,10 @@ + init(mechanism, params); + } + ++ public CK_MECHANISM(long mechanism, CK_RSA_PKCS_PSS_PARAMS params) { ++ init(mechanism, params); ++ } ++ + public CK_MECHANISM(long mechanism, CK_SSL3_KEY_MAT_PARAMS params) { + init(mechanism, params); + } +diff --git a/src/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java b/src/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java +--- openjdk/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java ++++ openjdk/jdk/src/share/classes/sun/security/pkcs11/wrapper/PKCS11Constants.java +@@ -458,6 +458,12 @@ + public static final long CKM_SHA384_RSA_PKCS = 0x00000041L; + public static final long CKM_SHA512_RSA_PKCS = 0x00000042L; + ++ // v2.30 ++ public static final long CKM_SHA256_RSA_PKCS_PSS = 0x00000043L; ++ public static final long CKM_SHA384_RSA_PKCS_PSS = 0x00000044L; ++ public static final long CKM_SHA512_RSA_PKCS_PSS = 0x00000045L; ++ ++ + public static final long CKM_RC2_KEY_GEN = 0x00000100L; + public static final long CKM_RC2_ECB = 0x00000101L; + public static final long CKM_RC2_CBC = 0x00000102L; +@@ -911,6 +917,10 @@ + + /* The following MGFs are defined */ + public static final long CKG_MGF1_SHA1 = 0x00000001L; ++ public static final long CKG_MGF1_SHA256 = 0x00000002L; ++ public static final long CKG_MGF1_SHA384 = 0x00000003L; ++ public static final long CKG_MGF1_SHA512 = 0x00000004L; ++ + // new for v2.20 amendment 3 + public static final long CKG_MGF1_SHA224 = 0x00000005L; + diff --git a/SOURCES/repackReproduciblePolycies.sh b/SOURCES/repackReproduciblePolycies.sh new file mode 100644 index 0000000..271cb74 --- /dev/null +++ b/SOURCES/repackReproduciblePolycies.sh @@ -0,0 +1,37 @@ +#!/bin/sh +# https://bugzilla.redhat.com/show_bug.cgi?id=1142153 +M=META-INF/MANIFEST.MF +#P=/usr/lib/jvm/java/jre/lib/security +P=$1/lib/security +for f in local_policy.jar US_export_policy.jar ; do +ORIG=$P/$f +echo "processing $f ($ORIG)" +if [ ! -f $ORIG ]; then + echo "File not found! $ORIG" + continue +fi +d=`mktemp -d` +NW=$d/$f + pushd $d + jar xf $ORIG + cat $M +# sed -i "s/Created-By.*/Created-By: 1.7.0/g" $M + sed -i "s/Created-By.*/Created-By: $2/g" $M + cat $M + find . -exec touch -t 201401010000 {} + + zip -rX $f * + popd + echo "replacing $ORIG" + touch -t 201401010000 $ORIG + md5sum $ORIG + sha256sum $ORIG + echo "by $NW" + md5sum $NW + sha256sum $NW + touch -t 201401010000 $NW + cp $NW $ORIG + md5sum $ORIG + sha256sum $ORIG + touch -t 201401010000 $ORIG + rm -rfv $d +done diff --git a/SPECS/java-1.7.0-openjdk.spec b/SPECS/java-1.7.0-openjdk.spec index 780180b..e110997 100644 --- a/SPECS/java-1.7.0-openjdk.spec +++ b/SPECS/java-1.7.0-openjdk.spec @@ -29,62 +29,78 @@ %global NSSSOFTOKN_BUILDTIME_VERSION %(if [ "x%{NSSSOFTOKN_BUILDTIME_NUMBER}" == "x" ] ; then echo "" ;else echo ">= %{NSSSOFTOKN_BUILDTIME_NUMBER}" ;fi) %global NSS_BUILDTIME_VERSION %(if [ "x%{NSS_BUILDTIME_NUMBER}" == "x" ] ; then echo "" ;else echo ">= %{NSS_BUILDTIME_NUMBER}" ;fi) +# In some cases, the arch used by the JDK does +# not match _arch. +# Also, in some cases, the machine name used by SystemTap +# does not match that given by _build_cpu %ifarch x86_64 %global archbuild amd64 %global archinstall amd64 +%global stapinstall x86_64 %endif %ifarch ppc %global archbuild ppc %global archinstall ppc %global archdef PPC +%global stapinstall powerpc %endif %ifarch %{ppc64be} %global archbuild ppc64 %global archinstall ppc64 %global archdef PPC +%global stapinstall powerpc %endif %ifarch %{ppc64le} %global archbuild ppc64le %global archinstall ppc64le %global archdef PPC64 +%global stapinstall powerpc %endif %ifarch %{ix86} %global archbuild i586 %global archinstall i386 +%global stapinstall i386 %endif %ifarch ia64 %global archbuild ia64 %global archinstall ia64 +%global stapinstall ia64 %endif %ifarch s390 %global archbuild s390 %global archinstall s390 %global archdef S390 +%global stapinstall s390 %endif %ifarch s390x %global archbuild s390x %global archinstall s390x %global archdef S390 +%global stapinstall s390 %endif %ifarch %{arm} %global archbuild arm %global archinstall arm %global archdef ARM +%global stapinstall arm %endif %ifarch %{aarch64} %global archbuild aarch64 %global archinstall aarch64 %global archdef AARCH64 +%global stapinstall arm64 %endif # 32 bit sparc, optimized for v9 %ifarch sparcv9 %global archbuild sparc %global archinstall sparc +%global stapinstall %{_build_cpu} %endif # 64 bit sparc %ifarch sparc64 %global archbuild sparcv9 %global archinstall sparcv9 +%global stapinstall %{_build_cpu} %endif %ifnarch %{jit_arches} %global archbuild %{_arch} @@ -170,26 +186,15 @@ # for the primary arch for now). Systemtap uses the machine name # aka build_cpu as architecture specific directory name. %global tapsetroot /usr/share/systemtap - %ifarch %{ix86} - %global tapsetdir %{tapsetroot}/tapset/i386 - %else - %global tapsetdir %{tapsetroot}/tapset/%{_build_cpu} - %endif +%global tapsetdir %{tapsetroot}/tapset/%{stapinstall} %endif -%global check_sum_presented_in_spec() %{expand: -md5sum %1 -currentMd5sum=`md5sum %1 | sed "s;\\s.*;;"` -specfile=%{_specdir}/%{name}.spec -grep -e md5sum -A 20 $specfile | grep $currentMd5sum -} - # Prevent brp-java-repack-jars from being run. %global __jar_repack 0 Name: java-%{javaver}-%{origin} Version: %{javaver}.%{updatever} -Release: %{icedtea_version}.1%{?dist} +Release: %{icedtea_version}.5%{?dist} # java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons, # and this change was brought into RHEL-4. java-1.5.0-ibm packages # also included the epoch in their virtual provides. This created a @@ -222,8 +227,8 @@ Source2: README.src Source5: class-rewriter.tar.gz # Systemtap tapsets. Zipped up to keep it small. -# last update from http://icedtea.classpath.org/hg/icedtea7/file/fe313abbf5af/tapset -Source6: systemtap-tapset-2016-07-20.tar.xz +# last update from IcedTea 2.6.10 +Source6: systemtap-tapset-2.6.10.tar.xz # .desktop files. Source7: policytool.desktop @@ -249,7 +254,9 @@ Source11: remove-buildids.sh # Ensure we aren't using the limited crypto policy Source12: TestCryptoLevel.java -Source13: java-abrt-luncher +Source13: java-abrt-launcher + +Source20: repackReproduciblePolycies.sh # RPM/distribution specific patches @@ -295,6 +302,10 @@ Patch400: rh1022017.patch # PR2809: Backport "8076221: Disable RC4 cipher suites" (will appear in 2.7.0) Patch500: pr2809.patch +# PR3393, RH1273760: Support using RSAandMGF1 with the SHA hash algorithms in the PKCS11 provider (will appear in 2.7.0) +Patch501: pr3393-rh1273760.patch +# S7177216, PR3398, RH1446700: native2ascii changes file permissions of input file (will appear in 2.6.11) +Patch502: 7177216-pr3398-rh1446700.patch # End of tmp patches @@ -410,7 +421,7 @@ Requires: tzdata-java Requires: nss %{NSS_BUILDTIME_VERSION} Requires: nss-softokn %{NSSSOFTOKN_BUILDTIME_VERSION} # tool to copy jdk's configs - should be Recommends only, but then only dnf/yum eforce it, not rpm transaction and so no configs are persisted when pure rpm -u is run. I t may be consiedered as regression -Requires: copy-jdk-configs >= 1.1-3 +Requires: copy-jdk-configs >= 2.2 OrderWithRequires: copy-jdk-configs # Post requires alternatives to install tool alternatives. Requires(post): %{_sbindir}/alternatives @@ -543,13 +554,15 @@ cp %{SOURCE2} . %patch300 %endif -# ECC fix -%patch400 - # Temporary fixes %patch500 +%patch501 +%patch502 # End of temporary fixes +# ECC fix +%patch400 + # Add systemtap patches if enabled %if %{with_systemtap} %endif @@ -575,7 +588,6 @@ for file in tapset/*.in; do %else sed -e '/@ABS_CLIENT_LIBJVM_SO@/d' $file.1 > $OUTPUT_FILE %endif - sed -i -e s:@ABS_JAVA_HOME_DIR@:%{_jvmdir}/%{sdkdir}:g $OUTPUT_FILE sed -i -e s:@INSTALL_ARCH_DIR@:%{archinstall}:g $OUTPUT_FILE sed -i -e s:@prefix@:%{_jvmdir}/%{sdkdir $suffix}/:g $OUTPUT_FILE @@ -600,9 +612,6 @@ tar xzf %{SOURCE9} %patch106 %patch200 -# this is check which controls, that latest java.security is included in post(_headless) -%{check_sum_presented_in_spec openjdk/jdk/src/share/lib/security/java.security-linux} - %build # How many cpu's do we have? export NUM_PROC=`/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :` @@ -803,7 +812,7 @@ popd >& /dev/null export JAVA_HOME=$(pwd)/%{buildoutputdir}/j2sdk-image -# Install java-abrt-luncher +# Install java-abrt-launcher mkdir $JAVA_HOME/jre-abrt mkdir $JAVA_HOME/jre-abrt/bin mv $JAVA_HOME/jre/bin/java $JAVA_HOME/jre-abrt/bin/java @@ -844,8 +853,6 @@ sh %{SOURCE11} ${JAVA_HOME} %check export JAVA_HOME=$(pwd)/%{buildoutputdir $suffix}/j2sdk-image -# check java.security in this build is also in this specfile -%{check_sum_presented_in_spec $JAVA_HOME/jre/lib/security/java.security} %install rm -rf $RPM_BUILD_ROOT @@ -1052,6 +1059,11 @@ find $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir}/demo \ echo "" >> accessibility.properties popd +bash %{SOURCE20} $RPM_BUILD_ROOT/%{_jvmdir}/%{jredir} %{javaver} +# https://bugzilla.redhat.com/show_bug.cgi?id=1183793 +touch -t 201401010000 $RPM_BUILD_ROOT/%{_jvmdir}/%{jredir $suffix}/lib/security/java.security + +# intentioanlly only for non-debug %pretrans headless -p -- see https://bugzilla.redhat.com/show_bug.cgi?id=1038092 for whole issue -- see https://bugzilla.redhat.com/show_bug.cgi?id=1290388 for pretrans over pre @@ -1090,43 +1102,16 @@ else end end -- run contetn of included file with fake args -arg = {"--currentjvm", "%{uniquesuffix %{nil}}", "--jvmdir", "%{_jvmdir %{nil}}", "--origname", "%{name}", "--origjavaver", "%{javaver}", "--arch", "%{_arch}"} +arg = {"--currentjvm", "%{uniquesuffix %{nil}}", "--jvmdir", "%{_jvmdir %{nil}}", "--origname", "%{name}", "--origjavaver", "%{javaver}", "--arch", "%{_arch}", "--temp", "%{rpm_state_dir}/%{name}.%{_arch}"} require "copy_jdk_configs.lua" - %post update-desktop-database %{_datadir}/applications &> /dev/null || : /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || : exit 0 -# FIXME: identical binaries are copied, not linked. This needs to be -# fixed upstream. %post headless -# The pretrans lua scriptlet prevents an unmodified java.security -# from being replaced via an update. It gets created as -# java.security.rpmnew instead. This invalidates the patch of -# JDK-8061210 of the January 2015 CPU or JDK-8043201 of the -# July 2015 CPU. We fix this via a post scriptlet which runs on updates. -if [ "$1" -gt 1 ]; then - javasecurity="%{_jvmdir}/%{uniquesuffix}/jre/lib/security/java.security" - sum=$(md5sum "${javasecurity}" | cut -d' ' -f1) - # This is the md5sum of an unmodified java.security file - if [ "${sum}" = '567d9244d9ef1ac0e557d05eb0892413' -o \ - "${sum}" = '034a9bfa527cbdf58f021ce0e47e22db' -o \ - "${sum}" = 'f8a8bd04adae13e632e30622061d4b9f' -o \ - "${sum}" = '9b517554fffe801f6894dfa0e8169cb1' -o \ - "${sum}" = '795b59e52fe426f59d76d43defafabab' -o \ - "${sum}" = 'ec53f8629ce93fd2d8cdb1a143cbefdf' -o \ - "${sum}" = '7969a8d2dbc8db1ee232097cd0375d65' -o \ - "${sum}" = '8576d747a8d0811c3df016b421c38d32' -o \ - "${sum}" = '1f3c5cd32d2afc09d304aea9883648ee' ]; then - if [ -f "${javasecurity}.rpmnew" ]; then - mv -f "${javasecurity}.rpmnew" "${javasecurity}" - fi - fi -fi - %ifarch %{jit_arches} # MetaspaceShared::generate_vtable_methods not implemented for PPC JIT %ifnarch %{power64} @@ -1182,6 +1167,15 @@ update-desktop-database %{_datadir}/applications &> /dev/null || : /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || : +# see pretrans where this file is declared +# also see that pretrans is only for nondebug +if [ ! "%1" == %{debug_suffix} ]; then + if [ -f %{_libexecdir}/copy_jdk_configs_fixFiles.sh ] ; then + sh %{_libexecdir}/copy_jdk_configs_fixFiles.sh %{rpm_state_dir}/%{name}.%{_arch} %{_jvmdir}/%{sdkdir %%1} + fi +fi + + exit 0 %postun @@ -1473,29 +1467,60 @@ exit 0 %{_jvmdir}/%{jredir}/lib/accessibility.properties %changelog -* Wed May 03 2017 Andrew Hughes - 1:1.7.0.141-2.6.10.1 +* Tue Jun 13 2017 Jiri Vanek - 1:1.7.0.141-2.6.10.5 +- make to use latest c-j-c and so fix persisting issues with java.security and other configfiles +- aligned with this change, applied repackReproduciblePolycies.sh +- 1183793 is missing blocker +- Resolves: rhbz#1448880 + +* Wed Jun 07 2017 Andrew Hughes - 1:1.7.0.141-2.6.10.4 +- Fix merge error with "native2ascii changes file permissions of input file" +- Resolves: rhbz#1446700 + +* Wed May 17 2017 Andrew Hughes - 1:1.7.0.141-2.6.10.3 +- Add support for using RSAandMGF1 with the SHA hash algorithms in the PKCS11 provider +- Resolves: rhbz#1273760 + +* Wed May 03 2017 Andrew Hughes - 1:1.7.0.141-2.6.10.2 - Bump to u141b02 to include S8011123 fix for TCK failure. - Resolves: rhbz#1438751 -* Thu Apr 27 2017 Andrew Hughes - 1:1.7.0.141-2.6.10.0 +* Thu Apr 27 2017 Andrew Hughes - 1:1.7.0.141-2.6.10.1 +- Bump to u141b01 to include S8043723 fix for s390. +- Resolves: rhbz#1438751 + +* Thu Apr 27 2017 Andrew Hughes - 1:1.7.0.141-2.6.10.1 - Bump to 2.6.10 and u141b00. -- Adjust RH1022017 following application of 8173783 - Add more detailed output to fsg.sh and generate_source_tarball.sh. - Update md5sum list with checksum for the new java.security file. -- Bump to u141b01 to include S8043723 fix for s390. +- Drop 8173783 backport which is now applied upstream. - Resolves: rhbz#1438751 -* Tue Feb 07 2017 Andrew Hughes - 1:1.7.0.131-2.6.9.0 -- Add blacklisted.certs to installation file list. -- Resolves: rhbz#1410612 +* Wed Apr 05 2017 Andrew Hughes - 1:1.7.0.131-2.6.9.3 +- Backport "8173783: IllegalArgumentException: jdk.tls.namedGroups" +- Apply backports before local RPM fixes so they will be the same as when applied upstream +- Adjust RH1022017 following application of 8173783 +- Resolves: rhbz#1422738 + +* Tue Apr 04 2017 Andrew Hughes - 1:1.7.0.131-2.6.9.2 +- Introduce stapinstall variable to set SystemTap arch directory correctly (e.g. arm64 on aarch64) +- Update jstack tapset to handle AArch64 +- Handle unsupported architectures by calling the error function rather than a parse failure +- ABS_JAVA_HOME_DIR is no longer used in the updated tapsets +- Resolves: rhbz#1373986 -* Tue Feb 07 2017 Andrew Hughes - 1:1.7.0.131-2.6.9.0 +* Tue Feb 07 2017 Andrew Hughes - 1:1.7.0.131-2.6.9.1 - Bump to 2.6.9 and u131b00. - Remove patch application debris in fsg.sh. - Re-generate PR2809 and RH1022017 against 2.6.9. - Update md5sum list with checksum for the new java.security file. +- Add blacklisted.certs to installation file list. - Resolves: rhbz#1410612 +* Mon Jan 09 2017 Andrew Hughes - 1:1.7.0.121-2.6.8.1 +- Bump release for rhel-7.4 branch. Fix "luncher" typo. +- Resolves: rhbz#1383251 + * Mon Oct 31 2016 Andrew Hughes - 1:1.7.0.121-2.6.8.0 - Turn off HotSpot bootstrap to see if it resolves build issues. - Resolves: rhbz#1381990