diff --git a/.gitignore b/.gitignore
index 09a127e..5f70416 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u332-b09-4curve.tar.xz
+SOURCES/openjdk-shenandoah-jdk8u-aarch64-shenandoah-jdk8u322-b06-4curve.tar.xz
 SOURCES/tapsets-icedtea-3.15.0.tar.xz
diff --git a/.java-1.8.0-openjdk.metadata b/.java-1.8.0-openjdk.metadata
index 03f54ee..dd9d11c 100644
--- a/.java-1.8.0-openjdk.metadata
+++ b/.java-1.8.0-openjdk.metadata
@@ -1,2 +1,2 @@
-a93b3d0fd5da1f95f22c85003fd3d4007e69ab32 SOURCES/openjdk-shenandoah-jdk8u-shenandoah-jdk8u332-b09-4curve.tar.xz
+c54dd40b6deb5defa8d4d7132d650080d0e300f4 SOURCES/openjdk-shenandoah-jdk8u-aarch64-shenandoah-jdk8u322-b06-4curve.tar.xz
 7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz
diff --git a/SOURCES/NEWS b/SOURCES/NEWS
index f9af271..e911b13 100644
--- a/SOURCES/NEWS
+++ b/SOURCES/NEWS
@@ -3,70 +3,6 @@ Key:
 JDK-X  - https://bugs.openjdk.java.net/browse/JDK-X
 CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
 
-New in release OpenJDK 8u332 (2022-04-19):
-===========================================
-Live versions of these release notes can be found at:
-  * https://bitly.com/openjdk8u332
-  * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u332.txt
-
-* Security fixes
-  - JDK-8269938: Enhance XML processing passes redux
-  - JDK-8270504, CVE-2022-21426: Better XPath expression handling
-  - JDK-8272255: Completely handle MIDI files
-  - JDK-8272261: Improve JFR recording file processing
-  - JDK-8272594: Better record of recordings
-  - JDK-8274221: More definite BER encodings
-  - JDK-8275151, CVE-2022-21443: Improved Object Identification
-  - JDK-8277227: Better identification of OIDs
-  - JDK-8277672, CVE-2022-21434: Better invocation handler handling
-  - JDK-8278008, CVE-2022-21476: Improve Santuario processing
-  - JDK-8278356: Improve file creation
-  - JDK-8278449: Improve keychain support
-  - JDK-8278805: Enhance BMP image loading
-  - JDK-8278972, CVE-2022-21496: Improve URL supports
-  - JDK-8281388: Change wrapping of EncryptedPrivateKeyInfo
-* Other changes
-  - JDK-8033980: Xerces Update: datatype XMLGregorianCalendarImpl and DurationImpl
-  - JDK-8035437: Xerces Update: xml/serialize/DOMSerializerImpl
-  - JDK-8035577: Xerces Update: impl/xpath/regex/RangeToken.java
-  - JDK-8037259: xerces update: xpointer update
-  - JDK-8041523: Xerces Update: Serializer improvements from Xalan
-  - JDK-8141508: java.lang.invoke.LambdaConversionException: Invalid receiver type
-  - JDK-8162572: Update License Header for all JAXP sources
-  - JDK-8167014: jdeps: Missing message: warn.skipped.entry
-  - JDK-8198411: [TEST_BUG] Two java2d tests are unstable in mach5
-  - JDK-8202822: Add .git to .hgignore
-  - JDK-8205540: test/hotspot/jtreg/vmTestbase/nsk/jdb/trace/trace001/trace001.java fails with Debuggee did not exit after 15 <cont> commands
-  - JDK-8209178: Proxied HttpsURLConnection doesn't send BODY when retrying POST request
-  - JDK-8210283: Support git as an SCM alternative in the build
-  - JDK-8218682: [TEST_BUG] DashOffset fails in mach5
-  - JDK-8225690: Multiple AttachListener threads can be created
-  - JDK-8227738: jvmti/DataDumpRequest/datadumpreq001 failed due to "exit code is 134"
-  - JDK-8227815: Minimal VM: set_state is not a member of AttachListener
-  - JDK-8240633: Memory leaks in the implementations of FileChooserUI
-  - JDK-8241768: git needs .gitattributes
-  - JDK-8247766: [aarch64] guarantee(val < (1U << nbits)) failed: Field too big for insn
-  - JDK-8253147: The javax/swing/JPopupMenu/7154841/bug7154841.java fail on big screens
-  - JDK-8253353: Crash in C2: guarantee(n != NULL) failed: No Node
-  - JDK-8266749: AArch64: Backtracing broken on PAC enabled systems
-  - JDK-8270290: NTLM authentication fails if HEAD request is used
-  - JDK-8273229: Update OS detection code to recognize Windows Server 2022
-  - JDK-8273341: Update Siphash to version 1.0
-  - JDK-8273575: memory leak in appendBootClassPath(), paths must be deallocated
-  - JDK-8274524: SSLSocket.close() hangs if it is called during the ssl handshake
-  - JDK-8277224: sun.security.pkcs.PKCS9Attributes.toString() throws NPE
-  - JDK-8277488: Add expiry exception for Digicert (geotrustglobalca) expiring in May 2022
-  - JDK-8279077: JFR crashes on Linux ppc due to missing crash protector in signal handler
-  - JDK-8280060: The sun/rmi/server/Activation.java class use Thread.dumpStack()
-  - JDK-8282300: Throws NamingException instead of InvalidNameException after JDK-8278972
-  - JDK-8282397: createTempFile method of java.io.File is failing when called with suffix of spaces character
-  - JDK-8284548: Invalid XPath expression causes StringIndexOutOfBoundsException
-  - JDK-8284920: Incorrect Token type causes XPath expression to return empty result
-  - JDK-8284936: Fix Java 7 bootstrap breakage due to use of Arrays.stream
-* Shenandoah
-  - JDK-8260632: Build failures after JDK-8253353
-  - JDK-8282458: Update .jcheck/conf file for sh-jdk8u move to git
-
 New in release OpenJDK 8u322 (2022-01-18):
 ===========================================
 Live versions of these release notes can be found at:
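Review bot: The block removed from the top of SOURCES/NEWS is the entire 8u332 (2022-04-19) entry, including the security fixes listed for CVE-2022-21426, CVE-2022-21443, CVE-2022-21434, CVE-2022-21476 and CVE-2022-21496, and the .gitignore and .java-1.8.0-openjdk.metadata hunks swap the jdk8u332-b09 tarball for jdk8u322-b06. If moving back to the January 2022 source level is intended, say so in the change description; otherwise the tarball, its checksum and this NEWS entry should stay at 8u332 so those fixes are not dropped.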
diff --git a/SOURCES/jdk8199936-pr3533-enable_mstackrealign_on_x86_linux_as_well_as_x86_mac_os_x.patch b/SOURCES/jdk8199936-pr3533-enable_mstackrealign_on_x86_linux_as_well_as_x86_mac_os_x.patch
index ae48068..0af9d51 100644
--- a/SOURCES/jdk8199936-pr3533-enable_mstackrealign_on_x86_linux_as_well_as_x86_mac_os_x.patch
+++ b/SOURCES/jdk8199936-pr3533-enable_mstackrealign_on_x86_linux_as_well_as_x86_mac_os_x.patch
@@ -22,7 +22,7 @@ diff --git openjdk.orig///common/autoconf/flags.m4 openjdk///common/autoconf/fla
 +    # On 32-bit MacOSX the OS requires C-entry points to be 16 byte aligned.
 +    # While waiting for a better solution, the current workaround is to use -mstackrealign
 +    # This is also required on Linux systems which use libraries compiled with SSE instructions
-+    REALIGN_CFLAG="-mstackrealign"
++    REALIGN_CFLAG="-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4"
 +    FLAGS_COMPILER_CHECK_ARGUMENTS([$REALIGN_CFLAG -Werror], [],
 +      AC_MSG_ERROR([The selected compiler $CXX does not support -mstackrealign! Try to put another compiler in the path.])
 +    )
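Review bot: REALIGN_CFLAG no longer contains -mstackrealign, but the comment two lines above it and the AC_MSG_ERROR text still name that flag, so a failed compiler check would report the wrong option. Update both to the new flags, for example by printing $REALIGN_CFLAG in the error message.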
diff --git a/SOURCES/jdk8257794-remove_broken_assert.patch b/SOURCES/jdk8257794-remove_broken_assert.patch
new file mode 100644
index 0000000..bb88013
--- /dev/null
+++ b/SOURCES/jdk8257794-remove_broken_assert.patch
@@ -0,0 +1,13 @@
+diff --git openjdk.orig/hotspot/src/share/vm/interpreter/bytecodeInterpreter.cpp openjdk/hotspot/src/share/vm/interpreter/bytecodeInterpreter.cpp
+--- openjdk.orig/hotspot/src/share/vm/interpreter/bytecodeInterpreter.cpp
++++ openjdk/hotspot/src/share/vm/interpreter/bytecodeInterpreter.cpp
+@@ -493,9 +493,6 @@
+       assert(labs(istate->_stack_base - istate->_stack_limit) == (istate->_method->max_stack() + extra_stack_entries
+                                                                                                + 1), "bad stack limit");
+     }
+-#ifndef SHARK
+-    IA32_ONLY(assert(istate->_stack_limit == istate->_thread->last_Java_sp() + 1, "wrong"));
+-#endif // !SHARK
+   }
+   // Verify linkages.
+   interpreterState l = istate;
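Review bot: This new patch file has no header or description, so the only rationale for dropping the IA32_ONLY assert on istate->_stack_limit is the file name. Add a short header with the JDK-8257794 summary and a sentence on why the check itself is wrong rather than failing for a real reason, as the HG changeset patches in this directory do.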
diff --git a/SOURCES/jdk8275535-rh2053256-ldap_auth.patch b/SOURCES/jdk8275535-rh2053256-ldap_auth.patch
new file mode 100644
index 0000000..ca3e985
--- /dev/null
+++ b/SOURCES/jdk8275535-rh2053256-ldap_auth.patch
@@ -0,0 +1,26 @@
+diff --git openjdk.orig/jdk/src/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java openjdk/jdk/src/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
+index cf4becb7db..4ab2ac0a31 100644
+--- openjdk.orig/jdk/src/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
++++ openjdk/jdk/src/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
+@@ -189,6 +189,10 @@ final public class LdapCtxFactory implements ObjectFactory, InitialContextFactor
+                     ctx = getLdapCtxFromUrl(
+                             r.getDomainName(), url, new LdapURL(u), env);
+                     return ctx;
++                } catch (AuthenticationException e) {
++                    // do not retry on a different endpoint to avoid blocking
++                    // the user if authentication credentials are wrong.
++                    throw e;
+                 } catch (NamingException e) {
+                     // try the next element
+                     lastException = e;
+@@ -241,6 +245,10 @@ final public class LdapCtxFactory implements ObjectFactory, InitialContextFactor
+         for (String u : urls) {
+             try {
+                 return getUsingURL(u, env);
++            } catch (AuthenticationException e) {
++                // do not retry on a different URL to avoid blocking
++                // the user if authentication credentials are wrong.
++                throw e;
+             } catch (NamingException e) {
+                 ex = e;
+             }
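Review bot: Both new catch clauses refer to AuthenticationException by its simple name and the patch carries no import hunk, so confirm that LdapCtxFactory.java already imports javax.naming.AuthenticationException (directly or through javax.naming.*), otherwise this will not compile. The comment wording "avoid blocking the user" would be clearer if it said what is being avoided, namely repeating a failed bind with the same wrong credentials against every remaining endpoint or URL. The file also lacks a header describing the change, unlike the HG changeset patches beside it.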
diff --git a/SOURCES/jdk8279077-missing_crash_protector_ppc.patch b/SOURCES/jdk8279077-missing_crash_protector_ppc.patch
new file mode 100644
index 0000000..0ab462e
--- /dev/null
+++ b/SOURCES/jdk8279077-missing_crash_protector_ppc.patch
@@ -0,0 +1,23 @@
+# HG changeset patch
+# User zgu
+# Date 1641313782 0
+#      Tue Jan 04 16:29:42 2022 +0000
+# Node ID b694a28adaa2a602fedbc4aeba69b9c2350e7409
+# Parent  3177fc2314df6deb4d4771148f27934a597dd1d7
+8279077: JFR crashes on Linux ppc due to missing crash protector in signal handler
+Reviewed-by: phh
+
+diff --git openjdk.orig/hotspot/src/os_cpu/linux_ppc/vm/os_linux_ppc.cpp openjdk/hotspot/src/os_cpu/linux_ppc/vm/os_linux_ppc.cpp
+--- openjdk.orig/hotspot/src/os_cpu/linux_ppc/vm/os_linux_ppc.cpp
++++ openjdk/hotspot/src/os_cpu/linux_ppc/vm/os_linux_ppc.cpp
+@@ -176,6 +176,10 @@
+ 
+   Thread* t = ThreadLocalStorage::get_thread_slow();
+ 
++  // Must do this before SignalHandlerMark, if crash protection installed we will longjmp away
++  // (no destructors can be run)
++  os::ThreadCrashProtection::check_crash_protection(sig, t);
++
+   SignalHandlerMark shm(t);
+ 
+   // Note: it's not uncommon that JNI code uses signal/sigset to install
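Review bot: check_crash_protection(sig, t) receives t straight from ThreadLocalStorage::get_thread_slow() with no null check in between; if that lookup can return NULL here, confirm that os::ThreadCrashProtection::check_crash_protection accepts a NULL thread, or guard the call. Since the ordering against SignalHandlerMark is the whole point of the change, it would also help to extend the comment to say that nothing with a destructor may be declared above this call.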
diff --git a/SOURCES/jdk8281098-pr3836-pass_compiler_flags_to_adlc.patch b/SOURCES/jdk8281098-pr3836-pass_compiler_flags_to_adlc.patch
new file mode 100644
index 0000000..774a08e
--- /dev/null
+++ b/SOURCES/jdk8281098-pr3836-pass_compiler_flags_to_adlc.patch
@@ -0,0 +1,67 @@
+# HG changeset patch
+# User Andrew John Hughes <gnu_andrew@member.fsf.org>
+# Date 1620365804 -3600
+#      Fri May 07 06:36:44 2021 +0100
+# Node ID 39b62f35eca823b4c9a98bc1dc0cb9acb87360f8
+# Parent  723b59ed1afe878c5cd35f080399c8ceec4f776b
+PR3836: Extra compiler flags not passed to adlc build
+
+diff --git openjdk.orig/hotspot/make/aix/makefiles/adlc.make openjdk/hotspot/make/aix/makefiles/adlc.make
+--- openjdk.orig/hotspot/make/aix/makefiles/adlc.make
++++ openjdk/hotspot/make/aix/makefiles/adlc.make
+@@ -69,6 +69,11 @@
+ CFLAGS_WARN = -w
+ CFLAGS += $(CFLAGS_WARN)
+ 
++# Extra flags from gnumake's invocation or environment
++CFLAGS += $(EXTRA_CFLAGS)
++LFLAGS += $(EXTRA_CFLAGS) $(EXTRA_LDFLAGS)
++ASFLAGS += $(EXTRA_ASFLAGS)
++
+ OBJECTNAMES = \
+ 	adlparse.o \
+ 	archDesc.o \
+diff --git openjdk.orig/hotspot/make/bsd/makefiles/adlc.make openjdk/hotspot/make/bsd/makefiles/adlc.make
+--- openjdk.orig/hotspot/make/bsd/makefiles/adlc.make
++++ openjdk/hotspot/make/bsd/makefiles/adlc.make
+@@ -71,6 +71,11 @@
+ endif
+ CFLAGS += $(CFLAGS_WARN)
+ 
++# Extra flags from gnumake's invocation or environment
++CFLAGS += $(EXTRA_CFLAGS)
++LFLAGS += $(EXTRA_CFLAGS) $(EXTRA_LDFLAGS)
++ASFLAGS += $(EXTRA_ASFLAGS)
++
+ OBJECTNAMES = \
+ 	adlparse.o \
+ 	archDesc.o \
+diff --git openjdk.orig/hotspot/make/linux/makefiles/adlc.make openjdk/hotspot/make/linux/makefiles/adlc.make
+--- openjdk.orig/hotspot/make/linux/makefiles/adlc.make
++++ openjdk/hotspot/make/linux/makefiles/adlc.make
+@@ -69,6 +69,11 @@
+ CFLAGS_WARN = $(WARNINGS_ARE_ERRORS)
+ CFLAGS += $(CFLAGS_WARN)
+ 
++# Extra flags from gnumake's invocation or environment
++CFLAGS += $(EXTRA_CFLAGS)
++LFLAGS += $(EXTRA_CFLAGS) $(EXTRA_LDFLAGS)
++ASFLAGS += $(EXTRA_ASFLAGS)
++
+ OBJECTNAMES = \
+ 	adlparse.o \
+ 	archDesc.o \
+diff --git openjdk.orig/hotspot/make/solaris/makefiles/adlc.make openjdk/hotspot/make/solaris/makefiles/adlc.make
+--- openjdk.orig/hotspot/make/solaris/makefiles/adlc.make
++++ openjdk/hotspot/make/solaris/makefiles/adlc.make
+@@ -85,6 +85,10 @@
+ endif
+ CFLAGS += $(CFLAGS_WARN)
+ 
++# Extra flags from gnumake's invocation or environment
++CFLAGS += $(EXTRA_CFLAGS)
++ASFLAGS += $(EXTRA_ASFLAGS)
++
+ ifeq ("${Platform_compiler}", "sparcWorks")
+ # Enable the following CFLAGS addition if you need to compare the
+ # built ELF objects.
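Review bot: The solaris/makefiles/adlc.make hunk adds only the CFLAGS and ASFLAGS lines, while the aix, bsd and linux hunks also add LFLAGS += $(EXTRA_CFLAGS) $(EXTRA_LDFLAGS). If the Solaris makefile has no LFLAGS variable to extend, note that in the changeset description; if it does, add the same line so EXTRA_LDFLAGS reaches the adlc link on every platform.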
diff --git a/SOURCES/nss.fips.cfg.in b/SOURCES/nss.fips.cfg.in
index ead27be..1aff153 100644
--- a/SOURCES/nss.fips.cfg.in
+++ b/SOURCES/nss.fips.cfg.in
@@ -1,6 +1,6 @@
 name = NSS-FIPS
 nssLibraryDirectory = @NSS_LIBDIR@
-nssSecmodDirectory = @NSS_SECMOD@
+nssSecmodDirectory = sql:/etc/pki/nssdb
 nssDbMode = readOnly
 nssModule = fips
 
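Review bot: nssSecmodDirectory is now a literal sql:/etc/pki/nssdb while nssLibraryDirectory on the line above still uses the @NSS_LIBDIR@ substitution, so this .in template is only half templated and the database location can no longer be set where the template is expanded. Either keep @NSS_SECMOD@ and give it the value sql:/etc/pki/nssdb at substitution time, or add a comment here explaining why the path must be fixed.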
diff --git a/SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch b/SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch
new file mode 100644
index 0000000..e237841
--- /dev/null
+++ b/SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch
@@ -0,0 +1,98 @@
+commit aaf92165ad1cbb1c9818eb60178c91293e13b053
+Author: Andrew John Hughes <andrew@openjdk.org>
+Date:   Mon Jan 24 15:13:14 2022 +0000
+
+    RH2021263: Improve Security initialisation, now FIPS support no longer relies on crypto policy support
+
+diff --git openjdk.orig/jdk/src/share/classes/java/security/Security.java openjdk/jdk/src/share/classes/java/security/Security.java
+index fa494b680f..b5aa5c749d 100644
+--- openjdk.orig/jdk/src/share/classes/java/security/Security.java
++++ openjdk/jdk/src/share/classes/java/security/Security.java
+@@ -57,10 +57,6 @@ public final class Security {
+     private static final Debug sdebug =
+                         Debug.getInstance("properties");
+ 
+-    /* System property file*/
+-    private static final String SYSTEM_PROPERTIES =
+-        "/etc/crypto-policies/back-ends/java.config";
+-
+     /* The java.security properties */
+     private static Properties props;
+ 
+@@ -202,13 +198,6 @@ public final class Security {
+             }
+         }
+ 
+-        String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
+-        if (disableSystemProps == null &&
+-            "true".equalsIgnoreCase(props.getProperty
+-                ("security.useSystemPropertiesFile"))) {
+-            loadedProps = loadedProps && SystemConfigurator.configure(props);
+-        }
+-
+         if (!loadedProps) {
+             initializeStatic();
+             if (sdebug != null) {
+@@ -217,6 +206,28 @@ public final class Security {
+             }
+         }
+ 
++        String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
++        if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&
++            "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {
++            if (!SystemConfigurator.configureSysProps(props)) {
++                if (sdebug != null) {
++                    sdebug.println("WARNING: System properties could not be loaded.");
++                }
++            }
++        }
++
++        // FIPS support depends on the contents of java.security so
++        // ensure it has loaded first
++        if (loadedProps) {
++            boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
++             if (sdebug != null) {
++                if (fipsEnabled) {
++                    sdebug.println("FIPS support enabled.");
++                } else {
++                    sdebug.println("FIPS support disabled.");
++                }
++             }
++        }
+     }
+ 
+     /*
+diff --git openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
+index d1f677597d..7da65b1d2c 100644
+--- openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java
++++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java
+@@ -76,7 +76,7 @@ final class SystemConfigurator {
+      * java.security.disableSystemPropertiesFile property is not set and
+      * security.useSystemPropertiesFile is true.
+      */
+-    static boolean configure(Properties props) {
++    static boolean configureSysProps(Properties props) {
+         boolean loadedProps = false;
+ 
+         try (BufferedInputStream bis =
+@@ -96,11 +96,19 @@ final class SystemConfigurator {
+                 e.printStackTrace();
+             }
+         }
++        return loadedProps;
++    }
++
++    /*
++     * Invoked at the end of java.security.Security initialisation
++     * if java.security properties have been loaded
++     */
++    static boolean configureFIPS(Properties props) {
++        boolean loadedProps = false;
+ 
+         try {
+             if (enableFips()) {
+                 if (sdebug != null) { sdebug.println("FIPS mode detected"); }
+-                loadedProps = false;
+                 // Remove all security providers
+                 Iterator<Entry<Object, Object>> i = props.entrySet().iterator();
+                 while (i.hasNext()) {
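Review bot: In the Security.java initialisation hunk, a false return from SystemConfigurator.configureSysProps(props) now only produces a message when sdebug is non-null, whereas the removed code folded the result into loadedProps; with debugging off, a missing or unreadable system properties file is silently ignored and initialisation continues with whatever java.security provided. State in the patch description that this is the intended behaviour, or report the failure unconditionally. In SystemConfigurator.configureFIPS the local is still called loadedProps although the caller prints the return value as FIPS support enabled or disabled, so renaming it would match the new meaning; the two "if (sdebug != null)" brace lines in the FIPS block are also indented one space too far.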
diff --git a/SOURCES/rh2052829-fips_runtime_nss_detection.patch b/SOURCES/rh2052829-fips_runtime_nss_detection.patch
new file mode 100644
index 0000000..52a7803
--- /dev/null
+++ b/SOURCES/rh2052829-fips_runtime_nss_detection.patch
@@ -0,0 +1,220 @@
+commit 820d1b1b23be6ea2fd34c687a1be384e7a9830e2
+Author: Andrew John Hughes <andrew@openjdk.org>
+Date:   Mon Feb 28 05:50:10 2022 +0000
+
+    RH2051605: Detect NSS at Runtime for FIPS detection
+
+diff --git openjdk.orig/jdk/src/solaris/native/java/security/systemconf.c openjdk/jdk/src/solaris/native/java/security/systemconf.c
+index 34d0ff0ce9..8dcb7d9073 100644
+--- openjdk.orig/jdk/src/solaris/native/java/security/systemconf.c
++++ openjdk/jdk/src/solaris/native/java/security/systemconf.c
+@@ -23,25 +23,99 @@
+  * questions.
+  */
+ 
+-#include <dlfcn.h>
+ #include <jni.h>
+ #include <jni_util.h>
++#include "jvm_md.h"
+ #include <stdio.h>
+ 
+ #ifdef SYSCONF_NSS
+ #include <nss3/pk11pub.h>
++#else
++#include <dlfcn.h>
+ #endif //SYSCONF_NSS
+ 
+ #include "java_security_SystemConfigurator.h"
+ 
++#define MSG_MAX_SIZE 256
+ #define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
+-#define MSG_MAX_SIZE 96
+ 
++typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void);
++
++static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled;
+ static jmethodID debugPrintlnMethodID = NULL;
+ static jobject debugObj = NULL;
+ 
+-static void throwIOException(JNIEnv *env, const char *msg);
+-static void dbgPrint(JNIEnv *env, const char* msg);
++static void dbgPrint(JNIEnv *env, const char* msg)
++{
++    jstring jMsg;
++    if (debugObj != NULL) {
++        jMsg = (*env)->NewStringUTF(env, msg);
++        CHECK_NULL(jMsg);
++        (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
++    }
++}
++
++static void throwIOException(JNIEnv *env, const char *msg)
++{
++    jclass cls = (*env)->FindClass(env, "java/io/IOException");
++    if (cls != 0)
++        (*env)->ThrowNew(env, cls, msg);
++}
++
++static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes)
++{
++  if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
++    dbgPrint(env, msg);
++  } else {
++    dbgPrint(env, "systemconf: cannot render message");
++  }
++}
++
++// Only used when NSS is not linked at build time
++#ifndef SYSCONF_NSS
++
++static void *nss_handle;
++
++static jboolean loadNSS(JNIEnv *env)
++{
++  char msg[MSG_MAX_SIZE];
++  int msg_bytes;
++  const char* errmsg;
++
++  nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY);
++  if (nss_handle == NULL) {
++    errmsg = dlerror();
++    msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n",
++                         errmsg);
++    handle_msg(env, msg, msg_bytes);
++    return JNI_FALSE;
++  }
++  dlerror(); /* Clear errors */
++  getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled");
++  if ((errmsg = dlerror()) != NULL) {
++    msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n",
++                         errmsg);
++    handle_msg(env, msg, msg_bytes);
++    return JNI_FALSE;
++  }
++  return JNI_TRUE;
++}
++
++static void closeNSS(JNIEnv *env)
++{
++  char msg[MSG_MAX_SIZE];
++  int msg_bytes;
++  const char* errmsg;
++
++  if (dlclose(nss_handle) != 0) {
++    errmsg = dlerror();
++    msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n",
++                         errmsg);
++    handle_msg(env, msg, msg_bytes);
++  }
++}
++
++#endif
+ 
+ /*
+  * Class:     java_security_SystemConfigurator
+@@ -84,6 +158,14 @@ JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
+         debugObj = (*env)->NewGlobalRef(env, debugObj);
+     }
+ 
++#ifdef SYSCONF_NSS
++    getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled;
++#else
++    if (loadNSS(env) == JNI_FALSE) {
++      dbgPrint(env, "libsystemconf: Failed to load NSS library.");
++    }
++#endif
++
+     return (*env)->GetVersion(env);
+ }
+ 
+@@ -99,6 +181,9 @@ JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
+         if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
+             return; /* Should not happen */
+         }
++#ifndef SYSCONF_NSS
++        closeNSS(env);
++#endif
+         (*env)->DeleteGlobalRef(env, debugObj);
+     }
+ }
+@@ -110,61 +195,30 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
+     char msg[MSG_MAX_SIZE];
+     int msg_bytes;
+ 
+-#ifdef SYSCONF_NSS
+-
+-    dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
+-    fips_enabled = SECMOD_GetSystemFIPSEnabled();
+-    msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
+-            " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
+-    if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
+-        dbgPrint(env, msg);
++    if (getSystemFIPSEnabled != NULL) {
++      dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
++      fips_enabled = (*getSystemFIPSEnabled)();
++      msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:"   \
++                           " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
++      handle_msg(env, msg, msg_bytes);
++      return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
+     } else {
+-        dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
+-                " SECMOD_GetSystemFIPSEnabled return value");
+-    }
+-    return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
+-
+-#else // SYSCONF_NSS
++      FILE *fe;
+ 
+-    FILE *fe;
+-
+-    dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
+-    if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
++      dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
++      if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
+         throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
+         return JNI_FALSE;
+-    }
+-    fips_enabled = fgetc(fe);
+-    fclose(fe);
+-    if (fips_enabled == EOF) {
++      }
++      fips_enabled = fgetc(fe);
++      fclose(fe);
++      if (fips_enabled == EOF) {
+         throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
+         return JNI_FALSE;
+-    }
+-    msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
+-            " read character is '%c'", fips_enabled);
+-    if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
+-        dbgPrint(env, msg);
+-    } else {
+-        dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
+-                " read character");
+-    }
+-    return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
+-
+-#endif // SYSCONF_NSS
+-}
+-
+-static void throwIOException(JNIEnv *env, const char *msg)
+-{
+-    jclass cls = (*env)->FindClass(env, "java/io/IOException");
+-    if (cls != 0)
+-        (*env)->ThrowNew(env, cls, msg);
+-}
+-
+-static void dbgPrint(JNIEnv *env, const char* msg)
+-{
+-    jstring jMsg;
+-    if (debugObj != NULL) {
+-        jMsg = (*env)->NewStringUTF(env, msg);
+-        CHECK_NULL(jMsg);
+-        (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
++      }
++      msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:"   \
++                           " read character is '%c'", fips_enabled);
++      handle_msg(env, msg, msg_bytes);
++      return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
+     }
+ }
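Review bot: closeNSS calls dlclose(nss_handle) unconditionally, but loadNSS returns JNI_FALSE with nss_handle still NULL when dlopen fails, and DEF_JNI_OnLoad only logs that failure; add an "if (nss_handle != NULL)" guard in closeNSS. In the dlopen branch of loadNSS the result of dlerror() is passed to snprintf's %s without a null check, and the closeNSS(env) call in DEF_JNI_OnUnload appears from its indentation to sit inside the block that releases debugObj, so the handle would only be closed when debugging is enabled. The commit subject cites RH2051605 while the patch file is named rh2052829; make the two agree.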
diff --git a/SPECS/java-1.8.0-openjdk.spec b/SPECS/java-1.8.0-openjdk.spec
index 11e2a3c..84f7d57 100644
--- a/SPECS/java-1.8.0-openjdk.spec
+++ b/SPECS/java-1.8.0-openjdk.spec
@@ -21,6 +21,15 @@
 %bcond_without release
 # Remove build artifacts by default
 %bcond_with artifacts
+# Build a fresh libjvm.so for use in a copy of the bootstrap JDK
+%bcond_without fresh_libjvm
+
+# Define whether to use the bootstrap JDK directly or with a fresh libjvm.so
+%if %{with fresh_libjvm}
+%global build_hotspot_first 1
+%else
+%global build_hotspot_first 0
+%endif
 
 # The -g flag says to use strip -g instead of full strip on DSOs or EXEs.
 # This fixes detailed NMT and other tools which need minimal debug info.
@@ -58,6 +67,20 @@
 %global normal_build %{nil}
 %endif
 
+# We have hardcoded list of files, which  is appearing in alternatives, and in files
+# in alternatives those are slaves and master, very often triplicated by man pages
+# in files all masters and slaves are ghosted
+# the ghosts are here to allow installation via query like `dnf install /usr/bin/java`
+# you can list those files, with appropriate sections: cat *.spec | grep -e --install -e --slave -e post_ -e alternatives
+# TODO - fix those hardcoded lists via single list
+# Those files must *NOT* be ghosted for *slowdebug* packages
+# FIXME - if you are moving jshell or jlink or similar, always modify all three sections
+# you can check via headless and devels:
+#    rpm -ql --noghost java-11-openjdk-headless-11.0.1.13-8.fc29.x86_64.rpm  | grep bin
+# == rpm -ql           java-11-openjdk-headless-slowdebug-11.0.1.13-8.fc29.x86_64.rpm  | grep bin
+# != rpm -ql           java-11-openjdk-headless-11.0.1.13-8.fc29.x86_64.rpm  | grep bin
+# similarly for other %%{_jvmdir}/{jre,java} and %%{_javadocdir}/{java,java-zip}
+
 %global aarch64         aarch64 arm64 armv8
 # we need to distinguish between big and little endian PPC64
 %global ppc64le         ppc64le
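Review bot: The example commands in this comment block refer to java-11-openjdk-headless packages and to jshell and jlink, none of which belong to this java-1.8.0-openjdk spec. Replace them with java-1.8.0-openjdk package names and tools this package ships, or say explicitly that the text is shared with the java-11 spec. The first line also has a doubled space and reads awkwardly ("list of files, which  is appearing in alternatives"); tidy it while touching the block.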
@@ -69,7 +92,7 @@
 # Set of architectures for which we build fastdebug builds
 %global fastdebug_arches x86_64 ppc64le aarch64
 # Set of architectures with a Just-In-Time (JIT) compiler
-%global jit_arches      %{debug_arches}
+%global jit_arches      %{aarch64} %{ix86} %{power64} sparcv9 sparc64 x86_64
 # Set of architectures which use the Zero assembler port (!jit_arches)
 %global zero_arches %{arm} ppc s390 s390x
 # Set of architectures which run a full bootstrap cycle
@@ -86,6 +109,8 @@
 %global jfr_arches      %{jit_arches}
 # Set of architectures for which alt-java has SSB mitigation
 %global ssbd_arches x86_64
+# Set of architectures where we verify backtraces with gdb
+%global gdb_arches %{jit_arches} %{zero_arches}
 
 # By default, we build a debug build during main build on JIT architectures
 %if %{with slowdebug}
@@ -121,7 +146,7 @@
 %global fastdebug_build %{nil}
 %endif
 
-# If you disable both builds, then the build fails
+# If you disable all builds, then the build fails
 # Build and test slowdebug first as it provides the best diagnostics
 %global build_loop  %{slowdebug_build} %{fastdebug_build} %{normal_build}
 
@@ -135,10 +160,22 @@
 %global release_targets images docs-zip
 # No docs nor bootcycle for debug builds
 %global debug_targets images
+# Target to use to just build HotSpot
+%global hotspot_target hotspot
+
+# JDK to use for bootstrapping
+# Use OpenJDK 7 where available (on RHEL) to avoid
+# having to use the rhel-7.x-java-unsafe-candidate hack
+%if ! 0%{?fedora} && 0%{?rhel} <= 7
+%global buildjdkver 1.7.0
+%else
+%global buildjdkver 1.8.0
+%endif
+%global bootjdk /usr/lib/jvm/java-%{buildjdkver}-openjdk
 
 # Filter out flags from the optflags macro that cause problems with the OpenJDK build
-# We filter out -Wall which will otherwise cause HotSpot to produce hundreds of thousands of warnings (100+mb logs)
 # We filter out -O flags so that the optimization of HotSpot is not lowered from O3 to O2
+# We filter out -Wall which will otherwise cause HotSpot to produce hundreds of thousands of warnings (100+mb logs)
 # We replace it with -Wformat (required by -Werror=format-security) and -Wno-cpp to avoid FORTIFY_SOURCE warnings
 # We filter out -fexceptions as the HotSpot build explicitly does -fno-exceptions and it's otherwise the default for C++
 %global ourflags %(echo %optflags | sed -e 's|-Wall|-Wformat -Wno-cpp|' | sed -r -e 's|-O[0-9]*||')
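Review bot: The condition "%if ! 0%{?fedora} && 0%{?rhel} <= 7" is also true when neither macro is defined, because it then expands to "! 0 && 0 <= 7", so a build outside Fedora and RHEL would select buildjdkver 1.7.0 although the comment says OpenJDK 7 is meant for RHEL. Add a "0%{?rhel} &&" term or equivalent if that is not intended. The bootjdk definition also hard-codes /usr/lib/jvm where the spec elsewhere refers to %{_jvmdir}.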
@@ -159,17 +196,6 @@
 %global NSSSOFTOKN_BUILDTIME_VERSION %(if [ "x%{NSSSOFTOKN_BUILDTIME_NUMBER}" == "x" ] ; then echo "" ;else echo ">= %{NSSSOFTOKN_BUILDTIME_NUMBER}" ;fi)
 %global NSS_BUILDTIME_VERSION %(if [ "x%{NSS_BUILDTIME_NUMBER}" == "x" ] ; then echo "" ;else echo ">= %{NSS_BUILDTIME_NUMBER}" ;fi)
 
-
-# Fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349.
-# See also https://bugzilla.redhat.com/show_bug.cgi?id=1590796
-# as to why some libraries *cannot* be excluded. In particular,
-# these are:
-# libjsig.so, libjava.so, libjawt.so, libjvm.so and libverify.so
-%global _privatelibs libatk-wrapper[.]so.*|libattach[.]so.*|libawt_headless[.]so.*|libawt[.]so.*|libawt_xawt[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libhprof[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas_unix[.]so.*|libjava_crw_demo[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjli[.]so.*|libjsdt[.]so.*|libjsoundalsa[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libnpt[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsplashscreen[.]so.*|libsunec[.]so.*|libsystemconf[.]so.*|libunpack[.]so.*|libzip[.]so.*|lib[.]so\\(SUNWprivate_.*
-
-%global __provides_exclude ^(%{_privatelibs})$
-%global __requires_exclude ^(%{_privatelibs})$
-
 # In some cases, the arch used by the JDK does
 # not match _arch.
 # Also, in some cases, the machine name used by SystemTap
@@ -267,7 +293,7 @@
 # note, following three variables are sedded from update_sources if used correctly. Hardcode them rather there.
 %global shenandoah_project	openjdk
 %global shenandoah_repo		shenandoah-jdk8u
-%global shenandoah_revision    	shenandoah-jdk8u332-b09
+%global shenandoah_revision    	aarch64-shenandoah-jdk8u322-b06
 # Define old aarch64/jdk8u tree variables for compatibility
 %global project         %{shenandoah_project}
 %global repo            %{shenandoah_repo}
@@ -283,7 +309,7 @@
 %global updatever       %(VERSION=%{whole_update}; echo ${VERSION##*u})
 # eg jdk8u60-b27 -> b27
 %global buildver        %(VERSION=%{version_tag}; echo ${VERSION##*-})
-%global rpmrelease      1
+%global rpmrelease      11
 # Define milestone (EA for pre-releases, GA ("fcs") for releases)
 # Release will be (where N is usually a number starting at 1):
 # - 0.N%%{?extraver}%%{?dist} for EA releases,
@@ -318,6 +344,16 @@
 # main id and dir of this jdk
 %define uniquesuffix()        %{expand:%{fullversion}.%{_arch}%{?1}}
 
+# Fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349.
+# See also https://bugzilla.redhat.com/show_bug.cgi?id=1590796
+# as to why some libraries *cannot* be excluded. In particular,
+# these are:
+# libjsig.so, libjava.so, libjawt.so, libjvm.so and libverify.so
+%global _privatelibs libatk-wrapper[.]so.*|libattach[.]so.*|libawt_headless[.]so.*|libawt[.]so.*|libawt_xawt[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libhprof[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas_unix[.]so.*|libjava_crw_demo[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjli[.]so.*|libjsdt[.]so.*|libjsoundalsa[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libnpt[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsplashscreen[.]so.*|libsunec[.]so.*|libsystemconf[.]so.*|libunpack[.]so.*|libzip[.]so.*|lib[.]so\\(SUNWprivate_.*
+
+%global __provides_exclude ^(%{_privatelibs})$
+%global __requires_exclude ^(%{_privatelibs})$
+
 %global etcjavasubdir     %{_sysconfdir}/java/java-%{javaver}-%{origin}
 %define etcjavadir()      %{expand:%{etcjavasubdir}/%{uniquesuffix -- %{?1}}}
 # Standard JPackage directories and symbolic links.
@@ -339,6 +375,9 @@
 %global alternatives_requires %{_sbindir}/alternatives
 %endif
 
+%global family %{name}.%{_arch}
+%global family_noarch  %{name}
+
 %if %{with_systemtap}
 # Where to install systemtap tapset (links)
 # We would like these to be in a package specific sub-dir,
@@ -356,6 +395,50 @@
 # not-duplicated scriptlets for normal/debug packages
 %global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
 
+%define save_alternatives() %{expand:
+  # warning! alternatives are localised!
+  # LANG=cs_CZ.UTF-8  alternatives --display java | head
+  # LANG=en_US.UTF-8  alternatives --display java | head
+  function nonLocalisedAlternativesDisplayOfMaster() {
+    LANG=en_US.UTF-8 alternatives --display "$MASTER"
+  }
+  function headOfAbove() {
+    nonLocalisedAlternativesDisplayOfMaster | head -n $1
+  }
+  MASTER="%{?1}"
+  LOCAL_LINK="%{?2}"
+  FAMILY="%{?3}"
+  rm -f %{_localstatedir}/lib/rpm-state/"$MASTER"_$FAMILY > /dev/null
+  if nonLocalisedAlternativesDisplayOfMaster > /dev/null ; then
+      if headOfAbove 1 | grep -q manual ; then
+        if headOfAbove 2 | tail -n 1 | grep -q %{compatiblename} ; then
+           headOfAbove 2  > %{_localstatedir}/lib/rpm-state/"$MASTER"_"$FAMILY"
+        fi
+      fi
+  fi
+}
+
+%define save_and_remove_alternatives() %{expand:
+  if [ "x$debug"  == "xtrue" ] ; then
+    set -x
+  fi
+  upgrade1_uninstal0=%{?3}
+  if [ "0$upgrade1_uninstal0" -gt 0 ] ; then # removal of this condition will cause persistence between uninstall
+    %{save_alternatives %{?1} %{?2} %{?4}}
+  fi
+  alternatives --remove  "%{?1}" "%{?2}"
+}
+
+%define set_if_needed_alternatives() %{expand:
+  MASTER="%{?1}"
+  FAMILY="%{?2}"
+  ALTERNATIVES_FILE="%{_localstatedir}/lib/rpm-state/$MASTER"_"$FAMILY"
+  if [ -e  "$ALTERNATIVES_FILE" ] ; then
+    rm "$ALTERNATIVES_FILE"
+    alternatives --set $MASTER $FAMILY
+  fi
+}
+
 
 %define post_script() %{expand:
 update-desktop-database %{_datadir}/applications &> /dev/null || :
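Review bot: set_if_needed_alternatives deletes the saved state before it applies it: rm "$ALTERNATIVES_FILE" runs ahead of alternatives --set $MASTER $FAMILY, so a failing --set loses the administrator's manual selection with no way to retry. Run --set first and remove the file only when it succeeds. Quoting is also inconsistent across the three macros: $FAMILY is unquoted in the rm -f line of save_alternatives and both arguments are unquoted in the --set call, and the > /dev/null on rm -f hides nothing because rm reports errors on stderr. The $debug variable that turns on set -x is not documented anywhere in the hunk.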
@@ -363,20 +446,19 @@ update-desktop-database %{_datadir}/applications &> /dev/null || :
 exit 0
 }
 
-
-%define post_headless() %{expand:
-%ifarch %{share_arches}
-%{jrebindir -- %{?1}}/java -Xshare:dump >/dev/null 2>/dev/null
-%endif
-
+%define alternatives_java_install() %{expand:
+if [ "x$debug"  == "xtrue" ] ; then
+  set -x
+fi
 PRIORITY=%{priority}
 if [ "%{?1}" == %{debug_suffix} ]; then
   let PRIORITY=PRIORITY-1
 fi
 
 ext=.gz
+key=java
 alternatives \\
-  --install %{_bindir}/java java %{jrebindir -- %{?1}}/java $PRIORITY  --family %{name}.%{_arch} \\
+  --install %{_bindir}/java $key %{jrebindir -- %{?1}}/java $PRIORITY  --family %{family} \\
   --slave %{_jvmdir}/jre jre %{_jvmdir}/%{jredir -- %{?1}} \\
   --slave %{_bindir}/%{alt_java_name} %{alt_java_name} %{jrebindir -- %{?1}}/%{alt_java_name} \\
   --slave %{_bindir}/jjs jjs %{jrebindir -- %{?1}}/jjs \\
@@ -414,12 +496,23 @@ alternatives \\
   --slave %{_mandir}/man1/unpack200.1$ext unpack200.1$ext \\
   %{_mandir}/man1/unpack200-%{uniquesuffix -- %{?1}}.1$ext
 
+%{set_if_needed_alternatives $key %{family}}
+
 for X in %{origin} %{javaver} ; do
-  alternatives --install %{_jvmdir}/jre-"$X" jre_"$X" %{_jvmdir}/%{jredir -- %{?1}} $PRIORITY --family %{name}.%{_arch}
+  key=jre_"$X"
+  alternatives --install %{_jvmdir}/jre-"$X" $key %{_jvmdir}/%{jredir -- %{?1}} $PRIORITY --family %{family}
+  %{set_if_needed_alternatives $key %{family}}
 done
 
-update-alternatives --install %{_jvmdir}/jre-%{javaver}-%{origin} jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} $PRIORITY  --family %{name}.%{_arch}
+key=jre_%{javaver}_%{origin}
+alternatives --install %{_jvmdir}/jre-%{javaver}-%{origin} $key %{_jvmdir}/%{jrelnk -- %{?1}} $PRIORITY  --family %{family}
+%{set_if_needed_alternatives $key %{family}}
+}
 
+%define post_headless() %{expand:
+%ifarch %{share_arches}
+%{jrebindir -- %{?1}}/java -Xshare:dump >/dev/null 2>/dev/null
+%endif
 
 update-desktop-database %{_datadir}/applications &> /dev/null || :
 /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || :
@@ -446,26 +539,34 @@ exit 0
 
 
 %define postun_headless() %{expand:
-  alternatives --remove java %{jrebindir -- %{?1}}/java
-  alternatives --remove jre_%{origin} %{_jvmdir}/%{jredir -- %{?1}}
-  alternatives --remove jre_%{javaver} %{_jvmdir}/%{jredir -- %{?1}}
-  alternatives --remove jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}}
+  if [ "x$debug"  == "xtrue" ] ; then
+    set -x
+  fi
+  post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
+  %{save_and_remove_alternatives  java  %{jrebindir -- %{?1}}/java $post_state %{family}}
+  %{save_and_remove_alternatives  jre_%{origin} %{_jvmdir}/%{jredir -- %{?1}} $post_state %{family}}
+  %{save_and_remove_alternatives  jre_%{javaver} %{_jvmdir}/%{jredir -- %{?1}} $post_state %{family}}
+  %{save_and_remove_alternatives  jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} $post_state %{family}}
 }
 
 %define posttrans_script() %{expand:
 %{update_desktop_icons}
 }
 
-%define post_devel() %{expand:
 
+%define alternatives_javac_install() %{expand:
+if [ "x$debug"  == "xtrue" ] ; then
+  set -x
+fi
 PRIORITY=%{priority}
 if [ "%{?1}" == %{debug_suffix} ]; then
   let PRIORITY=PRIORITY-1
 fi
 
 ext=.gz
+key=javac
 alternatives \\
-  --install %{_bindir}/javac javac %{sdkbindir -- %{?1}}/javac $PRIORITY  --family %{name}.%{_arch} \\
+  --install %{_bindir}/javac $key %{sdkbindir -- %{?1}}/javac $PRIORITY  --family %{family} \\
   --slave %{_jvmdir}/java java_sdk %{_jvmdir}/%{sdkdir -- %{?1}} \\
   --slave %{_bindir}/appletviewer appletviewer %{sdkbindir -- %{?1}}/appletviewer \\
   --slave %{_bindir}/clhsdb clhsdb %{sdkbindir -- %{?1}}/clhsdb \\
@@ -559,13 +660,20 @@ alternatives \\
   --slave %{_mandir}/man1/xjc.1$ext xjc.1$ext \\
   %{_mandir}/man1/xjc-%{uniquesuffix -- %{?1}}.1$ext
 
+%{set_if_needed_alternatives  $key %{family}}
+
 for X in %{origin} %{javaver} ; do
-  alternatives \\
-    --install %{_jvmdir}/java-"$X" java_sdk_"$X" %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY  --family %{name}.%{_arch}
+  key=java_sdk_"$X"
+  alternatives --install %{_jvmdir}/java-"$X" $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY  --family %{family}
+  %{set_if_needed_alternatives  $key %{family}}
 done
 
-update-alternatives --install %{_jvmdir}/java-%{javaver}-%{origin} java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY  --family %{name}.%{_arch}
+key=java_sdk_%{javaver}_%{origin}
+alternatives --install %{_jvmdir}/java-%{javaver}-%{origin} $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY  --family %{family}
+%{set_if_needed_alternatives  $key %{family}}
+}
 
+%define post_devel() %{expand:
 update-desktop-database %{_datadir}/applications &> /dev/null || :
 /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || :
 
@@ -573,10 +681,14 @@ exit 0
 }
 
 %define postun_devel() %{expand:
-  alternatives --remove javac %{sdkbindir -- %{?1}}/javac
-  alternatives --remove java_sdk_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}}
-  alternatives --remove java_sdk_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}}
-  alternatives --remove java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}}
+  if [ "x$debug"  == "xtrue" ] ; then
+    set -x
+  fi
+  post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
+  %{save_and_remove_alternatives  javac %{sdkbindir -- %{?1}}/javac $post_state %{family}}
+  %{save_and_remove_alternatives  java_sdk_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}
+  %{save_and_remove_alternatives  java_sdk_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}
+  %{save_and_remove_alternatives  java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}
 
 update-desktop-database %{_datadir}/applications &> /dev/null || :
 
@@ -588,42 +700,54 @@ exit 0
 }
 
 %define posttrans_devel() %{expand:
+%{alternatives_javac_install --  %{?1}}
 %{update_desktop_icons}
 }
 
-%define post_javadoc() %{expand:
-
+%define alternatives_javadoc_install() %{expand:
+if [ "x$debug"  == "xtrue" ] ; then
+  set -x
+fi
 PRIORITY=%{priority}
 if [ "%{?1}" == %{debug_suffix} ]; then
   let PRIORITY=PRIORITY-1
 fi
 
-alternatives \\
-  --install %{_javadocdir}/java javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api \\
-  $PRIORITY  --family %{name}
+key=javadocdir
+alternatives --install %{_javadocdir}/java $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY  --family %{family_noarch}
+%{set_if_needed_alternatives  $key %{family_noarch}}
 exit 0
 }
 
 %define postun_javadoc() %{expand:
-  alternatives --remove javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api
+if [ "x$debug"  == "xtrue" ] ; then
+  set -x
+fi
+  post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
+  %{save_and_remove_alternatives  javadocdir  %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}}
 exit 0
 }
 
-%define post_javadoc_zip() %{expand:
-
+%define alternatives_javadoczip_install() %{expand:
+if [ "x$debug"  == "xtrue" ] ; then
+  set -x
+fi
 PRIORITY=%{priority}
 if [ "%{?1}" == %{debug_suffix} ]; then
   let PRIORITY=PRIORITY-1
 fi
-
-alternatives \\
-  --install %{_javadocdir}/java-zip javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip \\
-  $PRIORITY  --family %{name}
+key=javadoczip
+alternatives --install %{_javadocdir}/java-zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY  --family %{family_noarch}
+%{set_if_needed_alternatives  $key %{family_noarch}}
 exit 0
 }
 
 %define postun_javadoc_zip() %{expand:
-  alternatives --remove javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip
+  if [ "x$debug"  == "xtrue" ] ; then
+    set -x
+  fi
+  post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
+  %{save_and_remove_alternatives  javadoczip  %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}}
 exit 0
 }
 
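Review bot: alternatives_javadoc_install and alternatives_javadoczip_install still end in exit 0, inherited from the post_javadoc scriptlets they replace, whereas alternatives_java_install and alternatives_javac_install end without it. As helper macros expanded inside %posttrans they should not terminate the scriptlet: anything placed after them is silently skipped, and a failing alternatives --install or --set is reported as success. Move exit 0 into the %posttrans sections themselves. The indentation of postun_javadoc (if block at column 0, body indented) also differs from postun_javadoc_zip.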
@@ -744,8 +868,10 @@ exit 0
 %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libnio.so
 %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libnpt.so
 %ifarch %{sa_arches}
+%ifnarch %{zero_arches}
 %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libsaproc.so
 %endif
+%endif
 %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libsctp.so
 %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libsunec.so
 %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libsystemconf.so
@@ -865,8 +991,10 @@ exit 0
 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/jconsole.jar
 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/orb.idl
 %ifarch %{sa_arches}
+%ifnarch %{zero_arches}
 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/sa-jdi.jar
 %endif
+%endif
 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/dt.jar
 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/jexec
 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/tools.jar
@@ -983,6 +1111,8 @@ OrderWithRequires: copy-jdk-configs
 %endif
 # for printing support
 Requires: cups-libs
+# for FIPS PKCS11 provider
+Requires: nss
 # Post requires alternatives to install tool alternatives
 Requires(post):   %{alternatives_requires}
 # in version 1.7 and higher for --family switch
@@ -1059,9 +1189,9 @@ Requires(postun): %{alternatives_requires}
 Requires(postun):   chkconfig >= 1.7
 
 # Standard JPackage javadoc provides
-Provides: java-javadoc%{?1} = %{epoch}:%{version}-%{release}
-Provides: java-%{javaver}-javadoc%{?1} = %{epoch}:%{version}-%{release}
-Provides: java-%{javaver}-%{origin}-javadoc%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-%{origin}-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release}
+Provides: java-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release}
 }
 
 %define java_src_rpo() %{expand:
@@ -1209,6 +1339,10 @@ Patch1011: rh1991003-enable_fips_keys_import.patch
 # RH2021263: Resolve outstanding FIPS issues
 Patch1014: rh2021263-fips_ensure_security_initialised.patch
 Patch1015: rh2021263-fips_missing_native_returns.patch
+# RH2052819: Fix FIPS reliance on crypto policies
+Patch1016: rh2021263-fips_separate_policy_and_fips_init.patch
+# RH2052829: Detect NSS at Runtime for FIPS detection
+Patch1017: rh2052829-fips_runtime_nss_detection.patch
 
 #############################################
 #
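Review bot: the bug ids on the two new patches do not line up with the rest of the change. Patch1016 is commented RH2052819 but its file name carries rh2021263, the id of the previous patch group, and the matching %changelog entry resolves rhbz#2052817; Patch1017 is commented RH2052829 while its changelog entry resolves rhbz#2052828. State which id is the tracking bug and which is the clone, or make comment, file name and changelog agree, so the FIPS patches can be traced later.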
@@ -1237,6 +1371,10 @@ Patch400: pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch
 Patch401: pr3655-toggle_system_crypto_policy.patch
 # enable build of speculative store bypass hardened alt-java
 Patch600: rh1750419-redhat_alt_java.patch
+# JDK-8281098, PR3836: Extra compiler flags not passed to adlc build
+Patch112: jdk8281098-pr3836-pass_compiler_flags_to_adlc.patch
+# JDK-8275535, RH2053256: Retrying a failed authentication on multiple LDAP servers can lead to users blocked
+Patch113: jdk8275535-rh2053256-ldap_auth.patch
 
 #############################################
 #
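Review bot: Patch112 and Patch113 are declared after Patch600, out of numeric order, although %prep applies them among the 5xx patches ahead of the RPM-only group; declare them in the group they are applied with so declaration and application order agree. The Patch113 comment also cites RH2053256 while the changelog entry for the same fix resolves rhbz#2053285.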
@@ -1281,6 +1419,8 @@ Patch203: jdk8042159-allow_using_system_installed_lcms2-root.patch
 Patch204: jdk8042159-allow_using_system_installed_lcms2-jdk.patch
 # JDK-8195607, PR3776, RH1760437: sun/security/pkcs11/Secmod/TestNssDbSqlite.java failed with "NSS initialization failed" on NSS 3.34.1
 Patch580: jdk8195607-pr3776-rh1760437-nss_sqlite_db_config.patch
+# JDK-8257794: Zero: assert(istate->_stack_limit == istate->_thread->last_Java_sp() + 1) failed: wrong on Linux/x86_32
+Patch581: jdk8257794-remove_broken_assert.patch
 
 #############################################
 #
@@ -1291,6 +1431,7 @@ Patch580: jdk8195607-pr3776-rh1760437-nss_sqlite_db_config.patch
 # able to be removed once that release is out
 # and used by this RPM.
 #############################################
+Patch700: jdk8279077-missing_crash_protector_ppc.patch
 
 #############################################
 #
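Review bot: Patch700 is added without the comment line that the other patches in this change carry. Add the JDK id and a one-line summary above it, for example the changelog's wording for JDK-8279077 (crash on ppc64), and name the upstream release that makes it removable, since this section is reserved for patches that can be dropped once that release is out.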
@@ -1349,22 +1490,16 @@ BuildRequires: libXinerama-devel
 BuildRequires: libXrender-devel
 BuildRequires: libXt-devel
 BuildRequires: libXtst-devel
-# Requirements for setting up the nss.cfg and FIPS support
-BuildRequires: nss-devel >= 3.53
+# Requirement for setting up nss.cfg and nss.fips.cfg
+BuildRequires: nss-devel
 BuildRequires: pkgconfig
 BuildRequires: xorg-x11-proto-devel
 BuildRequires: zip
 BuildRequires: unzip
-# Use OpenJDK 7 where available (on RHEL) to avoid
-# having to use the rhel-7.x-java-unsafe-candidate hack
-%if ! 0%{?fedora} && 0%{?rhel} <= 7
 # Require a boot JDK which doesn't fail due to RH1482244
-BuildRequires: java-1.7.0-openjdk-devel >= 1.7.0.151-2.6.11.3
-%else
-BuildRequires: java-1.8.0-openjdk-devel
-%endif
+BuildRequires: java-%{buildjdkver}-openjdk-devel >= 1.7.0.151-2.6.11.3
 # Zero-assembler build requirement
-%ifnarch %{jit_arches}
+%ifarch %{zero_arches}
 BuildRequires: libffi-devel
 %endif
 # 2021e required as of JDK-8275766 in January 2022 CPU
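Review bot: both version floors in this hunk lose their meaning. BuildRequires: nss-devel drops '>= 3.53' with no stated reason; if the FIPS configuration still depends on behaviour from that NSS release, keep the floor here or carry it on the new runtime Requires: nss, which is also unversioned. The boot JDK line keeps '>= 1.7.0.151-2.6.11.3', a floor written for java-1.7.0-openjdk-devel, but now applies it to java-%{buildjdkver}-openjdk-devel; if buildjdkver expands to 1.8.0, practically every build satisfies it and the RH1482244 guard no longer constrains anything. State the floor for the JDK actually used, or drop it together with the comment.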
@@ -1554,7 +1689,8 @@ Requires: javapackages-filesystem
 Obsoletes: javadoc-slowdebug < 1:1.8.0.212.b04-4
 BuildArch: noarch
 
-%{java_javadoc_rpo %{nil}}
+%{java_javadoc_rpo -- %{nil} -zip}
+%{java_javadoc_rpo -- %{nil} %{nil}}
 
 %description javadoc
 The %{origin_nice} %{majorver} API documentation.
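Review bot: the -zip provides appear to be attached to the wrong subpackage. This hunk gives javadoc both java_javadoc_rpo -- %{nil} -zip and the unsuffixed call, while the next hunk leaves javadoc-zip with only the unsuffixed one, so javadoc ends up providing java-javadoc-zip and javadoc-zip does not. The changelog says javadoc-zip got its own provides next to the plain javadoc ones, which suggests the two call sites are swapped.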
@@ -1566,7 +1702,7 @@ Requires: javapackages-filesystem
 Obsoletes: javadoc-zip-slowdebug < 1:1.8.0.212.b04-4
 BuildArch: noarch
 
-%{java_javadoc_rpo %{nil}}
+%{java_javadoc_rpo -- %{nil} %{nil}}
 
 %description javadoc-zip
 The %{origin_nice} %{majorver} API documentation compressed in a single archive.
@@ -1635,7 +1771,7 @@ else
   exit 13
 fi
 if [ %{include_debug_build} -eq 0 -a  %{include_normal_build} -eq 0 -a  %{include_fastdebug_build} -eq 0 ] ; then
-  echo "You have disabled all builds (normal,fastdebug,debug). That is a no go."
+  echo "You have disabled all builds (normal,fastdebug,slowdebug). That is a no go."
   exit 14
 fi
 
@@ -1698,12 +1834,16 @@ sh %{SOURCE12}
 %patch528
 %patch571
 %patch574
+%patch112
 %patch580
-%patch539
+%patch581
+%patch113
 
 # Upstreamed fixes
+%patch700
 
 # RPM-only fixes
+%patch539
 %patch600
 %patch1000
 %patch1001
@@ -1717,6 +1857,8 @@ sh %{SOURCE12}
 %patch1011
 %patch1014
 %patch1015
+%patch1016
+%patch1017
 
 # RHEL-only patches
 %if ! 0%{?fedora} && 0%{?rhel} <= 7
@@ -1777,7 +1919,6 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
 
 # Setup nss.fips.cfg
 sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
-sed -i -e "s:@NSS_SECMOD@:/etc/pki/nssdb:g" nss.fips.cfg
 
 %build
 # How many CPU's do we have?
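Review bot: removing the @NSS_SECMOD@ substitution is only safe if the nss.fips.cfg template in SOURCE17 no longer contains that token, and the template is not part of the visible change. An unreplaced placeholder would ship as a literal value in the FIPS provider configuration. Add a guard after the remaining sed that fails %prep when grep still finds '@NSS_' in nss.cfg or nss.fips.cfg.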
@@ -1797,7 +1938,6 @@ export CFLAGS="$CFLAGS -mieee"
 
 # We use ourcppflags because the OpenJDK build seems to
 # pass EXTRA_CFLAGS to the HotSpot C++ compiler...
-# Explicitly set the C++ standard as the default has changed on GCC >= 6
 EXTRA_CFLAGS="%ourcppflags -Wno-error"
 EXTRA_CPP_FLAGS="%ourcppflags"
 
@@ -1814,10 +1954,9 @@ export EXTRA_CFLAGS EXTRA_ASFLAGS
 
 function buildjdk() {
     local outputdir=${1}
-    local installdir=${2}
-    local buildjdk=${3}
-    local maketargets=${4}
-    local debuglevel=${5}
+    local buildjdk=${2}
+    local maketargets="${3}"
+    local debuglevel=${4}
 
     local top_srcdir_abs_path=$(pwd)/%{top_level_dir_name}
     # Variable used in hs_err hook on build failures
@@ -1830,7 +1969,7 @@ function buildjdk() {
     echo "Using debuglevel: ${debuglevel}"
     echo "Building 8u%{updatever}-%{buildver}, milestone %{milestone}"
 
-    mkdir -p ${outputdir} ${installdir}
+    mkdir -p ${outputdir}
     pushd ${outputdir}
 
     bash ${top_srcdir_abs_path}/configure \
@@ -1839,7 +1978,7 @@ function buildjdk() {
 %else
     --disable-jfr \
 %endif
-%ifnarch %{jit_arches}
+%ifarch %{zero_arches}
     --with-jvm-variants=zero \
 %endif
     --with-native-debug-symbols=internal \
@@ -1852,7 +1991,7 @@ function buildjdk() {
     --with-vendor-vm-bug-url="%{oj_vendor_bug_url}" \
     --with-boot-jdk=${buildjdk} \
     --with-debug-level=${debuglevel} \
-    --enable-sysconf-nss \
+    --disable-sysconf-nss \
     --enable-unlimited-crypto \
     --with-zlib=system \
     --with-libjpeg=system \
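Review bot: the switch from --enable-sysconf-nss to --disable-sysconf-nss carries no comment, although it changes how FIPS detection reaches NSS. Add a line pointing at Patch1017 (runtime NSS detection) and at the new Requires: nss, since that runtime dependency is now what guarantees the library is present. libsystemconf.so is still in the file list and in _privatelibs, so confirm the build continues to produce it with the option disabled.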
@@ -1875,24 +2014,16 @@ function buildjdk() {
 	SCTP_WERROR= \
 	${maketargets} || ( pwd; find ${top_srcdir_abs_path} ${top_builddir_abs_path} -name "hs_err_pid*.log" | xargs cat && false )
 
-    # the build (erroneously) removes read permissions from some jars
-    # this is a regression in OpenJDK 7 (our compiler):
-    # http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437
-    find images/%{jdkimage} -iname '*.jar' -exec chmod ugo+r {} \;
-    chmod ugo+r images/%{jdkimage}/lib/ct.sym
-
-    # remove redundant *diz and *debuginfo files
-    find images/%{jdkimage} -iname '*.diz' -exec rm -v {} \;
-    find images/%{jdkimage} -iname '*.debuginfo' -exec rm -v {} \;
-
-    # Build screws up permissions on binaries
-    # https://bugs.openjdk.java.net/browse/JDK-8173610
-    find images/%{jdkimage} -iname '*.so' -exec chmod +x {} \;
-    find images/%{jdkimage}/bin/ -exec chmod +x {} \;
+    popd
+}
 
-    popd >& /dev/null
+function installjdk() {
+    local outputdir=${1}
+    local installdir=${2}
+    local imagepath=${installdir}/images/%{jdkimage}
 
     echo "Installing build from ${outputdir} to ${installdir}..."
+    mkdir -p ${installdir}
     echo "Installing images..."
     mv ${outputdir}/images ${installdir}
     if [ -d ${outputdir}/bundles ] ; then
@@ -1908,8 +2039,35 @@ function buildjdk() {
     echo "Removing output directory...";
     rm -rf ${outputdir}
 %endif
+
+    if [ -d ${imagepath} ] ; then
+	# the build (erroneously) removes read permissions from some jars
+	# this is a regression in OpenJDK 7 (our compiler):
+	# http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437
+	find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \;
+	chmod ugo+r ${imagepath}/lib/ct.sym
+
+	# remove redundant *diz and *debuginfo files
+	find ${imagepath} -iname '*.diz' -exec rm -v {} \;
+	find ${imagepath} -iname '*.debuginfo' -exec rm -v {} \;
+
+	# Build screws up permissions on binaries
+	# https://bugs.openjdk.java.net/browse/JDK-8173610
+	find ${imagepath} -iname '*.so' -exec chmod +x {} \;
+	find ${imagepath}/bin/ -exec chmod +x {} \;
+    fi
 }
 
+%if %{build_hotspot_first}
+  # Build a fresh libjvm.so first and use it to bootstrap
+  cp -LR --preserve=mode,timestamps %{bootjdk} newboot
+  systemjdk=$(pwd)/newboot
+  buildjdk build/newboot ${systemjdk} %{hotspot_target} "release" "bundled"
+  mv build/newboot/hotspot/dist/jre/lib/%{archinstall}/server/libjvm.so newboot/jre/lib/%{archinstall}/server
+%else
+  systemjdk=%{bootjdk}
+%endif
+
 for suffix in %{build_loop} ; do
 if [ "x$suffix" = "x" ] ; then
   debugbuild=release
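Review bot: the build_hotspot_first call passes five arguments, buildjdk build/newboot ${systemjdk} %{hotspot_target} "release" "bundled", but buildjdk now reads only four (outputdir, buildjdk, maketargets, debuglevel), so "bundled" is silently dropped. Remove it or add the parameter it was meant for. %{hotspot_target} is also unquoted, unlike "%{bootstrap_targets}" at the other call sites, so a multi-word target list would push "release" out of the debuglevel slot. The mv of libjvm.so into newboot/jre/lib/%{archinstall}/server assumes the boot JDK copy has a server VM directory; a short comment on which configurations set build_hotspot_first would help.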
@@ -1918,7 +2076,6 @@ else
   debugbuild=`echo $suffix  | sed "s/-//g"`
 fi
 
-systemjdk=/usr/lib/jvm/java-openjdk
 builddir=%{buildoutputdir -- $suffix}
 bootbuilddir=boot${builddir}
 installdir=%{installoutputdir -- $suffix}
@@ -1936,11 +2093,14 @@ else
 fi
 
 if ${run_bootstrap} ; then
-  buildjdk ${bootbuilddir} ${bootinstalldir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild}
-  buildjdk ${builddir} ${installdir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild}
+  buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild}
+  installjdk ${bootbuilddir} ${bootinstalldir}
+  buildjdk ${builddir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild}
+  installjdk ${builddir} ${installdir}
   %{!?with_artifacts:rm -rf ${bootinstalldir}}
 else
-  buildjdk ${builddir} ${installdir} ${systemjdk} "${maketargets}" ${debugbuild}
+  buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild}
+  installjdk ${builddir} ${installdir}
 fi
 
 # Install nss.cfg right away as we will be using the JRE above
@@ -2060,7 +2220,10 @@ quit
 end
 run -version
 EOF
+
+%ifarch %{gdb_arches}
 grep 'JavaCallWrapper::JavaCallWrapper' gdb.out
+%endif
 
 # Check src.zip has all sources. See RHBZ#1130490
 jar -tf $JAVA_HOME/src.zip | grep 'sun.misc.Unsafe'
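Review bot: the new %ifarch %{gdb_arches} guard wraps only the grep on gdb.out; the gdb session that ends at EOF just above still runs on every architecture. If gdb is unreliable on the excluded architectures, guard the invocation as well, since a hang or failure there can still break the build. A comment naming RH2041970 next to the guard would record why it exists.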
@@ -2197,7 +2360,7 @@ find $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/demo \
   | sed 's|'$RPM_BUILD_ROOT'||' \
   | sed 's|^|%doc |' \
   >> %{name}-demo.files"$suffix"
-# Find documentation directories.
+# Find demo directories.
 find $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/demo \
   $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/sample \
   -type d | sort \
@@ -2308,6 +2471,9 @@ cjc.mainProgram(args)
 %posttrans
 %{posttrans_script %{nil}}
 
+%posttrans headless
+%{alternatives_java_install %{nil}}
+
 %post devel
 %{post_devel %{nil}}
 
@@ -2317,14 +2483,14 @@ cjc.mainProgram(args)
 %posttrans  devel
 %{posttrans_devel %{nil}}
 
-%post javadoc
-%{post_javadoc %{nil}}
+%posttrans javadoc
+%{alternatives_javadoc_install %{nil}}
 
 %postun javadoc
 %{postun_javadoc %{nil}}
 
-%post javadoc-zip
-%{post_javadoc_zip %{nil}}
+%posttrans javadoc-zip
+%{alternatives_javadoczip_install %{nil}}
 
 %postun javadoc-zip
 %{postun_javadoc_zip %{nil}}
@@ -2337,6 +2503,9 @@ cjc.mainProgram(args)
 %post headless-slowdebug
 %{post_headless -- %{debug_suffix_unquoted}}
 
+%posttrans headless-slowdebug
+%{alternatives_java_install -- %{debug_suffix_unquoted}}
+
 %postun slowdebug
 %{postun_script -- %{debug_suffix_unquoted}}
 
@@ -2373,6 +2542,9 @@ cjc.mainProgram(args)
 %posttrans fastdebug
 %{posttrans_script -- %{fastdebug_suffix_unquoted}}
 
+%posttrans headless-fastdebug
+%{alternatives_java_install -- %{fastdebug_suffix_unquoted}}
+
 %post devel-fastdebug
 %{post_devel -- %{fastdebug_suffix_unquoted}}
 
@@ -2463,31 +2635,73 @@ cjc.mainProgram(args)
 %endif
 
 %changelog
-* Mon Apr 18 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.332.b09-1
-- Update to shenandoah-jdk8u332-b09 (GA)
-- Update release notes for 8u332-b09.
-- Switch to GA mode for final release.
-- This tarball is embargoed until 2022-04-19 @ 1pm PT.
-- Resolves: rhbz#2073422
-
-* Mon Apr 18 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.332.b06-0.1.ea
-- Update to shenandoah-jdk8u332-b06 (EA)
-- Update release notes for shenandoah-8u332-b06.
-- Switch to EA mode.
-- Remove JDK-8279077 patch now upstream.
-- Related: rhbz#2073422
-
-* Mon Jan 24 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.322.b06-2
+* Mon Feb 28 2022 Jiri Vanek <jvanek@redhat.com> - 1:1.8.0.322.b06-11
+- Storing and restoring alterntives during update manually
+- Fixing Bug 2001567 - update of JDK/JRE is removing its manually selected alterantives and select (as auto) system JDK/JRE
+-- The move of alternatives creation to posttrans to fix:
+-- Bug 1200302 - dnf reinstall breaks alternatives
+-- Had caused the alternatives to be removed, and then created again,
+-- instead of being added, and then removing the old, and thus persisting
+-- the selection in family
+-- Thus this fix, is storing the family of manually selected master, and if
+-- stored, then it is restoring the family of the master
+- Resolves: rhbz#2008192
+
+* Mon Feb 28 2022 Jiri Vanek <jvanek@redhat.com> - 1:1.8.0.322.b06-10
+- Family extracted to globals
+- Resolves: rhbz#2008192
+
+* Mon Feb 28 2022 Jiri Vanek <jvanek@redhat.com> - 1:1.8.0.322.b06-9
+- javadoc-zip got its own provides next to plain javadoc ones
+- Resolves: rhbz#2008192
+
+* Mon Feb 28 2022 Jiri Vanek <jvanek@redhat.com> - 1:1.8.0.322.b06-8
+- alternatives creation moved to posttrans
+- Thus fixing the old reisntall issue:
+- https://bugzilla.redhat.com/show_bug.cgi?id=1200302
+- https://bugzilla.redhat.com/show_bug.cgi?id=1976053
+- Resolves: rhbz#2008192
+
+* Mon Feb 28 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.322.b06-7
+- Add JDK-8275535 patch to fix LDAP authentication issue.
+- Resolves: rhbz#2053285
+
+* Mon Feb 28 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.322.b06-6
+- Detect NSS at runtime for FIPS detection
+- Turn off build-time NSS linking and go back to an explicit Requires on NSS
+- Resolves: rhbz#2052828
+
+* Wed Feb 23 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.322.b06-5
+- Separate crypto policy initialisation from FIPS initialisation, now they are no longer interdependent
+- Resolves: rhbz#2052817
+
+* Mon Feb 21 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.322.b06-4
+- Refactor build functions so we can build just HotSpot without any attempt at installation.
+- Introduce architecture restriction logic for the gdb test. (RH2041970)
+- Pass compiler flags to the ADLC build (JDK-8281098)
+- Adjust JDK8199936/PR3533 -mstackrealign patch to instead pass -mincoming-stack-boundary=2 -mpreferred-stack-boundary=4
+- Explicitly list JIT architectures rather than relying on those with slowdebug builds
+- Disable the serviceability agent on Zero architectures even when the architecture itself is supported
+- Add backport of JDK-8257794 to fix bogus assert on slowdebug x86-32 Zero builds
+- Sync minor placement differences with Fedora & RHEL 9
+- Resolves: rhbz#2022815
+
+* Mon Jan 24 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.322.b06-3
 - Fix FIPS issues in native code and with initialisation of java.security.Security
-- Related: rhbz#2039366
+- Resolves: rhbz#2021263
 
-* Fri Jan 21 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.322.b06-1
+* Fri Jan 21 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.322.b06-2
 - Update to aarch64-shenandoah-jdk8u322-b06 (EA)
 - Update release notes for 8u322-b06.
 - Switch to GA mode for final release.
+- Resolves: rhbz#2039366
+
+* Thu Jan 20 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.322.b05-0.1.ea
+- Update to aarch64-shenandoah-jdk8u322-b05 (EA)
+- Update release notes for 8u322-b05.
 - Require tzdata 2021e as of JDK-8275766.
 - Update tarball generation script to use git following shenandoah-jdk8u's move to github
-- Resolves: rhbz#2039366
+- Resolves: rhbz#2022815
 
 * Tue Jan 18 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.322.b04-0.2.ea
 - Add backport of JDK-8279077 to fix crash on ppc64
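Review bot: the new changelog entries contain spelling errors that will ship in the package metadata: "alterntives" and "alterantives" in the 1.8.0.322.b06-11 entry and "reisntall" in the -8 entry. The -11 entry also nests its explanation with "--" bullets, which no other entry uses; fold it into ordinary "- " lines.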
@@ -2497,32 +2711,86 @@ cjc.mainProgram(args)
 - Update to aarch64-shenandoah-jdk8u322-b04 (EA)
 - Update release notes for 8u322-b04.
 - Require tzdata 2021c as of JDK-8274407.
+- Related: rhbz#2022815
+
+* Fri Jan 07 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.322.b03-0.1.ea
+- Update to aarch64-shenandoah-jdk8u322-b03 (EA)
+- Update release notes for 8u322-b03.
+- Related: rhbz#2022815
+
+* Fri Dec 17 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.322.b02-0.1.ea
+- Update to aarch64-shenandoah-jdk8u322-b02 (EA)
+- Update release notes for 8u322-b02.
+- Related: rhbz#2022815
+
+* Tue Dec 14 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.322.b01-0.1.ea
+- Update to aarch64-shenandoah-jdk8u322-b01 (EA)
+- Update release notes for 8u322-b01.
 - Switch to EA mode.
+- Related: rhbz#2022815
+
+* Mon Dec 06 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.312.b07-5
 - Turn off bootstrapping for slow debug builds, which are particularly slow on ppc64le.
-- Related: rhbz#2039366
+- Related: rhbz#2022815
+
+* Mon Dec 06 2021 Severin Gehwolf <sgehwolf@redhat.com> - 1:1.8.0.312.b07-4
+- Use 'sql:' prefix in nss.fips.cfg as F35+ no longer ship the legacy
+  secmod.db file as part of nss
+- Resolves: rhbz#2023532
 
-* Fri Oct 15 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.312.b07-2
+* Fri Oct 15 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.312.b07-3
 - Update to aarch64-shenandoah-jdk8u312-b07 (EA)
 - Update release notes for 8u312-b07.
 - Switch to GA mode for final release.
-- This tarball is embargoed until 2021-10-19 @ 1pm PT.
-- Resolves: rhbz#2011826
+- Resolves: rhbz#2012339
 
-* Thu Oct 14 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.312.b05-0.2.ea
+* Tue Oct 12 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.312.b05-0.3.ea
+- Update to aarch64-shenandoah-jdk8u312-b05-shenandoah-merge-2021-10-07
+- Update release notes for 8u312-b05-shenandoah-merge-2021-10-07.
+- Related: rhbz#1999937
+
+* Thu Oct 07 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.312.b05-0.2.ea
 - Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false
-- Resolves: rhbz#2014194
+- Resolves: rhbz#1994659
 
-* Thu Oct 14 2021 Martin Balao <mbalao@redhat.com> - 1:1.8.0.312.b05-0.2.ea
+* Thu Oct 07 2021 Martin Balao <mbalao@redhat.com> - 1:1.8.0.312.b05-0.2.ea
 - Add patch to allow plain key import.
-- Resolves: rhbz#2014194
+- Resolves: rhbz#1994659
 
-* Tue Oct 12 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.312.b05-0.1.ea
-- Update to aarch64-shenandoah-jdk8u312-b05-shenandoah-merge-2021-10-07
-- Update release notes for 8u312-b05-shenandoah-merge-2021-10-07.
+* Thu Sep 30 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.312.b05-0.1.ea
+- Update to aarch64-shenandoah-jdk8u312-b05 (EA)
+- Update release notes for 8u312-b05.
+- Resolves: rhbz#1999937
+
+* Mon Sep 27 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.312.b04-0.2.ea
 - Reduce disk footprint by removing build artifacts by default.
+- Related: rhbz#1999937
+
+* Sun Sep 26 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.312.b04-0.1.ea
+- Update to aarch64-shenandoah-jdk8u312-b04 (EA)
+- Update release notes for 8u312-b04.
+- Related: rhbz#1999937
+
+* Fri Sep 24 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.312.b03-0.1.ea
+- Update to aarch64-shenandoah-jdk8u312-b03 (EA)
+- Update release notes for 8u312-b03.
+- Related: rhbz#1999937
+
+* Sun Sep 19 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.312.b02-0.1.ea
+- Update to aarch64-shenandoah-jdk8u312-b02 (EA)
+- Update release notes for 8u312-b02.
+- Related: rhbz#1999937
+
+* Mon Sep 13 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.312.b01-0.1.ea
+- Update to aarch64-shenandoah-jdk8u312-b01 (EA)
+- Update release notes for 8u312-b01.
 - Switch to EA mode.
+- Remove "-clean" suffix as no 8u312 builds are unclean.
+- Related: rhbz#1999937
+
+* Fri Sep 10 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b08-4
 - Remove non-Free test and demo files from source tarball.
-- Related: rhbz#2011826
+- Related: rhbz#1999937
 
 * Fri Aug 27 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:1.8.0.302.b08-3
 - Add patch to login to the NSS software token when in FIPS mode.