diff --git a/.gitignore b/.gitignore index d4c4324..59d2fb2 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u232-b09.tar.xz -SOURCES/systemtap_3.2_tapsets_hg-icedtea8-9d464368e06d.tar.xz +SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u262-b03-shenandoah-merge-2020-05-20-4curve.tar.xz +SOURCES/tapsets-icedtea-3.15.0.tar.xz diff --git a/.java-1.8.0-openjdk.metadata b/.java-1.8.0-openjdk.metadata index 03bd636..4c7628f 100644 --- a/.java-1.8.0-openjdk.metadata +++ b/.java-1.8.0-openjdk.metadata @@ -1,2 +1,2 @@ -ca59ed55769893ca7a5bcff04612141f696ea2e9 SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u232-b09.tar.xz -cd8bf91753b9eb1401cfc529e78517105fc66011 SOURCES/systemtap_3.2_tapsets_hg-icedtea8-9d464368e06d.tar.xz +57112674fa8d81e4b09c1eec880ed362a7f98a67 SOURCES/aarch64-port-jdk8u-shenandoah-aarch64-shenandoah-jdk8u262-b03-shenandoah-merge-2020-05-20-4curve.tar.xz +7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz diff --git a/SOURCES/NEWS b/SOURCES/NEWS new file mode 100644 index 0000000..59f5724 --- /dev/null +++ b/SOURCES/NEWS @@ -0,0 +1,113 @@ +Key: + +JDK-X - https://bugs.openjdk.java.net/browse/JDK-X +CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY + +New in release OpenJDK 8u252 (2020-04-14): +=========================================== +Live versions of these release notes can be found at: + * https://bitly.com/oj8u252 + * https://builds.shipilev.net/backports-monitor/release-notes-openjdk8u252.txt + +* Security fixes + - JDK-8223898, CVE-2020-2754: Forward references to Nashorn + - JDK-8223904, CVE-2020-2755: Improve Nashorn matching + - JDK-8224541, CVE-2020-2756: Better mapping of serial ENUMs + - JDK-8224549, CVE-2020-2757: Less Blocking Array Queues + - JDK-8225603: Enhancement for big integers + - JDK-8227542: Manifest improved jar headers + - JDK-8231415, CVE-2020-2773: Better signatures in XML + - JDK-8233250: Better X11 rendering + - JDK-8233410: Better Build Scripting + - JDK-8234027: Better JCEKS key support + - JDK-8234408, CVE-2020-2781: Improve TLS session handling + - JDK-8234825, CVE-2020-2800: Better Headings for HTTP Servers + - JDK-8234841, CVE-2020-2803: Enhance buffering of byte buffers + - JDK-8235274, CVE-2020-2805: Enhance typing of methods + - JDK-8236201, CVE-2020-2830: Better Scanner conversions + - JDK-8238960: linux-i586 builds are inconsistent as the newly build jdk is not able to reserve enough space for object heap +* Other changes + - JDK-8005819: Support cross-realm MSSFU + - JDK-8022263: use same Clang warnings on BSD as on Linux + - JDK-8038631: Create wrapper for awt.Robot with additional functionality + - JDK-8047212: runtime/ParallelClassLoading/bootstrap/random/inner-complex assert(ObjectSynchronizer::verify_objmon_isinpool(inf)) failed: monitor is invalid + - JDK-8055283: Expand ResourceHashtable with C_HEAP allocation, removal and some unit tests + - JDK-8068184: Fix for JDK-8032832 caused a deadlock + - JDK-8079693: Add support for ECDSA P-384 and P-521 curves to XML Signature + - JDK-8132130: some docs cleanup + - JDK-8135318: CMS wrong max_eden_size for check_gc_overhead_limit + - JDK-8144445: Maximum size checking in Marlin ArrayCache utility methods is not optimal + - JDK-8144446: Automate the Marlin crash test + - JDK-8144526: Remove Marlin logging use of deleted internal API + - JDK-8144630: Use PrivilegedAction to create Thread in Marlin RendererStats + - JDK-8144654: Improve Marlin logging + - JDK-8144718: Pisces / Marlin Strokers may generate invalid curves with huge coordinates and round joins + - JDK-8166976: TestCipherPBECons has wrong @run line + - JDK-8167409: Invalid value passed to critical JNI function + - JDK-8181872: C1: possible overflow when strength reducing integer multiply by constant + - JDK-8187078: -XX:+VerifyOops finds numerous problems when running JPRT + - JDK-8191227: issues with unsafe handle resolution + - JDK-8197441: Signature#initSign/initVerify for an invalid private/public key fails with ClassCastException for SunPKCS11 provider + - JDK-8204152: SignedObject throws NullPointerException for null keys with an initialized Signature object + - JDK-8215756: Memory leaks in the AWT on macOS + - JDK-8216472: (se) Stack overflow during selection operation leads to crash (win) + - JDK-8219244: NMT: Change ThreadSafepointState's allocation type from mtInternal to mtThread + - JDK-8219597: (bf) Heap buffer state changes could provoke unexpected exceptions + - JDK-8225128: Add exception for expiring DocuSign root to VerifyCACerts test + - JDK-8225130: Add exception for expiring Comodo roots to VerifyCACerts test + - JDK-8229022: BufferedReader performance can be improved by using StringBuilder + - JDK-8229345: Memory leak due to vtable stubs not being shared on SPARC + - JDK-8229872: (fs) Increase buffer size used with getmntent + - JDK-8230235: Rendering HTML with empty img attribute and documentBaseKey cause Exception + - JDK-8231430: C2: Memory stomp in max_array_length() for T_ILLEGAL type + - JDK-8235744: PIT: test/jdk/javax/swing/text/html/TestJLabelWithHTMLText.java times out in linux-x64 + - JDK-8235904: Infinite loop when rendering huge lines + - JDK-8236179: C1 register allocation error with T_ADDRESS + - JDK-8237368: Problem with NullPointerException in RMI TCPEndpoint.read + - JDK-8240521: Revert backport of 8231584: Deadlock with ClassLoader.findLibrary and System.loadLibrary call + - JDK-8241296: Segfault in JNIHandleBlock::oops_do() + - JDK-8241307: Marlin renderer should not be the default in 8u252 + +Notes on individual issues: +=========================== + +hotspot/svc: + +JDK-8174881: Binary format for HPROF updated +============================================ + +When dumping the heap in binary format, HPROF format 1.0.2 is always +used now. Previously, format 1.0.1 was used for heaps smaller than +2GB. HPROF format 1.0.2 is also used by jhsdb jmap for the +serviceability agent. + +security-libs/java.security: + +JDK-8229518: Added Support for PKCS#1 v2.2 Algorithms Including RSASSA-PSS Signature +==================================================================================== + +The SunRsaSign and SunJCE providers have been enhanced with support +for more algorithms defined in PKCS#1 v2.2, such as RSASSA-PSS +signature and OAEP using FIPS 180-4 digest algorithms. New +constructors and methods have been added to relevant JCA/JCE classes +under the `java.security.spec` and `javax.crypto.spec` packages for +supporting additional RSASSA-PSS parameters. + +security-libs/javax.crypto: + +JDK-8205471: RSASSA-PSS Signature Support Added to SunMSCAPI +============================================================ + +The RSASSA-PSS signature algorithm support has been added to the SunMSCAPI provider. + +security-libs/javax.security: + +JDK-8227564: Allow SASL Mechanisms to Be Restricted +=================================================== + +A security property named `jdk.sasl.disabledMechanisms` has been added +that can be used to disable SASL mechanisms. Any disabled mechanism +will be ignored if it is specified in the `mechanisms` argument of +`Sasl.createSaslClient` or the `mechanism` argument of +`Sasl.createSaslServer`. The default value for this security property +is empty, which means that no mechanisms are disabled out-of-the-box. diff --git a/SOURCES/jconsole.desktop.in b/SOURCES/jconsole.desktop.in index a8917c1..8a3b04d 100644 --- a/SOURCES/jconsole.desktop.in +++ b/SOURCES/jconsole.desktop.in @@ -1,8 +1,8 @@ [Desktop Entry] -Name=OpenJDK @JAVA_MAJOR_VERSION@ Monitoring & Management Console @ARCH@ -Comment=Monitor and manage OpenJDK @JAVA_MAJOR_VERSION@ applications for @ARCH@ -Exec=@JAVA_HOME@/jconsole -Icon=java-@JAVA_MAJOR_VERSION@-@JAVA_VENDOR@ +Name=OpenJDK @JAVA_VER@ for @target_cpu@ Monitoring & Management Console (@OPENJDK_VER@) +Comment=Monitor and manage OpenJDK applications +Exec=_SDKBINDIR_/jconsole +Icon=java-@JAVA_VER@-@JAVA_VENDOR@ Terminal=false Type=Application StartupWMClass=sun-tools-jconsole-JConsole diff --git a/SOURCES/jdk8143245-pr3548-zero_build_requires_disabled_warnings.patch b/SOURCES/jdk8143245-pr3548-zero_build_requires_disabled_warnings.patch index 298bbd3..98d3903 100644 --- a/SOURCES/jdk8143245-pr3548-zero_build_requires_disabled_warnings.patch +++ b/SOURCES/jdk8143245-pr3548-zero_build_requires_disabled_warnings.patch @@ -145,4 +145,4 @@ diff --git openjdk.orig/hotspot/src/os_cpu/linux_zero/vm/thread_linux_zero.hpp o + return false; // silence compile warning } - // These routines are only used on cpu architectures that + bool pd_get_top_frame_for_profiling(frame* fr_addr, diff --git a/SOURCES/jdk8165996-pr3506-rh1760437-nss_sqlite_db.patch b/SOURCES/jdk8165996-pr3506-rh1760437-nss_sqlite_db.patch new file mode 100644 index 0000000..d7afbc6 --- /dev/null +++ b/SOURCES/jdk8165996-pr3506-rh1760437-nss_sqlite_db.patch @@ -0,0 +1,257 @@ +# HG changeset patch +# User weijun +# Date 1513099798 -28800 +# Wed Dec 13 01:29:58 2017 +0800 +# Node ID aa8f2e25f003feddf362892b2820fa2839c854b6 +# Parent 9ebb70cb99a472b5fee9ac08240b7979468c2fa5 +8165996: PKCS11 using NSS throws an error regarding secmod.db when NSS uses sqlite +Reviewed-by: weijun +Contributed-by: Martin Balao + +diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/Secmod.java openjdk/jdk/src/share/classes/sun/security/pkcs11/Secmod.java +--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/Secmod.java ++++ openjdk/jdk/src/share/classes/sun/security/pkcs11/Secmod.java +@@ -196,13 +196,23 @@ + } + + if (configDir != null) { +- File configBase = new File(configDir); +- if (configBase.isDirectory() == false ) { +- throw new IOException("configDir must be a directory: " + configDir); ++ String configDirPath = null; ++ String sqlPrefix = "sql:/"; ++ if (!configDir.startsWith(sqlPrefix)) { ++ configDirPath = configDir; ++ } else { ++ StringBuilder configDirPathSB = new StringBuilder(configDir); ++ configDirPath = configDirPathSB.substring(sqlPrefix.length()); + } +- File secmodFile = new File(configBase, "secmod.db"); +- if (secmodFile.isFile() == false) { +- throw new FileNotFoundException(secmodFile.getPath()); ++ File configBase = new File(configDirPath); ++ if (configBase.isDirectory() == false ) { ++ throw new IOException("configDir must be a directory: " + configDirPath); ++ } ++ if (!configDir.startsWith(sqlPrefix)) { ++ File secmodFile = new File(configBase, "secmod.db"); ++ if (secmodFile.isFile() == false) { ++ throw new FileNotFoundException(secmodFile.getPath()); ++ } + } + } + +diff --git openjdk.orig/jdk/test/sun/security/pkcs11/Secmod/README-SQLITE openjdk/jdk/test/sun/security/pkcs11/Secmod/README-SQLITE +new file mode 100644 +--- /dev/null ++++ openjdk/jdk/test/sun/security/pkcs11/Secmod/README-SQLITE +@@ -0,0 +1,8 @@ ++// How to create key4.db and cert9.db ++cd ++echo "" > 1 ++echo "test12" > 2 ++modutil -create -force -dbdir sql:/$(pwd) ++modutil -list "NSS Internal PKCS #11 Module" -dbdir sql:/$(pwd) ++modutil -changepw "NSS Certificate DB" -force -dbdir sql:/$(pwd) -pwfile $(pwd)/1 -newpwfile $(pwd)/2 ++ +diff --git openjdk.orig/jdk/test/sun/security/pkcs11/Secmod/TestNssDbSqlite.java openjdk/jdk/test/sun/security/pkcs11/Secmod/TestNssDbSqlite.java +new file mode 100644 +--- /dev/null ++++ openjdk/jdk/test/sun/security/pkcs11/Secmod/TestNssDbSqlite.java +@@ -0,0 +1,134 @@ ++/* ++ * Copyright (c) 2017, Red Hat, Inc. and/or its affiliates. ++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++/* ++ * @test ++ * @bug 8165996 ++ * @summary Test NSS DB Sqlite ++ * @library ../ ++ * @modules java.base/sun.security.rsa ++ * java.base/sun.security.provider ++ * java.base/sun.security.jca ++ * java.base/sun.security.tools.keytool ++ * java.base/sun.security.x509 ++ * java.base/com.sun.crypto.provider ++ * jdk.crypto.cryptoki/sun.security.pkcs11:+open ++ * @run main/othervm/timeout=120 TestNssDbSqlite ++ * @author Martin Balao (mbalao@redhat.com) ++ */ ++ ++import java.security.PrivateKey; ++import java.security.cert.Certificate; ++import java.security.KeyStore; ++import java.security.Provider; ++import java.security.Signature; ++ ++import sun.security.rsa.SunRsaSign; ++import sun.security.jca.ProviderList; ++import sun.security.jca.Providers; ++import sun.security.tools.keytool.CertAndKeyGen; ++import sun.security.x509.X500Name; ++ ++public final class TestNssDbSqlite extends SecmodTest { ++ ++ private static final boolean enableDebug = true; ++ ++ private static Provider sunPKCS11NSSProvider; ++ private static Provider sunRsaSignProvider; ++ private static Provider sunJCEProvider; ++ private static KeyStore ks; ++ private static char[] passphrase = "test12".toCharArray(); ++ private static PrivateKey privateKey; ++ private static Certificate certificate; ++ ++ public static void main(String[] args) throws Exception { ++ ++ initialize(); ++ ++ if (enableDebug) { ++ System.out.println("SunPKCS11 provider: " + ++ sunPKCS11NSSProvider); ++ } ++ ++ testRetrieveKeysFromKeystore(); ++ ++ System.out.println("Test PASS - OK"); ++ } ++ ++ private static void testRetrieveKeysFromKeystore() throws Exception { ++ ++ String plainText = "known plain text"; ++ ++ ks.setKeyEntry("root_ca_1", privateKey, passphrase, ++ new Certificate[]{certificate}); ++ PrivateKey k1 = (PrivateKey) ks.getKey("root_ca_1", passphrase); ++ ++ Signature sS = Signature.getInstance( ++ "SHA256withRSA", sunPKCS11NSSProvider); ++ sS.initSign(k1); ++ sS.update(plainText.getBytes()); ++ byte[] generatedSignature = sS.sign(); ++ ++ if (enableDebug) { ++ System.out.println("Generated signature: "); ++ for (byte b : generatedSignature) { ++ System.out.printf("0x%02x, ", (int)(b) & 0xFF); ++ } ++ System.out.println(""); ++ } ++ ++ Signature sV = Signature.getInstance("SHA256withRSA", sunRsaSignProvider); ++ sV.initVerify(certificate); ++ sV.update(plainText.getBytes()); ++ if(!sV.verify(generatedSignature)){ ++ throw new Exception("Couldn't verify signature"); ++ } ++ } ++ ++ private static void initialize() throws Exception { ++ initializeProvider(); ++ } ++ ++ private static void initializeProvider () throws Exception { ++ useSqlite(true); ++ if (!initSecmod()) { ++ return; ++ } ++ ++ sunPKCS11NSSProvider = getSunPKCS11(BASE + SEP + "nss-sqlite.cfg"); ++ sunJCEProvider = new com.sun.crypto.provider.SunJCE(); ++ sunRsaSignProvider = new SunRsaSign(); ++ Providers.setProviderList(ProviderList.newList( ++ sunJCEProvider, sunPKCS11NSSProvider, ++ new sun.security.provider.Sun(), sunRsaSignProvider)); ++ ++ ks = KeyStore.getInstance("PKCS11-NSS-Sqlite", sunPKCS11NSSProvider); ++ ks.load(null, passphrase); ++ ++ CertAndKeyGen gen = new CertAndKeyGen("RSA", "SHA256withRSA"); ++ gen.generate(2048); ++ privateKey = gen.getPrivateKey(); ++ certificate = gen.getSelfCertificate(new X500Name("CN=Me"), 365); ++ } ++} +diff --git openjdk.orig/jdk/test/sun/security/pkcs11/Secmod/nss-sqlite.cfg openjdk/jdk/test/sun/security/pkcs11/Secmod/nss-sqlite.cfg +new file mode 100644 +--- /dev/null ++++ openjdk/jdk/test/sun/security/pkcs11/Secmod/nss-sqlite.cfg +@@ -0,0 +1,13 @@ ++# config file for secmod KeyStore access using sqlite backend ++ ++name = NSS-Sqlite ++ ++nssLibraryDirectory = ${pkcs11test.nss.libdir} ++ ++nssDbMode = readWrite ++ ++nssModule = keystore ++ ++nssSecmodDirectory = ${pkcs11test.nss.db} ++ ++attributes = compatibility +diff --git openjdk.orig/jdk/test/sun/security/pkcs11/SecmodTest.java openjdk/jdk/test/sun/security/pkcs11/SecmodTest.java +--- openjdk.orig/jdk/test/sun/security/pkcs11/SecmodTest.java ++++ openjdk/jdk/test/sun/security/pkcs11/SecmodTest.java +@@ -34,6 +34,11 @@ + static String DBDIR; + static char[] password = "test12".toCharArray(); + static String keyAlias = "mykey"; ++ static boolean useSqlite = false; ++ ++ static void useSqlite(boolean b) { ++ useSqlite = b; ++ } + + static boolean initSecmod() throws Exception { + useNSS(); +@@ -49,14 +54,24 @@ + safeReload(LIBPATH + System.mapLibraryName("nssckbi")); + + DBDIR = System.getProperty("test.classes", ".") + SEP + "tmpdb"; +- System.setProperty("pkcs11test.nss.db", DBDIR); ++ if (useSqlite) { ++ System.setProperty("pkcs11test.nss.db", "sql:/" + DBDIR); ++ } else { ++ System.setProperty("pkcs11test.nss.db", DBDIR); ++ } + File dbdirFile = new File(DBDIR); + if (dbdirFile.exists() == false) { + dbdirFile.mkdir(); + } +- copyFile("secmod.db", BASE, DBDIR); +- copyFile("key3.db", BASE, DBDIR); +- copyFile("cert8.db", BASE, DBDIR); ++ ++ if (useSqlite) { ++ copyFile("key4.db", BASE, DBDIR); ++ copyFile("cert9.db", BASE, DBDIR); ++ } else { ++ copyFile("secmod.db", BASE, DBDIR); ++ copyFile("key3.db", BASE, DBDIR); ++ copyFile("cert8.db", BASE, DBDIR); ++ } + return true; + } + diff --git a/SOURCES/jdk8195607-pr3776-rh1760437-nss_sqlite_db_config.patch b/SOURCES/jdk8195607-pr3776-rh1760437-nss_sqlite_db_config.patch new file mode 100644 index 0000000..ddab642 --- /dev/null +++ b/SOURCES/jdk8195607-pr3776-rh1760437-nss_sqlite_db_config.patch @@ -0,0 +1,125 @@ +# HG changeset patch +# User mbalao +# Date 1529971845 -28800 +# Tue Jun 26 08:10:45 2018 +0800 +# Node ID e9c20b7250cd98d16a67f2a30b34284c2caa01dc +# Parent 9f1aa2e38d90dd60522237d7414af6bdcf03c4ff +8195607, PR3776: sun/security/pkcs11/Secmod/TestNssDbSqlite.java failed with "NSS initialization failed" on NSS 3.34.1 +Reviewed-by: valeriep, weijun + +diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/Secmod.java openjdk/jdk/src/share/classes/sun/security/pkcs11/Secmod.java +--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs11/Secmod.java ++++ openjdk/jdk/src/share/classes/sun/security/pkcs11/Secmod.java +@@ -197,7 +197,7 @@ + + if (configDir != null) { + String configDirPath = null; +- String sqlPrefix = "sql:/"; ++ String sqlPrefix = "sql:"; + if (!configDir.startsWith(sqlPrefix)) { + configDirPath = configDir; + } else { +diff --git openjdk.orig/jdk/src/share/native/sun/security/pkcs11/j2secmod.c openjdk/jdk/src/share/native/sun/security/pkcs11/j2secmod.c +--- openjdk.orig/jdk/src/share/native/sun/security/pkcs11/j2secmod.c ++++ openjdk/jdk/src/share/native/sun/security/pkcs11/j2secmod.c +@@ -69,9 +69,14 @@ + int res = 0; + FPTR_Initialize initialize = + (FPTR_Initialize)findFunction(env, jHandle, "NSS_Initialize"); ++ #ifdef SECMOD_DEBUG ++ FPTR_GetError getError = ++ (FPTR_GetError)findFunction(env, jHandle, "PORT_GetError"); ++ #endif // SECMOD_DEBUG + unsigned int flags = 0x00; + const char *configDir = NULL; + const char *functionName = NULL; ++ const char *configFile = NULL; + + /* If we cannot initialize, exit now */ + if (initialize == NULL) { +@@ -97,13 +102,18 @@ + flags = 0x20; // NSS_INIT_OPTIMIZESPACE flag + } + ++ configFile = "secmod.db"; ++ if (configDir != NULL && strncmp("sql:", configDir, 4U) == 0) { ++ configFile = "pkcs11.txt"; ++ } ++ + /* + * If the NSS_Init function is requested then call NSS_Initialize to + * open the Cert, Key and Security Module databases, read only. + */ + if (strcmp("NSS_Init", functionName) == 0) { + flags = flags | 0x01; // NSS_INIT_READONLY flag +- res = initialize(configDir, "", "", "secmod.db", flags); ++ res = initialize(configDir, "", "", configFile, flags); + + /* + * If the NSS_InitReadWrite function is requested then call +@@ -111,7 +121,7 @@ + * read/write. + */ + } else if (strcmp("NSS_InitReadWrite", functionName) == 0) { +- res = initialize(configDir, "", "", "secmod.db", flags); ++ res = initialize(configDir, "", "", configFile, flags); + + /* + * If the NSS_NoDB_Init function is requested then call +@@ -137,6 +147,13 @@ + (*env)->ReleaseStringUTFChars(env, jConfigDir, configDir); + } + dprintf1("-res: %d\n", res); ++ #ifdef SECMOD_DEBUG ++ if (res == -1) { ++ if (getError != NULL) { ++ dprintf1("-NSS error: %d\n", getError()); ++ } ++ } ++ #endif // SECMOD_DEBUG + + return (res == 0) ? JNI_TRUE : JNI_FALSE; + } +diff --git openjdk.orig/jdk/src/solaris/native/sun/security/pkcs11/j2secmod_md.h openjdk/jdk/src/solaris/native/sun/security/pkcs11/j2secmod_md.h +--- openjdk.orig/jdk/src/solaris/native/sun/security/pkcs11/j2secmod_md.h ++++ openjdk/jdk/src/solaris/native/sun/security/pkcs11/j2secmod_md.h +@@ -34,6 +34,10 @@ + const char *certPrefix, const char *keyPrefix, + const char *secmodName, unsigned int flags); + ++#ifdef SECMOD_DEBUG ++typedef int (*FPTR_GetError)(void); ++#endif //SECMOD_DEBUG ++ + // in secmod.h + //extern SECMODModule *SECMOD_LoadModule(char *moduleSpec,SECMODModule *parent, + // PRBool recurse); +diff --git openjdk.orig/jdk/test/sun/security/pkcs11/Secmod/pkcs11.txt openjdk/jdk/test/sun/security/pkcs11/Secmod/pkcs11.txt +new file mode 100644 +--- /dev/null ++++ openjdk/jdk/test/sun/security/pkcs11/Secmod/pkcs11.txt +@@ -0,0 +1,4 @@ ++library= ++name=NSS Internal PKCS #11 Module ++parameters=configdir='sql:./tmpdb' certPrefix='' keyPrefix='' secmod='' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription='' ++NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30}) +diff --git openjdk.orig/jdk/test/sun/security/pkcs11/SecmodTest.java openjdk/jdk/test/sun/security/pkcs11/SecmodTest.java +--- openjdk.orig/jdk/test/sun/security/pkcs11/SecmodTest.java ++++ openjdk/jdk/test/sun/security/pkcs11/SecmodTest.java +@@ -55,7 +55,7 @@ + + DBDIR = System.getProperty("test.classes", ".") + SEP + "tmpdb"; + if (useSqlite) { +- System.setProperty("pkcs11test.nss.db", "sql:/" + DBDIR); ++ System.setProperty("pkcs11test.nss.db", "sql:" + DBDIR); + } else { + System.setProperty("pkcs11test.nss.db", DBDIR); + } +@@ -67,6 +67,7 @@ + if (useSqlite) { + copyFile("key4.db", BASE, DBDIR); + copyFile("cert9.db", BASE, DBDIR); ++ copyFile("pkcs11.txt", BASE, DBDIR); + } else { + copyFile("secmod.db", BASE, DBDIR); + copyFile("key3.db", BASE, DBDIR); diff --git a/SOURCES/jdk8199936-pr3533-enable_mstackrealign_on_x86_linux_as_well_as_x86_mac_os_x.patch b/SOURCES/jdk8199936-pr3533-enable_mstackrealign_on_x86_linux_as_well_as_x86_mac_os_x.patch index 533ea2d..ae48068 100644 --- a/SOURCES/jdk8199936-pr3533-enable_mstackrealign_on_x86_linux_as_well_as_x86_mac_os_x.patch +++ b/SOURCES/jdk8199936-pr3533-enable_mstackrealign_on_x86_linux_as_well_as_x86_mac_os_x.patch @@ -10,7 +10,7 @@ Summary: Enable -mstackrealign on x86 Linux as well as x86 Mac OS X diff --git openjdk.orig///common/autoconf/flags.m4 openjdk///common/autoconf/flags.m4 --- openjdk.orig///common/autoconf/flags.m4 +++ openjdk///common/autoconf/flags.m4 -@@ -389,6 +389,21 @@ +@@ -402,6 +402,21 @@ AC_SUBST($2CXXSTD_CXXFLAG) fi @@ -44,11 +44,11 @@ diff --git openjdk.orig///common/autoconf/hotspot-spec.gmk.in openjdk///common/a + $(REALIGN_CFLAG) EXTRA_CXXFLAGS=@LEGACY_EXTRA_CXXFLAGS@ EXTRA_LDFLAGS=@LEGACY_EXTRA_LDFLAGS@ - + EXTRA_ASFLAGS=@LEGACY_EXTRA_ASFLAGS@ diff --git openjdk.orig///common/autoconf/spec.gmk.in openjdk///common/autoconf/spec.gmk.in --- openjdk.orig///common/autoconf/spec.gmk.in +++ openjdk///common/autoconf/spec.gmk.in -@@ -334,6 +334,7 @@ +@@ -366,6 +366,7 @@ NO_DELETE_NULL_POINTER_CHECKS_CFLAG=@NO_DELETE_NULL_POINTER_CHECKS_CFLAG@ NO_LIFETIME_DSE_CFLAG=@NO_LIFETIME_DSE_CFLAG@ diff --git a/SOURCES/policytool.desktop.in b/SOURCES/policytool.desktop.in index e38c0ec..5f4cb4a 100644 --- a/SOURCES/policytool.desktop.in +++ b/SOURCES/policytool.desktop.in @@ -1,8 +1,8 @@ [Desktop Entry] -Name=OpenJDK @JAVA_MAJOR_VERSION@ Policy Tool @ARCH@ -Comment=Manage OpenJDK @JAVA_MAJOR_VERSION@ policy files @ARCH@ -Exec=@JRE_HOME@/policytool -Icon=java-@JAVA_MAJOR_VERSION@-@JAVA_VENDOR@ +Name=OpenJDK @JAVA_VER@ for @target_cpu@ Policy Tool (@OPENJDK_VER@) +Comment=Manage OpenJDK policy files +Exec=_JREBINDIR_/policytool +Icon=java-@JAVA_VER@-@JAVA_VENDOR@ Terminal=false Type=Application StartupWMClass=sun-security-tools-PolicyTool diff --git a/SOURCES/pr2974-rh1337583-add_systemlineendings_option_to_keytool_and_use_line_separator_instead_of_crlf_in_pkcs10.patch b/SOURCES/pr2974-rh1337583-add_systemlineendings_option_to_keytool_and_use_line_separator_instead_of_crlf_in_pkcs10.patch index 4859ca6..06973aa 100644 --- a/SOURCES/pr2974-rh1337583-add_systemlineendings_option_to_keytool_and_use_line_separator_instead_of_crlf_in_pkcs10.patch +++ b/SOURCES/pr2974-rh1337583-add_systemlineendings_option_to_keytool_and_use_line_separator_instead_of_crlf_in_pkcs10.patch @@ -7,18 +7,10 @@ PR2974: PKCS#10 certificate requests now use CRLF line endings rather than system line endings Summary: Add -systemlineendings option to keytool to allow system line endings to be used again. -diff --git a/src/share/classes/sun/security/pkcs10/PKCS10.java b/src/share/classes/sun/security/pkcs10/PKCS10.java ---- openjdk/jdk/src/share/classes/sun/security/pkcs10/PKCS10.java +diff --git openjdk.orig/jdk/src/share/classes/sun/security/pkcs10/PKCS10.java openjdk/jdk/src/share/classes/sun/security/pkcs10/PKCS10.java +--- openjdk.orig/jdk/src/share/classes/sun/security/pkcs10/PKCS10.java +++ openjdk/jdk/src/share/classes/sun/security/pkcs10/PKCS10.java -@@ -30,6 +30,7 @@ - import java.io.IOException; - import java.math.BigInteger; - -+import java.security.AccessController; - import java.security.cert.CertificateException; - import java.security.NoSuchAlgorithmException; - import java.security.InvalidKeyException; -@@ -39,6 +40,7 @@ +@@ -35,6 +35,7 @@ import java.util.Base64; @@ -26,7 +18,7 @@ diff --git a/src/share/classes/sun/security/pkcs10/PKCS10.java b/src/share/class import sun.security.util.*; import sun.security.x509.AlgorithmId; import sun.security.x509.X509Key; -@@ -76,6 +78,14 @@ +@@ -74,6 +75,14 @@ * @author Hemma Prafullchandra */ public class PKCS10 { @@ -41,7 +33,7 @@ diff --git a/src/share/classes/sun/security/pkcs10/PKCS10.java b/src/share/class /** * Constructs an unsigned PKCS #10 certificate request. Before this * request may be used, it must be encoded and signed. Then it -@@ -293,13 +303,39 @@ +@@ -303,13 +312,39 @@ */ public void print(PrintStream out) throws IOException, SignatureException { @@ -83,10 +75,10 @@ diff --git a/src/share/classes/sun/security/pkcs10/PKCS10.java b/src/share/class out.println("-----END NEW CERTIFICATE REQUEST-----"); } -diff --git a/src/share/classes/sun/security/tools/keytool/Main.java b/src/share/classes/sun/security/tools/keytool/Main.java ---- openjdk/jdk/src/share/classes/sun/security/tools/keytool/Main.java +diff --git openjdk.orig/jdk/src/share/classes/sun/security/tools/keytool/Main.java openjdk/jdk/src/share/classes/sun/security/tools/keytool/Main.java +--- openjdk.orig/jdk/src/share/classes/sun/security/tools/keytool/Main.java +++ openjdk/jdk/src/share/classes/sun/security/tools/keytool/Main.java -@@ -124,6 +124,7 @@ +@@ -126,6 +126,7 @@ private String infilename = null; private String outfilename = null; private String srcksfname = null; @@ -94,7 +86,7 @@ diff --git a/src/share/classes/sun/security/tools/keytool/Main.java b/src/share/ // User-specified providers are added before any command is called. // However, they are not removed before the end of the main() method. -@@ -186,7 +187,7 @@ +@@ -188,7 +189,7 @@ CERTREQ("Generates.a.certificate.request", ALIAS, SIGALG, FILEOUT, KEYPASS, KEYSTORE, DNAME, STOREPASS, STORETYPE, PROVIDERNAME, PROVIDERCLASS, @@ -103,7 +95,7 @@ diff --git a/src/share/classes/sun/security/tools/keytool/Main.java b/src/share/ CHANGEALIAS("Changes.an.entry.s.alias", ALIAS, DESTALIAS, KEYPASS, KEYSTORE, STOREPASS, STORETYPE, PROVIDERNAME, PROVIDERCLASS, PROVIDERARG, -@@ -319,6 +320,7 @@ +@@ -321,6 +322,7 @@ STARTDATE("startdate", "", "certificate.validity.start.date.time"), STOREPASS("storepass", "", "keystore.password"), STORETYPE("storetype", "", "keystore.type"), @@ -111,7 +103,7 @@ diff --git a/src/share/classes/sun/security/tools/keytool/Main.java b/src/share/ TRUSTCACERTS("trustcacerts", null, "trust.certificates.from.cacerts"), V("v", null, "verbose.output"), VALIDITY("validity", "", "validity.number.of.days"); -@@ -559,6 +561,8 @@ +@@ -561,6 +563,8 @@ protectedPath = true; } else if (collator.compare(flags, "-srcprotected") == 0) { srcprotectedPath = true; @@ -120,7 +112,7 @@ diff --git a/src/share/classes/sun/security/tools/keytool/Main.java b/src/share/ } else { System.err.println(rb.getString("Illegal.option.") + flags); tinyHelp(); -@@ -1463,7 +1467,7 @@ +@@ -1464,7 +1468,7 @@ // Sign the request and base-64 encode it request.encodeAndSign(subject, signature); @@ -129,13 +121,13 @@ diff --git a/src/share/classes/sun/security/tools/keytool/Main.java b/src/share/ checkWeak(rb.getString("the.generated.certificate.request"), request); } -@@ -4540,4 +4544,3 @@ +@@ -4544,4 +4548,3 @@ return new Pair<>(a,b); } } - -diff --git a/src/share/classes/sun/security/tools/keytool/Resources.java b/src/share/classes/sun/security/tools/keytool/Resources.java ---- openjdk/jdk/src/share/classes/sun/security/tools/keytool/Resources.java +diff --git openjdk.orig/jdk/src/share/classes/sun/security/tools/keytool/Resources.java openjdk/jdk/src/share/classes/sun/security/tools/keytool/Resources.java +--- openjdk.orig/jdk/src/share/classes/sun/security/tools/keytool/Resources.java +++ openjdk/jdk/src/share/classes/sun/security/tools/keytool/Resources.java @@ -168,6 +168,8 @@ "keystore password"}, //-storepass diff --git a/SOURCES/pr3083-rh1346460-for_ssl_debug_return_null_instead_of_exception_when_theres_no_ecc_provider.patch b/SOURCES/pr3083-rh1346460-for_ssl_debug_return_null_instead_of_exception_when_theres_no_ecc_provider.patch index b52c087..00e3a2e 100644 --- a/SOURCES/pr3083-rh1346460-for_ssl_debug_return_null_instead_of_exception_when_theres_no_ecc_provider.patch +++ b/SOURCES/pr3083-rh1346460-for_ssl_debug_return_null_instead_of_exception_when_theres_no_ecc_provider.patch @@ -35,7 +35,7 @@ diff --git openjdk.orig/jdk/src/share/classes/sun/security/util/ECUtil.java open +++ openjdk/jdk/src/share/classes/sun/security/util/ECUtil.java @@ -41,6 +41,9 @@ - public class ECUtil { + public final class ECUtil { + /* Are we debugging ? */ + private static final Debug debug = Debug.getInstance("ecc"); diff --git a/SOURCES/rh1648644-java_access_bridge_privileged_security.patch b/SOURCES/rh1648644-java_access_bridge_privileged_security.patch index 538468a..28060ed 100644 --- a/SOURCES/rh1648644-java_access_bridge_privileged_security.patch +++ b/SOURCES/rh1648644-java_access_bridge_privileged_security.patch @@ -1,22 +1,23 @@ ---- jdk8/jdk/src/share/lib/security/java.security-linux.orig -+++ jdk8/jdk/src/share/lib/security/java.security-linux -@@ -223,7 +223,9 @@ - jdk.nashorn.internal.,\ - jdk.nashorn.tools.,\ - jdk.xml.internal.,\ -- com.sun.activation.registries. -+ com.sun.activation.registries.,\ +diff --git openjdk.orig/jdk/src/share/lib/security/java.security-linux openjdk/jdk/src/share/lib/security/java.security-linux +--- openjdk.orig/jdk/src/share/lib/security/java.security-linux ++++ openjdk/jdk/src/share/lib/security/java.security-linux +@@ -226,7 +226,9 @@ + com.sun.activation.registries.,\ + jdk.jfr.events.,\ + jdk.jfr.internal.,\ +- jdk.management.jfr.internal. ++ jdk.management.jfr.internal.,\ + org.GNOME.Accessibility.,\ + org.GNOME.Bonobo. # # List of comma-separated packages that start with or equal this string -@@ -273,7 +275,9 @@ - jdk.nashorn.internal.,\ - jdk.nashorn.tools.,\ - jdk.xml.internal.,\ -- com.sun.activation.registries. -+ com.sun.activation.registries.,\ +@@ -279,7 +281,9 @@ + com.sun.activation.registries.,\ + jdk.jfr.events.,\ + jdk.jfr.internal.,\ +- jdk.management.jfr.internal. ++ jdk.management.jfr.internal.,\ + org.GNOME.Accessibility.,\ + org.GNOME.Bonobo. diff --git a/SOURCES/rh1655466-global_crypto_and_fips.patch b/SOURCES/rh1655466-global_crypto_and_fips.patch index 7987abb..58d77b3 100644 --- a/SOURCES/rh1655466-global_crypto_and_fips.patch +++ b/SOURCES/rh1655466-global_crypto_and_fips.patch @@ -176,7 +176,7 @@ new file mode 100644 + * and the com.redhat.fips property is true. + */ + private static boolean enableFips() throws Exception { -+ boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "false")); ++ boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true")); + if (fipsEnabled) { + Path configPath = FileSystems.getDefault().getPath(CRYPTO_POLICIES_CONFIG); + String cryptoPoliciesConfig = new String(Files.readAllBytes(configPath)); diff --git a/SOURCES/rh1760838-fips_default_keystore_type.patch b/SOURCES/rh1760838-fips_default_keystore_type.patch new file mode 100644 index 0000000..bedc8ea --- /dev/null +++ b/SOURCES/rh1760838-fips_default_keystore_type.patch @@ -0,0 +1,52 @@ +diff -r 6efbd7b35a10 src/share/classes/java/security/SystemConfigurator.java +--- openjdk.orig/jdk/src/share/classes/java/security/SystemConfigurator.java Thu Jan 23 18:22:31 2020 -0300 ++++ openjdk/jdk/src/share/classes/java/security/SystemConfigurator.java Mon Mar 02 19:20:17 2020 -0300 +@@ -123,6 +123,33 @@ + } + props.put(fipsProviderKey, fipsProviderValue); + } ++ // Add other security properties ++ String keystoreTypeValue = (String) props.get("fips.keystore.type"); ++ if (keystoreTypeValue != null) { ++ String nonFipsKeystoreType = props.getProperty("keystore.type"); ++ props.put("keystore.type", keystoreTypeValue); ++ if (keystoreTypeValue.equals("PKCS11")) { ++ // If keystore.type is PKCS11, javax.net.ssl.keyStore ++ // must be "NONE". See JDK-8238264. ++ System.setProperty("javax.net.ssl.keyStore", "NONE"); ++ } ++ if (System.getProperty("javax.net.ssl.trustStoreType") == null) { ++ // If no trustStoreType has been set, use the ++ // previous keystore.type under FIPS mode. In ++ // a default configuration, the Trust Store will ++ // be 'cacerts' (JKS type). ++ System.setProperty("javax.net.ssl.trustStoreType", ++ nonFipsKeystoreType); ++ } ++ if (sdebug != null) { ++ sdebug.println("FIPS mode default keystore.type = " + ++ keystoreTypeValue); ++ sdebug.println("FIPS mode javax.net.ssl.keyStore = " + ++ System.getProperty("javax.net.ssl.keyStore", "")); ++ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " + ++ System.getProperty("javax.net.ssl.trustStoreType", "")); ++ } ++ } + loadedProps = true; + } + } catch (Exception e) { +diff -r 6efbd7b35a10 src/share/lib/security/java.security-linux +--- openjdk.orig/jdk/src/share/lib/security/java.security-linux Thu Jan 23 18:22:31 2020 -0300 ++++ openjdk/jdk/src/share/lib/security/java.security-linux Mon Mar 02 19:20:17 2020 -0300 +@@ -179,6 +179,11 @@ + keystore.type=jks + + # ++# Default keystore type used when global crypto-policies are set to FIPS. ++# ++fips.keystore.type=PKCS11 ++ ++# + # Controls compatibility mode for the JKS keystore type. + # + # When set to 'true', the JKS keystore type supports loading diff --git a/SPECS/java-1.8.0-openjdk.spec b/SPECS/java-1.8.0-openjdk.spec index 056f322..ec76ef3 100644 --- a/SPECS/java-1.8.0-openjdk.spec +++ b/SPECS/java-1.8.0-openjdk.spec @@ -4,18 +4,17 @@ # # Examples: # -# Produce release *and* slowdebug builds on x86_64 (default): +# Produce release, fastdebug *and* slowdebug builds on x86_64 (default): # $ rpmbuild -ba java-1.8.0-openjdk.spec # -# Produce only release builds (no slowdebug builds) on x86_64: -# $ rpmbuild -ba java-1.8.0-openjdk.spec --without slowdebug +# Produce only release builds (no debug builds) on x86_64: +# $ rpmbuild -ba java-1.8.0-openjdk.spec --without slowdebug --without fastdebug # # Only produce a release build on x86_64: -# $ fedpkg mockbuild --without slowdebug -# -# Only produce a debug build on x86_64: -# $ fedpkg local --without release +# $ rhpkg mockbuild --without slowdebug --without fastdebug # +# Enable fastdebug builds by default on relevant arches. +%bcond_without fastdebug # Enable slowdebug builds by default on relevant arches. %bcond_without slowdebug # Enable release builds by default on relevant arches. @@ -32,13 +31,16 @@ # See https://github.com/rpm-software-management/rpm/issues/127 to comments at "pmatilai commented on Aug 18, 2017" # (initiated in https://bugzilla.redhat.com/show_bug.cgi?id=1482192) %global debug_suffix_unquoted -slowdebug +%global fastdebug_suffix_unquoted -fastdebug # quoted one for shell operations %global debug_suffix "%{debug_suffix_unquoted}" +%global fastdebug_suffix "%{fastdebug_suffix_unquoted}" %global normal_suffix "" -# if you want only debug build but providing java build only normal build but set normalbuild_parameter -%global debug_warning This package has full debug on. Install only in need and remove asap. +%global debug_warning This package is unoptimised with full debugging. Install only as needed and remove ASAP. %global debug_on with full debug on +%global fastdebug_warning This package is optimised with full debugging. Install only as needed and remove ASAP. +%global for_fastdebug_on with minimal debug on %global for_debug for packages with debug on %if %{with release} @@ -48,9 +50,9 @@ %endif %if %{include_normal_build} -%global build_loop1 %{normal_suffix} +%global normal_build %{normal_suffix} %else -%global build_loop1 %{nil} +%global normal_build %{nil} %endif %global aarch64 aarch64 arm64 armv8 @@ -60,6 +62,8 @@ %global multilib_arches %{power64} sparc64 x86_64 %global jit_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} %global sa_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} +%global jfr_arches x86_64 sparcv9 sparc64 %{aarch64} ${power64} +%global fastdebug_arches x86_64 # By default, we build a debug build during main build on JIT architectures %if %{with slowdebug} @@ -76,17 +80,32 @@ %global include_debug_build 0 %endif +# By default, we build a fastdebug build during main build only on fastdebug architectures +%if %{with fastdebug} +%ifarch %{fastdebug_arches} +%global include_fastdebug_build 1 +%else +%global include_fastdebug_build 0 +%endif +%endif + %if %{include_debug_build} -%global build_loop2 %{debug_suffix} +%global slowdebug_build %{debug_suffix} +%else +%global slowdebug_build %{nil} +%endif + +%if %{include_fastdebug_build} +%global fastdebug_build %{fastdebug_suffix} %else -%global build_loop2 %{nil} +%global fastdebug_build %{nil} %endif -# if you disable both builds, then the build fails -%global build_loop %{build_loop1} %{build_loop2} -# note: that order: normal_suffix debug_suffix, in case of both enabled -# is expected in one single case at the end of the build -%global rev_build_loop %{build_loop2} %{build_loop1} +# If you disable both builds, then the build fails +# Note that the debug build requires the normal build for docs +%global build_loop %{normal_build} %{fastdebug_build} %{slowdebug_build} +# Test slowdebug first as it provides the best diagnostics +%global rev_build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build} %ifarch %{jit_arches} %global bootstrap_build 1 @@ -139,47 +158,61 @@ # In some cases, the arch used by the JDK does # not match _arch. # Also, in some cases, the machine name used by SystemTap -# does not match that given by _build_cpu +# does not match that given by _target_cpu %ifarch x86_64 %global archinstall amd64 +%global stapinstall x86_64 %endif %ifarch ppc %global archinstall ppc +%global stapinstall powerpc %endif %ifarch %{ppc64be} %global archinstall ppc64 +%global stapinstall powerpc %endif %ifarch %{ppc64le} %global archinstall ppc64le +%global stapinstall powerpc %endif %ifarch %{ix86} %global archinstall i386 +%global stapinstall i386 %endif %ifarch ia64 %global archinstall ia64 +%global stapinstall ia64 %endif %ifarch s390 %global archinstall s390 +%global stapinstall s390 %endif %ifarch s390x %global archinstall s390x +%global stapinstall s390 %endif %ifarch %{arm} %global archinstall arm +%global stapinstall arm %endif %ifarch %{aarch64} %global archinstall aarch64 +%global stapinstall arm64 %endif # 32 bit sparc, optimized for v9 %ifarch sparcv9 %global archinstall sparc +%global stapinstall %{_target_cpu} %endif # 64 bit sparc %ifarch sparc64 %global archinstall sparcv9 +%global stapinstall %{_target_cpu} %endif -%ifnarch %{jit_arches} -%global archinstall %{_arch} +# Need to support noarch for srpm build +%ifarch noarch +%global archinstall %{nil} +%global stapinstall %{nil} %endif %ifarch %{jit_arches} @@ -198,11 +231,13 @@ # note, following three variables are sedded from update_sources if used correctly. Hardcode them rather there. %global shenandoah_project aarch64-port %global shenandoah_repo jdk8u-shenandoah -%global shenandoah_revision aarch64-shenandoah-jdk8u232-b09 +%global shenandoah_revision aarch64-shenandoah-jdk8u262-b03-shenandoah-merge-2020-05-20 # Define old aarch64/jdk8u tree variables for compatibility %global project %{shenandoah_project} %global repo %{shenandoah_repo} %global revision %{shenandoah_revision} +# Define IcedTea version used for SystemTap tapsets and desktop files +%global icedteaver 3.15.0 # e.g. aarch64-shenandoah-jdk8u212-b04-shenandoah-merge-2019-04-30 -> aarch64-shenandoah-jdk8u212-b04 %global version_tag %(VERSION=%{revision}; echo ${VERSION%%-shenandoah-merge*}) @@ -212,12 +247,12 @@ %global updatever %(VERSION=%{whole_update}; echo ${VERSION##*u}) # eg jdk8u60-b27 -> b27 %global buildver %(VERSION=%{version_tag}; echo ${VERSION##*-}) -%global rpmrelease 3 +%global rpmrelease 2 # Define milestone (EA for pre-releases, GA ("fcs") for releases) # Release will be (where N is usually a number starting at 1): # - 0.N%%{?extraver}%%{?dist} for EA releases, # - N%%{?extraver}{?dist} for GA releases -%global is_ga 1 +%global is_ga 0 %if %{is_ga} %global milestone fcs %global milestone_version %{nil} @@ -266,10 +301,10 @@ # and 32 bit architectures we place the tapsets under the arch # specific dir (note that systemtap will only pickup the tapset # for the primary arch for now). Systemtap uses the machine name -# aka build_cpu as architecture specific directory name. +# aka target_cpu as architecture specific directory name. %global tapsetroot /usr/share/systemtap %global tapsetdirttapset %{tapsetroot}/tapset/ -%global tapsetdir %{tapsetdirttapset}/%{_build_cpu} +%global tapsetdir %{tapsetdirttapset}/%{stapinstall} %endif # not-duplicated scriptlets for normal/debug packages @@ -401,6 +436,7 @@ alternatives \\ --slave %{_bindir}/jconsole jconsole %{sdkbindir -- %{?1}}/jconsole \\ --slave %{_bindir}/jdb jdb %{sdkbindir -- %{?1}}/jdb \\ --slave %{_bindir}/jdeps jdeps %{sdkbindir -- %{?1}}/jdeps \\ + --slave %{_bindir}/jfr jfr %{sdkbindir -- %{?1}}/jfr \\ --slave %{_bindir}/jhat jhat %{sdkbindir -- %{?1}}/jhat \\ --slave %{_bindir}/jinfo jinfo %{sdkbindir -- %{?1}}/jinfo \\ --slave %{_bindir}/jmap jmap %{sdkbindir -- %{?1}}/jmap \\ @@ -562,6 +598,7 @@ exit 0 %license %{buildoutputdir -- %{?1}}/images/%{jdkimage}/jre/ASSEMBLY_EXCEPTION %license %{buildoutputdir -- %{?1}}/images/%{jdkimage}/jre/LICENSE %license %{buildoutputdir -- %{?1}}/images/%{jdkimage}/jre/THIRD_PARTY_README +%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/NEWS %dir %{_jvmdir}/%{sdkdir -- %{?1}} %{_jvmdir}/%{jrelnk -- %{?1}} %dir %{_jvmdir}/%{jredir -- %{?1}}/lib/security @@ -659,7 +696,7 @@ exit 0 %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libnet.so %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libnio.so %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libnpt.so -%ifarch x86_64 %{ix86} %{aarch64} +%ifarch %{sa_arches} %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libsaproc.so %endif %{_jvmdir}/%{jredir -- %{?1}}/lib/%{archinstall}/libsctp.so @@ -699,12 +736,20 @@ exit 0 %{_jvmdir}/%{jredir -- %{?1}}/lib/ext/sunjce_provider.jar %{_jvmdir}/%{jredir -- %{?1}}/lib/ext/sunpkcs11.jar %{_jvmdir}/%{jredir -- %{?1}}/lib/ext/zipfs.jar +%ifarch %{jfr_arches} +%{_jvmdir}/%{jredir -- %{?1}}/lib/jfr.jar +%{_jvmdir}/%{jredir -- %{?1}}/lib/jfr/default.jfc +%{_jvmdir}/%{jredir -- %{?1}}/lib/jfr/profile.jfc +%endif %dir %{_jvmdir}/%{jredir -- %{?1}}/lib/images %dir %{_jvmdir}/%{jredir -- %{?1}}/lib/images/cursors %dir %{_jvmdir}/%{jredir -- %{?1}}/lib/management %dir %{_jvmdir}/%{jredir -- %{?1}}/lib/cmm %dir %{_jvmdir}/%{jredir -- %{?1}}/lib/ext +%ifarch %{jfr_arches} +%dir %{_jvmdir}/%{jredir -- %{?1}}/lib/jfr +%endif } %define files_devel() %{expand: @@ -732,6 +777,7 @@ exit 0 %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jconsole %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdb %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdeps +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jfr %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jhat %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jinfo %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jjs @@ -1025,15 +1071,18 @@ URL: http://openjdk.java.net/ # FILE_NAME_ROOT=%%{shenandoah_project}-%%{shenandoah_repo}-${VERSION} # REPO_ROOT= generate_source_tarball.sh # where the source is obtained from http://hg.openjdk.java.net/%%{project}/%%{repo} -Source0: %{shenandoah_project}-%{shenandoah_repo}-%{shenandoah_revision}.tar.xz +Source0: %{shenandoah_project}-%{shenandoah_repo}-%{shenandoah_revision}-4curve.tar.xz # Custom README for -src subpackage Source2: README.md +# Release notes +Source7: NEWS -# run update_systemtap.sh to regenerate or update systemtap sources -# update_package.sh contains hard-coded repos, revisions, tags, and projects to regenerate the source archives -Source8: systemtap_3.2_tapsets_hg-icedtea8-9d464368e06d.tar.xz +# Use 'icedtea_sync.sh' to update the following +# They are based on code contained in the IcedTea project (3.x). +# Systemtap tapsets. Zipped up to keep it small. +Source8: tapsets-icedtea-%{icedteaver}.tar.xz # Desktop files. Adapted from IcedTea Source9: jconsole.desktop.in @@ -1080,6 +1129,8 @@ Patch534: rh1648246-always_instruct_vm_to_assume_multiple_processors_are_availab Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch # RH1655466: Support RHEL FIPS mode using SunPKCS11 provider Patch1001: rh1655466-global_crypto_and_fips.patch +# RH1760838: No ciphersuites available for SSLSocket in FIPS mode +Patch1002: rh1760838-fips_default_keystore_type.patch ############################################# # @@ -1099,18 +1150,18 @@ Patch512: rh1649664-awt2dlibraries_compiled_with_no_strict_overflow.patch Patch523: pr2974-rh1337583-add_systemlineendings_option_to_keytool_and_use_line_separator_instead_of_crlf_in_pkcs10.patch # PR3083, RH1346460: Regression in SSL debug output without an ECC provider Patch528: pr3083-rh1346460-for_ssl_debug_return_null_instead_of_exception_when_theres_no_ecc_provider.patch -# RH1566890: CVE-2018-3639 -Patch529: rh1566890-CVE_2018_3639-speculative_store_bypass.patch -Patch531: rh1566890-CVE_2018_3639-speculative_store_bypass_toggle.patch # PR3601: Fix additional -Wreturn-type issues introduced by 8061651 Patch530: pr3601-fix_additional_Wreturn_type_issues_introduced_by_8061651_for_prims_jvm_cpp.patch # PR2888: OpenJDK should check for system cacerts database (e.g. /etc/pki/java/cacerts) # PR3575, RH1567204: System cacerts database handling should not affect jssecacerts Patch539: pr2888-openjdk_should_check_for_system_cacerts_database_eg_etc_pki_java_cacerts.patch # PR3183, RH1340845: Support Fedora/RHEL8 system crypto policy -Patch300: pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch +Patch400: pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch # PR3655: Allow use of system crypto policy to be disabled by the user -Patch301: pr3655-toggle_system_crypto_policy.patch +Patch401: pr3655-toggle_system_crypto_policy.patch +# RH1566890: CVE-2018-3639 +Patch529: rh1566890-CVE_2018_3639-speculative_store_bypass.patch +Patch531: rh1566890-CVE_2018_3639-speculative_store_bypass_toggle.patch ############################################# # @@ -1145,7 +1196,7 @@ Patch107: s390-8214206_fix.patch # This fixes printf warnings that lead to build failure with -Werror=format-security from optflags Patch502: pr2462-resolve_disabled_warnings_for_libunpack_and_the_unpack200_binary.patch # S8154313: Generated javadoc scattered all over the place -Patch400: jdk8154313-generated_javadoc_scattered_all_over_the_place.patch +Patch578: jdk8154313-generated_javadoc_scattered_all_over_the_place.patch # PR3591: Fix for bug 3533 doesn't add -mstackrealign to JDK code Patch571: jdk8199936-pr3591-enable_mstackrealign_on_x86_linux_as_well_as_x86_mac_os_x_jdk.patch # 8143245, PR3548: Zero build requires disabled warnings @@ -1160,6 +1211,11 @@ Patch102: jdk8203030-zero_s390_31_bit_size_t_type_conflicts_in_shared_code.patch Patch202: jdk8035341-allow_using_system_installed_libpng.patch # 8042159: Allow using a system-installed lcms2 Patch203: jdk8042159-allow_using_system_installed_lcms2.patch +# JDK-8165996, PR3506, RH1760437: PKCS11 using NSS throws an error regarding secmod.db when NSS uses sqlite +# RPM version excludes binary diffs and a patch to PKCS11Test.java which creates a lengthy bug trail +Patch579: jdk8165996-pr3506-rh1760437-nss_sqlite_db.patch +# JDK-8195607, PR3776, RH1760437: sun/security/pkcs11/Secmod/TestNssDbSqlite.java failed with "NSS initialization failed" on NSS 3.34.1 +Patch580: jdk8195607-pr3776-rh1760437-nss_sqlite_db_config.patch ############################################# # @@ -1272,6 +1328,17 @@ The %{origin_nice} runtime environment %{majorver}. %{debug_warning} %endif +%if %{include_fastdebug_build} +%package fastdebug +Summary: %{origin_nice} Runtime Environment %{majorver} %{fastdebug_on} +Group: Development/Languages + +%{java_rpo -- %{fastdebug_suffix_unquoted}} +%description fastdebug +The %{origin_nice} runtime environment. +%{fastdebug_warning} +%endif + %if %{include_normal_build} %package headless Summary: %{origin_nice} Headless Runtime Environment %{majorver} @@ -1295,6 +1362,18 @@ The %{origin_nice} runtime environment %{majorver} without audio and video suppo %{debug_warning} %endif +%if %{include_fastdebug_build} +%package headless-fastdebug +Summary: %{origin_nice} Runtime Environment %{fastdebug_on} +Group: Development/Languages + +%{java_headless_rpo -- %{fastdebug_suffix_unquoted}} + +%description headless-fastdebug +The %{origin_nice} runtime environment %{majorver} without audio and video support. +%{fastdebug_warning} +%endif + %if %{include_normal_build} %package devel Summary: %{origin_nice} Development Environment %{majorver} @@ -1318,6 +1397,18 @@ The %{origin_nice} development tools %{majorver}. %{debug_warning} %endif +%if %{include_fastdebug_build} +%package devel-fastdebug +Summary: %{origin_nice} Development Environment %{majorver} %{fastdebug_on} +Group: Development/Tools + +%{java_devel_rpo -- %{fastdebug_suffix_unquoted}} + +%description devel-fastdebug +The %{origin_nice} development tools %{majorver}. +%{fastdebug_warning} +%endif + %if %{include_normal_build} %package demo Summary: %{origin_nice} Demos %{majorver} @@ -1341,6 +1432,18 @@ The %{origin_nice} demos %{majorver}. %{debug_warning} %endif +%if %{include_fastdebug_build} +%package demo-fastdebug +Summary: %{origin_nice} Demos %{majorver} %{fastdebug_on} +Group: Development/Languages + +%{java_demo_rpo -- %{fastdebug_suffix_unquoted}} + +%description demo-fastdebug +The %{origin_nice} demos %{majorver}. +%{fastdebug_warning} +%endif + %if %{include_normal_build} %package src Summary: %{origin_nice} Source Bundle %{majorver} @@ -1365,6 +1468,18 @@ The java-%{origin}-src-slowdebug sub-package contains the complete %{origin_nice class library source code for use by IDE indexers and debuggers. Debugging %{for_debug}. %endif +%if %{include_fastdebug_build} +%package src-fastdebug +Summary: %{origin_nice} Source Bundle %{majorver} %{for_fastdebug} +Group: Development/Languages + +%{java_src_rpo -- %{fastdebug_suffix_unquoted}} + +%description src-fastdebug +The java-%{origin}-src-fastdebug sub-package contains the complete %{origin_nice} %{majorver} + class library source code for use by IDE indexers and debuggers. Debugging %{for_fastdebug}. +%endif + %if %{include_normal_build} %package javadoc Summary: %{origin_nice} %{majorver} API documentation @@ -1377,9 +1492,7 @@ BuildArch: noarch %description javadoc The %{origin_nice} %{majorver} API documentation. -%endif -%if %{include_normal_build} %package javadoc-zip Summary: %{origin_nice} %{majorver} API documentation compressed in single archive Group: Documentation @@ -1390,10 +1503,8 @@ BuildArch: noarch %{java_javadoc_rpo %{nil}} %description javadoc-zip -The %{origin_nice} %{majorver} API documentation compressed in single archive. -%endif +The %{origin_nice} %{majorver} API documentation compressed in a single archive. -%if %{include_normal_build} %package accessibility Summary: %{origin_nice} %{majorver} accessibility connector @@ -1420,23 +1531,51 @@ Summary: %{origin_nice} %{majorver} accessibility connector %{for_debug} See normal java-%{version}-openjdk-accessibility description. %endif +%if %{include_fastdebug_build} +%package accessibility-fastdebug +Summary: %{origin_nice} %{majorver} accessibility connector %{for_fastdebug} + +%{java_accessibility_rpo -- %{fastdebug_suffix_unquoted}} + +%description accessibility-fastdebug +See normal java-%{version}-openjdk-accessibility description. +%endif + %prep + +# Using the echo macro breaks rpmdev-bumpspec, as it parses the first line of stdout :-( +%if 0%{?stapinstall:1} + echo "CPU: %{_target_cpu}, arch install directory: %{archinstall}, SystemTap install directory: %{stapinstall}" +%else + %{error:Unrecognised architecture %{_target_cpu}} +%endif + if [ %{include_normal_build} -eq 0 -o %{include_normal_build} -eq 1 ] ; then echo "include_normal_build is %{include_normal_build}" else - echo "include_normal_build is %{include_normal_build}, thats invalid. Use 1 for yes or 0 for no" + echo "include_normal_build is %{include_normal_build}, that is invalid. Use 1 for yes or 0 for no" exit 11 fi if [ %{include_debug_build} -eq 0 -o %{include_debug_build} -eq 1 ] ; then echo "include_debug_build is %{include_debug_build}" else - echo "include_debug_build is %{include_debug_build}, thats invalid. Use 1 for yes or 0 for no" + echo "include_debug_build is %{include_debug_build}, that is invalid. Use 1 for yes or 0 for no" exit 12 fi -if [ %{include_debug_build} -eq 0 -a %{include_normal_build} -eq 0 ] ; then - echo "You have disabled both include_debug_build and include_normal_build. That is a no go." +if [ %{include_fastdebug_build} -eq 0 -o %{include_fastdebug_build} -eq 1 ] ; then + echo "include_fastdebug_build is %{include_fastdebug_build}" +else + echo "include_fastdebug_build is %{include_fastdebug_build}, that is invalid. Use 1 for yes or 0 for no" exit 13 fi +if [ %{include_debug_build} -eq 0 -a %{include_normal_build} -eq 0 -a %{include_fastdebug_build} -eq 0 ] ; then + echo "You have disabled all builds (normal,fastdebug,debug). That is a no go." + exit 14 +fi +if [ %{include_normal_build} -eq 0 ] ; then + echo "You have disabled the normal build, but this is required to provide docs for the debug build." + exit 15 +fi echo "Update version: %{updatever}" echo "Build number: %{buildver}" @@ -1471,8 +1610,8 @@ sh %{SOURCE12} %patch203 # System security policy fixes -%patch300 -%patch301 +%patch400 +%patch401 %patch1 %patch3 @@ -1493,21 +1632,24 @@ sh %{SOURCE12} %patch502 %patch504 %patch512 -%patch400 +%patch578 %patch523 %patch528 +%patch530 %patch529 %patch531 -%patch530 %patch571 %patch574 %patch575 %patch577 +%patch579 +%patch580 # RPM-only fixes %patch539 %patch1000 %patch1001 +%patch1002 # RHEL-only patches %if ! 0%{?fedora} && 0%{?rhel} <= 7 @@ -1522,11 +1664,14 @@ tar --strip-components=1 -x -I xz -f %{SOURCE8} %if %{include_debug_build} cp -r tapset tapset%{debug_suffix} %endif +%if %{include_fastdebug_build} +cp -r tapset tapset%{fastdebug_suffix} +%endif for suffix in %{build_loop} ; do for file in "tapset"$suffix/*.in; do - OUTPUT_FILE=`echo $file | sed -e "s:\.stp\.in$:%{version}-%{release}.%{_arch}.stp:g"` + OUTPUT_FILE=`echo $file | sed -e "s:\.stp\.in$:-%{version}-%{release}.%{_arch}.stp:g"` sed -e "s:@ABS_SERVER_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/jre/lib/%{archinstall}/server/libjvm.so:g" $file > $file.1 # TODO find out which architectures other than i686 have a client vm %ifarch %{ix86} @@ -1543,16 +1688,19 @@ done %endif # Prepare desktop files +# The _X_ syntax indicates variables that are replaced by make upstream +# The @X@ syntax indicates variables that are replaced by configure upstream for suffix in %{build_loop} ; do for file in %{SOURCE9} %{SOURCE10} ; do FILE=`basename $file | sed -e s:\.in$::g` EXT="${FILE##*.}" NAME="${FILE%.*}" OUTPUT_FILE=$NAME$suffix.$EXT - sed -e "s:@JAVA_HOME@:%{sdkbindir -- $suffix}:g" $file > $OUTPUT_FILE - sed -i -e "s:@JRE_HOME@:%{jrebindir -- $suffix}:g" $OUTPUT_FILE - sed -i -e "s:@ARCH@:%{version}-%{release}.%{_arch}$suffix:g" $OUTPUT_FILE - sed -i -e "s:@JAVA_MAJOR_VERSION@:%{javaver}:g" $OUTPUT_FILE + sed -e "s:_SDKBINDIR_:%{sdkbindir -- $suffix}:g" $file > $OUTPUT_FILE + sed -i -e "s:_JREBINDIR_:%{jrebindir -- $suffix}:g" $OUTPUT_FILE + sed -i -e "s:@target_cpu@:%{_arch}:g" $OUTPUT_FILE + sed -i -e "s:@OPENJDK_VER@:%{version}-%{release}.%{_arch}$suffix:g" $OUTPUT_FILE + sed -i -e "s:@JAVA_VER@:%{javaver}:g" $OUTPUT_FILE sed -i -e "s:@JAVA_VENDOR@:%{origin}:g" $OUTPUT_FILE done done @@ -1590,7 +1738,8 @@ EXTRA_CPP_FLAGS="%ourcppflags" # fix rpmlint warnings EXTRA_CFLAGS="$EXTRA_CFLAGS -fno-strict-aliasing" %endif -export EXTRA_CFLAGS +EXTRA_ASFLAGS="${EXTRA_CFLAGS} -Wa,--generate-missing-build-notes=yes" +export EXTRA_CFLAGS EXTRA_ASFLAGS (cd %{top_level_dir_name}/common/autoconf bash ./autogen.sh @@ -1611,6 +1760,9 @@ mkdir -p %{buildoutputdir -- $suffix} pushd %{buildoutputdir -- $suffix} bash ../../configure \ +%ifarch %{jfr_arches} + --enable-jfr \ +%endif %ifnarch %{jit_arches} --with-jvm-variants=zero \ %endif @@ -1629,6 +1781,7 @@ bash ../../configure \ --with-stdc++lib=dynamic \ --with-extra-cxxflags="$EXTRA_CPP_FLAGS" \ --with-extra-cflags="$EXTRA_CFLAGS" \ + --with-extra-asflags="$EXTRA_ASFLAGS" \ --with-extra-ldflags="%{ourldflags}" \ --with-num-cores="$NUM_PROC" @@ -1848,10 +2001,15 @@ if ! echo $suffix | grep -q "debug" ; then # Install Javadoc documentation install -d -m 755 $RPM_BUILD_ROOT%{_javadocdir} cp -a %{buildoutputdir -- $suffix}/docs $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix} - built_doc_archive=`echo "jdk-%{javaver}_%{updatever}%{milestone_version}$suffix-%{buildver}-docs.zip" | sed s/slowdebug/debug/` + built_doc_archive=jdk-%{javaver}_%{updatever}%{milestone_version}$suffix-%{buildver}-docs.zip cp -a %{buildoutputdir -- $suffix}/bundles/$built_doc_archive $RPM_BUILD_ROOT%{_javadocdir}/%{uniquejavadocdir -- $suffix}.zip fi +# Install release notes +commondocdir=${RPM_BUILD_ROOT}%{_defaultdocdir}/%{uniquejavadocdir -- $suffix} +install -d -m 755 ${commondocdir} +cp -a %{SOURCE7} ${commondocdir} + # Install icons and menu entries for s in 16 24 32 48 ; do install -D -p -m 644 \ @@ -2034,6 +2192,33 @@ require "copy_jdk_configs.lua" %endif +%if %{include_fastdebug_build} +%post fastdebug +%{post_script -- %{fastdebug_suffix_unquoted}} + +%post headless-fastdebug +%{post_headless -- %{fastdebug_suffix_unquoted}} + +%postun fastdebug +%{postun_script -- %{fastdebug_suffix_unquoted}} + +%postun headless-fastdebug +%{postun_headless -- %{fastdebug_suffix_unquoted}} + +%posttrans fastdebug +%{posttrans_script -- %{fastdebug_suffix_unquoted}} + +%post devel-fastdebug +%{post_devel -- %{fastdebug_suffix_unquoted}} + +%postun devel-fastdebug +%{postun_devel -- %{fastdebug_suffix_unquoted}} + +%posttrans devel-fastdebug +%{posttrans_devel -- %{fastdebug_suffix_unquoted}} + +%endif + %if %{include_normal_build} %files # main package builds always @@ -2062,9 +2247,8 @@ require "copy_jdk_configs.lua" %files javadoc %{files_javadoc %{nil}} -# this puts huge file to /usr/share -# unluckily ti is really a documentation file -# and unluckily it really is architecture-dependent, as eg. aot and grail are now x86_64 only +# This puts a huge documentation file in /usr/share +# It is now architecture-dependent, as eg. AOT and Graal are now x86_64 only # same for debug variant %files javadoc-zip %{files_javadoc_zip %{nil}} @@ -2093,7 +2277,190 @@ require "copy_jdk_configs.lua" %{files_accessibility -- %{debug_suffix_unquoted}} %endif +%if %{include_fastdebug_build} +%files fastdebug +%{files_jre -- %{fastdebug_suffix_unquoted}} + +%files headless-fastdebug +%{files_jre_headless -- %{fastdebug_suffix_unquoted}} + +%files devel-fastdebug +%{files_devel -- %{fastdebug_suffix_unquoted}} + +%files demo-fastdebug -f %{name}-demo.files-fastdebug +%{files_demo -- %{fastdebug_suffix_unquoted}} + +%files src-fastdebug +%{files_src -- %{fastdebug_suffix_unquoted}} + +%files accessibility-fastdebug +%{files_accessibility -- %{fastdebug_suffix_unquoted}} +%endif + %changelog +* Wed Jun 24 2020 Andrew Hughes - 1:1.8.0.262.b03-0.2.ea +- Update to aarch64-shenandoah-jdk8u262-b03-shenandoah-merge-2020-05-20. +- Resolves: rhbz#1838811 + +* Tue Jun 23 2020 Andrew Hughes - 1:1.8.0.262.b03-0.1.ea +- Update to aarch64-shenandoah-jdk8u262-b03. +- Resolves: rhbz#1838811 + +* Mon Jun 22 2020 Andrew Hughes - 1:1.8.0.262.b02-0.2.ea +- Introduce jfr_arches for architectures which support JFR. +- Fix path to jfr.jar. +- Use sa_arches for libsaproc.so inclusion. +- Resolves: rhbz#1838811 + +* Mon Jun 22 2020 Andrew Hughes - 1:1.8.0.262.b02-0.2.ea +- Explicitly list jfr.jar, default.jfc & profile.jfc in the spec file. +- Resolves: rhbz#1838811 + +* Sun Jun 21 2020 Andrew Hughes - 1:1.8.0.262.b02-0.2.ea +- Enable JFR in our builds, ahead of upstream default. +- Only enable JFR for JIT builds, as it is not supported with Zero. +- Turn off JFR on x86 for now due to assert(SerializePageShiftCount == count) crash. +- Resolves: rhbz#1838811 + +* Sun Jun 21 2020 Andrew Hughes - 1:1.8.0.262.b02-0.1.ea +- Update to aarch64-shenandoah-jdk8u262-b02. +- Resolves: rhbz#1838811 + +* Sat Jun 20 2020 Andrew Hughes - 1:1.8.0.262.b01-0.1.ea +- Update to aarch64-shenandoah-jdk8u262-b01. +- Switch to EA mode. +- Adjust JDK-8143245/PR3548 patch following context changes due to JDK-8203287 for JFR +- Adjust RH1648644 following context changes due to introduction of JFR packages +- Add jfr binary to devel package and alternatives set +- Resolves: rhbz#1838811 + +* Tue Jun 02 2020 Andrew John Hughes - 1:1.8.0.252.b09-7 +- Enable alignment with FIPS crypto policy by default (-Dcom.redhat.fips=false to disable). +- Resolves: rhbz#1655466 + +* Mon Jun 01 2020 Andrew John Hughes - 1:1.8.0.252.b09-6 +- Use appropriate keystore types when in FIPS mode. +- Resolves: rhbz#1760838 + +* Fri May 22 2020 Andrew John Hughes - 1:1.8.0.252.b09-5 +- Add support for fastdebug builds on x86_64 only. +- Drop redundant slowdebug/debug sed invocation on the docs zip filename as it is only now built for non-debug. +- Resolves: rhbz#1836067 + +* Wed Apr 22 2020 Andrew John Hughes - 1:1.8.0.252.b09-4 +- Bump release number for RHEL 8.3.0. +- Resolves: rhbz#1810557 + +* Sun Apr 19 2020 Andrew Hughes - 1:1.8.0.252.b09-3 +- Add release notes. +- Resolves: rhbz#1810557 + +* Sun Apr 19 2020 Andrew Hughes - 1:1.8.0.252.b09-2 +- Make use of --with-extra-asflags introduced in jdk8u252-b01. +- Resolves: rhbz#1810557 + +* Mon Apr 06 2020 Andrew Hughes - 1:1.8.0.252.b09-1 +- Update to aarch64-shenandoah-jdk8u252-b09. +- Switch to GA mode for final release. +- Resolves: rhbz#1810557 + +* Wed Apr 01 2020 Andrew Hughes - 1:1.8.0.252.b08-0.1.ea +- Update to aarch64-shenandoah-jdk8u252-b08. +- Resolves: rhbz#1810557 + +* Wed Apr 01 2020 Andrew Hughes - 1:1.8.0.252.b07-0.1.ea +- Update to aarch64-shenandoah-jdk8u252-b07. +- Resolves: rhbz#1810557 + +* Wed Apr 01 2020 Andrew Hughes - 1:1.8.0.252.b06-0.1.ea +- Update to aarch64-shenandoah-jdk8u252-b06. +- Resolves: rhbz#1810557 + +* Wed Apr 01 2020 Andrew Hughes - 1:1.8.0.252.b05-0.1.ea +- Update to aarch64-shenandoah-jdk8u252-b05. +- Resolves: rhbz#1810557 + +* Wed Apr 01 2020 Andrew Hughes - 1:1.8.0.252.b04-0.1.ea +- Update to aarch64-shenandoah-jdk8u252-b04. +- Resolves: rhbz#1810557 + +* Wed Apr 01 2020 Andrew Hughes - 1:1.8.0.252.b03-0.1.ea +- Update to aarch64-shenandoah-jdk8u252-b03. +- Adjust PR2974/RH1337583 & PR3083/RH1346460 following context changes in JDK-8230978 +- Resolves: rhbz#1810557 + +* Wed Apr 01 2020 Andrew Hughes - 1:1.8.0.252.b02-0.1.ea +- Update to aarch64-shenandoah-jdk8u252-b02. +- Resolves: rhbz#1810557 + +* Wed Apr 01 2020 Andrew Hughes - 1:1.8.0.252.b01-0.1.ea +- Update to aarch64-shenandoah-jdk8u252-b01. +- Switch to EA mode. +- Adjust JDK-8199936/PR3533 patch following JDK-8227397 configure change +- Resolves: rhbz#1810557 + +* Fri Mar 27 2020 Andrew John Hughes - 1:1.8.0.242.b08-4 +- Need to support noarch for creating source RPMs for non-scratch builds. +- Resolves: rhbz#1737112 + +* Tue Mar 24 2020 Andrew John Hughes - 1:1.8.0.242.b08-4 +- Introduce stapinstall variable to set SystemTap arch directory correctly (e.g. arm64 on aarch64) +- Resolves: rhbz#1737112 + +* Mon Feb 24 2020 Andrew John Hughes - 1:1.8.0.242.b08-3 +- Add JDK-8165996/PR3506 & JDK-8195607/PR3776 to support NSS SQLite databases. +- Resolves: rhbz#1760437 + +* Sun Feb 23 2020 Andrew John Hughes - 1:1.8.0.242.b08-2 +- Sync SystemTap & desktop files with upstream IcedTea release 3.15.0, removing previous workarounds +- Resolves: rhbz#1737112 + +* Sun Feb 23 2020 Andrew John Hughes - 1:1.8.0.242.b08-2 +- Sync SystemTap & desktop files with upstream IcedTea release 3.11.0 using new script +- Resolves: rhbz#1737112 + +* Wed Jan 15 2020 Andrew Hughes - 1:1.8.0.242.b08-1 +- Update to aarch64-shenandoah-jdk8u242-b08. +- Remove local copies of JDK-8031111 & JDK-8132111 as replaced by upstream versions. +- Resolves: rhbz#1785753 + +* Wed Jan 15 2020 Andrew John Hughes - 1:1.8.0.242.b07-2 +- Add backports of JDK-8031111 & JDK-8132111 to fix TCK issue. +- Resolves: rhbz#1785753 + +* Mon Jan 13 2020 Andrew Hughes - 1:1.8.0.242.b07-1 +- Update to aarch64-shenandoah-jdk8u242-b07. +- Switch to GA mode for final release. +- Remove Shenandoah S390 patch which is now included upstream as JDK-8236829. +- Resolves: rhbz#1785753 + +* Sun Jan 05 2020 Andrew Hughes - 1:1.8.0.242.b05-0.1.ea +- Update to aarch64-shenandoah-jdk8u242-b05. +- Attempt to fix Shenandoah formatting failures on S390, introduced by JDK-8232102. +- Revise b05 snapshot to include JDK-8236178. +- Add additional Shenandoah formatting fixes revealed by successful -Wno-error=format run +- Resolves: rhbz#1785753 + +* Sat Jan 04 2020 Andrew Hughes - 1:1.8.0.242.b01-0.1.ea +- Update to aarch64-shenandoah-jdk8u242-b01. +- Switch to EA mode. +- Resolves: rhbz#1785753 + +* Sat Jan 04 2020 Andrew Hughes - 1:1.8.0.232.b09-6 +- Update generate_source_tarball.sh script to use the PR3756 patch and retain the secp256k1 curve. +- Regenerate source tarball using the updated script and add the -'4curve' suffix. +- Resolves: rhbz#1746879 + +* Thu Jan 02 2020 Andrew Hughes - 1:1.8.0.232.b09-5 +- Revert SSBD removal for now, until appropriate messaging has been decided. +- Resolves: rhbz#1750419 + +* Tue Dec 24 2019 Andrew John Hughes - 1:1.8.0.232.b09-4 +- Remove CVE-2018-3639 mitigation due to performance regression and + OpenJDK position on speculative execution vulnerabilities. + https://mail.openjdk.java.net/pipermail/vuln-announce/2019-July/000002.html +- Resolves: rhbz#1750419 + * Thu Nov 14 2019 Andrew John Hughes - 1:1.8.0.232.b09-3 - Bump release number for RHEL 8.2.0. - Resolves: rhbz#1753423