already exists"
+ - JDK-8238175: CTW: Class.getDeclaredMethods fails with assert(k->is_subclass_of(SystemDictionary::Throwable_klass())) failed: invalid exception class
+ - JDK-8238567: SoftMainMixer.processAudioBuffers(): Wrong handling of stoppedMixers
+ - JDK-8238812: assert(false) failed: bad AD file
+ - JDK-8239312: [macos] javax/swing/JFrame/NSTexturedJFrame/NSTexturedJFrame.java
+ - JDK-8239386: handle ContendedPaddingWidth in vm_version_aarch64
+ - JDK-8239536: Can't use `java.util.List` object after importing `java.awt.List`
+ - JDK-8240487: Cleanup whitespace in .cc, .hh, .m, and .mm files
+ - JDK-8240848: ArrayIndexOutOfBoundsException buf for TextCallbackHandler
+ - JDK-8241082: Upgrade IANA Language Subtag Registry data to 03-16-2020 version
+ - JDK-8241087: Build failure with VS 2019 (16.5.0) due to C2039 and C2873
+ - JDK-8241101: [s390] jtreg test failure after JDK-8238696: not conformant features string
+ - JDK-8241248: NullPointerException in sun.security.ssl.HKDF.extract(HKDF.java:93)
+ - JDK-8241372: Several test failures due to javax.net.ssl.SSLException: Connection reset
+ - JDK-8241475: AArch64: Add missing support for PopCountVI node
+ - JDK-8241829: Cleanup the code for PrinterJob on windows
+ - JDK-8241960: The SHA3 message digests impl of SUN provider are not thread safe after cloned
+ - JDK-8242010: Upgrade IANA Language Subtag Registry to Version 2020-04-01
+ - JDK-8242429: Better implementation for sign extract
+ - JDK-8242557: Add length limit for strings in PNGImageWriter
+ - JDK-8242919: Paste locks up jshell
+ - JDK-8243155: AArch64: Add support for SqrtVF
+ - JDK-8243240: AArch64: Add support for MulVB
+ - JDK-8243452: JFR: Could not create chunk in repository with over 200 recordings
+ - JDK-8243559: Remove root certificates with 1024-bit keys
+ - JDK-8243597: AArch64: Add support for integer vector abs
+ - JDK-8244031: HttpClient should have more tests for HEAD requests
+ - JDK-8244205: HTTP/2 tunnel connections through proxy may be reused regardless of which proxy is selected
+ - JDK-8244847: Linux/PPC: runtime/CompressedOops/CompressedClassPointers: smallHeapTest fails
+ - JDK-8245511: G1 adaptive IHOP does not account for reclamation of humongous objects by young GC
+ - JDK-8246274: G1 old gen allocation tracking is not in a separate class
+ - JDK-8247354: [aarch64] PopFrame causes assert(oopDesc::is_oop(obj)) failed: not an oop
+ - JDK-8247408: IdealGraph bit check expression canonicalization
+ - JDK-8247432: Update IANA Language Subtag Registry to Version 2020-09-29
+ - JDK-8247438: JShell: When FailOverExecutionControlProvider fails the proximal cause is not shown
+ - JDK-8247753: UIManager.getSytemLookAndFeelClassName() returns wrong value on Fedora 32
+ - JDK-8248043: Need to eliminate excessive i2l conversions
+ - JDK-8248411: [aarch64] Insufficient error handling when CodeBuffer is exhausted
+ - JDK-8248568: compiler/c2/TestBit.java failed: test missing from stdout/stderr
+ - JDK-8248870: AARCH64: I2L/L2I conversions can be skipped for masked positive values
+ - JDK-8249142: java/awt/FontClass/CreateFont/DeleteFont.sh is unstable
+ - JDK-8249189: AARCH64: more L2I conversions can be skipped
+ - JDK-8249719: MethodHandle performance suffers from bad ResolvedMethodTable hash function
+ - JDK-8249875: GCC 10 warnings -Wtype-limits with JFR code
+ - JDK-8250635: MethodArityHistogram should use Compile_lock in favour of fancy checks
+ - JDK-8250876: Fix issues with cross-compile on macos
+ - JDK-8251031: Some vmTestbase/nsk/monitoring/RuntimeMXBean tests fail with hostnames starting from digits
+ - JDK-8251525: AARCH64: Faster Math.signum(fp)
+ - JDK-8252259: AArch64: Adjust default value of FLOATPRESSURE
+ - JDK-8252311: AArch64: save two words in itable lookup stub
+ - JDK-8252779: compiler/graalunit/HotspotTest.java failed after 8251525
+ - JDK-8252883: AccessDeniedException caused by delayed file deletion on Windows
+ - JDK-8253167: ARM32 builds fail after JDK-8247910
+ - JDK-8253572: [windows] CDS archive may fail to open with long file names
+ - JDK-8253923: C2 doesn't always run loop opts for compilations that include loops
+ - JDK-8253948: Memory leak in ImageFileReader
+ - JDK-8254631: Better support ALPN byte wire values in SunJSSE
+ - JDK-8254717: isAssignableFrom checks in KeyFactorySpi.engineGetKeySpec appear to be backwards
+ - JDK-8255086: Update the root locale display names
+ - JDK-8255625: AArch64: Implement Base64.encodeBlock accelerator/intrinsic
+ - JDK-8255763: C2: OSR miscompilation caused by invalid memory instruction placement
+ - JDK-8255992: JFR EventWriter does not use first string from StringPool with id 0
+ - JDK-8256037: [TESTBUG] com/sun/jndi/dns/ConfigTests/PortUnreachable.java fails due to the hard coded threshold is small
+ - JDK-8256244: java/lang/ProcessHandle/PermissionTest.java fails with TestNG 7.1
+ - JDK-8256287: [windows] add loop fuse to map_or_reserve_memory_aligned
+ - JDK-8256523: Streamline Java SHA2 implementation
+ - JDK-8257414: Drag n Drop target area is wrong on high DPI systems
+ - JDK-8257569: Failure observed with JfrVirtualMemory::initialize
+ - JDK-8257574: C2: "failed: parsing found no loops but there are some" assert failure
+ - JDK-8257580: Bump update version for OpenJDK: jdk-11.0.12
+ - JDK-8257604: JNI_ArgumentPusherVaArg leaks valist
+ - JDK-8257621: JFR StringPool misses cached items across consecutive recordings
+ - JDK-8257796: [TESTBUG] TestUseSHA512IntrinsicsOptionOnSupportedCPU.java fails on x86_32
+ - JDK-8257822: C2 crashes with SIGFPE due to a division that floats above its zero check
+ - JDK-8257828: SafeFetch may crash if invoked in non-JavaThreads
+ - JDK-8257853: Remove dependencies on JNF's JNI utility functions in AWT and 2D code
+ - JDK-8257858: [macOS]: Remove JNF dependency from libosxsecurity/KeystoreImpl.m
+ - JDK-8257860: [macOS]: Remove JNF dependency from libosxkrb5/SCDynamicStoreConfig.m
+ - JDK-8257988: Remove JNF dependency from libsaproc/MacosxDebuggerLocal.m
+ - JDK-8258414: OldObjectSample events too expensive
+ - JDK-8258505: [TESTBUG] TestDivZeroWithSplitIf.java fails due to missing UnlockDiagnosticVMOptions
+ - JDK-8258753: StartTlsResponse.close() hangs due to synchronization issues
+ - JDK-8259061: C2: assert(found) failed: memory-writing node is not placed in its original loop or an ancestor of it
+ - JDK-8259227: C2 crashes with SIGFPE due to a division that floats above its zero check
+ - JDK-8259232: Bad JNI lookup during printing
+ - JDK-8259276: C2: Empty expression stack when reexecuting tableswitch/lookupswitch instructions after deoptimization
+ - JDK-8259343: [macOS] Update JNI error handling in Cocoa code.
+ - JDK-8259585: Accessible actions do not work on mac os x
+ - JDK-8259651: [macOS] Replace JNF_COCOA_ENTER/EXIT macros
+ - JDK-8259662: Don't wrap SocketExceptions into SSLExceptions in SSLSocketImpl
+ - JDK-8259710: Inlining trace leaks memory
+ - JDK-8259729: Missed JNFInstanceOf -> IsInstanceOf conversion
+ - JDK-8259777: Incorrect predication condition generated by ADLC
+ - JDK-8259786: initialize last parameter of getpwuid_r
+ - JDK-8259843: initialize dli_fname array before calling dll_address_to_library_name
+ - JDK-8259869: [macOS] Remove desktop module dependencies on JNF Reference APIs
+ - JDK-8259886: Improve SSL session cache performance and scalability
+ - JDK-8259983: do not use uninitialized expand_ms value in G1CollectedHeap::expand_heap_after_young_collection
+ - JDK-8260030: Improve stringStream buffer handling
+ - JDK-8260236: better init AnnotationCollector _contended_group
+ - JDK-8260255: C1: LoopInvariantCodeMotion constructor can leave some fields uninitialized
+ - JDK-8260284: C2: assert(_base == Int) failed: Not an Int
+ - JDK-8260380: Upgrade to LittleCMS 2.12
+ - JDK-8260420: C2 compilation fails with assert(found_sfpt) failed: no node in loop that's not input to safepoint
+ - JDK-8260426: awt debug_mem.c DMem_AllocateBlock might leak memory
+ - JDK-8260432: allocateSpaceForGP in freetypeScaler.c might leak memory
+ - JDK-8260616: Removing remaining JNF dependencies in the java.desktop module
+ - JDK-8260653: Unreachable nodes keep speculative types alive
+ - JDK-8260707: java/lang/instrument/PremainClass/InheritAgent0100.java times out
+ - JDK-8260925: HttpsURLConnection does not work with other JSSE provider.
+ - JDK-8260926: Trace resource exhausted events unconditionally
+ - JDK-8261020: Wrong format parameter in create_emergency_chunk_path
+ - JDK-8261027: AArch64: Support for LSE atomics C++ HotSpot code
+ - JDK-8261167: print_process_memory_info add a close call after fopen
+ - JDK-8261170: Upgrade to freetype 2.10.4
+ - JDK-8261198: [macOS] Incorrect JNI parameters in number conversion in A11Y code
+ - JDK-8261235: C1 compilation fails with assert(res->vreg_number() == index) failed: conversion check
+ - JDK-8261261: The version extra fields needs to be overridable in jib-profiles.js
+ - JDK-8261262: Kitchensink24HStress.java crashed with EXCEPTION_ACCESS_VIOLATION
+ - JDK-8261354: SIGSEGV at MethodIteratorHost
+ - JDK-8261355: No data buffering in SunPKCS11 Cipher encryption when the underlying mechanism has no padding
+ - JDK-8261397: try catch Method failing to work when dividing an integer by 0
+ - JDK-8261422: Adjust problematic String.format calls in jdk/internal/util/Preconditions.java outOfBoundsMessage
+ - JDK-8261447: MethodInvocationCounters frequently run into overflow
+ - JDK-8261481: Cannot read Kerberos settings in dynamic store on macOS Big Sur
+ - JDK-8261505: Test test/hotspot/jtreg/gc/parallel/TestDynShrinkHeap.java killed by Linux OOM Killer
+ - JDK-8261601: free memory in early return in Java_sun_nio_ch_sctp_SctpChannelImpl_receive0
+ - JDK-8261649: AArch64: Optimize LSE atomics in C++ code
+ - JDK-8261730: C2 compilation fails with assert(store->find_edge(load) != -1) failed: missing precedence edge
+ - JDK-8261752: Multiple GC test are missing memory requirements
+ - JDK-8261791: (sctp) handleSendFailed in SctpChannelImpl.c potential leaks
+ - JDK-8261812: C2 compilation fails with assert(!had_error) failed: bad dominance
+ - JDK-8261914: IfNode::fold_compares_helper faces non-canonicalized bool when running JRuby JSON workload
+ - JDK-8262093: java/util/concurrent/tck/JSR166TestCase.java failed "assert(false) failed: unexpected node"
+ - JDK-8262110: DST starts from incorrect time in 2038
+ - JDK-8262121: [11u] Redo 8244287: JFR: Methods samples have line number 0
+ - JDK-8262163: Extend settings printout in jcmd VM.metaspace
+ - JDK-8262295: C2: Out-of-Bounds Array Load from Clone Source
+ - JDK-8262298: G1BarrierSetC2::step_over_gc_barrier fails with assert "bad barrier shape"
+ - JDK-8262446: DragAndDrop hangs on Windows
+ - JDK-8262461: handle wcstombsdmp return value correctly in unix awt_InputMethod.c
+ - JDK-8262465: Very long compilation times and high memory consumption in C2 debug builds
+ - JDK-8262726: AArch64: C1 StubAssembler::call_RT can corrupt stack
+ - JDK-8262739: String inflation C2 intrinsic prevents insertion of anti-dependencies
+ - JDK-8262829: Native crash in Win32PrintServiceLookup.getAllPrinterNames()
+ - JDK-8262837: handle split_USE correctly
+ - JDK-8262900: ToolBasicTest fails to access HTTP server it starts
+ - JDK-8263260: [s390] Support latest hardware (z14 and z15)
+ - JDK-8263311: Watch registry changes for remote printers update instead of polling
+ - JDK-8263361: Incorrect arraycopy stub selected by C2 for SATB collectors
+ - JDK-8263404: RsaPrivateKeySpec is always recognized as RSAPrivateCrtKeySpec in RSAKeyFactory.engineGetKeySpec
+ - JDK-8263425: AArch64: two potential bugs in C1 LIRGenerator::generate_address()
+ - JDK-8263448: CTW: fatal error: meet not symmetric
+ - JDK-8263504: Some OutputMachOpcodes fields are uninitialized
+ - JDK-8263557: Possible NULL dereference in Arena::destruct_contents()
+ - JDK-8263558: Possible NULL dereference in fast path arena free if ZapResourceArea is true
+ - JDK-8263676: AArch64: one potential bug in C1 LIRGenerator::generate_address()
+ - JDK-8263729: [test] divert spurious output away from stream under test in ProcessBuilder Basic test
+ - JDK-8263846: Bad JNI lookup getFocusOwner in accessibility code on Mac OS X
+ - JDK-8264047: Duplicate global variable 'jvm' in libjavajpeg and libawt
+ - JDK-8264096: slowdebug jvm crashes when StrInflatedCopy match rule is not supported
+ - JDK-8264151: ciMethod::ensure_method_data() should return false is loading resulted in empty state
+ - JDK-8264173: [s390] Improve Hardware Feature Detection And Reporting
+ - JDK-8264190: Harden TLS interop tests
+ - JDK-8264223: CodeHeap::verify fails extra_hops assertion in fastdebug test
+ - JDK-8264328: Broken license in javax/swing/JComboBox/8072767/bug8072767.java
+ - JDK-8264360: Loop strip mining verification fails with "should be on the backedge"
+ - JDK-8264626: C1 should be able to inline excluded methods
+ - JDK-8264640: CMS ParScanClosure misses a barrier
+ - JDK-8264786: [macos] All Swing/AWT apps cause Allow Notifications prompt to appear when app is launched
+ - JDK-8264821: DirectIOTest fails on a system with large block size
+ - JDK-8264848: [macos] libjvm.dylib linker warning due to macOS version mismatch
+ - JDK-8264923: PNGImageWriter.write_zTXt throws Exception with a typo
+ - JDK-8264958: C2 compilation fails with assert "n is later than its clone"
+ - JDK-8265099: Revert backport to 11u of 8236859: WebSocket over authenticating proxy fails with NPE
+ - JDK-8265154: vinserti128 operand mix up for KNL platforms
+ - JDK-8265239: Shenandoah: Shenandoah heap region count could be off by 1
+ - JDK-8265417: Backport of JDK-8249672 breaks Solaris x86 build
+ - JDK-8265421: java/lang/String/StringRepeat.java test is missing a memory requirement
+ - JDK-8265462: Handle multiple slots in the NSS Internal Module from SunPKCS11's Secmod
+ - JDK-8265537: x86 version string truncated after JDK-8249672 11u backport
+ - JDK-8265666: Enable AIX build platform to make external debug symbols
+ - JDK-8265677: CMS: CardTableBarrierSet::write_ref_array_work() lacks storestore barrier
+ - JDK-8265690: Use the latest Ubuntu base image version in Docker testing
+ - JDK-8265718: Build failure after JDK-8258414 11u backport
+ - JDK-8265750: Fatal error in safepoint.cpp after backport of 8258414
+ - JDK-8265784: [C2] Hoisting of DecodeN leaves MachTemp inputs behind
+ - JDK-8265938: C2's conditional move optimization does not handle top Phi
+ - JDK-8266220: keytool still prompt for store password on a password-less pkcs12 file if -storetype pkcs12 is specified
+ - JDK-8266293: Key protection using PBEWithMD5AndDES fails with "java.security.InvalidAlgorithmParameterException: Salt must be 8 bytes long"
+ - JDK-8266713: [AIX] Build failure after 11u backport of JDK-8247753
+ - JDK-8266802: Shenandoah: Round up region size to page size unconditionally
+ - JDK-8266892: avoid maybe-uninitialized gcc warnings on linux s390x
+ - JDK-8266929: Unable to use algorithms from 3p providers
+ - JDK-8267235: [macos_aarch64] InterpreterRuntime::throw_pending_exception messing up LR results in crash
+ - JDK-8267561: Shenandoah: Reference processing not properly setup for outside of cycle degenerated GC
+ - JDK-8267599: Revert the change to the default PKCS12 macAlgorithm and macIterationCount props for 11u/8u/7u
+ - JDK-8267641: [11u] 8227609 backport typo
+ - JDK-8267721: Enable sun/security/pkcs11 tests for Amazon Linux 2 AArch64
+ - JDK-8268678: LetsEncryptCA.java test fails as Let’s Encrypt Authority X3 is retired
+
+Notes on individual issues:
+===========================
+
+security-libs/java.security:
+
+JDK-8215293: Customizing PKCS12 keystore Generation
+===================================================
+New system and security properties have been added to enable users to
+customize the generation of PKCS #12 keystores. This includes
+algorithms and parameters for key protection, certificate protection,
+and MacData. The detailed explanation and possible values for these
+properties can be found in the "PKCS12 KeyStore properties" section of
+the `java.security` file.
+
+Also, support for the following SHA-2 based HmacPBE algorithms has
+been added to the SunJCE provider:
+
+* HmacPBESHA224
+* HmacPBESHA256
+* HmacPBESHA384
+* HmacPBESHA512
+* HmacPBESHA512/224
+* HmacPBESHA512/256
+
+JDK-8256902: Removed Root Certificates with 1024-bit Keys
+=========================================================
+The following root certificates with weak 1024-bit RSA public keys
+have been removed from the `cacerts` keystore:
+
+Alias Name: thawtepremiumserverca [jdk]
+Distinguished Name: EMAILADDRESS=premium-server@thawte.com, CN=Thawte Premium Server CA, OU=Certification Services Division, O=Thawte Consulting cc, L=Cape Town, ST=Western Cape, C=ZA
+
+Alias Name: verisignclass2g2ca [jdk]
+Distinguished Name: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
+
+Alias Name: verisignclass3ca [jdk]
+Distinguished Name: OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
+
+Alias Name: verisignclass3g2ca [jdk]
+Distinguished Name: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
+
+Alias Name: verisigntsaca [jdk]
+Distinguished Name: CN=Thawte Timestamping CA, OU=Thawte Certification, O=Thawte, L=Durbanville, ST=Western Cape, C=ZA
+
+JDK-8261361: Removed Telia Company's Sonera Class2 CA certificate
+=================================================================
+
+The following root certificate have been removed from the cacerts truststore:
+
+Alias Name: soneraclass2ca
+Distinguished Name: CN=Sonera Class2 CA, O=Sonera, C=FI
+
+JDK-8242069: Upgraded the Default PKCS12 Encryption and MAC Algorithms
+======================================================================
+The default encryption and MAC algorithms used in a PKCS #12 keystore
+have been updated. The new algorithms are based on AES-256 and SHA-256
+and are stronger than the old algorithms that were based on RC2,
+DESede, and SHA-1. See the security properties starting with
+`keystore.pkcs12` in the `java.security` file for detailed
+information.
+
+For compatibility, a new system property named
+`keystore.pkcs12.legacy` is defined that will revert the algorithms to
+use the older, weaker algorithms. There is no value defined for this
+property.
+
+security-libs/javax.net.ssl:
+
+JDK-8257548: Improve Encoding of TLS Application-Layer Protocol Negotiation (ALPN) Values
+=========================================================================================
+Certain TLS ALPN values couldn't be properly read or written by the
+SunJSSE provider. This is due to the choice of Strings as the API
+interface and the undocumented internal use of the UTF-8 Character Set
+which converts characters larger than U+00007F (7-bit ASCII) into
+multi-byte arrays that may not be expected by a peer.
+
+ALPN values are now represented using the network byte representation
+expected by the peer, which should require no modification for
+standard 7-bit ASCII-based character Strings. However, SunJSSE now
+encodes/decodes String characters as 8-bit ISO_8859_1/LATIN-1
+characters. This means applications that used characters above
+U+000007F that were previously encoded using UTF-8 may need to either
+be modified to perform the UTF-8 conversion, or set the Java security
+property `jdk.tls.alpnCharset` to "UTF-8" revert the behavior.
+
+See the updated guide at
+https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/alpn.html
+for more information.
+
+JDK-8244460: Support for certificate_authorities Extension
+==========================================================
+The "certificate_authorities" extension is an optional extension
+introduced in TLS 1.3. It is used to indicate the certificate
+authorities (CAs) that an endpoint supports and should be used by the
+receiving endpoint to guide certificate selection.
+
+With this JDK release, the "certificate_authorities" extension is
+supported for TLS 1.3 in both the client and the server sides. This
+extension is always present for client certificate selection, while it
+is optional for server certificate selection.
+
+Applications can enable this extension for server certificate
+selection by setting the `jdk.tls.client.enableCAExtension` system
+property to `true`. The default value of the property is `false`.
+
+Note that if the client trusts more CAs than the size limit of the
+extension (less than 2^16 bytes), the extension is not enabled. Also,
+some server implementations do not allow handshake messages to exceed
+2^14 bytes. Consequently, there may be interoperability issues when
+`jdk.tls.client.enableCAExtension` is set to `true` and the client
+trusts more CAs than the server implementation limit.
+
+New in release OpenJDK 11.0.11 (2021-04-20):
+=============================================
+Live versions of these release notes can be found at:
+ * https://bitly.com/openjdk11011
+ * https://builds.shipilev.net/backports-monitor/release-notes-11.0.11.txt
+
+* Security fixes
+ - JDK-8244473: Contextualize registration for JNDI
+ - JDK-8244543: Enhanced handling of abstract classes
+ - JDK-8249906, CVE-2021-2163: Enhance opening JARs
+ - JDK-8250568, CVE-2021-2161: Less ambiguous processing
+ - JDK-8253799: Make lists of normal filenames
+ - JDK-8257001: Improve Http Client Support
+* Other changes
+ - JDK-7107012: sun.jvm.hotspot.code.CompressedReadStream readDouble() conversion to long mishandled
+ - JDK-7146776: deadlock between URLStreamHandler.getHostAddress and file.Handler.openconnection
+ - JDK-8086003: Test fails on OSX with java.lang.RuntimeException 'Narrow klass base: 0x0000000000000000, Narrow klass shift: 3' missing
+ - JDK-8168869: jdeps: localized messages don't use proper line breaks
+ - JDK-8180837: SunPKCS11-NSS tests failing with CKR_ATTRIBUTE_READ_ONLY and CKR_MECHANISM_PARAM_INVALID
+ - JDK-8202343: Disable TLS 1.0 and 1.1
+ - JDK-8205992: jhsdb cannot attach to Java processes running in Docker containers
+ - JDK-8209193: Fix aarch64-linux compilation after -Wreorder changes
+ - JDK-8210413: AArch64: Optimize div/rem by constant in C1
+ - JDK-8210578: AArch64: Invalid encoding for fmlsvs instruction
+ - JDK-8211051: jdeps usage of --dot-output doesn't provide valid output for modular jar
+ - JDK-8211057: Gensrc step CompileProperties generates unstable CompilerProperties output
+ - JDK-8211150: G1 Full GC not purging code root memory and hence causing memory leak
+ - JDK-8211825: ModuleLayer.defineModulesWithXXX does not setup delegation when module reads automatic module
+ - JDK-8212043: Add floating-point Math.min/max intrinsics
+ - JDK-8212218: [TESTBUG] runtime/ErrorHandling/TestHeapDumpOnOutOfMemoryErrorInMetaspace.java timed out
+ - JDK-8213116: javax/swing/JComboBox/WindowsComboBoxSize/WindowsComboBoxSizeTest.java fails in Windows
+ - JDK-8213909: jdeps --print-module-deps should report missing dependences
+ - JDK-8214180: Need better granularity for sleeping
+ - JDK-8214223: tools/jdeps/listdeps/ListModuleDeps.java failed due to missing Lib2 file
+ - JDK-8214230: Classes generated by SystemModulesPlugin.java are not reproducable
+ - JDK-8214741: docs/index.html has no title or copyright
+ - JDK-8215687: [Graal] unit test CheckGraalIntrinsics failed after 8212043
+ - JDK-8217848: [Graal] vmTestbase/nsk/jvmti/ResourceExhausted/resexhausted003/TestDescription.java fails
+ - JDK-8218482: sun/security/krb5/auto/ReplayCachePrecise.java failed - no KrbException thrown
+ - JDK-8218550: Add test omitted from JDK-8212043
+ - JDK-8221584: SIGSEGV in os::PlatformEvent::unpark() in JvmtiRawMonitor::raw_exit while posting method exit event
+ - JDK-8221995: AARCH64: problems with CAS instructions encoding
+ - JDK-8222518: Remove unnecessary caching of Parker object in java.lang.Thread
+ - JDK-8222785: aarch64: add necessary masking for immediate shift counts
+ - JDK-8223186: HotSpot compile warnings from GCC 9
+ - JDK-8225773: jdeps --check produces NPE if there are missing module dependences
+ - JDK-8225805: Java Access Bridge does not close the logger
+ - JDK-8226810: Failed to launch JVM because of NullPointerException occured on System.props
+ - JDK-8229396: jdeps ignores multi-release when generate-module-info used on command line
+ - JDK-8229474: Shenandoah: Cleanup CM::update_roots()
+ - JDK-8232225: Rework the fix for JDK-8071483
+ - JDK-8232905: JFR fails with assertion: assert(t->unflushed_size() == 0) failed: invariant
+ - JDK-8233164: C2 fails with assert(phase->C->get_alias_index(t) == phase->C->get_alias_index(t_adr)) failed: correct memory chain
+ - JDK-8233910: java/awt/ColorClass/AlphaColorTest.java is failing intermittently in nightly lnux-x64 system
+ - JDK-8233912: aarch64: minor improvements of atomic operations
+ - JDK-8234508: VM_HeapWalkOperation::iterate_over_object reads non-strong fields with an on-strong load barrier
+ - JDK-8234742: Improve handshake logging
+ - JDK-8234796: Refactor Handshake::execute to take a more complex type than ThreadClosure
+ - JDK-8235324: Dying objects are published from users of CollectedHeap::object_iterate
+ - JDK-8235351: Lookup::unreflect should bind with the original caller independent of Method's accessible flag
+ - JDK-8237369: Shenandoah: failed vmTestbase/nsk/jvmti/AttachOnDemand/attach021/TestDescription.java test
+ - JDK-8237392: Shenandoah: Remove unreliable assertion
+ - JDK-8237483: AArch64 C1 OopMap inserted twice fatal error
+ - JDK-8237495: Java MIDI fails with a dereferenced memory error when asked to send a raw 0xF7
+ - JDK-8239355: (dc) Initial value of SO_SNDBUF should allow sending large datagrams (macOS)
+ - JDK-8240353: AArch64: missing support for -XX:+ExtendedDTraceProbes in C1
+ - JDK-8240704: CheckHandles.java failed "AssertionError: Handle use increased by more than 10 percent."
+ - JDK-8240751: Shenandoah: fold ShenandoahTracer definition
+ - JDK-8240795: [REDO] 8238384 CTW: C2 compilation fails with "assert(store != load->find_exact_control(load->in(0))) failed: dependence cycle found"
+ - JDK-8241598: Upgrade JLine to 3.14.0
+ - JDK-8241649: Optimize Character.toString
+ - JDK-8241770: Module xxxAnnotation() methods throw NCDFE if module-info.class found as resource in unnamed module
+ - JDK-8241911: AArch64: Fix a potential register clash issue in reduce_add2I
+ - JDK-8242030: Wrong package declarations in jline classes after JDK-8241598
+ - JDK-8242565: Policy initialization issues when the denyAfter constraint is enabled
+ - JDK-8243618: compiler/rtm/cli tests can be run w/o WhiteBox
+ - JDK-8243670: Unexpected test result caused by C2 MergeMemNode::Ideal
+ - JDK-8244088: [Regression] Switch of Gnome theme ends up in deadlocked UI
+ - JDK-8244154: Update SunPKCS11 provider with PKCS11 v3.0 header files
+ - JDK-8244340: Handshake processing thread lacks yielding
+ - JDK-8244573: java.lang.ArrayIndexOutOfBoundsException thrown for malformed class file
+ - JDK-8244683: A TSA server used by tests
+ - JDK-8245005: javax/net/ssl/compatibility/BasicConnectTest.java failed with No enum constant
+ - JDK-8245026: PsAdaptiveSizePolicy::_old_gen_policy_is_ready is unused
+ - JDK-8245283: JFR: Can't handle constant dynamic used by Jacoco agent
+ - JDK-8245512: CRC32 optimization using AVX512 instructions
+ - JDK-8245527: LDAP Channel Binding support for Java GSS/Kerberos
+ - JDK-8246707: (sc) SocketChannel.read/write throws AsynchronousCloseException on closed channel
+ - JDK-8246709: sun/security/tools/jarsigner/TsacertOptionTest.java compilation failed after JDK-8244683
+ - JDK-8247200: assert((unsigned)fpargs < 32)
+ - JDK-8247766: [aarch64] guarantee(val < (1U << nbits)) failed: Field too big for insn.
+ - JDK-8248336: AArch64: C2: offset overflow in BoxLockNode::emit
+ - JDK-8248865: Document JNDI/LDAP timeout properties
+ - JDK-8248901: Signed immediate support in .../share/assembler.hpp is broken.
+ - JDK-8249543: Force DirectBufferAllocTest to run with -ExplicitGCInvokesConcurrent
+ - JDK-8249588: libwindowsaccessbridge issues on 64bit Windows
+ - JDK-8249749: modify a primitive array through a stream and a for cycle causes jre crash
+ - JDK-8249787: Make TestGCLocker more resilient with concurrent GCs
+ - JDK-8249867: xml declaration is not followed by a newline
+ - JDK-8250911: [windows] os::pd_map_memory() error detection broken
+ - JDK-8251255: [linux] Add process-memory information to hs-err and VM.info
+ - JDK-8251359: Shenandoah: filter null oops before calling enqueue/SATB barrier
+ - JDK-8251925: C2: RenaissanceStressTest fails with assert(!had_error): bad dominance
+ - JDK-8251944: Add Shenandoah test config to compiler/gcbarriers/UnsafeIntrinsicsTest.java
+ - JDK-8251992: VM crashed running TestComplexAddrExpr.java test with -XX:UseAVX=X
+ - JDK-8253220: Epsilon: clean up unused code/declarations
+ - JDK-8253274: The CycleDMImagetest brokes the system
+ - JDK-8253353: Crash in C2: guarantee(n != NULL) failed: No Node
+ - JDK-8253368: TLS connection always receives close_notify exception
+ - JDK-8255368: Math.exp() gives wrong result for large values on x86 32-bit platforms
+ - JDK-8255401: Shenandoah: Allow oldval and newval registers to overlap in cmpxchg_oop()
+ - JDK-8253404: C2: assert(C->live_nodes() <= C->max_node_limit()) failed: Live Node limit exceeded limit
+ - JDK-8253409: Double-rounding possibility in float fma
+ - JDK-8253476: TestUseContainerSupport.java fails on some Linux kernels w/o swap limit capabilities
+ - JDK-8253524: C2: Refactor code that clones predicates during loop unswitching
+ - JDK-8253644: C2: assert(skeleton_predicate_has_opaque(iff)) failed: unexpected
+ - JDK-8253681: closed java/awt/dnd/MouseEventAfterStartDragTest/MouseEventAfterStartDragTest.html test failed
+ - JDK-8253702: BigSur version number reported as 10.16, should be 11.nn
+ - JDK-8253756: C2 CompilerThread0 crash in Node::add_req(Node*)
+ - JDK-8254104: MethodCounters must exist before nmethod is installed
+ - JDK-8254734: "dead loop detected" assert failure with patch from 8223051
+ - JDK-8254748: Bad Copyright header format after JDK-8212218
+ - JDK-8254799: runtime/ErrorHandling/TestHeapDumpOnOutOfMemoryError.java fails with release VMs
+ - JDK-8255058: C1: assert(is_virtual()) failed: type check
+ - JDK-8255351: Add detection for Graviton 2 CPUs
+ - JDK-8255387: Japanese characters were printed upside down on AIX
+ - JDK-8255479: [aarch64] assert(src->section_index_of(target) == CodeBuffer::SECT_NONE) failed: sanity
+ - JDK-8255544: Create a checked cast
+ - JDK-8255559: Leak File Descriptors Because of ResolverLocalFilesystem#engineResolveURI()
+ - JDK-8255681: print callstack in error case in runAWTLoopWithApp
+ - JDK-8255734: VM should ignore SIGXFSZ on ppc64, s390 too
+ - JDK-8255742: PrintInlining as compiler directive doesn't print virtual calls
+ - JDK-8255845: Memory leak in imageFile.cpp
+ - JDK-8255880: UI of Swing components is not redrawn after their internal state changed
+ - JDK-8255908: ExceptionInInitializerError due to UncheckedIOException while initializing cgroupv1 subsystem
+ - JDK-8256025: AArch64: MachCallRuntimeNode::ret_addr_offset() is incorrect for stub calls
+ - JDK-8256056: Deoptimization stub doesn't save vector registers on x86
+ - JDK-8256061: RegisterSaver::save_live_registers() omits upper halves of ZMM0-15 registers
+ - JDK-8256187: [TEST_BUG] Automate bug4275046.java test
+ - JDK-8256220: C1: x86_32 fails with -XX:UseSSE=1 after JDK-8210764 due to mishandled lir_neg
+ - JDK-8256258: some missing NULL checks or asserts after CodeCache::find_blob_unsafe
+ - JDK-8256264: Printed GlyphVector outline with low DPI has bad quality on Windows
+ - JDK-8256290: javac/lambda/T8031967.java fails with StackOverflowError on x86_32
+ - JDK-8256359: AArch64: runtime/ReservedStack/ReservedStackTestCompiler.java fails
+ - JDK-8256387: Unexpected result if patching an entire instruction on AArch64
+ - JDK-8256421: Add 2 HARICA roots to cacerts truststore
+ - JDK-8256488: [aarch64] Use ldpq/stpq instead of ld4/st4 for small copies in StubGenerator::copy_memory
+ - JDK-8256489: Make gtest for long path names on Windows more resilient in the presence of virus scanners
+ - JDK-8256501: libTestMainKeyWindow fails to build with Xcode 12.2
+ - JDK-8256633: Fix product build on Windows+Arm64
+ - JDK-8256682: JDK-8202343 is incomplete
+ - JDK-8256751: Incremental rebuild with precompiled header fails when touching a header file
+ - JDK-8256757: Incorrect MachCallRuntimeNode::ret_addr_offset() for CallLeafNoFP on x86_32
+ - JDK-8256806: Shenandoah: optimize shenandoah/jni/TestPinnedGarbage.java test
+ - JDK-8256807: C2: Not marking stores correctly as mismatched in string opts
+ - JDK-8256810: Incremental rebuild broken on Macosx
+ - JDK-8256818: SSLSocket that is never bound or connected leaks socket resources
+ - JDK-8256888: Client manual test problem list update
+ - JDK-8257083: Security infra test failures caused by JDK-8202343
+ - JDK-8257408: Bump update version for OpenJDK: jdk-11.0.11
+ - JDK-8257423: [PPC64] Support -XX:-UseInlineCaches
+ - JDK-8257436: [aarch64] Regressions in ArrayCopyUnalignedDst.testByte/testChar for 65-78 bytes when UseSIMDForMemoryOps is on
+ - JDK-8257513: C2: assert((constant_addr - _masm.code()->consts()->start()) == con.offset())
+ - JDK-8257547: Handle multiple prereqs on the same line in deps files
+ - JDK-8257561: Some code is not vectorized after 8251925 and 8250607
+ - JDK-8257565: epsilonBarrierSet.hpp should not include barrierSetAssembler
+ - JDK-8257575: C2: "failed: only phis" assert failure in loop strip mining verification
+ - JDK-8257594: C2 compiled checkcast of non-null object triggers endless deoptimization/recompilation cycle
+ - JDK-8257633: Missing -mmacosx-version-min=X flag when linking libjvm
+ - JDK-8257670: sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java reports leaks
+ - JDK-8257707: Fix incorrect format string in Http1HeaderParser
+ - JDK-8257746: Regression introduced with JDK-8250984 - memory might be null in some machines
+ - JDK-8257798: [PPC64] undefined reference to Klass::vtable_start_offset()
+ - JDK-8257884: Re-enable sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java as automatic test
+ - JDK-8257910: [JVMCI] Set exception_seen accordingly in the runtime.
+ - JDK-8257997: sun/security/ssl/SSLSocketImpl/SSLSocketLeak.java again reports leaks after JDK-8257884
+ - JDK-8257999: Parallel GC crash in gc/parallel/TestDynShrinkHeap.java: new region is not in covered_region
+ - JDK-8258077: Using -Xcheck:jni can lead to a double-free after JDK-8193234
+ - JDK-8258247: Couple of issues in fix for JDK-8249906
+ - JDK-8258373: Update the text handling in the JPasswordField
+ - JDK-8258396: SIGILL in jdk.jfr.internal.PlatformRecorder.rotateDisk()
+ - JDK-8258419: RSA cipher buffer cleanup
+ - JDK-8258471: "search codecache" clhsdb command does not work
+ - JDK-8258534: Epsilon: clean up unused includes
+ - JDK-8258805: Japanese characters not entered by mouse click on Windows 10
+ - JDK-8258833: Cancel multi-part cipher operations in SunPKCS11 after failures
+ - JDK-8258836: JNI local refs exceed capacity getDiagnosticCommandInfo
+ - JDK-8258884: [TEST_BUG] Convert applet-based test open/test/jdk/javax/swing/JMenuItem/8031573/bug8031573.java to a regular java test
+ - JDK-8259007: This test printed a blank page
+ - JDK-8259049: Uninitialized variable after JDK-8257513
+ - JDK-8259451: Zero: skip serviceability/sa tests, set vm.hasSA to false
+ - JDK-8259580: Shenandoah: uninitialized label in VerifyThreadGCState
+ - JDK-8259231: Epsilon: improve performance under contention during virtual space expansion
+ - JDK-8259271: gc/parallel/TestDynShrinkHeap.java still fails "assert(covered_region.contains(new_memregion)) failed: new region is not in covered_region"
+ - JDK-8259312: VerifyCACerts.java fails as soneraclass2ca cert will expire in 90 days
+ - JDK-8259319: Illegal package access when SunPKCS11 requires SunJCE's classes
+ - JDK-8259339: AllocateUninitializedArray C2 intrinsic fails with void.class input
+ - JDK-8259428: AlgorithmId.getEncodedParams() should return copy
+ - JDK-8259446: runtime/jni/checked/TestCheckedReleaseArrayElements.java fails with stderr not empty
+ - JDK-8259949: x86 32-bit build fails when -fcf-protection is passed in the compiler flags
+ - JDK-8259619: C1: 3-arg StubAssembler::call_RT stack-use condition is incorrect
+ - JDK-8259633: compiler/graalunit/CoreTest.java fails with NPE after JDK-8244543
+ - JDK-8259706: C2 compilation fails with assert(vtable_index == Method::invalid_vtable_index) failed: correct sentinel value
+ - JDK-8259707: LDAP channel binding does not work with StartTLS extension
+ - JDK-8259773: Incorrect encoding of AVX-512 kmovq instruction
+ - JDK-8259849: Shenandoah: Rename store-val to IU-barrier
+ - JDK-8259954: gc/shenandoah/mxbeans tests fail with -Xcomp
+ - JDK-8260029: aarch64: fix typo in verify_oop_array
+ - JDK-8260308: Update LogCompilation junit to 4.13.1
+ - JDK-8260338: Some fields in HaltNode is not cloned
+ - JDK-8260349: Cannot programmatically retrieve Metaspace max set via JAVA_TOOL_OPTIONS
+ - JDK-8260356: (tz) Upgrade time-zone data to tzdata2021a
+ - JDK-8260378: [TESTBUG] DcmdMBeanTestCheckJni.java reports false positive
+ - JDK-8260497: Shenandoah: Improve SATB flushing
+ - JDK-8260502: [s390] NativeMovRegMem::verify() fails because it's too strict
+ - JDK-8260632: Build failures after JDK-8253353
+ - JDK-8260704: ParallelGC: oldgen expansion needs release-store for _end
+ - JDK-8261022: Fix incorrect result of Math.abs() with char type
+ - JDK-8261089: [TESTBUG] native library of test TestCheckedReleaseCriticalArray.java fails to compile with gcc 4.x
+ - JDK-8261183: Follow on to Make lists of normal filenames
+ - JDK-8261209: isStandalone property: remove dependency on pretty-print
+ - JDK-8261231: Windows IME was disabled after DnD operation
+ - JDK-8261251: Shenandoah: Use object size for full GC humongous compaction
+ - JDK-8261310: PPC64 Zero build fails with 'VMError::controlled_crash(int)::FunctionDescriptor functionDescriptor' has incomplete type and cannot be defined
+ - JDK-8261334: NMT: tuning statistic shows incorrect hash distribution
+ - JDK-8261413: Shenandoah: Disable class-unloading in I-U mode
+ - JDK-8261522: [PPC64] AES intrinsics write beyond the destination array
+ - JDK-8261534: Test sun/security/pkcs11/KeyAgreement/IllegalPackageAccess.java fails on platforms where no nsslib artifacts are defined
+ - JDK-8261585: Restore HandleArea used in Deoptimization::uncommon_trap
+ - JDK-8261753: Test java/lang/System/OsVersionTest.java still failing on BigSur patch versions after JDK-8253702
+ - JDK-8261829: Exclude tools/jlink/JLinkReproducibleTest.java in 11u
+ - JDK-8261912: Code IfNode::fold_compares_helper more defensively
+ - JDK-8261920: [AIX] jshell command throws java.io.IOError on non English locales
+ - JDK-8262018: Wrong format in SAP copyright header of OsVersionTest
+ - JDK-8263069: Exclude some failing tests from security/infra/java/security/cert/CertPathValidator
+
+Notes on individual issues:
+===========================
+
+core-libs/javax.naming:
+
+JDK-8258824: LDAP Channel Binding Support for Java GSS/Kerberos
+===============================================================
+A new JNDI environment property "com.sun.jndi.ldap.tls.cbtype" has
+been added to enable TLS Channel Binding data in LDAP authentication
+over SSL/TLS protocol to the Windows AD server. The only valid value
+at present is "tls-server-end-point", where channel binding data is
+created on the base of the TLS server certificate. See RFC-5929 [0]
+and the module description of the `java.naming` module for further
+details.
+
+[0] RFC-5929 "Channel Bindings for TLS": https://www.ietf.org/rfc/rfc5929.txt
+
+security-libs/java.security:
+
+JDK-8260597: Added 2 HARICA Root CA Certificates
+================================================
+The following root certificates have been added to the cacerts truststore:
+
+Alias Name: haricarootca2015
+Distinguished Name: CN=Hellenic Academic and Research Institutions RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR
+
+Alias Name: haricaeccrootca2015
+Distinguished Name: CN=Hellenic Academic and Research Institutions ECC RootCA 2015, O=Hellenic Academic and Research Institutions Cert. Authority, L=Athens, C=GR
+
+security-libs/javax.net.ssl:
+
+JDK-8256490: Disable TLS 1.0 and 1.1
+====================================
+TLS 1.0 and 1.1 are versions of the TLS protocol that are no longer
+considered secure and have been superseded by more secure and modern
+versions (TLS 1.2 and 1.3).
+
+These versions have now been disabled by default. If you encounter
+issues, you can, at your own risk, re-enable the versions by removing
+"TLSv1" and/or "TLSv1.1" from the `jdk.tls.disabledAlgorithms`
+security property in the `java.security` configuration file.
+
+tools:
+
+JDK-8214213: jdeps --print-module-deps Reports Transitive Dependencies
+======================================================================
+`jdeps --print-module-deps`, `--list-deps`, and `--list-reduce-deps`
+options have been enhanced as follows.
+
+1. By default, they perform transitive module dependence analysis on
+libraries on the class path and module path, both directly and
+indirectly, as required by the given input JAR files or
+classes. Previously, they only reported the modules required by the
+given input JAR files or classes. The `--no-recursive` option can be
+used to request non-transitive dependence analysis.
+
+2. By default, they flag any missing dependency, i.e. not found from
+class path and module path, as an error. The `--ignore-missing-deps`
+option can be used to suppress missing dependence errors. Note that a
+custom image is created with the list of modules output by jdeps when
+using the `--ignore-missing-deps` option for a non-modular
+application. Such an application, running on the custom image, might
+fail at runtime when missing dependence errors are suppressed.
+
+xml/jaxp:
+
+JDK-8249867 XML declaration is not followed by a newline
+========================================================
+
+The DOM Load and Save `LSSerializer` does not have an explicit control
+for whether or not the XML Declaration ends with a newline. In this
+release, a JDK implementation specific property
+`http://www.oracle.com/xml/jaxp/properties/isStandalone` and
+corresponding System property `jdk.xml.isStandalone` are added to
+control the addition of a newline and act independently without
+having to set the pretty-print property. This property can be used to
+reverse the incompatible change introduced in Java SE 7 Update 4 with
+an update of Xalan 2.7.1 where a newline is omitted when pretty-print
+is required.
+
+For details, please refer to the bug report and the java.xml module-summary.
+
+Usage:
+
+// to set the property, get an instance of LSSerializer and set it along with pretty-print
+LSSerializer ser = impl.createLSSerializer();
+ser.getDomConfig().setParameter("format-pretty-print", true);
+ser.getDomConfig().setParameter("http://www.oracle.com/xml/jaxp/properties/isStandalone", true);
+
+// to use the System property, set it before initializing a LSSerializer
+System.setProperty("jdk.xml.isStandalone", “true”);
+
+// to clear the property, place the line anywhere after the LSSerializer is initialized
+System.clearProperty("jdk.xml.isStandalone");
+
+New in release OpenJDK 11.0.10 (2021-01-19):
+=============================================
+Live versions of these release notes can be found at:
+ * https://bitly.com/openjdk11010
+ * https://builds.shipilev.net/backports-monitor/release-notes-11.0.10.txt
+
+* Security fixes
+ - JDK-8247619: Improve Direct Buffering of Characters
+* Other changes
+ - JDK-6722928: Support SSPI as a native GSS-API provider
+ - JDK-7185258: [macosx] Deadlock in SunToolKit.realSync()
+ - JDK-8152332: [macosx] JFileChooser cannot be serialized on Mac OS X
+ - JDK-8161684: [testconf] Add VerifyOops' testing into compiler tiers
+ - JDK-8171279: Support X25519 and X448 in TLS
+ - JDK-8173361: various crashes in JvmtiExport::post_compiled_method_load
+ - JDK-8173658: JvmtiExport::post_class_unload() is broken for non-JavaThread initiators
+ - JDK-8191006: hsdis disassembler plugin does not compile with binutils 2.29+
+ - JDK-8197981: Missing return statement in __sync_val_compare_and_swap_8
+ - JDK-8198334: java/awt/FileDialog/8003399/bug8003399.java fails in headless mode
+ - JDK-8200151: Add 8 JNDI tests to com/sun/jndi/dns/ConfigTests/
+ - JDK-8208279: Add 8 JNDI tests to com/sun/jndi/dns/EnvTests/
+ - JDK-8208483: Add 5 JNDI tests to com/sun/jndi/dns/FactoryTests/
+ - JDK-8208542: Add 4 JNDI tests to com/sun/jndi/dns/ListTests/
+ - JDK-8208665: Amend cross-compilation docs with qemu-debootstrap recipe
+ - JDK-8210088: ProblemList gc/epsilon/TestMemoryMXBeans.java
+ - JDK-8210339: Add 10 JNDI tests to com/sun/jndi/dns/FedTests/
+ - JDK-8211450: UndetVar::dup is not copying the kind field to the duplicated instance
+ - JDK-8212160: JVMTI agent crashes with "assert(_value != 0LL) failed: resolving NULL _value"
+ - JDK-8212226: SurfaceManager throws "Invalid Image variant" for MultiResolutionImage (Windows)
+ - JDK-8213400: Support choosing group name in keytool keypair generation
+ - JDK-8213535: Windows HiDPI html lightweight tooltips are truncated
+ - JDK-8213698: Improve devkit creation and add support for linux/ppc64/ppc64le/s390x
+ - JDK-8214025: assert(t->singleton()) failed: must be a constant when ScavengeRootsInCode < 2
+ - JDK-8214242: compiler/arguments/TestScavengeRootsInCode.java fails because of missing UnlockDiagnosticVMOptions
+ - JDK-8214787: Zero builds fail with "undefined JavaThread::thread_state()"
+ - JDK-8215583: Exclude runtime/handshake/HandshakeWalkSuspendExitTest.java
+ - JDK-8216012: Infinite loop in RSA KeyPairGenerator
+ - JDK-8216324: GetClassMethods is confused by the presence of default methods in super interfaces
+ - JDK-8217429: WebSocket over authenticating proxy fails to send Upgrade headers
+ - JDK-8217976: test/jdk/java/net/httpclient/websocket/WebSocketProxyTest.java fails intermittently
+ - JDK-8218021: Have jarsigner preserve posix permission attributes
+ - JDK-8218287: jshell tool: input behavior unstable after 12-ea+24 on Windows
+ - JDK-8218851: JVM crash in custom classloader stress test, JDK 12 & 13
+ - JDK-8220420: Cleanup c1_LinearScan
+ - JDK-8222072: JVMTI GenerateEvents() sends CompiledMethodLoad events to wrong jvmtiEnv
+ - JDK-8222286: Fix for JDK-8213419 is broken on s390
+ - JDK-8222527: HttpClient doesn't send HOST header when tunelling HTTP/1.1 through http proxy
+ - JDK-8222533: jtreg test jdk/internal/platform/cgroup/TestCgroupMetrics.java fails on SLES12.3 linux ppc64le machine
+ - JDK-8224506: [TESTBUG] TestDockerMemoryMetrics.java fails with exitValue = 137
+ - JDK-8224555: vmTestbase/nsk/jvmti/scenarios/contention/TC02/tc02t001/TestDescription.java failed
+ - JDK-8224650: Add tests to support X25519 and X448 in TLS
+ - JDK-8225072: Add LuxTrust certificate that is expiring in March 2021 to list of allowed but expired certs
+ - JDK-8225329: -XX:+PrintBiasedLockingStatistics causes crash during initialization on Windows platforms
+ - JDK-8225687: Newly added sspi.cpp in JDK-6722928 still contains some small errors
+ - JDK-8227006: [linux] Runtime.availableProcessors execution time increased by factor of 100
+ - JDK-8227275: Within native OOM error handling, assertions may hang the process
+ - JDK-8227647: [Graal] Test8009761.java fails due to "RuntimeException: static java.lang.Object compiler.uncommontrap.Test8009761.m3(boolean,boolean) not compiled"
+ - JDK-8229495: SIGILL in C2 generated OSR compilation
+ - JDK-8230910: libsspi_bridge does not build on Windows 32bit
+ - JDK-8232114: JVM crashed at imjpapi.dll in native code
+ - JDK-8234147: Avoid looking up standard charsets in core libraries
+ - JDK-8234393: [macos] printing ignores printer tray
+ - JDK-8234863: Increase default value of MaxInlineLevel
+ - JDK-8235218: Minimal VM is broken after JDK-8173361
+ - JDK-8235456: Minimal VM is broken after JDK-8212160
+ - JDK-8235829: graal crashes with Zombie.java test
+ - JDK-8236124: Minimal VM slowdebug build failed after JDK-8212160
+ - JDK-8236512: PKCS11 Connection closed after Cipher.doFinal and NoPadding
+ - JDK-8236944: The legVecZ operand should be limited to zmm0-zmm15 registers
+ - JDK-8237186: Fix typo in copyright header of java/io/Reader/TransferTo.java
+ - JDK-8237499: JFR: Include stack trace in the ThreadStart event
+ - JDK-8237512: AArch64: aarch64TestHook leaks a BufferBlob
+ - JDK-8237524: AArch64: String.compareTo() may return incorrect result
+ - JDK-8237950: C2 compilation fails with "Live Node limit exceeded limit" during ConvI2L::Ideal optimization
+ - JDK-8238579: HttpsURLConnection drops the timeout and hangs forever in read
+ - JDK-8239105: Add exception for expiring Digicert root certificates to VerifyCACerts test
+ - JDK-8239477: jdk/jfr/jcmd/TestJcmdStartStopDefault.java fails -XX:+VerifyOops with "verify_oop: rsi: broken oop"
+ - JDK-8239497: SEGV in EdgeUtils::field_name_symbol(Edge const&)
+ - JDK-8239886: Minimal VM build fails after JDK-8237499
+ - JDK-8240633: Memory leaks in the implementations of FileChooserUI
+ - JDK-8240690: Race condition between EDT and BasicDirectoryModel.FilesLoader.run0()
+ - JDK-8241234: Unify monitor enter/exit runtime entries.
+ - JDK-8241311: Move some charset mapping tests from closed to open
+ - JDK-8241797: Add some tests to the problem list
+ - JDK-8242029: AArch64: skip G1 array copy pre-barrier if marking not active
+ - JDK-8242335: Additional Tests for RSASSA-PSS
+ - JDK-8242480: Negative value may be returned by getFreeSwapSpaceSize() in the docker
+ - JDK-8242614: cleanup duplicated test ldap server in some com/sun/jndi/ldap/ tests
+ - JDK-8242846: Bring back test/jdk/tools/jlink/plugins/OrderResourcesPluginTest.java
+ - JDK-8243114: Implement montgomery{Multiply,Square}intrinsics on Windows
+ - JDK-8243290: Improve diagnostic messages for class verification and redefinition failures
+ - JDK-8243488: Add tests for set/get SendBufferSize and getReceiveBufferSize in DatagramSocket
+ - JDK-8243549: sun/security/ssl/CipherSuite/NamedGroupsWithCipherSuite.java failed with Unsupported signature algorithm: DSA
+ - JDK-8243617: compiler/onSpinWait/TestOnSpinWaitC1.java test uses wrong class
+ - JDK-8243619: compiler/codecache/CheckSegmentedCodeCache.java test misses -version
+ - JDK-8244142: some hotspot/runtime tests don't check exit code of forked JVM
+ - JDK-8244278: Excessive code cache flushes and sweeps
+ - JDK-8244282: test/hotspot/jtreg/compiler/intrinsics/Test8237524.java fails with --illegal-access=deny
+ - JDK-8244621: [macos10.15] Garbled FX printing plus CoreText warnings on Catalina when building with Xcode 11
+ - JDK-8244819: hsdis does not compile with binutils 2.34+
+ - JDK-8245051: c1 is broken if it is compiled by gcc without -fno-lifetime-dse
+ - JDK-8245168: jlink should not be treated as a "small" tool
+ - JDK-8245400: Upgrade to LittleCMS 2.11
+ - JDK-8246381: VM crashes with "Current BasicObjectLock* below than low_mark"
+ - JDK-8246434: Threads::print_on_error assumes that the heap has been set up
+ - JDK-8246648: issue with OperatingSystemImpl getFreeSwapSpaceSize in docker after 8242480
+ - JDK-8247201: Print potential pointer value of readable stack memory in hs_err file
+ - JDK-8247763: assert(outer->outcnt() == 2) failed: 'only phis' failure in LoopNode::verify_strip_mined()
+ - JDK-8247867: Upgrade to freetype 2.10.2
+ - JDK-8248190: Enable Power10 system and implement new byte-reverse instructions
+ - JDK-8248226: TestCloneAccessStressGCM fails with -XX:-ReduceBulkZeroing
+ - JDK-8248347: windows build broken by JDK-8243114
+ - JDK-8248532: Every time I change keyboard language at my MacBook, Java crashes
+ - JDK-8248552: C2 crashes with SIGFPE due to division by zero
+ - JDK-8248596: [TESTBUG] compiler/loopopts/PartialPeelingUnswitch.java times out with Graal enabled
+ - JDK-8248745: Add jarsigner and keytool tests for restricted algorithms
+ - JDK-8248791: sun/util/resources/cldr/TimeZoneNamesTest.java fails with -XX:-ReduceInitialCardMarks -XX:-ReduceBulkZeroing
+ - JDK-8248845: AArch64: stack corruption after spilling vector register
+ - JDK-8249176: Update GlobalSignR6CA test certificates
+ - JDK-8249183: JVM crash in "AwtFrame::WmSize" method
+ - JDK-8249192: MonitorInfo stores raw oops across safepoints
+ - JDK-8249602: C2: assert(cnt == _outcnt) failed: no insertions allowed
+ - JDK-8249603: C1: assert(has_error == false) failed: register allocation invalid
+ - JDK-8249605: C2: assert(no_dead_loop) failed: dead loop detected
+ - JDK-8249607: C2: assert(!had_error) failed: bad dominance
+ - JDK-8249608: Vector register used by C2 compiled method corrupted at safepoint
+ - JDK-8249672: Include microcode revision in features_string on x86
+ - JDK-8249748: gtest silently ignores bad jvm arguments
+ - JDK-8249821: Separate libharfbuzz from libfontmanager
+ - JDK-8250598: Hyper-V is detected in spite of running on host OS
+ - JDK-8250605: Linux x86_32 builds fail after JDK-8249821
+ - JDK-8250636: iso8601_time returns incorrect offset part on MacOS
+ - JDK-8250665: Wrong translation for the month name of May in ar_JO,LB,SY
+ - JDK-8250772: Test com/sun/jndi/ldap/NamingExceptionMessageTest.java fails intermittently with javax.naming.ServiceUnavailableException
+ - JDK-8250825: C2 crashes with assert(field != __null) failed: missing field
+ - JDK-8250894: Provide a configure option to build and run against the platform libharfbuzz
+ - JDK-8250928: JFR: Improve hash algorithm for stack traces
+ - JDK-8250968: Symlinks attributes not preserved when using jarsigner on zip files
+ - JDK-8250984: Memory Docker tests fail on some Linux kernels w/o cgroupv1 swap limit capabilities
+ - JDK-8251118: BiasedLocking::preserve_marks should not have a HandleMark
+ - JDK-8251189: com/sun/jndi/ldap/LdapDnsProviderTest.java failed due to timeout
+ - JDK-8251257: NMT: jcmd VM.native_memory scale=1 crashes target VM
+ - JDK-8251365: Build failure on AIX after 8250636
+ - JDK-8251397: NPE on ClassValue.ClassValueMap.cacheArray
+ - JDK-8251456: [TESTBUG] compiler/vectorization/TestVectorsNotSavedAtSafepoint.java failed OutOfMemoryError
+ - JDK-8251458: Parse::do_lookupswitch fails with "assert(_cnt >= 0) failed"
+ - JDK-8251535: Partial peeling at unsigned test adds incorrect loop exit check
+ - JDK-8251949: ZGC: Set explicit heap size for compiler/gcbarriers tests
+ - JDK-8252090: JFR: StreamWriterHost::write_unbuffered() stucks in an infinite loop OpenJDK (build 13.0.1+9)
+ - JDK-8252415: Bump update version for OpenJDK: jdk-11.0.10
+ - JDK-8252470: java/awt/dnd/DisposeFrameOnDragCrash/DisposeFrameOnDragTest.java fails on Windows
+ - JDK-8252497: Incorrect numeric currency code for ROL
+ - JDK-8252660: Shenandoah: support manageable SoftMaxHeapSize option
+ - JDK-8252679: Two windows specific FileDIalog tests may fail on some Windows_Server_2016_Standard
+ - JDK-8252696: Loop unswitching may cause out of bound array load to be executed
+ - JDK-8252754: Hash code calculation of JfrStackTrace is inconsistent
+ - JDK-8253219: Epsilon: clean up unnecessary includes
+ - JDK-8253224: Shenandoah: ShenandoahStrDedupQueue destructor calls virtual num_queues()
+ - JDK-8253226: Shenandoah: remove unimplemented ShenandoahStrDedupQueue::verify
+ - JDK-8253269: The CheckCommonColors test should provide more info on failure
+ - JDK-8253284: Zero OrderAccess barrier mappings are incorrect
+ - JDK-8253375: OSX build fails with Xcode 12.0 (12A7209)
+ - JDK-8253778: ShenandoahSafepoint::is_at_shenandoah_safepoint should not access VMThread state from other threads
+ - JDK-8253791: Issue with useAppleColor check in CSystemColors.m
+ - JDK-8254016: Test8237524 fails with -XX:-CompactStrings option
+ - JDK-8254081: java/security/cert/PolicyNode/GetPolicyQualifiers.java fails due to an expired certificate
+ - JDK-8254144: Non-x86 Zero builds fail with return-type warning in os_linux_zero.cpp
+ - JDK-8254166: Zero: return-type warning in zeroInterpreter_zero.cpp
+ - JDK-8254177: (tz) Upgrade time-zone data to tzdata2020b
+ - JDK-8254185: Fix Code cache sweeper heuristics for JDK 11
+ - JDK-8254190: [s390] interpreter misses exception check after calling monitorenter
+ - JDK-8254790: SIGSEGV in string_indexof_char and stringL_indexof_char intrinsics
+ - JDK-8254854: [cgroups v1] Metric limits not properly detected on some join controller combinations
+ - JDK-8254982: (tz) Upgrade time-zone data to tzdata2020c
+ - JDK-8255050: Add pkcs11/KeyStore/ClientAuth.sh to Problem list
+ - JDK-8255065: Zero: accessor_entry misses the IRIW case
+ - JDK-8255226: (tz) Upgrade time-zone data to tzdata2020d
+ - JDK-8255269: Unsigned overflow in g1Policy.cpp
+ - JDK-8255365: Problem list failing client manual tests
+ - JDK-8255457: Shenandoah: cleanup ShenandoahMarkTask
+ - JDK-8255466: C2 crashes at ciObject::get_oop() const+0x0
+ - JDK-8255550: x86: Assembler::cmpq(Address dst, Register src) encoding is incorrect
+ - JDK-8255603: Memory/Performance regression after JDK-8210985
+ - JDK-8255760: Shenandoah: match constants style in ShenandoahMarkTask fallback
+ - JDK-8255937: Better cleanup for test/jdk/javax/imageio/stream/StreamFlush.java
+ - JDK-8256427: Test com/sun/jndi/dns/ConfigTests/PortUnreachable.java does not work on AIX
+ - JDK-8256452: Integrate missing part of JDK-8232370 to 11u
+ - JDK-8256483: [TESTBUG] serviceability/jvmti/GetClassMethods/libOverpassMethods.c fails to compile on gcc 4.4.x
+ - JDK-8256557: libharfbuzz fails to link on gcc 4.4.x due to -Wl,-z,defs
+ - JDK-8256618: Zero: Linux x86_32 build still fails
+ - JDK-8256736: Zero: GTest tests fail with "unsuppported vm variant"
+ - JDK-8256809: Annotation processing causes NPE during flow analysis
+ - JDK-8257181: s390x builds are very noisy with gc-sections messages
+ - JDK-8257242: [macOS] Java app crashes while switching input methods
+ - JDK-8257545: SunJSSE FIPS regression in key exchange after JDK-8171279 11u backport
+ - JDK-8257641: Shenandoah: Query is_at_shenandoah_safepoint() from control thread should return false
+ - JDK-8257701: Shenandoah: objArrayKlass metadata is not marked with chunked arrays
+ - JDK-8258630: Add expiry exception for QuoVadis root certificate
+
+Notes on individual issues:
+===========================
+
+security-libs/java.security:
+
+JDK-8213821: -groupname Option Added to keytool Key Pair Generation
+===================================================================
+A new `-groupname` option has been added to `keytool -genkeypair` so
+that a user can specify a named group when generating a key pair. For
+example, `keytool -genkeypair -keyalg EC -groupname secp384r1` will
+generate an EC key pair by using the `secp384r1` curve. Because there
+might be multiple curves with the same size, using the `-groupname`
+option is preferred over the `-keysize` option.
+
+JDK-8248263: jarsigner Preserves POSIX File Permission and symlink Attributes
+=============================================================================
+When signing a file that contains POSIX file permission or symlink
+attributes, `jarsigner` now preserves these attributes in the newly
+signed file but warns that these attributes are unsigned and not
+protected by the signature. The same warning is printed during the
+`jarsigner -verify` operation for such files.
+
+Note that the `jar` tool does not read/write these attributes. This
+change is more visible to tools like `unzip` where these attributes
+are preserved.
+
+security-libs/javax.net.ssl:
+
+JDK-8225764: Support for X25519 and X448 in TLS
+================================================
+
+The named elliptic curve groups `x25519` and `x448` are now available
+for JSSE key agreement in TLS versions 1.0 to 1.3, with `x25519` being
+the most preferred of the default enabled named groups. The default
+ordered list is now:
+
+* x25519
+* secp256r1
+* secp384r1
+* secp521r1
+* x448
+* secp256k1
+* ffdhe2048
+* ffdhe3072
+* ffdhe4096
+* ffdhe6144
+* ffdhe8192
+
+The default list can be overridden using the system property *`jdk.tls.namedGroups`*.
+
+security-libs/org.ietf.jgss:
+
+JDK-8214079: Added a Default Native GSS-API Library on Windows
+==============================================================
+A native GSS-API library has been added to JDK on the Windows
+platform. The library is client-side only and uses the default
+credentials. It will be loaded when the `sun.security.jgss.native`
+system property is set to "true". A user can still load a third-party
+native GSS-API library by setting the system property
+`sun.security.jgss.lib` to its path.
+
+New in release OpenJDK 11.0.9.1 (2020-10-20):
+=============================================
+Live versions of these release notes can be found at:
+ * https://bitly.com/openjdk11091
+ * https://builds.shipilev.net/backports-monitor/release-notes-11.0.9.1.txt
+
+* Regression fixes
+ - JDK-8250861: Crash in MinINode::Ideal(PhaseGVN*, bool)
+
+New in release OpenJDK 11.0.9 (2020-10-20):
+===========================================
+Live versions of these release notes can be found at:
+ * https://bitly.com/openjdk1109
+ * https://builds.shipilev.net/backports-monitor/release-notes-11.0.9.txt
+
+* Security fixes
+ - JDK-8233624: Enhance JNI linkage
+ - JDK-8236196: Improve string pooling
+ - JDK-8236862, CVE-2020-14779: Enhance support of Proxy class
+ - JDK-8237990, CVE-2020-14781: Enhanced LDAP contexts
+ - JDK-8237995, CVE-2020-14782: Enhance certificate processing
+ - JDK-8240124: Better VM Interning
+ - JDK-8241114, CVE-2020-14792: Better range handling
+ - JDK-8242680, CVE-2020-14796: Improved URI Support
+ - JDK-8242685, CVE-2020-14797: Better Path Validation
+ - JDK-8242695, CVE-2020-14798: Enhanced buffer support
+ - JDK-8243302: Advanced class supports
+ - JDK-8244136, CVE-2020-14803: Improved Buffer supports
+ - JDK-8244479: Further constrain certificates
+ - JDK-8244955: Additional Fix for JDK-8240124
+ - JDK-8245407: Enhance zoning of times
+ - JDK-8245412: Better class definitions
+ - JDK-8245417: Improve certificate chain handling
+ - JDK-8248574: Improve jpeg processing
+ - JDK-8249927: Specify limits of jdk.serialProxyInterfaceLimit
+ - JDK-8253019: Enhanced JPEG decoding
+* Other changes
+ - JDK-6532025: GIF reader throws misleading exception with truncated images
+ - JDK-6949753: [TEST BUG]: java/awt/print/PageFormat/PDialogTest.java needs update by removing a infinite loop
+ - JDK-8022535: [TEST BUG] javax/swing/text/html/parser/Test8017492.java fails
+ - JDK-8062947: Fix exception message to correctly represent LDAP connection failure
+ - JDK-8067354: com/sun/jdi/GetLocalVariables4Test.sh failed
+ - JDK-8134599: TEST_BUG: java/rmi/transport/closeServerSocket/CloseServerSocket.java fails intermittently with Address already in use
+ - JDK-8151678: com/sun/jndi/ldap/LdapTimeoutTest.java failed due to timeout on DeadServerNoTimeoutTest is incorrect
+ - JDK-8160768: Add capability to custom resolve host/domain names within the default JNDI LDAP provider
+ - JDK-8172404: Tools should warn if weak algorithms are used before restricting them
+ - JDK-8193367: Annotated type variable bounds crash javac
+ - JDK-8202117: com/sun/jndi/ldap/RemoveNamingListenerTest.java fails intermittently: Connection reset
+ - JDK-8203026: java.rmi.NoSuchObjectException: no such object in table
+ - JDK-8203281: [Windows] JComboBox change in ui when editor.setBorder() is called
+ - JDK-8203382: Rename SystemDictionary::initialize_wk_klass to resolve_wk_klass
+ - JDK-8203393: com/sun/jdi/JdbMethodExitTest.sh and JdbExprTest.sh fail due to timeout
+ - JDK-8203928: [Test] Convert non-JDB scaffolding serviceability shell script tests to java
+ - JDK-8204963: javax.swing.border.TitledBorder has a memory leak
+ - JDK-8204994: SA might fail to attach to process with "Windbg Error: WaitForEvent failed"
+ - JDK-8205534: Remove SymbolTable dependency from serviceability agent
+ - JDK-8206309: Tier1 SA tests fail
+ - JDK-8208281: java/nio/channels/AsynchronousSocketChannel/Basic.java timed out
+ - JDK-8209109: [TEST] rewrite com/sun/jdi shell tests to java version - step1
+ - JDK-8209332: [TEST] test/jdk/com/sun/jdi/CatchPatternTest.sh is incorrect
+ - JDK-8209342: Problemlist SA tests on Solaris due to Error attaching to process: Can't create thread_db agent!
+ - JDK-8209343: Test javax/swing/border/TestTitledBorderLeak.java should be marked as headful
+ - JDK-8209517: com/sun/jdi/BreakpointWithFullGC.java fails with timeout
+ - JDK-8209604: [TEST] rewrite com/sun/jdi shell tests to java version - step2
+ - JDK-8209605: com/sun/jdi/BreakpointWithFullGC.java fails with ZGC
+ - JDK-8209608: Problem list com/sun/jdi/BreakpointWithFullGC.java
+ - JDK-8210131: vmTestbase/nsk/jvmti/scenarios/allocation/AP10/ap10t001/TestDescription.java failed with ObjectFree: GetCurrentThreadCpuTimerInfo returned unexpected error code
+ - JDK-8210243: [TEST] rewrite com/sun/jdi shell tests to java version - step3
+ - JDK-8210527: JShell: NullPointerException in jdk.jshell.Eval.translateExceptionStack
+ - JDK-8210560: [TEST] convert com/sun/jdi redefineClass-related tests
+ - JDK-8210725: com/sun/jdi/RedefineClearBreakpoint.java fails with waitForPrompt timed out after 60 seconds
+ - JDK-8210748: [TESTBUG] lib.jdb.Jdb.waitForPrompt() should clarify which output is the pending reply after a timeout
+ - JDK-8210760: [TEST] rewrite com/sun/jdi shell tests to java version - step4
+ - JDK-8210977: jdk/jfr/event/oldobject/TestThreadLocalLeak.java fails to find ThreadLocalObject
+ - JDK-8211292: [TEST] convert com/sun/jdi/DeferredStepTest.sh test
+ - JDK-8211694: JShell: Redeclared variable should be reset
+ - JDK-8212200: assert when shared java.lang.Object is redefined by JVMTI agent
+ - JDK-8212629: [TEST] wrong breakpoint in test/jdk/com/sun/jdi/DeferredStepTest
+ - JDK-8212665: com/sun/jdi/DeferredStepTest.java: jj1 (line 57) - unexpected. lastLine=52, minLine=52, maxLine=55
+ - JDK-8212807: tools/jar/multiRelease/Basic.java times out
+ - JDK-8213182: Minimal VM build failure after JDK-8212200 (assert when shared java.lang.Object is redefined by JVMTI agent)
+ - JDK-8213214: Set -Djava.io.tmpdir= when running tests
+ - JDK-8213275: ReplaceCriticalClasses.java fails with jdk.internal.vm.PostVMInitHook not found
+ - JDK-8213574: Deadlock in string table expansion when dumping lots of CDS classes
+ - JDK-8213703: LambdaConversionException: Invalid receiver type not a subtype of implementation type interface
+ - JDK-8214074: Ghash optimization using AVX instructions
+ - JDK-8214491: Upgrade to JLine 3.9.0
+ - JDK-8214797: TestJmapCoreMetaspace.java timed out
+ - JDK-8215243: JShell tests failing intermitently with \"Problem cleaning up the following threads:\"
+ - JDK-8215244: jdk/jshell/ToolBasicTest.java testHistoryReference failed
+ - JDK-8215354: x86_32 build failures after JDK-8214074 (Ghash optimization using AVX instructions)
+ - JDK-8215438: jshell tool: Ctrl-D causes EOF
+ - JDK-8216021: RunTest.gmk might set concurrency level to 1 on Windows
+ - JDK-8216974: HttpConnection not returned to the pool after 204 response
+ - JDK-8218948: SimpleDateFormat :: format - Zone Names are not reflected correctly during run time
+ - JDK-8219712: code_size2 (defined in stub_routines_x86.hpp) is too small on new Skylake CPUs
+ - JDK-8220150: macos10.14 Mojave returns anti-aliased glyphs instead of aliased B&W glyphs
+ - JDK-8221658: aarch64: add necessary predicate for ubfx patterns
+ - JDK-8221759: Crash when completing \"java.io.File.path\"
+ - JDK-8221918: runtime/SharedArchiveFile/serviceability/ReplaceCriticalClasses.java fails: Shared archive not found
+ - JDK-8222074: Enhance auto vectorization for x86
+ - JDK-8222079: Don't use memset to initialize fields decode_env constructor in disassembler.cpp
+ - JDK-8222769: [TESTBUG] TestJFRNetworkEvents should not rely on hostname command
+ - JDK-8223688: JShell: crash on the instantiation of raw anonymous class
+ - JDK-8223777: In posix_spawn mode, failing to exec() jspawnhelper does not result in an error
+ - JDK-8223940: Private key not supported by chosen signature algorithm
+ - JDK-8224184: jshell got IOException at exiting with AIX
+ - JDK-8224234: compiler/codegen/TestCharVect2.java fails in test_mulc
+ - JDK-8225037: java.net.JarURLConnection::getJarEntry() throws NullPointerException
+ - JDK-8225625: AES Electronic Codebook (ECB) encryption and decryption optimization using AVX512 + VAES instructions
+ - JDK-8226536: Catch OOM from deopt that fails rematerializing objects
+ - JDK-8226575: OperatingSystemMXBean should be made container aware
+ - JDK-8226697: Several tests which need the @key headful keyword are missing it.
+ - JDK-8226809: Circular reference in printed stack trace is not correctly indented & ambiguous
+ - JDK-8227059: sun/security/tools/keytool/DefaultSignatureAlgorithm.java timed out
+ - JDK-8227269: Slow class loading when running with JDWP
+ - JDK-8227595: keytool/fakegen/DefaultSignatureAlgorithm.java fails due to "exitValue = 6"
+ - JDK-8228448: Jconsole can't connect to itself
+ - JDK-8228967: Trust/Key store and SSL context utilities for tests
+ - JDK-8229378: jdwp library loader in linker_md.c quietly truncates on buffer overflow
+ - JDK-8229815: Upgrade Jline to 3.12.1
+ - JDK-8230000: some httpclients testng tests run zero test
+ - JDK-8230002: javax/xml/jaxp/unittest/transform/SecureProcessingTest.java runs zero test
+ - JDK-8230010: Remove jdk8037819/BasicTest1.java
+ - JDK-8230094: CCE in createXMLEventWriter(Result) over an arbitrary XMLStreamWriter
+ - JDK-8230402: Allocation of compile task fails with assert: "Leaking compilation tasks?"
+ - JDK-8230767: FlightRecorderListener returns null recording
+ - JDK-8230870: (zipfs) Add a ZIP FS test that is similar to test/jdk/java/util/zip/EntryCount64k.java
+ - JDK-8231209: [REDO] ThreadMXBean::getThreadAllocatedBytes() can be quicker for self thread
+ - JDK-8231586: enlarge encoding space for OopMapValue offsets
+ - JDK-8231953: Wrong assumption in assertion in oop::register_oop
+ - JDK-8231968: getCurrentThreadAllocatedBytes default implementation s/b getThreadAllocatedBytes
+ - JDK-8232083: Minimal VM is broken after JDK-8231586
+ - JDK-8232161: Align some one-way conversion in MS950 charset with Windows
+ - JDK-8232855: jshell missing word in /help help
+ - JDK-8233027: OopMapSet::all_do does oms.next() twice during iteration
+ - JDK-8233228: Disable weak named curves by default in TLS, CertPath, and Signed JAR
+ - JDK-8233386: Initialize NULL fields for unused decorations
+ - JDK-8233452: java.math.BigDecimal.sqrt() with RoundingMode.FLOOR results in incorrect result
+ - JDK-8233686: XML transformer uses excessive amount of memory
+ - JDK-8233741: AES Countermode (AES-CTR) optimization using AVX512 + VAES instructions
+ - JDK-8233829: javac cannot find non-ASCII module name under non-UTF8 environment
+ - JDK-8233958: Memory retention due to HttpsURLConnection finalizer that serves no purpose
+ - JDK-8234011: (zipfs) Memory leak in ZipFileSystem.releaseDeflater()
+ - JDK-8234058: runtime/CompressedOops/CompressedClassPointers.java fails with 'Narrow klass base: 0x0000000000000000' missing from stdout/stderr
+ - JDK-8234149: Several regression tests do not dispose Frame at end
+ - JDK-8234347: "Turkey" meta time zone does not generate composed localized names
+ - JDK-8234385: [TESTBUG] java/awt/EventQueue/6980209/bug6980209.java fails in linux nightly
+ - JDK-8234535: Cross compilation fails due to missing CFLAGS for the BUILD_CC
+ - JDK-8234541: C1 emits an empty message when it inlines successfully
+ - JDK-8234687: change javap reporting on unknown attributes
+ - JDK-8236464: SO_LINGER option is ignored by SSLSocket in JDK 11
+ - JDK-8236548: Localized time zone name inconsistency between English and other locales
+ - JDK-8236617: jtreg test containers/docker/TestMemoryAwareness.java fails after 8226575
+ - JDK-8237182: Update copyright header for shenandoah and epsilon files
+ - JDK-8237888: security/infra/java/security/cert/CertPathValidator/certification/LuxTrustCA.java fails when checking validity interval
+ - JDK-8237977: Further update javax/net/ssl/compatibility/Compatibility.java
+ - JDK-8238270: java.net HTTP/2 client does not decrease stream count when receives 204 response
+ - JDK-8238284: [macos] Zero VM build fails due to an obvious typo
+ - JDK-8238380: java.base/unix/native/libjava/childproc.c "multiple definition" link errors with GCC10
+ - JDK-8238386: (sctp) jdk.sctp/unix/native/libsctp/SctpNet.c "multiple definition" link errors with GCC10
+ - JDK-8238388: libj2gss/NativeFunc.o "multiple definition" link errors with GCC10
+ - JDK-8238448: RSASSA-PSS signature verification fail when using certain odd key sizes
+ - JDK-8238710: LingeredApp doesn't log stdout/stderr if exits with non-zero code
+ - JDK-8239083: C1 assert(known_holder == NULL || (known_holder->is_instance_klass() && (!known_holder->is_interface() || ((ciInstanceKlass*)known_holder)->has_nonstatic_concrete_methods())), "should be non-static concrete method");
+ - JDK-8239385: KerberosTicket client name refers wrongly to sAMAccountName in AD
+ - JDK-8240169: javadoc fails to link to non-modular api docs
+ - JDK-8240295: hs_err elapsed time in seconds is not accurate enough
+ - JDK-8240360: NativeLibraryEvent has wrong library name on Linux
+ - JDK-8240676: Meet not symmetric failure when running lucene on jdk8
+ - JDK-8241007: Shenandoah: remove ShenandoahCriticalControlThreadPriority support
+ - JDK-8241065: Shenandoah: remove leftover code after JDK-8231086
+ - JDK-8241086: Test runtime/NMT/HugeArenaTracking.java is failing on 32bit Windows
+ - JDK-8241130: com.sun.jndi.ldap.EventSupport.removeDeadNotifier: java.lang.NullPointerException
+ - JDK-8241138: http.nonProxyHosts=* causes StringIndexOutOfBoundsException in DefaultProxySelector
+ - JDK-8241319: WB_GetCodeBlob doesn't have ResourceMark
+ - JDK-8241478: vmTestbase/gc/gctests/Steal/steal001/steal001.java fails with OOME
+ - JDK-8241574: Shenandoah: remove ShenandoahAssertToSpaceClosure
+ - JDK-8241750: x86_32 build failure after JDK-8227269
+ - JDK-8242184: CRL generation error with RSASSA-PSS
+ - JDK-8242283: Can't start JVM when java home path includes non-ASCII character
+ - JDK-8242556: Cannot load RSASSA-PSS public key with non-null params from byte array
+ - JDK-8243029: Rewrite javax/net/ssl/compatibility/Compatibility.java with a flexible interop test framework
+ - JDK-8243138: Enhance BaseLdapServer to support starttls extended request
+ - JDK-8243320: Add SSL root certificates to Oracle Root CA program
+ - JDK-8243321: Add Entrust root CA - G4 to Oracle Root CA program
+ - JDK-8243389: enhance os::pd_print_cpu_info on linux
+ - JDK-8243453: java --describe-module failed with non-ASCII module name under non-UTF8 environment
+ - JDK-8243470: [macos] bring back O2 opt level for unsafe.cpp
+ - JDK-8243489: Thread CPU Load event may contain wrong data for CPU time under certain conditions
+ - JDK-8243925: Toolkit#getScreenInsets() returns wrong value on HiDPI screens (Windows)
+ - JDK-8244087: 2020-04-24 public suffix list update
+ - JDK-8244151: Update MUSCLE PC/SC-Lite headers to the latest release 1.8.26
+ - JDK-8244164: AArch64: jaotc generates incorrect code for compressed OOPs with non-zero heap base
+ - JDK-8244196: adjust output in os_linux
+ - JDK-8244225: stringop-overflow warning on strncpy call from compile_the_world_in
+ - JDK-8244287: JFR: Methods samples have line number 0
+ - JDK-8244703: "platform encoding not initialized" exceptions with debugger, JNI
+ - JDK-8244719: CTW: C2 compilation fails with "assert(!VerifyHashTableKeys || _hash_lock == 0) failed: remove node from hash table before modifying it"
+ - JDK-8244729: Shenandoah: remove resolve paths from SBSA::generate_shenandoah_lrb
+ - JDK-8244763: Update --release 8 symbol information after JSR 337 MR3
+ - JDK-8244818: Java2D Queue Flusher crash while moving application window to external monitor
+ - JDK-8245151: jarsigner should not raise duplicate warnings on verification
+ - JDK-8245616: Bump update version for OpenJDK: jdk-11.0.9
+ - JDK-8245714: "Bad graph detected in build_loop_late" when loads are pinned on loop limit check uncommon branch
+ - JDK-8245801: StressRecompilation triggers assert "redundunt OSR recompilation detected. memory leak in CodeCache!"
+ - JDK-8245832: JDK build make-static-libs should build all JDK libraries
+ - JDK-8245880: Shenandoah: check class unloading flag early in concurrent code root scan
+ - JDK-8245981: Upgrade to jQuery 3.5.1
+ - JDK-8246027: Minimal fastdebug build broken after JDK-8245801
+ - JDK-8246094: [macos] Sound Recording and playback is not working
+ - JDK-8246153: TestEliminateArrayCopy fails with -XX:+StressReflectiveCode
+ - JDK-8246193: Possible NPE in ENC-PA-REP search in AS-REQ
+ - JDK-8246196: javax/management/MBeanServer/OldMBeanServerTest fails with AssertionError
+ - JDK-8246203: Segmentation fault in verification due to stack overflow with -XX:+VerifyIterativeGVN
+ - JDK-8246330: Add TLS Tests for Legacy ECDSA curves
+ - JDK-8246453: TestClone crashes with "all collected exceptions must come from the same place"
+ - JDK-8247246: Add explicit ResolvedJavaType.link and expose presence of default methods
+ - JDK-8247350: [aarch64] assert(false) failed: wrong size of mach node
+ - JDK-8247502: PhaseStringOpts crashes while optimising effectively dead code
+ - JDK-8247615: Initialize the bytes left for the heap sampler
+ - JDK-8247824: CTW: C2 (Shenandoah) compilation fails with SEGV in SBC2Support::pin_and_expand
+ - JDK-8247874: Replacement in VersionProps.java.template not working when --with-vendor-bug-url contains '&'
+ - JDK-8247979: aarch64: missing side effect of killing flags for clearArray_reg_reg
+ - JDK-8248214: Add paddings for TaskQueueSuper to reduce false-sharing cache contention
+ - JDK-8248219: aarch64: missing memory barrier in fast_storefield and fast_accessfield
+ - JDK-8248348: Regression caused by the update to BCEL 6.0
+ - JDK-8248385: [testbug][11u] Adapt TestInitiExceptions to jtreg 5.1
+ - JDK-8248495: [macos] zerovm is broken due to libffi headers location
+ - JDK-8248851: CMS: Missing memory fences between free chunk check and klass read
+ - JDK-8248987: AOT's Linker.java seems to eagerly fail-fast on Windows
+ - JDK-8249159: Downport test rework for SSLSocketTemplate from 8224650
+ - JDK-8249215: JFrame::setVisible crashed with -Dfile.encoding=UTF-8 on Japanese Windows.
+ - JDK-8249251: [dark_mode ubuntu 20.04] The selected menu is not highlighted in GTKLookAndFeel
+ - JDK-8249255: Build fails if source code in cygwin home dir
+ - JDK-8249277: TestVerifyIterativeGVN.java is failing with timeout in OpenJDK 11
+ - JDK-8249278: Revert JDK-8226253 which breaks the spec of AccessibleState.SHOWING for JList
+ - JDK-8249560: Shenandoah: Fix racy GC request handling
+ - JDK-8249801: Shenandoah: Clear soft-refs on requested GC cycle
+ - JDK-8249953: Shenandoah: gc/shenandoah/mxbeans tests should account for corner cases
+ - JDK-8250582: Revert Principal Name type to NT-UNKNOWN when requesting TGS Kerberos tickets
+ - JDK-8250609: C2 crash in IfNode::fold_compares
+ - JDK-8250627: Use -XX:+/-UseContainerSupport for enabling/disabling Java container metrics
+ - JDK-8250755: Better cleanup for jdk/test/javax/imageio/plugins/shared/CanWriteSequence.java
+ - JDK-8250787: Provider.put no longer registering aliases in FIPS env
+ - JDK-8250826: jhsdb does not work with coredump which comes from Substrate VM
+ - JDK-8250827: Shenandoah: needs to reset/finish StringTable's dead count before/after parallel walk
+ - JDK-8250844: Make sure {type,obj}ArrayOopDesc accessors check the bounds
+ - JDK-8251117: Cannot check P11Key size in P11Cipher and P11AEADCipher
+ - JDK-8251354: Shenandoah: Fix jdk/jfr/tool/TestPrintJSON.java test failure
+ - JDK-8251451: Shenandoah: Remark ObjectSynchronizer roots with I-U
+ - JDK-8251469: Better cleanup for test/jdk/javax/imageio/SetOutput.java
+ - JDK-8251487: Shenandoah: missing detail timing tracking for final mark cleaning phase
+ - JDK-8252120: compiler/oracle/TestCompileCommand.java misspells "occured"
+ - JDK-8252157: JDK-8231209 11u backport breaks jmm binary compatibility
+ - JDK-8252258: [11u] JDK-8242154 changes the default vendor
+ - JDK-8252804: [test] Fix 'ReleaseDeflater.java' test after downport of 8234011
+ - JDK-8253134: JMM_VERSION should remain at 0x20020000 (JDK 10) in JDK 11
+ - JDK-8253283: [11u] Test build/translations/VerifyTranslations.java failing after JDK-8252258
+ - JDK-8253813: Backout JDK-8244287 from 11u: it causes several crashes
+
+Notes on individual issues:
+===========================
+
+core-libs/java.nio.charsets:
+
+JDK-8240196: Modified the MS950 charset Encoder's Conversion Table
+==================================================================
+In this release, some of the one-way byte-to-char mappings have been
+aligned with the preferred mappings provided by the Unicode Consortium
+(https://unicode.org/Public/MAPPINGS/VENDORS/MICSFT/WindowsBestFit/bestfit950.txt).
+
+core-libs/java.util:i18n:
+
+JDK-8238914: Localized Time Zone Name Inconsistency Between English and Other Locales
+=====================================================================================
+English time zone names provided by the CLDR locale provider are now
+correctly synthesized following the CLDR spec, rather than substituted
+from the COMPAT provider. For example, SHORT style names are no longer
+synthesized abbreviations of LONG style names, but instead produce GMT
+offset formats.
+
+core-svc/java.lang.management:
+
+JDK-8236876: OperatingSystemMXBean Methods Inside a Container Return Container Specific Data
+============================================================================================
+When executing in a container, or other virtualized operating
+environment, the following `OperatingSystemMXBean` methods in this
+release return container specific information, if
+available. Otherwise, they return host specific data:
+
+* getFreePhysicalMemorySize()
+* getTotalPhysicalMemorySize()
+* getFreeSwapSpaceSize()
+* getTotalSwapSpaceSize()
+* getSystemCpuLoad()
+
+security-libs/java.security:
+
+JDK-8250756: Added Entrust Root Certification Authority - G4 certificate
+========================================================================
+The Entrust root certificate has been added to the cacerts truststore:
+
+Alias Name: entrustrootcag4
+Distinguished Name: CN=Entrust Root Certification Authority - G4, OU="(c) 2015 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
+
+JDK-8250860: Added 3 SSL Corporation Root CA Certificates
+=========================================================
+The following root certificates have been added to the cacerts truststore for the SSL Corporation:
+
+Alias Name: sslrootrsaca
+Distinguished Name: CN=SSL.com Root Certification Authority RSA, O=SSL Corporation, L=Houston, ST=Texas, C=US
+
+Alias Name: sslrootevrsaca
+Distinguished Name: CN=SSL.com EV Root Certification Authority RSA R2, O=SSL Corporation, L=Houston, ST=Texas, C=US
+
+Alias Name: sslrooteccca
+Distinguished Name: CN=SSL.com Root Certification Authority ECC, O=SSL Corporation, L=Houston, ST=Texas, C=US
+
+JDK-8236730: Weak Named Curves in TLS, CertPath, and Signed JAR Disabled by Default
+===================================================================================
+Weak named curves are disabled by default by adding them to the
+following `disabledAlgorithms` security properties:
+
+* jdk.tls.disabledAlgorithms
+* jdk.certpath.disabledAlgorithms
+* jdk.jar.disabledAlgorithms
+
+Red Hat has always disabled many of the curves provided by upstream,
+so the only addition in this release is:
+
+* secp256k1
+
+The curves that remain enabled are:
+
+* secp256r1
+* secp384r1
+* secp521r1
+* X25519
+* X448
+
+When large numbers of weak named curves need to be disabled, adding
+individual named curves to each `disabledAlgorithms` property would be
+overwhelming. To relieve this, a new security property,
+`jdk.disabled.namedCurves`, is implemented that can list the named
+curves common to all of the `disabledAlgorithms` properties. To use
+the new property in the `disabledAlgorithms` properties, precede the
+full property name with the keyword `include`. Users can still add
+individual named curves to `disabledAlgorithms` properties separate
+from this new property. No other properties can be included in the
+`disabledAlgorithms` properties.
+
+To restore the named curves, remove the `include
+jdk.disabled.namedCurves` either from specific or from all
+`disabledAlgorithms` security properties. To restore one or more
+curves, remove the specific named curve(s) from the
+`jdk.disabled.namedCurves` property.
+
+JDK-8244286: Tools Warn If Weak Algorithms Are Used Before Restricting Them
+===========================================================================
+The `keytool` and `jarsigner` tools have been updated to warn users
+about weak cryptographic algorithms being used before they are
+disabled. In this release, the tools issue warnings for the SHA-1 hash
+algorithm and 1024-bit RSA/DSA keys.
+
+security-libs/javax.net.ssl:
+
+JDK-8242147: New System Properties to Configure the TLS Signature Schemes
+=========================================================================
+Two new system properties have been added to customize the TLS
+signature schemes in JDK. `jdk.tls.client.SignatureSchemes` has been
+added for the TLS client side, and `jdk.tls.server.SignatureSchemes`
+has been added for the server side.
+
+Each system property contains a comma-separated list of supported
+signature scheme names specifying the signature schemes that could be
+used for the TLS connections.
+
+The names are described in the "Signature Schemes" section of the
+*Java Security Standard Algorithm Names Specification*.
+
+security-libs/javax.security:
+
+JDK-8242059: Support for canonicalize in krb5.conf
+==================================================
+
+The 'canonicalize' flag in the [krb5.conf file][0] is now supported by
+the JDK Kerberos implementation. When set to *true*, RFC 6806 [1] name
+canonicalization is requested by clients in TGT requests to KDC
+services (AS protocol). Otherwise, and by default, it is not
+requested.
+
+The new default behavior is different from previous releases where
+name canonicalization was always requested by clients in TGT requests
+to KDC services (provided that support for RFC 6806[1] was not
+explicitly disabled with the *sun.security.krb5.disableReferrals*
+system or security properties).
+
+[0]: https://web.mit.edu/kerberos/krb5-devel/doc/admin/conf_files/krb5_conf.html
+[1]: https://tools.ietf.org/html/rfc6806
+
+JDK-8254177: US/Pacific-New Zone name removed as part of tzdata2020b
+====================================================================
+Following JDK's update to tzdata2020b, the long-obsolete files
+pacificnew and systemv have been removed. As a result, the
+"US/Pacific-New" zone name declared in the pacificnew data file is no
+longer available for use.
+
+Information regarding the update can be viewed at
+https://mm.icann.org/pipermail/tz-announce/2020-October/000059.html
+
+New in release OpenJDK 11.0.8 (2020-07-14):
+===========================================
+Live versions of these release notes can be found at:
+ * https://bitly.com/oj1108
+ * https://builds.shipilev.net/backports-monitor/release-notes-11.0.8.txt
+
+* Security fixes
+ - JDK-8230613: Better ASCII conversions
+ - JDK-8231800: Better listing of arrays
+ - JDK-8232014: Expand DTD support
+ - JDK-8233234: Better Zip Naming
+ - JDK-8233239, CVE-2020-14562: Enhance TIFF support
+ - JDK-8233255: Better Swing Buttons
+ - JDK-8234032: Improve basic calendar services
+ - JDK-8234042: Better factory production of certificates
+ - JDK-8234418: Better parsing with CertificateFactory
+ - JDK-8234836: Improve serialization handling
+ - JDK-8236191: Enhance OID processing
+ - JDK-8236867, CVE-2020-14573: Enhance Graal interface handling
+ - JDK-8237117, CVE-2020-14556: Better ForkJoinPool behavior
+ - JDK-8237592, CVE-2020-14577: Enhance certificate verification
+ - JDK-8238002, CVE-2020-14581: Better matrix operations
+ - JDK-8238013: Enhance String writing
+ - JDK-8238804: Enhance key handling process
+ - JDK-8238842: AIOOBE in GIFImageReader.initializeStringTable
+ - JDK-8238843: Enhanced font handing
+ - JDK-8238920, CVE-2020-14583: Better Buffer support
+ - JDK-8238925: Enhance WAV file playback
+ - JDK-8240119, CVE-2020-14593: Less Affine Transformations
+ - JDK-8240482: Improved WAV file playback
+ - JDK-8241379: Update JCEKS support
+ - JDK-8241522: Manifest improved jar headers redux
+ - JDK-8242136, CVE-2020-14621: Better XML namespace handling
+* Other changes
+ - JDK-6933331: (d3d/ogl) java.lang.IllegalStateException: Buffers have not been created
+ - JDK-7124307: JSpinner and changing value by mouse
+ - JDK-8022574: remove HaltNode code after uncommon trap calls
+ - JDK-8039082: [TEST_BUG] Test java/awt/dnd/BadSerializationTest/BadSerializationTest.java fails
+ - JDK-8040630: Popup menus and tooltips flicker with previous popup contents when first shown
+ - JDK-8044365: (dc) MulticastSendReceiveTests.java failing with ENOMEM when joining group (OS X 10.9)
+ - JDK-8048215: [TESTBUG] java/lang/management/ManagementFactory/ThreadMXBeanProxy.java Expected non-null LockInfo
+ - JDK-8051349: nsk/jvmti/scenarios/sampling/SP06/sp06t003 fails in nightly
+ - JDK-8080353: JShell: Better error message on attempting to add default method
+ - JDK-8139876: Exclude hanging nsk/stress/stack from execution with deoptimization enabled
+ - JDK-8146090: java/lang/ref/ReachabilityFenceTest.java fails with -XX:+DeoptimizeALot
+ - JDK-8153430: jdk regression test MletParserLocaleTest, ParserInfiniteLoopTest reduce default timeout
+ - JDK-8156207: Resource allocated BitMaps are often cleared unnecessarily
+ - JDK-8159740: JShell: corralled declarations do not have correct source to wrapper mapping
+ - JDK-8175984: ICC_Profile has un-needed, not-empty finalize method
+ - JDK-8176359: Frame#setMaximizedbounds not working properly in multi screen environments
+ - JDK-8183369: RFC unconformity of HttpURLConnection with proxy
+ - JDK-8187078: -XX:+VerifyOops finds numerous problems when running JPRT
+ - JDK-8191169: java/net/Authenticator/B4769350.java failed intermittently
+ - JDK-8191930: [Graal] emits unparseable XML into compile log
+ - JDK-8193879: Java debugger hangs on method invocation
+ - JDK-8196019: java/awt/Window/Grab/GrabTest.java fails on Windows
+ - JDK-8196181: sun/java2d/GdiRendering/InsetClipping.java fails
+ - JDK-8198000: java/awt/List/EmptyListEventTest/EmptyListEventTest.java debug assert on Windows
+ - JDK-8198001: java/awt/Menu/WrongParentAfterRemoveMenu/WrongParentAfterRemoveMenu.java debug assert on Windows
+ - JDK-8198339: Test javax/swing/border/Test6981576.java is unstable
+ - JDK-8200701: jdk/jshell/ExceptionsTest.java fails on Windows, after JDK-8198801
+ - JDK-8203264: JNI exception pending in PlainDatagramSocketImpl.c:740
+ - JDK-8203672: JNI exception pending in PlainSocketImpl.c
+ - JDK-8203673: JNI exception pending in DualStackPlainDatagramSocketImpl.c:398
+ - JDK-8204834: Fix confusing "allocate" naming in OopStorage
+ - JDK-8205399: Set node color on pinned HashMap.TreeNode deletion
+ - JDK-8205653: test/jdk/sun/management/jmxremote/bootstrap/RmiRegistrySslTest.java and RmiSslBootstrapTest.sh fail with handshake_failure
+ - JDK-8206179: com/sun/management/OperatingSystemMXBean/GetCommittedVirtualMemorySize.java fails with Committed virtual memory size illegal value
+ - JDK-8207334: VM times out in VM_HandshakeAllThreads::doit() with RunThese30M
+ - JDK-8208277: Code cache heap (-XX:ReservedCodeCacheSize) doesn't work with 1GB LargePages
+ - JDK-8209113: Use WeakReference for lastFontStrike for created Fonts
+ - JDK-8209333: Socket reset issue for TLS 1.3 socket close
+ - JDK-8209439: C2 library_call can potentially ignore Math.pow intrinsic or use null pointer
+ - JDK-8209534: [TESTBUG]runtime/appcds/cacheObject/ArchivedModuleCompareTest.java fails with EnableJVMCI.
+ - JDK-8210147: adjust some WSAGetLastError usages in windows network coding
+ - JDK-8210284: "assert((av & 0x00000001) == 0) failed: unsupported V8" on Solaris 11.4
+ - JDK-8210303: VM_HandshakeAllThreads fails assert with "failed: blocked and not walkable"
+ - JDK-8210515: [TESTBUG]CheckArchivedModuleApp.java needs to check if EnableJVMCI is set.
+ - JDK-8210788: Javadoc for Thread.join(long, int) should specify that it waits forever when both arguments are zero
+ - JDK-8211301: [macos] support full window content options
+ - JDK-8211332: Space for stub routines (code_size2) is too small on new Skylake CPUs
+ - JDK-8211339: NPE during SSL handshake caused by HostnameChecker
+ - JDK-8211392: compiler/profiling/spectrapredefineclass_classloaders/Launcher.java times out in JDK12 CI
+ - JDK-8211743: [AOT] crash in ScopeDesc::decode_body() when JVMTI walks AOT frames
+ - JDK-8212154: [TESTBUG] CheckArchivedModuleApp fails with NPE when JVMCI is absent
+ - JDK-8212167: JShell : Stack trace of exception has wrong line number
+ - JDK-8212933: Thread-SMR: requesting a VM operation whilst holding a ThreadsListHandle can cause deadlocks
+ - JDK-8212986: Make Visual Studio compiler check less strict
+ - JDK-8213250: CDS archive creation aborts due to metaspace object allocation failure
+ - JDK-8213516: jck test api/javax_accessibility/AccessibleState/fields.html fails intermittent
+ - JDK-8213947: ARM32: failed check_simd should set UsePopCountInstruction to false
+ - JDK-8214418: half-closed SSLEngine status may cause application dead loop
+ - JDK-8214440: ldap over a TLS connection negotiate failed with "javax.net.ssl.SSLPeerUnverifiedException: hostname of the server '' does not match the hostname in the server's certificate"
+ - JDK-8214444: Wrong strncat limits in dfa.cpp
+ - JDK-8214481: freetype path does not disable TrueType hinting with AA+FM hints
+ - JDK-8214571: -Xdoclint of array serialField gives "error: array type not allowed here"
+ - JDK-8214856: Errors with JSZip in web console after upgrade to 3.1.5
+ - JDK-8214862: assert(proj != __null) at compile.cpp:3251
+ - JDK-8215369: Jcstress pollute /var/tmp with temporary files.
+ - JDK-8215551: Missing case label in nmethod::reloc_string_for()
+ - JDK-8215555: TieredCompilation C2 threads can excessively block handshakes
+ - JDK-8215711: Missing key_share extension for (EC)DHE key exchange should alert missing_extension
+ - JDK-8216151: [Graal] Module jdk.internal.vm.compiler.management has not been granted accessClassInPackage.org.graalvm.compiler.debug
+ - JDK-8216154: C4819 warnings at HotSpot sources on Windows
+ - JDK-8216541: CompiledICHolders of VM locked unloaded nmethods are released too late
+ - JDK-8217230: assert(t == t_no_spec) failure in NodeHash::check_no_speculative_types()
+ - JDK-8217404: --with-jvm-features doesn't work when multiple features are explicitly disabled
+ - JDK-8217447: Develop flag TraceICs is broken
+ - JDK-8217606: LdapContext#reconnect always opens a new connection
+ - JDK-8218807: Compilation database (compile_commands.json) may contain obsolete items
+ - JDK-8219214: Infinite Loop in CodeSection::dump()
+ - JDK-8219904: ClassCastException when calling FlightRecorderMXBean#getRecordings()
+ - JDK-8219991: New fix of the deadlock in sun.security.ssl.SSLSocketImpl
+ - JDK-8221121: applications/microbenchmarks are encountering crashes in tier5
+ - JDK-8221445: FastSysexMessage constructor crashes MIDI receiption thread
+ - JDK-8221482: Initialize VMRegImpl::regName[] earlier to prevent assert during PrintStubCode
+ - JDK-8221741: ClassCastException can happen when fontconfig.properties is used
+ - JDK-8221823: Requested JDialog width is ignored
+ - JDK-8223108: Test java/awt/EventQueue/NonComponentSourcePost.java is unstable
+ - JDK-8223935: PIT: java/awt/font/WindowsIndicFonts.java fails on windows10
+ - JDK-8224109: Text spaced incorrectly by drawString under rotation with fractional metric
+ - JDK-8224632: testbug: java/awt/dnd/RemoveDropTargetCrashTest/RemoveDropTargetCrashTest.java fails on MacOS
+ - JDK-8224793: os::die() does not honor CreateCoredumpOnCrash option
+ - JDK-8224847: gc/stress/TestReclaimStringsLeaksMemory.java fails with reserved greater than expected
+ - JDK-8224931: disable JAOTC invokedynamic support until 8223533 is fixed
+ - JDK-8224997: ChaCha20-Poly1305 TLS cipher suite decryption throws ShortBufferException
+ - JDK-8225068: Remove DocuSign root certificate that is expiring in May 2020
+ - JDK-8225069: Remove Comodo root certificate that is expiring in May 2020
+ - JDK-8225126: Test SetBoundsPaintTest.html faild on Windows when desktop is scaled
+ - JDK-8225325: Add tests for redefining a class' private method during resolution of the bootstrap specifier
+ - JDK-8225622: [AOT] runtime/SharedArchiveFile/TestInterpreterMethodEntries.java crashed with AOTed java.base
+ - JDK-8225653: Provide more information when hitting SIGILL from HaltNode
+ - JDK-8225783: Incorrect use of binary operators on booleans in type.cpp
+ - JDK-8225789: Empty method parameter type should generate ClassFormatError
+ - JDK-8226198: use of & instead of && in LibraryCallKit::arraycopy_restore_alloc_state
+ - JDK-8226253: JAWS reports wrong number of radio buttons when buttons are hidden.
+ - JDK-8226653: [accessibility] Can edit text cell correctly, but Accessibility Tool reads nothing about editor
+ - JDK-8226806: [macOS 10.14] Methods of Java Robot should be called from appropriate thread
+ - JDK-8226879: Memory leak in Type::hashcons
+ - JDK-8227632: Incorrect PrintCompilation message: made not compilable on levels 0 1 2 3 4
+ - JDK-8228407: JVM crashes with shared archive file mismatch
+ - JDK-8228482: fix xlc16/xlclang comparison of distinct pointer types and string literal conversion warnings
+ - JDK-8228757: Fail fast if the handshake type is unknown
+ - JDK-8229158: make UseSwitchProfiling non-experimental or false by-default
+ - JDK-8229421: The logic of java/net/ipv6tests/TcpTest.java is flawed
+ - JDK-8229855: C2 fails with assert(false) failed: bad AD file
+ - JDK-8230591: AArch64: Missing intrinsics for Math.ceil, floor, rint
+ - JDK-8231118: ARM32: Math tests failures
+ - JDK-8231213: Migrate SimpleDateFormatConstTest to JDK Repo
+ - JDK-8231243: [TESTBUG] CustomFont.java cannot find font file
+ - JDK-8231438: [macOS] Dark mode for the desktop is not supported
+ - JDK-8231550: C2: ShouldNotReachHere() in verify_strip_mined_scheduling
+ - JDK-8231564: setMaximizedBounds is broken with large display scale and multiple monitors
+ - JDK-8231572: Use -lobjc instead of -fobjc-link-runtime in libosxsecurity
+ - JDK-8231631: sun/net/ftp/FtpURLConnectionLeak.java fails intermittently with NPE
+ - JDK-8231671: Fix copyright headers in hotspot (missing comma after year)
+ - JDK-8231720: Some perf regressions after 8225653
+ - JDK-8231779: crash HeapWord*ParallelScavengeHeap::failed_mem_allocate
+ - JDK-8231863: Crash if classpath is read from @argument file and the main gets option argument
+ - JDK-8232080: jlink plugins for vendor information and run-time options
+ - JDK-8232106: [x86] C2: SIGILL due to usage of SSSE3 instructions on processors which don't support it
+ - JDK-8232134: Change to Visual Studio 2017 15.9.16 for building on Windows at Oracle
+ - JDK-8232226: [macos 10.15] test/jdk/java/awt/color/EqualityTest/EqualityTest.java may fail
+ - JDK-8232357: Compare version info of Santuario to legal notice
+ - JDK-8232572: Add hooks for custom output dir in Bundles.gmk
+ - JDK-8232634: Problem List ICMColorDataTest.java
+ - JDK-8232748: Build static versions of certain JDK libraries
+ - JDK-8232846: ProcessHandle.Info command with non-English shows question marks
+ - JDK-8233033: C2 produces wrong result while unswitching a loop due to lost control dependencies
+ - JDK-8233137: runtime/ErrorHandling/VeryEarlyAssertTest.java fails after 8232080
+ - JDK-8233197: Invert JvmtiExport::post_vm_initialized() and Jfr:on_vm_start() start-up order for correct option parsing
+ - JDK-8233291: [TESTBUG] tools/jlink/plugins/VendorInfoPluginsTest.java fails with debug or non-server VMs
+ - JDK-8233364: Fix undefined behavior in Canonicalizer::do_ShiftOp
+ - JDK-8233573: Toolkit.getScreenInsets(GraphicsConfiguration) may throw ClassCastException
+ - JDK-8233608: Minimal build broken after JDK-8233494
+ - JDK-8233621: Mismatch in jsse.enableMFLNExtension property name
+ - JDK-8233696: [TESTBUG]Some jtreg tests fail when CAPS_LOCK is ON
+ - JDK-8233707: systemScale.cpp could not compile with VS2019
+ - JDK-8233801: GCMEmptyIv.java test fails on Solaris 11.4
+ - JDK-8233880: Support compilers with multi-digit major version numbers
+ - JDK-8233920: MethodHandles::tryFinally generates illegal bytecode for long/double return type
+ - JDK-8234137: The "AutoTestOnTop.java" test may run external applications
+ - JDK-8234146: compiler/jsr292/ContinuousCallSiteTargetChange.java times out on SPARC
+ - JDK-8234184: [TESTBUG] java/awt/Mouse/EnterExitEvents/ModalDialogEnterExitEventsTest.java fails in Windows
+ - JDK-8234270: [REDO] JDK-8204128 NMT might report incorrect numbers for Compiler area
+ - JDK-8234332: [TESTBUG] java/awt/Focus/DisposedWindow/DisposeDialogNotActivateOwnerTest/DisposeDialogNotActivateOwnerTest.java fails on linux-x64 nightly
+ - JDK-8234398: Replace ID2D1Factory::GetDesktopDpi with GetDeviceCaps
+ - JDK-8234522: [macos] Crash with use of native file dialog
+ - JDK-8234691: Potential double-free in ParallelSPCleanupTask constructor
+ - JDK-8234696: tools/jlink/plugins/VendorInfoPluginsTest.java times out
+ - JDK-8234727: sun/security/ssl/X509TrustManagerImpl tests support TLSv1.3
+ - JDK-8234728: Some security tests should support TLSv1.3
+ - JDK-8234779: Provide idiom for declaring classes noncopyable
+ - JDK-8234968: check calloc rv in libinstrument InvocationAdapter
+ - JDK-8235153: [TESTBUG] [macos 10.15] java/awt/Graphics/DrawImageBG/SystemBgColorTest.java fails
+ - JDK-8235183: Remove the "HACK CODE" in comment
+ - JDK-8235263: Revert TLS 1.3 change that wrapped IOExceptions
+ - JDK-8235311: Tag mismatch may alert bad_record_mac
+ - JDK-8235332: TestInstanceCloneAsLoadsStores.java fails with -XX:+StressGCM
+ - JDK-8235452: Strip mined loop verification fails with assert(is_OuterStripMinedLoop()) failed: invalid node class
+ - JDK-8235584: UseProfiledLoopPredicate fails with assert(_phase->get_loop(c) == loop) failed: have to be in the same loop
+ - JDK-8235620: Broken merge between JDK-8006406 and JDK-8003559
+ - JDK-8235638: NPE in LWWindowPeer.getOnscreenGraphics()
+ - JDK-8235686: Add more custom hooks in Bundles.gmk
+ - JDK-8235739: Rare NPE at WComponentPeer.getGraphics()
+ - JDK-8235762: JVM crash in SWPointer during C2 compilation
+ - JDK-8235834: IBM-943 charset encoder needs updating
+ - JDK-8235874: The ordering of Cipher Suites is not maintained provided through jdk.tls.client.cipherSuites and jdk.tls.server.cipherSuites system property.
+ - JDK-8235908: omit ThreadPriorityPolicy warning when value is set from image
+ - JDK-8235984: C2: assert(out->in(PhiNode::Region) == head || out->in(PhiNode::Region) == slow_head) failed: phi must be either part of the slow or the fast loop
+ - JDK-8236211: [Graal] compiler/graalunit/GraphTest.java is skipped in all testing
+ - JDK-8236470: Deal with ECDSA using ecdsa-with-SHA2 plus hash algorithm as AlgorithmId
+ - JDK-8236545: Compilation error in mach5 java/awt/FileDialog/MacOSGoToFolderCrash.java
+ - JDK-8236700: Upgrading JSZip from v3.1.5 to v3.2.2
+ - JDK-8236759: ShouldNotReachHere in PhaseIdealLoop::verify_strip_mined_scheduling
+ - JDK-8236897: Fix the copyright header for pkcs11gcm2.h
+ - JDK-8236921: Add build target to produce a JDK image suitable for a Graal/SVM build
+ - JDK-8236953: [macos] JavaFX SwingNode is not rendered on macOS
+ - JDK-8236996: Incorrect Roboto font rendering on Windows with subpixel antialiasing
+ - JDK-8237045: JVM uses excessive memory with -XX:+EnableJVMCI -XX:JVMCICounterSize=2147483648
+ - JDK-8237055: [TESTBUG] compiler/c2/TestJumpTable.java fails with release VMs
+ - JDK-8237086: assert(is_MachReturn()) running CTW with fix for JDK-8231291
+ - JDK-8237192: Generate stripped/public pdbs on Windows for jdk images
+ - JDK-8237396: JvmtiTagMap::weak_oops_do() should not trigger barriers
+ - JDK-8237474: Default SSLEngine should create in server role
+ - JDK-8237859: C2: Crash when loads float above range check
+ - JDK-8237951: CTW: C2 compilation fails with "malformed control flow"
+ - JDK-8237962: give better error output for invalid OCSP response intervals in CertPathValidator checks
+ - JDK-8238190: [JVMCI] Fix single implementor speculation for diamond shapes.
+ - JDK-8238356: CodeHeap::blob_count() overestimates the number of blobs
+ - JDK-8238452: Keytool generates wrong expiration date if validity is set to 2050/01/01
+ - JDK-8238555: Allow Initialization of SunPKCS11 with NSS when there are external FIPS modules in the NSSDB
+ - JDK-8238575: DragSourceEvent.getLocation() returns wrong value on HiDPI screens (Windows)
+ - JDK-8238676: jni crashes on accessing it from process exit hook
+ - JDK-8238721: Add failing client jtreg tests to the Problem List
+ - JDK-8238738: AudioSystem.getMixerInfo() takes about 30 sec to report a gone audio device
+ - JDK-8238756: C2: assert(((n) == __null || !VerifyIterativeGVN || !((n)->is_dead()))) failed: can not use dead node
+ - JDK-8238765: PhaseCFG::schedule_pinned_nodes cannot handle precedence edges from unmatched CFG nodes correctly
+ - JDK-8238898: Missing hash characters for header on license file
+ - JDK-8238942: Rendering artifacts with LCD text and fractional metrics
+ - JDK-8238985: [TESTBUG] The arrow image is blue instead of green
+ - JDK-8239000: handle ContendedPaddingWidth in vm_version_ppc
+ - JDK-8239055: Wrong implementation of VMState.hasListener
+ - JDK-8239091: Reversed arguments in call to strstr in freetype "debug" code.
+ - JDK-8239142: C2's UseUniqueSubclasses optimization is broken for array accesses
+ - JDK-8239224: libproc_impl.c previous_thr may be used uninitialized warning
+ - JDK-8239351: Give more meaningful InternalError messages in Deflater.c
+ - JDK-8239365: ProcessBuilder test modifications for AIX execution
+ - JDK-8239456: vtable stub generation: assert failure (code size estimate)
+ - JDK-8239457: call ReleaseStringUTFChars before early returns in Java_sun_security_pkcs11_wrapper_PKCS11_connect
+ - JDK-8239462: jdk.hotspot.agent misses some ReleaseStringUTFChars calls in case of early returns
+ - JDK-8239557: [TESTBUG] VeryEarlyAssertTest.java validating "END." marker at lastline is not always true
+ - JDK-8239787: AArch64: String.indexOf may incorrectly handle empty strings
+ - JDK-8239792: Bump update version for OpenJDK: jdk-11.0.8
+ - JDK-8239798: SSLSocket closes socket both socket endpoints on a SocketTimeoutException
+ - JDK-8239819: XToolkit: Misread of screen information memory
+ - JDK-8239852: java/util/concurrent tests fail with -XX:+VerifyGraphEdges: assert(!VerifyGraphEdges) failed: verification should have failed
+ - JDK-8239893: Windows handle Leak when starting processes using ProcessBuilder
+ - JDK-8239915: Zero VM crashes when handling dynamic constant
+ - JDK-8239931: [win][x86] vtable stub generation: assert failure (code size estimate) follow-up
+ - JDK-8239976: Put JDK-8239965 on the ProblemList.txt
+ - JDK-8240073: Fix 'test-make' build target in 11u
+ - JDK-8240197: Cannot start JVM when $JAVA_HOME includes CJK characters
+ - JDK-8240202: A few client tests leave mouse buttons pressed
+ - JDK-8240220: IdealLoopTree::dump_head predicate printing is broken
+ - JDK-8240223: Use consistent predicate order in and with PhaseIdealLoop::find_predicate
+ - JDK-8240227: Loop predicates should be copied to unswitched loops
+ - JDK-8240286: [TESTBUG] Test command error in hotspot/jtreg/compiler/loopopts/superword/SumRedAbsNeg_Float.java
+ - JDK-8240518: Incorrect JNU_ReleaseStringPlatformChars in Windows Print
+ - JDK-8240529: CheckUnhandledOops breaks NULL check in Modules::define_module
+ - JDK-8240576: JVM crashes after transformation in C2 IdealLoopTree::merge_many_backedges
+ - JDK-8240603: Windows 32bit compile error after 8238676
+ - JDK-8240629: argfiles parsing broken for argfiles with comment cross 4096 bytes chunk
+ - JDK-8240711: TestJstatdPort.java failed due to "ExportException: Port already in use:"
+ - JDK-8240786: [TESTBUG] The test java/awt/Window/GetScreenLocation/GetScreenLocationTest.java fails on HiDPI screen
+ - JDK-8240824: enhance print_full_memory_info on Linux by THP related information
+ - JDK-8240827: Downport SSLSocketImpl.java from "8221882: Use fiber-friendly java.util.concurrent.locks in JSSE"
+ - JDK-8240905: assert(mem == (Node*)1 || mem == mem2) failed: multiple Memories being matched at once?
+ - JDK-8240972: macOS codesign fail on macOS 10.13.5 or older
+ - JDK-8241445: Fix copyright in test/jdk/tools/launcher/ArgFileSyntax.java
+ - JDK-8241458: [JVMCI] add mark value to expose CodeOffsets::Frame_Complete
+ - JDK-8241464: [11u] Backport: make rehashing be a needed guaranteed safepoint cleanup action
+ - JDK-8241556: Memory leak if -XX:CompileCommand is set
+ - JDK-8241568: (fs) UserPrincipalLookupService.lookupXXX failure with IOE "Operation not permitted"
+ - JDK-8241586: compiler/cpuflags/TestAESIntrinsicsOnUnsupportedConfig.java fails on aarch64
+ - JDK-8241638: launcher time metrics always report 1 on Linux when _JAVA_LAUNCHER_DEBUG set
+ - JDK-8241660: Add virtualization information output to hs_err file on macOS
+ - JDK-8241808: [TESTBUG] The JDK-8039467 bug appeared on macOS
+ - JDK-8241888: Mirror jdk.security.allowNonCaAnchor system property with a security one
+ - JDK-8241900: Loop unswitching may cause dependence on null check to be lost
+ - JDK-8241948: enhance list of environment variables printed in hs_err file
+ - JDK-8241996: on linux set full relro in the linker flags
+ - JDK-8242108: Performance regression after fix for JDK-8229496
+ - JDK-8242141: New System Properties to configure the TLS signature schemes
+ - JDK-8242154: Backport parts of JDK-4947890 to OpenJDK 11u
+ - JDK-8242174: [macos] The NestedModelessDialogTest test make the macOS unstable
+ - JDK-8242239: [Graal] javax/management/generified/GenericTest.java fails: FAILED: queryMBeans sets same
+ - JDK-8242294: JSSE Client does not throw SSLException when an alert occurs during handshaking
+ - JDK-8242379: [TESTBUG] compiler/loopopts/TestLoopUnswitchingLostCastDependency.java fails with release VMs
+ - JDK-8242470: Update Xerces to Version 2.12.1
+ - JDK-8242498: Invalid "sun.awt.TimedWindowEvent" object leads to JVM crash
+ - JDK-8242541: Small charset issues (ISO8859-16, x-eucJP-Open, x-IBM834 and x-IBM949C)
+ - JDK-8242626: enhance posix print_rlimit_info
+ - JDK-8243059: Build fails when --with-vendor-name contains a comma
+ - JDK-8243539: Copyright info (Year) should be updated for fix of 8241638
+ - JDK-8243541: (tz) Upgrade time-zone data to tzdata2020a
+ - JDK-8244407: JVM crashes after transformation in C2 IdealLoopTree::split_fall_in
+ - JDK-8244520: problemlist java/awt/font/Rotate/RotatedFontTest.java on linux
+ - JDK-8244777: ClassLoaderStats VM Op uses constant hash value
+ - JDK-8244853: The static build of libextnet is missing the JNI_OnLoad_extnet function
+ - JDK-8244951: Missing entitlements for hardened runtime
+ - JDK-8245047: [PPC64] C2: ReverseBytes + Load always match to unordered Load (acquire semantics missing)
+ - JDK-8245649: Revert 8245397 backport of 8230591
+ - JDK-8246031: SSLSocket.getSession() doesn't close connection for timeout/ interrupts
+ - JDK-8246613: Choose the default SecureRandom algo based on registration ordering
+ - JDK-8248505: Unexpected NoSuchAlgorithmException when using secure random impl from BCFIPS provider
+
+Notes on individual issues:
+===========================
+
+security-libs/java.security:
+
+JDK-8244167: Removal of Comodo Root CA Certificate
+==================================================
+The following expired Comodo root CA certificate was removed from the `cacerts` keystore: +
+alias name "addtrustclass1ca [jdk]"
+
+Distinguished Name: CN=AddTrust Class 1 CA Root, OU=AddTrust TTP Network, O=AddTrust AB, C=SE
+
+JDK-8244166: Removal of DocuSign Root CA Certificate
+====================================================
+The following expired DocuSign root CA certificate was removed from the `cacerts` keystore: +
+alias name "keynectisrootca [jdk]"
+
+Distinguished Name: CN=KEYNECTIS ROOT CA, OU=ROOT, O=KEYNECTIS, C=FR
+
+security-libs/javax.crypto:pkcs11:
+
+JDK-8240191: Allow SunPKCS11 initialization with NSS when external FIPS modules are present in the Security Modules Database
+============================================================================================================================
+The SunPKCS11 security provider can now be initialized with NSS when
+FIPS-enabled external modules are configured in the Security Modules
+Database (NSSDB). Prior to this change, the SunPKCS11 provider would
+throw a RuntimeException with the message: "FIPS flag set for
+non-internal module" when such a library was configured for NSS in
+non-FIPS mode.
+
+This change allows the JDK to work properly with recent NSS releases
+in GNU/Linux operating systems when the system-wide FIPS policy is
+turned on.
+
+Further information can be found in JDK-8238555.
+
+security-libs/javax.net.ssl:
+
+JDK-8245077: Default SSLEngine Should Create in Server Role
+===========================================================
+In JDK 11 and later, `javax.net.ssl.SSLEngine` by default used client
+mode when handshaking. As a result, the set of default enabled
+protocols may differ to what is expected. `SSLEngine` would usually be
+used in server mode. From this JDK release onwards, `SSLEngine` will
+default to server mode. The
+`javax.net.ssl.SSLEngine.setUseClientMode(boolean mode)` method may
+be used to configure the mode.
+
+JDK-8242147: New System Properties to Configure the TLS Signature Schemes
+=========================================================================
+
+Two new System Properties are added to customize the TLS signature
+schemes in JDK. `jdk.tls.client.SignatureSchemes` is added for TLS
+client side, and `jdk.tls.server.SignatureSchemes` is added for server
+side.
+
+Each System Property contains a comma-separated list of supported
+signature scheme names specifying the signature schemes that could be
+used for the TLS connections.
+
+The names are described in the "Signature Schemes" section of the
+*Java Security Standard Algorithm Names Specification*.
+
+New in release OpenJDK 11.0.7 (2020-04-14):
+===========================================
+Live versions of these release notes can be found at:
+ * https://bitly.com/oj1107
+ * https://builds.shipilev.net/backports-monitor/release-notes-11.0.7.txt
+
+* Security fixes
+ - JDK-8223898, CVE-2020-2754: Forward references to Nashorn
+ - JDK-8223904, CVE-2020-2755: Improve Nashorn matching
+ - JDK-8224541, CVE-2020-2756: Better mapping of serial ENUMs
+ - JDK-8224549, CVE-2020-2757: Less Blocking Array Queues
+ - JDK-8225603: Enhancement for big integers
+ - JDK-8226346: Build better binary builders
+ - JDK-8227467: Better class method invocations
+ - JDK-8227542: Manifest improved jar headers
+ - JDK-8229733: TLS message handling improvements
+ - JDK-8231415, CVE-2020-2773: Better signatures in XML
+ - JDK-8231785: Improved socket permissions
+ - JDK-8232424, CVE-2020-2778: More constrained algorithms
+ - JDK-8232581, CVE-2020-2767: Improve TLS verification
+ - JDK-8233250: Better X11 rendering
+ - JDK-8233410: Better Build Scripting
+ - JDK-8234027: Better JCEKS key support
+ - JDK-8234408, CVE-2020-2781: Improve TLS session handling
+ - JDK-8234825, CVE-2020-2800: Better Headings for HTTP Servers
+ - JDK-8234841, CVE-2020-2803: Enhance buffering of byte buffers
+ - JDK-8235274, CVE-2020-2805: Enhance typing of methods
+ - JDK-8235691, CVE-2020-2816: Enhance TLS connectivity
+ - JDK-8236201, CVE-2020-2830: Better Scanner conversions
+ - JDK-8238960: linux-i586 builds are inconsistent as the newly build jdk is not able to reserve enough space for object heap
+* Other changes
+ - JDK-4919790: Errors in alert ssl message does not reflect the actual certificate status
+ - JDK-4949105: Access Bridge lacks html tags parsing
+ - JDK-7092821: java.security.Provider.getService() is synchronized and became scalability bottleneck
+ - JDK-7143743: Potential memory leak with zip provider
+ - JDK-8005819: Support cross-realm MSSFU
+ - JDK-8042383: [TEST_BUG] Test javax/swing/plaf/basic/BasicMenuUI/4983388/bug4983388.java fails with shortcuts on menus do not work
+ - JDK-8068184: Fix for JDK-8032832 caused a deadlock
+ - JDK-8145845: [AOT] NullPointerException in compiler/whitebox/GetCodeHeapEntriesTest.java
+ - JDK-8152988: [AOT] Update test batch definitions to include aot-ed java.base module mode into hs-comp testing
+ - JDK-8160926: FLAGS_COMPILER_CHECK_ARGUMENTS doesn't handle cross-compilation
+ - JDK-8163083: SocketListeningConnector does not allow invocations with port 0
+ - JDK-8163251: Hard coded loop limit prevents reading of smart card data greater than 8k
+ - JDK-8167276: jvmci/compilerToVM/MaterializeVirtualObjectTest.java fails with -XX:-EliminateAllocations
+ - JDK-8169718: nsk/jdb/locals/locals002: ERROR: Cannot find boolVar with expected value: false
+ - JDK-8176556: java/awt/dnd/ImageTransferTest/ImageTransferTest.java fails for JFIF
+ - JDK-8178798: Two compiler/aot/verification/vmflags tests fail by timeout with UseAVX=3
+ - JDK-8183107: PKCS11 regression regarding checkKeySize
+ - JDK-8185005: Improve performance of ThreadMXBean.getThreadInfo(long ids[], int maxDepth)
+ - JDK-8189633: Missing -Xcheck:jni checking for DeleteWeakGlobalRef
+ - JDK-8189861: Refactor CacheFind
+ - JDK-8193042: NativeLookup::lookup_critical_entry() should only load shared library once
+ - JDK-8193596: java/net/DatagramPacket/ReuseBuf.java failed due to timeout
+ - JDK-8194944: Regression automated test 'open/test/jdk/javax/swing/JInternalFrame/8145896/TestJInternalFrameMaximize.java' fails
+ - JDK-8196467: javax/swing/JInternalFrame/Test6325652.java fails
+ - JDK-8196969: JTreg Failure: serviceability/sa/ClhsdbJstack.java causes NPE
+ - JDK-8198321: javax/swing/JEditorPane/5076514/bug5076514.java fails
+ - JDK-8198398: Test javax/swing/JColorChooser/Test6199676.java fails in mach5
+ - JDK-8199072: Test javax/swing/GroupLayout/6613904/bug6613904.java is unstable
+ - JDK-8200432: javadoc fails with ClassCastException on {@link byte[]}
+ - JDK-8201349: build broken when configured with --with-zlib=bundled on gcc 7.3
+ - JDK-8201355: Avoid native memory allocation in sun.security.mscapi.PRNG.generateSeed
+ - JDK-8201513: nsk/jvmti/IterateThroughHeap/filter-* are broken
+ - JDK-8203364: Some serviceability/sa/ tests intermittently fail with java.io.IOException: LingeredApp terminated with non-zero exit code 3
+ - JDK-8203687: javax/net/ssl/compatibility/Compatibility.java supports TLS 1.3
+ - JDK-8203904: javax/swing/JSplitPane/4816114/bug4816114.java: The divider location is wrong
+ - JDK-8203911: Test runtime/modules/getModuleJNI/GetModule fails with -Xcheck:jni
+ - JDK-8204525: [TESTBUG] runtime/NMT/MallocStressTest.java ran out of java heap
+ - JDK-8204529: gc/TestAllocateHeapAtMultiple.java fail with Agent 7 timed out
+ - JDK-8204551: Event descriptions are truncated in logs
+ - JDK-8206963: [AOT] bug with multiple class loaders
+ - JDK-8207367: 10 vmTestbase/nsk/jdi tests timed out when running with jtreg
+ - JDK-8207832: serviceability/sa/ClhsdbCDSCore.java failed with "Couldn't find core file location"
+ - JDK-8207938: At step6,Click Add button,case failed automatically.
+ - JDK-8208157: requires.VMProps throws NPE for missing properties in "release" file
+ - JDK-8208379: compiler/jvmci/events/JvmciNotifyInstallEventTest.java failed with "Got unexpected event count after 2nd install attempt: expected 9 to equal 2"
+ - JDK-8208658: Make CDS archived heap regions usable even if compressed oop encoding has changed
+ - JDK-8208715: Conversion of milliseconds to nanoseconds in UNIXProcess contains bug
+ - JDK-8209361: [AOT] Unexpected number of references for JVMTI_HEAP_REFERENCE_CONSTANT_POOL [111-->111]: 0 (expected at least 1)
+ - JDK-8209385: CDS runtime classpath checking is too strict when only classes from the system modules are archived
+ - JDK-8209389: SIGSEGV in WalkOopAndArchiveClosure::do_oop_work.
+ - JDK-8209418: Synchronize test/jdk/sanity/client/lib/jemmy with code-tools/jemmy/v2
+ - JDK-8209494: Create a test for SwingSet InternalFrameDemo
+ - JDK-8209499: Create test for SwingSet EditorPaneDemo
+ - JDK-8209574: [AOT] breakpoint events are generated in different threads does not meet expected count
+ - JDK-8209686: cleanup arguments to PhaseIdealLoop() constructor
+ - JDK-8209789: Synchronize test/jdk/sanity/client/lib/jemmy with code-tools/jemmy/v2
+ - JDK-8209802: Garbage collectors should register JFR types themselves to avoid build errors.
+ - JDK-8209807: improve handling exception in requires.VMProps
+ - JDK-8209817: stack is executable when building with Clang on Linux
+ - JDK-8209824: Improve the code coverage for ThreadLocal
+ - JDK-8209826: Undefined reference to os::write after JDK-8209657 (filemap.hpp cleanup)
+ - JDK-8209850: Allow NamedThreads to use GlobalCounter critical sections
+ - JDK-8209976: Improve iteration over non-JavaThreads
+ - JDK-8209993: Create a test for SwingSet3 ToolTipDemo
+ - JDK-8210024: JFR calls virtual is_Java_thread from ~Thread()
+ - JDK-8210052: Enable testing for all the available look and feels in SwingSet3 demo tests
+ - JDK-8210055: Enable different look and feel tests in SwingSet3 demo tests
+ - JDK-8210057: Enable different look and feels in SwingSet3 demo test InternalFrameDemoTest
+ - JDK-8210058: Algorithmic Italic font leans opposite angle in Printing
+ - JDK-8210220: [AOT] jdwp test cases are failing with error # ERROR: TEST FAILED: Cought IOException while receiving event packet
+ - JDK-8210289: ArchivedKlassSubGraphInfoRecord is incomplete
+ - JDK-8210459: Add support for generating compile_commands.json
+ - JDK-8210476: sun/security/mscapi/PrngSlow.java fails with Still too slow
+ - JDK-8210512: [Testbug] vmTestbase/nsk/jdi/ObjectReference/referringObjects/referringObjects002/referringObjects002.java fails with unexpected size of ClassLoaderReference.referringObjects
+ - JDK-8210523: runtime/appcds/cacheObject/DifferentHeapSizes.java crash
+ - JDK-8210632: Add key exchange algorithm to javax/net/ssl/TLSCommon/CipherSuite.java
+ - JDK-8210699: Problem list tests which times out in Xcomp mode
+ - JDK-8210793: [JVMCI] AllocateCompileIdTest.java failed to find DiagnosticCommand.class
+ - JDK-8210910: Create test for FileChooserDemo
+ - JDK-8210994: Create test for SwingSet3 FrameDemo
+ - JDK-8211139: Increase timeout value in all tests under jdk/sanity/client/SwingSet/src
+ - JDK-8211160: Handle different look and feels in JInternalFrameOperator
+ - JDK-8211211: vmTestbase/metaspace/stressDictionary/StressDictionary.java timeout
+ - JDK-8211322: Reduce the timeout of tooltip in SwingSet2DemoTest
+ - JDK-8211443: Enable different look and feels in SwingSet3 demo test SplitPaneDemoTest
+ - JDK-8211703: JInternalFrame : java.lang.AssertionError: cannot find the internal frame
+ - JDK-8211781: re-building fails after changing Graal sources
+ - JDK-8212897: Some improvements in the EditorPaneDemotest
+ - JDK-8212903: [TestBug] Tests test/jdk/javax/swing/LookAndFeel/8145547/DemandGTK2.sh and DemandGTK3.sh fail on Ubuntu 18.04 LTS
+ - JDK-8213009: Refactoring existing SunMSCAPI classes
+ - JDK-8213010: Supporting keys created with certmgr.exe
+ - JDK-8213168: Enable different look and feel tests in SwingSet3 demo test FileChooserDemoTest
+ - JDK-8213348: jdk.internal.vm.compiler.management service providers missing in module descriptor
+ - JDK-8213906: Update arm devkits with libXrandr headers
+ - JDK-8213908: AssertionError in DeferredAttr at setOverloadKind
+ - JDK-8214124: [TESTBUG] Bugs in runtime/NMT/MallocStressTest.java
+ - JDK-8214344: C2: assert(con.basic_type() != T_ILLEGAL) failed: elembt=byte; loadbt=void; unsigned=0
+ - JDK-8214345: infinite recursion while checking super class
+ - JDK-8214471: Enable different look and feel tests in SwingSet3 demo test ToolTipDemoTest
+ - JDK-8214534: Setting of THIS_FILE in the build is broken
+ - JDK-8214557: Filter out VM flags which don't affect AOT code generation
+ - JDK-8214578: [macos] Problem with backslashes on macOS/JIS keyboard: Java ignores system settings
+ - JDK-8214840: runtime/NMT/MallocStressTest.java timed out
+ - JDK-8214850: Rename vm_operations.?pp files to vmOperations.?pp files
+ - JDK-8214904: Test8004741.java failed due to "Too few ThreadDeath hits; expected at least 6 but saw only 5"
+ - JDK-8215322: add @file support to jaotc
+ - JDK-8215355: Object monitor deadlock with no threads holding the monitor (using jemalloc 5.1)
+ - JDK-8215396: JTabbedPane preferred size calculation is wrong for SCROLL_TAB_LAYOUT
+ - JDK-8216180: [AOT] compiler/intrinsics/bigInteger/TestMulAdd.java crashed with AOT enabled
+ - JDK-8216353: Use utility APIs introduced in org/netbeans/jemmy/util/LookAndFeel class in client sanity test cases
+ - JDK-8216354: Syntax error in toolchain_windows.m4
+ - JDK-8216472: (se) Stack overflow during selection operation leads to crash (win)
+ - JDK-8216535: tools/jimage/JImageExtractTest.java timed out
+ - JDK-8217235: Create automated test for SwingSet ColorChooserDemoTest
+ - JDK-8217297: Add support for multiple look and feel for SwingSet SliderDemoTest
+ - JDK-8217338: [Containers] Improve systemd slice memory limit support
+ - JDK-8217613: [AOT] TEST_OPTS_AOT_MODULES doesn't work on mac
+ - JDK-8217634: RunTest documentation and usability update
+ - JDK-8217717: ZGC: Broken oop map in C1 load barrier stub
+ - JDK-8217728: Speed up incremental rerun of "make hotspot"
+ - JDK-8218268: Javac treats Manifest Class-Path entries as Paths instead of URLs
+ - JDK-8218662: Allow 204 responses with Content-Length:0
+ - JDK-8218882: NET_Writev is declared, NET_WriteV is defined
+ - JDK-8218889: Improperly use of the Optional API
+ - JDK-8219205: JFR file without license header
+ - JDK-8219597: (bf) Heap buffer state changes could provoke unexpected exceptions
+ - JDK-8219723: javax/net/ssl/compatibility/Compatibility.java failed on some SNI cases
+ - JDK-8220348: [ntintel] asserts about copying unaligned array
+ - JDK-8220451: jdi/EventQueue/remove/remove004 failed due to "ERROR: thread2 is not alive"
+ - JDK-8220456: jdi/EventQueue/remove_l/remove_l004 failed due to "TIMEOUT while waiting for event"
+ - JDK-8220479: java/nio/channels/Selector/SelectWithConsumer.java failed at testTwoChannels()
+ - JDK-8220613: java/util/Arrays/TimSortStackSize2.java times out with fastdebug build
+ - JDK-8220688: [TESTBUG] runtime/NMT/MallocStressTest.java timed out
+ - JDK-8220786: Create new switch to redirect error reporting output to stdout or stderr
+ - JDK-8221270: Duplicated synchronized keywords in SSLSocketImpl
+ - JDK-8221312: test/jdk/sanity/client/SwingSet/src/ColorChooserDemoTest.java failed
+ - JDK-8221851: Use of THIS_FILE in hotspot invalidates precompiled header on Linux/GCC
+ - JDK-8221885: Add intermittent test in the JavaSound to the ProblemList
+ - JDK-8222264: Windows incremental build is broken with JDK-8217728
+ - JDK-8222391: javax/net/ssl/compatibility/Compatibility.java should be more flexible
+ - JDK-8222448: java/lang/reflect/PublicMethods/PublicMethodsTest.java times out
+ - JDK-8222519: ButtonDemoScreenshotTest fails randomly with "still state to be reached"
+ - JDK-8222741: jdi/EventQueue/remove/remove004 fails due to VMDisconnectedException
+ - JDK-8223003: SunMSCAPI keys are not cleaned up
+ - JDK-8223063: Support CNG RSA keys
+ - JDK-8223158: Docked MacBook cannot start any Java Swing applications
+ - JDK-8223260: NamingManager should cache InitialContextFactory
+ - JDK-8223464: Improve version string for Oracle CI builds
+ - JDK-8223558: Java does not render Myanmar script correctly
+ - JDK-8223627: jdk-13+20 bundle name contains null instead of ea
+ - JDK-8223638: Replace wildcard address with loopback or local host in tests - part 6
+ - JDK-8223678: Add Visual Studio Code workspace generation support (for native code)
+ - JDK-8223727: com/sun/jndi/ldap/privconn/RunTest.java failed due to hang in LdapRequest.getReplyBer
+ - JDK-8223769: Assert triggers with -XX:+StressReflectiveCode
+ - JDK-8224187: Refactor arraycopy_prologue to allow ZGC read barriers on arraycopy
+ - JDK-8224475: JTextPane does not show images in HTML rendering
+ - JDK-8224673: Adjust permission for delayed starting of debugging
+ - JDK-8224705: Tests that need to be problem-listed or have printer resources
+ - JDK-8224778: test/jdk/demo/jfc/J2Ddemo/J2DdemoTest.java cannot find J2Ddemo.jar
+ - JDK-8224821: java/awt/Focus/NoAutotransferToDisabledCompTest/NoAutotransferToDisabledCompTest.java fails linux-x64
+ - JDK-8224830: test/jdk/java/awt/Focus/ModalExcludedWindowClickTest/ModalExcludedWindowClickTest.java fails on linux-x64
+ - JDK-8224851: AArch64: fix warnings and errors with Clang and GCC 8.3
+ - JDK-8224905: java/lang/ProcessBuilder/Basic.java#id1 failed with stream closed
+ - JDK-8225007: java/awt/print/PrinterJob/LandscapeStackOverflow.java may hang
+ - JDK-8225105: java/awt/Focus/ShowFrameCheckForegroundTest/ShowFrameCheckForegroundTest.java fails in Windows 10
+ - JDK-8225117: java/math/BigInteger/SymmetricRangeTests.java fails with ParseException
+ - JDK-8225128: Add exception for expiring DocuSign root to VerifyCACerts test
+ - JDK-8225130: Add exception for expiring Comodo roots to VerifyCACerts test
+ - JDK-8225144: [macos] In Aqua L&F backspace key does not delete when Shift is pressed
+ - JDK-8225180: SignedObject with invalid Key not throwing the InvalidKeyException in Windows
+ - JDK-8225182: JNI exception pending in DestroyXIMCallback of awt_InputMethod.c:1327
+ - JDK-8225199: [Graal] compiler/jvmci/compilerToVM/IsMatureVsReprofileTest.java fails with -XX:CompileThresholdScaling=0.1
+ - JDK-8225305: ProblemList java/lang/invoke/VarHandles tests
+ - JDK-8225350: compiler/jvmci/compilerToVM/IsCompilableTest.java timed out
+ - JDK-8225430: Replace wildcard address with loopback or local host in tests - part 14
+ - JDK-8225435: Upgrade IANA Language Subtag Registry to the latest for JDK14
+ - JDK-8225487: giflib legal file is missing attribution for openbsd-reallocarray.c
+ - JDK-8225567: Wrong file headers with 8202414 fix changeset
+ - JDK-8225684: [AOT] vmTestbase/vm/oom/production/AlwaysOOMProduction tests fail with AOTed java.base
+ - JDK-8225766: Curve in certificate should not affect signature scheme when using TLSv1.3
+ - JDK-8225797: OldObjectSample event creates unexpected amount of checkpoint data
+ - JDK-8226381: ProblemList java/lang/reflect/PublicMethods/PublicMethodsTest.java
+ - JDK-8226406: JVM fails to detect mismatched or corrupt CDS archive
+ - JDK-8226608: Hide the onjcmd option from the help output
+ - JDK-8226892: ActionListeners on JRadioButtons don't get notified when selection is changed with arrow keys
+ - JDK-8227112: exclude compiler/intrinsics/sha/sanity tests from AOT runs
+ - JDK-8227324: Upgrade to freetype 2.10.1
+ - JDK-8227528: TestAbortVMOnSafepointTimeout.java failed due to "RuntimeException: 'Safepoint sync time longer than' missing from stdout/stderr"
+ - JDK-8227645: Some tests in serviceability/sa run with fixed -Xmx values and risk running out of memory
+ - JDK-8227646: [TESTBUG] appcds/SharedArchiveConsistency timed out
+ - JDK-8227662: freetype seeks to index at the end of the font data
+ - JDK-8228479: Correct the format of ColorChooserDemoTest
+ - JDK-8228613: java.security.Provider#getServices order is no longer deterministic
+ - JDK-8228969: 2019-09-28 public suffix list update
+ - JDK-8229236: CriticalJNINatives: dll handling should be done in native thread state
+ - JDK-8229345: Memory leak due to vtable stubs not being shared on SPARC
+ - JDK-8229888: (zipfs) Updating an existing zip file does not preserve original permissions
+ - JDK-8229994: assert(false) failed: Bad graph detected in get_early_ctrl_for_expensive
+ - JDK-8230004: jdk/internal/jimage/JImageOpenTest.java runs no test
+ - JDK-8230235: Rendering HTML with empty img attribute and documentBaseKey cause Exception
+ - JDK-8230390: Problemlist SA tests with AOT
+ - JDK-8230400: Missing constant pool entry for a method in stacktrace
+ - JDK-8230459: Test failed to resume JVMCI CompilerThread
+ - JDK-8230480: check malloc/calloc results in java.desktop
+ - JDK-8230597: Update GIFlib library to the 5.2.1
+ - JDK-8230611: infinite loop in LogOutputList::wait_until_no_readers()
+ - JDK-8230624: [TESTBUG] Problemlist JFR compiler/TestCodeSweeper.java
+ - JDK-8230677: Should disable Escape Analysis if JVMTI capability can_get_owned_monitor_info was taken
+ - JDK-8230926: [macosx] Two apostrophes are entered instead of one with "U.S. International - PC" layout
+ - JDK-8231025: Incorrect method tag offset for big endian platform
+ - JDK-8231081: TestMetadataRetention fails due to missing symbol id
+ - JDK-8231387: java.security.Provider.getService returns random result due to race condition with mutating methods in the same class
+ - JDK-8231430: C2: Memory stomp in max_array_length() for T_ILLEGAL type
+ - JDK-8231445: check ZALLOC return values in awt coding
+ - JDK-8231507: Update Apache Santuario (XML Signature) to version 2.1.4
+ - JDK-8231584: Deadlock with ClassLoader.findLibrary and System.loadLibrary call
+ - JDK-8231753: use more Posix functionality in aix os::print_os_info
+ - JDK-8231810: javax/net/ssl/templates/SSLSocketSSLEngineTemplate.java fails intermittently with "java.lang.Exception: Unexpected EOF"
+ - JDK-8232003: (fs) Files.write can leak file descriptor in the exception case
+ - JDK-8232056: GetOwnedMonitorInfoWithEATest.java fails with ZGC: Heap too small
+ - JDK-8232060: add some initializations using sigemptyset in os_aix.cpp
+ - JDK-8232154: Update Mesa 3-D Headers to version 19.2.1
+ - JDK-8232167: Visual Studio install found through --with-tools-dir value is discarded
+ - JDK-8232170: FSInfo#getJarClassPath throws an exception not declared in its throws clause
+ - JDK-8232200: [macos 10.15] Windows in fullscreen tests jumps around the screen
+ - JDK-8232207: Linux os::available_memory re-reads cgroup configuration on every invocation
+ - JDK-8232224: [TESTBUG] problemlist JFR TestLargeRootSet.java
+ - JDK-8232370: Refactor some com.sun.jdi tests to enable IDE integration
+ - JDK-8232433: [macos 10.15] java/awt/Window/LocationAtScreenCorner/LocationAtScreenCorner.java may fail
+ - JDK-8232571: Add missing SIGINFO signal
+ - JDK-8232692: [TESTBUG] compiler/aot/fingerprint/SelfChangedCDS.java fails when cds is disabled
+ - JDK-8232713: Update BCEL version to 6.3.1 in license file
+ - JDK-8232806: Introduce a system property to disable eager lambda initialization
+ - JDK-8232834: RunTest sometimes fails to produce valid exitcode.txt
+ - JDK-8232880: Update test documentation with additional settings for client UI tooltip tests
+ - JDK-8232950: SUNPKCS11 Provider incorrectly check key length for PSS Signatures.
+ - JDK-8233018: Add a new test to verify that DatagramSocket is not interruptible
+ - JDK-8233019: java.lang.Class.isPrimitive() (C1) returns wrong result if Klass* is aligned to 32bit
+ - JDK-8233032: assert(in_bb(n)) failed: must be
+ - JDK-8233078: fix minimal VM build on Linux ppc64(le)
+ - JDK-8233328: fix minimal VM build on Linux s390x
+ - JDK-8233383: Various minor fixes
+ - JDK-8233466: aarch64: remove unnecessary load of mdo when profiling return and parameters type
+ - JDK-8233491: Crash in AdapterHandlerLibrary::get_adapter with CDS due to code cache exhaustion
+ - JDK-8233529: loopTransform.cpp:2984: Error: assert(p_f->Opcode() == Op_IfFalse) failed
+ - JDK-8233548: Update CUP to v0.11b
+ - JDK-8233649: Update ProblemList.txt to exclude failing headful tests on macos
+ - JDK-8233656: assert(d->is_CFG() && n->is_CFG()) failed: must have CFG nodes
+ - JDK-8233657: Intermittent NPE in Component.validate()
+ - JDK-8234288: Turkey Time Zone returns incorrect time zone name
+ - JDK-8234323: NULL-check return value of SurfaceData_InitOps on macosx
+ - JDK-8234339: replace JLI_StrTok in java_md_solinux.c
+ - JDK-8234340: Bump update version for OpenJDK: jdk-11.0.7
+ - JDK-8234350: assert(mode == ControlAroundStripMined && (use == sfpt || !use->is_reachable_from_root())) failed: missed a node
+ - JDK-8234386: [macos] NPE was thrown at expanding Choice from maximized frame
+ - JDK-8234397: add OS uptime information to os::print_os_info output
+ - JDK-8234423: Modifying ArrayList.subList().subList() resets modCount of subList
+ - JDK-8234466: Class loading deadlock involving X509Factory#commitEvent()
+ - JDK-8234501: remove obsolete NET_ReadV
+ - JDK-8234525: enable link-time section-gc for linux s390x to remove unused code
+ - JDK-8234610: MaxVectorSize set wrongly when UseAVX=3 is specified after JDK-8221092
+ - JDK-8234617: C1: Incorrect result of field load due to missing narrowing conversion
+ - JDK-8234723: javax/net/ssl/TLS tests support TLSv1.3
+ - JDK-8234724: javax/net/ssl/templates/SSLSocketSSLEngineTemplate.java supports TLSv1.3
+ - JDK-8234741: enhance os::get_core_path on macOS
+ - JDK-8234769: Duplicate attribution in freetype.md
+ - JDK-8234786: Fix for JDK-8214578 breaks OS X 10.12 compatibility
+ - JDK-8234809: set relro in linker flags when building with gcc
+ - JDK-8234824: java/nio/channels/SocketChannel/AdaptSocket.java fails on Windows 10
+ - JDK-8235243: handle VS2017 15.9 and VS2019 in abstract_vm_version
+ - JDK-8235288: AVX 512 instructions inadvertently used on Xeon for small vector width operations
+ - JDK-8235325: build failure on Linux after 8235243
+ - JDK-8235383: C1 compilation fails with -XX:+PrintIRDuringConstruction -XX:+Verbose
+ - JDK-8235489: handle return values of sscanf calls in hotspot
+ - JDK-8235509: Backport for JDK-8209657 Refactor filemap.hpp to simplify integration with Serviceability Agent.
+ - JDK-8235510: java.util.zip.CRC32 performance drop after 8200067
+ - JDK-8235563: [TESTBUG] appcds/CommandLineFlagComboNegative.java does not handle archive mapping failure
+ - JDK-8235637: jhsdb jmap from OpenJDK 11.0.5 doesn't work if prelink is enabled
+ - JDK-8235671: enhance print_rlimit_info in os_posix
+ - JDK-8235744: PIT: test/jdk/javax/swing/text/html/TestJLabelWithHTMLText.java times out in linux-x64
+ - JDK-8235904: Infinite loop when rendering huge lines
+ - JDK-8235998: [c2] Memory leaks during tracing after '8224193: stringStream should not use Resource Area'.
+ - JDK-8236039: JSSE Client does not accept status_request extension in CertificateRequest messages for TLS 1.3
+ - JDK-8236140: assert(!VerifyHashTableKeys || _hash_lock == 0) failed: remove node from hash table before modifying it
+ - JDK-8236179: C1 register allocation error with T_ADDRESS
+ - JDK-8236488: Support for configure option --with-native-debug-symbols=internal is impossible on Windows
+ - JDK-8236500: Windows ucrt.dll should be looked up in versioned WINSDK subdirectory
+ - JDK-8236709: struct SwitchRange in HS violates C++ One Definition Rule
+ - JDK-8236848: [JDK 11u] make run-test-tier1 fails after backport of JDK-8232834
+ - JDK-8236873: Worker has a deadlock bug
+ - JDK-8237217: Incorrect G1StringDedupEntry type used in StringDedupTable destructor
+ - JDK-8237368: Problem with NullPointerException in RMI TCPEndpoint.read
+ - JDK-8237375: SimpleThresholdPolicy misses CounterDecay timestamp initialization
+ - JDK-8237508: Simplify JarFile.isInitializing
+ - JDK-8237540: Missing files in backport of JDK-8210910
+ - JDK-8237541: Missing files in backport of JDK-8236528
+ - JDK-8237600: Test SunJSSEFIPSInit fails on Ubuntu
+ - JDK-8237819: s390x - remove unused pd_zero_to_words_large
+ - JDK-8237869: exclude jtreg test security/infra/java/security/cert/CertPathValidator/certification/LuxTrustCA.java because of instabilities
+ - JDK-8237879: make 4.3 breaks build
+ - JDK-8237945: CTW: C2 compilation fails with assert(just_allocated_object(alloc_ctl) == ptr) failed: most recent allo
+ - JDK-8238225: Issues reported after replacing symlink at Contents/MacOS/libjli.dylib with binary
+ - JDK-8238247: CTW runner should sweep nmethods more aggressively
+ - JDK-8238366: CTW runner closes standard output on exit
+ - JDK-8238438: SuperWord::co_locate_pack picks memory state of first instead of last load
+ - JDK-8238502: sunmscapi.dll causing EXCEPTION_ACCESS_VIOLATION
+ - JDK-8238534: Deep sign macOS bundles before bundle archive is being created
+ - JDK-8238591: CTW: Split applications/ctw/modules/jdk_localedata.java
+ - JDK-8238596: AVX enabled by default for Skylake even when unsupported
+ - JDK-8238811: C2: assert(i >= req() || i == 0 || is_Region() || is_Phi()) with -XX:+VerifyGraphEdges
+ - JDK-8239005: [TESTBUG] test/hotspot/jtreg/runtime/StackGuardPages/TestStackGuardPages.java: exeinvoke.c: must initialize static state before calling do_overflow()
+ - JDK-8239466: Loss of precision in counter decay calculation in 11u backport of JDK-8237375
+ - JDK-8239856: [ntintel] asserts about copying unaligned array element
+ - JDK-8240724: [test] jdk11 downport of 8224475 misses binary file test/jdk/javax/swing/JTextPane/arrow.png
+ - JDK-8241296: Segfault in JNIHandleBlock::oops_do()
+
+Notes on individual issues:
+===========================
+
+security-libs/javax.xml.crypto:
+
+JDK-8239467: Apache Santuario Library Updated to Version 2.1.4
+==============================================================
+The Apache Santuario library has been upgraded to version 2.1.4. As a
+result, a new system property
+`com.sun.org.apache.xml.internal.security.parser.pool-size` has been
+introduced.
+
+This new system property sets the pool size of the internal
+`DocumentBuilder` cache used when processing XML Signatures. The
+function is equivalent to the
+`org.apache.xml.security.parser.pool-size` system property used in
+Apache Santuario and has the same default value of 20.
diff --git a/SOURCES/TestCryptoLevel.java b/SOURCES/TestCryptoLevel.java
new file mode 100644
index 0000000..b32b7ae
--- /dev/null
+++ b/SOURCES/TestCryptoLevel.java
@@ -0,0 +1,72 @@
+/* TestCryptoLevel -- Ensure unlimited crypto policy is in use.
+ Copyright (C) 2012 Red Hat, Inc.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see .
+*/
+
+import java.lang.reflect.Field;
+import java.lang.reflect.Method;
+import java.lang.reflect.InvocationTargetException;
+
+import java.security.Permission;
+import java.security.PermissionCollection;
+
+public class TestCryptoLevel
+{
+ public static void main(String[] args)
+ throws NoSuchFieldException, ClassNotFoundException,
+ IllegalAccessException, InvocationTargetException
+ {
+ Class cls = null;
+ Method def = null, exempt = null;
+
+ try
+ {
+ cls = Class.forName("javax.crypto.JceSecurity");
+ }
+ catch (ClassNotFoundException ex)
+ {
+ System.err.println("Running a non-Sun JDK.");
+ System.exit(0);
+ }
+ try
+ {
+ def = cls.getDeclaredMethod("getDefaultPolicy");
+ exempt = cls.getDeclaredMethod("getExemptPolicy");
+ }
+ catch (NoSuchMethodException ex)
+ {
+ System.err.println("Running IcedTea with the original crypto patch.");
+ System.exit(0);
+ }
+ def.setAccessible(true);
+ exempt.setAccessible(true);
+ PermissionCollection defPerms = (PermissionCollection) def.invoke(null);
+ PermissionCollection exemptPerms = (PermissionCollection) exempt.invoke(null);
+ Class apCls = Class.forName("javax.crypto.CryptoAllPermission");
+ Field apField = apCls.getDeclaredField("INSTANCE");
+ apField.setAccessible(true);
+ Permission allPerms = (Permission) apField.get(null);
+ if (defPerms.implies(allPerms) && (exemptPerms == null || exemptPerms.implies(allPerms)))
+ {
+ System.err.println("Running with the unlimited policy.");
+ System.exit(0);
+ }
+ else
+ {
+ System.err.println("WARNING: Running with a restricted crypto policy.");
+ System.exit(-1);
+ }
+ }
+}
diff --git a/SOURCES/TestECDSA.java b/SOURCES/TestECDSA.java
new file mode 100644
index 0000000..6eb9cb2
--- /dev/null
+++ b/SOURCES/TestECDSA.java
@@ -0,0 +1,49 @@
+/* TestECDSA -- Ensure ECDSA signatures are working.
+ Copyright (C) 2016 Red Hat, Inc.
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see .
+*/
+
+import java.math.BigInteger;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.Signature;
+
+/**
+ * @test
+ */
+public class TestECDSA {
+
+ public static void main(String[] args) throws Exception {
+ KeyPairGenerator keyGen = KeyPairGenerator.getInstance("EC");
+ KeyPair key = keyGen.generateKeyPair();
+
+ byte[] data = "This is a string to sign".getBytes("UTF-8");
+
+ Signature dsa = Signature.getInstance("NONEwithECDSA");
+ dsa.initSign(key.getPrivate());
+ dsa.update(data);
+ byte[] sig = dsa.sign();
+ System.out.println("Signature: " + new BigInteger(1, sig).toString(16));
+
+ Signature dsaCheck = Signature.getInstance("NONEwithECDSA");
+ dsaCheck.initVerify(key.getPublic());
+ dsaCheck.update(data);
+ boolean success = dsaCheck.verify(sig);
+ if (!success) {
+ throw new RuntimeException("Test failed. Signature verification error");
+ }
+ System.out.println("Test passed.");
+ }
+}
diff --git a/SOURCES/TestSecurityProperties.java b/SOURCES/TestSecurityProperties.java
new file mode 100644
index 0000000..06a0b07
--- /dev/null
+++ b/SOURCES/TestSecurityProperties.java
@@ -0,0 +1,43 @@
+import java.io.File;
+import java.io.FileInputStream;
+import java.security.Security;
+import java.util.Properties;
+
+public class TestSecurityProperties {
+ // JDK 11
+ private static final String JDK_PROPS_FILE_JDK_11 = System.getProperty("java.home") + "/conf/security/java.security";
+ // JDK 8
+ private static final String JDK_PROPS_FILE_JDK_8 = System.getProperty("java.home") + "/lib/security/java.security";
+
+ public static void main(String[] args) {
+ Properties jdkProps = new Properties();
+ loadProperties(jdkProps);
+ for (Object key: jdkProps.keySet()) {
+ String sKey = (String)key;
+ String securityVal = Security.getProperty(sKey);
+ String jdkSecVal = jdkProps.getProperty(sKey);
+ if (!securityVal.equals(jdkSecVal)) {
+ String msg = "Expected value '" + jdkSecVal + "' for key '" +
+ sKey + "'" + " but got value '" + securityVal + "'";
+ throw new RuntimeException("Test failed! " + msg);
+ } else {
+ System.out.println("DEBUG: " + sKey + " = " + jdkSecVal + " as expected.");
+ }
+ }
+ System.out.println("TestSecurityProperties PASSED!");
+ }
+
+ private static void loadProperties(Properties props) {
+ String javaVersion = System.getProperty("java.version");
+ System.out.println("Debug: Java version is " + javaVersion);
+ String propsFile = JDK_PROPS_FILE_JDK_11;
+ if (javaVersion.startsWith("1.8.0")) {
+ propsFile = JDK_PROPS_FILE_JDK_8;
+ }
+ try (FileInputStream fin = new FileInputStream(new File(propsFile))) {
+ props.load(fin);
+ } catch (Exception e) {
+ throw new RuntimeException("Test failed!", e);
+ }
+ }
+}
diff --git a/SOURCES/jconsole.desktop.in b/SOURCES/jconsole.desktop.in
new file mode 100644
index 0000000..8a3b04d
--- /dev/null
+++ b/SOURCES/jconsole.desktop.in
@@ -0,0 +1,10 @@
+[Desktop Entry]
+Name=OpenJDK @JAVA_VER@ for @target_cpu@ Monitoring & Management Console (@OPENJDK_VER@)
+Comment=Monitor and manage OpenJDK applications
+Exec=_SDKBINDIR_/jconsole
+Icon=java-@JAVA_VER@-@JAVA_VENDOR@
+Terminal=false
+Type=Application
+StartupWMClass=sun-tools-jconsole-JConsole
+Categories=Development;Profiling;Java;
+Version=1.0
diff --git a/SOURCES/jdk8257794-remove_broken_assert.patch b/SOURCES/jdk8257794-remove_broken_assert.patch
new file mode 100644
index 0000000..1bfc571
--- /dev/null
+++ b/SOURCES/jdk8257794-remove_broken_assert.patch
@@ -0,0 +1,12 @@
+diff --git openjdk.orig/src/hotspot/share/interpreter/bytecodeInterpreter.cpp openjdk/src/hotspot/share/interpreter/bytecodeInterpreter.cpp
+index d18d70b5f9..30ab380e40 100644
+--- openjdk.orig/src/hotspot/share/interpreter/bytecodeInterpreter.cpp
++++ openjdk/src/hotspot/share/interpreter/bytecodeInterpreter.cpp
+@@ -481,7 +481,6 @@ BytecodeInterpreter::run(interpreterState istate) {
+ #ifdef ASSERT
+ if (istate->_msg != initialize) {
+ assert(labs(istate->_stack_base - istate->_stack_limit) == (istate->_method->max_stack() + 1), "bad stack limit");
+- IA32_ONLY(assert(istate->_stack_limit == istate->_thread->last_Java_sp() + 1, "wrong"));
+ }
+ // Verify linkages.
+ interpreterState l = istate;
diff --git a/SOURCES/jdk8275535-rh2053256-ldap_auth.patch b/SOURCES/jdk8275535-rh2053256-ldap_auth.patch
new file mode 100644
index 0000000..7a25e4b
--- /dev/null
+++ b/SOURCES/jdk8275535-rh2053256-ldap_auth.patch
@@ -0,0 +1,26 @@
+diff --git openjdk.orig/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java openjdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
+index 300f3682655..6f3eb6c450b 100644
+--- openjdk.orig/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
++++ openjdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java
+@@ -226,6 +226,10 @@ final public class LdapCtxFactory implements ObjectFactory, InitialContextFactor
+ ctx = getLdapCtxFromUrl(
+ r.getDomainName(), url, new LdapURL(u), env);
+ return ctx;
++ } catch (AuthenticationException e) {
++ // do not retry on a different endpoint to avoid blocking
++ // the user if authentication credentials are wrong.
++ throw e;
+ } catch (NamingException e) {
+ // try the next element
+ lastException = e;
+@@ -278,6 +282,10 @@ final public class LdapCtxFactory implements ObjectFactory, InitialContextFactor
+ for (String u : urls) {
+ try {
+ return getUsingURL(u, env);
++ } catch (AuthenticationException e) {
++ // do not retry on a different URL to avoid blocking
++ // the user if authentication credentials are wrong.
++ throw e;
+ } catch (NamingException e) {
+ ex = e;
+ }
diff --git a/SOURCES/nss.cfg.in b/SOURCES/nss.cfg.in
new file mode 100644
index 0000000..377a39c
--- /dev/null
+++ b/SOURCES/nss.cfg.in
@@ -0,0 +1,5 @@
+name = NSS
+nssLibraryDirectory = @NSS_LIBDIR@
+nssDbMode = noDb
+attributes = compatibility
+handleStartupErrors = ignoreMultipleInitialisation
diff --git a/SOURCES/nss.fips.cfg.in b/SOURCES/nss.fips.cfg.in
new file mode 100644
index 0000000..1aff153
--- /dev/null
+++ b/SOURCES/nss.fips.cfg.in
@@ -0,0 +1,6 @@
+name = NSS-FIPS
+nssLibraryDirectory = @NSS_LIBDIR@
+nssSecmodDirectory = sql:/etc/pki/nssdb
+nssDbMode = readOnly
+nssModule = fips
+
diff --git a/SOURCES/pr3694-rh1340845-support_fedora_rhel_system_crypto_policy.patch b/SOURCES/pr3694-rh1340845-support_fedora_rhel_system_crypto_policy.patch
new file mode 100644
index 0000000..97f276f
--- /dev/null
+++ b/SOURCES/pr3694-rh1340845-support_fedora_rhel_system_crypto_policy.patch
@@ -0,0 +1,88 @@
+
+# HG changeset patch
+# User andrew
+# Date 1478057514 0
+# Node ID 1c4d5cb2096ae55106111da200b0bcad304f650c
+# Parent 3d53f19b48384e5252f4ec8891f7a3a82d77af2a
+PR3694: Support Fedora/RHEL system crypto policy
+diff -r 3d53f19b4838 -r 1c4d5cb2096a src/java.base/share/classes/java/security/Security.java
+--- a/src/java.base/share/classes/java/security/Security.java Wed Oct 26 03:51:39 2016 +0100
++++ b/src/java.base/share/classes/java/security/Security.java Wed Nov 02 03:31:54 2016 +0000
+@@ -43,6 +43,9 @@
+ * implementation-specific location, which is typically the properties file
+ * {@code conf/security/java.security} in the Java installation directory.
+ *
++ * Additional default values of security properties are read from a
++ * system-specific location, if available.
++ *
+ * @author Benjamin Renaud
+ * @since 1.1
+ */
+@@ -52,6 +55,10 @@
+ private static final Debug sdebug =
+ Debug.getInstance("properties");
+
++ /* System property file*/
++ private static final String SYSTEM_PROPERTIES =
++ "/etc/crypto-policies/back-ends/java.config";
++
+ /* The java.security properties */
+ private static Properties props;
+
+@@ -93,6 +100,7 @@
+ if (sdebug != null) {
+ sdebug.println("reading security properties file: " +
+ propFile);
++ sdebug.println(props.toString());
+ }
+ } catch (IOException e) {
+ if (sdebug != null) {
+@@ -114,6 +122,31 @@
+ }
+
+ if ("true".equalsIgnoreCase(props.getProperty
++ ("security.useSystemPropertiesFile"))) {
++
++ // now load the system file, if it exists, so its values
++ // will win if they conflict with the earlier values
++ try (BufferedInputStream bis =
++ new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
++ props.load(bis);
++ loadedProps = true;
++
++ if (sdebug != null) {
++ sdebug.println("reading system security properties file " +
++ SYSTEM_PROPERTIES);
++ sdebug.println(props.toString());
++ }
++ } catch (IOException e) {
++ if (sdebug != null) {
++ sdebug.println
++ ("unable to load security properties from " +
++ SYSTEM_PROPERTIES);
++ e.printStackTrace();
++ }
++ }
++ }
++
++ if ("true".equalsIgnoreCase(props.getProperty
+ ("security.overridePropertiesFile"))) {
+
+ String extraPropFile = System.getProperty
+diff -r 3d53f19b4838 -r 1c4d5cb2096a src/java.base/share/conf/security/java.security
+--- a/src/java.base/share/conf/security/java.security Wed Oct 26 03:51:39 2016 +0100
++++ b/src/java.base/share/conf/security/java.security Wed Nov 02 03:31:54 2016 +0000
+@@ -276,6 +276,13 @@
+ security.overridePropertiesFile=true
+
+ #
++# Determines whether this properties file will be appended to
++# using the system properties file stored at
++# /etc/crypto-policies/back-ends/java.config
++#
++security.useSystemPropertiesFile=true
++
++#
+ # Determines the default key and trust manager factory algorithms for
+ # the javax.net.ssl package.
+ #
diff --git a/SOURCES/pr3695-toggle_system_crypto_policy.patch b/SOURCES/pr3695-toggle_system_crypto_policy.patch
new file mode 100644
index 0000000..3799237
--- /dev/null
+++ b/SOURCES/pr3695-toggle_system_crypto_policy.patch
@@ -0,0 +1,78 @@
+# HG changeset patch
+# User andrew
+# Date 1545198926 0
+# Wed Dec 19 05:55:26 2018 +0000
+# Node ID f2cbd688824c128db7fa848c8732fb0ab3507776
+# Parent 81f07f6d1f8b7b51b136d3974c61bc8bb513770c
+PR3695: Allow use of system crypto policy to be disabled by the user
+Summary: Read user overrides first so security.useSystemPropertiesFile can be disabled and add -Djava.security.disableSystemPropertiesFile
+
+diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java
+--- a/src/java.base/share/classes/java/security/Security.java
++++ b/src/java.base/share/classes/java/security/Security.java
+@@ -125,31 +125,6 @@
+ }
+
+ if ("true".equalsIgnoreCase(props.getProperty
+- ("security.useSystemPropertiesFile"))) {
+-
+- // now load the system file, if it exists, so its values
+- // will win if they conflict with the earlier values
+- try (BufferedInputStream bis =
+- new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
+- props.load(bis);
+- loadedProps = true;
+-
+- if (sdebug != null) {
+- sdebug.println("reading system security properties file " +
+- SYSTEM_PROPERTIES);
+- sdebug.println(props.toString());
+- }
+- } catch (IOException e) {
+- if (sdebug != null) {
+- sdebug.println
+- ("unable to load security properties from " +
+- SYSTEM_PROPERTIES);
+- e.printStackTrace();
+- }
+- }
+- }
+-
+- if ("true".equalsIgnoreCase(props.getProperty
+ ("security.overridePropertiesFile"))) {
+
+ String extraPropFile = System.getProperty
+@@ -215,6 +190,33 @@
+ }
+ }
+
++ String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
++ if (disableSystemProps == null &&
++ "true".equalsIgnoreCase(props.getProperty
++ ("security.useSystemPropertiesFile"))) {
++
++ // now load the system file, if it exists, so its values
++ // will win if they conflict with the earlier values
++ try (BufferedInputStream bis =
++ new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
++ props.load(bis);
++ loadedProps = true;
++
++ if (sdebug != null) {
++ sdebug.println("reading system security properties file " +
++ SYSTEM_PROPERTIES);
++ sdebug.println(props.toString());
++ }
++ } catch (IOException e) {
++ if (sdebug != null) {
++ sdebug.println
++ ("unable to load security properties from " +
++ SYSTEM_PROPERTIES);
++ e.printStackTrace();
++ }
++ }
++ }
++
+ if (!loadedProps) {
+ initializeStatic();
+ if (sdebug != null) {
diff --git a/SOURCES/remove-intree-libraries.sh b/SOURCES/remove-intree-libraries.sh
new file mode 100644
index 0000000..d475909
--- /dev/null
+++ b/SOURCES/remove-intree-libraries.sh
@@ -0,0 +1,159 @@
+#!/bin/sh
+
+# Arguments:
+TREE=${1}
+TYPE=${2}
+
+ZIP_SRC=src/java.base/share/native/libzip/zlib/
+JPEG_SRC=src/java.desktop/share/native/libjavajpeg/
+GIF_SRC=src/java.desktop/share/native/libsplashscreen/giflib/
+PNG_SRC=src/java.desktop/share/native/libsplashscreen/libpng/
+LCMS_SRC=src/java.desktop/share/native/liblcms/
+
+if test "x${TREE}" = "x"; then
+ echo "$0 (MINIMAL|FULL)";
+ exit 1;
+fi
+
+if test "x${TYPE}" = "x"; then
+ TYPE=minimal;
+fi
+
+if test "x${TYPE}" != "xminimal" -a "x${TYPE}" != "xfull"; then
+ echo "Type must be minimal or full";
+ exit 2;
+fi
+
+echo "Removing in-tree libraries from ${TREE}"
+echo "Cleansing operation: ${TYPE}";
+
+cd ${TREE}
+
+echo "Removing built-in libs (they will be linked)"
+
+# On full runs, allow for zlib having already been deleted by minimal
+echo "Removing zlib"
+if [ "x${TYPE}" = "xminimal" -a ! -d ${ZIP_SRC} ]; then
+ echo "${ZIP_SRC} does not exist. Refusing to proceed."
+ exit 1
+fi
+rm -rvf ${ZIP_SRC}
+
+# Minimal is limited to just zlib so finish here
+if test "x${TYPE}" = "xminimal"; then
+ echo "Finished.";
+ exit 0;
+fi
+
+echo "Removing libjpeg"
+if [ ! -f ${JPEG_SRC}/jdhuff.c ]; then # some file that should definitely exist
+ echo "${JPEG_SRC} does not contain jpeg sources. Refusing to proceed."
+ exit 1
+fi
+
+rm -vf ${JPEG_SRC}/jcomapi.c
+rm -vf ${JPEG_SRC}/jdapimin.c
+rm -vf ${JPEG_SRC}/jdapistd.c
+rm -vf ${JPEG_SRC}/jdcoefct.c
+rm -vf ${JPEG_SRC}/jdcolor.c
+rm -vf ${JPEG_SRC}/jdct.h
+rm -vf ${JPEG_SRC}/jddctmgr.c
+rm -vf ${JPEG_SRC}/jdhuff.c
+rm -vf ${JPEG_SRC}/jdhuff.h
+rm -vf ${JPEG_SRC}/jdinput.c
+rm -vf ${JPEG_SRC}/jdmainct.c
+rm -vf ${JPEG_SRC}/jdmarker.c
+rm -vf ${JPEG_SRC}/jdmaster.c
+rm -vf ${JPEG_SRC}/jdmerge.c
+rm -vf ${JPEG_SRC}/jdphuff.c
+rm -vf ${JPEG_SRC}/jdpostct.c
+rm -vf ${JPEG_SRC}/jdsample.c
+rm -vf ${JPEG_SRC}/jerror.c
+rm -vf ${JPEG_SRC}/jerror.h
+rm -vf ${JPEG_SRC}/jidctflt.c
+rm -vf ${JPEG_SRC}/jidctfst.c
+rm -vf ${JPEG_SRC}/jidctint.c
+rm -vf ${JPEG_SRC}/jidctred.c
+rm -vf ${JPEG_SRC}/jinclude.h
+rm -vf ${JPEG_SRC}/jmemmgr.c
+rm -vf ${JPEG_SRC}/jmemsys.h
+rm -vf ${JPEG_SRC}/jmemnobs.c
+rm -vf ${JPEG_SRC}/jmorecfg.h
+rm -vf ${JPEG_SRC}/jpegint.h
+rm -vf ${JPEG_SRC}/jpeglib.h
+rm -vf ${JPEG_SRC}/jquant1.c
+rm -vf ${JPEG_SRC}/jquant2.c
+rm -vf ${JPEG_SRC}/jutils.c
+rm -vf ${JPEG_SRC}/jcapimin.c
+rm -vf ${JPEG_SRC}/jcapistd.c
+rm -vf ${JPEG_SRC}/jccoefct.c
+rm -vf ${JPEG_SRC}/jccolor.c
+rm -vf ${JPEG_SRC}/jcdctmgr.c
+rm -vf ${JPEG_SRC}/jchuff.c
+rm -vf ${JPEG_SRC}/jchuff.h
+rm -vf ${JPEG_SRC}/jcinit.c
+rm -vf ${JPEG_SRC}/jconfig.h
+rm -vf ${JPEG_SRC}/jcmainct.c
+rm -vf ${JPEG_SRC}/jcmarker.c
+rm -vf ${JPEG_SRC}/jcmaster.c
+rm -vf ${JPEG_SRC}/jcparam.c
+rm -vf ${JPEG_SRC}/jcphuff.c
+rm -vf ${JPEG_SRC}/jcprepct.c
+rm -vf ${JPEG_SRC}/jcsample.c
+rm -vf ${JPEG_SRC}/jctrans.c
+rm -vf ${JPEG_SRC}/jdtrans.c
+rm -vf ${JPEG_SRC}/jfdctflt.c
+rm -vf ${JPEG_SRC}/jfdctfst.c
+rm -vf ${JPEG_SRC}/jfdctint.c
+rm -vf ${JPEG_SRC}/jversion.h
+rm -vf ${JPEG_SRC}/README
+
+echo "Removing giflib"
+if [ ! -d ${GIF_SRC} ]; then
+ echo "${GIF_SRC} does not exist. Refusing to proceed."
+ exit 1
+fi
+rm -rvf ${GIF_SRC}
+
+echo "Removing libpng"
+if [ ! -d ${PNG_SRC} ]; then
+ echo "${PNG_SRC} does not exist. Refusing to proceed."
+ exit 1
+fi
+rm -rvf ${PNG_SRC}
+
+echo "Removing lcms"
+if [ ! -d ${LCMS_SRC} ]; then
+ echo "${LCMS_SRC} does not exist. Refusing to proceed."
+ exit 1
+fi
+rm -vf ${LCMS_SRC}/cmscam02.c
+rm -vf ${LCMS_SRC}/cmscgats.c
+rm -vf ${LCMS_SRC}/cmscnvrt.c
+rm -vf ${LCMS_SRC}/cmserr.c
+rm -vf ${LCMS_SRC}/cmsgamma.c
+rm -vf ${LCMS_SRC}/cmsgmt.c
+rm -vf ${LCMS_SRC}/cmshalf.c
+rm -vf ${LCMS_SRC}/cmsintrp.c
+rm -vf ${LCMS_SRC}/cmsio0.c
+rm -vf ${LCMS_SRC}/cmsio1.c
+rm -vf ${LCMS_SRC}/cmslut.c
+rm -vf ${LCMS_SRC}/cmsmd5.c
+rm -vf ${LCMS_SRC}/cmsmtrx.c
+rm -vf ${LCMS_SRC}/cmsnamed.c
+rm -vf ${LCMS_SRC}/cmsopt.c
+rm -vf ${LCMS_SRC}/cmspack.c
+rm -vf ${LCMS_SRC}/cmspcs.c
+rm -vf ${LCMS_SRC}/cmsplugin.c
+rm -vf ${LCMS_SRC}/cmsps2.c
+rm -vf ${LCMS_SRC}/cmssamp.c
+rm -vf ${LCMS_SRC}/cmssm.c
+rm -vf ${LCMS_SRC}/cmstypes.c
+rm -vf ${LCMS_SRC}/cmsvirt.c
+rm -vf ${LCMS_SRC}/cmswtpnt.c
+rm -vf ${LCMS_SRC}/cmsxform.c
+rm -vf ${LCMS_SRC}/lcms2.h
+rm -vf ${LCMS_SRC}/lcms2_internal.h
+rm -vf ${LCMS_SRC}/lcms2_plugin.h
+
+
diff --git a/SOURCES/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch b/SOURCES/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
new file mode 100644
index 0000000..a877506
--- /dev/null
+++ b/SOURCES/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
@@ -0,0 +1,18 @@
+diff -uNr openjdk/src/java.desktop/share/classes/java/awt/Toolkit.java jdk8/jdk/src/java.desktop/share/classes/java/awt/Toolkit.java
+--- openjdk/src/java.desktop/share/classes/java/awt/Toolkit.java
++++ openjdk/src/java.desktop/share/classes/java/awt/Toolkit.java
+@@ -883,9 +883,13 @@
+ return null;
+ }
+ });
+ if (!GraphicsEnvironment.isHeadless()) {
+- loadAssistiveTechnologies();
++ try {
++ loadAssistiveTechnologies();
++ } catch (AWTError error) {
++ // ignore silently
++ }
+ }
+ }
+ return toolkit;
+ }
diff --git a/SOURCES/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch b/SOURCES/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
new file mode 100644
index 0000000..1b92ddc
--- /dev/null
+++ b/SOURCES/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
@@ -0,0 +1,11 @@
+diff -r 5b86f66575b7 src/share/lib/security/java.security-linux
+--- openjdk/src/java.base/share/conf/security/java.security Tue May 16 13:29:05 2017 -0700
++++ openjdk/src/java.base/share/conf/security/java.security Tue Jun 06 14:05:12 2017 +0200
+@@ -83,6 +83,7 @@
+ #ifndef solaris
+ security.provider.tbd=SunPKCS11
+ #endif
++#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
+
+ #
+ # A list of preferred providers for specific algorithms. These providers will
diff --git a/SOURCES/rh1648644-java_access_bridge_privileged_security.patch b/SOURCES/rh1648644-java_access_bridge_privileged_security.patch
new file mode 100644
index 0000000..53026ad
--- /dev/null
+++ b/SOURCES/rh1648644-java_access_bridge_privileged_security.patch
@@ -0,0 +1,20 @@
+--- openjdk/src/java.base/share/conf/security/java.security
++++ openjdk/src/java.base/share/conf/security/java.security
+@@ -304,6 +304,8 @@
+ #
+ package.access=sun.misc.,\
+ sun.reflect.,\
++ org.GNOME.Accessibility.,\
++ org.GNOME.Bonobo.,\
+
+ #
+ # List of comma-separated packages that start with or equal this string
+@@ -316,6 +318,8 @@
+ #
+ package.definition=sun.misc.,\
+ sun.reflect.,\
++ org.GNOME.Accessibility.,\
++ org.GNOME.Bonobo.,\
+
+ #
+ # Determines whether this properties file can be appended to
diff --git a/SOURCES/rh1655466-global_crypto_and_fips.patch b/SOURCES/rh1655466-global_crypto_and_fips.patch
new file mode 100644
index 0000000..8bf1ced
--- /dev/null
+++ b/SOURCES/rh1655466-global_crypto_and_fips.patch
@@ -0,0 +1,205 @@
+diff --git a/src/java.base/share/classes/javopenjdk.orig///security/Security.java openjdk///src/java.base/share/classes/java/security/Security.java
+--- openjdk.orig/src/java.base/share/classes/java/security/Security.java
++++ openjdk/src/java.base/share/classes/java/security/Security.java
+@@ -196,26 +196,8 @@
+ if (disableSystemProps == null &&
+ "true".equalsIgnoreCase(props.getProperty
+ ("security.useSystemPropertiesFile"))) {
+-
+- // now load the system file, if it exists, so its values
+- // will win if they conflict with the earlier values
+- try (BufferedInputStream bis =
+- new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) {
+- props.load(bis);
++ if (SystemConfigurator.configure(props)) {
+ loadedProps = true;
+-
+- if (sdebug != null) {
+- sdebug.println("reading system security properties file " +
+- SYSTEM_PROPERTIES);
+- sdebug.println(props.toString());
+- }
+- } catch (IOException e) {
+- if (sdebug != null) {
+- sdebug.println
+- ("unable to load security properties from " +
+- SYSTEM_PROPERTIES);
+- e.printStackTrace();
+- }
+ }
+ }
+
+diff --git a/src/java.base/share/classes/javopenjdk.orig///security/SystemConfigurator.java openjdk///src/java.base/share/classes/java/security/SystemConfigurator.java
+new file mode 100644
+--- /dev/null
++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
+@@ -0,0 +1,151 @@
++/*
++ * Copyright (c) 2019, Red Hat, Inc.
++ *
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++package java.security;
++
++import java.io.BufferedInputStream;
++import java.io.FileInputStream;
++import java.io.IOException;
++
++import java.nio.file.Files;
++import java.nio.file.Path;
++
++import java.util.Iterator;
++import java.util.Map.Entry;
++import java.util.Properties;
++import java.util.function.Consumer;
++import java.util.regex.Matcher;
++import java.util.regex.Pattern;
++
++import sun.security.util.Debug;
++
++/**
++ * Internal class to align OpenJDK with global crypto-policies.
++ * Called from java.security.Security class initialization,
++ * during startup.
++ *
++ */
++
++class SystemConfigurator {
++
++ private static final Debug sdebug =
++ Debug.getInstance("properties");
++
++ private static final String CRYPTO_POLICIES_BASE_DIR =
++ "/etc/crypto-policies";
++
++ private static final String CRYPTO_POLICIES_JAVA_CONFIG =
++ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
++
++ private static final String CRYPTO_POLICIES_CONFIG =
++ CRYPTO_POLICIES_BASE_DIR + "/config";
++
++ private static final class SecurityProviderInfo {
++ int number;
++ String key;
++ String value;
++ SecurityProviderInfo(int number, String key, String value) {
++ this.number = number;
++ this.key = key;
++ this.value = value;
++ }
++ }
++
++ /*
++ * Invoked when java.security.Security class is initialized, if
++ * java.security.disableSystemPropertiesFile property is not set and
++ * security.useSystemPropertiesFile is true.
++ */
++ static boolean configure(Properties props) {
++ boolean loadedProps = false;
++
++ try (BufferedInputStream bis =
++ new BufferedInputStream(
++ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) {
++ props.load(bis);
++ loadedProps = true;
++ if (sdebug != null) {
++ sdebug.println("reading system security properties file " +
++ CRYPTO_POLICIES_JAVA_CONFIG);
++ sdebug.println(props.toString());
++ }
++ } catch (IOException e) {
++ if (sdebug != null) {
++ sdebug.println("unable to load security properties from " +
++ CRYPTO_POLICIES_JAVA_CONFIG);
++ e.printStackTrace();
++ }
++ }
++
++ try {
++ if (enableFips()) {
++ if (sdebug != null) { sdebug.println("FIPS mode detected"); }
++ loadedProps = false;
++ // Remove all security providers
++ Iterator> i = props.entrySet().iterator();
++ while (i.hasNext()) {
++ Entry e = i.next();
++ if (((String) e.getKey()).startsWith("security.provider")) {
++ if (sdebug != null) { sdebug.println("Removing provider: " + e); }
++ i.remove();
++ }
++ }
++ // Add FIPS security providers
++ String fipsProviderValue = null;
++ for (int n = 1;
++ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) {
++ String fipsProviderKey = "security.provider." + n;
++ if (sdebug != null) {
++ sdebug.println("Adding provider " + n + ": " +
++ fipsProviderKey + "=" + fipsProviderValue);
++ }
++ props.put(fipsProviderKey, fipsProviderValue);
++ }
++ loadedProps = true;
++ }
++ } catch (Exception e) {
++ if (sdebug != null) {
++ sdebug.println("unable to load FIPS configuration");
++ e.printStackTrace();
++ }
++ }
++ return loadedProps;
++ }
++
++ /*
++ * FIPS is enabled only if crypto-policies are set to "FIPS"
++ * and the com.redhat.fips property is true.
++ */
++ private static boolean enableFips() throws Exception {
++ boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
++ if (fipsEnabled) {
++ String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG)));
++ if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
++ Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
++ return pattern.matcher(cryptoPoliciesConfig).find();
++ } else {
++ return false;
++ }
++ }
++}
+diff --git openjdk.orig///src/java.base/share/conf/security/java.security openjdk///src/java.base/share/conf/security/java.security
+--- openjdk.orig/src/java.base/share/conf/security/java.security
++++ openjdk/src/java.base/share/conf/security/java.security
+@@ -87,6 +87,14 @@
+ #security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
+
+ #
++# Security providers used when global crypto-policies are set to FIPS.
++#
++fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg
++fips.provider.2=SUN
++fips.provider.3=SunEC
++fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS
++
++#
+ # A list of preferred providers for specific algorithms. These providers will
+ # be searched for matching algorithms before the list of registered providers.
+ # Entries containing errors (parsing, etc) will be ignored. Use the
diff --git a/SOURCES/rh1750419-redhat_alt_java.patch b/SOURCES/rh1750419-redhat_alt_java.patch
new file mode 100644
index 0000000..e6355f2
--- /dev/null
+++ b/SOURCES/rh1750419-redhat_alt_java.patch
@@ -0,0 +1,116 @@
+diff -r 1356affa5e44 make/launcher/Launcher-java.base.gmk
+--- openjdk/make/launcher/Launcher-java.base.gmk Wed Nov 25 08:27:15 2020 +0100
++++ openjdk/make/launcher/Launcher-java.base.gmk Tue Dec 01 12:29:30 2020 +0100
+@@ -41,6 +41,16 @@
+ OPTIMIZATION := HIGH, \
+ ))
+
++#Wno-error=cpp is present to allow commented warning in ifdef part of main.c
++$(eval $(call SetupBuildLauncher, alt-java, \
++ CFLAGS := -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES -DREDHAT_ALT_JAVA -Wno-error=cpp, \
++ LDFLAGS_solaris := -R$(OPENWIN_HOME)/lib$(OPENJDK_TARGET_CPU_ISADIR), \
++ LIBS_windows := user32.lib comctl32.lib, \
++ EXTRA_RC_FLAGS := $(JAVA_RC_FLAGS), \
++ VERSION_INFO_RESOURCE := $(JAVA_VERSION_INFO_RESOURCE), \
++ OPTIMIZATION := HIGH, \
++))
++
+ ifeq ($(OPENJDK_TARGET_OS), windows)
+ $(eval $(call SetupBuildLauncher, javaw, \
+ CFLAGS := -DJAVAW -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES, \
+
+diff -r 25e94aa812b2 src/share/bin/alt_main.h
+--- /dev/null Thu Jan 01 00:00:00 1970 +0000
++++ openjdk/src/java.base/share/native/launcher/alt_main.h Tue Jun 02 17:15:28 2020 +0100
+@@ -0,0 +1,73 @@
++/*
++ * Copyright (c) 2019, Red Hat, Inc. All rights reserved.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++#ifdef REDHAT_ALT_JAVA
++
++#include
++
++
++/* Per task speculation control */
++#ifndef PR_GET_SPECULATION_CTRL
++# define PR_GET_SPECULATION_CTRL 52
++#endif
++#ifndef PR_SET_SPECULATION_CTRL
++# define PR_SET_SPECULATION_CTRL 53
++#endif
++/* Speculation control variants */
++#ifndef PR_SPEC_STORE_BYPASS
++# define PR_SPEC_STORE_BYPASS 0
++#endif
++/* Return and control values for PR_SET/GET_SPECULATION_CTRL */
++
++#ifndef PR_SPEC_NOT_AFFECTED
++# define PR_SPEC_NOT_AFFECTED 0
++#endif
++#ifndef PR_SPEC_PRCTL
++# define PR_SPEC_PRCTL (1UL << 0)
++#endif
++#ifndef PR_SPEC_ENABLE
++# define PR_SPEC_ENABLE (1UL << 1)
++#endif
++#ifndef PR_SPEC_DISABLE
++# define PR_SPEC_DISABLE (1UL << 2)
++#endif
++#ifndef PR_SPEC_FORCE_DISABLE
++# define PR_SPEC_FORCE_DISABLE (1UL << 3)
++#endif
++#ifndef PR_SPEC_DISABLE_NOEXEC
++# define PR_SPEC_DISABLE_NOEXEC (1UL << 4)
++#endif
++
++static void set_speculation() __attribute__((constructor));
++static void set_speculation() {
++ if ( prctl(PR_SET_SPECULATION_CTRL,
++ PR_SPEC_STORE_BYPASS,
++ PR_SPEC_DISABLE_NOEXEC, 0, 0) == 0 ) {
++ return;
++ }
++ prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);
++}
++
++#endif // REDHAT_ALT_JAVA
+diff -r 25e94aa812b2 src/share/bin/main.c
+--- openjdk/src/java.base/share/native/launcher/main.c Wed Feb 05 12:20:36 2020 -0300
++++ openjdk/src/java.base/share/native/launcher/main.c Tue Jun 02 17:15:28 2020 +0100
+@@ -34,6 +34,14 @@
+ #include "jli_util.h"
+ #include "jni.h"
+
++#ifdef REDHAT_ALT_JAVA
++#if defined(__linux__) && defined(__x86_64__)
++#include "alt_main.h"
++#else
++#warning alt-java requested but SSB mitigation not available on this platform.
++#endif
++#endif
++
+ #ifdef _MSC_VER
+ #if _MSC_VER > 1400 && _MSC_VER < 1600
+
diff --git a/SOURCES/rh1818909-fips_default_keystore_type.patch b/SOURCES/rh1818909-fips_default_keystore_type.patch
new file mode 100644
index 0000000..ff34f3e
--- /dev/null
+++ b/SOURCES/rh1818909-fips_default_keystore_type.patch
@@ -0,0 +1,52 @@
+diff -r 6efbd7b35a10 src/share/classes/java/security/SystemConfigurator.java
+--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java Thu Jan 23 18:22:31 2020 -0300
++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java Mon Mar 02 19:20:17 2020 -0300
+@@ -123,6 +123,33 @@
+ }
+ props.put(fipsProviderKey, fipsProviderValue);
+ }
++ // Add other security properties
++ String keystoreTypeValue = (String) props.get("fips.keystore.type");
++ if (keystoreTypeValue != null) {
++ String nonFipsKeystoreType = props.getProperty("keystore.type");
++ props.put("keystore.type", keystoreTypeValue);
++ if (keystoreTypeValue.equals("PKCS11")) {
++ // If keystore.type is PKCS11, javax.net.ssl.keyStore
++ // must be "NONE". See JDK-8238264.
++ System.setProperty("javax.net.ssl.keyStore", "NONE");
++ }
++ if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
++ // If no trustStoreType has been set, use the
++ // previous keystore.type under FIPS mode. In
++ // a default configuration, the Trust Store will
++ // be 'cacerts' (JKS type).
++ System.setProperty("javax.net.ssl.trustStoreType",
++ nonFipsKeystoreType);
++ }
++ if (sdebug != null) {
++ sdebug.println("FIPS mode default keystore.type = " +
++ keystoreTypeValue);
++ sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
++ System.getProperty("javax.net.ssl.keyStore", ""));
++ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
++ System.getProperty("javax.net.ssl.trustStoreType", ""));
++ }
++ }
+ loadedProps = true;
+ }
+ } catch (Exception e) {
+diff -r 6efbd7b35a10 src/share/lib/security/java.security-linux
+--- openjdk.orig/src/java.base/share/conf/security/java.security Thu Jan 23 18:22:31 2020 -0300
++++ openjdk/src/java.base/share/conf/security/java.security Mon Mar 02 19:20:17 2020 -0300
+@@ -299,6 +299,11 @@
+ keystore.type=pkcs12
+
+ #
++# Default keystore type used when global crypto-policies are set to FIPS.
++#
++fips.keystore.type=PKCS11
++
++#
+ # Controls compatibility mode for JKS and PKCS12 keystore types.
+ #
+ # When set to 'true', both JKS and PKCS12 keystore types support loading
diff --git a/SOURCES/rh1842572-rsa_default_for_keytool.patch b/SOURCES/rh1842572-rsa_default_for_keytool.patch
new file mode 100644
index 0000000..9f1dabc
--- /dev/null
+++ b/SOURCES/rh1842572-rsa_default_for_keytool.patch
@@ -0,0 +1,12 @@
+diff --git openjdk.orig/src/java.base/share/classes/sun/security/tools/keytool/Main.java openjdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java
+--- openjdk.orig/src/java.base/share/classes/sun/security/tools/keytool/Main.java
++++ openjdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java
+@@ -1135,7 +1135,7 @@
+ }
+ } else if (command == GENKEYPAIR) {
+ if (keyAlgName == null) {
+- keyAlgName = "DSA";
++ keyAlgName = "RSA";
+ }
+ doGenKeyPair(alias, dname, keyAlgName, keysize, groupName, sigAlgName);
+ kssave = true;
diff --git a/SOURCES/rh1860986-disable_tlsv1.3_in_fips_mode.patch b/SOURCES/rh1860986-disable_tlsv1.3_in_fips_mode.patch
new file mode 100644
index 0000000..0a76cad
--- /dev/null
+++ b/SOURCES/rh1860986-disable_tlsv1.3_in_fips_mode.patch
@@ -0,0 +1,311 @@
+diff -r bbc65dfa59d1 src/java.base/share/classes/java/security/SystemConfigurator.java
+--- openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java Thu Jan 23 18:22:31 2020 -0300
++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java Sat Aug 01 23:16:51 2020 -0300
+@@ -1,11 +1,13 @@
+ /*
+- * Copyright (c) 2019, Red Hat, Inc.
++ * Copyright (c) 2019, 2020, Red Hat, Inc.
+ *
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+- * published by the Free Software Foundation.
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+@@ -34,10 +36,10 @@
+ import java.util.Iterator;
+ import java.util.Map.Entry;
+ import java.util.Properties;
+-import java.util.function.Consumer;
+-import java.util.regex.Matcher;
+ import java.util.regex.Pattern;
+
++import jdk.internal.misc.SharedSecrets;
++import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess;
+ import sun.security.util.Debug;
+
+ /**
+@@ -47,7 +49,7 @@
+ *
+ */
+
+-class SystemConfigurator {
++final class SystemConfigurator {
+
+ private static final Debug sdebug =
+ Debug.getInstance("properties");
+@@ -61,15 +63,16 @@
+ private static final String CRYPTO_POLICIES_CONFIG =
+ CRYPTO_POLICIES_BASE_DIR + "/config";
+
+- private static final class SecurityProviderInfo {
+- int number;
+- String key;
+- String value;
+- SecurityProviderInfo(int number, String key, String value) {
+- this.number = number;
+- this.key = key;
+- this.value = value;
+- }
++ private static boolean systemFipsEnabled = false;
++
++ static {
++ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
++ new JavaSecuritySystemConfiguratorAccess() {
++ @Override
++ public boolean isSystemFipsEnabled() {
++ return SystemConfigurator.isSystemFipsEnabled();
++ }
++ });
+ }
+
+ /*
+@@ -128,9 +131,9 @@
+ String nonFipsKeystoreType = props.getProperty("keystore.type");
+ props.put("keystore.type", keystoreTypeValue);
+ if (keystoreTypeValue.equals("PKCS11")) {
+- // If keystore.type is PKCS11, javax.net.ssl.keyStore
+- // must be "NONE". See JDK-8238264.
+- System.setProperty("javax.net.ssl.keyStore", "NONE");
++ // If keystore.type is PKCS11, javax.net.ssl.keyStore
++ // must be "NONE". See JDK-8238264.
++ System.setProperty("javax.net.ssl.keyStore", "NONE");
+ }
+ if (System.getProperty("javax.net.ssl.trustStoreType") == null) {
+ // If no trustStoreType has been set, use the
+@@ -144,12 +147,13 @@
+ sdebug.println("FIPS mode default keystore.type = " +
+ keystoreTypeValue);
+ sdebug.println("FIPS mode javax.net.ssl.keyStore = " +
+- System.getProperty("javax.net.ssl.keyStore", ""));
++ System.getProperty("javax.net.ssl.keyStore", ""));
+ sdebug.println("FIPS mode javax.net.ssl.trustStoreType = " +
+ System.getProperty("javax.net.ssl.trustStoreType", ""));
+ }
+ }
+ loadedProps = true;
++ systemFipsEnabled = true;
+ }
+ } catch (Exception e) {
+ if (sdebug != null) {
+@@ -160,13 +164,30 @@
+ return loadedProps;
+ }
+
++ /**
++ * Returns whether or not global system FIPS alignment is enabled.
++ *
++ * Value is always 'false' before java.security.Security class is
++ * initialized.
++ *
++ * Call from out of this package through SharedSecrets:
++ * SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ * .isSystemFipsEnabled();
++ *
++ * @return a boolean value indicating whether or not global
++ * system FIPS alignment is enabled.
++ */
++ static boolean isSystemFipsEnabled() {
++ return systemFipsEnabled;
++ }
++
+ /*
+ * FIPS is enabled only if crypto-policies are set to "FIPS"
+ * and the com.redhat.fips property is true.
+ */
+ private static boolean enableFips() throws Exception {
+- boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
+- if (fipsEnabled) {
++ boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
++ if (shouldEnable) {
+ String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG)));
+ if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
+ Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
+diff -r bbc65dfa59d1 src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java
+--- /dev/null Thu Jan 01 00:00:00 1970 +0000
++++ openjdk/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java Sat Aug 01 23:16:51 2020 -0300
+@@ -0,0 +1,30 @@
++/*
++ * Copyright (c) 2020, Red Hat, Inc.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++package jdk.internal.misc;
++
++public interface JavaSecuritySystemConfiguratorAccess {
++ boolean isSystemFipsEnabled();
++}
+diff -r bbc65dfa59d1 src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
+--- openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java Thu Jan 23 18:22:31 2020 -0300
++++ openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java Sat Aug 01 23:16:51 2020 -0300
+@@ -76,6 +76,7 @@
+ private static JavaIORandomAccessFileAccess javaIORandomAccessFileAccess;
+ private static JavaSecuritySignatureAccess javaSecuritySignatureAccess;
+ private static JavaxCryptoSealedObjectAccess javaxCryptoSealedObjectAccess;
++ private static JavaSecuritySystemConfiguratorAccess javaSecuritySystemConfiguratorAccess;
+
+ public static JavaUtilJarAccess javaUtilJarAccess() {
+ if (javaUtilJarAccess == null) {
+@@ -361,4 +362,12 @@
+ }
+ return javaxCryptoSealedObjectAccess;
+ }
++
++ public static void setJavaSecuritySystemConfiguratorAccess(JavaSecuritySystemConfiguratorAccess jssca) {
++ javaSecuritySystemConfiguratorAccess = jssca;
++ }
++
++ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
++ return javaSecuritySystemConfiguratorAccess;
++ }
+ }
+diff -r bbc65dfa59d1 src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java
+--- openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java Thu Jan 23 18:22:31 2020 -0300
++++ openjdk/src/java.base/share/classes/sun/security/ssl/SSLContextImpl.java Sat Aug 01 23:16:51 2020 -0300
+@@ -31,6 +31,7 @@
+ import java.security.cert.*;
+ import java.util.*;
+ import javax.net.ssl.*;
++import jdk.internal.misc.SharedSecrets;
+ import sun.security.action.GetPropertyAction;
+ import sun.security.provider.certpath.AlgorithmChecker;
+ import sun.security.validator.Validator;
+@@ -542,20 +543,38 @@
+
+ static {
+ if (SunJSSE.isFIPS()) {
+- supportedProtocols = Arrays.asList(
+- ProtocolVersion.TLS13,
+- ProtocolVersion.TLS12,
+- ProtocolVersion.TLS11,
+- ProtocolVersion.TLS10
+- );
++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled()) {
++ // RH1860986: TLSv1.3 key derivation not supported with
++ // the Security Providers available in system FIPS mode.
++ supportedProtocols = Arrays.asList(
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ );
+
+- serverDefaultProtocols = getAvailableProtocols(
+- new ProtocolVersion[] {
+- ProtocolVersion.TLS13,
+- ProtocolVersion.TLS12,
+- ProtocolVersion.TLS11,
+- ProtocolVersion.TLS10
+- });
++ serverDefaultProtocols = getAvailableProtocols(
++ new ProtocolVersion[] {
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ });
++ } else {
++ supportedProtocols = Arrays.asList(
++ ProtocolVersion.TLS13,
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ );
++
++ serverDefaultProtocols = getAvailableProtocols(
++ new ProtocolVersion[] {
++ ProtocolVersion.TLS13,
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ });
++ }
+ } else {
+ supportedProtocols = Arrays.asList(
+ ProtocolVersion.TLS13,
+@@ -620,6 +639,16 @@
+
+ static ProtocolVersion[] getSupportedProtocols() {
+ if (SunJSSE.isFIPS()) {
++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled()) {
++ // RH1860986: TLSv1.3 key derivation not supported with
++ // the Security Providers available in system FIPS mode.
++ return new ProtocolVersion[] {
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ };
++ }
+ return new ProtocolVersion[] {
+ ProtocolVersion.TLS13,
+ ProtocolVersion.TLS12,
+@@ -949,6 +978,16 @@
+
+ static ProtocolVersion[] getProtocols() {
+ if (SunJSSE.isFIPS()) {
++ if (SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled()) {
++ // RH1860986: TLSv1.3 key derivation not supported with
++ // the Security Providers available in system FIPS mode.
++ return new ProtocolVersion[] {
++ ProtocolVersion.TLS12,
++ ProtocolVersion.TLS11,
++ ProtocolVersion.TLS10
++ };
++ }
+ return new ProtocolVersion[]{
+ ProtocolVersion.TLS13,
+ ProtocolVersion.TLS12,
+diff -r bbc65dfa59d1 src/java.base/share/classes/sun/security/ssl/SunJSSE.java
+--- openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java Thu Jan 23 18:22:31 2020 -0300
++++ openjdk/src/java.base/share/classes/sun/security/ssl/SunJSSE.java Sat Aug 01 23:16:51 2020 -0300
+@@ -27,6 +27,8 @@
+
+ import java.security.*;
+ import java.util.*;
++
++import jdk.internal.misc.SharedSecrets;
+ import sun.security.rsa.SunRsaSignEntries;
+ import static sun.security.util.SecurityConstants.PROVIDER_VER;
+ import static sun.security.provider.SunEntries.createAliases;
+@@ -195,8 +197,13 @@
+ "sun.security.ssl.SSLContextImpl$TLS11Context", null, null);
+ ps("SSLContext", "TLSv1.2",
+ "sun.security.ssl.SSLContextImpl$TLS12Context", null, null);
+- ps("SSLContext", "TLSv1.3",
+- "sun.security.ssl.SSLContextImpl$TLS13Context", null, null);
++ if (!SharedSecrets.getJavaSecuritySystemConfiguratorAccess()
++ .isSystemFipsEnabled()) {
++ // RH1860986: TLSv1.3 key derivation not supported with
++ // the Security Providers available in system FIPS mode.
++ ps("SSLContext", "TLSv1.3",
++ "sun.security.ssl.SSLContextImpl$TLS13Context", null, null);
++ }
+ ps("SSLContext", "TLS",
+ "sun.security.ssl.SSLContextImpl$TLSContext",
+ (isfips? null : createAliases("SSL")), null);
diff --git a/SOURCES/rh1915071-always_initialise_configurator_access.patch b/SOURCES/rh1915071-always_initialise_configurator_access.patch
new file mode 100644
index 0000000..21ced06
--- /dev/null
+++ b/SOURCES/rh1915071-always_initialise_configurator_access.patch
@@ -0,0 +1,68 @@
+diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
+--- openjdk.orig/src/java.base/share/classes/java/security/Security.java
++++ openjdk/src/java.base/share/classes/java/security/Security.java
+@@ -32,6 +32,7 @@
+
+ import jdk.internal.event.EventHelper;
+ import jdk.internal.event.SecurityPropertyModificationEvent;
++import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess;
+ import jdk.internal.misc.SharedSecrets;
+ import jdk.internal.util.StaticProperty;
+ import sun.security.util.Debug;
+@@ -74,6 +75,15 @@
+ }
+
+ static {
++ // Initialise here as used by code with system properties disabled
++ SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
++ new JavaSecuritySystemConfiguratorAccess() {
++ @Override
++ public boolean isSystemFipsEnabled() {
++ return SystemConfigurator.isSystemFipsEnabled();
++ }
++ });
++
+ // doPrivileged here because there are multiple
+ // things in initialize that might require privs.
+ // (the FileInputStream call and the File.exists call,
+@@ -193,9 +203,8 @@
+ }
+
+ String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
+- if (disableSystemProps == null &&
+- "true".equalsIgnoreCase(props.getProperty
+- ("security.useSystemPropertiesFile"))) {
++ if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&
++ "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {
+ if (SystemConfigurator.configure(props)) {
+ loadedProps = true;
+ }
+diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
+--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
+@@ -38,8 +38,6 @@
+ import java.util.Properties;
+ import java.util.regex.Pattern;
+
+-import jdk.internal.misc.SharedSecrets;
+-import jdk.internal.misc.JavaSecuritySystemConfiguratorAccess;
+ import sun.security.util.Debug;
+
+ /**
+@@ -65,16 +63,6 @@
+
+ private static boolean systemFipsEnabled = false;
+
+- static {
+- SharedSecrets.setJavaSecuritySystemConfiguratorAccess(
+- new JavaSecuritySystemConfiguratorAccess() {
+- @Override
+- public boolean isSystemFipsEnabled() {
+- return SystemConfigurator.isSystemFipsEnabled();
+- }
+- });
+- }
+-
+ /*
+ * Invoked when java.security.Security class is initialized, if
+ * java.security.disableSystemPropertiesFile property is not set and
diff --git a/SOURCES/rh1929465-improve_system_FIPS_detection.patch b/SOURCES/rh1929465-improve_system_FIPS_detection.patch
new file mode 100644
index 0000000..2cdf6f7
--- /dev/null
+++ b/SOURCES/rh1929465-improve_system_FIPS_detection.patch
@@ -0,0 +1,430 @@
+diff --git openjdk.orig/make/autoconf/libraries.m4 openjdk/make/autoconf/libraries.m4
+--- openjdk.orig/make/autoconf/libraries.m4
++++ openjdk/make/autoconf/libraries.m4
+@@ -101,6 +101,7 @@
+ LIB_SETUP_LIBFFI
+ LIB_SETUP_BUNDLED_LIBS
+ LIB_SETUP_MISC_LIBS
++ LIB_SETUP_SYSCONF_LIBS
+ LIB_SETUP_SOLARIS_STLPORT
+ LIB_TESTS_SETUP_GRAALUNIT
+
+@@ -223,3 +224,62 @@
+ fi
+ ])
+
++################################################################################
++# Setup system configuration libraries
++################################################################################
++AC_DEFUN_ONCE([LIB_SETUP_SYSCONF_LIBS],
++[
++ ###############################################################################
++ #
++ # Check for the NSS library
++ #
++
++ AC_MSG_CHECKING([whether to use the system NSS library with the System Configurator (libsysconf)])
++
++ # default is not available
++ DEFAULT_SYSCONF_NSS=no
++
++ AC_ARG_ENABLE([sysconf-nss], [AS_HELP_STRING([--enable-sysconf-nss],
++ [build the System Configurator (libsysconf) using the system NSS library if available @<:@disabled@:>@])],
++ [
++ case "${enableval}" in
++ yes)
++ sysconf_nss=yes
++ ;;
++ *)
++ sysconf_nss=no
++ ;;
++ esac
++ ],
++ [
++ sysconf_nss=${DEFAULT_SYSCONF_NSS}
++ ])
++ AC_MSG_RESULT([$sysconf_nss])
++
++ USE_SYSCONF_NSS=false
++ if test "x${sysconf_nss}" = "xyes"; then
++ PKG_CHECK_MODULES(NSS, nss >= 3.53, [NSS_FOUND=yes], [NSS_FOUND=no])
++ if test "x${NSS_FOUND}" = "xyes"; then
++ AC_MSG_CHECKING([for system FIPS support in NSS])
++ saved_libs="${LIBS}"
++ saved_cflags="${CFLAGS}"
++ CFLAGS="${CFLAGS} ${NSS_CFLAGS}"
++ LIBS="${LIBS} ${NSS_LIBS}"
++ AC_LANG_PUSH([C])
++ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]],
++ [[SECMOD_GetSystemFIPSEnabled()]])],
++ [AC_MSG_RESULT([yes])],
++ [AC_MSG_RESULT([no])
++ AC_MSG_ERROR([System NSS FIPS detection unavailable])])
++ AC_LANG_POP([C])
++ CFLAGS="${saved_cflags}"
++ LIBS="${saved_libs}"
++ USE_SYSCONF_NSS=true
++ else
++ dnl NSS 3.53 is the one that introduces the SECMOD_GetSystemFIPSEnabled API
++ dnl in nss3/pk11pub.h.
++ AC_MSG_ERROR([--enable-sysconf-nss specified, but NSS 3.53 or above not found.])
++ fi
++ fi
++ AC_SUBST(USE_SYSCONF_NSS)
++])
+diff --git openjdk.orig/make/autoconf/spec.gmk.in openjdk/make/autoconf/spec.gmk.in
+--- openjdk.orig/make/autoconf/spec.gmk.in
++++ openjdk/make/autoconf/spec.gmk.in
+@@ -828,6 +828,10 @@
+ # Libraries
+ #
+
++USE_SYSCONF_NSS:=@USE_SYSCONF_NSS@
++NSS_LIBS:=@NSS_LIBS@
++NSS_CFLAGS:=@NSS_CFLAGS@
++
+ USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@
+ LCMS_CFLAGS:=@LCMS_CFLAGS@
+ LCMS_LIBS:=@LCMS_LIBS@
+diff --git openjdk.orig/make/lib/Lib-java.base.gmk openjdk/make/lib/Lib-java.base.gmk
+--- openjdk.orig/make/lib/Lib-java.base.gmk
++++ openjdk/make/lib/Lib-java.base.gmk
+@@ -179,6 +179,31 @@
+ endif
+
+ ################################################################################
++# Create the systemconf library
++
++LIBSYSTEMCONF_CFLAGS :=
++LIBSYSTEMCONF_CXXFLAGS :=
++
++ifeq ($(USE_SYSCONF_NSS), true)
++ LIBSYSTEMCONF_CFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
++ LIBSYSTEMCONF_CXXFLAGS += $(NSS_CFLAGS) -DSYSCONF_NSS
++endif
++
++ifeq ($(OPENJDK_BUILD_OS), linux)
++ $(eval $(call SetupJdkLibrary, BUILD_LIBSYSTEMCONF, \
++ NAME := systemconf, \
++ OPTIMIZATION := LOW, \
++ CFLAGS := $(CFLAGS_JDKLIB) $(LIBSYSTEMCONF_CFLAGS), \
++ CXXFLAGS := $(CXXFLAGS_JDKLIB) $(LIBSYSTEMCONF_CXXFLAGS), \
++ LDFLAGS := $(LDFLAGS_JDKLIB) \
++ $(call SET_SHARED_LIBRARY_ORIGIN), \
++ LIBS_unix := $(LIBDL) $(NSS_LIBS), \
++ ))
++
++ TARGETS += $(BUILD_LIBSYSTEMCONF)
++endif
++
++################################################################################
+ # Create the symbols file for static builds.
+
+ ifeq ($(STATIC_BUILD), true)
+diff --git openjdk.orig/make/nb_native/nbproject/configurations.xml openjdk/make/nb_native/nbproject/configurations.xml
+--- openjdk.orig/make/nb_native/nbproject/configurations.xml
++++ openjdk/make/nb_native/nbproject/configurations.xml
+@@ -2950,6 +2950,9 @@
+ LinuxWatchService.c
+
+
++
++ systemconf.c
++
+
+
+
+@@ -29301,6 +29304,11 @@
+ tool="0"
+ flavor2="0">
+
++ -
++
+ -
++#include
++#include
++#include
++
++#ifdef SYSCONF_NSS
++#include
++#endif //SYSCONF_NSS
++
++#include "java_security_SystemConfigurator.h"
++
++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
++#define MSG_MAX_SIZE 96
++
++static jmethodID debugPrintlnMethodID = NULL;
++static jobject debugObj = NULL;
++
++static void throwIOException(JNIEnv *env, const char *msg);
++static void dbgPrint(JNIEnv *env, const char* msg);
++
++/*
++ * Class: java_security_SystemConfigurator
++ * Method: JNI_OnLoad
++ */
++JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
++{
++ JNIEnv *env;
++ jclass sysConfCls, debugCls;
++ jfieldID sdebugFld;
++
++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
++ return JNI_EVERSION; /* JNI version not supported */
++ }
++
++ sysConfCls = (*env)->FindClass(env,"java/security/SystemConfigurator");
++ if (sysConfCls == NULL) {
++ printf("libsystemconf: SystemConfigurator class not found\n");
++ return JNI_ERR;
++ }
++ sdebugFld = (*env)->GetStaticFieldID(env, sysConfCls,
++ "sdebug", "Lsun/security/util/Debug;");
++ if (sdebugFld == NULL) {
++ printf("libsystemconf: SystemConfigurator::sdebug field not found\n");
++ return JNI_ERR;
++ }
++ debugObj = (*env)->GetStaticObjectField(env, sysConfCls, sdebugFld);
++ if (debugObj != NULL) {
++ debugCls = (*env)->FindClass(env,"sun/security/util/Debug");
++ if (debugCls == NULL) {
++ printf("libsystemconf: Debug class not found\n");
++ return JNI_ERR;
++ }
++ debugPrintlnMethodID = (*env)->GetMethodID(env, debugCls,
++ "println", "(Ljava/lang/String;)V");
++ if (debugPrintlnMethodID == NULL) {
++ printf("libsystemconf: Debug::println(String) method not found\n");
++ return JNI_ERR;
++ }
++ debugObj = (*env)->NewGlobalRef(env, debugObj);
++ }
++
++ return (*env)->GetVersion(env);
++}
++
++/*
++ * Class: java_security_SystemConfigurator
++ * Method: JNI_OnUnload
++ */
++JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
++{
++ JNIEnv *env;
++
++ if (debugObj != NULL) {
++ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
++ return; /* Should not happen */
++ }
++ (*env)->DeleteGlobalRef(env, debugObj);
++ }
++}
++
++JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEnabled
++ (JNIEnv *env, jclass cls)
++{
++ int fips_enabled;
++ char msg[MSG_MAX_SIZE];
++ int msg_bytes;
++
++#ifdef SYSCONF_NSS
++
++ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
++ fips_enabled = SECMOD_GetSystemFIPSEnabled();
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
++ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
++ dbgPrint(env, msg);
++ } else {
++ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
++ " SECMOD_GetSystemFIPSEnabled return value");
++ }
++ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
++
++#else // SYSCONF_NSS
++
++ FILE *fe;
++
++ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
++ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
++ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
++ }
++ fips_enabled = fgetc(fe);
++ fclose(fe);
++ if (fips_enabled == EOF) {
++ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
++ }
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
++ " read character is '%c'", fips_enabled);
++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
++ dbgPrint(env, msg);
++ } else {
++ dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
++ " read character");
++ }
++ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
++
++#endif // SYSCONF_NSS
++}
++
++static void throwIOException(JNIEnv *env, const char *msg)
++{
++ jclass cls = (*env)->FindClass(env, "java/io/IOException");
++ if (cls != 0)
++ (*env)->ThrowNew(env, cls, msg);
++}
++
++static void dbgPrint(JNIEnv *env, const char* msg)
++{
++ jstring jMsg;
++ if (debugObj != NULL) {
++ jMsg = (*env)->NewStringUTF(env, msg);
++ CHECK_NULL(jMsg);
++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
++ }
++}
+diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
+--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
+@@ -1,5 +1,5 @@
+ /*
+- * Copyright (c) 2019, 2020, Red Hat, Inc.
++ * Copyright (c) 2019, 2021, Red Hat, Inc.
+ *
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+@@ -30,13 +30,9 @@
+ import java.io.FileInputStream;
+ import java.io.IOException;
+
+-import java.nio.file.Files;
+-import java.nio.file.Path;
+-
+ import java.util.Iterator;
+ import java.util.Map.Entry;
+ import java.util.Properties;
+-import java.util.regex.Pattern;
+
+ import sun.security.util.Debug;
+
+@@ -58,10 +54,21 @@
+ private static final String CRYPTO_POLICIES_JAVA_CONFIG =
+ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
+
+- private static final String CRYPTO_POLICIES_CONFIG =
+- CRYPTO_POLICIES_BASE_DIR + "/config";
++ private static boolean systemFipsEnabled = false;
++
++ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
++
++ private static native boolean getSystemFIPSEnabled()
++ throws IOException;
+
+- private static boolean systemFipsEnabled = false;
++ static {
++ AccessController.doPrivileged(new PrivilegedAction() {
++ public Void run() {
++ System.loadLibrary(SYSTEMCONF_NATIVE_LIB);
++ return null;
++ }
++ });
++ }
+
+ /*
+ * Invoked when java.security.Security class is initialized, if
+@@ -170,16 +177,34 @@
+ }
+
+ /*
+- * FIPS is enabled only if crypto-policies are set to "FIPS"
+- * and the com.redhat.fips property is true.
++ * OpenJDK FIPS mode will be enabled only if the com.redhat.fips
++ * system property is true (default) and the system is in FIPS mode.
++ *
++ * There are 2 possible ways in which OpenJDK detects that the system
++ * is in FIPS mode: 1) if the NSS SECMOD_GetSystemFIPSEnabled API is
++ * available at OpenJDK's built-time, it is called; 2) otherwise, the
++ * /proc/sys/crypto/fips_enabled file is read.
+ */
+ private static boolean enableFips() throws Exception {
+ boolean shouldEnable = Boolean.valueOf(System.getProperty("com.redhat.fips", "true"));
+ if (shouldEnable) {
+- String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG)));
+- if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); }
+- Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE);
+- return pattern.matcher(cryptoPoliciesConfig).find();
++ if (sdebug != null) {
++ sdebug.println("Calling getSystemFIPSEnabled (libsystemconf)...");
++ }
++ try {
++ shouldEnable = getSystemFIPSEnabled();
++ if (sdebug != null) {
++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) returned: "
++ + shouldEnable);
++ }
++ return shouldEnable;
++ } catch (IOException e) {
++ if (sdebug != null) {
++ sdebug.println("Call to getSystemFIPSEnabled (libsystemconf) failed:");
++ sdebug.println(e.getMessage());
++ }
++ throw e;
++ }
+ } else {
+ return false;
+ }
diff --git a/SOURCES/rh1991003-enable_fips_keys_import.patch b/SOURCES/rh1991003-enable_fips_keys_import.patch
new file mode 100644
index 0000000..ac9bdb5
--- /dev/null
+++ b/SOURCES/rh1991003-enable_fips_keys_import.patch
@@ -0,0 +1,590 @@
+diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
+index 53f32d12cc..28ab184617 100644
+--- openjdk.orig/src/java.base/share/classes/java/security/Security.java
++++ openjdk/src/java.base/share/classes/java/security/Security.java
+@@ -82,6 +82,10 @@ public final class Security {
+ public boolean isSystemFipsEnabled() {
+ return SystemConfigurator.isSystemFipsEnabled();
+ }
++ @Override
++ public boolean isPlainKeySupportEnabled() {
++ return SystemConfigurator.isPlainKeySupportEnabled();
++ }
+ });
+
+ // doPrivileged here because there are multiple
+diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
+index 5565acb7c6..874c6221eb 100644
+--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
+@@ -55,6 +55,7 @@ final class SystemConfigurator {
+ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config";
+
+ private static boolean systemFipsEnabled = false;
++ private static boolean plainKeySupportEnabled = false;
+
+ private static final String SYSTEMCONF_NATIVE_LIB = "systemconf";
+
+@@ -149,6 +150,16 @@ final class SystemConfigurator {
+ }
+ loadedProps = true;
+ systemFipsEnabled = true;
++ String plainKeySupport = System.getProperty("com.redhat.fips.plainKeySupport",
++ "true");
++ plainKeySupportEnabled = !"false".equals(plainKeySupport);
++ if (sdebug != null) {
++ if (plainKeySupportEnabled) {
++ sdebug.println("FIPS support enabled with plain key support");
++ } else {
++ sdebug.println("FIPS support enabled without plain key support");
++ }
++ }
+ }
+ } catch (Exception e) {
+ if (sdebug != null) {
+@@ -176,6 +187,19 @@ final class SystemConfigurator {
+ return systemFipsEnabled;
+ }
+
++ /**
++ * Returns {@code true} if system FIPS alignment is enabled
++ * and plain key support is allowed. Plain key support is
++ * enabled by default but can be disabled with
++ * {@code -Dcom.redhat.fips.plainKeySupport=false}.
++ *
++ * @return a boolean indicating whether plain key support
++ * should be enabled.
++ */
++ static boolean isPlainKeySupportEnabled() {
++ return plainKeySupportEnabled;
++ }
++
+ /*
+ * OpenJDK FIPS mode will be enabled only if the com.redhat.fips
+ * system property is true (default) and the system is in FIPS mode.
+diff --git openjdk.orig/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java openjdk/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java
+index d8caa5640c..21bc6d0b59 100644
+--- openjdk.orig/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java
++++ openjdk/src/java.base/share/classes/jdk/internal/misc/JavaSecuritySystemConfiguratorAccess.java
+@@ -27,4 +27,5 @@ package jdk.internal.misc;
+
+ public interface JavaSecuritySystemConfiguratorAccess {
+ boolean isSystemFipsEnabled();
++ boolean isPlainKeySupportEnabled();
+ }
+diff --git openjdk.orig/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java openjdk/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
+index ffee2c1603..ff3d5e0e4a 100644
+--- openjdk.orig/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
++++ openjdk/src/java.base/share/classes/sun/security/ssl/KeyManagerFactoryImpl.java
+@@ -33,8 +33,13 @@ import java.security.KeyStore.*;
+
+ import javax.net.ssl.*;
+
++import jdk.internal.misc.SharedSecrets;
++
+ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
+
++ private static final boolean plainKeySupportEnabled = SharedSecrets
++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
++
+ X509ExtendedKeyManager keyManager;
+ boolean isInitialized;
+
+@@ -62,7 +67,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
+ KeyStoreException, NoSuchAlgorithmException,
+ UnrecoverableKeyException {
+ if ((ks != null) && SunJSSE.isFIPS()) {
+- if (ks.getProvider() != SunJSSE.cryptoProvider) {
++ if (ks.getProvider() != SunJSSE.cryptoProvider &&
++ !plainKeySupportEnabled) {
+ throw new KeyStoreException("FIPS mode: KeyStore must be "
+ + "from provider " + SunJSSE.cryptoProvider.getName());
+ }
+@@ -91,8 +97,8 @@ abstract class KeyManagerFactoryImpl extends KeyManagerFactorySpi {
+ keyManager = new X509KeyManagerImpl(
+ Collections.emptyList());
+ } else {
+- if (SunJSSE.isFIPS() &&
+- (ks.getProvider() != SunJSSE.cryptoProvider)) {
++ if (SunJSSE.isFIPS() && (ks.getProvider() != SunJSSE.cryptoProvider)
++ && !plainKeySupportEnabled) {
+ throw new KeyStoreException(
+ "FIPS mode: KeyStore must be " +
+ "from provider " + SunJSSE.cryptoProvider.getName());
+diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
+new file mode 100644
+index 0000000000..b848a1fd78
+--- /dev/null
++++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/FIPSKeyImporter.java
+@@ -0,0 +1,290 @@
++/*
++ * Copyright (c) 2021, Red Hat, Inc.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation. Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++package sun.security.pkcs11;
++
++import java.math.BigInteger;
++import java.security.KeyFactory;
++import java.security.Provider;
++import java.security.Security;
++import java.util.HashMap;
++import java.util.Map;
++import java.util.concurrent.locks.ReentrantLock;
++
++import javax.crypto.Cipher;
++import javax.crypto.spec.DHPrivateKeySpec;
++import javax.crypto.spec.IvParameterSpec;
++
++import sun.security.jca.JCAUtil;
++import sun.security.pkcs11.TemplateManager;
++import sun.security.pkcs11.wrapper.CK_ATTRIBUTE;
++import sun.security.pkcs11.wrapper.CK_MECHANISM;
++import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
++import sun.security.pkcs11.wrapper.PKCS11Exception;
++import sun.security.rsa.RSAUtil.KeyType;
++import sun.security.util.Debug;
++import sun.security.util.ECUtil;
++
++final class FIPSKeyImporter {
++
++ private static final Debug debug =
++ Debug.getInstance("sunpkcs11");
++
++ private static P11Key importerKey = null;
++ private static final ReentrantLock importerKeyLock = new ReentrantLock();
++ private static CK_MECHANISM importerKeyMechanism = null;
++ private static Cipher importerCipher = null;
++
++ private static Provider sunECProvider = null;
++ private static final ReentrantLock sunECProviderLock = new ReentrantLock();
++
++ private static KeyFactory DHKF = null;
++ private static final ReentrantLock DHKFLock = new ReentrantLock();
++
++ static Long importKey(SunPKCS11 sunPKCS11, long hSession, CK_ATTRIBUTE[] attributes)
++ throws PKCS11Exception {
++ long keyID = -1;
++ Token token = sunPKCS11.getToken();
++ if (debug != null) {
++ debug.println("Private or Secret key will be imported in" +
++ " system FIPS mode.");
++ }
++ if (importerKey == null) {
++ importerKeyLock.lock();
++ try {
++ if (importerKey == null) {
++ if (importerKeyMechanism == null) {
++ // Importer Key creation has not been tried yet. Try it.
++ createImporterKey(token);
++ }
++ if (importerKey == null || importerCipher == null) {
++ if (debug != null) {
++ debug.println("Importer Key could not be" +
++ " generated.");
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR);
++ }
++ if (debug != null) {
++ debug.println("Importer Key successfully" +
++ " generated.");
++ }
++ }
++ } finally {
++ importerKeyLock.unlock();
++ }
++ }
++ long importerKeyID = importerKey.getKeyID();
++ try {
++ byte[] keyBytes = null;
++ byte[] encKeyBytes = null;
++ long keyClass = 0L;
++ long keyType = 0L;
++ Map attrsMap = new HashMap<>();
++ for (CK_ATTRIBUTE attr : attributes) {
++ if (attr.type == CKA_CLASS) {
++ keyClass = attr.getLong();
++ } else if (attr.type == CKA_KEY_TYPE) {
++ keyType = attr.getLong();
++ }
++ attrsMap.put(attr.type, attr);
++ }
++ BigInteger v = null;
++ if (keyClass == CKO_PRIVATE_KEY) {
++ if (keyType == CKK_RSA) {
++ if (debug != null) {
++ debug.println("Importing an RSA private key...");
++ }
++ keyBytes = sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(
++ KeyType.RSA,
++ null,
++ ((v = attrsMap.get(CKA_MODULUS).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PUBLIC_EXPONENT).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIVATE_EXPONENT).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIME_1).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIME_2).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_EXPONENT_1).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_EXPONENT_2).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_COEFFICIENT).getBigInteger()) != null)
++ ? v : BigInteger.ZERO
++ ).getEncoded();
++ } else if (keyType == CKK_DSA) {
++ if (debug != null) {
++ debug.println("Importing a DSA private key...");
++ }
++ keyBytes = new sun.security.provider.DSAPrivateKey(
++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_SUBPRIME).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO
++ ).getEncoded();
++ if (token.config.getNssNetscapeDbWorkaround() &&
++ attrsMap.get(CKA_NETSCAPE_DB) == null) {
++ attrsMap.put(CKA_NETSCAPE_DB,
++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
++ }
++ } else if (keyType == CKK_EC) {
++ if (debug != null) {
++ debug.println("Importing an EC private key...");
++ }
++ if (sunECProvider == null) {
++ sunECProviderLock.lock();
++ try {
++ if (sunECProvider == null) {
++ sunECProvider = Security.getProvider("SunEC");
++ }
++ } finally {
++ sunECProviderLock.unlock();
++ }
++ }
++ keyBytes = ECUtil.generateECPrivateKey(
++ ((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ECUtil.getECParameterSpec(sunECProvider,
++ attrsMap.get(CKA_EC_PARAMS).getByteArray()))
++ .getEncoded();
++ if (token.config.getNssNetscapeDbWorkaround() &&
++ attrsMap.get(CKA_NETSCAPE_DB) == null) {
++ attrsMap.put(CKA_NETSCAPE_DB,
++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
++ }
++ } else if (keyType == CKK_DH) {
++ if (debug != null) {
++ debug.println("Importing a Diffie-Hellman private key...");
++ }
++ if (DHKF == null) {
++ DHKFLock.lock();
++ try {
++ if (DHKF == null) {
++ DHKF = KeyFactory.getInstance(
++ "DH", P11Util.getSunJceProvider());
++ }
++ } finally {
++ DHKFLock.unlock();
++ }
++ }
++ DHPrivateKeySpec spec = new DHPrivateKeySpec
++ (((v = attrsMap.get(CKA_VALUE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_PRIME).getBigInteger()) != null)
++ ? v : BigInteger.ZERO,
++ ((v = attrsMap.get(CKA_BASE).getBigInteger()) != null)
++ ? v : BigInteger.ZERO);
++ keyBytes = DHKF.generatePrivate(spec).getEncoded();
++ if (token.config.getNssNetscapeDbWorkaround() &&
++ attrsMap.get(CKA_NETSCAPE_DB) == null) {
++ attrsMap.put(CKA_NETSCAPE_DB,
++ new CK_ATTRIBUTE(CKA_NETSCAPE_DB, BigInteger.ZERO));
++ }
++ } else {
++ if (debug != null) {
++ debug.println("Unrecognized private key type.");
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR);
++ }
++ } else if (keyClass == CKO_SECRET_KEY) {
++ if (debug != null) {
++ debug.println("Importing a secret key...");
++ }
++ keyBytes = attrsMap.get(CKA_VALUE).getByteArray();
++ }
++ if (keyBytes == null || keyBytes.length == 0) {
++ if (debug != null) {
++ debug.println("Private or secret key plain bytes could" +
++ " not be obtained. Import failed.");
++ }
++ throw new PKCS11Exception(CKR_GENERAL_ERROR);
++ }
++ importerCipher.init(Cipher.ENCRYPT_MODE, importerKey,
++ new IvParameterSpec((byte[])importerKeyMechanism.pParameter),
++ null);
++ attributes = new CK_ATTRIBUTE[attrsMap.size()];
++ attrsMap.values().toArray(attributes);
++ encKeyBytes = importerCipher.doFinal(keyBytes);
++ attributes = token.getAttributes(TemplateManager.O_IMPORT,
++ keyClass, keyType, attributes);
++ keyID = token.p11.C_UnwrapKey(hSession,
++ importerKeyMechanism, importerKeyID, encKeyBytes, attributes);
++ if (debug != null) {
++ debug.println("Imported key ID: " + keyID);
++ }
++ } catch (Throwable t) {
++ throw new PKCS11Exception(CKR_GENERAL_ERROR);
++ } finally {
++ importerKey.releaseKeyID();
++ }
++ return Long.valueOf(keyID);
++ }
++
++ private static void createImporterKey(Token token) {
++ if (debug != null) {
++ debug.println("Generating Importer Key...");
++ }
++ byte[] iv = new byte[16];
++ JCAUtil.getSecureRandom().nextBytes(iv);
++ importerKeyMechanism = new CK_MECHANISM(CKM_AES_CBC_PAD, iv);
++ try {
++ CK_ATTRIBUTE[] attributes = token.getAttributes(TemplateManager.O_GENERATE,
++ CKO_SECRET_KEY, CKK_AES, new CK_ATTRIBUTE[] {
++ new CK_ATTRIBUTE(CKA_CLASS, CKO_SECRET_KEY),
++ new CK_ATTRIBUTE(CKA_VALUE_LEN, 256 >> 3)});
++ Session s = null;
++ try {
++ s = token.getObjSession();
++ long keyID = token.p11.C_GenerateKey(
++ s.id(), new CK_MECHANISM(CKM_AES_KEY_GEN),
++ attributes);
++ if (debug != null) {
++ debug.println("Importer Key ID: " + keyID);
++ }
++ importerKey = (P11Key)P11Key.secretKey(s, keyID, "AES",
++ 256 >> 3, null);
++ } catch (PKCS11Exception e) {
++ // best effort
++ } finally {
++ token.releaseSession(s);
++ }
++ if (importerKey != null) {
++ importerCipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
++ }
++ } catch (Throwable t) {
++ // best effort
++ importerKey = null;
++ importerCipher = null;
++ // importerKeyMechanism value is kept initialized to indicate that
++ // Importer Key creation has been tried and failed.
++ }
++ }
++}
+diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+index 1eca1f8f0a..72674a7330 100644
+--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
++++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+@@ -26,6 +26,9 @@
+ package sun.security.pkcs11;
+
+ import java.io.*;
++import java.lang.invoke.MethodHandle;
++import java.lang.invoke.MethodHandles;
++import java.lang.invoke.MethodType;
+ import java.util.*;
+
+ import java.security.*;
+@@ -64,6 +67,26 @@ public final class SunPKCS11 extends AuthProvider {
+ private static final boolean systemFipsEnabled = SharedSecrets
+ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
+
++ private static final boolean plainKeySupportEnabled = SharedSecrets
++ .getJavaSecuritySystemConfiguratorAccess().isPlainKeySupportEnabled();
++
++ private static final MethodHandle fipsImportKey;
++ static {
++ MethodHandle fipsImportKeyTmp = null;
++ if (plainKeySupportEnabled) {
++ try {
++ fipsImportKeyTmp = MethodHandles.lookup().findStatic(
++ FIPSKeyImporter.class, "importKey",
++ MethodType.methodType(Long.class, SunPKCS11.class,
++ long.class, CK_ATTRIBUTE[].class));
++ } catch (Throwable t) {
++ throw new SecurityException("FIPS key importer initialization" +
++ " failed", t);
++ }
++ }
++ fipsImportKey = fipsImportKeyTmp;
++ }
++
+ private static final long serialVersionUID = -1354835039035306505L;
+
+ static final Debug debug = Debug.getInstance("sunpkcs11");
+@@ -319,10 +342,15 @@ public final class SunPKCS11 extends AuthProvider {
+ // request multithreaded access first
+ initArgs.flags = CKF_OS_LOCKING_OK;
+ PKCS11 tmpPKCS11;
++ MethodHandle fipsKeyImporter = null;
++ if (plainKeySupportEnabled) {
++ fipsKeyImporter = MethodHandles.insertArguments(
++ fipsImportKey, 0, this);
++ }
+ try {
+ tmpPKCS11 = PKCS11.getInstance(
+ library, functionList, initArgs,
+- config.getOmitInitialize());
++ config.getOmitInitialize(), fipsKeyImporter);
+ } catch (PKCS11Exception e) {
+ if (debug != null) {
+ debug.println("Multi-threaded initialization failed: " + e);
+@@ -338,7 +366,7 @@ public final class SunPKCS11 extends AuthProvider {
+ initArgs.flags = 0;
+ }
+ tmpPKCS11 = PKCS11.getInstance(library,
+- functionList, initArgs, config.getOmitInitialize());
++ functionList, initArgs, config.getOmitInitialize(), fipsKeyImporter);
+ }
+ p11 = tmpPKCS11;
+
+diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
+index 04a369f453..8d2081abaa 100644
+--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
++++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/wrapper/PKCS11.java
+@@ -49,6 +49,7 @@ package sun.security.pkcs11.wrapper;
+
+ import java.io.File;
+ import java.io.IOException;
++import java.lang.invoke.MethodHandle;
+ import java.util.*;
+
+ import java.security.AccessController;
+@@ -150,16 +151,28 @@ public class PKCS11 {
+
+ public static synchronized PKCS11 getInstance(String pkcs11ModulePath,
+ String functionList, CK_C_INITIALIZE_ARGS pInitArgs,
+- boolean omitInitialize) throws IOException, PKCS11Exception {
++ boolean omitInitialize, MethodHandle fipsKeyImporter)
++ throws IOException, PKCS11Exception {
+ // we may only call C_Initialize once per native .so/.dll
+ // so keep a cache using the (non-canonicalized!) path
+ PKCS11 pkcs11 = moduleMap.get(pkcs11ModulePath);
+ if (pkcs11 == null) {
++ boolean nssFipsMode = fipsKeyImporter != null;
+ if ((pInitArgs != null)
+ && ((pInitArgs.flags & CKF_OS_LOCKING_OK) != 0)) {
+- pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
++ if (nssFipsMode) {
++ pkcs11 = new FIPSPKCS11(pkcs11ModulePath, functionList,
++ fipsKeyImporter);
++ } else {
++ pkcs11 = new PKCS11(pkcs11ModulePath, functionList);
++ }
+ } else {
+- pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
++ if (nssFipsMode) {
++ pkcs11 = new SynchronizedFIPSPKCS11(pkcs11ModulePath,
++ functionList, fipsKeyImporter);
++ } else {
++ pkcs11 = new SynchronizedPKCS11(pkcs11ModulePath, functionList);
++ }
+ }
+ if (omitInitialize == false) {
+ try {
+@@ -1909,4 +1922,69 @@ static class SynchronizedPKCS11 extends PKCS11 {
+ super.C_GenerateRandom(hSession, randomData);
+ }
+ }
++
++// PKCS11 subclass that allows using plain private or secret keys in
++// FIPS-configured NSS Software Tokens. Only used when System FIPS
++// is enabled.
++static class FIPSPKCS11 extends PKCS11 {
++ private MethodHandle fipsKeyImporter;
++ FIPSPKCS11(String pkcs11ModulePath, String functionListName,
++ MethodHandle fipsKeyImporter) throws IOException {
++ super(pkcs11ModulePath, functionListName);
++ this.fipsKeyImporter = fipsKeyImporter;
++ }
++
++ public synchronized long C_CreateObject(long hSession,
++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++ // Creating sensitive key objects from plain key material in a
++ // FIPS-configured NSS Software Token is not allowed. We apply
++ // a key-unwrapping scheme to achieve so.
++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
++ try {
++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
++ .longValue();
++ } catch (Throwable t) {
++ throw new PKCS11Exception(CKR_GENERAL_ERROR);
++ }
++ }
++ return super.C_CreateObject(hSession, pTemplate);
++ }
++}
++
++// FIPSPKCS11 synchronized counterpart.
++static class SynchronizedFIPSPKCS11 extends SynchronizedPKCS11 {
++ private MethodHandle fipsKeyImporter;
++ SynchronizedFIPSPKCS11(String pkcs11ModulePath, String functionListName,
++ MethodHandle fipsKeyImporter) throws IOException {
++ super(pkcs11ModulePath, functionListName);
++ this.fipsKeyImporter = fipsKeyImporter;
++ }
++
++ public synchronized long C_CreateObject(long hSession,
++ CK_ATTRIBUTE[] pTemplate) throws PKCS11Exception {
++ // See FIPSPKCS11::C_CreateObject.
++ if (FIPSPKCS11Helper.isSensitiveObject(pTemplate)) {
++ try {
++ return ((Long)fipsKeyImporter.invoke(hSession, pTemplate))
++ .longValue();
++ } catch (Throwable t) {
++ throw new PKCS11Exception(CKR_GENERAL_ERROR);
++ }
++ }
++ return super.C_CreateObject(hSession, pTemplate);
++ }
++}
++
++private static class FIPSPKCS11Helper {
++ static boolean isSensitiveObject(CK_ATTRIBUTE[] pTemplate) {
++ for (CK_ATTRIBUTE attr : pTemplate) {
++ if (attr.type == CKA_CLASS &&
++ (attr.getLong() == CKO_PRIVATE_KEY ||
++ attr.getLong() == CKO_SECRET_KEY)) {
++ return true;
++ }
++ }
++ return false;
++ }
++}
+ }
diff --git a/SOURCES/rh1996182-login_to_nss_software_token.patch b/SOURCES/rh1996182-login_to_nss_software_token.patch
new file mode 100644
index 0000000..10c5666
--- /dev/null
+++ b/SOURCES/rh1996182-login_to_nss_software_token.patch
@@ -0,0 +1,66 @@
+commit 53bda6adfacc02b8dddd8f10350c9569bca4eb1e
+Author: Martin Balao
+Date: Fri Aug 27 19:42:07 2021 +0100
+
+ RH1996182: Login to the NSS Software Token in FIPS Mode
+
+diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java
+index 5460efcf8c..f08dc2fafc 100644
+--- openjdk.orig/src/java.base/share/classes/module-info.java
++++ openjdk/src/java.base/share/classes/module-info.java
+@@ -182,6 +182,7 @@ module java.base {
+ java.security.jgss,
+ java.sql,
+ java.xml,
++ jdk.crypto.cryptoki,
+ jdk.jartool,
+ jdk.attach,
+ jdk.charsets,
+diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+index 5e227f4531..164de8ff08 100644
+--- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
++++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java
+@@ -41,6 +41,8 @@ import javax.security.auth.callback.CallbackHandler;
+ import javax.security.auth.callback.PasswordCallback;
+
+ import jdk.internal.misc.InnocuousThread;
++import jdk.internal.misc.SharedSecrets;
++
+ import sun.security.util.Debug;
+ import sun.security.util.ResourcesMgr;
+ import static sun.security.util.SecurityConstants.PROVIDER_VER;
+@@ -58,6 +60,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*;
+ */
+ public final class SunPKCS11 extends AuthProvider {
+
++ private static final boolean systemFipsEnabled = SharedSecrets
++ .getJavaSecuritySystemConfiguratorAccess().isSystemFipsEnabled();
++
+ private static final long serialVersionUID = -1354835039035306505L;
+
+ static final Debug debug = Debug.getInstance("sunpkcs11");
+@@ -374,6 +379,24 @@ public final class SunPKCS11 extends AuthProvider {
+ if (nssModule != null) {
+ nssModule.setProvider(this);
+ }
++ if (systemFipsEnabled) {
++ // The NSS Software Token in FIPS 140-2 mode requires a user
++ // login for most operations. See sftk_fipsCheck. The NSS DB
++ // (/etc/pki/nssdb) PIN is empty.
++ Session session = null;
++ try {
++ session = token.getOpSession();
++ p11.C_Login(session.id(), CKU_USER, new char[] {});
++ } catch (PKCS11Exception p11e) {
++ if (debug != null) {
++ debug.println("Error during token login: " +
++ p11e.getMessage());
++ }
++ throw p11e;
++ } finally {
++ token.releaseSession(session);
++ }
++ }
+ } catch (Exception e) {
+ if (config.getHandleStartupErrors() == Config.ERR_IGNORE_ALL) {
+ throw new UnsupportedOperationException
diff --git a/SOURCES/rh2021263-fips_ensure_security_initialised.patch b/SOURCES/rh2021263-fips_ensure_security_initialised.patch
new file mode 100644
index 0000000..9490624
--- /dev/null
+++ b/SOURCES/rh2021263-fips_ensure_security_initialised.patch
@@ -0,0 +1,28 @@
+commit 8a8452b9ae862755210a9a2f4e34b1aa3ec7343d
+Author: Andrew Hughes
+Date: Tue Jan 18 02:00:55 2022 +0000
+
+ RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance
+
+diff --git openjdk.orig/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
+index 2ec51d57806..8489b940c43 100644
+--- openjdk.orig/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
++++ openjdk/src/java.base/share/classes/jdk/internal/misc/SharedSecrets.java
+@@ -36,6 +36,7 @@ import java.io.FilePermission;
+ import java.io.ObjectInputStream;
+ import java.io.RandomAccessFile;
+ import java.security.ProtectionDomain;
++import java.security.Security;
+ import java.security.Signature;
+
+ /** A repository of "shared secrets", which are a mechanism for
+@@ -368,6 +369,9 @@ public class SharedSecrets {
+ }
+
+ public static JavaSecuritySystemConfiguratorAccess getJavaSecuritySystemConfiguratorAccess() {
++ if (javaSecuritySystemConfiguratorAccess == null) {
++ unsafe.ensureClassInitialized(Security.class);
++ }
+ return javaSecuritySystemConfiguratorAccess;
+ }
+ }
diff --git a/SOURCES/rh2021263-fips_missing_native_returns.patch b/SOURCES/rh2021263-fips_missing_native_returns.patch
new file mode 100644
index 0000000..b8c8ba5
--- /dev/null
+++ b/SOURCES/rh2021263-fips_missing_native_returns.patch
@@ -0,0 +1,24 @@
+commit 1b5bd349bdfa7b9627ea58d819bc250a55112de2
+Author: Fridrich Strba
+Date: Mon Jan 17 19:44:03 2022 +0000
+
+ RH2021263: Return in C code after having generated Java exception
+
+diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
+index 6f4656bfcb6..34d0ff0ce91 100644
+--- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c
++++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
+@@ -131,11 +131,13 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
+ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
+ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
+ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
++ return JNI_FALSE;
+ }
+ fips_enabled = fgetc(fe);
+ fclose(fe);
+ if (fips_enabled == EOF) {
+ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
++ return JNI_FALSE;
+ }
+ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
+ " read character is '%c'", fips_enabled);
diff --git a/SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch b/SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch
new file mode 100644
index 0000000..b5351a8
--- /dev/null
+++ b/SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch
@@ -0,0 +1,99 @@
+commit 0cd8cee94fe0f867b0b39890e00be620af1d9b07
+Author: Andrew Hughes
+Date: Tue Jan 18 02:09:27 2022 +0000
+
+ RH2021263: Improve Security initialisation, now FIPS support no longer relies on crypto policy support
+
+diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java
+index 28ab1846173..f9726741afd 100644
+--- openjdk.orig/src/java.base/share/classes/java/security/Security.java
++++ openjdk/src/java.base/share/classes/java/security/Security.java
+@@ -61,10 +61,6 @@ public final class Security {
+ private static final Debug sdebug =
+ Debug.getInstance("properties");
+
+- /* System property file*/
+- private static final String SYSTEM_PROPERTIES =
+- "/etc/crypto-policies/back-ends/java.config";
+-
+ /* The java.security properties */
+ private static Properties props;
+
+@@ -206,22 +202,36 @@ public final class Security {
+ }
+ }
+
++ if (!loadedProps) {
++ initializeStatic();
++ if (sdebug != null) {
++ sdebug.println("unable to load security properties " +
++ "-- using defaults");
++ }
++ }
++
+ String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile");
+ if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) &&
+ "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) {
+- if (SystemConfigurator.configure(props)) {
+- loadedProps = true;
++ if (!SystemConfigurator.configureSysProps(props)) {
++ if (sdebug != null) {
++ sdebug.println("WARNING: System properties could not be loaded.");
++ }
+ }
+ }
+
+- if (!loadedProps) {
+- initializeStatic();
++ // FIPS support depends on the contents of java.security so
++ // ensure it has loaded first
++ if (loadedProps) {
++ boolean fipsEnabled = SystemConfigurator.configureFIPS(props);
+ if (sdebug != null) {
+- sdebug.println("unable to load security properties " +
+- "-- using defaults");
++ if (fipsEnabled) {
++ sdebug.println("FIPS support enabled.");
++ } else {
++ sdebug.println("FIPS support disabled.");
++ }
+ }
+ }
+-
+ }
+
+ /*
+diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
+index 874c6221ebe..b7ed41acf0f 100644
+--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java
++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java
+@@ -76,7 +76,7 @@ final class SystemConfigurator {
+ * java.security.disableSystemPropertiesFile property is not set and
+ * security.useSystemPropertiesFile is true.
+ */
+- static boolean configure(Properties props) {
++ static boolean configureSysProps(Properties props) {
+ boolean loadedProps = false;
+
+ try (BufferedInputStream bis =
+@@ -96,11 +96,19 @@ final class SystemConfigurator {
+ e.printStackTrace();
+ }
+ }
++ return loadedProps;
++ }
++
++ /*
++ * Invoked at the end of java.security.Security initialisation
++ * if java.security properties have been loaded
++ */
++ static boolean configureFIPS(Properties props) {
++ boolean loadedProps = false;
+
+ try {
+ if (enableFips()) {
+ if (sdebug != null) { sdebug.println("FIPS mode detected"); }
+- loadedProps = false;
+ // Remove all security providers
+ Iterator> i = props.entrySet().iterator();
+ while (i.hasNext()) {
diff --git a/SOURCES/rh2052829-fips_runtime_nss_detection.patch b/SOURCES/rh2052829-fips_runtime_nss_detection.patch
new file mode 100644
index 0000000..dd30384
--- /dev/null
+++ b/SOURCES/rh2052829-fips_runtime_nss_detection.patch
@@ -0,0 +1,220 @@
+commit e2be09f982af1cc05f5e6556d51900bca4757416
+Author: Andrew Hughes
+Date: Mon Feb 28 05:30:32 2022 +0000
+
+ RH2051605: Detect NSS at Runtime for FIPS detection
+
+diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
+index 34d0ff0ce91..8dcb7d9073f 100644
+--- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c
++++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c
+@@ -23,25 +23,99 @@
+ * questions.
+ */
+
+-#include
+ #include
+ #include
++#include "jvm_md.h"
+ #include
+
+ #ifdef SYSCONF_NSS
+ #include
++#else
++#include
+ #endif //SYSCONF_NSS
+
+ #include "java_security_SystemConfigurator.h"
+
++#define MSG_MAX_SIZE 256
+ #define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled"
+-#define MSG_MAX_SIZE 96
+
++typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void);
++
++static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled;
+ static jmethodID debugPrintlnMethodID = NULL;
+ static jobject debugObj = NULL;
+
+-static void throwIOException(JNIEnv *env, const char *msg);
+-static void dbgPrint(JNIEnv *env, const char* msg);
++static void dbgPrint(JNIEnv *env, const char* msg)
++{
++ jstring jMsg;
++ if (debugObj != NULL) {
++ jMsg = (*env)->NewStringUTF(env, msg);
++ CHECK_NULL(jMsg);
++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
++ }
++}
++
++static void throwIOException(JNIEnv *env, const char *msg)
++{
++ jclass cls = (*env)->FindClass(env, "java/io/IOException");
++ if (cls != 0)
++ (*env)->ThrowNew(env, cls, msg);
++}
++
++static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes)
++{
++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
++ dbgPrint(env, msg);
++ } else {
++ dbgPrint(env, "systemconf: cannot render message");
++ }
++}
++
++// Only used when NSS is not linked at build time
++#ifndef SYSCONF_NSS
++
++static void *nss_handle;
++
++static jboolean loadNSS(JNIEnv *env)
++{
++ char msg[MSG_MAX_SIZE];
++ int msg_bytes;
++ const char* errmsg;
++
++ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY);
++ if (nss_handle == NULL) {
++ errmsg = dlerror();
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n",
++ errmsg);
++ handle_msg(env, msg, msg_bytes);
++ return JNI_FALSE;
++ }
++ dlerror(); /* Clear errors */
++ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled");
++ if ((errmsg = dlerror()) != NULL) {
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n",
++ errmsg);
++ handle_msg(env, msg, msg_bytes);
++ return JNI_FALSE;
++ }
++ return JNI_TRUE;
++}
++
++static void closeNSS(JNIEnv *env)
++{
++ char msg[MSG_MAX_SIZE];
++ int msg_bytes;
++ const char* errmsg;
++
++ if (dlclose(nss_handle) != 0) {
++ errmsg = dlerror();
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n",
++ errmsg);
++ handle_msg(env, msg, msg_bytes);
++ }
++}
++
++#endif
+
+ /*
+ * Class: java_security_SystemConfigurator
+@@ -84,6 +158,14 @@ JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved)
+ debugObj = (*env)->NewGlobalRef(env, debugObj);
+ }
+
++#ifdef SYSCONF_NSS
++ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled;
++#else
++ if (loadNSS(env) == JNI_FALSE) {
++ dbgPrint(env, "libsystemconf: Failed to load NSS library.");
++ }
++#endif
++
+ return (*env)->GetVersion(env);
+ }
+
+@@ -99,6 +181,9 @@ JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved)
+ if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) {
+ return; /* Should not happen */
+ }
++#ifndef SYSCONF_NSS
++ closeNSS(env);
++#endif
+ (*env)->DeleteGlobalRef(env, debugObj);
+ }
+ }
+@@ -110,61 +195,30 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn
+ char msg[MSG_MAX_SIZE];
+ int msg_bytes;
+
+-#ifdef SYSCONF_NSS
+-
+- dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
+- fips_enabled = SECMOD_GetSystemFIPSEnabled();
+- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
+- " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
+- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
+- dbgPrint(env, msg);
++ if (getSystemFIPSEnabled != NULL) {
++ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled");
++ fips_enabled = (*getSystemFIPSEnabled)();
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
++ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled);
++ handle_msg(env, msg, msg_bytes);
++ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
+ } else {
+- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
+- " SECMOD_GetSystemFIPSEnabled return value");
+- }
+- return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE);
+-
+-#else // SYSCONF_NSS
++ FILE *fe;
+
+- FILE *fe;
+-
+- dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
+- if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
++ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH);
++ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) {
+ throwIOException(env, "Cannot open " FIPS_ENABLED_PATH);
+ return JNI_FALSE;
+- }
+- fips_enabled = fgetc(fe);
+- fclose(fe);
+- if (fips_enabled == EOF) {
++ }
++ fips_enabled = fgetc(fe);
++ fclose(fe);
++ if (fips_enabled == EOF) {
+ throwIOException(env, "Cannot read " FIPS_ENABLED_PATH);
+ return JNI_FALSE;
+- }
+- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
+- " read character is '%c'", fips_enabled);
+- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) {
+- dbgPrint(env, msg);
+- } else {
+- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \
+- " read character");
+- }
+- return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
+-
+-#endif // SYSCONF_NSS
+-}
+-
+-static void throwIOException(JNIEnv *env, const char *msg)
+-{
+- jclass cls = (*env)->FindClass(env, "java/io/IOException");
+- if (cls != 0)
+- (*env)->ThrowNew(env, cls, msg);
+-}
+-
+-static void dbgPrint(JNIEnv *env, const char* msg)
+-{
+- jstring jMsg;
+- if (debugObj != NULL) {
+- jMsg = (*env)->NewStringUTF(env, msg);
+- CHECK_NULL(jMsg);
+- (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg);
++ }
++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \
++ " read character is '%c'", fips_enabled);
++ handle_msg(env, msg, msg_bytes);
++ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE);
+ }
+ }
diff --git a/SOURCES/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch b/SOURCES/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
new file mode 100644
index 0000000..1b706a1
--- /dev/null
+++ b/SOURCES/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
@@ -0,0 +1,19 @@
+Remove uses of FAR in jpeg code
+
+Upstream libjpeg-trubo removed the (empty) FAR macro:
+http://sourceforge.net/p/libjpeg-turbo/code/1312/
+
+Adjust our code to not use the undefined FAR macro anymore.
+
+diff --git a/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c b/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c
+--- openjdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c
++++ openjdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c
+@@ -1385,7 +1385,7 @@
+ /* and fill it in */
+ dst_ptr = icc_data;
+ for (seq_no = first; seq_no < last; seq_no++) {
+- JOCTET FAR *src_ptr = icc_markers[seq_no]->data + ICC_OVERHEAD_LEN;
++ JOCTET *src_ptr = icc_markers[seq_no]->data + ICC_OVERHEAD_LEN;
+ unsigned int length =
+ icc_markers[seq_no]->data_length - ICC_OVERHEAD_LEN;
+
diff --git a/SPECS/java-11-openjdk.spec b/SPECS/java-11-openjdk.spec
new file mode 100644
index 0000000..7746312
--- /dev/null
+++ b/SPECS/java-11-openjdk.spec
@@ -0,0 +1,3477 @@
+# RPM conditionals so as to be able to dynamically produce
+# slowdebug/release builds. See:
+# http://rpm.org/user_doc/conditional_builds.html
+#
+# Examples:
+#
+# Produce release, fastdebug *and* slowdebug builds on x86_64 (default):
+# $ rpmbuild -ba java-11-openjdk.spec
+#
+# Produce only release builds (no slowdebug builds) on x86_64:
+# $ rpmbuild -ba java-11-openjdk.spec --without slowdebug --without fastdebug
+#
+# Only produce a release build on x86_64:
+# $ fedpkg mockbuild --without slowdebug --without fastdebug
+
+# Enable fastdebug builds by default on relevant arches.
+%bcond_without fastdebug
+# Enable slowdebug builds by default on relevant arches.
+%bcond_without slowdebug
+# Enable release builds by default on relevant arches.
+%bcond_without release
+# Enable static library builds by default.
+%bcond_without staticlibs
+# Remove build artifacts by default
+%bcond_with artifacts
+# Build a fresh libjvm.so for use in a copy of the bootstrap JDK
+%bcond_without fresh_libjvm
+
+# Workaround for stripping of debug symbols from static libraries
+%if %{with staticlibs}
+%define __brp_strip_static_archive %{nil}
+%global include_staticlibs 1
+%else
+%global include_staticlibs 0
+%endif
+
+# Define whether to use the bootstrap JDK directly or with a fresh libjvm.so
+%if %{with fresh_libjvm}
+%global build_hotspot_first 1
+%else
+%global build_hotspot_first 0
+%endif
+
+# The -g flag says to use strip -g instead of full strip on DSOs or EXEs.
+# This fixes detailed NMT and other tools which need minimal debug info.
+# See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879
+%global _find_debuginfo_opts -g
+
+# note: parametrized macros are order-sensitive (unlike not-parametrized) even with normal macros
+# also necessary when passing it as parameter to other macros. If not macro, then it is considered a switch
+# see the difference between global and define:
+# See https://github.com/rpm-software-management/rpm/issues/127 to comments at "pmatilai commented on Aug 18, 2017"
+# (initiated in https://bugzilla.redhat.com/show_bug.cgi?id=1482192)
+%global debug_suffix_unquoted -slowdebug
+%global fastdebug_suffix_unquoted -fastdebug
+%global main_suffix_unquoted -main
+%global staticlibs_suffix_unquoted -staticlibs
+# quoted one for shell operations
+%global debug_suffix "%{debug_suffix_unquoted}"
+%global fastdebug_suffix "%{fastdebug_suffix_unquoted}"
+%global normal_suffix ""
+%global main_suffix "%{main_suffix_unquoted}"
+%global staticlibs_suffix "%{staticlibs_suffix_unquoted}"
+
+%global debug_warning This package is unoptimised with full debugging. Install only as needed and remove ASAP.
+%global fastdebug_warning This package is optimised with full debugging. Install only as needed and remove ASAP.
+%global debug_on unoptimised with full debugging on
+%global fastdebug_on optimised with full debugging on
+%global for_fastdebug for packages with debugging on and optimisation
+%global for_debug for packages with debugging on and no optimisation
+
+%if %{with release}
+%global include_normal_build 1
+%else
+%global include_normal_build 0
+%endif
+
+%if %{include_normal_build}
+%global normal_build %{normal_suffix}
+%else
+%global normal_build %{nil}
+%endif
+
+# We have hardcoded list of files, which is appearing in alternatives, and in files
+# in alternatives those are slaves and master, very often triplicated by man pages
+# in files all masters and slaves are ghosted
+# the ghosts are here to allow installation via query like `dnf install /usr/bin/java`
+# you can list those files, with appropriate sections: cat *.spec | grep -e --install -e --slave -e post_ -e alternatives
+# TODO - fix those hardcoded lists via single list
+# Those files must *NOT* be ghosted for *slowdebug* packages
+# FIXME - if you are moving jshell or jlink or similar, always modify all three sections
+# you can check via headless and devels:
+# rpm -ql --noghost java-11-openjdk-headless-11.0.1.13-8.fc29.x86_64.rpm | grep bin
+# == rpm -ql java-11-openjdk-headless-slowdebug-11.0.1.13-8.fc29.x86_64.rpm | grep bin
+# != rpm -ql java-11-openjdk-headless-11.0.1.13-8.fc29.x86_64.rpm | grep bin
+# similarly for other %%{_jvmdir}/{jre,java} and %%{_javadocdir}/{java,java-zip}
+%define is_release_build() %( if [ "%{?1}" == "%{debug_suffix_unquoted}" -o "%{?1}" == "%{fastdebug_suffix_unquoted}" ]; then echo "0" ; else echo "1"; fi )
+
+# while JDK is a techpreview(is_system_jdk=0), some provides are turned off. Once jdk stops to be an techpreview, move it to 1
+# as sytem JDK, we mean any JDK which can run whole system java stack without issues (like bytecode issues, module issues, dependencies...)
+%global is_system_jdk 1
+
+%global aarch64 aarch64 arm64 armv8
+# we need to distinguish between big and little endian PPC64
+%global ppc64le ppc64le
+%global ppc64be ppc64 ppc64p7
+# Set of architectures which support multiple ABIs
+%global multilib_arches %{power64} sparc64 x86_64
+# Set of architectures for which we build slowdebug builds
+%global debug_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} s390x
+# Set of architectures for which we build fastdebug builds
+%global fastdebug_arches x86_64 ppc64le aarch64
+# Set of architectures with a Just-In-Time (JIT) compiler
+%global jit_arches %{arm} %{aarch64} %{ix86} %{power64} s390x sparcv9 sparc64 x86_64
+# Set of architectures which use the Zero assembler port (!jit_arches)
+%global zero_arches ppc s390
+# Set of architectures which run a full bootstrap cycle
+%global bootstrap_arches %{jit_arches}
+# Set of architectures which support SystemTap tapsets
+%global systemtap_arches %{jit_arches}
+# Set of architectures with a Ahead-Of-Time (AOT) compiler
+%global aot_arches x86_64 %{aarch64}
+# Set of architectures which support the serviceability agent
+%global sa_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} %{arm}
+# Set of architectures which support class data sharing
+# As of JDK-8005165 in OpenJDK 10, class sharing is not arch-specific
+# However, it does segfault on the Zero assembler port, so currently JIT only
+%global share_arches %{jit_arches}
+# Set of architectures for which we build the Shenandoah garbage collector
+%global shenandoah_arches x86_64 %{aarch64}
+# Set of architectures for which we build the Z garbage collector
+%global zgc_arches x86_64
+# Set of architectures for which alt-java has SSB mitigation
+%global ssbd_arches x86_64
+# Set of architectures where we verify backtraces with gdb
+%global gdb_arches %{jit_arches} %{zero_arches}
+
+# By default, we build a slowdebug build during main build on JIT architectures
+%if %{with slowdebug}
+%ifarch %{debug_arches}
+%global include_debug_build 1
+%else
+%global include_debug_build 0
+%endif
+%else
+%global include_debug_build 0
+%endif
+
+# On certain architectures, we compile the Shenandoah GC
+%ifarch %{shenandoah_arches}
+%global use_shenandoah_hotspot 1
+%global shenandoah_feature shenandoahgc
+%else
+%global use_shenandoah_hotspot 0
+%global shenandoah_feature -shenandoahgc
+%endif
+
+# On certain architectures, we compile the ZGC
+%ifarch %{zgc_arches}
+%global use_zgc_hotspot 1
+%global zgc_feature zgc
+%else
+%global use_zgc_hotspot 0
+%global zgc_feature -zgc
+%endif
+
+# By default, we build a fastdebug build during main build only on fastdebug architectures
+%if %{with fastdebug}
+%ifarch %{fastdebug_arches}
+%global include_fastdebug_build 1
+%else
+%global include_fastdebug_build 0
+%endif
+%else
+%global include_fastdebug_build 0
+%endif
+
+%if %{include_debug_build}
+%global slowdebug_build %{debug_suffix}
+%else
+%global slowdebug_build %{nil}
+%endif
+
+%if %{include_fastdebug_build}
+%global fastdebug_build %{fastdebug_suffix}
+%else
+%global fastdebug_build %{nil}
+%endif
+
+# If you disable all builds, then the build fails
+# Build and test slowdebug first as it provides the best diagnostics
+%global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build}
+
+%if %{include_staticlibs}
+%global staticlibs_loop %{staticlibs_suffix}
+%else
+%global staticlibs_loop %{nil}
+%endif
+
+%if 0%{?flatpak}
+%global bootstrap_build false
+%else
+%ifarch %{bootstrap_arches}
+%global bootstrap_build true
+%else
+%global bootstrap_build false
+%endif
+%endif
+
+%if %{include_staticlibs}
+# Extra target for producing the static-libraries. Separate from
+# other targets since this target is configured to use in-tree
+# AWT dependencies: lcms, libjpeg, libpng, libharfbuzz, giflib
+# and possibly others
+%global static_libs_target static-libs-image
+%else
+%global static_libs_target %{nil}
+%endif
+
+# RPM JDK builds keep the debug symbols internal, to be later stripped by RPM
+%global debug_symbols internal
+
+# unlike portables,the rpms have to use static_libs_target very dynamically
+%global bootstrap_targets images
+%global release_targets images docs-zip
+# No docs nor bootcycle for debug builds
+%global debug_targets images
+# Target to use to just build HotSpot
+%global hotspot_target hotspot
+
+# JDK to use for bootstrapping
+%global bootjdk /usr/lib/jvm/java-%{buildjdkver}-openjdk
+
+# Disable LTO as this causes build failures at the moment.
+# See RHBZ#1861401
+%define _lto_cflags %{nil}
+
+# Filter out flags from the optflags macro that cause problems with the OpenJDK build
+# We filter out -O flags so that the optimization of HotSpot is not lowered from O3 to O2
+# We filter out -Wall which will otherwise cause HotSpot to produce hundreds of thousands of warnings (100+mb logs)
+# We replace it with -Wformat (required by -Werror=format-security) and -Wno-cpp to avoid FORTIFY_SOURCE warnings
+# We filter out -fexceptions as the HotSpot build explicitly does -fno-exceptions and it's otherwise the default for C++
+%global ourflags %(echo %optflags | sed -e 's|-Wall|-Wformat -Wno-cpp|' | sed -r -e 's|-O[0-9]*||')
+%global ourcppflags %(echo %ourflags | sed -e 's|-fexceptions||')
+%global ourldflags %{__global_ldflags}
+
+# With disabled nss is NSS deactivated, so NSS_LIBDIR can contain the wrong path
+# the initialization must be here. Later the pkg-config have buggy behavior
+# looks like openjdk RPM specific bug
+# Always set this so the nss.cfg file is not broken
+%global NSS_LIBDIR %(pkg-config --variable=libdir nss)
+
+# In some cases, the arch used by the JDK does
+# not match _arch.
+# Also, in some cases, the machine name used by SystemTap
+# does not match that given by _target_cpu
+%ifarch x86_64
+%global archinstall amd64
+%global stapinstall x86_64
+%endif
+%ifarch ppc
+%global archinstall ppc
+%global stapinstall powerpc
+%endif
+%ifarch %{ppc64be}
+%global archinstall ppc64
+%global stapinstall powerpc
+%endif
+%ifarch %{ppc64le}
+%global archinstall ppc64le
+%global stapinstall powerpc
+%endif
+%ifarch %{ix86}
+%global archinstall i686
+%global stapinstall i386
+%endif
+%ifarch ia64
+%global archinstall ia64
+%global stapinstall ia64
+%endif
+%ifarch s390
+%global archinstall s390
+%global stapinstall s390
+%endif
+%ifarch s390x
+%global archinstall s390x
+%global stapinstall s390
+%endif
+%ifarch %{arm}
+%global archinstall arm
+%global stapinstall arm
+%endif
+%ifarch %{aarch64}
+%global archinstall aarch64
+%global stapinstall arm64
+%endif
+# 32 bit sparc, optimized for v9
+%ifarch sparcv9
+%global archinstall sparc
+%global stapinstall %{_target_cpu}
+%endif
+# 64 bit sparc
+%ifarch sparc64
+%global archinstall sparcv9
+%global stapinstall %{_target_cpu}
+%endif
+# Need to support noarch for srpm build
+%ifarch noarch
+%global archinstall %{nil}
+%global stapinstall %{nil}
+%endif
+
+%ifarch %{systemtap_arches}
+%global with_systemtap 1
+%else
+%global with_systemtap 0
+%endif
+
+# New Version-String scheme-style defines
+%global featurever 11
+%global interimver 0
+%global updatever 14
+%global patchver 1
+# If you bump featurever, you must bump also vendor_version_string
+# Used via new version scheme. JDK 11 was
+# GA'ed in September 2018 => 18.9
+%global vendor_version_string 18.9
+# buildjdkver is usually same as %%{featurever},
+# but in time of bootstrap of next jdk, it is featurever-1,
+# and this it is better to change it here, on single place
+%global buildjdkver %{featurever}
+# Add LTS designator for RHEL builds
+%if 0%{?rhel}
+ %global lts_designator "LTS"
+ %global lts_designator_zip -%{lts_designator}
+%else
+ %global lts_designator ""
+ %global lts_designator_zip ""
+%endif
+
+# Define vendor information used by OpenJDK
+%global oj_vendor Red Hat, Inc.
+%global oj_vendor_url https://www.redhat.com/
+# Define what url should JVM offer in case of a crash report
+# order may be important, epel may have rhel declared
+%if 0%{?epel}
+%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora%20EPEL&component=%{name}&version=epel%{epel}
+%else
+%if 0%{?fedora}
+# Does not work for rawhide, keeps the version field empty
+%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=%{name}&version=%{fedora}
+%else
+%if 0%{?rhel}
+%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%20%{rhel}&component=%{name}
+%else
+%global oj_vendor_bug_url https://bugzilla.redhat.com/enter_bug.cgi
+%endif
+%endif
+%endif
+
+# Define IcedTea version used for SystemTap tapsets and desktop file
+%global icedteaver 6.0.0pre00-c848b93a8598
+
+# Standard JPackage naming and versioning defines
+%global origin openjdk
+%global origin_nice OpenJDK
+%global top_level_dir_name %{origin}
+%global top_level_dir_name_backup %{top_level_dir_name}-backup
+%global buildver 1
+%global rpmrelease 6
+#%%global tagsuffix %%{nil}
+# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
+%if %is_system_jdk
+# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
+# It is very unlikely we will ever have a patch version > 4 or a build version > 20, so we combine as (patch * 20) + build.
+# This means 11.0.9.0+11 would have had a priority of 11000911 as before
+# A 11.0.9.1+1 would have had a priority of 11000921 (20 * 1 + 1), thus ensuring it is bigger than 11.0.9.0+11
+%global combiver $( expr 20 '*' %{patchver} + %{buildver} )
+%global priority %( printf '%02d%02d%02d%02d' %{featurever} %{interimver} %{updatever} %{combiver} )
+%else
+# for techpreview, using 1, so slowdebugs can have 0
+%global priority %( printf '%08d' 1 )
+%endif
+%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver}
+
+# Omit trailing 0 in filenames when the patch version is 0
+%if 0%{?patchver} > 0
+%global filever %{newjavaver}
+%else
+%global filever %{featurever}.%{interimver}.%{updatever}
+%endif
+
+%global javaver %{featurever}
+
+# Define milestone (EA for pre-releases, GA for releases)
+# Release will be (where N is usually a number starting at 1):
+# - 0.N%%{?extraver}%%{?dist} for EA releases,
+# - N%%{?extraver}{?dist} for GA releases
+%global is_ga 1
+%if %{is_ga}
+%global ea_designator ""
+%global ea_designator_zip ""
+%global extraver %{nil}
+%global eaprefix %{nil}
+%else
+%global ea_designator ea
+%global ea_designator_zip -%{ea_designator}
+%global extraver .%{ea_designator}
+%global eaprefix 0.
+%endif
+
+# parametrized macros are order-sensitive
+%global compatiblename java-%{featurever}-%{origin}
+%global fullversion %{compatiblename}-%{version}-%{release}
+# images directories from upstream build
+%global jdkimage jdk
+%global static_libs_image static-libs
+# output dir stub
+%define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}}
+%define installoutputdir() %{expand:install/jdk%{featurever}.install%{?1}}
+# we can copy the javadoc to not arched dir, or make it not noarch
+%define uniquejavadocdir() %{expand:%{fullversion}.%{_arch}%{?1}}
+# main id and dir of this jdk
+%define uniquesuffix() %{expand:%{fullversion}.%{_arch}%{?1}}
+
+#################################################################
+# fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349
+# https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14
+# https://bugzilla.redhat.com/show_bug.cgi?id=1655938
+%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsunec[.]so.*|libsystemconf[.]so.*|libunpack[.]so.*|libzip[.]so.*
+%global _publiclibs libjawt[.]so.*|libjava[.]so.*|libjvm[.]so.*|libverify[.]so.*|libjsig[.]so.*
+%if %is_system_jdk
+%global __provides_exclude ^(%{_privatelibs})$
+%global __requires_exclude ^(%{_privatelibs})$
+# Never generate lib-style provides/requires for any debug packages
+%global __provides_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$
+%global __requires_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$
+%global __provides_exclude_from ^.*/%{uniquesuffix -- %{fastdebug_suffix_unquoted}}/.*$
+%global __requires_exclude_from ^.*/%{uniquesuffix -- %{fastdebug_suffix_unquoted}}/.*$
+%else
+# Don't generate provides/requires for JDK provided shared libraries at all.
+%global __provides_exclude ^(%{_privatelibs}|%{_publiclibs})$
+%global __requires_exclude ^(%{_privatelibs}|%{_publiclibs})$
+%endif
+
+
+%global etcjavasubdir %{_sysconfdir}/java/java-%{javaver}-%{origin}
+%define etcjavadir() %{expand:%{etcjavasubdir}/%{uniquesuffix -- %{?1}}}
+# Standard JPackage directories and symbolic links.
+%define sdkdir() %{expand:%{uniquesuffix -- %{?1}}}
+%define jrelnk() %{expand:jre-%{javaver}-%{origin}-%{version}-%{release}.%{_arch}%{?1}}
+
+%define sdkbindir() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin}
+%define jrebindir() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin}
+
+%global alt_java_name alt-java
+
+%global rpm_state_dir %{_localstatedir}/lib/rpm-state/
+
+# For flatpack builds hard-code /usr/sbin/alternatives,
+# otherwise use %%{_sbindir} relative path.
+%if 0%{?flatpak}
+%global alternatives_requires /usr/sbin/alternatives
+%else
+%global alternatives_requires %{_sbindir}/alternatives
+%endif
+
+%global family %{name}.%{_arch}
+%global family_noarch %{name}
+
+%if %{with_systemtap}
+# Where to install systemtap tapset (links)
+# We would like these to be in a package specific sub-dir,
+# but currently systemtap doesn't support that, so we have to
+# use the root tapset dir for now. To distinguish between 64
+# and 32 bit architectures we place the tapsets under the arch
+# specific dir (note that systemtap will only pickup the tapset
+# for the primary arch for now). Systemtap uses the machine name
+# aka target_cpu as architecture specific directory name.
+%global tapsetroot /usr/share/systemtap
+%global tapsetdirttapset %{tapsetroot}/tapset/
+%global tapsetdir %{tapsetdirttapset}/%{stapinstall}
+%endif
+
+# not-duplicated scriptlets for normal/debug packages
+%global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
+
+%define save_alternatives() %{expand:
+ # warning! alternatives are localised!
+ # LANG=cs_CZ.UTF-8 alternatives --display java | head
+ # LANG=en_US.UTF-8 alternatives --display java | head
+ function nonLocalisedAlternativesDisplayOfMaster() {
+ LANG=en_US.UTF-8 alternatives --display "$MASTER"
+ }
+ function headOfAbove() {
+ nonLocalisedAlternativesDisplayOfMaster | head -n $1
+ }
+ MASTER="%{?1}"
+ LOCAL_LINK="%{?2}"
+ FAMILY="%{?3}"
+ rm -f %{_localstatedir}/lib/rpm-state/"$MASTER"_$FAMILY > /dev/null
+ if nonLocalisedAlternativesDisplayOfMaster > /dev/null ; then
+ if headOfAbove 1 | grep -q manual ; then
+ if headOfAbove 2 | tail -n 1 | grep -q %{compatiblename} ; then
+ headOfAbove 2 > %{_localstatedir}/lib/rpm-state/"$MASTER"_"$FAMILY"
+ fi
+ fi
+ fi
+}
+
+%define save_and_remove_alternatives() %{expand:
+ if [ "x$debug" == "xtrue" ] ; then
+ set -x
+ fi
+ upgrade1_uninstal0=%{?3}
+ if [ "0$upgrade1_uninstal0" -gt 0 ] ; then # removal of this condition will cause persistence between uninstall
+ %{save_alternatives %{?1} %{?2} %{?4}}
+ fi
+ alternatives --remove "%{?1}" "%{?2}"
+}
+
+%define set_if_needed_alternatives() %{expand:
+ MASTER="%{?1}"
+ FAMILY="%{?2}"
+ ALTERNATIVES_FILE="%{_localstatedir}/lib/rpm-state/$MASTER"_"$FAMILY"
+ if [ -e "$ALTERNATIVES_FILE" ] ; then
+ rm "$ALTERNATIVES_FILE"
+ alternatives --set $MASTER $FAMILY
+ fi
+}
+
+
+%define post_script() %{expand:
+update-desktop-database %{_datadir}/applications &> /dev/null || :
+/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || :
+exit 0
+}
+
+%define alternatives_java_install() %{expand:
+if [ "x$debug" == "xtrue" ] ; then
+ set -x
+fi
+PRIORITY=%{priority}
+if [ "%{?1}" == %{debug_suffix} ]; then
+ let PRIORITY=PRIORITY-1
+fi
+
+ext=.gz
+key=java
+alternatives \\
+ --install %{_bindir}/java $key %{jrebindir -- %{?1}}/java $PRIORITY --family %{family} \\
+ --slave %{_jvmdir}/jre jre %{_jvmdir}/%{sdkdir -- %{?1}} \\
+ --slave %{_bindir}/%{alt_java_name} %{alt_java_name} %{jrebindir -- %{?1}}/%{alt_java_name} \\
+ --slave %{_bindir}/jjs jjs %{jrebindir -- %{?1}}/jjs \\
+ --slave %{_bindir}/keytool keytool %{jrebindir -- %{?1}}/keytool \\
+ --slave %{_bindir}/pack200 pack200 %{jrebindir -- %{?1}}/pack200 \\
+ --slave %{_bindir}/rmid rmid %{jrebindir -- %{?1}}/rmid \\
+ --slave %{_bindir}/rmiregistry rmiregistry %{jrebindir -- %{?1}}/rmiregistry \\
+ --slave %{_bindir}/unpack200 unpack200 %{jrebindir -- %{?1}}/unpack200 \\
+ --slave %{_mandir}/man1/java.1$ext java.1$ext \\
+ %{_mandir}/man1/java-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/%{alt_java_name}.1$ext %{alt_java_name}.1$ext \\
+ %{_mandir}/man1/%{alt_java_name}-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jjs.1$ext jjs.1$ext \\
+ %{_mandir}/man1/jjs-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/keytool.1$ext keytool.1$ext \\
+ %{_mandir}/man1/keytool-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/pack200.1$ext pack200.1$ext \\
+ %{_mandir}/man1/pack200-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/rmid.1$ext rmid.1$ext \\
+ %{_mandir}/man1/rmid-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/rmiregistry.1$ext rmiregistry.1$ext \\
+ %{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/unpack200.1$ext unpack200.1$ext \\
+ %{_mandir}/man1/unpack200-%{uniquesuffix -- %{?1}}.1$ext
+
+%{set_if_needed_alternatives $key %{family}}
+
+for X in %{origin} %{javaver} ; do
+ key=jre_"$X"
+ alternatives --install %{_jvmdir}/jre-"$X" $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family}
+ %{set_if_needed_alternatives $key %{family}}
+done
+
+key=jre_%{javaver}_%{origin}
+alternatives --install %{_jvmdir}/jre-%{javaver}-%{origin} $key %{_jvmdir}/%{jrelnk -- %{?1}} $PRIORITY --family %{family}
+%{set_if_needed_alternatives $key %{family}}
+}
+
+%define post_headless() %{expand:
+%ifarch %{share_arches}
+%{jrebindir -- %{?1}}/java -Xshare:dump >/dev/null 2>/dev/null
+%endif
+
+update-desktop-database %{_datadir}/applications &> /dev/null || :
+/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || :
+
+# see pretrans where this file is declared
+# also see that pretrans is only for non-debug
+if [ ! "%{?1}" == %{debug_suffix} ]; then
+ if [ -f %{_libexecdir}/copy_jdk_configs_fixFiles.sh ] ; then
+ sh %{_libexecdir}/copy_jdk_configs_fixFiles.sh %{rpm_state_dir}/%{name}.%{_arch} %{_jvmdir}/%{sdkdir -- %{?1}}
+ fi
+fi
+
+exit 0
+}
+
+%define postun_script() %{expand:
+update-desktop-database %{_datadir}/applications &> /dev/null || :
+if [ $1 -eq 0 ] ; then
+ /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null
+ %{update_desktop_icons}
+fi
+exit 0
+}
+
+
+%define postun_headless() %{expand:
+ if [ "x$debug" == "xtrue" ] ; then
+ set -x
+ fi
+ post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
+ %{save_and_remove_alternatives java %{jrebindir -- %{?1}}/java $post_state %{family}}
+ %{save_and_remove_alternatives jre_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}
+ %{save_and_remove_alternatives jre_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}
+ %{save_and_remove_alternatives jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} $post_state %{family}}
+}
+
+%define posttrans_script() %{expand:
+%{update_desktop_icons}
+}
+
+
+%define alternatives_javac_install() %{expand:
+if [ "x$debug" == "xtrue" ] ; then
+ set -x
+fi
+PRIORITY=%{priority}
+if [ "%{?1}" == %{debug_suffix} ]; then
+ let PRIORITY=PRIORITY-1
+fi
+
+ext=.gz
+key=javac
+alternatives \\
+ --install %{_bindir}/javac $key %{sdkbindir -- %{?1}}/javac $PRIORITY --family %{family} \\
+ --slave %{_jvmdir}/java java_sdk %{_jvmdir}/%{sdkdir -- %{?1}} \\
+%ifarch %{aot_arches}
+ --slave %{_bindir}/jaotc jaotc %{sdkbindir -- %{?1}}/jaotc \\
+%endif
+ --slave %{_bindir}/jlink jlink %{sdkbindir -- %{?1}}/jlink \\
+ --slave %{_bindir}/jmod jmod %{sdkbindir -- %{?1}}/jmod \\
+%ifarch %{sa_arches}
+%ifnarch %{zero_arches}
+ --slave %{_bindir}/jhsdb jhsdb %{sdkbindir -- %{?1}}/jhsdb \\
+%endif
+%endif
+ --slave %{_bindir}/jar jar %{sdkbindir -- %{?1}}/jar \\
+ --slave %{_bindir}/jarsigner jarsigner %{sdkbindir -- %{?1}}/jarsigner \\
+ --slave %{_bindir}/javadoc javadoc %{sdkbindir -- %{?1}}/javadoc \\
+ --slave %{_bindir}/javap javap %{sdkbindir -- %{?1}}/javap \\
+ --slave %{_bindir}/jcmd jcmd %{sdkbindir -- %{?1}}/jcmd \\
+ --slave %{_bindir}/jconsole jconsole %{sdkbindir -- %{?1}}/jconsole \\
+ --slave %{_bindir}/jdb jdb %{sdkbindir -- %{?1}}/jdb \\
+ --slave %{_bindir}/jdeps jdeps %{sdkbindir -- %{?1}}/jdeps \\
+ --slave %{_bindir}/jdeprscan jdeprscan %{sdkbindir -- %{?1}}/jdeprscan \\
+ --slave %{_bindir}/jfr jfr %{sdkbindir -- %{?1}}/jfr \\
+ --slave %{_bindir}/jimage jimage %{sdkbindir -- %{?1}}/jimage \\
+ --slave %{_bindir}/jinfo jinfo %{sdkbindir -- %{?1}}/jinfo \\
+ --slave %{_bindir}/jmap jmap %{sdkbindir -- %{?1}}/jmap \\
+ --slave %{_bindir}/jps jps %{sdkbindir -- %{?1}}/jps \\
+ --slave %{_bindir}/jrunscript jrunscript %{sdkbindir -- %{?1}}/jrunscript \\
+ --slave %{_bindir}/jshell jshell %{sdkbindir -- %{?1}}/jshell \\
+ --slave %{_bindir}/jstack jstack %{sdkbindir -- %{?1}}/jstack \\
+ --slave %{_bindir}/jstat jstat %{sdkbindir -- %{?1}}/jstat \\
+ --slave %{_bindir}/jstatd jstatd %{sdkbindir -- %{?1}}/jstatd \\
+ --slave %{_bindir}/rmic rmic %{sdkbindir -- %{?1}}/rmic \\
+ --slave %{_bindir}/serialver serialver %{sdkbindir -- %{?1}}/serialver \\
+ --slave %{_mandir}/man1/jar.1$ext jar.1$ext \\
+ %{_mandir}/man1/jar-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jarsigner.1$ext jarsigner.1$ext \\
+ %{_mandir}/man1/jarsigner-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/javac.1$ext javac.1$ext \\
+ %{_mandir}/man1/javac-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/javadoc.1$ext javadoc.1$ext \\
+ %{_mandir}/man1/javadoc-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/javap.1$ext javap.1$ext \\
+ %{_mandir}/man1/javap-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jcmd.1$ext jcmd.1$ext \\
+ %{_mandir}/man1/jcmd-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jconsole.1$ext jconsole.1$ext \\
+ %{_mandir}/man1/jconsole-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jdb.1$ext jdb.1$ext \\
+ %{_mandir}/man1/jdb-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jdeps.1$ext jdeps.1$ext \\
+ %{_mandir}/man1/jdeps-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jinfo.1$ext jinfo.1$ext \\
+ %{_mandir}/man1/jinfo-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jmap.1$ext jmap.1$ext \\
+ %{_mandir}/man1/jmap-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jps.1$ext jps.1$ext \\
+ %{_mandir}/man1/jps-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jrunscript.1$ext jrunscript.1$ext \\
+ %{_mandir}/man1/jrunscript-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jstack.1$ext jstack.1$ext \\
+ %{_mandir}/man1/jstack-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jstat.1$ext jstat.1$ext \\
+ %{_mandir}/man1/jstat-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/jstatd.1$ext jstatd.1$ext \\
+ %{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/rmic.1$ext rmic.1$ext \\
+ %{_mandir}/man1/rmic-%{uniquesuffix -- %{?1}}.1$ext \\
+ --slave %{_mandir}/man1/serialver.1$ext serialver.1$ext \\
+ %{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1$ext
+
+%{set_if_needed_alternatives $key %{family}}
+
+for X in %{origin} %{javaver} ; do
+ key=java_sdk_"$X"
+ alternatives --install %{_jvmdir}/java-"$X" $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family}
+ %{set_if_needed_alternatives $key %{family}}
+done
+
+key=java_sdk_%{javaver}_%{origin}
+alternatives --install %{_jvmdir}/java-%{javaver}-%{origin} $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family}
+%{set_if_needed_alternatives $key %{family}}
+}
+
+%define post_devel() %{expand:
+update-desktop-database %{_datadir}/applications &> /dev/null || :
+/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || :
+
+exit 0
+}
+
+%define postun_devel() %{expand:
+ if [ "x$debug" == "xtrue" ] ; then
+ set -x
+ fi
+ post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
+ %{save_and_remove_alternatives javac %{sdkbindir -- %{?1}}/javac $post_state %{family}}
+ %{save_and_remove_alternatives java_sdk_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}
+ %{save_and_remove_alternatives java_sdk_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}
+ %{save_and_remove_alternatives java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}}
+
+update-desktop-database %{_datadir}/applications &> /dev/null || :
+
+if [ $1 -eq 0 ] ; then
+ /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null
+ %{update_desktop_icons}
+fi
+exit 0
+}
+
+%define posttrans_devel() %{expand:
+%{alternatives_javac_install -- %{?1}}
+%{update_desktop_icons}
+}
+
+%define alternatives_javadoc_install() %{expand:
+if [ "x$debug" == "xtrue" ] ; then
+ set -x
+fi
+PRIORITY=%{priority}
+if [ "%{?1}" == %{debug_suffix} ]; then
+ let PRIORITY=PRIORITY-1
+fi
+
+key=javadocdir
+alternatives --install %{_javadocdir}/java $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch}
+%{set_if_needed_alternatives $key %{family_noarch}}
+exit 0
+}
+
+%define postun_javadoc() %{expand:
+if [ "x$debug" == "xtrue" ] ; then
+ set -x
+fi
+ post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
+ %{save_and_remove_alternatives javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}}
+exit 0
+}
+
+%define alternatives_javadoczip_install() %{expand:
+if [ "x$debug" == "xtrue" ] ; then
+ set -x
+fi
+PRIORITY=%{priority}
+if [ "%{?1}" == %{debug_suffix} ]; then
+ let PRIORITY=PRIORITY-1
+fi
+key=javadoczip
+alternatives --install %{_javadocdir}/java-zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch}
+%{set_if_needed_alternatives $key %{family_noarch}}
+exit 0
+}
+
+%define postun_javadoc_zip() %{expand:
+ if [ "x$debug" == "xtrue" ] ; then
+ set -x
+ fi
+ post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax
+ %{save_and_remove_alternatives javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}}
+exit 0
+}
+
+%define files_jre() %{expand:
+%{_datadir}/icons/hicolor/*x*/apps/java-%{javaver}-%{origin}.png
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsplashscreen.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_xawt.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjawt.so
+}
+
+
+%define files_jre_headless() %{expand:
+%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
+%doc %{_defaultdocdir}/%{uniquejavadocdir -- %{?1}}/NEWS
+%dir %{_sysconfdir}/.java/.systemPrefs
+%dir %{_sysconfdir}/.java
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}
+%{_jvmdir}/%{sdkdir -- %{?1}}/release
+%{_jvmdir}/%{jrelnk -- %{?1}}
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/java
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/%{alt_java_name}
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jjs
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/keytool
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/pack200
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/rmid
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/rmiregistry
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/unpack200
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib
+%ifarch %{jit_arches}
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/classlist
+%endif
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jexec
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jspawnhelper
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jrt-fs.jar
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/modules
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfont.properties.ja
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfontj2d.properties
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/tzdb.dat
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/jli
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jli/libjli.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jvm.cfg
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libattach.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libextnet.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjsig.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_headless.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libdt_socket.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfontmanager.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libinstrument.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2gss.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pcsc.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pkcs11.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjaas.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjava.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjavajpeg.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjdwp.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjimage.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjsound.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/liblcms.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmanagement.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmanagement_agent.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmanagement_ext.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmlib_image.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libnet.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libnio.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libprefs.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/librmi.so
+# Some architectures don't have the serviceability agent
+%ifarch %{sa_arches}
+%ifnarch %{zero_arches}
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsaproc.so
+%endif
+%endif
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsctp.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsunec.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsystemconf.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libunpack.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libverify.so
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libzip.so
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr/default.jfc
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr/profile.jfc
+%{_mandir}/man1/java-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/%{alt_java_name}-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jjs-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/keytool-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/pack200-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/rmid-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/unpack200-%{uniquesuffix -- %{?1}}.1*
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/server/
+%ifarch %{share_arches}
+%attr(444, root, root) %ghost %{_jvmdir}/%{sdkdir -- %{?1}}/lib/server/classes.jsa
+%endif
+%dir %{etcjavasubdir}
+%dir %{etcjavadir -- %{?1}}
+%dir %{etcjavadir -- %{?1}}/lib
+%dir %{etcjavadir -- %{?1}}/lib/security
+%{etcjavadir -- %{?1}}/lib/security/cacerts
+%dir %{etcjavadir -- %{?1}}/conf
+%dir %{etcjavadir -- %{?1}}/conf/management
+%dir %{etcjavadir -- %{?1}}/conf/security
+%dir %{etcjavadir -- %{?1}}/conf/security/policy
+%dir %{etcjavadir -- %{?1}}/conf/security/policy/limited
+%dir %{etcjavadir -- %{?1}}/conf/security/policy/unlimited
+%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/default.policy
+%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/blocked.certs
+%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/public_suffix_list.dat
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/exempt_local.policy
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/default_local.policy
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/default_US_export.policy
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/unlimited/default_local.policy
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/unlimited/default_US_export.policy
+ %{etcjavadir -- %{?1}}/conf/security/policy/README.txt
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.policy
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.security
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/logging.properties
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.cfg
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.fips.cfg
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/management/jmxremote.access
+# This is a configuration template and thus not config-noreplace
+%config %{etcjavadir -- %{?1}}/conf/management/jmxremote.password.template
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/management/management.properties
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/net.properties
+%config(noreplace) %{etcjavadir -- %{?1}}/conf/sound.properties
+%{_jvmdir}/%{sdkdir -- %{?1}}/conf
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/security
+%if %is_system_jdk
+%if %{is_release_build -- %{?1}}
+%ghost %{_bindir}/java
+%ghost %{_bindir}/%{alt_java_name}
+%ghost %{_jvmdir}/jre
+# https://bugzilla.redhat.com/show_bug.cgi?id=1312019
+%ghost %{_bindir}/jjs
+%ghost %{_bindir}/keytool
+%ghost %{_bindir}/pack200
+%ghost %{_bindir}/rmid
+%ghost %{_bindir}/rmiregistry
+%ghost %{_bindir}/unpack200
+%ghost %{_jvmdir}/jre-%{origin}
+%ghost %{_jvmdir}/jre-%{javaver}
+%ghost %{_jvmdir}/jre-%{javaver}-%{origin}
+%endif
+%endif
+# https://bugzilla.redhat.com/show_bug.cgi?id=1820172
+# https://docs.fedoraproject.org/en-US/packaging-guidelines/Directory_Replacement/
+%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/conf.rpmmoved
+%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/lib/security.rpmmoved
+}
+
+%define files_devel() %{expand:
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jar
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jarsigner
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/javac
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/javadoc
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/javap
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jconsole
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jcmd
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdb
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdeps
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdeprscan
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jfr
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jimage
+# Some architectures don't have the serviceability agent
+%ifarch %{sa_arches}
+%ifnarch %{zero_arches}
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jhsdb
+%endif
+%endif
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jinfo
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jlink
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jmap
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jmod
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jps
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jrunscript
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jshell
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jstack
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jstat
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jstatd
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/rmic
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/serialver
+%ifarch %{aot_arches}
+%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jaotc
+%endif
+%{_jvmdir}/%{sdkdir -- %{?1}}/include
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/ct.sym
+%if %{with_systemtap}
+%{_jvmdir}/%{sdkdir -- %{?1}}/tapset
+%endif
+%{_datadir}/applications/*jconsole%{?1}.desktop
+%{_mandir}/man1/jar-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jarsigner-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/javac-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/javadoc-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/javap-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jconsole-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jcmd-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jdb-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jdeps-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jinfo-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jmap-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jps-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jrunscript-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jstack-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jstat-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/rmic-%{uniquesuffix -- %{?1}}.1*
+%{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1*
+%if %{with_systemtap}
+%dir %{tapsetroot}
+%dir %{tapsetdirttapset}
+%dir %{tapsetdir}
+%{tapsetdir}/*%{_arch}%{?1}.stp
+%endif
+%if %is_system_jdk
+%if %{is_release_build -- %{?1}}
+%ghost %{_bindir}/javac
+%ghost %{_jvmdir}/java
+%ghost %{_jvmdir}/%{alt_java_name}
+%ghost %{_bindir}/jaotc
+%ghost %{_bindir}/jlink
+%ghost %{_bindir}/jmod
+%ghost %{_bindir}/jhsdb
+%ghost %{_bindir}/jar
+%ghost %{_bindir}/jarsigner
+%ghost %{_bindir}/javadoc
+%ghost %{_bindir}/javap
+%ghost %{_bindir}/jcmd
+%ghost %{_bindir}/jconsole
+%ghost %{_bindir}/jdb
+%ghost %{_bindir}/jdeps
+%ghost %{_bindir}/jdeprscan
+%ghost %{_bindir}/jimage
+%ghost %{_bindir}/jinfo
+%ghost %{_bindir}/jmap
+%ghost %{_bindir}/jps
+%ghost %{_bindir}/jrunscript
+%ghost %{_bindir}/jshell
+%ghost %{_bindir}/jstack
+%ghost %{_bindir}/jstat
+%ghost %{_bindir}/jstatd
+%ghost %{_bindir}/rmic
+%ghost %{_bindir}/serialver
+%ghost %{_jvmdir}/java-%{origin}
+%ghost %{_jvmdir}/java-%{javaver}
+%ghost %{_jvmdir}/java-%{javaver}-%{origin}
+%endif
+%endif
+}
+
+%define files_jmods() %{expand:
+%{_jvmdir}/%{sdkdir -- %{?1}}/jmods
+}
+
+%define files_demo() %{expand:
+%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
+%{_jvmdir}/%{sdkdir -- %{?1}}/demo
+%{_jvmdir}/%{sdkdir -- %{?1}}/sample
+}
+
+%define files_src() %{expand:
+%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/src.zip
+}
+
+%define files_static_libs() %{expand:
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}
+%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc
+%{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc/lib*.a
+}
+
+%define files_javadoc() %{expand:
+%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}
+%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
+%if %is_system_jdk
+%if %{is_release_build -- %{?1}}
+%ghost %{_javadocdir}/java
+%endif
+%endif
+}
+
+%define files_javadoc_zip() %{expand:
+%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip
+%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal
+%if %is_system_jdk
+%if %{is_release_build -- %{?1}}
+%ghost %{_javadocdir}/java-zip
+%endif
+%endif
+}
+
+# not-duplicated requires/provides/obsoletes for normal/debug packages
+%define java_rpo() %{expand:
+Requires: fontconfig%{?_isa}
+Requires: xorg-x11-fonts-Type1
+# Require libXcomposite explicitly since it's only dynamically loaded
+# at runtime. Fixes screenshot issues. See JDK-8150954.
+Requires: libXcomposite%{?_isa}
+# Requires rest of java
+Requires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+# for java-X-openjdk package's desktop binding
+%if 0%{?rhel} >= 8
+Recommends: gtk3%{?_isa}
+%endif
+
+Provides: java-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release}
+
+# Standard JPackage base provides
+Provides: jre-%{javaver}%{?1} = %{epoch}:%{version}-%{release}
+Provides: jre-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}%{?1} = %{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-%{origin}%{?1} = %{epoch}:%{version}-%{release}
+Provides: jre-%{origin}%{?1} = %{epoch}:%{version}-%{release}
+Provides: java%{?1} = %{epoch}:%{version}-%{release}
+Provides: jre%{?1} = %{epoch}:%{version}-%{release}
+%endif
+}
+
+%define java_headless_rpo() %{expand:
+# Require /etc/pki/java/cacerts
+Requires: ca-certificates
+# Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros
+Requires: javapackages-filesystem
+# Require zone-info data provided by tzdata-java sub-package
+# 2021e required as of JDK-8275766 in January 2022 CPU
+Requires: tzdata-java >= 2021e
+# for support of kernel stream control
+# libsctp.so.1 is being `dlopen`ed on demand
+Requires: lksctp-tools%{?_isa}
+%if ! 0%{?flatpak}
+# tool to copy jdk's configs - should be Recommends only, but then only dnf/yum enforce it,
+# not rpm transaction and so no configs are persisted when pure rpm -u is run. It may be
+# considered as regression
+Requires: copy-jdk-configs >= 3.3
+OrderWithRequires: copy-jdk-configs
+%endif
+# for printing support
+Requires: cups-libs
+# for FIPS PKCS11 provider
+Requires: nss
+# Post requires alternatives to install tool alternatives
+Requires(post): %{alternatives_requires}
+# Postun requires alternatives to uninstall tool alternatives
+Requires(postun): %{alternatives_requires}
+# for optional support of kernel stream control, card reader and printing bindings
+%if 0%{?rhel} >= 8
+Suggests: lksctp-tools%{?_isa}, pcsc-lite-devel%{?_isa}
+%endif
+
+# Standard JPackage base provides
+Provides: jre-%{javaver}-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release}
+Provides: jre-%{javaver}-headless%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-headless%{?1} = %{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release}
+Provides: jre-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release}
+Provides: jre-headless%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-headless%{?1} = %{epoch}:%{version}-%{release}
+%endif
+}
+
+%define java_devel_rpo() %{expand:
+# Requires base package
+Requires: %{name}%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+# Post requires alternatives to install tool alternatives
+Requires(post): %{alternatives_requires}
+# Postun requires alternatives to uninstall tool alternatives
+Requires(postun): %{alternatives_requires}
+
+# Standard JPackage devel provides
+Provides: java-sdk-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-sdk-%{javaver}%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-devel%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-%{origin}-devel%{?1} = %{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-devel-%{origin}%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-sdk-%{origin}%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-devel%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-sdk%{?1} = %{epoch}:%{version}-%{release}
+%endif
+}
+
+%define java_static_libs_rpo() %{expand:
+Requires: %{name}-devel%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+}
+
+%define java_jmods_rpo() %{expand:
+# Requires devel package
+# as jmods are bytecode, they should be OK without any _isa
+Requires: %{name}-devel%{?1} = %{epoch}:%{version}-%{release}
+OrderWithRequires: %{name}-headless%{?1} = %{epoch}:%{version}-%{release}
+
+Provides: java-%{javaver}-jmods%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-%{origin}-jmods%{?1} = %{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-jmods%{?1} = %{epoch}:%{version}-%{release}
+%endif
+}
+
+%define java_demo_rpo() %{expand:
+Requires: %{name}%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+
+Provides: java-%{javaver}-demo%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-%{origin}-demo%{?1} = %{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-demo%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{origin}-demo%{?1} = %{epoch}:%{version}-%{release}
+%endif
+}
+
+%define java_javadoc_rpo() %{expand:
+OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+# Post requires alternatives to install javadoc alternative
+Requires(post): %{alternatives_requires}
+# Postun requires alternatives to uninstall javadoc alternative
+Requires(postun): %{alternatives_requires}
+
+# Standard JPackage javadoc provides
+Provides: java-%{javaver}-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-%{origin}-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release}
+%endif
+}
+
+%define java_src_rpo() %{expand:
+Requires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
+
+# Standard JPackage sources provides
+Provides: java-%{javaver}-src%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{javaver}-%{origin}-src%{?1} = %{epoch}:%{version}-%{release}
+%if %is_system_jdk
+Provides: java-src%{?1} = %{epoch}:%{version}-%{release}
+Provides: java-%{origin}-src%{?1} = %{epoch}:%{version}-%{release}
+%endif
+}
+
+# Prevent brp-java-repack-jars from being run
+%global __jar_repack 0
+
+Name: java-%{javaver}-%{origin}
+Version: %{newjavaver}.%{buildver}
+Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist}
+# java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons
+# and this change was brought into RHEL-4. java-1.5.0-ibm packages
+# also included the epoch in their virtual provides. This created a
+# situation where in-the-wild java-1.5.0-ibm packages provided "java =
+# 1:1.5.0". In RPM terms, "1.6.0 < 1:1.5.0" since 1.6.0 is
+# interpreted as 0:1.6.0. So the "java >= 1.6.0" requirement would be
+# satisfied by the 1:1.5.0 packages. Thus we need to set the epoch in
+# JDK package >= 1.6.0 to 1, and packages referring to JDK virtual
+# provides >= 1.6.0 must specify the epoch, "java >= 1:1.6.0".
+
+Epoch: 1
+Summary: %{origin_nice} %{featurever} Runtime Environment
+%if 0%{?rhel} <= 8
+Group: Development/Languages
+%endif
+
+# HotSpot code is licensed under GPLv2
+# JDK library code is licensed under GPLv2 with the Classpath exception
+# The Apache license is used in code taken from Apache projects (primarily xalan & xerces)
+# DOM levels 2 & 3 and the XML digital signature schemas are licensed under the W3C Software License
+# The JSR166 concurrency code is in the public domain
+# The BSD and MIT licenses are used for a number of third-party libraries (see ADDITIONAL_LICENSE_INFO)
+# The OpenJDK source tree includes:
+# - JPEG library (IJG), zlib & libpng (zlib), giflib (MIT), harfbuzz (ISC),
+# - freetype (FTL), jline (BSD) and LCMS (MIT)
+# - jquery (MIT), jdk.crypto.cryptoki PKCS 11 wrapper (RSA)
+# - public_suffix_list.dat from publicsuffix.org (MPLv2.0)
+# The test code includes copies of NSS under the Mozilla Public License v2.0
+# The PCSClite headers are under a BSD with advertising license
+# The elliptic curve cryptography (ECC) source code is licensed under the LGPLv2.1 or any later version
+License: ASL 1.1 and ASL 2.0 and BSD and BSD with advertising and GPL+ and GPLv2 and GPLv2 with exceptions and IJG and LGPLv2+ and MIT and MPLv2.0 and Public Domain and W3C and zlib and ISC and FTL and RSA
+URL: http://openjdk.java.net/
+
+
+# to regenerate source0 (jdk) run update_package.sh
+# update_package.sh contains hard-coded repos, revisions, tags, and projects to regenerate the source archives
+Source0: jdk-updates-jdk%{featurever}u-jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}-4curve.tar.xz
+
+# Use 'icedtea_sync.sh' to update the following
+# They are based on code contained in the IcedTea project (6.x).
+# Systemtap tapsets. Zipped up to keep it small.
+Source8: tapsets-icedtea-%{icedteaver}.tar.xz
+
+# Desktop files. Adapted from IcedTea
+Source9: jconsole.desktop.in
+
+# Release notes
+Source10: NEWS
+
+# nss configuration file
+Source11: nss.cfg.in
+
+# Removed libraries that we link instead
+Source12: remove-intree-libraries.sh
+
+# Ensure we aren't using the limited crypto policy
+Source13: TestCryptoLevel.java
+
+# Ensure ECDSA is working
+Source14: TestECDSA.java
+
+# Verify system crypto (policy) can be disabled via a property
+Source15: TestSecurityProperties.java
+
+# Ensure vendor settings are correct
+Source16: CheckVendor.java
+
+# nss fips configuration file
+Source17: nss.fips.cfg.in
+
+############################################
+#
+# RPM/distribution specific patches
+#
+############################################
+
+# Ignore AWTError when assistive technologies are loaded
+Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
+# Restrict access to java-atk-wrapper classes
+Patch2: rh1648644-java_access_bridge_privileged_security.patch
+# NSS via SunPKCS11 Provider (disabled due to memory leak).
+Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
+# RH1750419: enable build of speculative store bypass hardened alt-java (CVE-2018-3639)
+Patch600: rh1750419-redhat_alt_java.patch
+# RH1582504: Use RSA as default for keytool, as DSA is disabled in all crypto policies except LEGACY
+Patch1003: rh1842572-rsa_default_for_keytool.patch
+
+# FIPS support patches
+# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider
+Patch1001: rh1655466-global_crypto_and_fips.patch
+# RH1818909: No ciphersuites availale for SSLSocket in FIPS mode
+Patch1002: rh1818909-fips_default_keystore_type.patch
+# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available
+Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch
+# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess
+Patch1007: rh1915071-always_initialise_configurator_access.patch
+# RH1929465: Improve system FIPS detection
+Patch1008: rh1929465-improve_system_FIPS_detection.patch
+# RH1996182: Login to the NSS software token in FIPS mode
+Patch1009: rh1996182-login_to_nss_software_token.patch
+# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false
+Patch1011: rh1991003-enable_fips_keys_import.patch
+# RH2021263: Resolve outstanding FIPS issues
+Patch1014: rh2021263-fips_ensure_security_initialised.patch
+Patch1015: rh2021263-fips_missing_native_returns.patch
+# RH2052819: Fix FIPS reliance on crypto policies
+Patch1016: rh2021263-fips_separate_policy_and_fips_init.patch
+# RH2052829: Detect NSS at Runtime for FIPS detection
+Patch1017: rh2052829-fips_runtime_nss_detection.patch
+
+#############################################
+#
+# Shenandoah specific patches
+#
+#############################################
+
+# Currently empty
+
+#############################################
+#
+# Upstreamable patches
+#
+# This section includes patches which need to
+# be reviewed & pushed to the current development
+# tree of OpenJDK.
+#############################################
+
+Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
+# PR3694, RH1340845: Add security.useSystemPropertiesFile option to java.security to use system crypto policy
+Patch4: pr3694-rh1340845-support_fedora_rhel_system_crypto_policy.patch
+# PR3695: Allow use of system crypto policy to be disabled by the user
+Patch7: pr3695-toggle_system_crypto_policy.patch
+# JDK-8275535, RH2053256: Retrying a failed authentication on multiple LDAP servers can lead to users blocked
+Patch8: jdk8275535-rh2053256-ldap_auth.patch
+
+#############################################
+#
+# Backportable patches
+#
+# This section includes patches which are
+# present in the current development tree, but
+# need to be reviewed & pushed to the appropriate
+# updates tree of OpenJDK.
+#############################################
+# JDK-8257794: Zero: assert(istate->_stack_limit == istate->_thread->last_Java_sp() + 1) failed: wrong on Linux/x86_32
+Patch101: jdk8257794-remove_broken_assert.patch
+
+#############################################
+#
+# Patches appearing in 11.0.13
+#
+# This section includes patches which are present
+# in the listed OpenJDK 11u release and should be
+# able to be removed once that release is out
+# and used by this RPM.
+#############################################
+
+BuildRequires: autoconf
+BuildRequires: automake
+BuildRequires: alsa-lib-devel
+BuildRequires: binutils
+BuildRequires: cups-devel
+BuildRequires: desktop-file-utils
+# elfutils only are OK for build without AOT
+BuildRequires: elfutils-devel
+BuildRequires: fontconfig-devel
+BuildRequires: freetype-devel
+BuildRequires: giflib-devel
+BuildRequires: gcc-c++
+BuildRequires: gdb
+BuildRequires: harfbuzz-devel
+BuildRequires: lcms2-devel
+BuildRequires: libjpeg-devel
+BuildRequires: libpng-devel
+BuildRequires: libxslt
+BuildRequires: libX11-devel
+BuildRequires: libXi-devel
+BuildRequires: libXinerama-devel
+BuildRequires: libXrandr-devel
+BuildRequires: libXrender-devel
+BuildRequires: libXt-devel
+BuildRequires: libXtst-devel
+# Requirement for setting up nss.cfg and nss.fips.cfg
+BuildRequires: nss-devel
+BuildRequires: pkgconfig
+BuildRequires: xorg-x11-proto-devel
+BuildRequires: zip
+BuildRequires: unzip
+BuildRequires: javapackages-filesystem
+BuildRequires: java-%{buildjdkver}-openjdk-devel
+# Zero-assembler build requirement
+%ifarch %{zero_arches}
+BuildRequires: libffi-devel
+%endif
+# 2021e required as of JDK-8275766 in January 2022 CPU
+BuildRequires: tzdata-java >= 2021e
+# Earlier versions have a bug in tree vectorization on PPC
+BuildRequires: gcc >= 4.8.3-8
+
+%if %{with_systemtap}
+BuildRequires: systemtap-sdt-devel
+%endif
+BuildRequires: make
+
+# this is always built, also during debug-only build
+# when it is built in debug-only this package is just placeholder
+%{java_rpo %{nil}}
+
+%description
+The %{origin_nice} %{featurever} runtime environment.
+
+%if %{include_debug_build}
+%package slowdebug
+Summary: %{origin_nice} %{featurever} Runtime Environment %{debug_on}
+%if 0%{?rhel} <= 8
+Group: Development/Languages
+%endif
+
+%{java_rpo -- %{debug_suffix_unquoted}}
+%description slowdebug
+The %{origin_nice} %{featurever} runtime environment.
+%{debug_warning}
+%endif
+
+%if %{include_fastdebug_build}
+%package fastdebug
+Summary: %{origin_nice} %{featurever} Runtime Environment %{fastdebug_on}
+%if 0%{?rhel} <= 8
+Group: Development/Languages
+%endif
+
+%{java_rpo -- %{fastdebug_suffix_unquoted}}
+%description fastdebug
+The %{origin_nice} %{featurever} runtime environment.
+%{fastdebug_warning}
+%endif
+
+%if %{include_normal_build}
+%package headless
+Summary: %{origin_nice} %{featurever} Headless Runtime Environment
+%if 0%{?rhel} <= 8
+Group: Development/Languages
+%endif
+
+%{java_headless_rpo %{nil}}
+
+%description headless
+The %{origin_nice} %{featurever} runtime environment without audio and video support.
+%endif
+
+%if %{include_debug_build}
+%package headless-slowdebug
+Summary: %{origin_nice} %{featurever} Runtime Environment %{debug_on}
+Group: Development/Languages
+
+%{java_headless_rpo -- %{debug_suffix_unquoted}}
+
+%description headless-slowdebug
+The %{origin_nice} %{featurever} runtime environment without audio and video support.
+%{debug_warning}
+%endif
+
+%if %{include_fastdebug_build}
+%package headless-fastdebug
+Summary: %{origin_nice} %{featurever} Runtime Environment %{fastdebug_on}
+Group: Development/Languages
+
+%{java_headless_rpo -- %{fastdebug_suffix_unquoted}}
+
+%description headless-fastdebug
+The %{origin_nice} %{featurever} runtime environment without audio and video support.
+%{fastdebug_warning}
+%endif
+
+%if %{include_normal_build}
+%package devel
+Summary: %{origin_nice} %{featurever} Development Environment
+%if 0%{?rhel} <= 8
+Group: Development/Languages
+%endif
+
+%{java_devel_rpo %{nil}}
+
+%description devel
+The %{origin_nice} %{featurever} development tools.
+%endif
+
+%if %{include_debug_build}
+%package devel-slowdebug
+Summary: %{origin_nice} %{featurever} Development Environment %{debug_on}
+%if 0%{?rhel} <= 8
+Group: Development/Languages
+%endif
+
+%{java_devel_rpo -- %{debug_suffix_unquoted}}
+
+%description devel-slowdebug
+The %{origin_nice} %{featurever} development tools.
+%{debug_warning}
+%endif
+
+%if %{include_fastdebug_build}
+%package devel-fastdebug
+Summary: %{origin_nice} %{featurever} Development Environment %{fastdebug_on}
+Group: Development/Tools
+
+%{java_devel_rpo -- %{fastdebug_suffix_unquoted}}
+
+%description devel-fastdebug
+The %{origin_nice} %{featurever} development tools.
+%{fastdebug_warning}
+%endif
+
+%if %{include_staticlibs}
+
+%if %{include_normal_build}
+%package static-libs
+Summary: %{origin_nice} %{featurever} libraries for static linking
+
+%{java_static_libs_rpo %{nil}}
+
+%description static-libs
+The %{origin_nice} %{featurever} libraries for static linking.
+%endif
+
+%if %{include_debug_build}
+%package static-libs-slowdebug
+Summary: %{origin_nice} %{featurever} libraries for static linking %{debug_on}
+
+%{java_static_libs_rpo -- %{debug_suffix_unquoted}}
+
+%description static-libs-slowdebug
+The %{origin_nice} %{featurever} libraries for static linking.
+%{debug_warning}
+%endif
+
+%if %{include_fastdebug_build}
+%package static-libs-fastdebug
+Summary: %{origin_nice} %{featurever} libraries for static linking %{fastdebug_on}
+
+%{java_static_libs_rpo -- %{fastdebug_suffix_unquoted}}
+
+%description static-libs-fastdebug
+The %{origin_nice} %{featurever} libraries for static linking.
+%{fastdebug_warning}
+%endif
+
+# staticlibs
+%endif
+
+%if %{include_normal_build}
+%package jmods
+Summary: JMods for %{origin_nice} %{featurever}
+%if 0%{?rhel} <= 8
+Group: Development/Languages
+%endif
+
+%{java_jmods_rpo %{nil}}
+
+%description jmods
+The JMods for %{origin_nice} %{featurever}.
+%endif
+
+%if %{include_debug_build}
+%package jmods-slowdebug
+Summary: JMods for %{origin_nice} %{featurever} %{debug_on}
+%if 0%{?rhel} <= 8
+Group: Development/Languages
+%endif
+
+%{java_jmods_rpo -- %{debug_suffix_unquoted}}
+
+%description jmods-slowdebug
+The JMods for %{origin_nice} %{featurever}.
+%{debug_warning}
+%endif
+
+%if %{include_fastdebug_build}
+%package jmods-fastdebug
+Summary: JMods for %{origin_nice} %{featurever} %{fastdebug_on}
+Group: Development/Tools
+
+%{java_jmods_rpo -- %{fastdebug_suffix_unquoted}}
+
+%description jmods-fastdebug
+The JMods for %{origin_nice} %{featurever}.
+%{fastdebug_warning}
+%endif
+
+%if %{include_normal_build}
+%package demo
+Summary: %{origin_nice} %{featurever} Demos
+%if 0%{?rhel} <= 8
+Group: Development/Languages
+%endif
+
+%{java_demo_rpo %{nil}}
+
+%description demo
+The %{origin_nice} %{featurever} demos.
+%endif
+
+%if %{include_debug_build}
+%package demo-slowdebug
+Summary: %{origin_nice} %{featurever} Demos %{debug_on}
+%if 0%{?rhel} <= 8
+Group: Development/Languages
+%endif
+
+%{java_demo_rpo -- %{debug_suffix_unquoted}}
+
+%description demo-slowdebug
+The %{origin_nice} %{featurever} demos.
+%{debug_warning}
+%endif
+
+%if %{include_fastdebug_build}
+%package demo-fastdebug
+Summary: %{origin_nice} %{featurever} Demos %{fastdebug_on}
+Group: Development/Languages
+
+%{java_demo_rpo -- %{fastdebug_suffix_unquoted}}
+
+%description demo-fastdebug
+The %{origin_nice} %{featurever} demos.
+%{fastdebug_warning}
+%endif
+
+%if %{include_normal_build}
+%package src
+Summary: %{origin_nice} %{featurever} Source Bundle
+%if 0%{?rhel} <= 8
+Group: Development/Languages
+%endif
+
+%{java_src_rpo %{nil}}
+
+%description src
+The %{compatiblename}-src sub-package contains the complete %{origin_nice} %{featurever}
+class library source code for use by IDE indexers and debuggers.
+%endif
+
+%if %{include_debug_build}
+%package src-slowdebug
+Summary: %{origin_nice} %{featurever} Source Bundle %{for_debug}
+%if 0%{?rhel} <= 8
+Group: Development/Languages
+%endif
+
+%{java_src_rpo -- %{debug_suffix_unquoted}}
+
+%description src-slowdebug
+The %{compatiblename}-src-slowdebug sub-package contains the complete %{origin_nice} %{featurever}
+ class library source code for use by IDE indexers and debuggers, %{for_debug}.
+%endif
+
+%if %{include_fastdebug_build}
+%package src-fastdebug
+Summary: %{origin_nice} %{featurever} Source Bundle %{for_fastdebug}
+Group: Development/Languages
+
+%{java_src_rpo -- %{fastdebug_suffix_unquoted}}
+
+%description src-fastdebug
+The %{compatiblename}-src-fastdebug sub-package contains the complete %{origin_nice} %{featurever}
+ class library source code for use by IDE indexers and debuggers, %{for_fastdebug}.
+%endif
+
+%if %{include_normal_build}
+%package javadoc
+Summary: %{origin_nice} %{featurever} API documentation
+%if 0%{?rhel} <= 8
+Group: Documentation
+%endif
+Requires: javapackages-filesystem
+Obsoletes: javadoc-slowdebug < 1:11.0.3.7-4
+
+%{java_javadoc_rpo -- %{nil} %{nil}}
+
+%description javadoc
+The %{origin_nice} %{featurever} API documentation.
+
+%package javadoc-zip
+Summary: %{origin_nice} %{featurever} API documentation compressed in a single archive
+%if 0%{?rhel} <= 8
+Group: Documentation
+%endif
+Requires: javapackages-filesystem
+Obsoletes: javadoc-zip-slowdebug < 1:11.0.3.7-4
+
+%{java_javadoc_rpo -- %{nil} -zip}
+%{java_javadoc_rpo -- %{nil} %{nil}}
+
+%description javadoc-zip
+The %{origin_nice} %{featurever} API documentation compressed in a single archive.
+%endif
+
+%prep
+
+# Using the echo macro breaks rpmdev-bumpspec, as it parses the first line of stdout :-(
+%if 0%{?stapinstall:1}
+ echo "CPU: %{_target_cpu}, arch install directory: %{archinstall}, SystemTap install directory: %{stapinstall}"
+%else
+ %{error:Unrecognised architecture %{_target_cpu}}
+%endif
+
+if [ %{include_normal_build} -eq 0 -o %{include_normal_build} -eq 1 ] ; then
+ echo "include_normal_build is %{include_normal_build}"
+else
+ echo "include_normal_build is %{include_normal_build}, that is invalid. Use 1 for yes or 0 for no"
+ exit 11
+fi
+if [ %{include_debug_build} -eq 0 -o %{include_debug_build} -eq 1 ] ; then
+ echo "include_debug_build is %{include_debug_build}"
+else
+ echo "include_debug_build is %{include_debug_build}, that is invalid. Use 1 for yes or 0 for no"
+ exit 12
+fi
+if [ %{include_fastdebug_build} -eq 0 -o %{include_fastdebug_build} -eq 1 ] ; then
+ echo "include_fastdebug_build is %{include_fastdebug_build}"
+else
+ echo "include_fastdebug_build is %{include_fastdebug_build}, that is invalid. Use 1 for yes or 0 for no"
+ exit 13
+fi
+if [ %{include_debug_build} -eq 0 -a %{include_normal_build} -eq 0 -a %{include_fastdebug_build} -eq 0 ] ; then
+ echo "You have disabled all builds (normal,fastdebug,slowdebug). That is a no go."
+ exit 14
+fi
+%setup -q -c -n %{uniquesuffix ""} -T -a 0
+# https://bugzilla.redhat.com/show_bug.cgi?id=1189084
+prioritylength=`expr length %{priority}`
+if [ $prioritylength -ne 8 ] ; then
+ echo "priority must be 8 digits in total, violated"
+ exit 14
+fi
+
+# OpenJDK patches
+# Remove libraries that are linked by both static and dynamic builds
+sh %{SOURCE12} %{top_level_dir_name}
+
+# Patch the JDK
+pushd %{top_level_dir_name}
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch7 -p1
+popd # openjdk
+
+%patch101
+
+%patch1000
+%patch600
+%patch1001
+%patch1002
+%patch1003
+%patch1004
+%patch1007
+%patch1008
+%patch1009
+%patch1011
+%patch1014
+%patch1015
+%patch1016
+%patch1017
+
+%patch8
+
+# Extract systemtap tapsets
+%if %{with_systemtap}
+tar --strip-components=1 -x -I xz -f %{SOURCE8}
+%if %{include_debug_build}
+cp -r tapset tapset%{debug_suffix}
+%endif
+%if %{include_fastdebug_build}
+cp -r tapset tapset%{fastdebug_suffix}
+%endif
+
+for suffix in %{build_loop} ; do
+ for file in "tapset"$suffix/*.in; do
+ OUTPUT_FILE=`echo $file | sed -e "s:\.stp\.in$:-%{version}-%{release}.%{_arch}.stp:g"`
+ sed -e "s:@ABS_SERVER_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/server/libjvm.so:g" $file > $file.1
+ sed -e "s:@JAVA_SPEC_VER@:%{javaver}:g" $file.1 > $file.2
+# TODO find out which architectures other than i686 have a client vm
+%ifarch %{ix86}
+ sed -e "s:@ABS_CLIENT_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/client/libjvm.so:g" $file.2 > $OUTPUT_FILE
+%else
+ sed -e "/@ABS_CLIENT_LIBJVM_SO@/d" $file.2 > $OUTPUT_FILE
+%endif
+ sed -i -e "s:@ABS_JAVA_HOME_DIR@:%{_jvmdir}/%{sdkdir -- $suffix}:g" $OUTPUT_FILE
+ sed -i -e "s:@INSTALL_ARCH_DIR@:%{archinstall}:g" $OUTPUT_FILE
+ sed -i -e "s:@prefix@:%{_jvmdir}/%{sdkdir -- $suffix}/:g" $OUTPUT_FILE
+ done
+done
+# systemtap tapsets ends
+%endif
+
+# Prepare desktop files
+# The _X_ syntax indicates variables that are replaced by make upstream
+# The @X@ syntax indicates variables that are replaced by configure upstream
+for suffix in %{build_loop} ; do
+for file in %{SOURCE9}; do
+ FILE=`basename $file | sed -e s:\.in$::g`
+ EXT="${FILE##*.}"
+ NAME="${FILE%.*}"
+ OUTPUT_FILE=$NAME$suffix.$EXT
+ sed -e "s:_SDKBINDIR_:%{sdkbindir -- $suffix}:g" $file > $OUTPUT_FILE
+ sed -i -e "s:@target_cpu@:%{_arch}:g" $OUTPUT_FILE
+ sed -i -e "s:@OPENJDK_VER@:%{version}-%{release}.%{_arch}$suffix:g" $OUTPUT_FILE
+ sed -i -e "s:@JAVA_VER@:%{javaver}:g" $OUTPUT_FILE
+ sed -i -e "s:@JAVA_VENDOR@:%{origin}:g" $OUTPUT_FILE
+done
+done
+
+# Setup nss.cfg
+sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
+
+# Setup nss.fips.cfg
+sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
+
+%build
+# How many CPU's do we have?
+export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :)
+export NUM_PROC=${NUM_PROC:-1}
+%if 0%{?_smp_ncpus_max}
+# Honor %%_smp_ncpus_max
+[ ${NUM_PROC} -gt %{?_smp_ncpus_max} ] && export NUM_PROC=%{?_smp_ncpus_max}
+%endif
+
+%ifarch s390x sparc64 alpha %{power64} %{aarch64}
+export ARCH_DATA_MODEL=64
+%endif
+%ifarch alpha
+export CFLAGS="$CFLAGS -mieee"
+%endif
+
+# We use ourcppflags because the OpenJDK build seems to
+# pass EXTRA_CFLAGS to the HotSpot C++ compiler...
+EXTRA_CFLAGS="%ourcppflags -Wno-error"
+EXTRA_CPP_FLAGS="%ourcppflags"
+
+%ifarch %{power64} ppc
+# fix rpmlint warnings
+EXTRA_CFLAGS="$EXTRA_CFLAGS -fno-strict-aliasing"
+%endif
+%ifarch %{ix86}
+# Align stack boundary on x86_32
+EXTRA_CFLAGS="$(echo ${EXTRA_CFLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')"
+EXTRA_CPP_FLAGS="$(echo ${EXTRA_CPP_FLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')"
+%endif
+# Fixes annocheck warnings in assembler files due to missing build notes
+EXTRA_ASFLAGS="${EXTRA_CFLAGS} -Wa,--generate-missing-build-notes=yes"
+export EXTRA_CFLAGS EXTRA_CPP_FLAGS EXTRA_ASFLAGS
+
+function buildjdk() {
+ local outputdir=${1}
+ local buildjdk=${2}
+ local maketargets="${3}"
+ local debuglevel=${4}
+ local link_opt=${5}
+
+ local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name}
+ local top_dir_abs_build_path=$(pwd)/${outputdir}
+
+ echo "Using output directory: ${outputdir}";
+ echo "Checking build JDK ${buildjdk} is operational..."
+ ${buildjdk}/bin/java -version
+ echo "Using make targets: ${maketargets}"
+ echo "Using debuglevel: ${debuglevel}"
+ echo "Using link_opt: ${link_opt}"
+ echo "Building %{newjavaver}-%{buildver}, pre=%{ea_designator}, opt=%{lts_designator}"
+
+ mkdir -p ${outputdir}
+ pushd ${outputdir}
+
+ bash ${top_dir_abs_src_path}/configure \
+%ifarch %{zero_arches}
+ --with-jvm-variants=zero \
+%endif
+%ifarch %{ppc64le}
+ --with-jobs=1 \
+%endif
+ --with-version-build=%{buildver} \
+ --with-version-pre="%{ea_designator}" \
+ --with-version-opt=%{lts_designator} \
+ --with-vendor-version-string="%{vendor_version_string}" \
+ --with-vendor-name="%{oj_vendor}" \
+ --with-vendor-url="%{oj_vendor_url}" \
+ --with-vendor-bug-url="%{oj_vendor_bug_url}" \
+ --with-vendor-vm-bug-url="%{oj_vendor_bug_url}" \
+ --with-boot-jdk=${buildjdk} \
+ --with-debug-level=${debuglevel} \
+ --with-native-debug-symbols="%{debug_symbols}" \
+ --disable-sysconf-nss \
+ --enable-unlimited-crypto \
+ --with-zlib=system \
+ --with-libjpeg=${link_opt} \
+ --with-giflib=${link_opt} \
+ --with-libpng=${link_opt} \
+ --with-lcms=${link_opt} \
+ --with-harfbuzz=${link_opt} \
+ --with-stdc++lib=dynamic \
+ --with-extra-cxxflags="$EXTRA_CPP_FLAGS" \
+ --with-extra-cflags="$EXTRA_CFLAGS" \
+ --with-extra-asflags="$EXTRA_ASFLAGS" \
+ --with-extra-ldflags="%{ourldflags}" \
+ --with-num-cores="$NUM_PROC" \
+ --disable-javac-server \
+ --with-jvm-features="%{shenandoah_feature},%{zgc_feature}" \
+ --disable-warnings-as-errors
+
+ cat spec.gmk
+
+ make \
+ JAVAC_FLAGS=-g \
+ LOG=trace \
+ WARNINGS_ARE_ERRORS="-Wno-error" \
+ CFLAGS_WARNINGS_ARE_ERRORS="-Wno-error" \
+ $maketargets || ( pwd; find ${top_dir_abs_src_path} ${top_dir_abs_build_path} -name "hs_err_pid*.log" | xargs cat && false )
+
+ popd
+}
+
+function installjdk() {
+ local outputdir=${1}
+ local installdir=${2}
+ local imagepath=${installdir}/images/%{jdkimage}
+
+ echo "Installing build from ${outputdir} to ${installdir}..."
+ mkdir -p ${installdir}
+ echo "Installing images..."
+ mv ${outputdir}/images ${installdir}
+ if [ -d ${outputdir}/bundles ] ; then
+ echo "Installing bundles...";
+ mv ${outputdir}/bundles ${installdir} ;
+ fi
+ if [ -d ${outputdir}/docs ] ; then
+ echo "Installing docs...";
+ mv ${outputdir}/docs ${installdir} ;
+ fi
+
+%if !%{with artifacts}
+ echo "Removing output directory...";
+ rm -rf ${outputdir}
+%endif
+
+ if [ -d ${imagepath} ] ; then
+ # the build (erroneously) removes read permissions from some jars
+ # this is a regression in OpenJDK 7 (our compiler):
+ # http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437
+ find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \;
+
+ # Build screws up permissions on binaries
+ # https://bugs.openjdk.java.net/browse/JDK-8173610
+ find ${imagepath} -iname '*.so' -exec chmod +x {} \;
+ find ${imagepath}/bin/ -exec chmod +x {} \;
+
+ # Install nss.cfg right away as we will be using the JRE above
+ install -m 644 nss.cfg ${imagepath}/conf/security/
+
+ # Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
+ install -m 644 nss.fips.cfg ${imagepath}/conf/security/
+
+ # Use system-wide tzdata
+ rm ${imagepath}/lib/tzdb.dat
+ ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat
+
+ # Create fake alt-java as a placeholder for future alt-java
+ pushd ${imagepath}
+ # add alt-java man page
+ echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1
+ cat man/man1/java.1 >> man/man1/%{alt_java_name}.1
+ popd
+ fi
+}
+
+%if %{build_hotspot_first}
+ # Build a fresh libjvm.so first and use it to bootstrap
+ cp -LR --preserve=mode,timestamps %{bootjdk} newboot
+ systemjdk=$(pwd)/newboot
+ buildjdk build/newboot ${systemjdk} %{hotspot_target} "release" "bundled"
+ mv build/newboot/jdk/lib/server/libjvm.so newboot/lib/server
+%else
+ systemjdk=%{bootjdk}
+%endif
+
+for suffix in %{build_loop} ; do
+
+ if [ "x$suffix" = "x" ] ; then
+ debugbuild=release
+ else
+ # change --something to something
+ debugbuild=`echo $suffix | sed "s/-//g"`
+ fi
+
+
+ for loop in %{main_suffix} %{staticlibs_loop} ; do
+
+ builddir=%{buildoutputdir -- ${suffix}${loop}}
+ bootbuilddir=boot${builddir}
+ installdir=%{installoutputdir -- ${suffix}${loop}}
+ bootinstalldir=boot${installdir}
+
+ if test "x${loop}" = "x%{main_suffix}" ; then
+ # Copy the source tree so we can remove all in-tree libraries
+ cp -a %{top_level_dir_name} %{top_level_dir_name_backup}
+ # Remove all libraries that are linked
+ sh %{SOURCE12} %{top_level_dir_name} full
+ # Use system libraries
+ link_opt="system"
+ # Debug builds don't need same targets as release for
+ # build speed-up. We also avoid bootstrapping these
+ # slower builds.
+ if echo $debugbuild | grep -q "debug" ; then
+ maketargets="%{debug_targets}"
+ run_bootstrap=false
+ else
+ maketargets="%{release_targets}"
+ run_bootstrap=%{bootstrap_build}
+ fi
+ if ${run_bootstrap} ; then
+ buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} ${link_opt}
+ installjdk ${bootbuilddir} ${bootinstalldir}
+ buildjdk ${builddir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt}
+ installjdk ${builddir} ${installdir}
+ %{!?with_artifacts:rm -rf ${bootinstalldir}}
+ else
+ buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt}
+ installjdk ${builddir} ${installdir}
+ fi
+ # Restore original source tree we modified by removing full in-tree sources
+ rm -rf %{top_level_dir_name}
+ mv %{top_level_dir_name_backup} %{top_level_dir_name}
+ else
+ # Use bundled libraries for building statically
+ link_opt="bundled"
+ # Static library cycle only builds the static libraries
+ maketargets="%{static_libs_target}"
+ # Always just do the one build for the static libraries
+ buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt}
+ installjdk ${builddir} ${installdir}
+ fi
+
+ done # end of main / staticlibs loop
+
+# build cycles
+done # end of release / debug cycle loop
+
+%check
+
+# We test debug first as it will give better diagnostics on a crash
+for suffix in %{build_loop} ; do
+
+top_dir_abs_main_build_path=$(pwd)/%{installoutputdir -- ${suffix}%{main_suffix}}
+%if %{include_staticlibs}
+top_dir_abs_staticlibs_build_path=$(pwd)/%{installoutputdir -- ${suffix}%{staticlibs_loop}}
+%endif
+
+export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage}
+
+#check Shenandoah is enabled
+%if %{use_shenandoah_hotspot}
+$JAVA_HOME//bin/java -XX:+UseShenandoahGC -version
+%endif
+
+# Check unlimited policy has been used
+$JAVA_HOME/bin/javac -d . %{SOURCE13}
+$JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLevel
+
+# Check ECC is working
+$JAVA_HOME/bin/javac -d . %{SOURCE14}
+$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||")
+
+# Check system crypto (policy) can be disabled
+$JAVA_HOME/bin/javac -d . %{SOURCE15}
+$JAVA_HOME/bin/java -Djava.security.disableSystemPropertiesFile=true $(echo $(basename %{SOURCE15})|sed "s|\.java||")
+
+# Check correct vendor values have been set
+$JAVA_HOME/bin/javac -d . %{SOURCE16}
+$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}"
+
+# Check java launcher has no SSB mitigation
+if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi
+
+# Check alt-java launcher has SSB mitigation on supported architectures
+%ifarch %{ssbd_arches}
+nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation
+%else
+if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi
+%endif
+
+%if %{include_staticlibs}
+# Check debug symbols in static libraries (smoke test)
+export STATIC_LIBS_HOME=${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image}
+readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep w_remainder.c
+readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep e_remainder.c
+%endif
+
+so_suffix="so"
+# Check debug symbols are present and can identify code
+find "$JAVA_HOME" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib
+do
+ if [ -f "$lib" ] ; then
+ echo "Testing $lib for debug symbols"
+ # All these tests rely on RPM failing the build if the exit code of any set
+ # of piped commands is non-zero.
+
+ # Test for .debug_* sections in the shared object. This is the main test
+ # Stripped objects will not contain these
+ eu-readelf -S "$lib" | grep "] .debug_"
+ test $(eu-readelf -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2
+
+ # Test FILE symbols. These will most likely be removed by anything that
+ # manipulates symbol tables because it's generally useless. So a nice test
+ # that nothing has messed with symbols
+ old_IFS="$IFS"
+ IFS=$'\n'
+ for line in $(eu-readelf -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT")
+ do
+ # We expect to see .cpp files, except for architectures like aarch64 and
+ # s390 where we expect .o and .oS files
+ echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|oS))?$"
+ done
+ IFS="$old_IFS"
+
+ # If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking
+ if [ "`basename $lib`" = "libjvm.so" ]; then
+ eu-readelf -s "$lib" | \
+ grep -E "00000000 0 FILE LOCAL DEFAULT ABS javaCalls.(cpp|o)$"
+ fi
+
+ # Test that there are no .gnu_debuglink sections pointing to another
+ # debuginfo file. There shouldn't be any debuginfo files, so the link makes
+ # no sense either
+ eu-readelf -S "$lib" | grep 'gnu'
+ if eu-readelf -S "$lib" | grep '] .gnu_debuglink' | grep PROGBITS; then
+ echo "bad .gnu_debuglink section."
+ eu-readelf -x .gnu_debuglink "$lib"
+ false
+ fi
+ fi
+done
+
+# Make sure gdb can do a backtrace based on line numbers on libjvm.so
+# javaCalls.cpp:58 should map to:
+# http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/vm/runtime/javaCalls.cpp#l58
+# Using line number 1 might cause build problems. See:
+# https://bugzilla.redhat.com/show_bug.cgi?id=1539664
+# https://bugzilla.redhat.com/show_bug.cgi?id=1538767
+gdb -q "$JAVA_HOME/bin/java" <
+-- see https://bugzilla.redhat.com/show_bug.cgi?id=1038092 for whole issue
+-- see https://bugzilla.redhat.com/show_bug.cgi?id=1290388 for pretrans over pre
+-- if copy-jdk-configs is in transaction, it installs in pretrans to temp
+-- if copy_jdk_configs is in temp, then it means that copy-jdk-configs is in transaction and so is
+-- preferred over one in %%{_libexecdir}. If it is not in transaction, then depends
+-- whether copy-jdk-configs is installed or not. If so, then configs are copied
+-- (copy_jdk_configs from %%{_libexecdir} used) or not copied at all
+local posix = require "posix"
+local debug = false
+
+SOURCE1 = "%{rpm_state_dir}/copy_jdk_configs.lua"
+SOURCE2 = "%{_libexecdir}/copy_jdk_configs.lua"
+
+local stat1 = posix.stat(SOURCE1, "type");
+local stat2 = posix.stat(SOURCE2, "type");
+
+ if (stat1 ~= nil) then
+ if (debug) then
+ print(SOURCE1 .." exists - copy-jdk-configs in transaction, using this one.")
+ end;
+ package.path = package.path .. ";" .. SOURCE1
+else
+ if (stat2 ~= nil) then
+ if (debug) then
+ print(SOURCE2 .." exists - copy-jdk-configs already installed and NOT in transaction. Using.")
+ end;
+ package.path = package.path .. ";" .. SOURCE2
+ else
+ if (debug) then
+ print(SOURCE1 .." does NOT exists")
+ print(SOURCE2 .." does NOT exists")
+ print("No config files will be copied")
+ end
+ return
+ end
+end
+-- run content of included file with fake args
+arg = {"--currentjvm", "%{uniquesuffix %{nil}}", "--jvmdir", "%{_jvmdir %{nil}}", "--origname", "%{name}", "--origjavaver", "%{javaver}", "--arch", "%{_arch}", "--temp", "%{rpm_state_dir}/%{name}.%{_arch}"}
+require "copy_jdk_configs.lua"
+
+%post
+%{post_script %{nil}}
+
+%post headless
+%{post_headless %{nil}}
+
+%postun
+%{postun_script %{nil}}
+
+%postun headless
+%{postun_headless %{nil}}
+
+%posttrans
+%{posttrans_script %{nil}}
+
+%posttrans headless
+%{alternatives_java_install %{nil}}
+
+%post devel
+%{post_devel %{nil}}
+
+%postun devel
+%{postun_devel %{nil}}
+
+%posttrans devel
+%{posttrans_devel %{nil}}
+
+%posttrans javadoc
+%{alternatives_javadoc_install %{nil}}
+
+%postun javadoc
+%{postun_javadoc %{nil}}
+
+%posttrans javadoc-zip
+%{alternatives_javadoczip_install %{nil}}
+
+%postun javadoc-zip
+%{postun_javadoc_zip %{nil}}
+%endif
+
+%if %{include_debug_build}
+%post slowdebug
+%{post_script -- %{debug_suffix_unquoted}}
+
+%post headless-slowdebug
+%{post_headless -- %{debug_suffix_unquoted}}
+
+%posttrans headless-slowdebug
+%{alternatives_java_install -- %{debug_suffix_unquoted}}
+
+%postun slowdebug
+%{postun_script -- %{debug_suffix_unquoted}}
+
+%postun headless-slowdebug
+%{postun_headless -- %{debug_suffix_unquoted}}
+
+%posttrans slowdebug
+%{posttrans_script -- %{debug_suffix_unquoted}}
+
+%post devel-slowdebug
+%{post_devel -- %{debug_suffix_unquoted}}
+
+%postun devel-slowdebug
+%{postun_devel -- %{debug_suffix_unquoted}}
+
+%posttrans devel-slowdebug
+%{posttrans_devel -- %{debug_suffix_unquoted}}
+%endif
+
+%if %{include_fastdebug_build}
+%post fastdebug
+%{post_script -- %{fastdebug_suffix_unquoted}}
+
+%post headless-fastdebug
+%{post_headless -- %{fastdebug_suffix_unquoted}}
+
+%postun fastdebug
+%{postun_script -- %{fastdebug_suffix_unquoted}}
+
+%postun headless-fastdebug
+%{postun_headless -- %{fastdebug_suffix_unquoted}}
+
+%posttrans fastdebug
+%{posttrans_script -- %{fastdebug_suffix_unquoted}}
+
+%posttrans headless-fastdebug
+%{alternatives_java_install -- %{fastdebug_suffix_unquoted}}
+
+%post devel-fastdebug
+%{post_devel -- %{fastdebug_suffix_unquoted}}
+
+%postun devel-fastdebug
+%{postun_devel -- %{fastdebug_suffix_unquoted}}
+
+%posttrans devel-fastdebug
+%{posttrans_devel -- %{fastdebug_suffix_unquoted}}
+
+%endif
+
+%if %{include_normal_build}
+%files
+# main package builds always
+%{files_jre %{nil}}
+%else
+%files
+# placeholder
+%endif
+
+
+%if %{include_normal_build}
+%files headless
+# important note, see https://bugzilla.redhat.com/show_bug.cgi?id=1038092 for whole issue
+# all config/noreplace files (and more) have to be declared in pretrans. See pretrans
+%{files_jre_headless %{nil}}
+
+%files devel
+%{files_devel %{nil}}
+
+%if %{include_staticlibs}
+%files static-libs
+%{files_static_libs %{nil}}
+%endif
+
+%files jmods
+%{files_jmods %{nil}}
+
+%files demo
+%{files_demo %{nil}}
+
+%files src
+%{files_src %{nil}}
+
+%files javadoc
+%{files_javadoc %{nil}}
+
+# This puts a huge documentation file in /usr/share
+# It is now architecture-dependent, as eg. AOT and Graal are now x86_64 only
+# same for debug variant
+%files javadoc-zip
+%{files_javadoc_zip %{nil}}
+%endif
+
+%if %{include_debug_build}
+%files slowdebug
+%{files_jre -- %{debug_suffix_unquoted}}
+
+%files headless-slowdebug
+%{files_jre_headless -- %{debug_suffix_unquoted}}
+
+%files devel-slowdebug
+%{files_devel -- %{debug_suffix_unquoted}}
+
+%if %{include_staticlibs}
+%files static-libs-slowdebug
+%{files_static_libs -- %{debug_suffix_unquoted}}
+%endif
+
+%files jmods-slowdebug
+%{files_jmods -- %{debug_suffix_unquoted}}
+
+%files demo-slowdebug
+%{files_demo -- %{debug_suffix_unquoted}}
+
+%files src-slowdebug
+%{files_src -- %{debug_suffix_unquoted}}
+%endif
+
+%if %{include_fastdebug_build}
+%files fastdebug
+%{files_jre -- %{fastdebug_suffix_unquoted}}
+
+%files headless-fastdebug
+%{files_jre_headless -- %{fastdebug_suffix_unquoted}}
+
+%files devel-fastdebug
+%{files_devel -- %{fastdebug_suffix_unquoted}}
+
+%if %{include_staticlibs}
+%files static-libs-fastdebug
+%{files_static_libs -- %{fastdebug_suffix_unquoted}}
+%endif
+
+%files jmods-fastdebug
+%{files_jmods -- %{fastdebug_suffix_unquoted}}
+
+%files demo-fastdebug
+%{files_demo -- %{fastdebug_suffix_unquoted}}
+
+%files src-fastdebug
+%{files_src -- %{fastdebug_suffix_unquoted}}
+
+%endif
+
+%changelog
+* Mon Feb 28 2022 Andrew Hughes - 1:11.0.14.1.1-6
+- Detect NSS at runtime for FIPS detection
+- Turn off build-time NSS linking and go back to an explicit Requires on NSS
+- Resolves: rhbz#2052831
+
+* Sun Feb 27 2022 Andrew Hughes - 1:11.0.14.1.1-5
+- Introduce tests/tests.yml, based on the one in RHEL 8
+- Resolves: rhbz#2058489
+
+* Fri Feb 25 2022 Jiri Vanek - 1:11.0.14.1.1-4
+- Storing and restoring alterntives during update manually
+- Fixing Bug 2001567 - update of JDK/JRE is removing its manually selected alterantives and select (as auto) system JDK/JRE
+-- The move of alternatives creation to posttrans to fix:
+-- Bug 1200302 - dnf reinstall breaks alternatives
+-- Had caused the alternatives to be removed, and then created again,
+-- instead of being added, and then removing the old, and thus persisting
+-- the selection in family
+-- Thus this fix, is storing the family of manually selected master, and if
+-- stored, then it is restoring the family of the master
+- Resolves: rhbz#2008205
+
+* Fri Feb 25 2022 Jiri Vanek - 1:11.0.14.1.1-3
+- Family extracted to globals
+- Resolves: rhbz#2008205
+
+* Wed Feb 23 2022 Andrew Hughes - 1:11.0.14.1.1-2
+- Add JDK-8275535 patch to fix LDAP authentication issue.
+- Resolves: rhbz#2053523
+
+* Fri Feb 18 2022 Andrew Hughes - 1:11.0.14.1.1-1
+- Update to jdk-11.0.14.1+1
+- Update release notes to 11.0.14.1+1
+- Require tzdata 2021e as of JDK-8275766.
+- Resolves: rhbz#2052834
+
+* Thu Feb 17 2022 Andrew Hughes - 1:11.0.14.0.9-2
+- Separate crypto policy initialisation from FIPS initialisation, now they are no longer interdependent
+- Resolves: rhbz#2052820
+
+* Wed Feb 16 2022 Andrew Hughes - 1:11.0.14.0.9-1
+- Update to jdk-11.0.14.0+9
+- Update release notes to 11.0.14.0+9
+- Switch to GA mode for final release.
+- Resolves: rhbz#2039395
+
+* Tue Feb 15 2022 Andrew Hughes - 1:11.0.14.0.8-0.3.ea
+- Fix FIPS issues in native code and with initialisation of java.security.Security
+- Resolves: rhbz#2023530
+
+* Fri Feb 11 2022 Andrew Hughes - 1:11.0.14.0.8-0.2.ea
+- Refactor build functions so we can build just HotSpot without any attempt at installation.
+- Sync gdb test with java-1.8.0-openjdk.
+- Improve architecture restrictions for the gdb test.
+- Replace -mstackrealign with -mincoming-stack-boundary=2 -mpreferred-stack-boundary=4 on x86_32 for stack alignment
+- Explicitly list JIT architectures rather than relying on those with slowdebug builds
+- Disable the serviceability agent on Zero architectures even when the architecture itself is supported
+- Add backport of JDK-8257794 to fix bogus assert on slowdebug x86-32 Zero builds
+- Related: rhbz#2052834
+
+* Fri Feb 11 2022 Jiri Vanek - 1:11.0.14.0.8-0.2.ea
+- Give javadoc-zip its own Provides, next to the plain javadoc ones
+- Related: rhbz#2052834
+
+* Fri Feb 11 2022 Andrew Hughes - 1:11.0.14.0.8-0.1.ea
+- Update to jdk-11.0.14.0+8
+- Update release notes to 11.0.14.0+8
+- Switch to EA mode for 11.0.14 pre-release builds.
+- Rename blacklisted.certs to blocked.certs following JDK-8253866
+- Rebase RH1996182 login patch and drop redundant security policy extension after JDK-8269034
+- Resolves: rhbz#2022825
+
+* Thu Jan 13 2022 Andrew Hughes - 1:11.0.13.0.8-5
+- Turn off bootstrapping for slow debug builds, which are particularly slow on ppc64le.
+- Related: rhbz#2022825
+
+* Thu Dec 02 2021 Severin Gehwolf - 1:11.0.13.0.8-4
+- Use 'sql:' prefix in nss.fips.cfg as F35+ no longer ship the legacy
+ secmod.db file as part of NSS
+- Resolves: rhbz#2023535
+
+* Wed Dec 01 2021 Jiri Vanek - 1:11.0.13.0.8-3
+- Replaced hardcoded 11 by featurever where appropriate
+- Fixed comment of `for slowdebug` to correct `any debug`
+- Related: rhbz#2022825
+
+* Tue Nov 09 2021 Jiri Vanek - 1:11.0.13.0.8-2
+- alternatives creation moved to posttrans
+- Thus fixing the old reisntall issue:
+- https://bugzilla.redhat.com/show_bug.cgi?id=1200302
+- https://bugzilla.redhat.com/show_bug.cgi?id=1976053
+- Resolves: rhbz#2008205
+
+* Wed Oct 13 2021 Andrew Hughes - 1:11.0.13.0.8-1
+- Update to jdk-11.0.13.0+8
+- Update release notes to 11.0.13.0+8
+- Update tarball generation script to use git following OpenJDK 11u's move to github
+- Remove "-clean" suffix as no 11.0.13 builds are unclean.
+- Drop JDK-8269668 patch which is now applied upstream.
+- Resolves: rhbz#2013845
+
+* Sun Oct 10 2021 Andrew Hughes - 1:11.0.12.0.7-6
+- Reduce disk footprint by removing build artifacts by default.
+- Related: rhbz#1999940
+
+* Sun Oct 10 2021 Andrew Hughes - 1:11.0.12.0.7-5
+- Restructure the build so a minimal initial build is then used for the final build (with docs)
+- This reduces pressure on the system JDK and ensures the JDK being built can do a full build
+- Related: rhbz#1999940
+
+* Tue Oct 05 2021 Andrew Hughes - 1:11.0.12.0.7-4
+- Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false
+- Resolves: rhbz#1994681
+
+* Tue Oct 05 2021 Martin Balao - 1:11.0.12.0.7-4
+- Add patch to allow plain key import.
+- Resolves: rhbz#1994681
+
+* Thu Sep 02 2021 Jiri Vanek - 1:11.0.12.0.7-3
+- Minor cosmetic improvements to make spec more comparable between variants
+- Related: rhbz#1999940
+
+* Mon Aug 30 2021 Andrew Hughes - 1:11.0.12.0.7-2
+- Extend the default security policy to accomodate PKCS11 accessing jdk.internal.misc.
+- Resolves: rhbz#1997360
+
+* Fri Aug 27 2021 Andrew Hughes - 1:11.0.12.0.7-1
+- Add patch to login to the NSS software token when in FIPS mode.
+- Resolves: rhbz#1997360
+
+* Mon Aug 09 2021 Mohan Boddu - 1:11.0.12.0.7-0.1
+- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
+ Related: rhbz#1991688
+
+* Mon Aug 09 2021 Andrew Hughes - 1:11.0.12.0.7-0
+- Update to jdk-11.0.12.0+7
+- Update release notes to 11.0.12.0+7
+- Switch to GA mode for final release.
+- Remove non-Free test from source tarball.
+- Resolves: rhbz#1967815
+
+* Wed Jul 28 2021 Severin Gehwolf - 1:11.0.12.0.7-0
+- Add patch in order to fix java.library.path issue on aarch64 (JDK-8269668)
+- Resolves: rhbz#1967815
+
+* Tue Jul 20 2021 Andrew Hughes - 1:11.0.12.0.6-0.0.ea
+- Update to jdk-11.0.12.0+6
+- Update release notes to 11.0.12.0+6
+- Correct bug ID JDK-8264846 to intended ID of JDK-8264848
+- Switch to EA mode for 11.0.12 pre-release builds.
+- Update ECC patch following JDK-8226374 (bug ID yet to be confirmed)
+- Use the "reverse" build loop (debug first) as the main and only build loop to get more diagnostics.
+- Remove restriction on disabling product build, as debug packages no longer have javadoc packages.
+- Resolves: rhbz#1967815
+
+* Tue Jul 20 2021 Andrew Hughes - 1:11.0.11.0.9-2
+- Minor code cleanups on FIPS detection patch and check for SECMOD_GetSystemFIPSEnabled in configure.
+- Remove unneeded Requires on NSS as it will now be dynamically linked and detected by RPM.
+- Resolves: rhbz#1971689
+
+* Tue Jul 20 2021 Martin Balao - 1:11.0.11.0.9-2
+- Detect FIPS using SECMOD_GetSystemFIPSEnabled in the new libsystemconf JDK library.
+- Resolves: rhbz#1971689
+
+* Tue Jul 06 2021 Andrew John Hughes - 1:11.0.11.0.9-1
+- Update RH1655466 FIPS patch with changes in OpenJDK 8 version.
+- SunPKCS11 runtime provider name is a concatenation of "SunPKCS11-" and the name in the config file.
+- Change nss.fips.cfg config name to "NSS-FIPS" to avoid confusion with nss.cfg.
+- No need to substitute path to nss.fips.cfg as java.security file supports a java.home variable.
+- Disable FIPS mode support unless com.redhat.fips is set to "true".
+- Enable alignment with FIPS crypto policy by default (-Dcom.redhat.fips=false to disable).
+- Add explicit runtime dependency on NSS for the PKCS11 provider in FIPS mode
+- Move setup of JavaSecuritySystemConfiguratorAccess to Security class so it always occurs (RH1915071)
+- Resolves: rhbz#1971689
+
+* Tue Jul 06 2021 Martin Balao - 1:11.0.11.0.9-1
+- Support the FIPS mode crypto policy (RH1655466)
+- Use appropriate keystore types when in FIPS mode (RH1818909)
+- Disable TLSv1.3 when the FIPS crypto policy and the NSS-FIPS provider are in use (RH1860986)
+- Resolves: rhbz#1971689
+
+* Mon Jul 05 2021 Andrew Hughes - 1:11.0.11.0.9-0
+- Update to jdk-11.0.11.0+9
+- Update release notes to 11.0.11.0+9
+- Remove upstreamed patch JDK-8259949
+- Require tzdata 2020f to match upstream change JDK-8259048
+- Require tzdata 2021a to match upstream change JDK-8260356
+- Update tapsets from IcedTea 6.x repository with fix for JDK-8015774 changes (_heap->_heaps)
+- Update icedtea_sync.sh with a VCS mode that retrieves sources from a Mercurial repository
+- Perform static library build on a separate source tree with bundled image libraries
+- Make static library build optional
+- Resolves: rhbz#1967815
+
+* Mon Jul 05 2021 Severin Gehwolf - 1:11.0.11.0.9-0
+- Remove -fcommon work-around as the OpenJDK 11 code has been fixed.
+- Resolves: rhbz#1967815
+
+* Mon Jul 05 2021 Stephan Bergmann - 1:11.0.11.0.9-0
+- Hardcode /usr/sbin/alternatives for Flatpak builds
+- Disable copy-jdk-configs for Flatpak builds
+- Resolves: rhbz#1967815
+
+* Mon Jul 05 2021 Jayashree Huttanagoudar - 1:11.0.11.0.9-0
+- Fix issue where CheckVendor.java test erroneously passes when it should fail.
+- Add proper quoting so '&' is not treated as a special character by the shell.
+- Resolves: rhbz#1967815
+
+* Fri Apr 16 2021 Mohan Boddu - 1:11.0.10.0.9-0.1
+- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
+
+* Mon Feb 1 2021 Andrew Hughes - 1:11.0.10.0.9-0
+- Update to jdk-11.0.10.0+9
+- Update release notes to 11.0.10.0+9
+- Switch to GA mode for final release.
+
+* Tue Jan 26 2021 Fedora Release Engineering - 1:11.0.10.0.8-0.5.ea.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Mon Jan 25 2021 Andrew Hughes - 1:11.0.10.0.8-0.5.ea
+- Fix location and comment differences from RHEL.
+
+* Mon Jan 25 2021 Andrew Hughes - 1:11.0.10.0.8-0.5.ea
+- Following JDK-8005165, class data sharing can be enabled on all JIT architectures
+
+* Sun Jan 24 2021 Andrew Hughes - 1:11.0.10.0.8-0.4.ea
+- Include a test in the RPM to check the build has the correct vendor information.
+
+* Sun Jan 24 2021 Andrew Hughes - 1:11.0.10.0.8-0.4.ea
+- Update build documentation to reflect this is java-11-openjdk, not java-1.8.0-openjdk
+- Remove redundant closure and immediate reopening of include_normal_build block.
+
+* Sun Jan 24 2021 Andrew Hughes - 1:11.0.10.0.8-0.3.ea
+- Use RSA as default for keytool, as DSA is disabled in all crypto policies except LEGACY
+- Adjust RH1842572 patch due to context change from JDK-8213400
+
+* Sat Jan 23 2021 Andrew Hughes - 1:11.0.10.0.8-0.2.ea
+- Need to support noarch for creating source RPMs for non-scratch builds.
+
+* Mon Jan 18 2021 Andrew Hughes - 1:11.0.10.0.8-0.2.ea
+- Introduce stapinstall variable to set SystemTap arch directory correctly (e.g. arm64 on aarch64)
+
+* Mon Jan 18 2021 Andrew Hughes - 1:11.0.10.0.8-0.1.ea
+- Use -march=i686 for x86 builds if -fcf-protection is detected (needs CMOV)
+
+* Thu Jan 14 2021 Andrew Hughes - 1:11.0.10.0.8-0.0.ea
+- Update to jdk-11.0.10.0+8
+- Update release notes to 11.0.10.0+8.
+- Update tarball generation script to use PR3818 which handles JDK-8171279 changes
+- Drop JDK-8250861 as applied upstream.
+
+* Tue Dec 22 2020 Andrew John Hughes - 1:11.0.10.0.1-0.0.ea
+- Update to jdk-11.0.10.0+1
+- Update release notes to 11.0.10.0+1
+- Use JEP-322 Time-Based Versioning so we can handle a future 11.0.9.1-like release correctly.
+- Still use 11.0.x rather than 11.0.x.0 for file naming, as the trailing zero is omitted from tags.
+- Revert configure and built_doc_archive hacks to build 11.0.9.1 from 11.0.9.0 sources, and synced with RHEL version.
+- Cleanup debug package descriptions and version number placement.
+- Switch to EA mode for 11.0.10 pre-release builds.
+- Drop JDK-8222286 & JDK-8254177 as applied upstream
+- Use system harfbuzz now this is supported.
+
+* Tue Dec 22 2020 Jiri Vanek - 1:11.0.9.11-9
+- fixed missing condition for fastdebug packages being counted as debug ones
+
+* Sat Dec 19 2020 Jiri Vanek - 1:11.0.9.11-8
+- removed lib-style provides for fastdebug_suffix_unquoted
+
+* Thu Dec 17 2020 Andrew Hughes - 1:11.0.9.11-6
+- introduced nm based check to verify alt-java on x86_64 is patched, and no other alt-java or java is patched
+- patch600 rh1750419-redhat_alt_java.patch amended to die, if it is used wrongly
+- introduced ssbd_arches with currently only valid arch of x86_64 to separate real alt-java architectures
+
+* Tue Dec 01 2020 Jiri Vanek - 1:11.0.9.11-5
+- removed patch6, rh1566890-CVE_2018_3639-speculative_store_bypass.patch, surpassed by new patch
+- added patch600, rh1750419-redhat_alt_java.patch, suprassing removed patch
+- no longer copying of java->alt-java as it is created by patch600
+
+* Mon Nov 23 2020 Jiri Vanek - 1:11.0.9.11-4
+- Create a copy of java as alt-java with alternatives and man pages
+- java-11-openjdk doesn't have a JRE tree, so don't try and copy alt-java there...
+
+* Fri Nov 06 2020 Andrew Hughes - 1:11.0.9.11-3
+- Update release notes for 11.0.9.1 release.
+
+* Wed Nov 04 2020 Severin Gehwolf - 1:11.0.9.11-2
+- Update to jdk-11.0.9.1+1
+- RPM version stays at 11.0.9.11-2 so as to not break upgrade path.
+- Adds a single patch for JDK-8250861.
+
+* Thu Oct 29 2020 Jiri Vanek - 1:11.0.9.11-1
+- Move all license files to NVR-specific JVM directory.
+- This bad placement was killing parallel installability and thus having a bad impact on leapp, if used.
+
+* Mon Oct 19 2020 Severin Gehwolf - 1:11.0.9.11-0
+- Fix directory ownership of static-libs package
+
+* Thu Oct 15 2020 Andrew Hughes - 1:11.0.9.11-0
+- Update to jdk-11.0.9+11
+- Update release notes for 11.0.9 release.
+- Add backport of JDK-8254177 to update to tzdata 2020b
+- Require tzdata 2020b due to resource changes in JDK-8254177
+
+* Mon Oct 05 2020 Andrew Hughes - 1:11.0.9.10-0.0.ea
+- Update to jdk-11.0.9+10 (EA)
+
+* Mon Oct 05 2020 Andrew Hughes - 1:11.0.9.9-0.0.ea
+- Update to jdk-11.0.9+9 (EA)
+
+* Thu Oct 01 2020 Andrew Hughes - 1:11.0.9.8-0.0.ea
+- Update to jdk-11.0.9+8 (EA)
+
+* Mon Sep 28 2020 Andrew Hughes - 1:11.0.9.7-0.0.ea
+- Update to jdk-11.0.9+7 (EA)
+
+* Tue Sep 15 2020 Severin Gehwolf - 1:11.0.9.6-0.1.ea
+- Update static-libs packaging to new layout
+
+* Tue Sep 15 2020 Andrew Hughes - 1:11.0.9.6-0.0.ea
+- Update to jdk-11.0.9+6 (EA)
+- Update tarball generation script to use PR3802, handling JDK-8233228 & JDK-8177334
+- Resolves: rhbz#1869017
+
+* Tue Sep 08 2020 Andrew Hughes - 1:11.0.9.5-0.0.ea
+- Update to jdk-11.0.9+5 (EA)
+
+* Thu Sep 03 2020 Andrew Hughes - 1:11.0.9.4-0.0.ea
+- Update to jdk-11.0.9+4 (EA)
+
+* Wed Aug 19 2020 Andrew Hughes - 1:11.0.9.3-0.0.ea
+- Update to jdk-11.0.9+3 (EA)
+
+* Tue Aug 11 2020 Andrew Hughes - 1:11.0.9.2-0.0.ea
+- Update to jdk-11.0.9+2 (EA)
+- With Shenandoah now upstream in OpenJDK 11, we can use jdk-updates/jdk11 directly
+
+* Tue Aug 11 2020 Andrew Hughes - 1:11.0.9.1-0.2.ea
+- Cleanup architecture and JVM feature handling in preparation for using upstreamed Shenandoah.
+
+* Sun Aug 09 2020 Andrew Hughes - 1:11.0.9.1-0.1.ea
+- Update to shenandoah-jdk-11.0.9+1 (EA)
+- Switch to EA mode for 11.0.9 pre-release builds.
+- Drop JDK-8247874 backport now applied upstream.
+- JDK-8245832 increases the set of static libraries, so try and include them all with a wildcard.
+
+* Tue Jul 28 2020 Severin Gehwolf - 1:11.0.8.10-1
+- Disable LTO as this breaks the build. See RHBZ#1861401.
+
+* Tue Jul 28 2020 Fedora Release Engineering - 1:11.0.8.10-0.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Sat Jul 11 2020 Andrew Hughes - 1:11.0.8.10-0
+- Update to shenandoah-jdk-11.0.8+10 (GA)
+- Switch to GA mode for final release.
+- Update release notes with last minute fix (JDK-8248505).
+
+* Fri Jul 10 2020 Andrew Hughes - 1:11.0.8.9-0.0.ea
+- Update to shenandoah-jdk-11.0.8+9 (EA)
+- Update release notes for 11.0.8 release.
+
+* Thu Jul 09 2020 Jiri Vanek - 1:11.0.8.8-0.2.ea
+- bumped to become system jdk, is_system_jdk moved from 0 to 1
+
+* Thu Jul 09 2020 Andrew Hughes - 1:11.0.8.8-0.1.ea
+- Re-introduce java-openjdk-src & java-openjdk-demo for system_jdk builds.
+- Fix accidental renaming of java-openjdk-devel to java-devel-openjdk.
+
+* Tue Jun 30 2020 Andrew Hughes - 1:11.0.8.8-0.0.ea
+- Update to shenandoah-jdk-11.0.8+8 (EA)
+
+* Tue Jun 23 2020 Andrew Hughes - 1:11.0.8.7-0.0.ea
+- Update to shenandoah-jdk-11.0.8+7 (EA)
+
+* Tue Jun 23 2020 Andrew Hughes - 1:11.0.8.6-0.0.ea
+- Update to shenandoah-jdk-11.0.8+6 (EA)
+
+* Tue Jun 23 2020 Andrew Hughes - 1:11.0.8.5-0.3.ea
+- Add release notes.
+- Amend release notes, removing issue actually fixed in 11.0.6.
+
+* Tue Jun 23 2020 Andrew Hughes - 1:11.0.8.5-0.2.ea
+- Sync JDK-8247874 patch with upstream status in 11.0.9.
+- Add missing ChangeLog entry from last series of commits.
+
+* Mon Jun 22 2020 Jayashree Huttanagoudar - 1:1.0.8.5-0.2.ea
+- Added a patch jdk8247874-fix_ampersand_in_vm_bug_url.patch
+
+* Thu Jun 18 2020 Jayashree Huttanagoudar - 1:1.0.8.5-0.2.ea
+- Moved vendor_version_string to better place
+
+* Thu Jun 18 2020 Jiri Vanek - 1:11.0.8.5-0.2.ea
+- set vendor property and vendor urls
+- made urls to be preconfigured by os
+
+* Tue Jun 09 2020 Severin Gehwolf - 1:11.0.8.5-0.1.ea
+- Disable stripping of debug symbols for static libraries part of
+ the -static-libs sub-package.
+
+* Sun Jun 07 2020 Andrew Hughes - 1:11.0.8.5-0.0.ea
+- Update to shenandoah-jdk-11.0.8+5 (EA)
+
+* Mon May 25 2020 Andrew Hughes - 1:11.0.8.4-0.0.ea
+- Update to shenandoah-jdk-11.0.8+4 (EA)
+- Require tzdata 2020a due to resource changes in JDK-8243541
+
+* Fri May 22 2020 Severin Gehwolf - 1:11.0.8.3-0.1.ea
+- Build static-libs-image and add resulting files via -static-libs
+ sub-package.
+
+* Tue May 19 2020 Andrew Hughes - 1:11.0.8.3-0.0.ea
+- Update to shenandoah-jdk-11.0.8+3 (EA)
+- Drop JDK-8233880 backport now applied upstream.
+
+* Mon May 18 2020 Andrew Hughes - 1:11.0.8.2-0.0.ea
+- Update to shenandoah-jdk-11.0.8+2 (EA)
+
+* Mon May 18 2020 Andrew Hughes - 1:11.0.8.1-0.0.ea
+- Update to shenandoah-jdk-11.0.8+1 (EA)
+- Switch to EA mode for 11.0.8 pre-release builds.
+- Drop JDK-8237396 & JDK-8228407 backports now applied upstream.
+
+* Sun May 17 2020 Andrew John Hughes - 1:11.0.7.10-2
+- Backport JDK-8233880 to fix version detection of GCC 10.
+- Remove explicit compiler flags which should be handled by the upstream build
+ (-std=gnu++98, -fno-delete-null-pointer-checks, -fno-lifetime-dse)
+
+* Fri Apr 24 2020 Andrew John Hughes - 1:11.0.7.10-1
+- Make use of --with-extra-asflags introduced in jdk-11.0.6+1.
+
+* Wed Apr 22 2020 Andrew John Hughes - 1:11.0.7.10-0
+- Update to shenandoah-jdk-11.0.7+10 (GA)
+- Switch to GA mode for final release.
+- Remove JDK-8237879 backport as this was integrated upstream in jdk-11.0.7+10.
+
+* Tue Apr 21 2020 Andrew John Hughes - 1:11.0.7.9-0.0.ea
+- Update to shenandoah-jdk-11.0.7+9 (EA)
+- Remove JDK-8241296 backport as this was integrated upstream in jdk-11.0.7+9.
+
+* Tue Apr 21 2020 Andrew John Hughes - 1:11.0.7.8-0.0.ea
+- Update to shenandoah-jdk-11.0.7+8 (EA)
+
+* Mon Apr 20 2020 Andrew John Hughes - 1:11.0.7.7-0.0.ea
+- Update to shenandoah-jdk-11.0.7+7 (EA)
+
+* Mon Apr 20 2020 Andrew John Hughes - 1:11.0.7.6-0.0.ea
+- Update to shenandoah-jdk-11.0.7+6 (EA)
+
+* Sun Apr 19 2020 Andrew John Hughes - 1:11.0.7.5-0.0.ea
+- Update to shenandoah-jdk-11.0.7+5 (EA)
+
+* Sun Apr 19 2020 Andrew John Hughes - 1:11.0.7.4-0.0.ea
+- Update to shenandoah-jdk-11.0.7+4 (EA)
+
+* Thu Apr 16 2020 Andrew John Hughes - 1:11.0.7.3-0.0.ea
+- Add JDK-8228407 backport to resolve crashes during verification.
+
+* Thu Apr 16 2020 Andrew John Hughes - 1:11.0.7.3-0.0.ea
+- Update to shenandoah-jdk-11.0.7+3 (EA)
+
+* Mon Apr 06 2020 Andrew John Hughes - 1:11.0.7.2-0.5.ea
+- Sync SystemTap & desktop files with upstream IcedTea release 3.15.0 using new script
+
+* Sat Mar 28 2020 Andrew John Hughes - 1:11.0.7.2-0.4.ea
+- Add JDK-8237396 backport to resolve Shenandoah TCK breakage in traversal mode.
+
+* Tue Mar 24 2020 Severin Gehwolf - 1:11.0.7.2-0.3.ea
+- Revert GCC 10 workaround for s390x.
+- Resolves RHBZ#1799087.
+
+* Fri Mar 20 2020 Andrew John Hughes - 1:11.0.7.2-0.2.ea
+- Backport JDK-8241296 to fix segfaults when active_handles is NULL (RH1813550)
+
+* Fri Mar 13 2020 Severin Gehwolf - 1:11.0.7.2-0.1.ea
+- Add patch for make 4.3 (JDK-8237879)
+
+* Wed Mar 04 2020 Andrew John Hughes - 1:11.0.7.2-0.0.ea
+- Update to shenandoah-jdk-11.0.7+2 (EA)
+- Drop JDK-8224851 backport now included upstream.
+
+* Thu Feb 27 2020 Andrew Hughes - 1:11.0.7.1-0.0.ea
+- Update to shenandoah-jdk-11.0.7+1 (EA)
+- Switch to EA mode for 11.0.7 pre-release builds.
+- Drop JDK-8236039 backport now applied upstream.
+
+* Thu Feb 27 2020 Severin Gehwolf - 1:11.0.6.10-0
+- Add workaround for building with GCC 10 on s390x. See RHBZ#1799087
+
+* Wed Jan 29 2020 Severin Gehwolf - 1:11.0.6.10-0
+- Account for building with GCC 10: JDK-8224851, -fcommon switch.
+
+* Wed Jan 29 2020 Andrew John Hughes - 1:11.0.6.10-0
+- Update to shenandoah-jdk-11.0.6+10 (GA)
+- Add JDK-8236039 backport to resolve OpenShift blocker.
+- Add JDK-8224851 backport to resolve AArch64 compiler issues.
+
+* Wed Jan 29 2020 Fedora Release Engineering - 1:11.0.6.9-0.1.ea
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Thu Jan 09 2020 Andrew Hughes - 1:11.0.6.9-0.0.ea
+- Update to shenandoah-jdk-11.0.6+9 (EA)
+
+* Mon Dec 30 2019 Andrew Hughes - 1:11.0.6.2-0.0.ea
+- Update to shenandoah-jdk-11.0.6+2 (EA)
+
+* Thu Dec 19 2019 Andrew Hughes - 1:11.0.6.1-0.0.ea
+- Update to shenandoah-jdk-11.0.6+1 (EA)
+- Switch to EA mode for 11.0.6 pre-release builds.
+- Add support for jfr binary.
+
+* Wed Oct 09 2019 Andrew Hughes - 1:11.0.5.10-0
+- Update to shenandoah-jdk-11.0.5+10 (GA)
+- Switch to GA mode for final release.
+
+* Mon Oct 07 2019 Andrew Hughes - 1:11.0.5.9-0.0.ea
+- Update to shenandoah-jdk-11.0.5+9 (EA)
+
+* Tue Aug 27 2019 Andrew Hughes - 1:11.0.5.2-0.2.ea
+- Update generate_source_tarball.sh script to use the PR3751 patch and retain the secp256k1 curve.
+- Regenerate source tarball using the updated script and add the -'4curve' suffix.
+- PR3751 includes the changes in the PR1834/RH1022017 patch which is removed.
+
+* Sat Aug 24 2019 Andrew John Hughes - 1:11.0.5.2-0.1.ea
+- Update to shenandoah-jdk-11.0.5+2 (EA)
+
+* Mon Aug 12 2019 Andrew Hughes - 1:11.0.5.1-0.1.ea
+- Update to shenandoah-jdk-11.0.5+1 (EA)
+- Switch to EA mode for 11.0.5 pre-release builds.
+
+* Thu Aug 08 2019 Andrew Hughes - 1:11.0.4.11-4
+- Switch to in-tree SunEC code, dropping NSS runtime dependencies and patches to link against it.
+
+* Fri Jul 26 2019 Andrew John Hughes - 1:11.0.4.11-3
+- Drop unnecessary build requirement on gtk3-devel, as OpenJDK searches for Gtk+ at runtime.
+- Add missing build requirement for libXrender-devel, previously masked by Gtk3+ dependency
+- Add missing build requirement for libXrandr-devel, previously masked by Gtk3+ dependency
+- fontconfig build requirement should be fontconfig-devel, previously masked by Gtk3+ dependency
+
+* Fri Jul 26 2019 Severin Gehwolf - 1:11.0.4.11-2
+- Rebuild with itself as boot JDK.
+
+* Fri Jul 26 2019 Severin Gehwolf - 1:11.0.4.11-1
+- Remove -fno-tree-ch workaround for i686 as the root cause has been
+ fixed with 11.0.4+9.
+- Resolves RHBZ#1683095
+
+* Tue Jul 09 2019 Andrew Hughes - 1:11.0.4.11-0
+- Update to shenandoah-jdk-11.0.4+11 (GA)
+- Switch to GA mode for final release.
+
+* Mon Jul 08 2019 Andrew Hughes - 1:11.0.4.10-0.2.ea
+- Obsolete javadoc-slowdebug and javadoc-slowdebug-zip packages via javadoc and javadoc-zip respectively.
+
+* Mon Jul 08 2019 Andrew Hughes - 1:11.0.4.10-0.1.ea
+- Update to shenandoah-jdk-11.0.4+10 (EA)
+
+* Sun Jun 30 2019 Andrew John Hughes - 1:11.0.4.2-0.1.ea
+- Update to shenandoah-jdk-11.0.4+2 (EA)
+
+* Fri Jun 21 2019 Severin Gehwolf - 1:11.0.4.2-0.1.ea
+- Package jspawnhelper (see JDK-8220360).
+
+* Fri Jun 21 2019 Severin Gehwolf - 1:11.0.3.7-6
+- Include 'ea' designator in Release when appropriate.
+
+* Wed May 22 2019 Andrew Hughes - 1:11.0.3.7-6
+- Handle milestone as variables so we can alter it easily and set the docs zip filename appropriately.
+
+* Tue May 14 2019 Severin Gehwolf - 1:11.0.3.7-5
+- Bump release for rebuild.
+
+* Fri May 10 2019 Severin Gehwolf - 1:11.0.3.7-4
+- Add -fno-tree-ch in order to work around GCC 9 issue on
+ i686.
+- Resolves: RHBZ#1683095
+
+* Thu Apr 25 2019 Severin Gehwolf - 1:11.0.3.7-3
+- Don't produce javadoc/javadoc-zip sub packages for the
+ debug variant build.
+- Don't perform a bootcycle build for the debug variant build.
+
+* Wed Apr 24 2019 Severin Gehwolf - 1:11.0.3.7-2
+- Don't generate lib-style requires for -slowdebug subpackages.
+- Resolves: RHBZ#1702379
+
+* Tue Apr 23 2019 Severin Gehwolf - 1:11.0.3.7-1
+- Fix requires/provides for the non-system JDK case. JDK 11
+ isn't a system JDK at this point.
+- Resolves: RHBZ#1702324
+
+* Sun Apr 07 2019 Andrew Hughes - 1:11.0.3.7-0
+- Update to shenandoah-jdk-11.0.3+7 (April 2019 GA)
+
+* Sat Apr 06 2019 Andrew Hughes - 1:11.0.3.6-0
+- Update to shenandoah-jdk-11.0.3+6 (April 2019 EA)
+- Drop JDK-8210416/RH1632174 applied upstream.
+- Drop JDK-8210425/RH1632174 applied upstream.
+- Drop JDK-8210647/RH1632174 applied upstream.
+- Drop JDK-8210761/RH1632174 applied upstream.
+- Drop JDK-8210703/RH1632174 applied upstream.
+- Add cast to resolve s390 ambiguity in call to log2_intptr
+
+* Thu Mar 21 2019 Severin Gehwolf - 1:11.0.2.7-9
+- Add patch for RH1566890
+
+* Wed Mar 20 2019 Peter Robinson 1:11.0.2.7-8
+- Drop chkconfig dep, 1.7 shipped in f24
+
+* Mon Mar 11 2019 Severin Gehwolf - 1:11.0.2.7-7
+- Add -Wa,--generate-missing-build-notes=yes C flags. So as to
+ fix annocheck warnings for assembler source files.
+
+* Tue Feb 26 2019 Severin Gehwolf - 1:11.0.2.7-6
+- Don't package lib/client and lib/client/classes.jsa
+ which don't exist.
+- Resolves: RHBZ#1643469
+
+* Tue Feb 19 2019 Severin Gehwolf - 1:11.0.2.7-5
+- Add explicit requirement for libXcomposite which is used when performing
+ screenshots from Java.
+- Add explicit BR unzip required for building OpenJDK.
+
+* Thu Feb 14 2019 Severin Gehwolf - 1:11.0.2.7-4
+- Add a test verifying system crypto policies can be disabled
+
+* Tue Feb 12 2019 Severin Gehwolf - 1:11.0.2.7-3
+- Don't build the test images needlessly.
+
+* Thu Feb 07 2019 Andrew John Hughes - 1:11.0.2.7-2
+- Add PR3695 to allow the system crypto policy to be turned off.
+- Correct original system crypto policy patch to refer to OpenJDK 11 bug (PR3694)
+
+* Fri Feb 01 2019 Fedora Release Engineering - 1:11.0.2.7-1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Tue Jan 15 2019 Andrew Hughes - 1:11.0.2.7-0
+- Update to shenandoah-jdk-11.0.2+7 (January 2019 CPU)
+- Drop JDK-8211105/RH1628612/RH1630996 applied upstream.
+- Drop JDK-8209639/RH1640127 applied upstream.
+- Re-generate JDK-8210416/RH1632174 following JDK-8209786
+
+* Fri Jan 11 2019 Andrew Hughes - 1:11.0.1.13-11
+- Update to shenandoah-jdk-11.0.1+13-20190101
+- Update tarball generation script in preparation for PR3681/RH1656677 SunEC changes.
+- Use remove-intree-libraries.sh to remove the remaining SunEC code for now.
+- Fix PR1983 SunEC patch so that ecc_impl.h is patched rather than added
+- Add missing RH1022017 patch to reduce curves reported by SSL to those we support.
+- Remove RH1648995; fixed upstream.
+
+* Wed Dec 5 2018 Jiri Vanek - 1:11.0.1.13-9
+- for non debug supackages, ghosted all masters and slaves (rhbz1649776)
+- for tech-preview packages, if-outed versionless provides. Aligned versions to be %%{epoch}:%%{version}-%%{release} instead of chaotic
+- Removed all slowdebug provides (rhbz1655938); for tech-preview packages also removed all internal provides
+
+* Wed Nov 28 2018 Severin Gehwolf - 1:11.0.1.13-8
+- Added %%global _find_debuginfo_opts -g
+- Resolves: RHBZ#1520879 (Detailed NMT issue)
+
+* Mon Nov 12 2018 Jiri Vanek - 1:11.0.1.13-6
+- fixed tck failures of arraycopy and process exec with shenandoah on
+- added patch585 rh1648995-shenandoah_array_copy_broken_by_not_always_copy_forward_for_disjoint_arrays.patch
+
+* Wed Nov 07 2018 Jiri Vanek - 1:11.0.1.13-5
+- headless' suggests of cups, replaced by Requires of cups-libs
+
+* Thu Nov 01 2018 Jiri Vanek - 1:11.0.1.13-3
+- added Patch584 jdk8209639-rh1640127-02-coalesce_attempted_spill_non_spillable.patch
+
+* Mon Oct 29 2018 Severin Gehwolf - 1:11.0.1.13-3
+- Use upstream's version of Aarch64 intrinsics disable patch:
+ - Removed:
+ RHBZ-1628612-JDK-8210461-workaround-disable-aarch64-intrinsic.patch
+ RHBZ-1630996-JDK-8210858-workaround-disable-aarch64-intrinsic-log.patch
+ - Superceded by:
+ jdk8211105-aarch64-disable_cos_sin_and_log_intrinsics.patch
+
+* Thu Oct 18 2018 Severin Gehwolf - 1:11.0.1.13-2
+- Use LTS designator in version output for RHEL.
+
+* Thu Oct 18 2018 Severin Gehwolf - 1:11.0.1.13-1
+- Update to October 2018 CPU release, 11.0.1+13.
+
+* Wed Oct 17 2018 Severin Gehwolf - 1:11.0.0.28-2
+- Use --with-vendor-version-string=18.9 so as to show original
+ GA date for the JDK.
+
+* Fri Sep 28 2018 Severin Gehwolf - 1:11.0.0.28-1
+- Identify as GA version and no longer as early access (EA).
+- JDK 11 has been released for GA on 2018-09-25.
+
+* Fri Sep 28 2018 Severin Gehwolf - 1:11.0.ea.28-9
+- Rework changes from 1:11.0.ea.22-6. RHBZ#1632174 supercedes
+ RHBZ-1624122.
+- Add patch, jdk8210416-rh1632174-compile_fdlibm_with_o2_ffp_contract_off_on_gcc_clang_arches.patch, so as to
+ optimize compilation of fdlibm library.
+- Add patch, jdk8210425-rh1632174-sharedRuntimeTrig_sharedRuntimeTrans_compiled_without_optimization.patch, so
+ as to optimize compilation of sharedRuntime{Trig,Trans}.cpp
+- Add patch, jdk8210647-rh1632174-libsaproc_is_being_compiled_without_optimization.patch, so as to
+ optimize compilation of libsaproc (extra c flags won't override
+ optimization).
+- Add patch, jdk8210761-rh1632174-libjsig_is_being_compiled_without_optimization.patch, so as to
+ optimize compilation of libjsig.
+- Add patch, jdk8210703-rh1632174-vmStructs_cpp_no_longer_compiled_with_o0, so as to
+ optimize compilation of vmStructs.cpp (part of libjvm.so).
+- Reinstate filtering of opt flags coming from redhat-rpm-config.
+
+* Thu Sep 27 2018 Jiri Vanek - 1:11.0.ea.28-8
+- removed version less provides
+- javadocdir moved to arched dir as it is no longer noarch
+
+* Thu Sep 20 2018 Severin Gehwolf - 1:11.0.ea.28-6
+- Add patch, RHBZ-1630996-JDK-8210858-workaround-disable-aarch64-intrinsic-log.patch,
+ so as to disable log math intrinsic on aarch64. Work-around for
+ JDK-8210858
+
+* Thu Sep 13 2018 Severin Gehwolf - 1:11.0.ea.28-5
+- Add patch, RHBZ-1628612-JDK-8210461-workaround-disable-aarch64-intrinsic.patch,
+ so as to disable dsin/dcos math intrinsics on aarch64. Work-around for
+ JDK-8210461.
+
+* Wed Sep 12 2018 Severin Gehwolf - 1:11.0.ea.22-6
+- Add patch, JDK-8210416-RHBZ-1624122-fdlibm-opt-fix.patch, so as to
+ optimize compilation of fdlibm library.
+- Add patch, JDK-8210425-RHBZ-1624122-sharedRuntimeTrig-opt-fix.patch, so
+ as to optimize compilation of sharedRuntime{Trig,Trans}.cpp
+- Add patch, JDK-8210647-RHBZ-1624122-libsaproc-opt-fix.patch, so as to
+ optimize compilation of libsaproc (extra c flags won't override
+ optimization).
+- Add patch, JDK-8210703-RHBZ-1624122-vmStructs-opt-fix.patch, so as to
+ optimize compilation of vmStructs.cpp (part of libjvm.so).
+- No longer filter -O flags from C flags coming from
+ redhat-rpm-config.
+
+* Mon Sep 10 2018 Jiri Vanek - 1:11.0.ea.28-4
+- link to jhsdb followed its file to ifarch jit_arches ifnarch s390x
+
+* Fri Sep 7 2018 Severin Gehwolf - 1:11.0.ea.28-3
+- Enable ZGC on x86_64.
+
+* Tue Sep 4 2018 Jiri Vanek - 1:11.0.ea.28-2
+- jfr/*jfc files listed for all arches
+- lib/classlist do not exists s390, ifarch-ed via jit_arches out
+
+* Fri Aug 31 2018 Severin Gehwolf - 1:11.0.ea.28-1
+- Update to latest upstream build jdk11+28, the first release
+ candidate.
+
+* Wed Aug 29 2018 Severin Gehwolf - 1:11.0.ea.22-8
+- Adjust system NSS patch, pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch, so
+ as to filter -Wl,--as-needed from linker flags. Fixes FTBFS issue.
+
+* Thu Aug 23 2018 Jiri Vanek - 1:11.0.ea.22-6
+- dissabled accessibility, fixed provides for main package's debug variant
+
+* Mon Jul 30 2018 Jiri Vanek - 1:11.0.ea.22-5
+- now buildrequires javapackages-filesystem as the issue with macros should be fixed
+
+* Wed Jul 18 2018 Jiri Vanek - 1:11.0.ea.22-2
+- changed to build by itself instead of by jdk10
+
+* Tue Jul 17 2018 Jiri Vanek - 1:11.0.ea.22-1
+- added Recommends gtk3 for main package
+- changed BuildRequires from gtk2-devel to gtk3-devel (it can be more likely dropped)
+- added Suggests lksctp-tools, pcsc-lite-devel, cups for headless package
+- see RHBZ1598152
+- added trick to catch hs_err files (sgehwolf)
+- updated to shenandaoh-jdk-11+22
+
+* Sat Jul 07 2018 Jiri Vanek - 1:11.0.ea.20-1
+- removed patch6 JDK-8205616-systemLcmsAndJpgFixFor-rev_f0aeede1b855.patch
+- improved a bit generate_source_tarball.sh to serve also for systemtap
+- thus deleted generate_tapsets.sh
+- simplified and cleared update_package.sh
+- moved to single source jdk - from shenandoah/jdk11
+- bumped to latest jdk11+20
+- adapted PR2126 to jdk11+20
+- adapted handling of systemtap sources to new style
+- (no (misleading) version inside (full version is in name), thus different sed on tapsets and different directory)
+- shortened summaries and descriptions to around 80 chars
+- Hunspell spell checked
+- license fixed to correct jdk11 (sgehwolf)
+- more correct handling of internal libraries (sgehwolf)
+- added lib/security/public_suffix_list.dat as +20 have added it (JDK-8201815)
+- added test for shenandaoh GC presence where expected
+- Removed workaround for broken aarch64 slowdebug build
+- Removed all defattrs
+- Removed no longer necessary cleanup of diz and debuginfo files
+
+* Fri Jun 22 2018 Jiri Vanek - 1:11.0.ea.19-1
+- updated sources to jdk-11+19
+- added patch6 systemLcmsAndJpgFixFor-f0aeede1b855.patch to fix regression of system libraries after f0aeede1b855 commit
+- adapted pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch to accommodate changes after f0aeede1b855 commit
+
+* Thu Jun 14 2018 Severin Gehwolf - 1:11.0.ea.16-5
+- Revert rename: java-11-openjdk => java-openjdk.
+
+* Wed Jun 13 2018 Severin Gehwolf - 1:11.0.ea.16-4
+- Add aarch64 to aot_arches.
+
+* Wed Jun 13 2018 Severin Gehwolf - 1:11.0.ea.16-3
+- Rename to package java-11-openjdk.
+
+* Wed Jun 13 2018 Severin Gehwolf - 1:11.0.ea.16-2
+- Disable Aarch64 slowdebug build (see JDK-8204331).
+- s390x doesn't have the SA even though it's a JIT arch.
+
+* Wed Jun 13 2018 Severin Gehwolf - 1:11.0.ea.16-1
+- Initial version of JDK 11 ea based on tag jdk-11+16.
+- Removed patches no longer needed or upstream:
+ sorted-diff.patch (see JDK-8198844)
+ JDK-8201788-bootcycle-images-jobs.patch
+ JDK-8201509-s390-atomic_store.patch
+ JDK-8202262-libjsig.so-extra-link-flags.patch (never was an issue on 11)
+ JDK-8193802-npe-jar-getVersionMap.patch
+- Updated and renamed patches:
+ java-openjdk-s390-size_t.patch => JDK-8203030-s390-size_t.patch
+- Updated patches for JDK 11:
+ pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch
+
+* Tue Jun 12 2018 Severin Gehwolf - 1:10.0.1.10-9
+- Use proper private_libs expression for filtering requires/provides.
+
+* Fri Jun 08 2018 Severin Gehwolf - 1:10.0.1.10-8
+- Bump release and rebuild for fixed gdb. See RHBZ#1589118.
+
+* Mon Jun 04 2018 Jiri Vanek - 1:10.0.1.10-7
+- quoted sed expressions, changed possibly confusing # by @
+- added vendor(origin) into icons
+- removed last trace of relative symlinks
+- added BuildRequires of javapackages-tools to fix build failure after Requires change to javapackages-filesystem
+
+* Thu May 17 2018 Severin Gehwolf - 1:10.0.1.10-5
+- Move to javapackages-filesystem for directory ownership.
+ Resolves RHBZ#1500288
+
+* Mon Apr 30 2018 Severin Gehwolf - 1:10.0.1.10-4
+- Add JDK-8193802-npe-jar-getVersionMap.patch so as to fix
+ RHBZ#1557375.
+
+* Mon Apr 23 2018 Severin Gehwolf - 1:10.0.1.10-3
+- Inject build flags properly. See RHBZ#1571359
+- Added patch JDK-8202262-libjsig.so-extra-link-flags.patch
+ since libjsig.so doesn't get linker flags injected properly.
+
+* Fri Apr 20 2018 Severin Gehwolf - 1:10.0.1.10-2
+- Removed unneeded patches:
+ PStack-808293.patch
+ multiple-pkcs11-library-init.patch
+ ppc_stack_overflow_fix.patch
+- Added patches for s390 Zero builds:
+ JDK-8201495-s390-java-opts.patch
+ JDK-8201509-s390-atomic_store.patch
+- Renamed patches for clarity:
+ aarch64BuildFailure.patch => JDK-8200556-aarch64-slowdebug-crash.patch
+ systemCryptoPolicyPR3183.patch => pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch
+ bootcycle_jobs.patch => JDK-8201788-bootcycle-images-jobs.patch
+ system-nss-ec-rh1565658.patch => pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch
+
+* Fri Apr 20 2018 Jiri Vanek - 1:10.0.1.10-1
+- updated to security update 1
+- jexec unlinked from path
+- used java-openjdk as boot jdk
+- aligned provides/requires
+- renamed zip javadoc
+
+* Tue Apr 10 2018 Severin Gehwolf - 1:10.0.0.46-12
+- Enable basic EC ciphers test in %%check.
+
+* Tue Apr 10 2018 Severin Gehwolf - 1:10.0.0.46-11
+- Port Martin Balao's JDK 9 patch for system NSS support to JDK 10.
+- Resolves RHBZ#1565658
+
+* Mon Apr 09 2018 Jiri Vanek - 1:10.0.0.46-10
+- jexec linked to path
+
+* Fri Apr 06 2018 Jiri Vanek - 1:10.0.0.46-9
+- subpackage(s) replaced by sub-package(s) and other cosmetic changes
+
+* Tue Apr 03 2018 Jiri Vanek - 1:10.0.0.46-8
+- removed accessibility sub-packages
+- kept applied patch and properties files
+- debug sub-packages renamed to slowdebug
+
+* Fri Feb 23 2018 Jiri Vanek - 1:10.0.0.46-1
+- initial load