diff --git a/.gitignore b/.gitignore index 8c591ef..00df8f2 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/jdk-updates-jdk11u-jdk-11.0.15+9-4curve.tar.xz +SOURCES/jdk-updates-jdk11u-jdk-11.0.14.1+1-4curve.tar.xz SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz diff --git a/.java-11-openjdk.metadata b/.java-11-openjdk.metadata index e8c14b3..4c5a915 100644 --- a/.java-11-openjdk.metadata +++ b/.java-11-openjdk.metadata @@ -1,2 +1,2 @@ -9d43605109c7a4c5cad6cef74e19efe42fb163f8 SOURCES/jdk-updates-jdk11u-jdk-11.0.15+9-4curve.tar.xz +dc2a5d071dcf324a925de54709e153c6df94dd43 SOURCES/jdk-updates-jdk11u-jdk-11.0.14.1+1-4curve.tar.xz c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz diff --git a/SOURCES/NEWS b/SOURCES/NEWS index 559a70b..8069f37 100644 --- a/SOURCES/NEWS +++ b/SOURCES/NEWS @@ -3,217 +3,6 @@ Key: JDK-X - https://bugs.openjdk.java.net/browse/JDK-X CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY -New in release OpenJDK 11.0.15 (2022-04-19): -============================================= -Live versions of these release notes can be found at: - * https://bitly.com/openjdk11015 - * https://builds.shipilev.net/backports-monitor/release-notes-11.0.15.txt - -* New features - - JDK-8253795: Implementation of JEP 391: macOS/AArch64 Port -* Security fixes - - JDK-8269938: Enhance XML processing passes redux - - JDK-8270504, CVE-2022-21426: Better XPath expression handling - - JDK-8272255: Completely handle MIDI files - - JDK-8272261: Improve JFR recording file processing - - JDK-8272594: Better record of recordings - - JDK-8274221: More definite BER encodings - - JDK-8275082, JDK-8278008, CVE-2022-21476: Update XML Security for Java to 2.3.0 - - JDK-8275151, CVE-2022-21443: Improved Object Identification - - JDK-8277227: Better identification of OIDs - - JDK-8277672, CVE-2022-21434: Better invocation handler handling - - JDK-8278356: Improve file creation - - JDK-8278449: Improve keychain support - - JDK-8278798: Improve supported intrinsic - - JDK-8278805: Enhance BMP image loading - - JDK-8278972, CVE-2022-21496: Improve URL supports - - JDK-8281388: Change wrapping of EncryptedPrivateKeyInfo -* Other changes - - JDK-8065704: Set LC_ALL=C for all relevant commands in the build system - - JDK-8177814: jdk/editpad is not in jdk TEST.groups - - JDK-8186780: clang fastdebug assertion failure in os_linux_x86:os::verify_stack_alignment() - - JDK-8190748: java/text/Format/DateFormat/DateFormatTest.java and NonGregorianFormatTest fail intermittently - - JDK-8193277: SimpleFileObject inconsistency between getName and getShortName - - JDK-8199079: Test javax/swing/UIDefaults/6302464/bug6302464.java is unstable - - JDK-8202142: jfr/event/io/TestInstrumentation is unstable - - JDK-8207011: Remove uses of the register storage class specifier - - JDK-8207793: [TESTBUG] runtime/Metaspace/FragmentMetaspace.java fails: heap needs to be increased - - JDK-8208074: [TESTBUG] vmTestbase/nsk/jvmti/RedefineClasses/StressRedefineWithoutBytecodeCorruption/TestDescription.java failed with NullPointerException - - JDK-8210194: [TESTBUG] jvmti_FollowRefObjects.cpp missing initializer for member _jvmtiHeapCallbacks::heap_reference_callback - - JDK-8210236: Prepare ciReceiverTypeData::translate_receiver_data_from for concurrent class unloading - - JDK-8211170: AArch64: Warnings in C1 and template interpreter - - JDK-8211333: AArch64: Fix another build failure after JDK-8211029 - - JDK-8214004: Missing space between compiler thread name and task info in hs_err - - JDK-8214026: Canonicalized archive paths appearing in diagnostics - - JDK-8214761: Bug in parallel Kahan summation implementation - - JDK-8216969: ParseException thrown for certain months with russian locale - - JDK-8218546: Unable to connect to https://google.com using java.net.HttpClient - - JDK-8220634: SymLinkArchiveTest should handle not being able to create symlinks - - JDK-8222825: ARM32 SIGILL issue on single core CPU (not supported PLDW instruction) - - JDK-8223142: Clean-up WS and CB. - - JDK-8225559: assertion error at TransTypes.visitApply - - JDK-8232533: G1 uses only a single thread for pretouching the java heap - - JDK-8233827: Enable screenshots in the enhanced failure handler on Linux/macOS - - JDK-8233986: ProblemList javax/swing/plaf/basic/BasicTextUI/8001470/bug8001470.java for windows-x64 - - JDK-8234930: Use MAP_JIT when allocating pages for code cache on macOS - - JDK-8236210: javac generates wrong annotation for fields generated from record components - - JDK-8236505: Mark jdk/editpad/EditPadTest.java as @headful - - JDK-8237787: rewrite vmTestbase/vm/compiler/CodeCacheInfo* from shell to java - - JDK-8237798: rewrite vmTestbase/jit/tiered from shell to java - - JDK-8239502: [TEST_BUG] Test javax/swing/text/FlowView/6318524/bug6318524.java never fails - - JDK-8240904: Screen flashes on test failures when running tests from make - - JDK-8241004: NMT tests fail on unaligned thread size with debug build - - JDK-8241423: NUMA APIs fail to work in dockers due to dependent syscalls are disabled by default - - JDK-8247272: SA ELF file support has never worked for 64-bit causing address to symbol name mapping to fail - - JDK-8247515: OSX pc_to_symbol() lookup does not work with core files - - JDK-8249019: clean up FileInstaller $test.src $cwd in vmTestbase_vm_compiler tests - - JDK-8250750: JDK-8247515 fix for OSX pc_to_symbol() lookup fails with some symbols - - JDK-8251126: nsk.share.GoldChecker should read golden file from ${test.src} - - JDK-8251127: clean up FileInstaller $test.src $cwd in remaining vmTestbase_vm_compiler tests - - JDK-8251132: make main classes public in vmTestbase/jit tests - - JDK-8251558: J2DBench should support shaped and translucent windows - - JDK-8251998: remove usage of PropertyResolvingWrapper in vmTestbase/jit/t - - JDK-8252005: narrow disabling of allowSmartActionArgs in vmTestbase - - JDK-8253197: vmTestbase/nsk/jvmti/StopThread/stopthrd007/TestDescription.java fails with "ERROR: DebuggeeSleepingThread: ThreadDeath lost" - - JDK-8253816: Support macOS W^X - - JDK-8253817: Support macOS Aarch64 ABI in Interpreter - - JDK-8253818: Support macOS Aarch64 ABI for compiled wrappers - - JDK-8253819: Implement os/cpu for macOS/AArch64 - - JDK-8253839: Update tests and JDK code for macOS/Aarch64 - - JDK-8254072: AArch64: Get rid of --disable-warnings-as-errors on Windows+ARM64 build - - JDK-8254085: javax/swing/text/Caret/TestCaretPositionJTextPane.java failed with "RuntimeException: Wrong caret position" - - JDK-8254827: JVMCI: Enable it for Windows+AArch64 - - JDK-8254940: AArch64: Cleanup non-product thread members - - JDK-8254941: Implement Serviceability Agent for macOS/AArch64 - - JDK-8255035: Update BCEL to Version 6.5.0 - - JDK-8255239: The timezone of the hs_err_pid log file is corrupted in Japanese locale - - JDK-8255410: Add ChaCha20 and Poly1305 support to SunPKCS11 provider - - JDK-8255776: Change build system for macOS/AArch64 - - JDK-8256154: Some TestNG tests require default constructors - - JDK-8256321: Some "inactive" color profiles use the wrong profile class - - JDK-8256373: [Windows/HiDPI] The Frame#setBounds does not work in a minimized state - - JDK-8257467: [TESTBUG] -Wdeprecated-declarations is reported at sigset() in exesigtest.c - - JDK-8257769: Cipher.getParameters() throws NPE for ChaCha20-Poly1305 - - JDK-8258554: javax/swing/JTable/4235420/bug4235420.java fails in GTK L&F - - JDK-8261107: ArrayIndexOutOfBoundsException in the ICC_Profile.getInstance(InputStream) - - JDK-8261205: AssertionError: Cannot add metadata to an intersection type - - JDK-8262134: compiler/uncommontrap/TestDeoptOOM.java failed with "guarantee(false) failed: wrong number of expression stack elements during deopt" - - JDK-8262894: [macos_aarch64] SIGBUS in Assembler::ld_st2 - - JDK-8262896: [macos_aarch64] Crash in jni_fast_GetLongField - - JDK-8262903: [macos_aarch64] Thread::current() called on detached thread - - JDK-8263185: Mallinfo deprecated in glibc 2.33 - - JDK-8264650: Cross-compilation to macos/aarch64 - - JDK-8265150: AsyncGetCallTrace crashes on ResourceMark - - JDK-8266168: -Wmaybe-uninitialized happens in check_code.c - - JDK-8266170: -Wnonnull happens in classLoaderData.inline.hpp - - JDK-8266171: -Warray-bounds happens in imageioJPEG.c - - JDK-8266172: -Wstringop-overflow happens in vmError.cpp - - JDK-8266173: -Wmaybe-uninitialized happens in jni_util.c - - JDK-8266174: -Wmisleading-indentation happens in libmlib_image sources - - JDK-8266176: -Wmaybe-uninitialized happens in libArrayIndexOutOfBoundsExceptionTest.c - - JDK-8266187: Memory leak in appendBootClassPath() - - JDK-8266421: Deadlock in Sound System - - JDK-8266889: [macosx-aarch64] Crash with SIGBUS in MarkActivationClosure::do_code_blob during vmTestbase/nsk/jvmti/.../bi04t002 test run - - JDK-8268014: Build failure on SUSE Linux Enterprise Server 11.4 (s390x) due to 'SYS_get_mempolicy' was not declared - - JDK-8268542: serviceability/logging/TestFullNames.java tests only 1st test case - - JDK-8268882: C2: assert(n->outcnt() != 0 || C->top() == n || n->is_Proj()) failed: No dead instructions after post-alloc - - JDK-8270874: JFrame paint artifacts when dragged from standard monitor to HiDPI monitor - - JDK-8271202: C1: assert(false) failed: live_in set of first block must be empty - - JDK-8272345: macos doesn't check `os::set_boot_path()` result - - JDK-8272473: Parsing epoch seconds at a DST transition with a non-UTC parser is wrong - - JDK-8272541: Incorrect overflow test in Toom-Cook branch of BigInteger multiplication - - JDK-8273277: C2: Move conditional negation into rc_predicate - - JDK-8273341: Update Siphash to version 1.0 - - JDK-8273366: [testbug] javax/swing/UIDefaults/6302464/bug6302464.java fails on macOS12 - - JDK-8273433: Enable parallelism in vmTestbase_nsk_sysdict tests - - JDK-8273438: Enable parallelism in vmTestbase/metaspace/stressHierarchy tests - - JDK-8273514: java/util/DoubleStreamSums/CompensatedSums.java failure - - JDK-8273575: memory leak in appendBootClassPath(), paths must be deallocated - - JDK-8273634: [TEST_BUG] Improve javax/swing/text/ParagraphView/6364882/bug6364882.java - - JDK-8273638: javax/swing/JTable/4235420/bug4235420.java fails in GTK L&F - - JDK-8273682: Upgrade Jline to 3.20.0 - - JDK-8273704: DrawStringWithInfiniteXform.java failed : drawString with InfiniteXform transform takes long time - - JDK-8273933: [TESTBUG] Test must run without preallocated exceptions - - JDK-8274265: Suspicious string concatenation in logTestUtils.inline.hpp - - JDK-8274338: com/sun/jdi/RedefineCrossEvent.java failed "assert(m != __null) failed: NULL mirror" - - JDK-8274465: Fix javax/swing/text/ParagraphView/6364882/bug6364882.java failures - - JDK-8274523: java/lang/management/MemoryMXBean/MemoryTest.java test should handle Shenandoah - - JDK-8274524: SSLSocket.close() hangs if it is called during the ssl handshake - - JDK-8274658: ISO 4217 Amendment 170 Update - - JDK-8274714: Incorrect verifier protected access error message - - JDK-8274736: Concurrent read/close of SSLSockets causes SSLSessions to be invalidated unnecessarily - - JDK-8274795: AArch64: avoid spilling and restoring r18 in macro assembler - - JDK-8275326: C2: assert(no_dead_loop) failed: dead loop detected - - JDK-8275536: Add test to check that File::lastModified returns same time stamp as Files.getLastModifiedTime - - JDK-8275610: C2: Object field load floats above its null check resulting in a segfault - - JDK-8275650: Problemlist java/io/File/createTempFile/SpecialTempFile.java for Windows 11 - - JDK-8275703: System.loadLibrary fails on Big Sur for libraries hidden from filesystem - - JDK-8275811: Incorrect instance to dispose - - JDK-8276105: C2: Conv(D|F)2(I|L)Nodes::Ideal should handle rounding correctly - - JDK-8276141: XPathFactory set/getProperty method - - JDK-8276177: nsk/jvmti/RedefineClasses/StressRedefineWithoutBytecodeCorruption failed with "assert(def_ik->is_being_redefined()) failed: should be being redefined to get here" - - JDK-8276314: [JVMCI] check alignment of call displacement during code installation - - JDK-8276623: JDK-8275650 accidentally pushed "out" file - - JDK-8277328: jdk/jshell/CommandCompletionTest.java failures on Windows - - JDK-8277342: vmTestbase/nsk/stress/strace/strace004.java fails with SIGSEGV in InstanceKlass::jni_id_for - - JDK-8277385: Zero: Enable CompactStrings support - - JDK-8277441: CompileQueue::add fails with assert(_last->next() == __null) failed: not last - - JDK-8277447: Hotspot C1 compiler crashes on Kotlin suspend fun with loop - - JDK-8277488: Add expiry exception for Digicert (geotrustglobalca) expiring in May 2022 - - JDK-8277795: ldap connection timeout not honoured under contention - - JDK-8277796: Bump update version for OpenJDK: jdk-11.0.15 - - JDK-8277992: Add fast jdk_svc subtests to jdk:tier3 - - JDK-8278115: gc/stress/gclocker/TestGCLockerWithSerial.java has duplicate -Xmx - - JDK-8278116: runtime/modules/LoadUnloadModuleStress.java has duplicate -Xmx - - JDK-8278172: java/nio/channels/FileChannel/BlockDeviceSize.java should only run on Linux - - JDK-8278309: [windows] use of uninitialized OSThread::_state - - JDK-8278381: [GCC 11] Address::make_raw() does not initialize rspec - - JDK-8278384: Bytecodes::result_type() for arraylength returns T_VOID instead of T_INT - - JDK-8278758: runtime/BootstrapMethod/BSMCalledTwice.java fails with release VMs after JDK-8262134 - - JDK-8278871: [JVMCI] assert((uint)reason < 2* _trap_hist_limit) failed: oob - - JDK-8279076: C2: Bad AD file when matching SqrtF with UseSSE=0 - - JDK-8279077: JFR crashes on Linux ppc due to missing crash protector in signal handler - - JDK-8279225: [arm32] C1 longs comparison operation destroys argument registers - - JDK-8279300: [arm32] SIGILL when running GetObjectSizeIntrinsicsTest - - JDK-8279379: GHA: Print tests that are in error - - JDK-8279669: test/jdk/com/sun/jdi/TestScaffold.java uses wrong condition - - JDK-8279702: [macosx] ignore xcodebuild warnings on M1 - - JDK-8279833: Loop optimization issue in String.encodeUTF8_UTF16 - - JDK-8279924: [PPC64, s390] implement frame::is_interpreted_frame_valid checks - - JDK-8279998: PPC64 debug builds fail with "untested: RangeCheckStub: predicate_failed_trap_id" - - JDK-8280155: [PPC64, s390] frame size checks are not yet correct - - JDK-8280414: Memory leak in DefaultProxySelector - - JDK-8280526: x86_32 Math.sqrt performance regression with -XX:UseSSE={0,1} - - JDK-8280786: Build failure on Solaris after 8262392 - - JDK-8280999: array_bounds should be array-bounds after 8278507 - - JDK-8281061: [s390] JFR runs into assertions while validating interpreter frames - - JDK-8281520: JFR: A wrong parameter is passed to the constructor of LeakKlassWriter - - JDK-8281599: test/lib/jdk/test/lib/KnownOIDs.java is redundant since JDK-8268801 - - JDK-8282300: Throws NamingException instead of InvalidNameException after JDK-8278972 - - JDK-8282372: [11] build issue on MacOS/aarch64 12.2.1 using Xcode 13.1: call to 'log2_intptr' is ambiguous - - JDK-8282397: createTempFile method of java.io.File is failing when called with suffix of spaces character - - JDK-8282761: XPathFactoryImpl remove setProperty and getProperty methods - - JDK-8283018: 11u GHA: Update GCC 9 minor versions - - JDK-8283270: [11u] broken JRT_ENTRY_NO_ASYNC after Backport of JDK-8253795 - - JDK-8283778: 11u GHA: Fix GCC 9 ubuntu package names - - JDK-8284548: Invalid XPath expression causes StringIndexOutOfBoundsException - -Notes on individual issues: -=========================== - -security-libs/javax.crypto:pkcs11: - -JDK-8275737: SunPKCS11 Provider Supports ChaCha20-Poly1305 Cipher and ChaCha20 KeyGenerator if Supported by PKCS11 Library -========================================================================================================================== -SunPKCS11 provider is enhanced to support the following crypto -services and algorithms when the underlying PKCS11 library supports -the corresponding PKCS#11 mechanisms: - -* ChaCha20 KeyGenerator <=> CKM_CHACHA20_KEY_GEN mechanism -* ChaCha20-Poly1305 Cipher <=> CKM_CHACHA20_POLY1305 mechanism -* ChaCha20-Poly1305 AlgorithmParameters <=> CKM_CHACHA20_POLY1305 mechanism -* ChaCha20 SecretKeyFactory <=> CKM_CHACHA20_POLY1305 mechanism - New in release OpenJDK 11.0.14.1 (2022-02-08): ============================================= Live versions of these release notes can be found at: diff --git a/SOURCES/jdk8257794-remove_broken_assert.patch b/SOURCES/jdk8257794-remove_broken_assert.patch new file mode 100644 index 0000000..1bfc571 --- /dev/null +++ b/SOURCES/jdk8257794-remove_broken_assert.patch @@ -0,0 +1,12 @@ +diff --git openjdk.orig/src/hotspot/share/interpreter/bytecodeInterpreter.cpp openjdk/src/hotspot/share/interpreter/bytecodeInterpreter.cpp +index d18d70b5f9..30ab380e40 100644 +--- openjdk.orig/src/hotspot/share/interpreter/bytecodeInterpreter.cpp ++++ openjdk/src/hotspot/share/interpreter/bytecodeInterpreter.cpp +@@ -481,7 +481,6 @@ BytecodeInterpreter::run(interpreterState istate) { + #ifdef ASSERT + if (istate->_msg != initialize) { + assert(labs(istate->_stack_base - istate->_stack_limit) == (istate->_method->max_stack() + 1), "bad stack limit"); +- IA32_ONLY(assert(istate->_stack_limit == istate->_thread->last_Java_sp() + 1, "wrong")); + } + // Verify linkages. + interpreterState l = istate; diff --git a/SOURCES/jdk8284920-incorrect_token_type.patch b/SOURCES/jdk8284920-incorrect_token_type.patch deleted file mode 100644 index a223f1a..0000000 --- a/SOURCES/jdk8284920-incorrect_token_type.patch +++ /dev/null @@ -1,104 +0,0 @@ -From 34af291680f7554b16412205e7b47aa2f829b29c Mon Sep 17 00:00:00 2001 -From: Anton Kozlov -Date: Fri, 15 Apr 2022 14:07:52 +0300 -Subject: [PATCH] 8284920: Incorrect Token type causes XPath expression to - return empty result - -Backport-of: 0d3aea2f11df585b491ae5c07de9f66679601d58 - -Reviewed-by: ---- - .../com/sun/org/apache/xpath/internal/compiler/Lexer.java | 4 ++-- - .../com/sun/org/apache/xpath/internal/compiler/Token.java | 4 ++-- - .../org/apache/xpath/internal/compiler/XPathParser.java | 8 ++++---- - 3 files changed, 8 insertions(+), 8 deletions(-) - -diff --git openjdk.orig/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Lexer.java openjdk/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Lexer.java -index b7b3f419eb2..41b58da8e99 100644 ---- openjdk.orig/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Lexer.java -+++ openjdk/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Lexer.java -@@ -360,7 +360,7 @@ class Lexer - - addToTokenQueue(pat.substring(i, i + 1)); - break; -- case Token.COLON : -+ case Token.COLON_CHAR: - if (i>0) - { - if (posOfNSSep == (i - 1)) -@@ -615,7 +615,7 @@ class Lexer - resetTokenMark(tokPos + 1); - } - -- if (m_processor.lookahead(Token.COLON, 1)) -+ if (m_processor.lookahead(Token.COLON_CHAR, 1)) - { - tokPos += 2; - } -diff --git openjdk.orig/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Token.java openjdk/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Token.java -index 8c4fee146c6..7bce14e5770 100644 ---- openjdk.orig/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Token.java -+++ openjdk/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Token.java -@@ -45,10 +45,9 @@ public final class Token { - static final char LPAREN = '('; - static final char RPAREN = ')'; - static final char COMMA = ','; -- static final char DOT = '.'; - static final char AT = '@'; - static final char US = '_'; -- static final char COLON = ':'; -+ static final char COLON_CHAR = ':'; - static final char SQ = '\''; - static final char DQ = '"'; - static final char DOLLAR = '$'; -@@ -58,6 +57,7 @@ public final class Token { - static final String DIV = "div"; - static final String MOD = "mod"; - static final String QUO = "quo"; -+ static final String DOT = "."; - static final String DDOT = ".."; - static final String DCOLON = "::"; - static final String ATTR = "attribute"; -diff --git openjdk.orig/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/XPathParser.java openjdk/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/XPathParser.java -index c3f9e1494be..22192fd06f6 100644 ---- openjdk.orig/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/XPathParser.java -+++ openjdk/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/XPathParser.java -@@ -1413,7 +1413,7 @@ public class XPathParser - - matchFound = true; - } -- else if (lookahead(Token.LPAREN, 1) || (lookahead(Token.COLON, 1) && lookahead(Token.LPAREN, 3))) -+ else if (lookahead(Token.LPAREN, 1) || (lookahead(Token.COLON_CHAR, 1) && lookahead(Token.LPAREN, 3))) - { - matchFound = FunctionCall(); - } -@@ -1457,7 +1457,7 @@ public class XPathParser - - int opPos = m_ops.getOp(OpMap.MAPINDEX_LENGTH); - -- if (lookahead(Token.COLON, 1)) -+ if (lookahead(Token.COLON_CHAR, 1)) - { - appendOp(4, OpCodes.OP_EXTFUNCTION); - -@@ -1841,7 +1841,7 @@ public class XPathParser - m_ops.setOp(m_ops.getOp(OpMap.MAPINDEX_LENGTH), OpCodes.NODENAME); - m_ops.setOp(OpMap.MAPINDEX_LENGTH, m_ops.getOp(OpMap.MAPINDEX_LENGTH) + 1); - -- if (lookahead(Token.COLON, 1)) -+ if (lookahead(Token.COLON_CHAR, 1)) - { - if (tokenIs(Token.STAR)) - { -@@ -1944,7 +1944,7 @@ public class XPathParser - protected void QName() throws TransformerException - { - // Namespace -- if(lookahead(Token.COLON, 1)) -+ if(lookahead(Token.COLON_CHAR, 1)) - { - m_ops.setOp(m_ops.getOp(OpMap.MAPINDEX_LENGTH), m_queueMark - 1); - m_ops.setOp(OpMap.MAPINDEX_LENGTH, m_ops.getOp(OpMap.MAPINDEX_LENGTH) + 1); --- -2.34.1 - diff --git a/SOURCES/nss.fips.cfg.in b/SOURCES/nss.fips.cfg.in index ead27be..1aff153 100644 --- a/SOURCES/nss.fips.cfg.in +++ b/SOURCES/nss.fips.cfg.in @@ -1,6 +1,6 @@ name = NSS-FIPS nssLibraryDirectory = @NSS_LIBDIR@ -nssSecmodDirectory = @NSS_SECMOD@ +nssSecmodDirectory = sql:/etc/pki/nssdb nssDbMode = readOnly nssModule = fips diff --git a/SOURCES/rh1996182-login_to_nss_software_token.patch b/SOURCES/rh1996182-login_to_nss_software_token.patch index a443dc8..10c5666 100644 --- a/SOURCES/rh1996182-login_to_nss_software_token.patch +++ b/SOURCES/rh1996182-login_to_nss_software_token.patch @@ -1,3 +1,9 @@ +commit 53bda6adfacc02b8dddd8f10350c9569bca4eb1e +Author: Martin Balao +Date: Fri Aug 27 19:42:07 2021 +0100 + + RH1996182: Login to the NSS Software Token in FIPS Mode + diff --git openjdk.orig/src/java.base/share/classes/module-info.java openjdk/src/java.base/share/classes/module-info.java index 5460efcf8c..f08dc2fafc 100644 --- openjdk.orig/src/java.base/share/classes/module-info.java @@ -11,11 +17,11 @@ index 5460efcf8c..f08dc2fafc 100644 jdk.attach, jdk.charsets, diff --git openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java -index 099caac605..ffadb43eb1 100644 +index 5e227f4531..164de8ff08 100644 --- openjdk.orig/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java +++ openjdk/src/jdk.crypto.cryptoki/share/classes/sun/security/pkcs11/SunPKCS11.java -@@ -43,6 +43,8 @@ import javax.security.auth.callback.PasswordCallback; - import com.sun.crypto.provider.ChaCha20Poly1305Parameters; +@@ -41,6 +41,8 @@ import javax.security.auth.callback.CallbackHandler; + import javax.security.auth.callback.PasswordCallback; import jdk.internal.misc.InnocuousThread; +import jdk.internal.misc.SharedSecrets; @@ -23,7 +29,7 @@ index 099caac605..ffadb43eb1 100644 import sun.security.util.Debug; import sun.security.util.ResourcesMgr; import static sun.security.util.SecurityConstants.PROVIDER_VER; -@@ -60,6 +62,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*; +@@ -58,6 +60,9 @@ import static sun.security.pkcs11.wrapper.PKCS11Constants.*; */ public final class SunPKCS11 extends AuthProvider { @@ -33,7 +39,7 @@ index 099caac605..ffadb43eb1 100644 private static final long serialVersionUID = -1354835039035306505L; static final Debug debug = Debug.getInstance("sunpkcs11"); -@@ -376,6 +381,24 @@ public final class SunPKCS11 extends AuthProvider { +@@ -374,6 +379,24 @@ public final class SunPKCS11 extends AuthProvider { if (nssModule != null) { nssModule.setProvider(this); } diff --git a/SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch b/SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch new file mode 100644 index 0000000..b5351a8 --- /dev/null +++ b/SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch @@ -0,0 +1,99 @@ +commit 0cd8cee94fe0f867b0b39890e00be620af1d9b07 +Author: Andrew Hughes +Date: Tue Jan 18 02:09:27 2022 +0000 + + RH2021263: Improve Security initialisation, now FIPS support no longer relies on crypto policy support + +diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java +index 28ab1846173..f9726741afd 100644 +--- openjdk.orig/src/java.base/share/classes/java/security/Security.java ++++ openjdk/src/java.base/share/classes/java/security/Security.java +@@ -61,10 +61,6 @@ public final class Security { + private static final Debug sdebug = + Debug.getInstance("properties"); + +- /* System property file*/ +- private static final String SYSTEM_PROPERTIES = +- "/etc/crypto-policies/back-ends/java.config"; +- + /* The java.security properties */ + private static Properties props; + +@@ -206,22 +202,36 @@ public final class Security { + } + } + ++ if (!loadedProps) { ++ initializeStatic(); ++ if (sdebug != null) { ++ sdebug.println("unable to load security properties " + ++ "-- using defaults"); ++ } ++ } ++ + String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile"); + if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) && + "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) { +- if (SystemConfigurator.configure(props)) { +- loadedProps = true; ++ if (!SystemConfigurator.configureSysProps(props)) { ++ if (sdebug != null) { ++ sdebug.println("WARNING: System properties could not be loaded."); ++ } + } + } + +- if (!loadedProps) { +- initializeStatic(); ++ // FIPS support depends on the contents of java.security so ++ // ensure it has loaded first ++ if (loadedProps) { ++ boolean fipsEnabled = SystemConfigurator.configureFIPS(props); + if (sdebug != null) { +- sdebug.println("unable to load security properties " + +- "-- using defaults"); ++ if (fipsEnabled) { ++ sdebug.println("FIPS support enabled."); ++ } else { ++ sdebug.println("FIPS support disabled."); ++ } + } + } +- + } + + /* +diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java +index 874c6221ebe..b7ed41acf0f 100644 +--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java ++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java +@@ -76,7 +76,7 @@ final class SystemConfigurator { + * java.security.disableSystemPropertiesFile property is not set and + * security.useSystemPropertiesFile is true. + */ +- static boolean configure(Properties props) { ++ static boolean configureSysProps(Properties props) { + boolean loadedProps = false; + + try (BufferedInputStream bis = +@@ -96,11 +96,19 @@ final class SystemConfigurator { + e.printStackTrace(); + } + } ++ return loadedProps; ++ } ++ ++ /* ++ * Invoked at the end of java.security.Security initialisation ++ * if java.security properties have been loaded ++ */ ++ static boolean configureFIPS(Properties props) { ++ boolean loadedProps = false; + + try { + if (enableFips()) { + if (sdebug != null) { sdebug.println("FIPS mode detected"); } +- loadedProps = false; + // Remove all security providers + Iterator> i = props.entrySet().iterator(); + while (i.hasNext()) { diff --git a/SOURCES/rh2052829-fips_runtime_nss_detection.patch b/SOURCES/rh2052829-fips_runtime_nss_detection.patch new file mode 100644 index 0000000..dd30384 --- /dev/null +++ b/SOURCES/rh2052829-fips_runtime_nss_detection.patch @@ -0,0 +1,220 @@ +commit e2be09f982af1cc05f5e6556d51900bca4757416 +Author: Andrew Hughes +Date: Mon Feb 28 05:30:32 2022 +0000 + + RH2051605: Detect NSS at Runtime for FIPS detection + +diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c +index 34d0ff0ce91..8dcb7d9073f 100644 +--- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c ++++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c +@@ -23,25 +23,99 @@ + * questions. + */ + +-#include + #include + #include ++#include "jvm_md.h" + #include + + #ifdef SYSCONF_NSS + #include ++#else ++#include + #endif //SYSCONF_NSS + + #include "java_security_SystemConfigurator.h" + ++#define MSG_MAX_SIZE 256 + #define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" +-#define MSG_MAX_SIZE 96 + ++typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void); ++ ++static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled; + static jmethodID debugPrintlnMethodID = NULL; + static jobject debugObj = NULL; + +-static void throwIOException(JNIEnv *env, const char *msg); +-static void dbgPrint(JNIEnv *env, const char* msg); ++static void dbgPrint(JNIEnv *env, const char* msg) ++{ ++ jstring jMsg; ++ if (debugObj != NULL) { ++ jMsg = (*env)->NewStringUTF(env, msg); ++ CHECK_NULL(jMsg); ++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); ++ } ++} ++ ++static void throwIOException(JNIEnv *env, const char *msg) ++{ ++ jclass cls = (*env)->FindClass(env, "java/io/IOException"); ++ if (cls != 0) ++ (*env)->ThrowNew(env, cls, msg); ++} ++ ++static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes) ++{ ++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { ++ dbgPrint(env, msg); ++ } else { ++ dbgPrint(env, "systemconf: cannot render message"); ++ } ++} ++ ++// Only used when NSS is not linked at build time ++#ifndef SYSCONF_NSS ++ ++static void *nss_handle; ++ ++static jboolean loadNSS(JNIEnv *env) ++{ ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ const char* errmsg; ++ ++ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY); ++ if (nss_handle == NULL) { ++ errmsg = dlerror(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ return JNI_FALSE; ++ } ++ dlerror(); /* Clear errors */ ++ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled"); ++ if ((errmsg = dlerror()) != NULL) { ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ return JNI_FALSE; ++ } ++ return JNI_TRUE; ++} ++ ++static void closeNSS(JNIEnv *env) ++{ ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ const char* errmsg; ++ ++ if (dlclose(nss_handle) != 0) { ++ errmsg = dlerror(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ } ++} ++ ++#endif + + /* + * Class: java_security_SystemConfigurator +@@ -84,6 +158,14 @@ JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved) + debugObj = (*env)->NewGlobalRef(env, debugObj); + } + ++#ifdef SYSCONF_NSS ++ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled; ++#else ++ if (loadNSS(env) == JNI_FALSE) { ++ dbgPrint(env, "libsystemconf: Failed to load NSS library."); ++ } ++#endif ++ + return (*env)->GetVersion(env); + } + +@@ -99,6 +181,9 @@ JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved) + if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { + return; /* Should not happen */ + } ++#ifndef SYSCONF_NSS ++ closeNSS(env); ++#endif + (*env)->DeleteGlobalRef(env, debugObj); + } + } +@@ -110,61 +195,30 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn + char msg[MSG_MAX_SIZE]; + int msg_bytes; + +-#ifdef SYSCONF_NSS +- +- dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled"); +- fips_enabled = SECMOD_GetSystemFIPSEnabled(); +- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ +- " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled); +- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { +- dbgPrint(env, msg); ++ if (getSystemFIPSEnabled != NULL) { ++ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled"); ++ fips_enabled = (*getSystemFIPSEnabled)(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled); ++ handle_msg(env, msg, msg_bytes); ++ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE); + } else { +- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \ +- " SECMOD_GetSystemFIPSEnabled return value"); +- } +- return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE); +- +-#else // SYSCONF_NSS ++ FILE *fe; + +- FILE *fe; +- +- dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); +- if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { ++ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); ++ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { + throwIOException(env, "Cannot open " FIPS_ENABLED_PATH); + return JNI_FALSE; +- } +- fips_enabled = fgetc(fe); +- fclose(fe); +- if (fips_enabled == EOF) { ++ } ++ fips_enabled = fgetc(fe); ++ fclose(fe); ++ if (fips_enabled == EOF) { + throwIOException(env, "Cannot read " FIPS_ENABLED_PATH); + return JNI_FALSE; +- } +- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ +- " read character is '%c'", fips_enabled); +- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { +- dbgPrint(env, msg); +- } else { +- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \ +- " read character"); +- } +- return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE); +- +-#endif // SYSCONF_NSS +-} +- +-static void throwIOException(JNIEnv *env, const char *msg) +-{ +- jclass cls = (*env)->FindClass(env, "java/io/IOException"); +- if (cls != 0) +- (*env)->ThrowNew(env, cls, msg); +-} +- +-static void dbgPrint(JNIEnv *env, const char* msg) +-{ +- jstring jMsg; +- if (debugObj != NULL) { +- jMsg = (*env)->NewStringUTF(env, msg); +- CHECK_NULL(jMsg); +- (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); ++ } ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " read character is '%c'", fips_enabled); ++ handle_msg(env, msg, msg_bytes); ++ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE); + } + } diff --git a/SPECS/java-11-openjdk.spec b/SPECS/java-11-openjdk.spec index bdc8130..0f3a4d3 100644 --- a/SPECS/java-11-openjdk.spec +++ b/SPECS/java-11-openjdk.spec @@ -23,6 +23,8 @@ %bcond_without staticlibs # Remove build artifacts by default %bcond_with artifacts +# Build a fresh libjvm.so for use in a copy of the bootstrap JDK +%bcond_without fresh_libjvm # Workaround for stripping of debug symbols from static libraries %if %{with staticlibs} @@ -32,6 +34,13 @@ %global include_staticlibs 0 %endif +# Define whether to use the bootstrap JDK directly or with a fresh libjvm.so +%if %{with fresh_libjvm} +%global build_hotspot_first 1 +%else +%global build_hotspot_first 0 +%endif + # The -g flag says to use strip -g instead of full strip on DSOs or EXEs. # This fixes detailed NMT and other tools which need minimal debug info. # See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879 @@ -76,7 +85,7 @@ # in alternatives those are slaves and master, very often triplicated by man pages # in files all masters and slaves are ghosted # the ghosts are here to allow installation via query like `dnf install /usr/bin/java` -# you can list those files, with appropriate sections: cat *.spec | grep -e --install -e --slave -e post_ +# you can list those files, with appropriate sections: cat *.spec | grep -e --install -e --slave -e post_ -e alternatives # TODO - fix those hardcoded lists via single list # Those files must *NOT* be ghosted for *slowdebug* packages # FIXME - if you are moving jshell or jlink or similar, always modify all three sections @@ -102,7 +111,9 @@ # Set of architectures for which we build fastdebug builds %global fastdebug_arches x86_64 ppc64le aarch64 # Set of architectures with a Just-In-Time (JIT) compiler -%global jit_arches %{debug_arches} %{arm} +%global jit_arches %{arm} %{aarch64} %{ix86} %{power64} s390x sparcv9 sparc64 x86_64 +# Set of architectures which use the Zero assembler port (!jit_arches) +%global zero_arches ppc s390 # Set of architectures which run a full bootstrap cycle %global bootstrap_arches %{jit_arches} # Set of architectures which support SystemTap tapsets @@ -121,6 +132,8 @@ %global zgc_arches x86_64 # Set of architectures for which alt-java has SSB mitigation %global ssbd_arches x86_64 +# Set of architectures where we verify backtraces with gdb +%global gdb_arches %{jit_arches} %{zero_arches} # By default, we build a slowdebug build during main build on JIT architectures %if %{with slowdebug} @@ -174,7 +187,7 @@ %global fastdebug_build %{nil} %endif -# If you disable both builds, then the build fails +# If you disable all builds, then the build fails # Build and test slowdebug first as it provides the best diagnostics %global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build} @@ -208,6 +221,11 @@ %global release_targets images docs-zip # No docs nor bootcycle for debug builds %global debug_targets images +# Target to use to just build HotSpot +%global hotspot_target hotspot + +# JDK to use for bootstrapping +%global bootjdk /usr/lib/jvm/java-%{buildjdkver}-openjdk # Disable LTO as this causes build failures at the moment. # See RHBZ#1861401 @@ -297,8 +315,8 @@ # New Version-String scheme-style defines %global featurever 11 %global interimver 0 -%global updatever 15 -%global patchver 0 +%global updatever 14 +%global patchver 1 # If you bump featurever, you must bump also vendor_version_string # Used via new version scheme. JDK 11 was # GA'ed in September 2018 => 18.9 @@ -344,8 +362,8 @@ %global origin_nice OpenJDK %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup -%global buildver 9 -%global rpmrelease 2 +%global buildver 1 +%global rpmrelease 6 #%%global tagsuffix %%{nil} # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk @@ -443,6 +461,9 @@ %global alternatives_requires %{_sbindir}/alternatives %endif +%global family %{name}.%{_arch} +%global family_noarch %{name} + %if %{with_systemtap} # Where to install systemtap tapset (links) # We would like these to be in a package specific sub-dir, @@ -460,6 +481,50 @@ # not-duplicated scriptlets for normal/debug packages %global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : +%define save_alternatives() %{expand: + # warning! alternatives are localised! + # LANG=cs_CZ.UTF-8 alternatives --display java | head + # LANG=en_US.UTF-8 alternatives --display java | head + function nonLocalisedAlternativesDisplayOfMaster() { + LANG=en_US.UTF-8 alternatives --display "$MASTER" + } + function headOfAbove() { + nonLocalisedAlternativesDisplayOfMaster | head -n $1 + } + MASTER="%{?1}" + LOCAL_LINK="%{?2}" + FAMILY="%{?3}" + rm -f %{_localstatedir}/lib/rpm-state/"$MASTER"_$FAMILY > /dev/null + if nonLocalisedAlternativesDisplayOfMaster > /dev/null ; then + if headOfAbove 1 | grep -q manual ; then + if headOfAbove 2 | tail -n 1 | grep -q %{compatiblename} ; then + headOfAbove 2 > %{_localstatedir}/lib/rpm-state/"$MASTER"_"$FAMILY" + fi + fi + fi +} + +%define save_and_remove_alternatives() %{expand: + if [ "x$debug" == "xtrue" ] ; then + set -x + fi + upgrade1_uninstal0=%{?3} + if [ "0$upgrade1_uninstal0" -gt 0 ] ; then # removal of this condition will cause persistence between uninstall + %{save_alternatives %{?1} %{?2} %{?4}} + fi + alternatives --remove "%{?1}" "%{?2}" +} + +%define set_if_needed_alternatives() %{expand: + MASTER="%{?1}" + FAMILY="%{?2}" + ALTERNATIVES_FILE="%{_localstatedir}/lib/rpm-state/$MASTER"_"$FAMILY" + if [ -e "$ALTERNATIVES_FILE" ] ; then + rm "$ALTERNATIVES_FILE" + alternatives --set $MASTER $FAMILY + fi +} + %define post_script() %{expand: update-desktop-database %{_datadir}/applications &> /dev/null || : @@ -467,20 +532,19 @@ update-desktop-database %{_datadir}/applications &> /dev/null || : exit 0 } - -%define post_headless() %{expand: -%ifarch %{share_arches} -%{jrebindir -- %{?1}}/java -Xshare:dump >/dev/null 2>/dev/null -%endif - +%define alternatives_java_install() %{expand: +if [ "x$debug" == "xtrue" ] ; then + set -x +fi PRIORITY=%{priority} if [ "%{?1}" == %{debug_suffix} ]; then let PRIORITY=PRIORITY-1 fi ext=.gz +key=java alternatives \\ - --install %{_bindir}/java java %{jrebindir -- %{?1}}/java $PRIORITY --family %{name}.%{_arch} \\ + --install %{_bindir}/java $key %{jrebindir -- %{?1}}/java $PRIORITY --family %{family} \\ --slave %{_jvmdir}/jre jre %{_jvmdir}/%{sdkdir -- %{?1}} \\ --slave %{_bindir}/%{alt_java_name} %{alt_java_name} %{jrebindir -- %{?1}}/%{alt_java_name} \\ --slave %{_bindir}/jjs jjs %{jrebindir -- %{?1}}/jjs \\ @@ -506,12 +570,23 @@ alternatives \\ --slave %{_mandir}/man1/unpack200.1$ext unpack200.1$ext \\ %{_mandir}/man1/unpack200-%{uniquesuffix -- %{?1}}.1$ext +%{set_if_needed_alternatives $key %{family}} + for X in %{origin} %{javaver} ; do - alternatives --install %{_jvmdir}/jre-"$X" jre_"$X" %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{name}.%{_arch} + key=jre_"$X" + alternatives --install %{_jvmdir}/jre-"$X" $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family} + %{set_if_needed_alternatives $key %{family}} done -update-alternatives --install %{_jvmdir}/jre-%{javaver}-%{origin} jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} $PRIORITY --family %{name}.%{_arch} +key=jre_%{javaver}_%{origin} +alternatives --install %{_jvmdir}/jre-%{javaver}-%{origin} $key %{_jvmdir}/%{jrelnk -- %{?1}} $PRIORITY --family %{family} +%{set_if_needed_alternatives $key %{family}} +} +%define post_headless() %{expand: +%ifarch %{share_arches} +%{jrebindir -- %{?1}}/java -Xshare:dump >/dev/null 2>/dev/null +%endif update-desktop-database %{_datadir}/applications &> /dev/null || : /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || : @@ -538,26 +613,34 @@ exit 0 %define postun_headless() %{expand: - alternatives --remove java %{jrebindir -- %{?1}}/java - alternatives --remove jre_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} - alternatives --remove jre_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} - alternatives --remove jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} + if [ "x$debug" == "xtrue" ] ; then + set -x + fi + post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax + %{save_and_remove_alternatives java %{jrebindir -- %{?1}}/java $post_state %{family}} + %{save_and_remove_alternatives jre_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}} + %{save_and_remove_alternatives jre_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}} + %{save_and_remove_alternatives jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} $post_state %{family}} } %define posttrans_script() %{expand: %{update_desktop_icons} } -%define post_devel() %{expand: +%define alternatives_javac_install() %{expand: +if [ "x$debug" == "xtrue" ] ; then + set -x +fi PRIORITY=%{priority} if [ "%{?1}" == %{debug_suffix} ]; then let PRIORITY=PRIORITY-1 fi ext=.gz +key=javac alternatives \\ - --install %{_bindir}/javac javac %{sdkbindir -- %{?1}}/javac $PRIORITY --family %{name}.%{_arch} \\ + --install %{_bindir}/javac $key %{sdkbindir -- %{?1}}/javac $PRIORITY --family %{family} \\ --slave %{_jvmdir}/java java_sdk %{_jvmdir}/%{sdkdir -- %{?1}} \\ %ifarch %{aot_arches} --slave %{_bindir}/jaotc jaotc %{sdkbindir -- %{?1}}/jaotc \\ @@ -565,8 +648,10 @@ alternatives \\ --slave %{_bindir}/jlink jlink %{sdkbindir -- %{?1}}/jlink \\ --slave %{_bindir}/jmod jmod %{sdkbindir -- %{?1}}/jmod \\ %ifarch %{sa_arches} +%ifnarch %{zero_arches} --slave %{_bindir}/jhsdb jhsdb %{sdkbindir -- %{?1}}/jhsdb \\ %endif +%endif --slave %{_bindir}/jar jar %{sdkbindir -- %{?1}}/jar \\ --slave %{_bindir}/jarsigner jarsigner %{sdkbindir -- %{?1}}/jarsigner \\ --slave %{_bindir}/javadoc javadoc %{sdkbindir -- %{?1}}/javadoc \\ @@ -623,15 +708,22 @@ alternatives \\ --slave %{_mandir}/man1/rmic.1$ext rmic.1$ext \\ %{_mandir}/man1/rmic-%{uniquesuffix -- %{?1}}.1$ext \\ --slave %{_mandir}/man1/serialver.1$ext serialver.1$ext \\ - %{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1$ext \\ + %{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1$ext + +%{set_if_needed_alternatives $key %{family}} for X in %{origin} %{javaver} ; do - alternatives \\ - --install %{_jvmdir}/java-"$X" java_sdk_"$X" %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{name}.%{_arch} + key=java_sdk_"$X" + alternatives --install %{_jvmdir}/java-"$X" $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family} + %{set_if_needed_alternatives $key %{family}} done -update-alternatives --install %{_jvmdir}/java-%{javaver}-%{origin} java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{name}.%{_arch} +key=java_sdk_%{javaver}_%{origin} +alternatives --install %{_jvmdir}/java-%{javaver}-%{origin} $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family} +%{set_if_needed_alternatives $key %{family}} +} +%define post_devel() %{expand: update-desktop-database %{_datadir}/applications &> /dev/null || : /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || : @@ -639,10 +731,14 @@ exit 0 } %define postun_devel() %{expand: - alternatives --remove javac %{sdkbindir -- %{?1}}/javac - alternatives --remove java_sdk_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} - alternatives --remove java_sdk_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} - alternatives --remove java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} + if [ "x$debug" == "xtrue" ] ; then + set -x + fi + post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax + %{save_and_remove_alternatives javac %{sdkbindir -- %{?1}}/javac $post_state %{family}} + %{save_and_remove_alternatives java_sdk_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}} + %{save_and_remove_alternatives java_sdk_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}} + %{save_and_remove_alternatives java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}} update-desktop-database %{_datadir}/applications &> /dev/null || : @@ -654,42 +750,54 @@ exit 0 } %define posttrans_devel() %{expand: +%{alternatives_javac_install -- %{?1}} %{update_desktop_icons} } -%define post_javadoc() %{expand: - +%define alternatives_javadoc_install() %{expand: +if [ "x$debug" == "xtrue" ] ; then + set -x +fi PRIORITY=%{priority} if [ "%{?1}" == %{debug_suffix} ]; then let PRIORITY=PRIORITY-1 fi -alternatives \\ - --install %{_javadocdir}/java javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api \\ - $PRIORITY --family %{name} +key=javadocdir +alternatives --install %{_javadocdir}/java $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch} +%{set_if_needed_alternatives $key %{family_noarch}} exit 0 } %define postun_javadoc() %{expand: - alternatives --remove javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api +if [ "x$debug" == "xtrue" ] ; then + set -x +fi + post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax + %{save_and_remove_alternatives javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}} exit 0 } -%define post_javadoc_zip() %{expand: - +%define alternatives_javadoczip_install() %{expand: +if [ "x$debug" == "xtrue" ] ; then + set -x +fi PRIORITY=%{priority} if [ "%{?1}" == %{debug_suffix} ]; then let PRIORITY=PRIORITY-1 fi - -alternatives \\ - --install %{_javadocdir}/java-zip javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip \\ - $PRIORITY --family %{name} +key=javadoczip +alternatives --install %{_javadocdir}/java-zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch} +%{set_if_needed_alternatives $key %{family_noarch}} exit 0 } %define postun_javadoc_zip() %{expand: - alternatives --remove javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip + if [ "x$debug" == "xtrue" ] ; then + set -x + fi + post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax + %{save_and_remove_alternatives javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}} exit 0 } @@ -760,8 +868,10 @@ exit 0 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/librmi.so # Some architectures don't have the serviceability agent %ifarch %{sa_arches} +%ifnarch %{zero_arches} %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsaproc.so %endif +%endif %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsctp.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsunec.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsystemconf.so @@ -855,8 +965,10 @@ exit 0 %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jimage # Some architectures don't have the serviceability agent %ifarch %{sa_arches} +%ifnarch %{zero_arches} %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jhsdb %endif +%endif %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jinfo %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jlink %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jmap @@ -1015,8 +1127,8 @@ Requires: ca-certificates # Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros Requires: javapackages-filesystem # Require zone-info data provided by tzdata-java sub-package -# 2021a required as of JDK-8260356 in April 2021 CPU -Requires: tzdata-java >= 2021a +# 2021e required as of JDK-8275766 in January 2022 CPU +Requires: tzdata-java >= 2021e # for support of kernel stream control # libsctp.so.1 is being `dlopen`ed on demand Requires: lksctp-tools%{?_isa} @@ -1029,6 +1141,8 @@ OrderWithRequires: copy-jdk-configs %endif # for printing support Requires: cups-libs +# for FIPS PKCS11 provider +Requires: nss # Post requires alternatives to install tool alternatives Requires(post): %{alternatives_requires} # Postun requires alternatives to uninstall tool alternatives @@ -1111,10 +1225,10 @@ Requires(post): %{alternatives_requires} Requires(postun): %{alternatives_requires} # Standard JPackage javadoc provides -Provides: java-%{javaver}-javadoc%{?1} = %{epoch}:%{version}-%{release} -Provides: java-%{javaver}-%{origin}-javadoc%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-%{origin}-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release} %if %is_system_jdk -Provides: java-javadoc%{?1} = %{epoch}:%{version}-%{release} +Provides: java-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release} %endif } @@ -1241,6 +1355,10 @@ Patch1011: rh1991003-enable_fips_keys_import.patch # RH2021263: Resolve outstanding FIPS issues Patch1014: rh2021263-fips_ensure_security_initialised.patch Patch1015: rh2021263-fips_missing_native_returns.patch +# RH2052819: Fix FIPS reliance on crypto policies +Patch1016: rh2021263-fips_separate_policy_and_fips_init.patch +# RH2052829: Detect NSS at Runtime for FIPS detection +Patch1017: rh2052829-fips_runtime_nss_detection.patch ############################################# # @@ -1269,15 +1387,25 @@ Patch8: jdk8275535-rh2053256-ldap_auth.patch ############################################# # -# Patches appearing in 11.0.15 +# Backportable patches +# +# This section includes patches which are +# present in the current development tree, but +# need to be reviewed & pushed to the appropriate +# updates tree of OpenJDK. +############################################# +# JDK-8257794: Zero: assert(istate->_stack_limit == istate->_thread->last_Java_sp() + 1) failed: wrong on Linux/x86_32 +Patch101: jdk8257794-remove_broken_assert.patch + +############################################# +# +# Patches appearing in 11.0.13 # # This section includes patches which are present # in the listed OpenJDK 11u release and should be # able to be removed once that release is out # and used by this RPM. ############################################# -# JDK-8284920: Incorrect Token type causes XPath expression to return empty result -Patch9: jdk8284920-incorrect_token_type.patch BuildRequires: autoconf BuildRequires: automake @@ -1304,8 +1432,8 @@ BuildRequires: libXrandr-devel BuildRequires: libXrender-devel BuildRequires: libXt-devel BuildRequires: libXtst-devel -# Requirements for setting up the nss.cfg and FIPS support -BuildRequires: nss-devel >= 3.53 +# Requirement for setting up nss.cfg and nss.fips.cfg +BuildRequires: nss-devel BuildRequires: pkgconfig BuildRequires: xorg-x11-proto-devel BuildRequires: zip @@ -1313,11 +1441,11 @@ BuildRequires: unzip BuildRequires: javapackages-filesystem BuildRequires: java-%{buildjdkver}-openjdk-devel # Zero-assembler build requirement -%ifnarch %{jit_arches} +%ifarch %{zero_arches} BuildRequires: libffi-devel %endif -# 2021a required as of JDK-8260356 in April 2021 CPU -BuildRequires: tzdata-java >= 2021a +# 2021e required as of JDK-8275766 in January 2022 CPU +BuildRequires: tzdata-java >= 2021e # Earlier versions have a bug in tree vectorization on PPC BuildRequires: gcc >= 4.8.3-8 @@ -1599,7 +1727,7 @@ Group: Documentation Requires: javapackages-filesystem Obsoletes: javadoc-debug -%{java_javadoc_rpo %{nil}} +%{java_javadoc_rpo -- %{nil} %{nil}} %description javadoc The %{origin_nice} %{featurever} API documentation. @@ -1612,7 +1740,8 @@ Group: Documentation Requires: javapackages-filesystem Obsoletes: javadoc-zip-debug -%{java_javadoc_rpo %{nil}} +%{java_javadoc_rpo -- %{nil} -zip} +%{java_javadoc_rpo -- %{nil} %{nil}} %description javadoc-zip The %{origin_nice} %{featurever} API documentation compressed in a single archive. @@ -1668,9 +1797,10 @@ pushd %{top_level_dir_name} %patch3 -p1 %patch4 -p1 %patch7 -p1 -%patch9 -p1 popd # openjdk +%patch101 + %patch1000 %patch600 %patch1001 @@ -1683,6 +1813,8 @@ popd # openjdk %patch1011 %patch1014 %patch1015 +%patch1016 +%patch1017 %patch8 @@ -1737,7 +1869,6 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg # Setup nss.fips.cfg sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg -sed -i -e "s:@NSS_SECMOD@:/etc/pki/nssdb:g" nss.fips.cfg %build # How many CPU's do we have? @@ -1764,17 +1895,21 @@ EXTRA_CPP_FLAGS="%ourcppflags" # fix rpmlint warnings EXTRA_CFLAGS="$EXTRA_CFLAGS -fno-strict-aliasing" %endif +%ifarch %{ix86} +# Align stack boundary on x86_32 +EXTRA_CFLAGS="$(echo ${EXTRA_CFLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')" +EXTRA_CPP_FLAGS="$(echo ${EXTRA_CPP_FLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')" +%endif # Fixes annocheck warnings in assembler files due to missing build notes EXTRA_ASFLAGS="${EXTRA_CFLAGS} -Wa,--generate-missing-build-notes=yes" -export EXTRA_CFLAGS EXTRA_ASFLAGS +export EXTRA_CFLAGS EXTRA_CPP_FLAGS EXTRA_ASFLAGS function buildjdk() { local outputdir=${1} - local installdir=${2} - local buildjdk=${3} - local maketargets="${4}" - local debuglevel=${5} - local link_opt=${6} + local buildjdk=${2} + local maketargets="${3}" + local debuglevel=${4} + local link_opt=${5} local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name} local top_dir_abs_build_path=$(pwd)/${outputdir} @@ -1787,11 +1922,11 @@ function buildjdk() { echo "Using link_opt: ${link_opt}" echo "Building %{newjavaver}-%{buildver}, pre=%{ea_designator}, opt=%{lts_designator}" - mkdir -p ${outputdir} ${installdir} + mkdir -p ${outputdir} pushd ${outputdir} bash ${top_dir_abs_src_path}/configure \ -%ifnarch %{jit_arches} +%ifarch %{zero_arches} --with-jvm-variants=zero \ %endif %ifarch %{ppc64le} @@ -1808,7 +1943,7 @@ function buildjdk() { --with-boot-jdk=${buildjdk} \ --with-debug-level=${debuglevel} \ --with-native-debug-symbols="%{debug_symbols}" \ - --enable-sysconf-nss \ + --disable-sysconf-nss \ --enable-unlimited-crypto \ --with-zlib=system \ --with-libjpeg=${link_opt} \ @@ -1836,8 +1971,15 @@ function buildjdk() { $maketargets || ( pwd; find ${top_dir_abs_src_path} ${top_dir_abs_build_path} -name "hs_err_pid*.log" | xargs cat && false ) popd +} + +function installjdk() { + local outputdir=${1} + local installdir=${2} + local imagepath=${installdir}/images/%{jdkimage} echo "Installing build from ${outputdir} to ${installdir}..." + mkdir -p ${installdir} echo "Installing images..." mv ${outputdir}/images ${installdir} if [ -d ${outputdir}/bundles ] ; then @@ -1853,39 +1995,47 @@ function buildjdk() { echo "Removing output directory..."; rm -rf ${outputdir} %endif -} -function installjdk() { - local imagepath=${1} - - # the build (erroneously) removes read permissions from some jars - # this is a regression in OpenJDK 7 (our compiler): - # http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437 - find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \; + if [ -d ${imagepath} ] ; then + # the build (erroneously) removes read permissions from some jars + # this is a regression in OpenJDK 7 (our compiler): + # http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437 + find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \; - # Build screws up permissions on binaries - # https://bugs.openjdk.java.net/browse/JDK-8173610 - find ${imagepath} -iname '*.so' -exec chmod +x {} \; - find ${imagepath}/bin/ -exec chmod +x {} \; + # Build screws up permissions on binaries + # https://bugs.openjdk.java.net/browse/JDK-8173610 + find ${imagepath} -iname '*.so' -exec chmod +x {} \; + find ${imagepath}/bin/ -exec chmod +x {} \; - # Install nss.cfg right away as we will be using the JRE above - install -m 644 nss.cfg ${imagepath}/conf/security/ + # Install nss.cfg right away as we will be using the JRE above + install -m 644 nss.cfg ${imagepath}/conf/security/ - # Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies) - install -m 644 nss.fips.cfg ${imagepath}/conf/security/ + # Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies) + install -m 644 nss.fips.cfg ${imagepath}/conf/security/ - # Use system-wide tzdata - rm ${imagepath}/lib/tzdb.dat - ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat + # Use system-wide tzdata + rm ${imagepath}/lib/tzdb.dat + ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat - # Create fake alt-java as a placeholder for future alt-java - pushd ${imagepath} - # add alt-java man page - echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1 - cat man/man1/java.1 >> man/man1/%{alt_java_name}.1 - popd + # Create fake alt-java as a placeholder for future alt-java + pushd ${imagepath} + # add alt-java man page + echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1 + cat man/man1/java.1 >> man/man1/%{alt_java_name}.1 + popd + fi } +%if %{build_hotspot_first} + # Build a fresh libjvm.so first and use it to bootstrap + cp -LR --preserve=mode,timestamps %{bootjdk} newboot + systemjdk=$(pwd)/newboot + buildjdk build/newboot ${systemjdk} %{hotspot_target} "release" "bundled" + mv build/newboot/jdk/lib/server/libjvm.so newboot/lib/server +%else + systemjdk=%{bootjdk} +%endif + for suffix in %{build_loop} ; do if [ "x$suffix" = "x" ] ; then @@ -1895,7 +2045,6 @@ for suffix in %{build_loop} ; do debugbuild=`echo $suffix | sed "s/-//g"` fi - systemjdk=/usr/lib/jvm/java-%{buildjdkver}-openjdk for loop in %{main_suffix} %{staticlibs_loop} ; do @@ -1922,11 +2071,14 @@ for suffix in %{build_loop} ; do run_bootstrap=%{bootstrap_build} fi if ${run_bootstrap} ; then - buildjdk ${bootbuilddir} ${bootinstalldir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} ${link_opt} - buildjdk ${builddir} ${installdir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt} - %{!?with_artifacts:rm -rf ${bootinstalldir}} + buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} ${link_opt} + installjdk ${bootbuilddir} ${bootinstalldir} + buildjdk ${builddir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt} + installjdk ${builddir} ${installdir} + %{!?with_artifacts:rm -rf ${bootinstalldir}} else - buildjdk ${builddir} ${installdir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} + buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} + installjdk ${builddir} ${installdir} fi # Restore original source tree we modified by removing full in-tree sources rm -rf %{top_level_dir_name} @@ -1937,15 +2089,12 @@ for suffix in %{build_loop} ; do # Static library cycle only builds the static libraries maketargets="%{static_libs_target}" # Always just do the one build for the static libraries - buildjdk ${builddir} ${installdir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} + buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} + installjdk ${builddir} ${installdir} fi done # end of main / staticlibs loop - # Final setup on the main image - top_dir_abs_main_build_path=$(pwd)/%{installoutputdir -- ${suffix}%{main_suffix}} - installjdk ${top_dir_abs_main_build_path}/images/%{jdkimage} - # build cycles done # end of release / debug cycle loop @@ -2054,20 +2203,16 @@ gdb -q "$JAVA_HOME/bin/java" < 0 -# This fails on s390x for some reason. Disable for now. See: -# https://koji.fedoraproject.org/koji/taskinfo?taskID=41499227 -%ifnarch s390x +%ifarch %{gdb_arches} grep 'JavaCallWrapper::JavaCallWrapper' gdb.out %endif -%endif # Check src.zip has all sources. See RHBZ#1130490 $JAVA_HOME/bin/jar -tf $JAVA_HOME/lib/src.zip | grep 'sun.misc.Unsafe' @@ -2294,6 +2439,9 @@ end %posttrans %{posttrans_script %{nil}} +%posttrans headless +%{alternatives_java_install %{nil}} + %post devel %{post_devel %{nil}} @@ -2303,14 +2451,14 @@ end %posttrans devel %{posttrans_devel %{nil}} -%post javadoc -%{post_javadoc %{nil}} +%posttrans javadoc +%{alternatives_javadoc_install %{nil}} %postun javadoc %{postun_javadoc %{nil}} -%post javadoc-zip -%{post_javadoc_zip %{nil}} +%posttrans javadoc-zip +%{alternatives_javadoczip_install %{nil}} %postun javadoc-zip %{postun_javadoc_zip %{nil}} @@ -2323,6 +2471,9 @@ end %post headless-slowdebug %{post_headless -- %{debug_suffix_unquoted}} +%posttrans headless-slowdebug +%{alternatives_java_install -- %{debug_suffix_unquoted}} + %postun slowdebug %{postun_script -- %{debug_suffix_unquoted}} @@ -2358,6 +2509,9 @@ end %posttrans fastdebug %{posttrans_script -- %{fastdebug_suffix_unquoted}} +%posttrans headless-fastdebug +%{alternatives_java_install -- %{fastdebug_suffix_unquoted}} + %post devel-fastdebug %{post_devel -- %{fastdebug_suffix_unquoted}} @@ -2464,99 +2618,148 @@ end %endif %changelog -* Sat Apr 16 2022 Andrew Hughes - 1:11.0.15.0.9-2 -- Add JDK-8284920 fix for XPath regression -- Related: rhbz#2073422 - -* Fri Apr 15 2022 Andrew Hughes - 1:11.0.15.0.9-2 -- Remove security items from release notes that were only in 17u and N/A for 11u -- Related: rhbz#2073422 - -* Wed Apr 13 2022 Andrew Hughes - 1:11.0.15.0.9-1 -- Update to jdk-11.0.15.0+9 -- Update release notes to 11.0.15.0+9 -- Switch to GA mode for release -- ** This tarball is embargoed until 2022-04-19 @ 1pm PT. ** -- Resolves: rhbz#2073422 - -* Tue Apr 12 2022 Andrew Hughes - 1:11.0.15.0.8-0.1.ea -- Update to jdk-11.0.15.0+8 -- Update release notes to 11.0.15.0+8 -- Switch to EA mode for 11.0.15 pre-release builds. -- Rebase RH1996182 FIPS patch after JDK-8254410 -- Related: rhbz#2073422 - -* Wed Feb 23 2022 Andrew Hughes - 1:11.0.14.1.1-2 -- Add JDK-8275535 patch to fix LDAP authentication issue. -- Resolves: rhbz#2055344 +* Mon Feb 28 2022 Andrew Hughes - 1:11.0.14.1.1-6 +- Detect NSS at runtime for FIPS detection +- Turn off build-time NSS linking and go back to an explicit Requires on NSS +- Resolves: rhbz#2052827 -* Fri Feb 11 2022 Andrew Hughes - 1:11.0.14.1.1-1 +* Fri Feb 25 2022 Andrew Hughes - 1:11.0.14.1.1-5 +- Add JDK-8275535 patch to fix LDAP authentication issue. +- Resolves: rhbz#2053284 + +* Fri Feb 25 2022 Jiri Vanek - 1:11.0.14.1.1-4 +- Storing and restoring alterntives during update manually +- Fixing Bug 2001567 - update of JDK/JRE is removing its manually selected alterantives and select (as auto) system JDK/JRE +-- The move of alternatives creation to posttrans to fix: +-- Bug 1200302 - dnf reinstall breaks alternatives +-- Had caused the alternatives to be removed, and then created again, +-- instead of being added, and then removing the old, and thus persisting +-- the selection in family +-- Thus this fix, is storing the family of manually selected master, and if +-- stored, then it is restoring the family of the master +- Resolves: rhbz#2008192 + +* Fri Feb 25 2022 Jiri Vanek - 1:11.0.14.1.1-3 +- Family extracted to globals +- Resolves: rhbz#2008192 + +* Fri Feb 25 2022 Jiri Vanek - 1:11.0.14.1.1-2 +- alternatives creation moved to posttrans +- Thus fixing the old reisntall issue: +- https://bugzilla.redhat.com/show_bug.cgi?id=1200302 +- https://bugzilla.redhat.com/show_bug.cgi?id=1976053 +- Resolves: rhbz#2008192 + +* Fri Feb 18 2022 Andrew Hughes - 1:11.0.14.1.1-1 - Update to jdk-11.0.14.1+1 - Update release notes to 11.0.14.1+1 +- Require tzdata 2021e as of JDK-8275766. - Resolves: rhbz#2052809 +- Resolves: rhbz#1966234 -* Tue Jan 18 2022 Andrew Hughes - 1:11.0.14.0.9-2 +* Thu Feb 17 2022 Andrew Hughes - 1:11.0.14.0.9-6 +- Separate crypto policy initialisation from FIPS initialisation, now they are no longer interdependent +- Resolves: rhbz#2052816 + +* Fri Feb 11 2022 Andrew Hughes - 1:11.0.14.0.9-5 +- Refactor build functions so we can build just HotSpot without any attempt at installation. +- Sync gdb test with java-1.8.0-openjdk. +- Improve architecture restrictions for the gdb test. +- Replace -mstackrealign with -mincoming-stack-boundary=2 -mpreferred-stack-boundary=4 on x86_32 for stack alignment +- Explicitly list JIT architectures rather than relying on those with slowdebug builds +- Disable the serviceability agent on Zero architectures even when the architecture itself is supported +- Add backport of JDK-8257794 to fix bogus assert on slowdebug x86-32 Zero builds +- Related: rhbz#2052809 + +* Fri Feb 11 2022 Jiri Vanek - 1:11.0.14.0.9-5 +- Give javadoc-zip its own Provides, next to the plain javadoc ones +- Related: rhbz#2052809 + +* Fri Feb 11 2022 Andrew Hughes - 1:11.0.14.0.9-4 - Fix FIPS issues in native code and with initialisation of java.security.Security -- Related: rhbz#2039366 +- Resolves: rhbz#2021559 + +* Thu Feb 10 2022 Severin Gehwolf - 1:11.0.14.0.9-3 +- Use 'sql:' prefix in nss.fips.cfg as F35+ no longer ship the legacy + secmod.db file as part of nss +- Resolves: rhbz#2023534 -* Mon Jan 17 2022 Andrew Hughes - 1:11.0.14.0.9-1 +* Mon Jan 17 2022 Andrew Hughes - 1:11.0.14.0.9-2 - Update to jdk-11.0.14.0+9 - Update release notes to 11.0.14.0+9 - Switch to GA mode for final release. -- This tarball is embargoed until 2022-01-18 @ 1pm PT. - Resolves: rhbz#2039366 * Fri Jan 14 2022 Andrew Hughes - 1:11.0.14.0.8-0.1.ea - Update to jdk-11.0.14.0+8 - Update release notes to 11.0.14.0+8 +- Resolves: rhbz#2022821 + +* Thu Jan 13 2022 Andrew Hughes - 1:11.0.14.0.1-0.1.ea +- Update to jdk-11.0.14.0+1 +- Update release notes to 11.0.14.0+1 - Switch to EA mode for 11.0.14 pre-release builds. -- Turn off bootstrapping for slow debug builds, which are particularly slow on ppc64le. - Rename blacklisted.certs to blocked.certs following JDK-8253866 - Rebase RH1996182 login patch and drop redundant security policy extension after JDK-8269034 -- Related: rhbz#2039366 +- Related: rhbz#2022821 -* Wed Dec 01 2021 Jiri Vanek - 1:11.0.14.0.8-0.1.ea +* Thu Jan 13 2022 Andrew Hughes - 1:11.0.13.0.8-5 +- Turn off bootstrapping for slow debug builds, which are particularly slow on ppc64le. +- Related: rhbz#2022821 + +* Wed Dec 01 2021 Jiri Vanek - 1:11.0.13.0.8-4 - Replaced hardcoded 11 by featurever where appropriate - Fixed comment of `for slowdebug` to correct `any debug` -- Related: rhbz#2039366 - -* Sun Nov 07 2021 Andrew Hughes - 1:11.0.13.0.8-4 -- Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false -- Resolves: rhbz#2014212 - -* Sun Nov 07 2021 Martin Balao - 1:11.0.13.0.8-4 -- Add patch to allow plain key import. -- Resolves: rhbz#2014212 - -* Thu Oct 28 2021 Andrew Hughes - 1:11.0.13.0.8-3 -- Bump and rebuild to try and get a build correctly tagged. -- Related: rhbz#2012334 +- Related: rhbz#2022821 -* Wed Oct 13 2021 Andrew Hughes - 1:11.0.13.0.8-2 -- Update to jdk-11.0.12.0+8 -- Update release notes to 11.0.12.0+8 +* Wed Oct 13 2021 Andrew Hughes - 1:11.0.13.0.8-3 +- Update to jdk-11.0.13.0+8 +- Update release notes to 11.0.13.0+8 - Switch to GA mode for final release. -- This tarball is embargoed until 2021-10-19 @ 1pm PT. -- Resolves: rhbz#2012334 +- Resolves: rhbz#2012335 * Tue Oct 12 2021 Andrew Hughes - 1:11.0.13.0.7-0.1.ea - Update to jdk-11.0.13.0+7 - Update release notes to 11.0.13.0+7 +- Resolves: rhbz#1999938 + +* Mon Oct 11 2021 Andrew Hughes - 1:11.0.13.0.1-0.1.ea +- Update to jdk-11.0.13.0+1 +- Update release notes to 11.0.13.0+1 - Update tarball generation script to use git following OpenJDK 11u's move to github - Switch to EA mode for 11.0.13 pre-release builds. -- Remove non-Free test from source tarball. +- Remove "-clean" suffix as no 11.0.13 builds are unclean. - Drop JDK-8269668 patch which is now applied upstream. -- Related: rhbz#2011826 +- Related: rhbz#1999938 + +* Sun Oct 10 2021 Andrew Hughes - 1:11.0.12.0.7-9 +- The bootstrap JDK is now in bootinstalldir, not bootbuilddir. +- Related: rhbz#1999938 -* Sun Oct 10 2021 Andrew Hughes - 1:11.0.12.0.7-5 +* Sun Oct 10 2021 Andrew Hughes - 1:11.0.12.0.7-9 +- Reduce disk footprint by removing build artifacts by default. +- Related: rhbz#1999938 + +* Sun Oct 10 2021 Andrew Hughes - 1:11.0.12.0.7-8 - Restructure the build so a minimal initial build is then used for the final build (with docs) - This reduces pressure on the system JDK and ensures the JDK being built can do a full build -- Reduce disk footprint by removing build artifacts by default. -- Related: rhbz#2011826 +- Related: rhbz#1999938 -* Mon Sep 06 2021 Jiri Vanek - 1:11.0.12.0.7-5 +* Tue Oct 05 2021 Andrew Hughes - 1:11.0.12.0.7-7 +- Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false +- Resolves: rhbz#1991003 + +* Tue Oct 05 2021 Martin Balao - 1:11.0.12.0.7-7 +- Add patch to allow plain key import. +- Resolves: rhbz#1991003 + +* Mon Sep 06 2021 Jiri Vanek - 1:11.0.12.0.7-6 - Minor cosmetic improvements to make spec more comparable between variants -- Related: rhbz#2011826 +- Related: rhbz#1999938 + +* Mon Sep 06 2021 Andrew Hughes - 1:11.0.12.0.7-5 +- Remove non-Free test from source tarball. +- Related: rhbz#1999938 * Mon Aug 30 2021 Andrew Hughes - 1:11.0.12.0.7-4 - Extend the default security policy to accomodate PKCS11 accessing jdk.internal.misc.