diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..3ca8fbe --- /dev/null +++ b/.gitignore @@ -0,0 +1,2 @@ +SOURCES/shenandoah-jdk11-shenandoah-jdk-11.0.6+10-4curve.tar.xz +SOURCES/tapsets-icedtea-3.15.0.tar.xz diff --git a/.java-11-openjdk.metadata b/.java-11-openjdk.metadata new file mode 100644 index 0000000..a477770 --- /dev/null +++ b/.java-11-openjdk.metadata @@ -0,0 +1,2 @@ +770fb5e2a0c18da9239ffdd4d0511fb0f5a6a2b6 SOURCES/shenandoah-jdk11-shenandoah-jdk-11.0.6+10-4curve.tar.xz +7ae2cba67467825b2c2a5fec7aea041865023002 SOURCES/tapsets-icedtea-3.15.0.tar.xz diff --git a/SOURCES/TestCryptoLevel.java b/SOURCES/TestCryptoLevel.java new file mode 100644 index 0000000..b32b7ae --- /dev/null +++ b/SOURCES/TestCryptoLevel.java @@ -0,0 +1,72 @@ +/* TestCryptoLevel -- Ensure unlimited crypto policy is in use. + Copyright (C) 2012 Red Hat, Inc. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU Affero General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU Affero General Public License for more details. + +You should have received a copy of the GNU Affero General Public License +along with this program. If not, see . +*/ + +import java.lang.reflect.Field; +import java.lang.reflect.Method; +import java.lang.reflect.InvocationTargetException; + +import java.security.Permission; +import java.security.PermissionCollection; + +public class TestCryptoLevel +{ + public static void main(String[] args) + throws NoSuchFieldException, ClassNotFoundException, + IllegalAccessException, InvocationTargetException + { + Class cls = null; + Method def = null, exempt = null; + + try + { + cls = Class.forName("javax.crypto.JceSecurity"); + } + catch (ClassNotFoundException ex) + { + System.err.println("Running a non-Sun JDK."); + System.exit(0); + } + try + { + def = cls.getDeclaredMethod("getDefaultPolicy"); + exempt = cls.getDeclaredMethod("getExemptPolicy"); + } + catch (NoSuchMethodException ex) + { + System.err.println("Running IcedTea with the original crypto patch."); + System.exit(0); + } + def.setAccessible(true); + exempt.setAccessible(true); + PermissionCollection defPerms = (PermissionCollection) def.invoke(null); + PermissionCollection exemptPerms = (PermissionCollection) exempt.invoke(null); + Class apCls = Class.forName("javax.crypto.CryptoAllPermission"); + Field apField = apCls.getDeclaredField("INSTANCE"); + apField.setAccessible(true); + Permission allPerms = (Permission) apField.get(null); + if (defPerms.implies(allPerms) && (exemptPerms == null || exemptPerms.implies(allPerms))) + { + System.err.println("Running with the unlimited policy."); + System.exit(0); + } + else + { + System.err.println("WARNING: Running with a restricted crypto policy."); + System.exit(-1); + } + } +} diff --git a/SOURCES/TestECDSA.java b/SOURCES/TestECDSA.java new file mode 100644 index 0000000..6eb9cb2 --- /dev/null +++ b/SOURCES/TestECDSA.java @@ -0,0 +1,49 @@ +/* TestECDSA -- Ensure ECDSA signatures are working. + Copyright (C) 2016 Red Hat, Inc. + +This program is free software: you can redistribute it and/or modify +it under the terms of the GNU Affero General Public License as +published by the Free Software Foundation, either version 3 of the +License, or (at your option) any later version. + +This program is distributed in the hope that it will be useful, +but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +GNU Affero General Public License for more details. + +You should have received a copy of the GNU Affero General Public License +along with this program. If not, see . +*/ + +import java.math.BigInteger; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.Signature; + +/** + * @test + */ +public class TestECDSA { + + public static void main(String[] args) throws Exception { + KeyPairGenerator keyGen = KeyPairGenerator.getInstance("EC"); + KeyPair key = keyGen.generateKeyPair(); + + byte[] data = "This is a string to sign".getBytes("UTF-8"); + + Signature dsa = Signature.getInstance("NONEwithECDSA"); + dsa.initSign(key.getPrivate()); + dsa.update(data); + byte[] sig = dsa.sign(); + System.out.println("Signature: " + new BigInteger(1, sig).toString(16)); + + Signature dsaCheck = Signature.getInstance("NONEwithECDSA"); + dsaCheck.initVerify(key.getPublic()); + dsaCheck.update(data); + boolean success = dsaCheck.verify(sig); + if (!success) { + throw new RuntimeException("Test failed. Signature verification error"); + } + System.out.println("Test passed."); + } +} diff --git a/SOURCES/jconsole.desktop.in b/SOURCES/jconsole.desktop.in new file mode 100644 index 0000000..8a3b04d --- /dev/null +++ b/SOURCES/jconsole.desktop.in @@ -0,0 +1,10 @@ +[Desktop Entry] +Name=OpenJDK @JAVA_VER@ for @target_cpu@ Monitoring & Management Console (@OPENJDK_VER@) +Comment=Monitor and manage OpenJDK applications +Exec=_SDKBINDIR_/jconsole +Icon=java-@JAVA_VER@-@JAVA_VENDOR@ +Terminal=false +Type=Application +StartupWMClass=sun-tools-jconsole-JConsole +Categories=Development;Profiling;Java; +Version=1.0 diff --git a/SOURCES/jdk8236039-status_request_extension.patch b/SOURCES/jdk8236039-status_request_extension.patch new file mode 100644 index 0000000..be7008c --- /dev/null +++ b/SOURCES/jdk8236039-status_request_extension.patch @@ -0,0 +1,310 @@ +# HG changeset patch +# User jnimeh +# Date 1578287079 28800 +# Sun Jan 05 21:04:39 2020 -0800 +# Node ID b9d1ce20dd4b2ce34e74c8fa2d784335231abcd1 +# Parent 3782f295811625b65d57f1aef15daa10d82a58a7 +8236039: JSSE Client does not accept status_request extension in CertificateRequest messages for TLS 1.3 +Reviewed-by: xuelei + +diff --git a/src/java.base/share/classes/sun/security/ssl/CertStatusExtension.java b/src/java.base/share/classes/sun/security/ssl/CertStatusExtension.java +--- a/src/java.base/share/classes/sun/security/ssl/CertStatusExtension.java ++++ b/src/java.base/share/classes/sun/security/ssl/CertStatusExtension.java +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2015, 2019, Oracle and/or its affiliates. All rights reserved. ++ * Copyright (c) 2015, 2020, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it +@@ -39,11 +39,7 @@ + import javax.net.ssl.SSLProtocolException; + import sun.security.provider.certpath.OCSPResponse; + import sun.security.provider.certpath.ResponderId; +-import static sun.security.ssl.SSLExtension.CH_STATUS_REQUEST; +-import static sun.security.ssl.SSLExtension.CH_STATUS_REQUEST_V2; + import sun.security.ssl.SSLExtension.ExtensionConsumer; +-import static sun.security.ssl.SSLExtension.SH_STATUS_REQUEST; +-import static sun.security.ssl.SSLExtension.SH_STATUS_REQUEST_V2; + import sun.security.ssl.SSLExtension.SSLExtensionSpec; + import sun.security.ssl.SSLHandshake.HandshakeMessage; + import sun.security.util.DerInputStream; +@@ -434,8 +430,9 @@ + } else { + extBuilder.append(",\n"); + } +- extBuilder.append( +- "{\n" + Utilities.indent(ext.toString()) + "}"); ++ extBuilder.append("{\n"). ++ append(Utilities.indent(ext.toString())). ++ append("}"); + } + + extsStr = extBuilder.toString(); +@@ -552,11 +549,11 @@ + return null; + } + +- if (!chc.sslConfig.isAvailable(CH_STATUS_REQUEST)) { ++ if (!chc.sslConfig.isAvailable(SSLExtension.CH_STATUS_REQUEST)) { + if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { + SSLLogger.fine( + "Ignore unavailable extension: " + +- CH_STATUS_REQUEST.name); ++ SSLExtension.CH_STATUS_REQUEST.name); + } + return null; + } +@@ -568,8 +565,8 @@ + byte[] extData = new byte[] {0x01, 0x00, 0x00, 0x00, 0x00}; + + // Update the context. +- chc.handshakeExtensions.put( +- CH_STATUS_REQUEST, CertStatusRequestSpec.DEFAULT); ++ chc.handshakeExtensions.put(SSLExtension.CH_STATUS_REQUEST, ++ CertStatusRequestSpec.DEFAULT); + + return extData; + } +@@ -593,10 +590,10 @@ + // The consuming happens in server side only. + ServerHandshakeContext shc = (ServerHandshakeContext)context; + +- if (!shc.sslConfig.isAvailable(CH_STATUS_REQUEST)) { ++ if (!shc.sslConfig.isAvailable(SSLExtension.CH_STATUS_REQUEST)) { + if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { + SSLLogger.fine("Ignore unavailable extension: " + +- CH_STATUS_REQUEST.name); ++ SSLExtension.CH_STATUS_REQUEST.name); + } + return; // ignore the extension + } +@@ -610,7 +607,7 @@ + } + + // Update the context. +- shc.handshakeExtensions.put(CH_STATUS_REQUEST, spec); ++ shc.handshakeExtensions.put(SSLExtension.CH_STATUS_REQUEST, spec); + if (!shc.isResumption && + !shc.negotiatedProtocol.useTLS13PlusSpec()) { + shc.handshakeProducers.put(SSLHandshake.CERTIFICATE_STATUS.id, +@@ -654,13 +651,12 @@ + + // In response to "status_request" extension request only. + CertStatusRequestSpec spec = (CertStatusRequestSpec) +- shc.handshakeExtensions.get(CH_STATUS_REQUEST); ++ shc.handshakeExtensions.get(SSLExtension.CH_STATUS_REQUEST); + if (spec == null) { + // Ignore, no status_request extension requested. + if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { +- SSLLogger.finest( +- "Ignore unavailable extension: " + +- CH_STATUS_REQUEST.name); ++ SSLLogger.finest("Ignore unavailable extension: " + ++ SSLExtension.CH_STATUS_REQUEST.name); + } + + return null; // ignore the extension +@@ -681,8 +677,8 @@ + byte[] extData = new byte[0]; + + // Update the context. +- shc.handshakeExtensions.put( +- SH_STATUS_REQUEST, CertStatusRequestSpec.DEFAULT); ++ shc.handshakeExtensions.put(SSLExtension.SH_STATUS_REQUEST, ++ CertStatusRequestSpec.DEFAULT); + + return extData; + } +@@ -708,7 +704,7 @@ + + // In response to "status_request" extension request only. + CertStatusRequestSpec requestedCsr = (CertStatusRequestSpec) +- chc.handshakeExtensions.get(CH_STATUS_REQUEST); ++ chc.handshakeExtensions.get(SSLExtension.CH_STATUS_REQUEST); + if (requestedCsr == null) { + throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, + "Unexpected status_request extension in ServerHello"); +@@ -722,8 +718,8 @@ + } + + // Update the context. +- chc.handshakeExtensions.put( +- SH_STATUS_REQUEST, CertStatusRequestSpec.DEFAULT); ++ chc.handshakeExtensions.put(SSLExtension.SH_STATUS_REQUEST, ++ CertStatusRequestSpec.DEFAULT); + + // Since we've received a legitimate status_request in the + // ServerHello, stapling is active if it's been enabled. +@@ -909,7 +905,7 @@ + return null; + } + +- if (!chc.sslConfig.isAvailable(CH_STATUS_REQUEST_V2)) { ++ if (!chc.sslConfig.isAvailable(SSLExtension.CH_STATUS_REQUEST_V2)) { + if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { + SSLLogger.finest( + "Ignore unavailable status_request_v2 extension"); +@@ -926,8 +922,8 @@ + 0x00, 0x07, 0x02, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00}; + + // Update the context. +- chc.handshakeExtensions.put( +- CH_STATUS_REQUEST_V2, CertStatusRequestV2Spec.DEFAULT); ++ chc.handshakeExtensions.put(SSLExtension.CH_STATUS_REQUEST_V2, ++ CertStatusRequestV2Spec.DEFAULT); + + return extData; + } +@@ -951,7 +947,7 @@ + // The consuming happens in server side only. + ServerHandshakeContext shc = (ServerHandshakeContext)context; + +- if (!shc.sslConfig.isAvailable(CH_STATUS_REQUEST_V2)) { ++ if (!shc.sslConfig.isAvailable(SSLExtension.CH_STATUS_REQUEST_V2)) { + if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { + SSLLogger.finest( + "Ignore unavailable status_request_v2 extension"); +@@ -969,7 +965,8 @@ + } + + // Update the context. +- shc.handshakeExtensions.put(CH_STATUS_REQUEST_V2, spec); ++ shc.handshakeExtensions.put(SSLExtension.CH_STATUS_REQUEST_V2, ++ spec); + if (!shc.isResumption) { + shc.handshakeProducers.putIfAbsent( + SSLHandshake.CERTIFICATE_STATUS.id, +@@ -1013,7 +1010,7 @@ + + // In response to "status_request_v2" extension request only + CertStatusRequestV2Spec spec = (CertStatusRequestV2Spec) +- shc.handshakeExtensions.get(CH_STATUS_REQUEST_V2); ++ shc.handshakeExtensions.get(SSLExtension.CH_STATUS_REQUEST_V2); + if (spec == null) { + // Ignore, no status_request_v2 extension requested. + if (SSLLogger.isOn && SSLLogger.isOn("ssl,handshake")) { +@@ -1038,8 +1035,8 @@ + byte[] extData = new byte[0]; + + // Update the context. +- shc.handshakeExtensions.put( +- SH_STATUS_REQUEST_V2, CertStatusRequestV2Spec.DEFAULT); ++ shc.handshakeExtensions.put(SSLExtension.SH_STATUS_REQUEST_V2, ++ CertStatusRequestV2Spec.DEFAULT); + + return extData; + } +@@ -1065,7 +1062,7 @@ + + // In response to "status_request" extension request only + CertStatusRequestV2Spec requestedCsr = (CertStatusRequestV2Spec) +- chc.handshakeExtensions.get(CH_STATUS_REQUEST_V2); ++ chc.handshakeExtensions.get(SSLExtension.CH_STATUS_REQUEST_V2); + if (requestedCsr == null) { + throw chc.conContext.fatal(Alert.UNEXPECTED_MESSAGE, + "Unexpected status_request_v2 extension in ServerHello"); +@@ -1079,8 +1076,8 @@ + } + + // Update the context. +- chc.handshakeExtensions.put( +- SH_STATUS_REQUEST_V2, CertStatusRequestV2Spec.DEFAULT); ++ chc.handshakeExtensions.put(SSLExtension.SH_STATUS_REQUEST_V2, ++ CertStatusRequestV2Spec.DEFAULT); + + // Since we've received a legitimate status_request in the + // ServerHello, stapling is active if it's been enabled. If it +diff --git a/src/java.base/share/classes/sun/security/ssl/SSLExtension.java b/src/java.base/share/classes/sun/security/ssl/SSLExtension.java +--- a/src/java.base/share/classes/sun/security/ssl/SSLExtension.java ++++ b/src/java.base/share/classes/sun/security/ssl/SSLExtension.java +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved. ++ * Copyright (c) 2018, 2020, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it +@@ -113,7 +113,6 @@ + null, + null, + CertStatusExtension.certStatusReqStringizer), +- + CR_STATUS_REQUEST (0x0005, "status_request"), + CT_STATUS_REQUEST (0x0005, "status_request", + SSLHandshake.CERTIFICATE, +@@ -124,6 +123,7 @@ + null, + null, + CertStatusExtension.certStatusRespStringizer), ++ + // extensions defined in RFC 4681 + USER_MAPPING (0x0006, "user_mapping"), + +@@ -515,6 +515,16 @@ + return null; + } + ++ static String nameOf(int extensionType) { ++ for (SSLExtension ext : SSLExtension.values()) { ++ if (ext.id == extensionType) { ++ return ext.name; ++ } ++ } ++ ++ return "unknown extension"; ++ } ++ + static boolean isConsumable(int extensionType) { + for (SSLExtension ext : SSLExtension.values()) { + if (ext.id == extensionType && +diff --git a/src/java.base/share/classes/sun/security/ssl/SSLExtensions.java b/src/java.base/share/classes/sun/security/ssl/SSLExtensions.java +--- a/src/java.base/share/classes/sun/security/ssl/SSLExtensions.java ++++ b/src/java.base/share/classes/sun/security/ssl/SSLExtensions.java +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved. ++ * Copyright (c) 2018, 2020 Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it +@@ -86,11 +86,14 @@ + "Received buggy supported_groups extension " + + "in the ServerHello handshake message"); + } +- } else { ++ } else if (handshakeType == SSLHandshake.SERVER_HELLO) { + throw hm.handshakeContext.conContext.fatal( +- Alert.UNSUPPORTED_EXTENSION, +- "extension (" + extId + +- ") should not be presented in " + handshakeType.name); ++ Alert.UNSUPPORTED_EXTENSION, "extension (" + ++ extId + ") should not be presented in " + ++ handshakeType.name); ++ } else { ++ isSupported = false; ++ // debug log to ignore unknown extension for handshakeType + } + } + +@@ -365,9 +368,10 @@ + } + + private static String toString(int extId, byte[] extData) { ++ String extName = SSLExtension.nameOf(extId); + MessageFormat messageFormat = new MessageFormat( +- "\"unknown extension ({0})\": '{'\n" + +- "{1}\n" + ++ "\"{0} ({1})\": '{'\n" + ++ "{2}\n" + + "'}'", + Locale.ENGLISH); + +@@ -375,6 +379,7 @@ + String encoded = hexEncoder.encodeBuffer(extData); + + Object[] messageFields = { ++ extName, + extId, + Utilities.indent(encoded) + }; diff --git a/SOURCES/jdk8237396-avoid_triggering_barriers.patch b/SOURCES/jdk8237396-avoid_triggering_barriers.patch new file mode 100644 index 0000000..90d7c65 --- /dev/null +++ b/SOURCES/jdk8237396-avoid_triggering_barriers.patch @@ -0,0 +1,58 @@ +# HG changeset patch +# User zgu +# Date 1579696811 18000 +# Wed Jan 22 07:40:11 2020 -0500 +# Node ID 91ea567eeabeade6b3f8d6cf10c02ba53f700eca +# Parent 082f1d3eb1649ff776cda165ed78d65bc7361ebc +8237396: JvmtiTagMap::weak_oops_do() should not trigger barriers +Reviewed-by: stefank, rkennke + +diff --git a/src/hotspot/share/prims/jvmtiTagMap.cpp b/src/hotspot/share/prims/jvmtiTagMap.cpp +--- a/src/hotspot/share/prims/jvmtiTagMap.cpp ++++ b/src/hotspot/share/prims/jvmtiTagMap.cpp +@@ -1,5 +1,5 @@ + /* +- * Copyright (c) 2003, 2018, Oracle and/or its affiliates. All rights reserved. ++ * Copyright (c) 2003, 2020, Oracle and/or its affiliates. All rights reserved. + * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. + * + * This code is free software; you can redistribute it and/or modify it +@@ -96,6 +96,11 @@ + inline oop object_peek() { + return NativeAccess::oop_load(object_addr()); + } ++ ++ inline oop object_raw() { ++ return RawAccess<>::oop_load(object_addr()); ++ } ++ + inline jlong tag() const { return _tag; } + + inline void set_tag(jlong tag) { +@@ -3357,7 +3362,7 @@ + JvmtiTagHashmapEntry* next = entry->next(); + + // has object been GC'ed +- if (!is_alive->do_object_b(entry->object_peek())) { ++ if (!is_alive->do_object_b(entry->object_raw())) { + // grab the tag + jlong tag = entry->tag(); + guarantee(tag != 0, "checking"); +@@ -3375,7 +3380,7 @@ + ++freed; + } else { + f->do_oop(entry->object_addr()); +- oop new_oop = entry->object_peek(); ++ oop new_oop = entry->object_raw(); + + // if the object has moved then re-hash it and move its + // entry to its new location. +@@ -3409,7 +3414,7 @@ + // Re-add all the entries which were kept aside + while (delayed_add != NULL) { + JvmtiTagHashmapEntry* next = delayed_add->next(); +- unsigned int pos = JvmtiTagHashmap::hash(delayed_add->object_peek(), size); ++ unsigned int pos = JvmtiTagHashmap::hash(delayed_add->object_raw(), size); + delayed_add->set_next(table[pos]); + table[pos] = delayed_add; + delayed_add = next; diff --git a/SOURCES/nss.cfg.in b/SOURCES/nss.cfg.in new file mode 100644 index 0000000..377a39c --- /dev/null +++ b/SOURCES/nss.cfg.in @@ -0,0 +1,5 @@ +name = NSS +nssLibraryDirectory = @NSS_LIBDIR@ +nssDbMode = noDb +attributes = compatibility +handleStartupErrors = ignoreMultipleInitialisation diff --git a/SOURCES/nss.fips.cfg.in b/SOURCES/nss.fips.cfg.in new file mode 100644 index 0000000..ead27be --- /dev/null +++ b/SOURCES/nss.fips.cfg.in @@ -0,0 +1,6 @@ +name = NSS-FIPS +nssLibraryDirectory = @NSS_LIBDIR@ +nssSecmodDirectory = @NSS_SECMOD@ +nssDbMode = readOnly +nssModule = fips + diff --git a/SOURCES/pr3694-rh1340845-support_fedora_rhel_system_crypto_policy.patch b/SOURCES/pr3694-rh1340845-support_fedora_rhel_system_crypto_policy.patch new file mode 100644 index 0000000..97f276f --- /dev/null +++ b/SOURCES/pr3694-rh1340845-support_fedora_rhel_system_crypto_policy.patch @@ -0,0 +1,88 @@ + +# HG changeset patch +# User andrew +# Date 1478057514 0 +# Node ID 1c4d5cb2096ae55106111da200b0bcad304f650c +# Parent 3d53f19b48384e5252f4ec8891f7a3a82d77af2a +PR3694: Support Fedora/RHEL system crypto policy +diff -r 3d53f19b4838 -r 1c4d5cb2096a src/java.base/share/classes/java/security/Security.java +--- a/src/java.base/share/classes/java/security/Security.java Wed Oct 26 03:51:39 2016 +0100 ++++ b/src/java.base/share/classes/java/security/Security.java Wed Nov 02 03:31:54 2016 +0000 +@@ -43,6 +43,9 @@ + * implementation-specific location, which is typically the properties file + * {@code conf/security/java.security} in the Java installation directory. + * ++ *

Additional default values of security properties are read from a ++ * system-specific location, if available.

++ * + * @author Benjamin Renaud + * @since 1.1 + */ +@@ -52,6 +55,10 @@ + private static final Debug sdebug = + Debug.getInstance("properties"); + ++ /* System property file*/ ++ private static final String SYSTEM_PROPERTIES = ++ "/etc/crypto-policies/back-ends/java.config"; ++ + /* The java.security properties */ + private static Properties props; + +@@ -93,6 +100,7 @@ + if (sdebug != null) { + sdebug.println("reading security properties file: " + + propFile); ++ sdebug.println(props.toString()); + } + } catch (IOException e) { + if (sdebug != null) { +@@ -114,6 +122,31 @@ + } + + if ("true".equalsIgnoreCase(props.getProperty ++ ("security.useSystemPropertiesFile"))) { ++ ++ // now load the system file, if it exists, so its values ++ // will win if they conflict with the earlier values ++ try (BufferedInputStream bis = ++ new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) { ++ props.load(bis); ++ loadedProps = true; ++ ++ if (sdebug != null) { ++ sdebug.println("reading system security properties file " + ++ SYSTEM_PROPERTIES); ++ sdebug.println(props.toString()); ++ } ++ } catch (IOException e) { ++ if (sdebug != null) { ++ sdebug.println ++ ("unable to load security properties from " + ++ SYSTEM_PROPERTIES); ++ e.printStackTrace(); ++ } ++ } ++ } ++ ++ if ("true".equalsIgnoreCase(props.getProperty + ("security.overridePropertiesFile"))) { + + String extraPropFile = System.getProperty +diff -r 3d53f19b4838 -r 1c4d5cb2096a src/java.base/share/conf/security/java.security +--- a/src/java.base/share/conf/security/java.security Wed Oct 26 03:51:39 2016 +0100 ++++ b/src/java.base/share/conf/security/java.security Wed Nov 02 03:31:54 2016 +0000 +@@ -276,6 +276,13 @@ + security.overridePropertiesFile=true + + # ++# Determines whether this properties file will be appended to ++# using the system properties file stored at ++# /etc/crypto-policies/back-ends/java.config ++# ++security.useSystemPropertiesFile=true ++ ++# + # Determines the default key and trust manager factory algorithms for + # the javax.net.ssl package. + # diff --git a/SOURCES/pr3695-toggle_system_crypto_policy.patch b/SOURCES/pr3695-toggle_system_crypto_policy.patch new file mode 100644 index 0000000..3799237 --- /dev/null +++ b/SOURCES/pr3695-toggle_system_crypto_policy.patch @@ -0,0 +1,78 @@ +# HG changeset patch +# User andrew +# Date 1545198926 0 +# Wed Dec 19 05:55:26 2018 +0000 +# Node ID f2cbd688824c128db7fa848c8732fb0ab3507776 +# Parent 81f07f6d1f8b7b51b136d3974c61bc8bb513770c +PR3695: Allow use of system crypto policy to be disabled by the user +Summary: Read user overrides first so security.useSystemPropertiesFile can be disabled and add -Djava.security.disableSystemPropertiesFile + +diff --git a/src/java.base/share/classes/java/security/Security.java b/src/java.base/share/classes/java/security/Security.java +--- a/src/java.base/share/classes/java/security/Security.java ++++ b/src/java.base/share/classes/java/security/Security.java +@@ -125,31 +125,6 @@ + } + + if ("true".equalsIgnoreCase(props.getProperty +- ("security.useSystemPropertiesFile"))) { +- +- // now load the system file, if it exists, so its values +- // will win if they conflict with the earlier values +- try (BufferedInputStream bis = +- new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) { +- props.load(bis); +- loadedProps = true; +- +- if (sdebug != null) { +- sdebug.println("reading system security properties file " + +- SYSTEM_PROPERTIES); +- sdebug.println(props.toString()); +- } +- } catch (IOException e) { +- if (sdebug != null) { +- sdebug.println +- ("unable to load security properties from " + +- SYSTEM_PROPERTIES); +- e.printStackTrace(); +- } +- } +- } +- +- if ("true".equalsIgnoreCase(props.getProperty + ("security.overridePropertiesFile"))) { + + String extraPropFile = System.getProperty +@@ -215,6 +190,33 @@ + } + } + ++ String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile"); ++ if (disableSystemProps == null && ++ "true".equalsIgnoreCase(props.getProperty ++ ("security.useSystemPropertiesFile"))) { ++ ++ // now load the system file, if it exists, so its values ++ // will win if they conflict with the earlier values ++ try (BufferedInputStream bis = ++ new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) { ++ props.load(bis); ++ loadedProps = true; ++ ++ if (sdebug != null) { ++ sdebug.println("reading system security properties file " + ++ SYSTEM_PROPERTIES); ++ sdebug.println(props.toString()); ++ } ++ } catch (IOException e) { ++ if (sdebug != null) { ++ sdebug.println ++ ("unable to load security properties from " + ++ SYSTEM_PROPERTIES); ++ e.printStackTrace(); ++ } ++ } ++ } ++ + if (!loadedProps) { + initializeStatic(); + if (sdebug != null) { diff --git a/SOURCES/remove-intree-libraries.sh b/SOURCES/remove-intree-libraries.sh new file mode 100644 index 0000000..f3be341 --- /dev/null +++ b/SOURCES/remove-intree-libraries.sh @@ -0,0 +1,131 @@ +#!/bin/sh + +ZIP_SRC=src/java.base/share/native/libzip/zlib/ +JPEG_SRC=src/java.desktop/share/native/libjavajpeg/ +GIF_SRC=src/java.desktop/share/native/libsplashscreen/giflib/ +PNG_SRC=src/java.desktop/share/native/libsplashscreen/libpng/ +LCMS_SRC=src/java.desktop/share/native/liblcms/ + +cd openjdk + +echo "Removing built-in libs (they will be linked)" + +echo "Removing zlib" +if [ ! -d ${ZIP_SRC} ]; then + echo "${ZIP_SRC} does not exist. Refusing to proceed." + exit 1 +fi +rm -rvf ${ZIP_SRC} + +echo "Removing libjpeg" +if [ ! -f ${JPEG_SRC}/jdhuff.c ]; then # some file that sound definitely exist + echo "${JPEG_SRC} does not contain jpeg sources. Refusing to proceed." + exit 1 +fi + +rm -vf ${JPEG_SRC}/jcomapi.c +rm -vf ${JPEG_SRC}/jdapimin.c +rm -vf ${JPEG_SRC}/jdapistd.c +rm -vf ${JPEG_SRC}/jdcoefct.c +rm -vf ${JPEG_SRC}/jdcolor.c +rm -vf ${JPEG_SRC}/jdct.h +rm -vf ${JPEG_SRC}/jddctmgr.c +rm -vf ${JPEG_SRC}/jdhuff.c +rm -vf ${JPEG_SRC}/jdhuff.h +rm -vf ${JPEG_SRC}/jdinput.c +rm -vf ${JPEG_SRC}/jdmainct.c +rm -vf ${JPEG_SRC}/jdmarker.c +rm -vf ${JPEG_SRC}/jdmaster.c +rm -vf ${JPEG_SRC}/jdmerge.c +rm -vf ${JPEG_SRC}/jdphuff.c +rm -vf ${JPEG_SRC}/jdpostct.c +rm -vf ${JPEG_SRC}/jdsample.c +rm -vf ${JPEG_SRC}/jerror.c +rm -vf ${JPEG_SRC}/jerror.h +rm -vf ${JPEG_SRC}/jidctflt.c +rm -vf ${JPEG_SRC}/jidctfst.c +rm -vf ${JPEG_SRC}/jidctint.c +rm -vf ${JPEG_SRC}/jidctred.c +rm -vf ${JPEG_SRC}/jinclude.h +rm -vf ${JPEG_SRC}/jmemmgr.c +rm -vf ${JPEG_SRC}/jmemsys.h +rm -vf ${JPEG_SRC}/jmemnobs.c +rm -vf ${JPEG_SRC}/jmorecfg.h +rm -vf ${JPEG_SRC}/jpegint.h +rm -vf ${JPEG_SRC}/jpeglib.h +rm -vf ${JPEG_SRC}/jquant1.c +rm -vf ${JPEG_SRC}/jquant2.c +rm -vf ${JPEG_SRC}/jutils.c +rm -vf ${JPEG_SRC}/jcapimin.c +rm -vf ${JPEG_SRC}/jcapistd.c +rm -vf ${JPEG_SRC}/jccoefct.c +rm -vf ${JPEG_SRC}/jccolor.c +rm -vf ${JPEG_SRC}/jcdctmgr.c +rm -vf ${JPEG_SRC}/jchuff.c +rm -vf ${JPEG_SRC}/jchuff.h +rm -vf ${JPEG_SRC}/jcinit.c +rm -vf ${JPEG_SRC}/jconfig.h +rm -vf ${JPEG_SRC}/jcmainct.c +rm -vf ${JPEG_SRC}/jcmarker.c +rm -vf ${JPEG_SRC}/jcmaster.c +rm -vf ${JPEG_SRC}/jcparam.c +rm -vf ${JPEG_SRC}/jcphuff.c +rm -vf ${JPEG_SRC}/jcprepct.c +rm -vf ${JPEG_SRC}/jcsample.c +rm -vf ${JPEG_SRC}/jctrans.c +rm -vf ${JPEG_SRC}/jdtrans.c +rm -vf ${JPEG_SRC}/jfdctflt.c +rm -vf ${JPEG_SRC}/jfdctfst.c +rm -vf ${JPEG_SRC}/jfdctint.c +rm -vf ${JPEG_SRC}/jversion.h +rm -vf ${JPEG_SRC}/README + +echo "Removing giflib" +if [ ! -d ${GIF_SRC} ]; then + echo "${GIF_SRC} does not exist. Refusing to proceed." + exit 1 +fi +rm -rvf ${GIF_SRC} + +echo "Removing libpng" +if [ ! -d ${PNG_SRC} ]; then + echo "${PNG_SRC} does not exist. Refusing to proceed." + exit 1 +fi +rm -rvf ${PNG_SRC} + +echo "Removing lcms" +if [ ! -d ${LCMS_SRC} ]; then + echo "${LCMS_SRC} does not exist. Refusing to proceed." + exit 1 +fi +rm -vf ${LCMS_SRC}/cmscam02.c +rm -vf ${LCMS_SRC}/cmscgats.c +rm -vf ${LCMS_SRC}/cmscnvrt.c +rm -vf ${LCMS_SRC}/cmserr.c +rm -vf ${LCMS_SRC}/cmsgamma.c +rm -vf ${LCMS_SRC}/cmsgmt.c +rm -vf ${LCMS_SRC}/cmshalf.c +rm -vf ${LCMS_SRC}/cmsintrp.c +rm -vf ${LCMS_SRC}/cmsio0.c +rm -vf ${LCMS_SRC}/cmsio1.c +rm -vf ${LCMS_SRC}/cmslut.c +rm -vf ${LCMS_SRC}/cmsmd5.c +rm -vf ${LCMS_SRC}/cmsmtrx.c +rm -vf ${LCMS_SRC}/cmsnamed.c +rm -vf ${LCMS_SRC}/cmsopt.c +rm -vf ${LCMS_SRC}/cmspack.c +rm -vf ${LCMS_SRC}/cmspcs.c +rm -vf ${LCMS_SRC}/cmsplugin.c +rm -vf ${LCMS_SRC}/cmsps2.c +rm -vf ${LCMS_SRC}/cmssamp.c +rm -vf ${LCMS_SRC}/cmssm.c +rm -vf ${LCMS_SRC}/cmstypes.c +rm -vf ${LCMS_SRC}/cmsvirt.c +rm -vf ${LCMS_SRC}/cmswtpnt.c +rm -vf ${LCMS_SRC}/cmsxform.c +rm -vf ${LCMS_SRC}/lcms2.h +rm -vf ${LCMS_SRC}/lcms2_internal.h +rm -vf ${LCMS_SRC}/lcms2_plugin.h + + diff --git a/SOURCES/rh1566890-CVE_2018_3639-speculative_store_bypass.patch b/SOURCES/rh1566890-CVE_2018_3639-speculative_store_bypass.patch new file mode 100644 index 0000000..bd52828 --- /dev/null +++ b/SOURCES/rh1566890-CVE_2018_3639-speculative_store_bypass.patch @@ -0,0 +1,61 @@ +diff --git openjdk/src/hotspot/os/linux/os_linux.cpp openjdk/src/hotspot/os/linux/os_linux.cpp +--- openjdk/src/hotspot/os/linux/os_linux.cpp ++++ openjdk/src/hotspot/os/linux/os_linux.cpp +@@ -107,6 +107,8 @@ + # include + # include + ++#include ++ + #ifndef _GNU_SOURCE + #define _GNU_SOURCE + #include +@@ -4984,6 +4986,48 @@ + extern void report_error(char* file_name, int line_no, char* title, + char* format, ...); + ++/* Per task speculation control */ ++#ifndef PR_GET_SPECULATION_CTRL ++# define PR_GET_SPECULATION_CTRL 52 ++#endif ++#ifndef PR_SET_SPECULATION_CTRL ++# define PR_SET_SPECULATION_CTRL 53 ++#endif ++/* Speculation control variants */ ++#ifndef PR_SPEC_STORE_BYPASS ++# define PR_SPEC_STORE_BYPASS 0 ++#endif ++/* Return and control values for PR_SET/GET_SPECULATION_CTRL */ ++ ++#ifndef PR_SPEC_NOT_AFFECTED ++# define PR_SPEC_NOT_AFFECTED 0 ++#endif ++#ifndef PR_SPEC_PRCTL ++# define PR_SPEC_PRCTL (1UL << 0) ++#endif ++#ifndef PR_SPEC_ENABLE ++# define PR_SPEC_ENABLE (1UL << 1) ++#endif ++#ifndef PR_SPEC_DISABLE ++# define PR_SPEC_DISABLE (1UL << 2) ++#endif ++#ifndef PR_SPEC_FORCE_DISABLE ++# define PR_SPEC_FORCE_DISABLE (1UL << 3) ++#endif ++#ifndef PR_SPEC_DISABLE_NOEXEC ++# define PR_SPEC_DISABLE_NOEXEC (1UL << 4) ++#endif ++ ++static void set_speculation() __attribute__((constructor)); ++static void set_speculation() { ++ if ( prctl(PR_SET_SPECULATION_CTRL, ++ PR_SPEC_STORE_BYPASS, ++ PR_SPEC_DISABLE_NOEXEC, 0, 0) == 0 ) { ++ return; ++ } ++ prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0); ++} ++ + // this is called _before_ most of the global arguments have been parsed + void os::init(void) { + char dummy; // used to get a guess on initial stack address diff --git a/SOURCES/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch b/SOURCES/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch new file mode 100644 index 0000000..a877506 --- /dev/null +++ b/SOURCES/rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch @@ -0,0 +1,18 @@ +diff -uNr openjdk/src/java.desktop/share/classes/java/awt/Toolkit.java jdk8/jdk/src/java.desktop/share/classes/java/awt/Toolkit.java +--- openjdk/src/java.desktop/share/classes/java/awt/Toolkit.java ++++ openjdk/src/java.desktop/share/classes/java/awt/Toolkit.java +@@ -883,9 +883,13 @@ + return null; + } + }); + if (!GraphicsEnvironment.isHeadless()) { +- loadAssistiveTechnologies(); ++ try { ++ loadAssistiveTechnologies(); ++ } catch (AWTError error) { ++ // ignore silently ++ } + } + } + return toolkit; + } diff --git a/SOURCES/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch b/SOURCES/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch new file mode 100644 index 0000000..1b92ddc --- /dev/null +++ b/SOURCES/rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch @@ -0,0 +1,11 @@ +diff -r 5b86f66575b7 src/share/lib/security/java.security-linux +--- openjdk/src/java.base/share/conf/security/java.security Tue May 16 13:29:05 2017 -0700 ++++ openjdk/src/java.base/share/conf/security/java.security Tue Jun 06 14:05:12 2017 +0200 +@@ -83,6 +83,7 @@ + #ifndef solaris + security.provider.tbd=SunPKCS11 + #endif ++#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg + + # + # A list of preferred providers for specific algorithms. These providers will diff --git a/SOURCES/rh1648644-java_access_bridge_privileged_security.patch b/SOURCES/rh1648644-java_access_bridge_privileged_security.patch new file mode 100644 index 0000000..53026ad --- /dev/null +++ b/SOURCES/rh1648644-java_access_bridge_privileged_security.patch @@ -0,0 +1,20 @@ +--- openjdk/src/java.base/share/conf/security/java.security ++++ openjdk/src/java.base/share/conf/security/java.security +@@ -304,6 +304,8 @@ + # + package.access=sun.misc.,\ + sun.reflect.,\ ++ org.GNOME.Accessibility.,\ ++ org.GNOME.Bonobo.,\ + + # + # List of comma-separated packages that start with or equal this string +@@ -316,6 +318,8 @@ + # + package.definition=sun.misc.,\ + sun.reflect.,\ ++ org.GNOME.Accessibility.,\ ++ org.GNOME.Bonobo.,\ + + # + # Determines whether this properties file can be appended to diff --git a/SOURCES/rh1655466-global_crypto_and_fips.patch b/SOURCES/rh1655466-global_crypto_and_fips.patch new file mode 100644 index 0000000..1c67c83 --- /dev/null +++ b/SOURCES/rh1655466-global_crypto_and_fips.patch @@ -0,0 +1,205 @@ +diff --git a/src/java.base/share/classes/javopenjdk.orig///security/Security.java openjdk///src/java.base/share/classes/java/security/Security.java +--- openjdk.orig///src/java.base/share/classes/java/security/Security.java ++++ openjdk///src/java.base/share/classes/java/security/Security.java +@@ -196,26 +196,8 @@ + if (disableSystemProps == null && + "true".equalsIgnoreCase(props.getProperty + ("security.useSystemPropertiesFile"))) { +- +- // now load the system file, if it exists, so its values +- // will win if they conflict with the earlier values +- try (BufferedInputStream bis = +- new BufferedInputStream(new FileInputStream(SYSTEM_PROPERTIES))) { +- props.load(bis); ++ if (SystemConfigurator.configure(props)) { + loadedProps = true; +- +- if (sdebug != null) { +- sdebug.println("reading system security properties file " + +- SYSTEM_PROPERTIES); +- sdebug.println(props.toString()); +- } +- } catch (IOException e) { +- if (sdebug != null) { +- sdebug.println +- ("unable to load security properties from " + +- SYSTEM_PROPERTIES); +- e.printStackTrace(); +- } + } + } + +diff --git a/src/java.base/share/classes/javopenjdk.orig///security/SystemConfigurator.java openjdk///src/java.base/share/classes/java/security/SystemConfigurator.java +new file mode 100644 +--- /dev/null ++++ openjdk///src/java.base/share/classes/java/security/SystemConfigurator.java +@@ -0,0 +1,151 @@ ++/* ++ * Copyright (c) 2019, Red Hat, Inc. ++ * ++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. ++ * ++ * This code is free software; you can redistribute it and/or modify it ++ * under the terms of the GNU General Public License version 2 only, as ++ * published by the Free Software Foundation. ++ * ++ * This code is distributed in the hope that it will be useful, but WITHOUT ++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or ++ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License ++ * version 2 for more details (a copy is included in the LICENSE file that ++ * accompanied this code). ++ * ++ * You should have received a copy of the GNU General Public License version ++ * 2 along with this work; if not, write to the Free Software Foundation, ++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. ++ * ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA ++ * or visit www.oracle.com if you need additional information or have any ++ * questions. ++ */ ++ ++package java.security; ++ ++import java.io.BufferedInputStream; ++import java.io.FileInputStream; ++import java.io.IOException; ++ ++import java.nio.file.Files; ++import java.nio.file.Path; ++ ++import java.util.Iterator; ++import java.util.Map.Entry; ++import java.util.Properties; ++import java.util.function.Consumer; ++import java.util.regex.Matcher; ++import java.util.regex.Pattern; ++ ++import sun.security.util.Debug; ++ ++/** ++ * Internal class to align OpenJDK with global crypto-policies. ++ * Called from java.security.Security class initialization, ++ * during startup. ++ * ++ */ ++ ++class SystemConfigurator { ++ ++ private static final Debug sdebug = ++ Debug.getInstance("properties"); ++ ++ private static final String CRYPTO_POLICIES_BASE_DIR = ++ "/etc/crypto-policies"; ++ ++ private static final String CRYPTO_POLICIES_JAVA_CONFIG = ++ CRYPTO_POLICIES_BASE_DIR + "/back-ends/java.config"; ++ ++ private static final String CRYPTO_POLICIES_CONFIG = ++ CRYPTO_POLICIES_BASE_DIR + "/config"; ++ ++ private static final class SecurityProviderInfo { ++ int number; ++ String key; ++ String value; ++ SecurityProviderInfo(int number, String key, String value) { ++ this.number = number; ++ this.key = key; ++ this.value = value; ++ } ++ } ++ ++ /* ++ * Invoked when java.security.Security class is initialized, if ++ * java.security.disableSystemPropertiesFile property is not set and ++ * security.useSystemPropertiesFile is true. ++ */ ++ static boolean configure(Properties props) { ++ boolean loadedProps = false; ++ ++ try (BufferedInputStream bis = ++ new BufferedInputStream( ++ new FileInputStream(CRYPTO_POLICIES_JAVA_CONFIG))) { ++ props.load(bis); ++ loadedProps = true; ++ if (sdebug != null) { ++ sdebug.println("reading system security properties file " + ++ CRYPTO_POLICIES_JAVA_CONFIG); ++ sdebug.println(props.toString()); ++ } ++ } catch (IOException e) { ++ if (sdebug != null) { ++ sdebug.println("unable to load security properties from " + ++ CRYPTO_POLICIES_JAVA_CONFIG); ++ e.printStackTrace(); ++ } ++ } ++ ++ try { ++ if (enableFips()) { ++ if (sdebug != null) { sdebug.println("FIPS mode detected"); } ++ loadedProps = false; ++ // Remove all security providers ++ Iterator> i = props.entrySet().iterator(); ++ while (i.hasNext()) { ++ Entry e = i.next(); ++ if (((String) e.getKey()).startsWith("security.provider")) { ++ if (sdebug != null) { sdebug.println("Removing provider: " + e); } ++ i.remove(); ++ } ++ } ++ // Add FIPS security providers ++ String fipsProviderValue = null; ++ for (int n = 1; ++ (fipsProviderValue = (String) props.get("fips.provider." + n)) != null; n++) { ++ String fipsProviderKey = "security.provider." + n; ++ if (sdebug != null) { ++ sdebug.println("Adding provider " + n + ": " + ++ fipsProviderKey + "=" + fipsProviderValue); ++ } ++ props.put(fipsProviderKey, fipsProviderValue); ++ } ++ loadedProps = true; ++ } ++ } catch (Exception e) { ++ if (sdebug != null) { ++ sdebug.println("unable to load FIPS configuration"); ++ e.printStackTrace(); ++ } ++ } ++ return loadedProps; ++ } ++ ++ /* ++ * FIPS is enabled only if crypto-policies are set to "FIPS" ++ * and the com.redhat.fips property is true. ++ */ ++ private static boolean enableFips() throws Exception { ++ boolean fipsEnabled = Boolean.valueOf(System.getProperty("com.redhat.fips", "false")); ++ if (fipsEnabled) { ++ String cryptoPoliciesConfig = new String(Files.readAllBytes(Path.of(CRYPTO_POLICIES_CONFIG))); ++ if (sdebug != null) { sdebug.println("Crypto config:\n" + cryptoPoliciesConfig); } ++ Pattern pattern = Pattern.compile("^FIPS$", Pattern.MULTILINE); ++ return pattern.matcher(cryptoPoliciesConfig).find(); ++ } else { ++ return false; ++ } ++ } ++} +diff --git openjdk.orig///src/java.base/share/conf/security/java.security openjdk///src/java.base/share/conf/security/java.security +--- openjdk.orig///src/java.base/share/conf/security/java.security ++++ openjdk///src/java.base/share/conf/security/java.security +@@ -87,6 +87,14 @@ + #security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg + + # ++# Security providers used when global crypto-policies are set to FIPS. ++# ++fips.provider.1=SunPKCS11 ${java.home}/conf/security/nss.fips.cfg ++fips.provider.2=SUN ++fips.provider.3=SunEC ++fips.provider.4=com.sun.net.ssl.internal.ssl.Provider SunPKCS11-NSS-FIPS ++ ++# + # A list of preferred providers for specific algorithms. These providers will + # be searched for matching algorithms before the list of registered providers. + # Entries containing errors (parsing, etc) will be ignored. Use the diff --git a/SOURCES/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch b/SOURCES/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch new file mode 100644 index 0000000..1b706a1 --- /dev/null +++ b/SOURCES/rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch @@ -0,0 +1,19 @@ +Remove uses of FAR in jpeg code + +Upstream libjpeg-trubo removed the (empty) FAR macro: +http://sourceforge.net/p/libjpeg-turbo/code/1312/ + +Adjust our code to not use the undefined FAR macro anymore. + +diff --git a/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c b/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c +--- openjdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c ++++ openjdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c +@@ -1385,7 +1385,7 @@ + /* and fill it in */ + dst_ptr = icc_data; + for (seq_no = first; seq_no < last; seq_no++) { +- JOCTET FAR *src_ptr = icc_markers[seq_no]->data + ICC_OVERHEAD_LEN; ++ JOCTET *src_ptr = icc_markers[seq_no]->data + ICC_OVERHEAD_LEN; + unsigned int length = + icc_markers[seq_no]->data_length - ICC_OVERHEAD_LEN; + diff --git a/SOURCES/s390-8214206_fix.patch b/SOURCES/s390-8214206_fix.patch new file mode 100644 index 0000000..1d0c686 --- /dev/null +++ b/SOURCES/s390-8214206_fix.patch @@ -0,0 +1,12 @@ +diff --git openjdk.orig/jdk/src/hotspot/share/runtime/os.cpp openjdk/jdk/src/hotspot/share/runtime/os.cpp +--- openjdk.orig/src/hotspot/share/runtime/os.cpp ++++ openjdk/src/hotspot/share/runtime/os.cpp +@@ -1368,7 +1368,7 @@ + } + + void os::set_memory_serialize_page(address page) { +- int count = log2_intptr(sizeof(class JavaThread)) - log2_int(64); ++ int count = log2_intptr((uintptr_t) sizeof(class JavaThread)) - log2_int(64); + _mem_serialize_page = (volatile int32_t *)page; + // We initialize the serialization page shift count here + // We assume a cache line size of 64 bytes diff --git a/SPECS/java-11-openjdk.spec b/SPECS/java-11-openjdk.spec new file mode 100644 index 0000000..8906590 --- /dev/null +++ b/SPECS/java-11-openjdk.spec @@ -0,0 +1,2367 @@ +# RPM conditionals so as to be able to dynamically produce +# slowdebug/release builds. See: +# http://rpm.org/user_doc/conditional_builds.html +# +# Examples: +# +# Produce release *and* slowdebug builds on x86_64 (default): +# $ rpmbuild -ba java-1.8.0-openjdk.spec +# +# Produce only release builds (no slowdebug builds) on x86_64: +# $ rpmbuild -ba java-1.8.0-openjdk.spec --without slowdebug +# +# Only produce a release build on x86_64: +# $ fedpkg mockbuild --without slowdebug +# +# Only produce a debug build on x86_64: +# $ fedpkg local --without release +# +# Enable slowdebug builds by default on relevant arches. +%bcond_without slowdebug +# Enable release builds by default on relevant arches. +%bcond_without release + +# The -g flag says to use strip -g instead of full strip on DSOs or EXEs. +# This fixes detailed NMT and other tools which need minimal debug info. +# See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879 +%global _find_debuginfo_opts -g + +# note: parametrized macros are order-sensitive (unlike not-parametrized) even with normal macros +# also necessary when passing it as parameter to other macros. If not macro, then it is considered a switch +# see the difference between global and define: +# See https://github.com/rpm-software-management/rpm/issues/127 to comments at "pmatilai commented on Aug 18, 2017" +# (initiated in https://bugzilla.redhat.com/show_bug.cgi?id=1482192) +%global debug_suffix_unquoted -slowdebug +# quoted one for shell operations +%global debug_suffix "%{debug_suffix_unquoted}" +%global normal_suffix "" + +# if you want only debug build but providing java build only normal build but set normalbuild_parameter +%global debug_warning This package has full debug on. Install only in need and remove asap. +%global debug_on with full debug on +%global for_debug for packages with debug on + +%if %{with release} +%global include_normal_build 1 +%else +%global include_normal_build 0 +%endif + +%if %{include_normal_build} +%global build_loop1 %{normal_suffix} +%else +%global build_loop1 %{nil} +%endif + +# We have hardcoded list of files, which is appearing in alternatives, and in files +# in alternatives those are slaves and master, very often triplicated by man pages +# in files all masters and slaves are ghosted +# the ghosts are here to allow installation via query like `dnf install /usr/bin/java` +# you can list those files, with appropriate sections: cat *.spec | grep -e --install -e --slave -e post_ +# TODO - fix those hardcoded lists via single list +# those files ,must *NOT* be ghosted for *slowdebug* packages +# FIXME - if you are moving jshell or jlink or simialr, always modify all three sections +# you can check via headless and devels: +# rpm -ql --noghost java-11-openjdk-headless-11.0.1.13-8.fc29.x86_64.rpm | grep bin +# == rpm -ql java-11-openjdk-headless-slowdebug-11.0.1.13-8.fc29.x86_64.rpm | grep bin +# != rpm -ql java-11-openjdk-headless-11.0.1.13-8.fc29.x86_64.rpm | grep bin +# similarly for other %%{_jvmdir}/{jre,java} and %%{_javadocdir}/{java,java-zip} +%define is_release_build() %( if [ "%{?1}" == "%{debug_suffix_unquoted}" ]; then echo "0" ; else echo "1"; fi ) + +# while JDK is a techpreview(is_system_jdk=0), some provides are turned off. Once jdk stops to be an techpreview, move it to 1 +# as sytem JDK, we mean any JDK which can run whole system java stack without issues (like bytecode issues, module issues, dependencies...) +%global is_system_jdk 0 + +%global aarch64 aarch64 arm64 armv8 +# we need to distinguish between big and little endian PPC64 +%global ppc64le ppc64le +%global ppc64be ppc64 ppc64p7 +%global multilib_arches %{power64} sparc64 x86_64 +%global jit_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} %{arm} s390x +%global aot_arches x86_64 %{aarch64} + +# By default, we build a debug build during main build on JIT architectures +%if %{with slowdebug} +%ifarch %{jit_arches} +%ifnarch %{arm} +%global include_debug_build 1 +%else +%global include_debug_build 0 +%endif +%else +%global include_debug_build 0 +%endif +%else +%global include_debug_build 0 +%endif + +# On x86_64 and AArch64, we use the Shenandoah HotSpot +%ifarch x86_64 %{aarch64} +%global use_shenandoah_hotspot 1 +%else +%global use_shenandoah_hotspot 0 +%endif + +%if %{include_debug_build} +%global build_loop2 %{debug_suffix} +%else +%global build_loop2 %{nil} +%endif + +# if you disable both builds, then the build fails +%global build_loop %{build_loop1} %{build_loop2} +# note: that order: normal_suffix debug_suffix, in case of both enabled +# is expected in one single case at the end of the build +%global rev_build_loop %{build_loop2} %{build_loop1} + +%ifarch %{jit_arches} +%global bootstrap_build 1 +%else +%global bootstrap_build 1 +%endif + +%if %{bootstrap_build} +%global release_targets bootcycle-images docs-zip +%else +%global release_targets images docs-zip +%endif +# No docs nor bootcycle for debug builds +%global debug_targets images + + +# Filter out flags from the optflags macro that cause problems with the OpenJDK build +# We filter out -O flags so that the optimization of HotSpot is not lowered from O3 to O2 +# We filter out -Wall which will otherwise cause HotSpot to produce hundreds of thousands of warnings (100+mb logs) +# We replace it with -Wformat (required by -Werror=format-security) and -Wno-cpp to avoid FORTIFY_SOURCE warnings +# We filter out -fexceptions as the HotSpot build explicitly does -fno-exceptions and it's otherwise the default for C++ +%global ourflags %(echo %optflags | sed -e 's|-Wall|-Wformat -Wno-cpp|' | sed -r -e 's|-O[0-9]*||') +%global ourcppflags %(echo %ourflags | sed -e 's|-fexceptions||') +%global ourldflags %{__global_ldflags} + +# With disabled nss is NSS deactivated, so NSS_LIBDIR can contain the wrong path +# the initialization must be here. Later the pkg-config have buggy behavior +# looks like openjdk RPM specific bug +# Always set this so the nss.cfg file is not broken +%global NSS_LIBDIR %(pkg-config --variable=libdir nss) + +# In some cases, the arch used by the JDK does +# not match _arch. +# Also, in some cases, the machine name used by SystemTap +# does not match that given by _target_cpu +%ifarch x86_64 +%global archinstall amd64 +%global stapinstall x86_64 +%endif +%ifarch ppc +%global archinstall ppc +%global stapinstall powerpc +%endif +%ifarch %{ppc64be} +%global archinstall ppc64 +%global stapinstall powerpc +%endif +%ifarch %{ppc64le} +%global archinstall ppc64le +%global stapinstall powerpc +%endif +%ifarch %{ix86} +%global archinstall i686 +%global stapinstall i386 +%endif +%ifarch ia64 +%global archinstall ia64 +%global stapinstall ia64 +%endif +%ifarch s390 +%global archinstall s390 +%global stapinstall s390 +%endif +%ifarch s390x +%global archinstall s390x +%global stapinstall s390 +%endif +%ifarch %{arm} +%global archinstall arm +%global stapinstall arm +%endif +%ifarch %{aarch64} +%global archinstall aarch64 +%global stapinstall arm64 +%endif +# 32 bit sparc, optimized for v9 +%ifarch sparcv9 +%global archinstall sparc +%global stapinstall %{_target_cpu} +%endif +# 64 bit sparc +%ifarch sparc64 +%global archinstall sparcv9 +%global stapinstall %{_target_cpu} +%endif +# Need to support noarch for srpm build +%ifarch noarch +%global archinstall %{nil} +%global stapinstall %{nil} +%endif + +%ifarch %{jit_arches} +%global with_systemtap 1 +%else +%global with_systemtap 0 +%endif + +# New Version-String scheme-style defines +%global majorver 11 +%global securityver 6 +# buildjdkver is usually same as %%{majorver}, +# but in time of bootstrap of next jdk, it is majorver-1, +# and this it is better to change it here, on single place +%global buildjdkver %{majorver} +# Used via new version scheme. JDK 11 was +# GA'ed in September 2018 => 18.9 +%global vendor_version_string 18.9 +# Add LTS designator for RHEL builds +%if 0%{?rhel} + %global lts_designator "LTS" + %global lts_designator_zip -%{lts_designator} +%else + %global lts_designator "" + %global lts_designator_zip "" +%endif + +# Define IcedTea version used for SystemTap tapsets and desktop file +%global icedteaver 3.15.0 + +# Standard JPackage naming and versioning defines +%global origin openjdk +%global origin_nice OpenJDK +%global top_level_dir_name %{origin} +%global minorver 0 +%global buildver 10 +%global rpmrelease 4 +#%%global tagsuffix "" +# priority must be 8 digits in total; untill openjdk 1.8 we were using 18..... so when moving to 11 we had to add another digit +%if %is_system_jdk +%global priority %( printf '%02d%02d%02d%02d' %{majorver} %{minorver} %{securityver} %{buildver} ) +%else +# for techpreview, using 1, so slowdebugs can have 0 +%global priority %( printf '%08d' 1 ) +%endif +%global newjavaver %{majorver}.%{minorver}.%{securityver} + +%global javaver %{majorver} + +# Define milestone (EA for pre-releases, GA for releases) +# Release will be (where N is usually a number starting at 1): +# - 0.N%%{?extraver}%%{?dist} for EA releases, +# - N%%{?extraver}{?dist} for GA releases +%global is_ga 1 +%if %{is_ga} +%global ea_designator "" +%global ea_designator_zip "" +%global extraver %{nil} +%global eaprefix %{nil} +%else +%global ea_designator ea +%global ea_designator_zip -%{ea_designator} +%global extraver .%{ea_designator} +%global eaprefix 0. +%endif + +# parametrized macros are order-sensitive +%global compatiblename java-%{majorver}-%{origin} +%global fullversion %{compatiblename}-%{version}-%{release} +# images stub +%global jdkimage jdk +# output dir stub +%define buildoutputdir() %{expand:openjdk/build%{?1}} +# we can copy the javadoc to not arched dir, or make it not noarch +%define uniquejavadocdir() %{expand:%{fullversion}.%{_arch}%{?1}} +# main id and dir of this jdk +%define uniquesuffix() %{expand:%{fullversion}.%{_arch}%{?1}} + +################################################################# +# fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349 +# https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14 +# https://bugzilla.redhat.com/show_bug.cgi?id=1655938 +%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsunec[.]so.*|libunpack[.]so.*|libzip[.]so.* +%global _publiclibs libjawt[.]so.*|libjava[.]so.*|libjvm[.]so.*|libverify[.]so.*|libjsig[.]so.* +%if %is_system_jdk +%global __provides_exclude ^(%{_privatelibs})$ +%global __requires_exclude ^(%{_privatelibs})$ +# Never generate lib-style provides/requires for slowdebug packages +%global __provides_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$ +%global __requires_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$ +%else +# Don't generate provides/requires for JDK provided shared libraries at all. +%global __provides_exclude ^(%{_privatelibs}|%{_publiclibs})$ +%global __requires_exclude ^(%{_privatelibs}|%{_publiclibs})$ +%endif + + +%global etcjavasubdir %{_sysconfdir}/java/java-%{javaver}-%{origin} +%define etcjavadir() %{expand:%{etcjavasubdir}/%{uniquesuffix -- %{?1}}} +# Standard JPackage directories and symbolic links. +%define sdkdir() %{expand:%{uniquesuffix -- %{?1}}} +%define jrelnk() %{expand:jre-%{javaver}-%{origin}-%{version}-%{release}.%{_arch}%{?1}} + +%define sdkbindir() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin} +%define jrebindir() %{expand:%{_jvmdir}/%{sdkdir -- %{?1}}/bin} + +%global rpm_state_dir %{_localstatedir}/lib/rpm-state/ + +%if %{with_systemtap} +# Where to install systemtap tapset (links) +# We would like these to be in a package specific sub-dir, +# but currently systemtap doesn't support that, so we have to +# use the root tapset dir for now. To distinguish between 64 +# and 32 bit architectures we place the tapsets under the arch +# specific dir (note that systemtap will only pickup the tapset +# for the primary arch for now). Systemtap uses the machine name +# aka target_cpu as architecture specific directory name. +%global tapsetroot /usr/share/systemtap +%global tapsetdirttapset %{tapsetroot}/tapset/ +%global tapsetdir %{tapsetdirttapset}/%{stapinstall} +%endif + +# not-duplicated scriptlets for normal/debug packages +%global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : + + +%define post_script() %{expand: +update-desktop-database %{_datadir}/applications &> /dev/null || : +/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || : +exit 0 +} + + +%define post_headless() %{expand: +%ifarch %{jit_arches} +# MetaspaceShared::generate_vtable_methods not implemented for PPC JIT +%ifnarch %{ppc64le} +# see https://bugzilla.redhat.com/show_bug.cgi?id=513605 +%{jrebindir -- %{?1}}/java -Xshare:dump >/dev/null 2>/dev/null +%endif +%endif + +PRIORITY=%{priority} +if [ "%{?1}" == %{debug_suffix} ]; then + let PRIORITY=PRIORITY-1 +fi + +ext=.gz +alternatives \\ + --install %{_bindir}/java java %{jrebindir -- %{?1}}/java $PRIORITY --family %{name}.%{_arch} \\ + --slave %{_jvmdir}/jre jre %{_jvmdir}/%{sdkdir -- %{?1}} \\ + --slave %{_bindir}/jjs jjs %{jrebindir -- %{?1}}/jjs \\ + --slave %{_bindir}/keytool keytool %{jrebindir -- %{?1}}/keytool \\ + --slave %{_bindir}/pack200 pack200 %{jrebindir -- %{?1}}/pack200 \\ + --slave %{_bindir}/rmid rmid %{jrebindir -- %{?1}}/rmid \\ + --slave %{_bindir}/rmiregistry rmiregistry %{jrebindir -- %{?1}}/rmiregistry \\ + --slave %{_bindir}/unpack200 unpack200 %{jrebindir -- %{?1}}/unpack200 \\ + --slave %{_mandir}/man1/java.1$ext java.1$ext \\ + %{_mandir}/man1/java-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jjs.1$ext jjs.1$ext \\ + %{_mandir}/man1/jjs-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/keytool.1$ext keytool.1$ext \\ + %{_mandir}/man1/keytool-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/pack200.1$ext pack200.1$ext \\ + %{_mandir}/man1/pack200-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/rmid.1$ext rmid.1$ext \\ + %{_mandir}/man1/rmid-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/rmiregistry.1$ext rmiregistry.1$ext \\ + %{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/unpack200.1$ext unpack200.1$ext \\ + %{_mandir}/man1/unpack200-%{uniquesuffix -- %{?1}}.1$ext + +for X in %{origin} %{javaver} ; do + alternatives --install %{_jvmdir}/jre-"$X" jre_"$X" %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{name}.%{_arch} +done + +update-alternatives --install %{_jvmdir}/jre-%{javaver}-%{origin} jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} $PRIORITY --family %{name}.%{_arch} + + +update-desktop-database %{_datadir}/applications &> /dev/null || : +/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || : + +# see pretrans where this file is declared +# also see that pretrans is only for non-debug +if [ ! "%{?1}" == %{debug_suffix} ]; then + if [ -f %{_libexecdir}/copy_jdk_configs_fixFiles.sh ] ; then + sh %{_libexecdir}/copy_jdk_configs_fixFiles.sh %{rpm_state_dir}/%{name}.%{_arch} %{_jvmdir}/%{sdkdir -- %{?1}} + fi +fi + +exit 0 +} + +%define postun_script() %{expand: +update-desktop-database %{_datadir}/applications &> /dev/null || : +if [ $1 -eq 0 ] ; then + /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null + %{update_desktop_icons} +fi +exit 0 +} + + +%define postun_headless() %{expand: + alternatives --remove java %{jrebindir -- %{?1}}/java + alternatives --remove jre_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} + alternatives --remove jre_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} + alternatives --remove jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} +} + +%define posttrans_script() %{expand: +%{update_desktop_icons} +} + +%define post_devel() %{expand: + +PRIORITY=%{priority} +if [ "%{?1}" == %{debug_suffix} ]; then + let PRIORITY=PRIORITY-1 +fi + +ext=.gz +alternatives \\ + --install %{_bindir}/javac javac %{sdkbindir -- %{?1}}/javac $PRIORITY --family %{name}.%{_arch} \\ + --slave %{_jvmdir}/java java_sdk %{_jvmdir}/%{sdkdir -- %{?1}} \\ +%ifarch %{aot_arches} + --slave %{_bindir}/jaotc jaotc %{sdkbindir -- %{?1}}/jaotc \\ +%endif + --slave %{_bindir}/jlink jlink %{sdkbindir -- %{?1}}/jlink \\ + --slave %{_bindir}/jmod jmod %{sdkbindir -- %{?1}}/jmod \\ +%ifarch %{jit_arches} +%ifnarch s390x + --slave %{_bindir}/jhsdb jhsdb %{sdkbindir -- %{?1}}/jhsdb \\ +%endif +%endif + --slave %{_bindir}/jar jar %{sdkbindir -- %{?1}}/jar \\ + --slave %{_bindir}/jarsigner jarsigner %{sdkbindir -- %{?1}}/jarsigner \\ + --slave %{_bindir}/javadoc javadoc %{sdkbindir -- %{?1}}/javadoc \\ + --slave %{_bindir}/javap javap %{sdkbindir -- %{?1}}/javap \\ + --slave %{_bindir}/jcmd jcmd %{sdkbindir -- %{?1}}/jcmd \\ + --slave %{_bindir}/jconsole jconsole %{sdkbindir -- %{?1}}/jconsole \\ + --slave %{_bindir}/jdb jdb %{sdkbindir -- %{?1}}/jdb \\ + --slave %{_bindir}/jdeps jdeps %{sdkbindir -- %{?1}}/jdeps \\ + --slave %{_bindir}/jdeprscan jdeprscan %{sdkbindir -- %{?1}}/jdeprscan \\ + --slave %{_bindir}/jfr jfr %{sdkbindir -- %{?1}}/jfr \\ + --slave %{_bindir}/jimage jimage %{sdkbindir -- %{?1}}/jimage \\ + --slave %{_bindir}/jinfo jinfo %{sdkbindir -- %{?1}}/jinfo \\ + --slave %{_bindir}/jmap jmap %{sdkbindir -- %{?1}}/jmap \\ + --slave %{_bindir}/jps jps %{sdkbindir -- %{?1}}/jps \\ + --slave %{_bindir}/jrunscript jrunscript %{sdkbindir -- %{?1}}/jrunscript \\ + --slave %{_bindir}/jshell jshell %{sdkbindir -- %{?1}}/jshell \\ + --slave %{_bindir}/jstack jstack %{sdkbindir -- %{?1}}/jstack \\ + --slave %{_bindir}/jstat jstat %{sdkbindir -- %{?1}}/jstat \\ + --slave %{_bindir}/jstatd jstatd %{sdkbindir -- %{?1}}/jstatd \\ + --slave %{_bindir}/rmic rmic %{sdkbindir -- %{?1}}/rmic \\ + --slave %{_bindir}/serialver serialver %{sdkbindir -- %{?1}}/serialver \\ + --slave %{_mandir}/man1/jar.1$ext jar.1$ext \\ + %{_mandir}/man1/jar-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jarsigner.1$ext jarsigner.1$ext \\ + %{_mandir}/man1/jarsigner-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/javac.1$ext javac.1$ext \\ + %{_mandir}/man1/javac-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/javadoc.1$ext javadoc.1$ext \\ + %{_mandir}/man1/javadoc-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/javap.1$ext javap.1$ext \\ + %{_mandir}/man1/javap-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jcmd.1$ext jcmd.1$ext \\ + %{_mandir}/man1/jcmd-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jconsole.1$ext jconsole.1$ext \\ + %{_mandir}/man1/jconsole-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jdb.1$ext jdb.1$ext \\ + %{_mandir}/man1/jdb-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jdeps.1$ext jdeps.1$ext \\ + %{_mandir}/man1/jdeps-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jinfo.1$ext jinfo.1$ext \\ + %{_mandir}/man1/jinfo-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jmap.1$ext jmap.1$ext \\ + %{_mandir}/man1/jmap-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jps.1$ext jps.1$ext \\ + %{_mandir}/man1/jps-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jrunscript.1$ext jrunscript.1$ext \\ + %{_mandir}/man1/jrunscript-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jstack.1$ext jstack.1$ext \\ + %{_mandir}/man1/jstack-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jstat.1$ext jstat.1$ext \\ + %{_mandir}/man1/jstat-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/jstatd.1$ext jstatd.1$ext \\ + %{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/rmic.1$ext rmic.1$ext \\ + %{_mandir}/man1/rmic-%{uniquesuffix -- %{?1}}.1$ext \\ + --slave %{_mandir}/man1/serialver.1$ext serialver.1$ext \\ + %{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1$ext \\ + +for X in %{origin} %{javaver} ; do + alternatives \\ + --install %{_jvmdir}/java-"$X" java_sdk_"$X" %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{name}.%{_arch} +done + +update-alternatives --install %{_jvmdir}/java-%{javaver}-%{origin} java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{name}.%{_arch} + +update-desktop-database %{_datadir}/applications &> /dev/null || : +/bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || : + +exit 0 +} + +%define postun_devel() %{expand: + alternatives --remove javac %{sdkbindir -- %{?1}}/javac + alternatives --remove java_sdk_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} + alternatives --remove java_sdk_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} + alternatives --remove java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} + +update-desktop-database %{_datadir}/applications &> /dev/null || : + +if [ $1 -eq 0 ] ; then + /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null + %{update_desktop_icons} +fi +exit 0 +} + +%define posttrans_devel() %{expand: +%{update_desktop_icons} +} + +%define post_javadoc() %{expand: + +PRIORITY=%{priority} +if [ "%{?1}" == %{debug_suffix} ]; then + let PRIORITY=PRIORITY-1 +fi + +alternatives \\ + --install %{_javadocdir}/java javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api \\ + $PRIORITY --family %{name} +exit 0 +} + +%define postun_javadoc() %{expand: + alternatives --remove javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api +exit 0 +} + +%define post_javadoc_zip() %{expand: + +PRIORITY=%{priority} +if [ "%{?1}" == %{debug_suffix} ]; then + let PRIORITY=PRIORITY-1 +fi + +alternatives \\ + --install %{_javadocdir}/java-zip javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip \\ + $PRIORITY --family %{name} +exit 0 +} + +%define postun_javadoc_zip() %{expand: + alternatives --remove javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip +exit 0 +} + +%define files_jre() %{expand: +%{_datadir}/icons/hicolor/*x*/apps/java-%{javaver}-%{origin}.png +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsplashscreen.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_xawt.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjawt.so +} + + +%define files_jre_headless() %{expand: +%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal +%dir %{_sysconfdir}/.java/.systemPrefs +%dir %{_sysconfdir}/.java +%dir %{_jvmdir}/%{sdkdir -- %{?1}} +%{_jvmdir}/%{sdkdir -- %{?1}}/release +%{_jvmdir}/%{jrelnk -- %{?1}} +%dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/java +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jjs +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/keytool +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/pack200 +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/rmid +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/rmiregistry +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/unpack200 +%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib +%ifarch %{jit_arches} +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/classlist +%endif +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jexec +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jspawnhelper +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jrt-fs.jar +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/modules +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfont.properties.ja +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfontj2d.properties +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/tzdb.dat +%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/jli +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jli/libjli.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jvm.cfg +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libattach.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libextnet.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjsig.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_headless.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libdt_socket.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfontmanager.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libinstrument.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2gss.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pcsc.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pkcs11.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjaas.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjava.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjavajpeg.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjdwp.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjimage.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjsound.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/liblcms.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmanagement.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmanagement_agent.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmanagement_ext.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libmlib_image.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libnet.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libnio.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libprefs.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/librmi.so +# Zero and S390x don't have SA +%ifarch %{jit_arches} +%ifnarch s390x +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsaproc.so +%endif +%endif +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsctp.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsunec.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libunpack.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libverify.so +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libzip.so +%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr/default.jfc +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jfr/profile.jfc +%{_mandir}/man1/java-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jjs-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/keytool-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/pack200-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/rmid-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/unpack200-%{uniquesuffix -- %{?1}}.1* +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/server/ +%ifarch %{jit_arches} +%ifnarch %{power64} +%attr(444, root, root) %ghost %{_jvmdir}/%{sdkdir -- %{?1}}/lib/server/classes.jsa +%endif +%endif +%dir %{etcjavasubdir} +%dir %{etcjavadir -- %{?1}} +%dir %{etcjavadir -- %{?1}}/lib +%dir %{etcjavadir -- %{?1}}/lib/security +%{etcjavadir -- %{?1}}/lib/security/cacerts +%dir %{etcjavadir -- %{?1}}/conf +%dir %{etcjavadir -- %{?1}}/conf/management +%dir %{etcjavadir -- %{?1}}/conf/security +%dir %{etcjavadir -- %{?1}}/conf/security/policy +%dir %{etcjavadir -- %{?1}}/conf/security/policy/limited +%dir %{etcjavadir -- %{?1}}/conf/security/policy/unlimited +%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/default.policy +%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/blacklisted.certs +%config(noreplace) %{etcjavadir -- %{?1}}/lib/security/public_suffix_list.dat +%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/exempt_local.policy +%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/default_local.policy +%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/limited/default_US_export.policy +%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/unlimited/default_local.policy +%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/policy/unlimited/default_US_export.policy + %{etcjavadir -- %{?1}}/conf/security/policy/README.txt +%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.policy +%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/java.security +%config(noreplace) %{etcjavadir -- %{?1}}/conf/logging.properties +%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.cfg +%config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.fips.cfg +%config(noreplace) %{etcjavadir -- %{?1}}/conf/management/jmxremote.access +# this is conifg template, thus not config-noreplace +%config %{etcjavadir -- %{?1}}/conf/management/jmxremote.password.template +%config(noreplace) %{etcjavadir -- %{?1}}/conf/management/management.properties +%config(noreplace) %{etcjavadir -- %{?1}}/conf/net.properties +%config(noreplace) %{etcjavadir -- %{?1}}/conf/sound.properties +%{_jvmdir}/%{sdkdir -- %{?1}}/conf +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/security +%if %is_system_jdk +%if %{is_release_build -- %{?1}} +%ghost %{_bindir}/java +%ghost %{_jvmdir}/jre +# https://bugzilla.redhat.com/show_bug.cgi?id=1312019 +%ghost %{_bindir}/jjs +%ghost %{_bindir}/keytool +%ghost %{_bindir}/pack200 +%ghost %{_bindir}/rmid +%ghost %{_bindir}/rmiregistry +%ghost %{_bindir}/unpack200 +%ghost %{_jvmdir}/jre-%{origin} +%ghost %{_jvmdir}/jre-%{javaver} +%ghost %{_jvmdir}/jre-%{javaver}-%{origin} +%endif +%endif +} + +%define files_devel() %{expand: +%dir %{_jvmdir}/%{sdkdir -- %{?1}}/bin +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jar +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jarsigner +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/javac +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/javadoc +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/javap +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jconsole +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jcmd +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdb +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdeps +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jdeprscan +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jfr +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jimage +# Zero and S390x don't have SA +%ifarch %{jit_arches} +%ifnarch s390x +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jhsdb +%endif +%endif +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jinfo +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jlink +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jmap +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jmod +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jps +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jrunscript +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jshell +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jstack +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jstat +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jstatd +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/rmic +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/serialver +%ifarch %{aot_arches} +%{_jvmdir}/%{sdkdir -- %{?1}}/bin/jaotc +%endif +%{_jvmdir}/%{sdkdir -- %{?1}}/include +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/ct.sym +%if %{with_systemtap} +%{_jvmdir}/%{sdkdir -- %{?1}}/tapset +%endif +%{_datadir}/applications/*jconsole%{?1}.desktop +%{_mandir}/man1/jar-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jarsigner-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/javac-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/javadoc-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/javap-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jconsole-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jcmd-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jdb-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jdeps-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jinfo-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jmap-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jps-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jrunscript-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jstack-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jstat-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/rmic-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1* +%if %{with_systemtap} +%dir %{tapsetroot} +%dir %{tapsetdirttapset} +%dir %{tapsetdir} +%{tapsetdir}/*%{_arch}%{?1}.stp +%endif +%if %is_system_jdk +%if %{is_release_build -- %{?1}} +%ghost %{_bindir}/javac +%ghost %{_jvmdir}/java +%ghost %{_bindir}/jaotc +%ghost %{_bindir}/jlink +%ghost %{_bindir}/jmod +%ghost %{_bindir}/jhsdb +%ghost %{_bindir}/jar +%ghost %{_bindir}/jarsigner +%ghost %{_bindir}/javadoc +%ghost %{_bindir}/javap +%ghost %{_bindir}/jcmd +%ghost %{_bindir}/jconsole +%ghost %{_bindir}/jdb +%ghost %{_bindir}/jdeps +%ghost %{_bindir}/jdeprscan +%ghost %{_bindir}/jimage +%ghost %{_bindir}/jinfo +%ghost %{_bindir}/jmap +%ghost %{_bindir}/jps +%ghost %{_bindir}/jrunscript +%ghost %{_bindir}/jshell +%ghost %{_bindir}/jstack +%ghost %{_bindir}/jstat +%ghost %{_bindir}/jstatd +%ghost %{_bindir}/rmic +%ghost %{_bindir}/serialver +%ghost %{_jvmdir}/java-%{origin} +%ghost %{_jvmdir}/java-%{javaver} +%ghost %{_jvmdir}/java-%{javaver}-%{origin} +%endif +%endif +} + +%define files_jmods() %{expand: +%{_jvmdir}/%{sdkdir -- %{?1}}/jmods +} + +%define files_demo() %{expand: +%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal +%{_jvmdir}/%{sdkdir -- %{?1}}/demo +%{_jvmdir}/%{sdkdir -- %{?1}}/sample +} + +%define files_src() %{expand: +%license %{_jvmdir}/%{sdkdir -- %{?1}}/legal +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/src.zip +} + +%define files_javadoc() %{expand: +%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}} +%license %{buildoutputdir -- %{?1}}/images/%{jdkimage}/legal +%if %is_system_jdk +%if %{is_release_build -- %{?1}} +%ghost %{_javadocdir}/java +%endif +%endif +} + +%define files_javadoc_zip() %{expand: +%doc %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip +%license %{buildoutputdir -- %{?1}}/images/%{jdkimage}/legal +%if %is_system_jdk +%if %{is_release_build -- %{?1}} +%ghost %{_javadocdir}/java-zip +%endif +%endif +} + +# not-duplicated requires/provides/obsoletes for normal/debug packages +%define java_rpo() %{expand: +Requires: fontconfig%{?_isa} +Requires: xorg-x11-fonts-Type1 +# Require libXcomposite explicitly since it's only dynamically loaded +# at runtime. Fixes screenshot issues. See JDK-8150954. +Requires: libXcomposite%{?_isa} +# Requires rest of java +Requires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} +OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} +# for java-X-openjdk package's desktop binding +%if 0%{?rhel} >= 8 +Recommends: gtk3%{?_isa} +%endif + +Provides: java-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release} + +# Standard JPackage base provides +Provides: jre-%{javaver}%{?1} = %{epoch}:%{version}-%{release} +Provides: jre-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}%{?1} = %{epoch}:%{version}-%{release} +%if %is_system_jdk +Provides: java-%{origin}%{?1} = %{epoch}:%{version}-%{release} +Provides: jre-%{origin}%{?1} = %{epoch}:%{version}-%{release} +Provides: java%{?1} = %{epoch}:%{version}-%{release} +Provides: jre%{?1} = %{epoch}:%{version}-%{release} +%endif +} + +%define java_headless_rpo() %{expand: +# Require /etc/pki/java/cacerts +Requires: ca-certificates +# Require javapackages-filesystem for ownership of /usr/lib/jvm/ and macros +Requires: javapackages-filesystem +# Require zone-info data provided by tzdata-java sub-package +Requires: tzdata-java >= 2015d +# libsctp.so.1 is being `dlopen`ed on demand +Requires: lksctp-tools%{?_isa} +# tool to copy jdk's configs - should be Recommends only, but then only dnf/yum enforce it, +# not rpm transaction and so no configs are persisted when pure rpm -u is run. It may be +# considered as regression +Requires: copy-jdk-configs >= 3.3 +OrderWithRequires: copy-jdk-configs +# for printing support +Requires: cups-libs +# Post requires alternatives to install tool alternatives +Requires(post): %{_sbindir}/alternatives +# in version 1.7 and higher for --family switch +Requires(post): chkconfig >= 1.7 +# Postun requires alternatives to uninstall tool alternatives +Requires(postun): %{_sbindir}/alternatives +# in version 1.7 and higher for --family switch +Requires(postun): chkconfig >= 1.7 +# for optional support of kernel stream control, card reader and printing bindings +%if 0%{?rhel} >= 8 +Suggests: lksctp-tools%{?_isa}, pcsc-lite-devel%{?_isa} +%endif + +# Standard JPackage base provides +Provides: jre-%{javaver}-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release} +Provides: jre-%{javaver}-headless%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-headless%{?1} = %{epoch}:%{version}-%{release} +%if %is_system_jdk +Provides: java-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release} +Provides: jre-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release} +Provides: jre-headless%{?1} = %{epoch}:%{version}-%{release} +Provides: java-headless%{?1} = %{epoch}:%{version}-%{release} +%endif +} + +%define java_devel_rpo() %{expand: +# Requires base package +Requires: %{name}%{?1}%{?_isa} = %{epoch}:%{version}-%{release} +OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} +# Post requires alternatives to install tool alternatives +Requires(post): %{_sbindir}/alternatives +# in version 1.7 and higher for --family switch +Requires(post): chkconfig >= 1.7 +# Postun requires alternatives to uninstall tool alternatives +Requires(postun): %{_sbindir}/alternatives +# in version 1.7 and higher for --family switch +Requires(postun): chkconfig >= 1.7 + +# Standard JPackage devel provides +Provides: java-sdk-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release} +Provides: java-sdk-%{javaver}%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-devel%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-%{origin}-devel%{?1} = %{epoch}:%{version}-%{release} +%if %is_system_jdk +Provides: java-devel-%{origin}%{?1} = %{epoch}:%{version}-%{release} +Provides: java-sdk-%{origin}%{?1} = %{epoch}:%{version}-%{release} +Provides: java-devel%{?1} = %{epoch}:%{version}-%{release} +Provides: java-sdk%{?1} = %{epoch}:%{version}-%{release} +%endif +} + +%define java_jmods_rpo() %{expand: +# Requires devel package +# as jmods are bytecode, they should be OK without any _isa +Requires: %{name}-devel%{?1} = %{epoch}:%{version}-%{release} +OrderWithRequires: %{name}-headless%{?1} = %{epoch}:%{version}-%{release} + +Provides: java-%{javaver}-jmods%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-%{origin}-jmods%{?1} = %{epoch}:%{version}-%{release} +%if %is_system_jdk +Provides: java-jmods%{?1} = %{epoch}:%{version}-%{release} +%endif +} + +%define java_demo_rpo() %{expand: +Requires: %{name}%{?1}%{?_isa} = %{epoch}:%{version}-%{release} +OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} + +Provides: java-%{javaver}-demo%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-%{origin}-demo%{?1} = %{epoch}:%{version}-%{release} +%if %is_system_jdk +Provides: java-demo%{?1} = %{epoch}:%{version}-%{release} +%endif +} + +%define java_javadoc_rpo() %{expand: +OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} +# Post requires alternatives to install javadoc alternative +Requires(post): %{_sbindir}/alternatives +# in version 1.7 and higher for --family switch +Requires(post): chkconfig >= 1.7 +# Postun requires alternatives to uninstall javadoc alternative +Requires(postun): %{_sbindir}/alternatives +# in version 1.7 and higher for --family switch +Requires(postun): chkconfig >= 1.7 + +# Standard JPackage javadoc provides +Provides: java-%{javaver}-javadoc%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-%{origin}-javadoc%{?1} = %{epoch}:%{version}-%{release} +%if %is_system_jdk +Provides: java-javadoc%{?1} = %{epoch}:%{version}-%{release} +%endif +} + +%define java_src_rpo() %{expand: +Requires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} + +# Standard JPackage sources provides +Provides: java-%{javaver}-src%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-%{origin}-src%{?1} = %{epoch}:%{version}-%{release} +%if %is_system_jdk +Provides: java-src%{?1} = %{epoch}:%{version}-%{release} +%endif +} + +# Prevent brp-java-repack-jars from being run +%global __jar_repack 0 + +Name: java-%{javaver}-%{origin} +Version: %{newjavaver}.%{buildver} +Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist} +# java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons +# and this change was brought into RHEL-4. java-1.5.0-ibm packages +# also included the epoch in their virtual provides. This created a +# situation where in-the-wild java-1.5.0-ibm packages provided "java = +# 1:1.5.0". In RPM terms, "1.6.0 < 1:1.5.0" since 1.6.0 is +# interpreted as 0:1.6.0. So the "java >= 1.6.0" requirement would be +# satisfied by the 1:1.5.0 packages. Thus we need to set the epoch in +# JDK package >= 1.6.0 to 1, and packages referring to JDK virtual +# provides >= 1.6.0 must specify the epoch, "java >= 1:1.6.0". + +Epoch: 1 +Summary: %{origin_nice} Runtime Environment %{majorver} +Group: Development/Languages + +# HotSpot code is licensed under GPLv2 +# JDK library code is licensed under GPLv2 with the Classpath exception +# The Apache license is used in code taken from Apache projects (primarily xalan & xerces) +# DOM levels 2 & 3 and the XML digital signature schemas are licensed under the W3C Software License +# The JSR166 concurrency code is in the public domain +# The BSD and MIT licenses are used for a number of third-party libraries (see ADDITIONAL_LICENSE_INFO) +# The OpenJDK source tree includes: +# - JPEG library (IJG), zlib & libpng (zlib), giflib (MIT), harfbuzz (ISC), +# - freetype (FTL), jline (BSD) and LCMS (MIT) +# - jquery (MIT), jdk.crypto.cryptoki PKCS 11 wrapper (RSA) +# - public_suffix_list.dat from publicsuffix.org (MPLv2.0) +# The test code includes copies of NSS under the Mozilla Public License v2.0 +# The PCSClite headers are under a BSD with advertising license +# The elliptic curve cryptography (ECC) source code is licensed under the LGPLv2.1 or any later version +License: ASL 1.1 and ASL 2.0 and BSD and BSD with advertising and GPL+ and GPLv2 and GPLv2 with exceptions and IJG and LGPLv2+ and MIT and MPLv2.0 and Public Domain and W3C and zlib and ISC and FTL and RSA +URL: http://openjdk.java.net/ + + +# to regenerate source0 (jdk) run update_package.sh +# update_package.sh contains hard-coded repos, revisions, tags, and projects to regenerate the source archives +Source0: shenandoah-jdk%{majorver}-shenandoah-jdk-%{newjavaver}+%{buildver}%{?tagsuffix:-%{tagsuffix}}-4curve.tar.xz + +# Use 'icedtea_sync.sh' to update the following +# They are based on code contained in the IcedTea project (3.x). +# Systemtap tapsets. Zipped up to keep it small. +Source8: tapsets-icedtea-%{icedteaver}.tar.xz + +# Desktop files. Adapted from IcedTea +Source9: jconsole.desktop.in + +# nss configuration file +Source11: nss.cfg.in + +# Removed libraries that we link instead +Source12: remove-intree-libraries.sh + +# Ensure we aren't using the limited crypto policy +Source13: TestCryptoLevel.java + +# Ensure ECDSA is working +Source14: TestECDSA.java + +# nss fips configuration file +Source15: nss.fips.cfg.in + +############################################ +# +# RPM/distribution specific patches +# +############################################ + +# Ignore AWTError when assistive technologies are loaded +Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch +# Restrict access to java-atk-wrapper classes +Patch2: rh1648644-java_access_bridge_privileged_security.patch +# NSS via SunPKCS11 Provider (disabled due to memory leak). +Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch +# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider +Patch1001: rh1655466-global_crypto_and_fips.patch + +############################################# +# +# Shenandoah specific patches +# +############################################# +# JDK-8237396: JvmtiTagMap::weak_oops_do() should not trigger barriers +Patch10: jdk8237396-avoid_triggering_barriers.patch + +# Currently empty + +############################################# +# +# Upstreamable patches +# +# This section includes patches which need to +# be reviewed & pushed to the current development +# tree of OpenJDK. +############################################# + +Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch +# PR3694, RH1340845: Add security.useSystemPropertiesFile option to java.security to use system crypto policy +Patch4: pr3694-rh1340845-support_fedora_rhel_system_crypto_policy.patch +# RH1566890: CVE-2018-3639 +Patch6: rh1566890-CVE_2018_3639-speculative_store_bypass.patch +# PR3695: Allow use of system crypto policy to be disabled by the user +Patch7: pr3695-toggle_system_crypto_policy.patch +# S390 ambiguous log2_intptr call +Patch8: s390-8214206_fix.patch +# JDK-8236039: JSSE Client does not accept status_request extension in CertificateRequest messages for TLS 1.3 +Patch9: jdk8236039-status_request_extension.patch + +############################################# +# +# JDK 9+ only patches +# +############################################# + +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: alsa-lib-devel +BuildRequires: binutils +BuildRequires: cups-devel +BuildRequires: desktop-file-utils +# elfutils only are OK for build without AOT +BuildRequires: elfutils-devel +BuildRequires: fontconfig-devel +BuildRequires: freetype-devel +BuildRequires: giflib-devel +BuildRequires: gcc-c++ +BuildRequires: gdb +BuildRequires: lcms2-devel +BuildRequires: libjpeg-devel +BuildRequires: libpng-devel +BuildRequires: libxslt +BuildRequires: libX11-devel +BuildRequires: libXi-devel +BuildRequires: libXinerama-devel +BuildRequires: libXrandr-devel +BuildRequires: libXrender-devel +BuildRequires: libXt-devel +BuildRequires: libXtst-devel +# Requirements for setting up the nss.cfg +BuildRequires: nss-devel +BuildRequires: pkgconfig +BuildRequires: xorg-x11-proto-devel +BuildRequires: zip +BuildRequires: unzip +BuildRequires: javapackages-filesystem +BuildRequires: java-%{buildjdkver}-openjdk-devel +# Zero-assembler build requirement +%ifnarch %{jit_arches} +BuildRequires: libffi-devel +%endif +BuildRequires: tzdata-java >= 2015d +# Earlier versions have a bug in tree vectorization on PPC +BuildRequires: gcc >= 4.8.3-8 + +%if %{with_systemtap} +BuildRequires: systemtap-sdt-devel +%endif + +# this is always built, also during debug-only build +# when it is built in debug-only this package is just placeholder +%{java_rpo %{nil}} + +%description +The %{origin_nice} runtime environment. + +%if %{include_debug_build} +%package slowdebug +Summary: %{origin_nice} Runtime Environment %{majorver} %{debug_on} +Group: Development/Languages + +%{java_rpo -- %{debug_suffix_unquoted}} +%description slowdebug +The %{origin_nice} runtime environment. +%{debug_warning} +%endif + +%if %{include_normal_build} +%package headless +Summary: %{origin_nice} Headless Runtime Environment %{majorver} +Group: Development/Languages + +%{java_headless_rpo %{nil}} + +%description headless +The %{origin_nice} runtime environment %{majorver} without audio and video support. +%endif + +%if %{include_debug_build} +%package headless-slowdebug +Summary: %{origin_nice} Runtime Environment %{debug_on} +Group: Development/Languages + +%{java_headless_rpo -- %{debug_suffix_unquoted}} + +%description headless-slowdebug +The %{origin_nice} runtime environment %{majorver} without audio and video support. +%{debug_warning} +%endif + +%if %{include_normal_build} +%package devel +Summary: %{origin_nice} Development Environment %{majorver} +Group: Development/Tools + +%{java_devel_rpo %{nil}} + +%description devel +The %{origin_nice} development tools %{majorver}. +%endif + +%if %{include_debug_build} +%package devel-slowdebug +Summary: %{origin_nice} Development Environment %{majorver} %{debug_on} +Group: Development/Tools + +%{java_devel_rpo -- %{debug_suffix_unquoted}} + +%description devel-slowdebug +The %{origin_nice} development tools %{majorver}. +%{debug_warning} +%endif + +%if %{include_normal_build} +%package jmods +Summary: JMods for %{origin_nice} %{majorver} +Group: Development/Tools + +%{java_jmods_rpo %{nil}} + +%description jmods +The JMods for %{origin_nice}. +%endif + +%if %{include_debug_build} +%package jmods-slowdebug +Summary: JMods for %{origin_nice} %{majorver} %{debug_on} +Group: Development/Tools + +%{java_jmods_rpo -- %{debug_suffix_unquoted}} + +%description jmods-slowdebug +The JMods for %{origin_nice} %{majorver}. +%{debug_warning} +%endif + +%if %{include_normal_build} +%package demo +Summary: %{origin_nice} Demos %{majorver} +Group: Development/Languages + +%{java_demo_rpo %{nil}} + +%description demo +The %{origin_nice} demos %{majorver}. +%endif + +%if %{include_debug_build} +%package demo-slowdebug +Summary: %{origin_nice} Demos %{majorver} %{debug_on} +Group: Development/Languages + +%{java_demo_rpo -- %{debug_suffix_unquoted}} + +%description demo-slowdebug +The %{origin_nice} demos %{majorver}. +%{debug_warning} +%endif + +%if %{include_normal_build} +%package src +Summary: %{origin_nice} Source Bundle %{majorver} +Group: Development/Languages + +%{java_src_rpo %{nil}} + +%description src +The java-%{origin}-src sub-package contains the complete %{origin_nice} %{majorver} +class library source code for use by IDE indexers and debuggers. +%endif + +%if %{include_debug_build} +%package src-slowdebug +Summary: %{origin_nice} Source Bundle %{majorver} %{for_debug} +Group: Development/Languages + +%{java_src_rpo -- %{debug_suffix_unquoted}} + +%description src-slowdebug +The java-%{origin}-src-slowdebug sub-package contains the complete %{origin_nice} %{majorver} + class library source code for use by IDE indexers and debuggers. Debugging %{for_debug}. +%endif + +%if %{include_normal_build} +%package javadoc +Summary: %{origin_nice} %{majorver} API documentation +Group: Documentation +Requires: javapackages-filesystem +Obsoletes: javadoc-debug + +%{java_javadoc_rpo %{nil}} + +%description javadoc +The %{origin_nice} %{majorver} API documentation. +%endif + +%if %{include_normal_build} +%package javadoc-zip +Summary: %{origin_nice} %{majorver} API documentation compressed in single archive +Group: Documentation +Requires: javapackages-filesystem +Obsoletes: javadoc-zip-debug + +%{java_javadoc_rpo %{nil}} + +%description javadoc-zip +The %{origin_nice} %{majorver} API documentation compressed in single archive. +%endif + +%prep + +# Using the echo macro breaks rpmdev-bumpspec, as it parses the first line of stdout :-( +%if 0%{?stapinstall:1} + echo "CPU: %{_target_cpu}, arch install directory: %{archinstall}, SystemTap install directory: %{stapinstall}" +%else + %{error:Unrecognised architecture %{_target_cpu}} +%endif + +if [ %{include_normal_build} -eq 0 -o %{include_normal_build} -eq 1 ] ; then + echo "include_normal_build is %{include_normal_build}" +else + echo "include_normal_build is %{include_normal_build}, thats invalid. Use 1 for yes or 0 for no" + exit 11 +fi +if [ %{include_debug_build} -eq 0 -o %{include_debug_build} -eq 1 ] ; then + echo "include_debug_build is %{include_debug_build}" +else + echo "include_debug_build is %{include_debug_build}, thats invalid. Use 1 for yes or 0 for no" + exit 12 +fi +if [ %{include_debug_build} -eq 0 -a %{include_normal_build} -eq 0 ] ; then + echo "You have disabled both include_debug_build and include_normal_build. That is a no go." + exit 13 +fi +%setup -q -c -n %{uniquesuffix ""} -T -a 0 +# https://bugzilla.redhat.com/show_bug.cgi?id=1189084 +prioritylength=`expr length %{priority}` +if [ $prioritylength -ne 8 ] ; then + echo "priority must be 8 digits in total, violated" + exit 14 +fi + +# OpenJDK patches + +# Remove libraries that are linked +sh %{SOURCE12} +pushd %{top_level_dir_name} +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 +%patch10 -p1 +popd # openjdk + +%patch1000 +%patch1001 + +# Extract systemtap tapsets +%if %{with_systemtap} +tar --strip-components=1 -x -I xz -f %{SOURCE8} +%if %{include_debug_build} +cp -r tapset tapset%{debug_suffix} +%endif + + +for suffix in %{build_loop} ; do + for file in "tapset"$suffix/*.in; do + OUTPUT_FILE=`echo $file | sed -e "s:\.stp\.in$:-%{version}-%{release}.%{_arch}.stp:g"` + sed -e "s:@ABS_SERVER_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/server/libjvm.so:g" $file > $file.1 +# TODO find out which architectures other than i686 have a client vm +%ifarch %{ix86} + sed -e "s:@ABS_CLIENT_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/client/libjvm.so:g" $file.1 > $OUTPUT_FILE +%else + sed -e "/@ABS_CLIENT_LIBJVM_SO@/d" $file.1 > $OUTPUT_FILE +%endif + sed -i -e "s:@ABS_JAVA_HOME_DIR@:%{_jvmdir}/%{sdkdir -- $suffix}:g" $OUTPUT_FILE + sed -i -e "s:@INSTALL_ARCH_DIR@:%{archinstall}:g" $OUTPUT_FILE + sed -i -e "s:@prefix@:%{_jvmdir}/%{sdkdir -- $suffix}/:g" $OUTPUT_FILE + done +done +# systemtap tapsets ends +%endif + +# Prepare desktop files +# The _X_ syntax indicates variables that are replaced by make upstream +# The @X@ syntax indicates variables that are replaced by configure upstream +for suffix in %{build_loop} ; do +for file in %{SOURCE9}; do + FILE=`basename $file | sed -e s:\.in$::g` + EXT="${FILE##*.}" + NAME="${FILE%.*}" + OUTPUT_FILE=$NAME$suffix.$EXT + sed -e "s:_SDKBINDIR_:%{sdkbindir -- $suffix}:g" $file > $OUTPUT_FILE + sed -i -e "s:@target_cpu@:%{_arch}:g" $OUTPUT_FILE + sed -i -e "s:@OPENJDK_VER@:%{version}-%{release}.%{_arch}$suffix:g" $OUTPUT_FILE + sed -i -e "s:@JAVA_VER@:%{javaver}:g" $OUTPUT_FILE + sed -i -e "s:@JAVA_VENDOR@:%{origin}:g" $OUTPUT_FILE +done +done + +# Setup nss.cfg +sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg + +# Setup nss.fips.cfg +sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE15} > nss.fips.cfg +sed -i -e "s:@NSS_SECMOD@:/etc/pki/nssdb:g" nss.fips.cfg + +%build +# How many CPU's do we have? +export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :) +export NUM_PROC=${NUM_PROC:-1} +%if 0%{?_smp_ncpus_max} +# Honor %%_smp_ncpus_max +[ ${NUM_PROC} -gt %{?_smp_ncpus_max} ] && export NUM_PROC=%{?_smp_ncpus_max} +%endif + +%ifarch s390x sparc64 alpha %{power64} %{aarch64} +export ARCH_DATA_MODEL=64 +%endif +%ifarch alpha +export CFLAGS="$CFLAGS -mieee" +%endif + +# We use ourcppflags because the OpenJDK build seems to +# pass EXTRA_CFLAGS to the HotSpot C++ compiler... +# Explicitly set the C++ standard as the default has changed on GCC >= 6 +EXTRA_CFLAGS="%ourcppflags -std=gnu++98 -Wno-error -fno-delete-null-pointer-checks -fno-lifetime-dse" +EXTRA_CPP_FLAGS="%ourcppflags -std=gnu++98 -fno-delete-null-pointer-checks -fno-lifetime-dse" + +%ifarch %{power64} ppc +# fix rpmlint warnings +EXTRA_CFLAGS="$EXTRA_CFLAGS -fno-strict-aliasing" +%endif +export EXTRA_CFLAGS + +for suffix in %{build_loop} ; do +if [ "x$suffix" = "x" ] ; then + debugbuild=release +else + # change --something to something + debugbuild=`echo $suffix | sed "s/-//g"` +fi + +# Variable used in hs_err hook on build failures +top_dir_abs_path=$(pwd)/%{top_level_dir_name} + +mkdir -p %{buildoutputdir -- $suffix} +pushd %{buildoutputdir -- $suffix} + +bash ../configure \ +%ifnarch %{jit_arches} + --with-jvm-variants=zero \ +%endif +%ifarch %{ppc64le} + --with-jobs=1 \ +%endif + --with-version-build=%{buildver} \ + --with-version-pre="%{ea_designator}" \ + --with-version-opt=%{lts_designator} \ + --with-vendor-version-string="%{vendor_version_string}" \ + --with-boot-jdk=/usr/lib/jvm/java-%{buildjdkver}-openjdk \ + --with-debug-level=$debugbuild \ + --with-native-debug-symbols=internal \ + --enable-unlimited-crypto \ + --with-zlib=system \ + --with-libjpeg=system \ + --with-giflib=system \ + --with-libpng=system \ + --with-lcms=system \ + --with-stdc++lib=dynamic \ + --with-extra-cxxflags="$EXTRA_CPP_FLAGS" \ + --with-extra-cflags="$EXTRA_CFLAGS" \ + --with-extra-ldflags="%{ourldflags}" \ + --with-num-cores="$NUM_PROC" \ + --disable-javac-server \ +%ifarch x86_64 + --with-jvm-features=zgc \ +%endif + --disable-warnings-as-errors + +# Debug builds don't need same targets as release for +# build speed-up +maketargets="%{release_targets}" +if echo $debugbuild | grep -q "debug" ; then + maketargets="%{debug_targets}" +fi +make \ + JAVAC_FLAGS=-g \ + LOG=trace \ + WARNINGS_ARE_ERRORS="-Wno-error" \ + CFLAGS_WARNINGS_ARE_ERRORS="-Wno-error" \ + $maketargets || ( pwd; find $top_dir_abs_path -name "hs_err_pid*.log" | xargs cat && false ) + +# the build (erroneously) removes read permissions from some jars +# this is a regression in OpenJDK 7 (our compiler): +# http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437 +find images/%{jdkimage} -iname '*.jar' -exec chmod ugo+r {} \; + +# Build screws up permissions on binaries +# https://bugs.openjdk.java.net/browse/JDK-8173610 +find images/%{jdkimage} -iname '*.so' -exec chmod +x {} \; +find images/%{jdkimage}/bin/ -exec chmod +x {} \; + +popd >& /dev/null + +# Install nss.cfg right away as we will be using the JRE above +export JAVA_HOME=$(pwd)/%{buildoutputdir -- $suffix}/images/%{jdkimage} + +# Install nss.cfg right away as we will be using the JRE above +install -m 644 nss.cfg $JAVA_HOME/conf/security/ + +# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies) +install -m 644 nss.fips.cfg $JAVA_HOME/conf/security/ + +# Use system-wide tzdata +rm $JAVA_HOME/lib/tzdb.dat +ln -s %{_datadir}/javazi-1.8/tzdb.dat $JAVA_HOME/lib/tzdb.dat + +# build cycles +done + +%check + +# We test debug first as it will give better diagnostics on a crash +for suffix in %{rev_build_loop} ; do + +export JAVA_HOME=$(pwd)/%{buildoutputdir -- $suffix}/images/%{jdkimage} + +#check Shenandoah is enabled +%if %{use_shenandoah_hotspot} +$JAVA_HOME//bin/java -XX:+UseShenandoahGC -version +%endif + +# Check unlimited policy has been used +$JAVA_HOME/bin/javac -d . %{SOURCE13} +$JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLevel + +# Check ECC is working +$JAVA_HOME/bin/javac -d . %{SOURCE14} +$JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||") + +# Check debug symbols are present and can identify code +find "$JAVA_HOME" -iname '*.so' -print0 | while read -d $'\0' lib +do + if [ -f "$lib" ] ; then + echo "Testing $lib for debug symbols" + # All these tests rely on RPM failing the build if the exit code of any set + # of piped commands is non-zero. + + # Test for .debug_* sections in the shared object. This is the main test + # Stripped objects will not contain these + eu-readelf -S "$lib" | grep "] .debug_" + test $(eu-readelf -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2 + + # Test FILE symbols. These will most likely be removed by anything that + # manipulates symbol tables because it's generally useless. So a nice test + # that nothing has messed with symbols + old_IFS="$IFS" + IFS=$'\n' + for line in $(eu-readelf -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT") + do + # We expect to see .cpp files, except for architectures like aarch64 and + # s390 where we expect .o and .oS files + echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|oS))?$" + done + IFS="$old_IFS" + + # If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking + if [ "`basename $lib`" = "libjvm.so" ]; then + eu-readelf -s "$lib" | \ + grep -E "00000000 0 FILE LOCAL DEFAULT ABS javaCalls.(cpp|o)$" + fi + + # Test that there are no .gnu_debuglink sections pointing to another + # debuginfo file. There shouldn't be any debuginfo files, so the link makes + # no sense either + eu-readelf -S "$lib" | grep 'gnu' + if eu-readelf -S "$lib" | grep '] .gnu_debuglink' | grep PROGBITS; then + echo "bad .gnu_debuglink section." + eu-readelf -x .gnu_debuglink "$lib" + false + fi + fi +done + +# Make sure gdb can do a backtrace based on line numbers on libjvm.so +# javaCalls.cpp:58 should map to: +# http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/vm/runtime/javaCalls.cpp#l58 +# Using line number 1 might cause build problems. See: +# https://bugzilla.redhat.com/show_bug.cgi?id=1539664 +# https://bugzilla.redhat.com/show_bug.cgi?id=1538767 +gdb -q "$JAVA_HOME/bin/java" < +-- see https://bugzilla.redhat.com/show_bug.cgi?id=1038092 for whole issue +-- see https://bugzilla.redhat.com/show_bug.cgi?id=1290388 for pretrans over pre +-- if copy-jdk-configs is in transaction, it installs in pretrans to temp +-- if copy_jdk_configs is in temp, then it means that copy-jdk-configs is in transaction and so is +-- preferred over one in %%{_libexecdir}. If it is not in transaction, then depends +-- whether copy-jdk-configs is installed or not. If so, then configs are copied +-- (copy_jdk_configs from %%{_libexecdir} used) or not copied at all +local posix = require "posix" +local debug = false + +SOURCE1 = "%{rpm_state_dir}/copy_jdk_configs.lua" +SOURCE2 = "%{_libexecdir}/copy_jdk_configs.lua" + +local stat1 = posix.stat(SOURCE1, "type"); +local stat2 = posix.stat(SOURCE2, "type"); + + if (stat1 ~= nil) then + if (debug) then + print(SOURCE1 .." exists - copy-jdk-configs in transaction, using this one.") + end; + package.path = package.path .. ";" .. SOURCE1 +else + if (stat2 ~= nil) then + if (debug) then + print(SOURCE2 .." exists - copy-jdk-configs already installed and NOT in transaction. Using.") + end; + package.path = package.path .. ";" .. SOURCE2 + else + if (debug) then + print(SOURCE1 .." does NOT exists") + print(SOURCE2 .." does NOT exists") + print("No config files will be copied") + end + return + end +end +-- run content of included file with fake args +arg = {"--currentjvm", "%{uniquesuffix %{nil}}", "--jvmdir", "%{_jvmdir %{nil}}", "--origname", "%{name}", "--origjavaver", "%{javaver}", "--arch", "%{_arch}", "--temp", "%{rpm_state_dir}/%{name}.%{_arch}"} +require "copy_jdk_configs.lua" + +%post +%{post_script %{nil}} + +%post headless +%{post_headless %{nil}} + +%postun +%{postun_script %{nil}} + +%postun headless +%{postun_headless %{nil}} + +%posttrans +%{posttrans_script %{nil}} + +%post devel +%{post_devel %{nil}} + +%postun devel +%{postun_devel %{nil}} + +%posttrans devel +%{posttrans_devel %{nil}} + +%post javadoc +%{post_javadoc %{nil}} + +%postun javadoc +%{postun_javadoc %{nil}} + +%post javadoc-zip +%{post_javadoc_zip %{nil}} + +%postun javadoc-zip +%{postun_javadoc_zip %{nil}} +%endif + +%if %{include_debug_build} +%post slowdebug +%{post_script -- %{debug_suffix_unquoted}} + +%post headless-slowdebug +%{post_headless -- %{debug_suffix_unquoted}} + +%postun slowdebug +%{postun_script -- %{debug_suffix_unquoted}} + +%postun headless-slowdebug +%{postun_headless -- %{debug_suffix_unquoted}} + +%posttrans slowdebug +%{posttrans_script -- %{debug_suffix_unquoted}} + +%post devel-slowdebug +%{post_devel -- %{debug_suffix_unquoted}} + +%postun devel-slowdebug +%{postun_devel -- %{debug_suffix_unquoted}} + +%posttrans devel-slowdebug +%{posttrans_devel -- %{debug_suffix_unquoted}} + +%endif + +%if %{include_normal_build} +%files +# main package builds always +%{files_jre %{nil}} +%else +%files +# placeholder +%endif + + +%if %{include_normal_build} +%files headless +# important note, see https://bugzilla.redhat.com/show_bug.cgi?id=1038092 for whole issue +# all config/noreplace files (and more) have to be declared in pretrans. See pretrans +%{files_jre_headless %{nil}} + +%files devel +%{files_devel %{nil}} + +%files jmods +%{files_jmods %{nil}} + +%files demo +%{files_demo %{nil}} + +%files src +%{files_src %{nil}} + +%files javadoc +%{files_javadoc %{nil}} + +# this puts huge file to /usr/share +# unluckily ti is really a documentation file +# and unluckily it really is architecture-dependent, as eg. aot and grail are now x86_64 only +# same for debug variant +%files javadoc-zip +%{files_javadoc_zip %{nil}} +%endif + +%if %{include_debug_build} +%files slowdebug +%{files_jre -- %{debug_suffix_unquoted}} + +%files headless-slowdebug +%{files_jre_headless -- %{debug_suffix_unquoted}} + +%files devel-slowdebug +%{files_devel -- %{debug_suffix_unquoted}} + +%files jmods-slowdebug +%{files_jmods -- %{debug_suffix_unquoted}} + +%files demo-slowdebug +%{files_demo -- %{debug_suffix_unquoted}} + +%files src-slowdebug +%{files_src -- %{debug_suffix_unquoted}} + +%endif + +%changelog +* Fri Mar 27 2020 Andrew John Hughes - 1:11.0.6.10-4 +- Need to support noarch for creating source RPMs for non-scratch builds. +- Resolves: rhbz#1737115 + +* Thu Mar 19 2020 Andrew John Hughes - 1:11.0.6.10-4 +- Introduce stapinstall variable to set SystemTap arch directory correctly (e.g. arm64 on aarch64) +- Resolves: rhbz#1737115 + +* Sun Feb 23 2020 Andrew John Hughes - 1:11.0.6.10-3 +- Sync SystemTap & desktop files with upstream IcedTea release 3.15.0 +- Resolves: rhbz#1737115 + +* Sun Feb 23 2020 Andrew John Hughes - 1:11.0.6.10-3 +- Sync SystemTap & desktop files with upstream IcedTea release 3.11.0 using new script +- Resolves: rhbz#1737115 + +* Sun Feb 16 2020 Andrew Hughes - 1:11.0.6.10-2 +- Add JDK-8237396 backport to resolve Shenandoah TCK breakage in traversal mode. +- Resolves: rhbz#1785753 + +* Sat Jan 11 2020 Andrew John Hughes - 1:11.0.6.10-1 +- Update to shenandoah-jdk-11.0.6+10 (GA) +- Switch to GA mode for final release. +- Add JDK-8236039 backport to resolve OpenShift blocker +- Resolves: rhbz#1785753 + +* Thu Jan 09 2020 Andrew Hughes - 1:11.0.6.1-0.1.ea +- Update to shenandoah-jdk-11.0.6+1 (EA) +- Switch to EA mode for 11.0.6 pre-release builds. +- Add support for jfr binary. +- Drop JDK-8230923 now applied upstream. +- Resolves: rhbz#1785753 + +* Wed Jan 08 2020 Andrew Hughes - 1:11.0.5.10-6 +- Update generate_source_tarball.sh script to use the PR3751 patch and retain the secp256k1 curve. +- Regenerate source tarball using the updated script and add the -'4curve' suffix. +- Resolves: rhbz#1746875 + +* Thu Jan 02 2020 Andrew John Hughes - 1:11.0.5.10-5 +- Revert SSBD removal for now, until appropriate messaging has been decided. +- Resolves: rhbz#1784116 + +* Fri Dec 27 2019 Andrew John Hughes - 1:11.0.5.10-4 +- Remove CVE-2018-3639 mitigation due to performance regression and + OpenJDK position on speculative execution vulnerabilities. + https://mail.openjdk.java.net/pipermail/vuln-announce/2019-July/000002.html +- Resolves: rhbz#1784116 + +* Wed Nov 06 2019 Andrew John Hughes - 1:11.0.5.10-3 +- Bump release number for RHEL 8.2.0. +- Resolves: rhbz#1753423 + +* Fri Oct 25 2019 Andrew John Hughes - 1:11.0.5.10-2 +- Disable FIPS mode support unless com.redhat.fips is set to "true". +- Resolves: rhbz#1751845 + +* Wed Oct 09 2019 Andrew Hughes - 1:11.0.5.10-1 +- Update to shenandoah-jdk-11.0.5+10 (GA) +- Switch to GA mode for final release. +- Remove PR1834/RH1022017 which is now handled by JDK-8228825 upstream. +- Resolves: rhbz#1753423 + +* Wed Oct 09 2019 Andrew Hughes - 1:11.0.5.9-0.0.ea +- Update to shenandoah-jdk-11.0.5+9 (EA) +- Resolves: rhbz#1753423 + +* Mon Oct 07 2019 Andrew Hughes - 1:11.0.5.1-0.1.ea +- Update to shenandoah-jdk-11.0.5+1 (EA) +- Switch to EA mode for 11.0.5 pre-release builds. +- Drop JDK-8223482 which is included upstream in 11.0.5+1. +- Resolves: rhbz#1753423 + +* Mon Sep 30 2019 Andrew John Hughes - 1:11.0.4.11-4 +- Backport JDK-8230923 so arguments are passed to security providers. +- Update RH1655466 patch with changes in OpenJDK 8 version. +- SunPKCS11 runtime provider name is a concatenation of "SunPKCS11-" and the name in the config file. +- Change nss.fips.cfg config name to "NSS-FIPS" to avoid confusion with nss.cfg. +- No need to substitute path to nss.fips.cfg as java.security file supports a java.home variable. +- Resolves: rhbz#1751845 + +* Tue Aug 13 2019 Martin Balao - 1:11.0.4.11-3 +- Support the FIPS mode crypto policy on RHEL 8. +- Resolves: rhbz#1725961 + +* Tue Jul 09 2019 Andrew Hughes - 1:11.0.4.11-2 +- Drop NSS runtime dependencies and patches to link against it. +- Resolves: rhbz#1678554 + +* Tue Jul 09 2019 Andrew Hughes - 1:11.0.4.11-1 +- Update to shenandoah-jdk-11.0.4+11 (GA) +- Switch to GA mode for final release. +- Resolves: rhbz#1724452 + +* Mon Jul 08 2019 Andrew Hughes - 1:11.0.4.10-0.1.ea +- Update to shenandoah-jdk-11.0.4+10 (EA) +- Resolves: rhbz#1724452 + +* Mon Jul 08 2019 Andrew Hughes - 1:11.0.4.9-0.1.ea +- Update to shenandoah-jdk-11.0.4+9 (EA) +- Resolves: rhbz#1724452 + +* Mon Jul 08 2019 Andrew Hughes - 1:11.0.4.8-0.1.ea +- Update to shenandoah-jdk-11.0.4+8 (EA) +- Resolves: rhbz#1724452 + +* Sun Jul 07 2019 Andrew John Hughes - 1:11.0.4.7-0.2.ea +- fontconfig build requirement should be fontconfig-devel, previously masked by Gtk3+ dependency +- Resolves: rhbz#1724452 + +* Sun Jul 07 2019 Andrew John Hughes - 1:11.0.4.7-0.2.ea +- Add missing build requirement for libXrandr-devel, previously masked by Gtk3+ dependency +- Resolves: rhbz#1724452 + +* Sun Jul 07 2019 Andrew John Hughes - 1:11.0.4.7-0.2.ea +- Add missing build requirement for libXrender-devel, previously masked by Gtk3+ dependency +- Resolves: rhbz#1724452 + +* Sun Jul 07 2019 Andrew John Hughes - 1:11.0.4.7-0.2.ea +- Make use of Recommends and Suggests dependent on RHEL 8+ environment. +- Drop unnecessary build requirement on gtk3-devel, as OpenJDK searches for Gtk+ at runtime. +- Resolves: rhbz#1724452 + +* Sun Jul 07 2019 Andrew Hughes - 1:11.0.4.7-0.1.ea +- Update to shenandoah-jdk-11.0.4+7 (EA) +- Resolves: rhbz#1724452 + +* Wed Jul 03 2019 Andrew Hughes - 1:11.0.4.6-0.1.ea +- Obsolete javadoc-debug and javadoc-debug-zip packages via javadoc and javadoc-zip respectively. +- Resolves: rhbz#1724452 + +* Wed Jul 03 2019 Andrew Hughes - 1:11.0.4.6-0.1.ea +- Update to shenandoah-jdk-11.0.4+6 (EA) +- Resolves: rhbz#1724452 + +* Wed Jul 03 2019 Andrew Hughes - 1:11.0.4.5-0.1.ea +- Update to shenandoah-jdk-11.0.4+5 (EA) +- Resolves: rhbz#1724452 + +* Tue Jul 02 2019 Andrew Hughes - 1:11.0.4.4-0.1.ea +- Update to shenandoah-jdk-11.0.4+4 (EA) +- Resolves: rhbz#1724452 + +* Mon Jul 01 2019 Andrew Hughes - 1:11.0.4.3-0.1.ea +- Update to shenandoah-jdk-11.0.4+3 (EA) +- Resolves: rhbz#1724452 + +* Sun Jun 30 2019 Andrew John Hughes - 1:11.0.4.2-0.1.ea +- Update to shenandoah-jdk-11.0.4+2 (EA) +- Resolves: rhbz#1724452 + +* Fri Jun 21 2019 Severin Gehwolf - 1:11.0.4.2-0.1.ea +- Package jspawnhelper (see JDK-8220360). +- Resolves: rhbz#1724452 + +* Fri Jun 21 2019 Severin Gehwolf - 1:11.0.3.7-5 +- Include 'ea' designator in Release when appropriate. +- Resolves: rhbz#1724452 + +* Wed May 22 2019 Andrew Hughes - 1:11.0.3.7-5 +- Handle milestone as variables so we can alter it easily and set the docs zip filename appropriately. +- Resolves: rhbz#1724452 + +* Thu Apr 25 2019 Severin Gehwolf - 1:11.0.3.7-4 +- Don't build the test images needlessly. +- Don't produce javadoc/javadoc-zip sub packages for the debug variant build. +- Don't perform a bootcycle build for the debug variant build. +- Resolves: rhbz#1724452 + +* Wed Apr 24 2019 Severin Gehwolf - 1:11.0.3.7-3 +- Do not generate lib-style requires for -slowdebug subpackages. +- Resolves: rhbz#1693468 + +* Tue Apr 23 2019 Severin Gehwolf - 1:11.0.3.7-3 +- Fix requires/provides for the non-system JDK case. JDK 11 is not a system JDK at this point. +- Resolves: rhbz#1693468 + +* Tue Apr 16 2019 Severin Gehwolf - 1:11.0.3.7-2 +- Don't package lib/client and lib/client/classes.jsa which don't exist (see RH1643469) +- Resolves: rhbz#1693468 + +* Sun Apr 07 2019 Andrew Hughes - 1:11.0.3.7-1 +- Update to shenandoah-jdk-11.0.3+7 (April 2019 GA) +- Resolves: rhbz#1693468 + +* Sat Apr 06 2019 Andrew Hughes - 1:11.0.3.6-1 +- Update to shenandoah-jdk-11.0.3+6 (April 2019 EA) +- Drop JDK-8210416/RH1632174 applied upstream. +- Drop JDK-8210425/RH1632174 applied upstream. +- Drop JDK-8210647/RH1632174 applied upstream. +- Drop JDK-8210761/RH1632174 applied upstream. +- Drop JDK-8210703/RH1632174 applied upstream. +- Add cast to resolve s390 ambiguity in call to log2_intptr +- Resolves: rhbz#1693468 + +* Fri Apr 05 2019 Severin Gehwolf - 1:11.0.2.7-4 +- Add patch for RH1566890 +- Resolves: rhbz#1693468 + +* Tue Mar 26 2019 Jiri Vanek - 1:11.0.2.7-3 +- added gating + +* Fri Feb 08 2019 Severin Gehwolf - 1:11.0.2.7-2 +- Add explicit requirement for libXcomposite which is used when performing + screenshots from Java. +- Add explicit BR unzip required for building OpenJDK. +- Resolves: rhbz#1666532 + +* Thu Feb 07 2019 Andrew John Hughes - 1:11.0.2.7-1 +- Add PR3695 to allow the system crypto policy to be turned off. +- Correct original system crypto policy patch to refer to OpenJDK 11 bug (PR3694) +- Resolves: rhbz#1666532 + +* Tue Jan 15 2019 Andrew Hughes - 1:11.0.2.7-0 +- Update to shenandoah-jdk-11.0.2+7 (January 2019 CPU) +- Drop JDK-8211105/RH1628612/RH1630996 applied upstream. +- Drop JDK-8209639/RH1640127 applied upstream. +- Re-generate JDK-8210416/RH1632174 following JDK-8209786 +- Resolves: rhbz#1666532 +- Resolves: rhbz#1659143 + +* Fri Jan 11 2019 Andrew Hughes - 1:11.0.1.13-11 +- Update to shenandoah-jdk-11.0.1+13-20190101 +- Update tarball generation script in preparation for PR3681/RH1656677 SunEC changes. +- Use remove-intree-libraries.sh to remove the remaining SunEC code for now. +- Fix PR1983 SunEC patch so that ecc_impl.h is patched rather than added +- Add missing RH1022017 patch to reduce curves reported by SSL to those we support. +- Remove RH1648995; fixed upstream +- Resolves: rhbz#1659143 + +* Wed Dec 5 2018 Jiri Vanek - 1:11.0.1.13-9 +- for non debug supackages, ghosted all masters and slaves (rhbz1649776) +- for tech-preview packages, if-outed versionless provides. Aligned versions to be %%{epoch}:%%{version}-%%{release} instead of chaotic +- Removed all slowdebug provides (rhbz1655938); for tech-preview packages also removed all internal provides + +* Wed Dec 5 2018 Severin Gehwolf - 1:11.0.1.13-8 +- Added %%global _find_debuginfo_opts -g +- Resolves: rhbz#1657335 + +* Mon Nov 12 2018 Jiri Vanek - 1:11.0.1.13-6 +- fixed tck failures of arraycopy and process exec with shenandoah on +- added patch585 rh1648995-shenandoah_array_copy_broken_by_not_always_copy_forward_for_disjoint_arrays.patch + +* Wed Nov 07 2018 Jiri Vanek - 1:11.0.1.13-5 +- headless' suggests of cups, replaced by Requires of cups-libs + +* Thu Nov 01 2018 Jiri Vanek - 1:11.0.1.13-3 +- added Patch584 jdk8209639-rh1640127-02-coalesce_attempted_spill_non_spillable.patch + +* Mon Oct 29 2018 Severin Gehwolf - 1:11.0.1.13-3 +- Use upstream's version of Aarch64 intrinsics disable patch: + - Removed: + RHBZ-1628612-JDK-8210461-workaround-disable-aarch64-intrinsic.patch + RHBZ-1630996-JDK-8210858-workaround-disable-aarch64-intrinsic-log.patch + - Superceded by: + jdk8211105-aarch64-disable_cos_sin_and_log_intrinsics.patch + +* Thu Oct 18 2018 Severin Gehwolf - 1:11.0.1.13-2 +- Use LTS designator in version output for RHEL. + +* Thu Oct 18 2018 Severin Gehwolf - 1:11.0.1.13-1 +- Update to October 2018 CPU release, 11.0.1+13. + +* Wed Oct 17 2018 Severin Gehwolf - 1:11.0.0.28-2 +- Use --with-vendor-version-string=18.9 so as to show original + GA date for the JDK. + +* Fri Sep 28 2018 Severin Gehwolf - 1:11.0.0.28-1 +- Identify as GA version and no longer as early access (EA). +- JDK 11 has been released for GA on 2018-09-25. + +* Fri Sep 28 2018 Severin Gehwolf - 1:11.0.ea.28-9 +- Rework changes from 1:11.0.ea.22-6. RHBZ#1632174 supercedes + RHBZ-1624122. +- Add patch, jdk8210416-rh1632174-compile_fdlibm_with_o2_ffp_contract_off_on_gcc_clang_arches.patch, so as to + optimize compilation of fdlibm library. +- Add patch, jdk8210425-rh1632174-sharedRuntimeTrig_sharedRuntimeTrans_compiled_without_optimization.patch, so + as to optimize compilation of sharedRuntime{Trig,Trans}.cpp +- Add patch, jdk8210647-rh1632174-libsaproc_is_being_compiled_without_optimization.patch, so as to + optimize compilation of libsaproc (extra c flags won't override + optimization). +- Add patch, jdk8210761-rh1632174-libjsig_is_being_compiled_without_optimization.patch, so as to + optimize compilation of libjsig. +- Add patch, jdk8210703-rh1632174-vmStructs_cpp_no_longer_compiled_with_o0, so as to + optimize compilation of vmStructs.cpp (part of libjvm.so). +- Reinstate filtering of opt flags coming from redhat-rpm-config. + +* Thu Sep 27 2018 Jiri Vanek - 1:11.0.ea.28-8 +- removed version less provides +- javadocdir moved to arched dir as it is no longer noarch + +* Thu Sep 20 2018 Severin Gehwolf - 1:11.0.ea.28-6 +- Add patch, RHBZ-1630996-JDK-8210858-workaround-disable-aarch64-intrinsic-log.patch, + so as to disable log math intrinsic on aarch64. Work-around for + JDK-8210858 + +* Thu Sep 13 2018 Severin Gehwolf - 1:11.0.ea.28-5 +- Add patch, RHBZ-1628612-JDK-8210461-workaround-disable-aarch64-intrinsic.patch, + so as to disable dsin/dcos math intrinsics on aarch64. Work-around for + JDK-8210461. + +* Wed Sep 12 2018 Severin Gehwolf - 1:11.0.ea.22-6 +- Add patch, JDK-8210416-RHBZ-1624122-fdlibm-opt-fix.patch, so as to + optimize compilation of fdlibm library. +- Add patch, JDK-8210425-RHBZ-1624122-sharedRuntimeTrig-opt-fix.patch, so + as to optimize compilation of sharedRuntime{Trig,Trans}.cpp +- Add patch, JDK-8210647-RHBZ-1624122-libsaproc-opt-fix.patch, so as to + optimize compilation of libsaproc (extra c flags won't override + optimization). +- Add patch, JDK-8210703-RHBZ-1624122-vmStructs-opt-fix.patch, so as to + optimize compilation of vmStructs.cpp (part of libjvm.so). +- No longer filter -O flags from C flags coming from + redhat-rpm-config. + +* Mon Sep 10 2018 Jiri Vanek - 1:11.0.ea.28-4 +- link to jhsdb followed its file to ifarch jit_arches ifnarch s390x + +* Fri Sep 7 2018 Severin Gehwolf - 1:11.0.ea.28-3 +- Enable ZGC on x86_64. + +* Tue Sep 4 2018 Jiri Vanek - 1:11.0.ea.28-2 +- jfr/*jfc files listed for all arches +- lib/classlist do not exists s390, ifarch-ed via jit_arches out + +* Fri Aug 31 2018 Severin Gehwolf - 1:11.0.ea.28-1 +- Update to latest upstream build jdk11+28, the first release + candidate. + +* Wed Aug 29 2018 Severin Gehwolf - 1:11.0.ea.22-8 +- Adjust system NSS patch, pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch, so + as to filter -Wl,--as-needed from linker flags. Fixes FTBFS issue. + +* Thu Aug 23 2018 Jiri Vanek - 1:11.0.ea.22-6 +- dissabled accessibility, fixed provides for main package's debug variant + +* Mon Jul 30 2018 Jiri Vanek - 1:11.0.ea.22-5 +- now buildrequires javapackages-filesystem as the issue with macros should be fixed + +* Wed Jul 18 2018 Jiri Vanek - 1:11.0.ea.22-2 +- changed to build by itself instead of by jdk10 + +* Tue Jul 17 2018 Jiri Vanek - 1:11.0.ea.22-1 +- added Recommends gtk3 for main package +- changed BuildRequires from gtk2-devel to gtk3-devel (it can be more likely dropped) +- added Suggests lksctp-tools, pcsc-lite-devel, cups for headless package +- see RHBZ1598152 +- added trick to catch hs_err files (sgehwolf) +- updated to shenandaoh-jdk-11+22 + +* Sat Jul 07 2018 Jiri Vanek - 1:11.0.ea.20-1 +- removed patch6 JDK-8205616-systemLcmsAndJpgFixFor-rev_f0aeede1b855.patch +- improved a bit generate_source_tarball.sh to serve also for systemtap +- thus deleted generate_tapsets.sh +- simplified and cleared update_package.sh +- moved to single source jdk - from shenandoah/jdk11 +- bumped to latest jdk11+20 +- adapted PR2126 to jdk11+20 +- adapted handling of systemtap sources to new style +- (no (misleading) version inside (full version is in name), thus different sed on tapsets and different directory) +- shortened summaries and descriptions to around 80 chars +- Hunspell spell checked +- license fixed to correct jdk11 (sgehwolf) +- more correct handling of internal libraries (sgehwolf) +- added lib/security/public_suffix_list.dat as +20 have added it (JDK-8201815) +- added test for shenandaoh GC presence where expected +- Removed workaround for broken aarch64 slowdebug build +- Removed all defattrs +- Removed no longer necessary cleanup of diz and debuginfo files + +* Fri Jun 22 2018 Jiri Vanek - 1:11.0.ea.19-1 +- updated sources to jdk-11+19 +- added patch6 systemLcmsAndJpgFixFor-f0aeede1b855.patch to fix regression of system libraries after f0aeede1b855 commit +- adapted pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch to accommodate changes after f0aeede1b855 commit + +* Thu Jun 14 2018 Severin Gehwolf - 1:11.0.ea.16-5 +- Revert rename: java-11-openjdk => java-openjdk. + +* Wed Jun 13 2018 Severin Gehwolf - 1:11.0.ea.16-4 +- Add aarch64 to aot_arches. + +* Wed Jun 13 2018 Severin Gehwolf - 1:11.0.ea.16-3 +- Rename to package java-11-openjdk. + +* Wed Jun 13 2018 Severin Gehwolf - 1:11.0.ea.16-2 +- Disable Aarch64 slowdebug build (see JDK-8204331). +- s390x doesn't have the SA even though it's a JIT arch. + +* Wed Jun 13 2018 Severin Gehwolf - 1:11.0.ea.16-1 +- Initial version of JDK 11 ea based on tag jdk-11+16. +- Removed patches no longer needed or upstream: + sorted-diff.patch (see JDK-8198844) + JDK-8201788-bootcycle-images-jobs.patch + JDK-8201509-s390-atomic_store.patch + JDK-8202262-libjsig.so-extra-link-flags.patch (never was an issue on 11) + JDK-8193802-npe-jar-getVersionMap.patch +- Updated and renamed patches: + java-openjdk-s390-size_t.patch => JDK-8203030-s390-size_t.patch +- Updated patches for JDK 11: + pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch + +* Tue Jun 12 2018 Severin Gehwolf - 1:10.0.1.10-9 +- Use proper private_libs expression for filtering requires/provides. + +* Fri Jun 08 2018 Severin Gehwolf - 1:10.0.1.10-8 +- Bump release and rebuild for fixed gdb. See RHBZ#1589118. + +* Mon Jun 04 2018 Jiri Vanek - 1:10.0.1.10-7 +- quoted sed expressions, changed possibly confusing # by @ +- added vendor(origin) into icons +- removed last trace of relative symlinks +- added BuildRequires of javapackages-tools to fix build failure after Requires change to javapackages-filesystem + +* Thu May 17 2018 Severin Gehwolf - 1:10.0.1.10-5 +- Move to javapackages-filesystem for directory ownership. + Resolves RHBZ#1500288 + +* Mon Apr 30 2018 Severin Gehwolf - 1:10.0.1.10-4 +- Add JDK-8193802-npe-jar-getVersionMap.patch so as to fix + RHBZ#1557375. + +* Mon Apr 23 2018 Severin Gehwolf - 1:10.0.1.10-3 +- Inject build flags properly. See RHBZ#1571359 +- Added patch JDK-8202262-libjsig.so-extra-link-flags.patch + since libjsig.so doesn't get linker flags injected properly. + +* Fri Apr 20 2018 Severin Gehwolf - 1:10.0.1.10-2 +- Removed unneeded patches: + PStack-808293.patch + multiple-pkcs11-library-init.patch + ppc_stack_overflow_fix.patch +- Added patches for s390 Zero builds: + JDK-8201495-s390-java-opts.patch + JDK-8201509-s390-atomic_store.patch +- Renamed patches for clarity: + aarch64BuildFailure.patch => JDK-8200556-aarch64-slowdebug-crash.patch + systemCryptoPolicyPR3183.patch => pr3183-rh1340845-support_fedora_rhel_system_crypto_policy.patch + bootcycle_jobs.patch => JDK-8201788-bootcycle-images-jobs.patch + system-nss-ec-rh1565658.patch => pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk11.patch + +* Fri Apr 20 2018 Jiri Vanek - 1:10.0.1.10-1 +- updated to security update 1 +- jexec unlinked from path +- used java-openjdk as boot jdk +- aligned provides/requires +- renamed zip javadoc + +* Tue Apr 10 2018 Severin Gehwolf - 1:10.0.0.46-12 +- Enable basic EC ciphers test in %check. + +* Tue Apr 10 2018 Severin Gehwolf - 1:10.0.0.46-11 +- Port Martin Balao's JDK 9 patch for system NSS support to JDK 10. +- Resolves RHBZ#1565658 + +* Mon Apr 09 2018 Jiri Vanek - 1:10.0.0.46-10 +- jexec linked to path + +* Fri Apr 06 2018 Jiri Vanek - 1:10.0.0.46-9 +- subpackage(s) replaced by sub-package(s) and other cosmetic changes + +* Tue Apr 03 2018 Jiri Vanek - 1:10.0.0.46-8 +- removed accessibility sub-packages +- kept applied patch and properties files +- debug sub-packages renamed to slowdebug + +* Fri Feb 23 2018 Jiri Vanek - 1:10.0.0.46-1 +- initial load