diff --git a/.gitignore b/.gitignore index 759cc9b..659f4f9 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/openjdk-jdk17u-17usec.17.0.3+5-220408.tar.xz +SOURCES/openjdk-jdk17u-jdk-17.0.2+8.tar.xz SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz diff --git a/.java-17-openjdk.metadata b/.java-17-openjdk.metadata index d398070..46765c0 100644 --- a/.java-17-openjdk.metadata +++ b/.java-17-openjdk.metadata @@ -1,2 +1,2 @@ -15b13a23d8a862fc881ab110858c0054cf34180e SOURCES/openjdk-jdk17u-17usec.17.0.3+5-220408.tar.xz +47c1e3a97ba6f63908c2a9f55e1514b52f0b8333 SOURCES/openjdk-jdk17u-jdk-17.0.2+8.tar.xz c8281ee37b77d535c9c1af86609a531958ff7b34 SOURCES/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz diff --git a/SOURCES/NEWS b/SOURCES/NEWS index 9ae3564..78938f4 100644 --- a/SOURCES/NEWS +++ b/SOURCES/NEWS @@ -3,210 +3,6 @@ Key: JDK-X - https://bugs.openjdk.java.net/browse/JDK-X CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY -New in release OpenJDK 17.0.3 (2022-04-19): -=========================================== -Live versions of these release notes can be found at: - * https://bitly.com/openjdk1703 - * https://builds.shipilev.net/backports-monitor/release-notes-17.0.3.txt - -* Security fixes - - JDK-8269938: Enhance XML processing passes redux - - JDK-8270504, CVE-2022-21426: Better XPath expression handling - - JDK-8272255: Completely handle MIDI files - - JDK-8272261: Improve JFR recording file processing - - JDK-8272588: Enhanced recording parsing - - JDK-8272594: Better record of recordings - - JDK-8274221: More definite BER encodings - - JDK-8275082, JDK-8278008, CVE-2022-21476: Update XML Security for Java to 2.3.0 - - JDK-8275151, CVE-2022-21443: Improved Object Identification - - JDK-8277227: Better identification of OIDs - - JDK-8277233, CVE-2022-21449: Improve ECDSA signature support - - JDK-8277672, CVE-2022-21434: Better invocation handler handling - - JDK-8278356: Improve file creation - - JDK-8278449: Improve keychain support - - JDK-8278798: Improve supported intrinsic - - JDK-8278805: Enhance BMP image loading - - JDK-8278972, CVE-2022-21496: Improve URL supports - - JDK-8281388: Change wrapping of EncryptedPrivateKeyInfo -* Other changes - - JDK-8177814: jdk/editpad is not in jdk TEST.groups - - JDK-8186670: Implement _onSpinWait() intrinsic for AArch64 - - JDK-8190748: java/text/Format/DateFormat/DateFormatTest.java and NonGregorianFormatTest fail intermittently - - JDK-8225559: assertion error at TransTypes.visitApply - - JDK-8236505: Mark jdk/editpad/EditPadTest.java as @headful - - JDK-8239502: [TEST_BUG] Test javax/swing/text/FlowView/6318524/bug6318524.java never fails - - JDK-8244602: Add JTREG_REPEAT_COUNT to repeat execution of a test - - JDK-8247980: Exclusive execution of java/util/stream tests slows down tier1 - - JDK-8251216: Implement MD5 intrinsics on AArch64 - - JDK-8253197: vmTestbase/nsk/jvmti/StopThread/stopthrd007/TestDescription.java fails with "ERROR: DebuggeeSleepingThread: ThreadDeath lost" - - JDK-8262134: compiler/uncommontrap/TestDeoptOOM.java failed with "guarantee(false) failed: wrong number of expression stack elements during deopt" - - JDK-8263567: gtests don't terminate the VM safely - - JDK-8265150: AsyncGetCallTrace crashes on ResourceMark - - JDK-8266490: Extend the OSContainer API to support the pids controller of cgroups - - JDK-8269032: Stringdedup tests are failing if the ergonomically select GC does not support it - - JDK-8269037: jsig/Testjsig.java doesn't have to be restricted to linux only - - JDK-8269087: CheckSegmentedCodeCache test fails in an emulated-client VM - - JDK-8269175: [macosx-aarch64] wrong CPU speed in hs_err file - - JDK-8269206: A small typo in comment in test/lib/sun/hotspot/WhiteBox.java - - JDK-8269523: runtime/Safepoint/TestAbortOnVMOperationTimeout.java failed when expecting 'VM operation took too long' - - JDK-8269616: serviceability/dcmd/framework/VMVersionTest.java fails with Address already in use error - - JDK-8269849: vmTestbase/gc/gctests/PhantomReference/phantom002/TestDescription.java failed with "OutOfMemoryError: Java heap space: failed reallocation of scalar replaced objects" - - JDK-8270117: Broken jtreg link in "Building the JDK" page - - JDK-8270874: JFrame paint artifacts when dragged from standard monitor to HiDPI monitor - - JDK-8271056: C2: "assert(no_dead_loop) failed: dead loop detected" due to cmoving identity - - JDK-8271199: Mutual TLS handshake fails signing client certificate with custom sensitive PKCS11 key - - JDK-8271202: C1: assert(false) failed: live_in set of first block must be empty - - JDK-8271506: Add ResourceHashtable support for deleting selected entries - - JDK-8271721: Split gc/g1/TestMixedGCLiveThreshold into separate tests - - JDK-8272167: AbsPathsInImage.java should skip *.dSYM directories - - JDK-8272327: Shenandoah: Avoid enqueuing duplicate string candidates - - JDK-8272398: Update DockerTestUtils.buildJdkDockerImage() - - JDK-8272541: Incorrect overflow test in Toom-Cook branch of BigInteger multiplication - - JDK-8272553: several hotspot runtime/CommandLine tests don't check exit code - - JDK-8272600: (test) Use native "sleep" in Basic.java - - JDK-8272866: java.util.random package summary contains incorrect mixing function in table - - JDK-8272996: JNDI DNS provider fails to resolve SRV entries when IPV6 stack is enabled - - JDK-8273162: AbstractSplittableWithBrineGenerator does not create a random salt - - JDK-8273277: C2: Move conditional negation into rc_predicate - - JDK-8273341: Update Siphash to version 1.0 - - JDK-8273351: bad tag in jdk.random module-info.java - - JDK-8273366: [testbug] javax/swing/UIDefaults/6302464/bug6302464.java fails on macOS12 - - JDK-8273381: Assert in PtrQueueBufferAllocatorTest.stress_free_list_allocator_vm - - JDK-8273387: remove some unreferenced gtk-related functions - - JDK-8273433: Enable parallelism in vmTestbase_nsk_sysdict tests - - JDK-8273438: Enable parallelism in vmTestbase/metaspace/stressHierarchy tests - - JDK-8273526: Extend the OSContainer API pids controller with pids.current - - JDK-8273634: [TEST_BUG] Improve javax/swing/text/ParagraphView/6364882/bug6364882.java - - JDK-8273655: content-types.properties files are missing some common types - - JDK-8273682: Upgrade Jline to 3.20.0 - - JDK-8273704: DrawStringWithInfiniteXform.java failed : drawString with InfiniteXform transform takes long time - - JDK-8273895: compiler/ciReplay/TestVMNoCompLevel.java fails due to wrong data size with TieredStopAtLevel=2,3 - - JDK-8273933: [TESTBUG] Test must run without preallocated exceptions - - JDK-8273967: gtest os.dll_address_to_function_and_library_name_vm fails on macOS12 - - JDK-8273972: Multi-core choke point in CMM engine (LCMSTransform.doTransform) - - JDK-8274130: C2: MulNode::Ideal chained transformations may act on wrong nodes - - JDK-8274171: java/nio/file/Files/probeContentType/Basic.java failed on "Content type" mismatches - - JDK-8274465: Fix javax/swing/text/ParagraphView/6364882/bug6364882.java failures - - JDK-8274471: Add support for RSASSA-PSS in OCSP Response - - JDK-8274506: TestPids.java and TestPidsLimit.java fail with podman run as root - - JDK-8274524: SSLSocket.close() hangs if it is called during the ssl handshake - - JDK-8274562: (fs) UserDefinedFileAttributeView doesn't correctly determine if supported when using OverlayFS - - JDK-8274658: ISO 4217 Amendment 170 Update - - JDK-8274714: Incorrect verifier protected access error message - - JDK-8274750: java/io/File/GetXSpace.java failed: '/dev': 191488 != 190976 - - JDK-8274753: ZGC: SEGV in MetaspaceShared::link_shared_classes - - JDK-8274795: AArch64: avoid spilling and restoring r18 in macro assembler - - JDK-8274935: dumptime_table has stale entry - - JDK-8274944: AppCDS dump causes SEGV in VM thread while adjusting lambda proxy class info - - JDK-8275326: C2: assert(no_dead_loop) failed: dead loop detected - - JDK-8275330: C2: assert(n->is_Root() || n->is_Region() || n->is_Phi() || n->is_MachMerge() || def_block->dominates(block)) failed: uses must be dominated by definitions - - JDK-8275536: Add test to check that File::lastModified returns same time stamp as Files.getLastModifiedTime - - JDK-8275586: Zero: Simplify interpreter initialization - - JDK-8275608: runtime/Metaspace/elastic/TestMetaspaceAllocationMT2 too slow - - JDK-8275610: C2: Object field load floats above its null check resulting in a segfault - - JDK-8275643: C2's unaryOp vector intrinsic does not properly handle LongVector.neg - - JDK-8275645: [JVMCI] avoid unaligned volatile reads on AArch64 - - JDK-8275650: Problemlist java/io/File/createTempFile/SpecialTempFile.java for Windows 11 - - JDK-8275687: runtime/CommandLine/PrintTouchedMethods test shouldn't catch RuntimeException - - JDK-8275800: Redefinition leaks MethodData::_extra_data_lock - - JDK-8275847: Scheduling fails with "too many D-U pinch points" on small method - - JDK-8275874: [JVMCI] only support aligned reads in c2v_readFieldValue - - JDK-8276057: Update JMH devkit to 1.33 - - JDK-8276141: XPathFactory set/getProperty method - - JDK-8276177: nsk/jvmti/RedefineClasses/StressRedefineWithoutBytecodeCorruption failed with "assert(def_ik->is_being_redefined()) failed: should be being redefined to get here" - - JDK-8276314: [JVMCI] check alignment of call displacement during code installation - - JDK-8276623: JDK-8275650 accidentally pushed "out" file - - JDK-8276654: element-list order is non deterministic - - JDK-8276662: Scalability bottleneck in SymbolTable::lookup_common() - - JDK-8276764: Enable deterministic file content ordering for Jar and Jmod - - JDK-8276766: Enable jar and jmod to produce deterministic timestamped content - - JDK-8276841: Add support for Visual Studio 2022 - - JDK-8277069: [REDO] JDK-8276743 Make openjdk build Zip Archive generation "reproducible" - - JDK-8277137: Set OnSpinWaitInst/OnSpinWaitInstCount defaults to "isb"/1 for Arm Neoverse N1 - - JDK-8277180: Intrinsify recursive ObjectMonitor locking for C2 x64 and A64 - - JDK-8277299: STACK_OVERFLOW in Java_sun_awt_shell_Win32ShellFolder2_getIconBits - - JDK-8277328: jdk/jshell/CommandCompletionTest.java failures on Windows - - JDK-8277342: vmTestbase/nsk/stress/strace/strace004.java fails with SIGSEGV in InstanceKlass::jni_id_for - - JDK-8277383: VM.metaspace optionally show chunk freelist details - - JDK-8277385: Zero: Enable CompactStrings support - - JDK-8277441: CompileQueue::add fails with assert(_last->next() == __null) failed: not last - - JDK-8277447: Hotspot C1 compiler crashes on Kotlin suspend fun with loop - - JDK-8277449: compiler/vectorapi/TestLongVectorNeg.java fails with release VMs - - JDK-8277488: Add expiry exception for Digicert (geotrustglobalca) expiring in May 2022 - - JDK-8277497: Last column cell in the JTable row is read as empty cell - - JDK-8277503: compiler/onSpinWait/TestOnSpinWaitAArch64DefaultFlags.java failed with "OnSpinWaitInst with the expected value 'isb' not found." - - JDK-8277762: Allow configuration of HOTSPOT_BUILD_USER - - JDK-8277777: [Vector API] assert(r->is_XMMRegister()) failed: must be in x86_32.ad - - JDK-8277795: ldap connection timeout not honoured under contention - - JDK-8277846: Implement fast-path for ASCII-compatible CharsetEncoders on ppc64 - - JDK-8277919: OldObjectSample event causing bloat in the class constant pool in JFR recording - - JDK-8277992: Add fast jdk_svc subtests to jdk:tier3 - - JDK-8278016: Add compiler tests to tier{2,3} - - JDK-8278020: ~13% variation in Renaissance-Scrabble - - JDK-8278080: Add --with-cacerts-src='user cacerts folder' to enable deterministic cacerts generation - - JDK-8278099: two sun/security/pkcs11/Signature tests failed with AssertionError - - JDK-8278104: C1 should support the compiler directive 'BreakAtExecute' - - JDK-8278115: gc/stress/gclocker/TestGCLockerWithSerial.java has duplicate -Xmx - - JDK-8278116: runtime/modules/LoadUnloadModuleStress.java has duplicate -Xmx - - JDK-8278163: --with-cacerts-src variable resolved after GenerateCacerts recipe setup - - JDK-8278172: java/nio/channels/FileChannel/BlockDeviceSize.java should only run on Linux - - JDK-8278185: Custom JRE cannot find non-ASCII named module inside - - JDK-8278239: vmTestbase/nsk/jvmti/RedefineClasses/StressRedefine failed with EXCEPTION_ACCESS_VIOLATION at 0x000000000000000d - - JDK-8278241: Implement JVM SpinPause on linux-aarch64 - - JDK-8278309: [windows] use of uninitialized OSThread::_state - - JDK-8278344: sun/security/pkcs12/KeytoolOpensslInteropTest.java test fails because of different openssl output - - JDK-8278346: java/nio/file/Files/probeContentType/Basic.java fails on Linux SLES15 machine - - JDK-8278381: [GCC 11] Address::make_raw() does not initialize rspec - - JDK-8278384: Bytecodes::result_type() for arraylength returns T_VOID instead of T_INT - - JDK-8278389: SuspendibleThreadSet::_suspend_all should be volatile/atomic - - JDK-8278526: [macos] Screen reader reads SwingSet2 JTable row selection as null, dimmed row for last column - - JDK-8278604: SwingSet2 table demo does not have accessible description set for images - - JDK-8278627: Shenandoah: TestHeapDump test failed - - JDK-8278758: runtime/BootstrapMethod/BSMCalledTwice.java fails with release VMs after JDK-8262134 - - JDK-8278822: Bump update version for OpenJDK: jdk-17.0.3 - - JDK-8278824: Uneven work distribution when scanning heap roots in G1 - - JDK-8278871: [JVMCI] assert((uint)reason < 2* _trap_hist_limit) failed: oob - - JDK-8278951: containers/cgroup/PlainRead.java fails on Ubuntu 21.10 - - JDK-8278987: RunThese24H.java failed with EXCEPTION_ACCESS_VIOLATION in __write_sample_info__ - - JDK-8279011: JFR: JfrChunkWriter incorrectly handles int64_t chunk size as size_t - - JDK-8279076: C2: Bad AD file when matching SqrtF with UseSSE=0 - - JDK-8279124: VM does not handle SIGQUIT during initialization - - JDK-8279225: [arm32] C1 longs comparison operation destroys argument registers - - JDK-8279300: [arm32] SIGILL when running GetObjectSizeIntrinsicsTest - - JDK-8279379: GHA: Print tests that are in error - - JDK-8279385: [test] Adjust sun/security/pkcs12/KeytoolOpensslInteropTest.java after 8278344 - - JDK-8279412: [JVMCI] failed speculations list must outlive any nmethod that refers to it - - JDK-8279445: Update JMH devkit to 1.34 - - JDK-8279453: Disable tools/jar/ReproducibleJar.java on 32-bit platforms - - JDK-8279505: Update documentation for RETRY_COUNT and REPEAT_COUNT - - JDK-8279669: test/jdk/com/sun/jdi/TestScaffold.java uses wrong condition - - JDK-8279695: [TESTBUG] modify compiler/loopopts/TestSkeletonPredicateNegation.java to run on C1 also - - JDK-8279702: [macosx] ignore xcodebuild warnings on M1 - - JDK-8279833: Loop optimization issue in String.encodeUTF8_UTF16 - - JDK-8279924: [PPC64, s390] implement frame::is_interpreted_frame_valid checks - - JDK-8279998: PPC64 debug builds fail with "untested: RangeCheckStub: predicate_failed_trap_id" - - JDK-8280002: jmap -histo may leak stream - - JDK-8280155: [PPC64, s390] frame size checks are not yet correct - - JDK-8280373: Update Xalan serializer / SystemIDResolver to align with JDK-8270492 - - JDK-8280414: Memory leak in DefaultProxySelector - - JDK-8280526: x86_32 Math.sqrt performance regression with -XX:UseSSE={0,1} - - JDK-8281061: [s390] JFR runs into assertions while validating interpreter frames - - JDK-8281460: Let ObjectMonitor have its own NMT category - - JDK-8282219: jdk/java/lang/ProcessBuilder/Basic.java fails on AIX - - JDK-8282300: Throws NamingException instead of InvalidNameException after JDK-8278972 - - JDK-8282397: createTempFile method of java.io.File is failing when called with suffix of spaces character - - JDK-8282761: XPathFactoryImpl remove setProperty and getProperty methods - - JDK-8284548: Invalid XPath expression causes StringIndexOutOfBoundsException - -Notes on individual issues: -=========================== - -security-libs/java.security: - -JDK-8274791: Support for RSASSA-PSS in OCSP Response -==================================================== -An OCSP response signed with the RSASSA-PSS algorithm is now supported. - New in release OpenJDK 17.0.2 (2022-01-18): =========================================== Live versions of these release notes can be found at: diff --git a/SOURCES/jdk8275535-rh2053256-ldap_auth.patch b/SOURCES/jdk8275535-rh2053256-ldap_auth.patch new file mode 100644 index 0000000..51bd6d2 --- /dev/null +++ b/SOURCES/jdk8275535-rh2053256-ldap_auth.patch @@ -0,0 +1,26 @@ +diff --git openjdk.orig/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java openjdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java +index 70903206ea0..09956084cf9 100644 +--- openjdk.orig/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java ++++ openjdk/src/java.naming/share/classes/com/sun/jndi/ldap/LdapCtxFactory.java +@@ -189,6 +189,10 @@ public final class LdapCtxFactory implements ObjectFactory, InitialContextFactor + ctx = getLdapCtxFromUrl( + r.getDomainName(), url, new LdapURL(u), env); + return ctx; ++ } catch (AuthenticationException e) { ++ // do not retry on a different endpoint to avoid blocking ++ // the user if authentication credentials are wrong. ++ throw e; + } catch (NamingException e) { + // try the next element + lastException = e; +@@ -241,6 +245,10 @@ public final class LdapCtxFactory implements ObjectFactory, InitialContextFactor + for (String u : urls) { + try { + return getUsingURL(u, env); ++ } catch (AuthenticationException e) { ++ // do not retry on a different URL to avoid blocking ++ // the user if authentication credentials are wrong. ++ throw e; + } catch (NamingException e) { + ex = e; + } diff --git a/SOURCES/jdk8284548-jaxp_regression.patch b/SOURCES/jdk8284548-jaxp_regression.patch deleted file mode 100644 index c972585..0000000 --- a/SOURCES/jdk8284548-jaxp_regression.patch +++ /dev/null @@ -1,96 +0,0 @@ -From 722bf5b20de2ee64e0fdabb2f5e5fa89e043e3f1 Mon Sep 17 00:00:00 2001 -From: Christoph Langer -Date: Fri, 8 Apr 2022 14:06:47 +0200 -Subject: [PATCH] 8284548: Unexpected StringIndexOutOfBoundsException can occur - for invalid XPath expressions after JDK-8270504 - ---- - .../apache/xpath/internal/compiler/Lexer.java | 4 +- - .../javax/xml/jaxp/XPath/InvalidXPath.java | 53 +++++++++++++++++++ - 2 files changed, 54 insertions(+), 3 deletions(-) - create mode 100644 test/jdk/javax/xml/jaxp/XPath/InvalidXPath.java - -diff --git openjdk.orig/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Lexer.java openjdk/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Lexer.java -index 54595e2d036..b7b3f419eb2 100644 ---- openjdk.orig/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Lexer.java -+++ openjdk/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Lexer.java -@@ -24,7 +24,6 @@ import com.sun.org.apache.xalan.internal.res.XSLMessages; - import com.sun.org.apache.xml.internal.utils.PrefixResolver; - import com.sun.org.apache.xpath.internal.res.XPATHErrorResources; - import java.util.List; --import java.util.Objects; - import javax.xml.transform.TransformerException; - import jdk.xml.internal.XMLSecurityManager; - import jdk.xml.internal.XMLSecurityManager.Limit; -@@ -451,8 +450,7 @@ class Lexer - * @return the next char - */ - private char peekNext(String s, int index) { -- Objects.checkIndex(index, s.length()); -- if (s.length() > index) { -+ if (index >= 0 && index < s.length() - 1) { - return s.charAt(index + 1); - } - return 0; -diff --git openjdk.orig/test/jdk/javax/xml/jaxp/XPath/InvalidXPath.java openjdk/test/jdk/javax/xml/jaxp/XPath/InvalidXPath.java -new file mode 100644 -index 00000000000..478f4212d5b ---- /dev/null -+++ openjdk/test/jdk/javax/xml/jaxp/XPath/InvalidXPath.java -@@ -0,0 +1,53 @@ -+/* -+ * Copyright (c) 2022, SAP SE. All rights reserved. -+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER. -+ * -+ * This code is free software; you can redistribute it and/or modify it -+ * under the terms of the GNU General Public License version 2 only, as -+ * published by the Free Software Foundation. -+ * -+ * This code is distributed in the hope that it will be useful, but WITHOUT -+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or -+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License -+ * version 2 for more details (a copy is included in the LICENSE file that -+ * accompanied this code). -+ * -+ * You should have received a copy of the GNU General Public License version -+ * 2 along with this work; if not, write to the Free Software Foundation, -+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA. -+ * -+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA -+ * or visit www.oracle.com if you need additional information or have any -+ * questions. -+ */ -+ -+/* -+ * @test -+ * @bug 8284548 -+ * @summary Test whether the expected exception is thrown when -+ * trying to compile an invalid XPath expression. -+ * @run main InvalidXPath -+ */ -+ -+import javax.xml.xpath.XPathExpressionException; -+import javax.xml.xpath.XPathFactory; -+ -+public class InvalidXPath { -+ -+ public static void main(String... args) { -+ // define an invalid XPath expression -+ final String invalidXPath = ">>"; -+ -+ // expect XPathExpressionException when the invalid XPath expression is compiled -+ try { -+ XPathFactory.newInstance().newXPath().compile(invalidXPath); -+ } catch (XPathExpressionException e) { -+ System.out.println("Caught expected exception: " + e.getClass().getName() + -+ "(" + e.getMessage() + ")."); -+ } catch (Exception e) { -+ System.out.println("Caught unexpected exception: " + e.getClass().getName() + -+ "(" + e.getMessage() + ")!"); -+ throw e; -+ } -+ } -+} --- -2.35.1.windows.2 - diff --git a/SOURCES/jdk8284920-incorrect_token_type.patch b/SOURCES/jdk8284920-incorrect_token_type.patch deleted file mode 100644 index 25266e7..0000000 --- a/SOURCES/jdk8284920-incorrect_token_type.patch +++ /dev/null @@ -1,102 +0,0 @@ -From 0d3aea2f11df585b491ae5c07de9f66679601d58 Mon Sep 17 00:00:00 2001 -From: Anton Kozlov -Date: Fri, 15 Apr 2022 14:07:52 +0300 -Subject: [PATCH] 8284920: Incorrect Token type causes XPath expression to - return empty result - -Reviewed-by: ---- - .../com/sun/org/apache/xpath/internal/compiler/Lexer.java | 4 ++-- - .../com/sun/org/apache/xpath/internal/compiler/Token.java | 4 ++-- - .../org/apache/xpath/internal/compiler/XPathParser.java | 8 ++++---- - 3 files changed, 8 insertions(+), 8 deletions(-) - -diff --git openjdk.orig/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Lexer.java openjdk/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Lexer.java -index b7b3f419eb2..41b58da8e99 100644 ---- openjdk.orig/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Lexer.java -+++ openjdk/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Lexer.java -@@ -360,7 +360,7 @@ class Lexer - - addToTokenQueue(pat.substring(i, i + 1)); - break; -- case Token.COLON : -+ case Token.COLON_CHAR: - if (i>0) - { - if (posOfNSSep == (i - 1)) -@@ -615,7 +615,7 @@ class Lexer - resetTokenMark(tokPos + 1); - } - -- if (m_processor.lookahead(Token.COLON, 1)) -+ if (m_processor.lookahead(Token.COLON_CHAR, 1)) - { - tokPos += 2; - } -diff --git openjdk.orig/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Token.java openjdk/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Token.java -index 8c4fee146c6..7bce14e5770 100644 ---- openjdk.orig/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Token.java -+++ openjdk/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/Token.java -@@ -45,10 +45,9 @@ public final class Token { - static final char LPAREN = '('; - static final char RPAREN = ')'; - static final char COMMA = ','; -- static final char DOT = '.'; - static final char AT = '@'; - static final char US = '_'; -- static final char COLON = ':'; -+ static final char COLON_CHAR = ':'; - static final char SQ = '\''; - static final char DQ = '"'; - static final char DOLLAR = '$'; -@@ -58,6 +57,7 @@ public final class Token { - static final String DIV = "div"; - static final String MOD = "mod"; - static final String QUO = "quo"; -+ static final String DOT = "."; - static final String DDOT = ".."; - static final String DCOLON = "::"; - static final String ATTR = "attribute"; -diff --git openjdk.orig/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/XPathParser.java openjdk/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/XPathParser.java -index c3f9e1494be..22192fd06f6 100644 ---- openjdk.orig/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/XPathParser.java -+++ openjdk/src/java.xml/share/classes/com/sun/org/apache/xpath/internal/compiler/XPathParser.java -@@ -1413,7 +1413,7 @@ public class XPathParser - - matchFound = true; - } -- else if (lookahead(Token.LPAREN, 1) || (lookahead(Token.COLON, 1) && lookahead(Token.LPAREN, 3))) -+ else if (lookahead(Token.LPAREN, 1) || (lookahead(Token.COLON_CHAR, 1) && lookahead(Token.LPAREN, 3))) - { - matchFound = FunctionCall(); - } -@@ -1457,7 +1457,7 @@ public class XPathParser - - int opPos = m_ops.getOp(OpMap.MAPINDEX_LENGTH); - -- if (lookahead(Token.COLON, 1)) -+ if (lookahead(Token.COLON_CHAR, 1)) - { - appendOp(4, OpCodes.OP_EXTFUNCTION); - -@@ -1841,7 +1841,7 @@ public class XPathParser - m_ops.setOp(m_ops.getOp(OpMap.MAPINDEX_LENGTH), OpCodes.NODENAME); - m_ops.setOp(OpMap.MAPINDEX_LENGTH, m_ops.getOp(OpMap.MAPINDEX_LENGTH) + 1); - -- if (lookahead(Token.COLON, 1)) -+ if (lookahead(Token.COLON_CHAR, 1)) - { - if (tokenIs(Token.STAR)) - { -@@ -1944,7 +1944,7 @@ public class XPathParser - protected void QName() throws TransformerException - { - // Namespace -- if(lookahead(Token.COLON, 1)) -+ if(lookahead(Token.COLON_CHAR, 1)) - { - m_ops.setOp(m_ops.getOp(OpMap.MAPINDEX_LENGTH), m_queueMark - 1); - m_ops.setOp(OpMap.MAPINDEX_LENGTH, m_ops.getOp(OpMap.MAPINDEX_LENGTH) + 1); --- -2.24.3 - diff --git a/SOURCES/nss.fips.cfg.in b/SOURCES/nss.fips.cfg.in index ead27be..1aff153 100644 --- a/SOURCES/nss.fips.cfg.in +++ b/SOURCES/nss.fips.cfg.in @@ -1,6 +1,6 @@ name = NSS-FIPS nssLibraryDirectory = @NSS_LIBDIR@ -nssSecmodDirectory = @NSS_SECMOD@ +nssSecmodDirectory = sql:/etc/pki/nssdb nssDbMode = readOnly nssModule = fips diff --git a/SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch b/SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch new file mode 100644 index 0000000..b5351a8 --- /dev/null +++ b/SOURCES/rh2021263-fips_separate_policy_and_fips_init.patch @@ -0,0 +1,99 @@ +commit 0cd8cee94fe0f867b0b39890e00be620af1d9b07 +Author: Andrew Hughes +Date: Tue Jan 18 02:09:27 2022 +0000 + + RH2021263: Improve Security initialisation, now FIPS support no longer relies on crypto policy support + +diff --git openjdk.orig/src/java.base/share/classes/java/security/Security.java openjdk/src/java.base/share/classes/java/security/Security.java +index 28ab1846173..f9726741afd 100644 +--- openjdk.orig/src/java.base/share/classes/java/security/Security.java ++++ openjdk/src/java.base/share/classes/java/security/Security.java +@@ -61,10 +61,6 @@ public final class Security { + private static final Debug sdebug = + Debug.getInstance("properties"); + +- /* System property file*/ +- private static final String SYSTEM_PROPERTIES = +- "/etc/crypto-policies/back-ends/java.config"; +- + /* The java.security properties */ + private static Properties props; + +@@ -206,22 +202,36 @@ public final class Security { + } + } + ++ if (!loadedProps) { ++ initializeStatic(); ++ if (sdebug != null) { ++ sdebug.println("unable to load security properties " + ++ "-- using defaults"); ++ } ++ } ++ + String disableSystemProps = System.getProperty("java.security.disableSystemPropertiesFile"); + if ((disableSystemProps == null || "false".equalsIgnoreCase(disableSystemProps)) && + "true".equalsIgnoreCase(props.getProperty("security.useSystemPropertiesFile"))) { +- if (SystemConfigurator.configure(props)) { +- loadedProps = true; ++ if (!SystemConfigurator.configureSysProps(props)) { ++ if (sdebug != null) { ++ sdebug.println("WARNING: System properties could not be loaded."); ++ } + } + } + +- if (!loadedProps) { +- initializeStatic(); ++ // FIPS support depends on the contents of java.security so ++ // ensure it has loaded first ++ if (loadedProps) { ++ boolean fipsEnabled = SystemConfigurator.configureFIPS(props); + if (sdebug != null) { +- sdebug.println("unable to load security properties " + +- "-- using defaults"); ++ if (fipsEnabled) { ++ sdebug.println("FIPS support enabled."); ++ } else { ++ sdebug.println("FIPS support disabled."); ++ } + } + } +- + } + + /* +diff --git openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java +index 874c6221ebe..b7ed41acf0f 100644 +--- openjdk.orig/src/java.base/share/classes/java/security/SystemConfigurator.java ++++ openjdk/src/java.base/share/classes/java/security/SystemConfigurator.java +@@ -76,7 +76,7 @@ final class SystemConfigurator { + * java.security.disableSystemPropertiesFile property is not set and + * security.useSystemPropertiesFile is true. + */ +- static boolean configure(Properties props) { ++ static boolean configureSysProps(Properties props) { + boolean loadedProps = false; + + try (BufferedInputStream bis = +@@ -96,11 +96,19 @@ final class SystemConfigurator { + e.printStackTrace(); + } + } ++ return loadedProps; ++ } ++ ++ /* ++ * Invoked at the end of java.security.Security initialisation ++ * if java.security properties have been loaded ++ */ ++ static boolean configureFIPS(Properties props) { ++ boolean loadedProps = false; + + try { + if (enableFips()) { + if (sdebug != null) { sdebug.println("FIPS mode detected"); } +- loadedProps = false; + // Remove all security providers + Iterator> i = props.entrySet().iterator(); + while (i.hasNext()) { diff --git a/SOURCES/rh2052829-fips_runtime_nss_detection.patch b/SOURCES/rh2052829-fips_runtime_nss_detection.patch new file mode 100644 index 0000000..c609fce --- /dev/null +++ b/SOURCES/rh2052829-fips_runtime_nss_detection.patch @@ -0,0 +1,213 @@ +commit 090ea0389db5c2e0c8ee13652bccd544b17872c2 +Author: Andrew Hughes +Date: Mon Feb 7 15:33:27 2022 +0000 + + RH2051605: Detect NSS at Runtime for FIPS detection + +diff --git openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c openjdk/src/java.base/linux/native/libsystemconf/systemconf.c +index caf678a7dd6..8dcb7d9073f 100644 +--- openjdk.orig/src/java.base/linux/native/libsystemconf/systemconf.c ++++ openjdk/src/java.base/linux/native/libsystemconf/systemconf.c +@@ -23,26 +23,37 @@ + * questions. + */ + +-#include + #include + #include ++#include "jvm_md.h" + #include + + #ifdef SYSCONF_NSS + #include ++#else ++#include + #endif //SYSCONF_NSS + + #include "java_security_SystemConfigurator.h" + +-#define MSG_MAX_SIZE 96 ++#define MSG_MAX_SIZE 256 ++#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" ++ ++typedef int (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE)(void); + ++static SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE *getSystemFIPSEnabled; + static jmethodID debugPrintlnMethodID = NULL; + static jobject debugObj = NULL; + +-// Only used when NSS is unavailable and FIPS_ENABLED_PATH is read +-#ifndef SYSCONF_NSS +- +-#define FIPS_ENABLED_PATH "/proc/sys/crypto/fips_enabled" ++static void dbgPrint(JNIEnv *env, const char* msg) ++{ ++ jstring jMsg; ++ if (debugObj != NULL) { ++ jMsg = (*env)->NewStringUTF(env, msg); ++ CHECK_NULL(jMsg); ++ (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); ++ } ++} + + static void throwIOException(JNIEnv *env, const char *msg) + { +@@ -51,18 +62,61 @@ static void throwIOException(JNIEnv *env, const char *msg) + (*env)->ThrowNew(env, cls, msg); + } + +-#endif ++static void handle_msg(JNIEnv *env, const char* msg, int msg_bytes) ++{ ++ if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { ++ dbgPrint(env, msg); ++ } else { ++ dbgPrint(env, "systemconf: cannot render message"); ++ } ++} + +-static void dbgPrint(JNIEnv *env, const char* msg) ++// Only used when NSS is not linked at build time ++#ifndef SYSCONF_NSS ++ ++static void *nss_handle; ++ ++static jboolean loadNSS(JNIEnv *env) + { +- jstring jMsg; +- if (debugObj != NULL) { +- jMsg = (*env)->NewStringUTF(env, msg); +- CHECK_NULL(jMsg); +- (*env)->CallVoidMethod(env, debugObj, debugPrintlnMethodID, jMsg); +- } ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ const char* errmsg; ++ ++ nss_handle = dlopen(JNI_LIB_NAME("nss3"), RTLD_LAZY); ++ if (nss_handle == NULL) { ++ errmsg = dlerror(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlopen: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ return JNI_FALSE; ++ } ++ dlerror(); /* Clear errors */ ++ getSystemFIPSEnabled = (SECMOD_GET_SYSTEM_FIPS_ENABLED_TYPE*)dlsym(nss_handle, "SECMOD_GetSystemFIPSEnabled"); ++ if ((errmsg = dlerror()) != NULL) { ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "loadNSS: dlsym: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ return JNI_FALSE; ++ } ++ return JNI_TRUE; ++} ++ ++static void closeNSS(JNIEnv *env) ++{ ++ char msg[MSG_MAX_SIZE]; ++ int msg_bytes; ++ const char* errmsg; ++ ++ if (dlclose(nss_handle) != 0) { ++ errmsg = dlerror(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "closeNSS: dlclose: %s\n", ++ errmsg); ++ handle_msg(env, msg, msg_bytes); ++ } + } + ++#endif ++ + /* + * Class: java_security_SystemConfigurator + * Method: JNI_OnLoad +@@ -104,6 +158,14 @@ JNIEXPORT jint JNICALL DEF_JNI_OnLoad(JavaVM *vm, void *reserved) + debugObj = (*env)->NewGlobalRef(env, debugObj); + } + ++#ifdef SYSCONF_NSS ++ getSystemFIPSEnabled = *SECMOD_GetSystemFIPSEnabled; ++#else ++ if (loadNSS(env) == JNI_FALSE) { ++ dbgPrint(env, "libsystemconf: Failed to load NSS library."); ++ } ++#endif ++ + return (*env)->GetVersion(env); + } + +@@ -119,6 +181,9 @@ JNIEXPORT void JNICALL DEF_JNI_OnUnload(JavaVM *vm, void *reserved) + if ((*vm)->GetEnv(vm, (void**) &env, JNI_VERSION_1_2) != JNI_OK) { + return; /* Should not happen */ + } ++#ifndef SYSCONF_NSS ++ closeNSS(env); ++#endif + (*env)->DeleteGlobalRef(env, debugObj); + } + } +@@ -130,44 +195,30 @@ JNIEXPORT jboolean JNICALL Java_java_security_SystemConfigurator_getSystemFIPSEn + char msg[MSG_MAX_SIZE]; + int msg_bytes; + +-#ifdef SYSCONF_NSS +- +- dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled"); +- fips_enabled = SECMOD_GetSystemFIPSEnabled(); +- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ +- " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled); +- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { +- dbgPrint(env, msg); ++ if (getSystemFIPSEnabled != NULL) { ++ dbgPrint(env, "getSystemFIPSEnabled: calling SECMOD_GetSystemFIPSEnabled"); ++ fips_enabled = (*getSystemFIPSEnabled)(); ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " SECMOD_GetSystemFIPSEnabled returned 0x%x", fips_enabled); ++ handle_msg(env, msg, msg_bytes); ++ return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE); + } else { +- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \ +- " SECMOD_GetSystemFIPSEnabled return value"); +- } +- return (fips_enabled == 1 ? JNI_TRUE : JNI_FALSE); ++ FILE *fe; + +-#else // SYSCONF_NSS +- +- FILE *fe; +- +- dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); +- if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { ++ dbgPrint(env, "getSystemFIPSEnabled: reading " FIPS_ENABLED_PATH); ++ if ((fe = fopen(FIPS_ENABLED_PATH, "r")) == NULL) { + throwIOException(env, "Cannot open " FIPS_ENABLED_PATH); + return JNI_FALSE; +- } +- fips_enabled = fgetc(fe); +- fclose(fe); +- if (fips_enabled == EOF) { ++ } ++ fips_enabled = fgetc(fe); ++ fclose(fe); ++ if (fips_enabled == EOF) { + throwIOException(env, "Cannot read " FIPS_ENABLED_PATH); + return JNI_FALSE; ++ } ++ msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ ++ " read character is '%c'", fips_enabled); ++ handle_msg(env, msg, msg_bytes); ++ return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE); + } +- msg_bytes = snprintf(msg, MSG_MAX_SIZE, "getSystemFIPSEnabled:" \ +- " read character is '%c'", fips_enabled); +- if (msg_bytes > 0 && msg_bytes < MSG_MAX_SIZE) { +- dbgPrint(env, msg); +- } else { +- dbgPrint(env, "getSystemFIPSEnabled: cannot render" \ +- " read character"); +- } +- return (fips_enabled == '1' ? JNI_TRUE : JNI_FALSE); +- +-#endif // SYSCONF_NSS + } diff --git a/SPECS/java-17-openjdk.spec b/SPECS/java-17-openjdk.spec index 8ea46ff..c3b603c 100644 --- a/SPECS/java-17-openjdk.spec +++ b/SPECS/java-17-openjdk.spec @@ -12,10 +12,7 @@ # # Only produce a release build on x86_64: # $ fedpkg mockbuild --without slowdebug --without fastdebug -# -# Only produce a debug build on x86_64: -# $ fedpkg local --without release -# + # Enable fastdebug builds by default on relevant arches. %bcond_without fastdebug # Enable slowdebug builds by default on relevant arches. @@ -24,6 +21,8 @@ %bcond_without release # Enable static library builds by default. %bcond_without staticlibs +# Build a fresh libjvm.so for use in a copy of the bootstrap JDK +%bcond_without fresh_libjvm # Workaround for stripping of debug symbols from static libraries %if %{with staticlibs} @@ -33,6 +32,13 @@ %global include_staticlibs 0 %endif +# Define whether to use the bootstrap JDK directly or with a fresh libjvm.so +%if %{with fresh_libjvm} +%global build_hotspot_first 1 +%else +%global build_hotspot_first 0 +%endif + # The -g flag says to use strip -g instead of full strip on DSOs or EXEs. # This fixes detailed NMT and other tools which need minimal debug info. # See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879 @@ -59,11 +65,11 @@ %global staticlibs_suffix "%{staticlibs_suffix_unquoted}" %global debug_warning This package is unoptimised with full debugging. Install only as needed and remove ASAP. -%global debug_on with full debugging on -%global fastdebug_on with minimal debugging on %global fastdebug_warning This package is optimised with full debugging. Install only as needed and remove ASAP. -%global for_fastdebug_on for packages with minimal debugging on -%global for_debug for packages with debugging on +%global debug_on unoptimised with full debugging on +%global fastdebug_on optimised with full debugging on +%global for_fastdebug for packages with debugging on and optimisation +%global for_debug for packages with debugging on and no optimisation %if %{with release} %global include_normal_build 1 @@ -81,7 +87,7 @@ # in alternatives those are slaves and master, very often triplicated by man pages # in files all masters and slaves are ghosted # the ghosts are here to allow installation via query like `dnf install /usr/bin/java` -# you can list those files, with appropriate sections: cat *.spec | grep -e --install -e --slave -e post_ +# you can list those files, with appropriate sections: cat *.spec | grep -e --install -e --slave -e post_ -e alternatives # TODO - fix those hardcoded lists via single list # Those files must *NOT* be ghosted for *slowdebug* packages # FIXME - if you are moving jshell or jlink or similar, always modify all three sections @@ -102,17 +108,20 @@ %global ppc64be ppc64 ppc64p7 # Set of architectures which support multiple ABIs %global multilib_arches %{power64} sparc64 x86_64 -# Set of architectures for which we build debug builds +# Set of architectures for which we build slowdebug builds %global debug_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} s390x +# Set of architectures for which we build fastdebug builds +%global fastdebug_arches x86_64 ppc64le aarch64 # Set of architectures with a Just-In-Time (JIT) compiler -%global jit_arches %{debug_arches} %{arm} +%global jit_arches %{arm} %{aarch64} %{ix86} %{power64} s390x sparcv9 sparc64 x86_64 +# Set of architectures which use the Zero assembler port (!jit_arches) +%global zero_arches ppc s390 # Set of architectures which run a full bootstrap cycle %global bootstrap_arches %{jit_arches} # Set of architectures which support SystemTap tapsets %global systemtap_arches %{jit_arches} # Set of architectures with a Ahead-Of-Time (AOT) compiler %global aot_arches x86_64 %{aarch64} -%global fastdebug_arches x86_64 ppc64le aarch64 # Set of architectures which support the serviceability agent %global sa_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} %{arm} # Set of architectures which support class data sharing @@ -125,8 +134,10 @@ %global zgc_arches x86_64 # Set of architectures for which alt-java has SSB mitigation %global ssbd_arches x86_64 -# Set of architectures for which java has short vector math library (libsvml.so) +# Set of architectures for which java has short vector math library (libjsvml.so) %global svml_arches x86_64 +# Set of architectures where we verify backtraces with gdb +%global gdb_arches %{jit_arches} %{zero_arches} # By default, we build a debug build during main build on JIT architectures %if %{with slowdebug} @@ -169,9 +180,9 @@ %global fastdebug_build %{nil} %endif -# If you disable both builds, then the build fails +# If you disable all builds, then the build fails # Build and test slowdebug first as it provides the best diagnostics -%global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build} +%global build_loop %{slowdebug_build} %{fastdebug_build} %{normal_build} %if %{include_staticlibs} %global staticlibs_loop %{staticlibs_suffix} @@ -180,27 +191,35 @@ %endif %ifarch %{bootstrap_arches} -%global bootstrap_build 1 +%global bootstrap_build true %else -%global bootstrap_build 1 +%global bootstrap_build false %endif -%if %{bootstrap_build} -%global release_targets bootcycle-images docs-zip -%else -%global release_targets images docs-zip -%endif -# No docs nor bootcycle for debug builds -%global debug_targets images - %if %{include_staticlibs} # Extra target for producing the static-libraries. Separate from # other targets since this target is configured to use in-tree # AWT dependencies: lcms, libjpeg, libpng, libharfbuzz, giflib # and possibly others %global static_libs_target static-libs-image +%else +%global static_libs_target %{nil} %endif +# RPM JDK builds keep the debug symbols internal, to be later stripped by RPM +%global debug_symbols internal + +# unlike portables,the rpms have to use static_libs_target very dynamically +%global bootstrap_targets images +%global release_targets images docs-zip +# No docs nor bootcycle for debug builds +%global debug_targets images +# Target to use to just build HotSpot +%global hotspot_target hotspot + +# JDK to use for bootstrapping +%global bootjdk /usr/lib/jvm/java-%{buildjdkver}-openjdk + # Filter out flags from the optflags macro that cause problems with the OpenJDK build # We filter out -O flags so that the optimization of HotSpot is not lowered from O3 to O2 @@ -220,51 +239,63 @@ # In some cases, the arch used by the JDK does # not match _arch. # Also, in some cases, the machine name used by SystemTap -# does not match that given by _build_cpu +# does not match that given by _target_cpu %ifarch x86_64 %global archinstall amd64 +%global stapinstall x86_64 %endif %ifarch ppc %global archinstall ppc +%global stapinstall powerpc %endif %ifarch %{ppc64be} %global archinstall ppc64 +%global stapinstall powerpc %endif %ifarch %{ppc64le} %global archinstall ppc64le +%global stapinstall powerpc %endif %ifarch %{ix86} %global archinstall i686 +%global stapinstall i386 %endif %ifarch ia64 %global archinstall ia64 +%global stapinstall ia64 %endif %ifarch s390 %global archinstall s390 +%global stapinstall s390 %endif %ifarch s390x %global archinstall s390x +%global stapinstall s390 %endif %ifarch %{arm} %global archinstall arm +%global stapinstall arm %endif %ifarch %{aarch64} %global archinstall aarch64 +%global stapinstall arm64 %endif # 32 bit sparc, optimized for v9 %ifarch sparcv9 %global archinstall sparc +%global stapinstall %{_target_cpu} %endif # 64 bit sparc %ifarch sparc64 %global archinstall sparcv9 +%global stapinstall %{_target_cpu} %endif -%ifnarch %{jit_arches} -%global archinstall %{_arch} +# Need to support noarch for srpm build +%ifarch noarch +%global archinstall %{nil} +%global stapinstall %{nil} %endif - - %ifarch %{systemtap_arches} %global with_systemtap 1 %else @@ -274,7 +305,7 @@ # New Version-String scheme-style defines %global featurever 17 %global interimver 0 -%global updatever 3 +%global updatever 2 %global patchver 0 # If you bump featurever, you must also bump vendor_version_string # Used via new version scheme. JDK 17 was @@ -302,8 +333,8 @@ %global origin_nice OpenJDK %global top_level_dir_name %{origin} %global top_level_dir_name_backup %{top_level_dir_name}-backup -%global buildver 6 -%global rpmrelease 2 +%global buildver 8 +%global rpmrelease 15 # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions @@ -316,17 +347,12 @@ # for techpreview, using 1, so slowdebugs can have 0 %global priority %( printf '%08d' 1 ) %endif -%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver} +%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver} %global javaver %{featurever} # Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames %global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn}) -# The tag used to create the OpenJDK tarball -#%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}} -# Temporarily use pre-release tag from vulnerability group -%global vcstag 17usec.17.0.3+5-220408 - # Define milestone (EA for pre-releases, GA for releases) # Release will be (where N is usually a number starting at 1): # - 0.N%%{?extraver}%%{?dist} for EA releases, @@ -418,6 +444,9 @@ %global alternatives_requires %{_sbindir}/alternatives %endif +%global family %{name}.%{_arch} +%global family_noarch %{name} + %if %{with_systemtap} # Where to install systemtap tapset (links) # We would like these to be in a package specific sub-dir, @@ -426,15 +455,59 @@ # and 32 bit architectures we place the tapsets under the arch # specific dir (note that systemtap will only pickup the tapset # for the primary arch for now). Systemtap uses the machine name -# aka build_cpu as architecture specific directory name. +# aka target_cpu as architecture specific directory name. %global tapsetroot /usr/share/systemtap %global tapsetdirttapset %{tapsetroot}/tapset/ -%global tapsetdir %{tapsetdirttapset}/%{_build_cpu} +%global tapsetdir %{tapsetdirttapset}/%{stapinstall} %endif # not-duplicated scriptlets for normal/debug packages %global update_desktop_icons /usr/bin/gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : +%define save_alternatives() %{expand: + # warning! alternatives are localised! + # LANG=cs_CZ.UTF-8 alternatives --display java | head + # LANG=en_US.UTF-8 alternatives --display java | head + function nonLocalisedAlternativesDisplayOfMaster() { + LANG=en_US.UTF-8 alternatives --display "$MASTER" + } + function headOfAbove() { + nonLocalisedAlternativesDisplayOfMaster | head -n $1 + } + MASTER="%{?1}" + LOCAL_LINK="%{?2}" + FAMILY="%{?3}" + rm -f %{_localstatedir}/lib/rpm-state/"$MASTER"_$FAMILY > /dev/null + if nonLocalisedAlternativesDisplayOfMaster > /dev/null ; then + if headOfAbove 1 | grep -q manual ; then + if headOfAbove 2 | tail -n 1 | grep -q %{compatiblename} ; then + headOfAbove 2 > %{_localstatedir}/lib/rpm-state/"$MASTER"_"$FAMILY" + fi + fi + fi +} + +%define save_and_remove_alternatives() %{expand: + if [ "x$debug" == "xtrue" ] ; then + set -x + fi + upgrade1_uninstal0=%{?3} + if [ "0$upgrade1_uninstal0" -gt 0 ] ; then # removal of this condition will cause persistence between uninstall + %{save_alternatives %{?1} %{?2} %{?4}} + fi + alternatives --remove "%{?1}" "%{?2}" +} + +%define set_if_needed_alternatives() %{expand: + MASTER="%{?1}" + FAMILY="%{?2}" + ALTERNATIVES_FILE="%{_localstatedir}/lib/rpm-state/$MASTER"_"$FAMILY" + if [ -e "$ALTERNATIVES_FILE" ] ; then + rm "$ALTERNATIVES_FILE" + alternatives --set $MASTER $FAMILY + fi +} + %define post_script() %{expand: update-desktop-database %{_datadir}/applications &> /dev/null || : @@ -442,20 +515,19 @@ update-desktop-database %{_datadir}/applications &> /dev/null || : exit 0 } - -%define post_headless() %{expand: -%ifarch %{share_arches} -%{jrebindir -- %{?1}}/java -Xshare:dump >/dev/null 2>/dev/null -%endif - +%define alternatives_java_install() %{expand: +if [ "x$debug" == "xtrue" ] ; then + set -x +fi PRIORITY=%{priority} if [ "%{?1}" == %{debug_suffix} ]; then let PRIORITY=PRIORITY-1 fi ext=.gz +key=java alternatives \\ - --install %{_bindir}/java java %{jrebindir -- %{?1}}/java $PRIORITY --family %{name}.%{_arch} \\ + --install %{_bindir}/java $key %{jrebindir -- %{?1}}/java $PRIORITY --family %{family} \\ --slave %{_jvmdir}/jre jre %{_jvmdir}/%{sdkdir -- %{?1}} \\ --slave %{_bindir}/%{alt_java_name} %{alt_java_name} %{jrebindir -- %{?1}}/%{alt_java_name} \\ --slave %{_bindir}/keytool keytool %{jrebindir -- %{?1}}/keytool \\ @@ -467,14 +539,25 @@ alternatives \\ --slave %{_mandir}/man1/keytool.1$ext keytool.1$ext \\ %{_mandir}/man1/keytool-%{uniquesuffix -- %{?1}}.1$ext \\ --slave %{_mandir}/man1/rmiregistry.1$ext rmiregistry.1$ext \\ - %{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1$ext + %{_mandir}/man1/rmiregistry-%{uniquesuffix -- %{?1}}.1$ext + +%{set_if_needed_alternatives $key %{family}} for X in %{origin} %{javaver} ; do - alternatives --install %{_jvmdir}/jre-"$X" jre_"$X" %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{name}.%{_arch} + key=jre_"$X" + alternatives --install %{_jvmdir}/jre-"$X" $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family} + %{set_if_needed_alternatives $key %{family}} done -update-alternatives --install %{_jvmdir}/jre-%{javaver}-%{origin} jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} $PRIORITY --family %{name}.%{_arch} +key=jre_%{javaver}_%{origin} +alternatives --install %{_jvmdir}/jre-%{javaver}-%{origin} $key %{_jvmdir}/%{jrelnk -- %{?1}} $PRIORITY --family %{family} +%{set_if_needed_alternatives $key %{family}} +} +%define post_headless() %{expand: +%ifarch %{share_arches} +%{jrebindir -- %{?1}}/java -Xshare:dump >/dev/null 2>/dev/null +%endif update-desktop-database %{_datadir}/applications &> /dev/null || : /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || : @@ -501,32 +584,42 @@ exit 0 %define postun_headless() %{expand: - alternatives --remove java %{jrebindir -- %{?1}}/java - alternatives --remove jre_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} - alternatives --remove jre_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} - alternatives --remove jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} + if [ "x$debug" == "xtrue" ] ; then + set -x + fi + post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax + %{save_and_remove_alternatives java %{jrebindir -- %{?1}}/java $post_state %{family}} + %{save_and_remove_alternatives jre_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}} + %{save_and_remove_alternatives jre_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}} + %{save_and_remove_alternatives jre_%{javaver}_%{origin} %{_jvmdir}/%{jrelnk -- %{?1}} $post_state %{family}} } %define posttrans_script() %{expand: %{update_desktop_icons} } -%define post_devel() %{expand: +%define alternatives_javac_install() %{expand: +if [ "x$debug" == "xtrue" ] ; then + set -x +fi PRIORITY=%{priority} if [ "%{?1}" == %{debug_suffix} ]; then let PRIORITY=PRIORITY-1 fi ext=.gz +key=javac alternatives \\ - --install %{_bindir}/javac javac %{sdkbindir -- %{?1}}/javac $PRIORITY --family %{name}.%{_arch} \\ + --install %{_bindir}/javac $key %{sdkbindir -- %{?1}}/javac $PRIORITY --family %{family} \\ --slave %{_jvmdir}/java java_sdk %{_jvmdir}/%{sdkdir -- %{?1}} \\ --slave %{_bindir}/jlink jlink %{sdkbindir -- %{?1}}/jlink \\ --slave %{_bindir}/jmod jmod %{sdkbindir -- %{?1}}/jmod \\ %ifarch %{sa_arches} +%ifnarch %{zero_arches} --slave %{_bindir}/jhsdb jhsdb %{sdkbindir -- %{?1}}/jhsdb \\ %endif +%endif --slave %{_bindir}/jar jar %{sdkbindir -- %{?1}}/jar \\ --slave %{_bindir}/jarsigner jarsigner %{sdkbindir -- %{?1}}/jarsigner \\ --slave %{_bindir}/javadoc javadoc %{sdkbindir -- %{?1}}/javadoc \\ @@ -585,13 +678,20 @@ alternatives \\ --slave %{_mandir}/man1/serialver.1$ext serialver.1$ext \\ %{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1$ext +%{set_if_needed_alternatives $key %{family}} + for X in %{origin} %{javaver} ; do - alternatives \\ - --install %{_jvmdir}/java-"$X" java_sdk_"$X" %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{name}.%{_arch} + key=java_sdk_"$X" + alternatives --install %{_jvmdir}/java-"$X" $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family} + %{set_if_needed_alternatives $key %{family}} done -update-alternatives --install %{_jvmdir}/java-%{javaver}-%{origin} java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{name}.%{_arch} +key=java_sdk_%{javaver}_%{origin} +alternatives --install %{_jvmdir}/java-%{javaver}-%{origin} $key %{_jvmdir}/%{sdkdir -- %{?1}} $PRIORITY --family %{family} +%{set_if_needed_alternatives $key %{family}} +} +%define post_devel() %{expand: update-desktop-database %{_datadir}/applications &> /dev/null || : /bin/touch --no-create %{_datadir}/icons/hicolor &>/dev/null || : @@ -599,10 +699,14 @@ exit 0 } %define postun_devel() %{expand: - alternatives --remove javac %{sdkbindir -- %{?1}}/javac - alternatives --remove java_sdk_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} - alternatives --remove java_sdk_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} - alternatives --remove java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} + if [ "x$debug" == "xtrue" ] ; then + set -x + fi + post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax + %{save_and_remove_alternatives javac %{sdkbindir -- %{?1}}/javac $post_state %{family}} + %{save_and_remove_alternatives java_sdk_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}} + %{save_and_remove_alternatives java_sdk_%{javaver} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}} + %{save_and_remove_alternatives java_sdk_%{javaver}_%{origin} %{_jvmdir}/%{sdkdir -- %{?1}} $post_state %{family}} update-desktop-database %{_datadir}/applications &> /dev/null || : @@ -614,42 +718,54 @@ exit 0 } %define posttrans_devel() %{expand: +%{alternatives_javac_install -- %{?1}} %{update_desktop_icons} } -%define post_javadoc() %{expand: - +%define alternatives_javadoc_install() %{expand: +if [ "x$debug" == "xtrue" ] ; then + set -x +fi PRIORITY=%{priority} if [ "%{?1}" == %{debug_suffix} ]; then let PRIORITY=PRIORITY-1 fi -alternatives \\ - --install %{_javadocdir}/java javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api \\ - $PRIORITY --family %{name} +key=javadocdir +alternatives --install %{_javadocdir}/java $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $PRIORITY --family %{family_noarch} +%{set_if_needed_alternatives $key %{family_noarch}} exit 0 } %define postun_javadoc() %{expand: - alternatives --remove javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api +if [ "x$debug" == "xtrue" ] ; then + set -x +fi + post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax + %{save_and_remove_alternatives javadocdir %{_javadocdir}/%{uniquejavadocdir -- %{?1}}/api $post_state %{family_noarch}} exit 0 } -%define post_javadoc_zip() %{expand: - +%define alternatives_javadoczip_install() %{expand: +if [ "x$debug" == "xtrue" ] ; then + set -x +fi PRIORITY=%{priority} if [ "%{?1}" == %{debug_suffix} ]; then let PRIORITY=PRIORITY-1 fi - -alternatives \\ - --install %{_javadocdir}/java-zip javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip \\ - $PRIORITY --family %{name} +key=javadoczip +alternatives --install %{_javadocdir}/java-zip $key %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $PRIORITY --family %{family_noarch} +%{set_if_needed_alternatives $key %{family_noarch}} exit 0 } %define postun_javadoc_zip() %{expand: - alternatives --remove javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip + if [ "x$debug" == "xtrue" ] ; then + set -x + fi + post_state=$1 # from postun, https://docs.fedoraproject.org/en-US/packaging-guidelines/Scriptlets/#_syntax + %{save_and_remove_alternatives javadoczip %{_javadocdir}/%{uniquejavadocdir -- %{?1}}.zip $post_state %{family_noarch}} exit 0 } @@ -715,8 +831,10 @@ exit 0 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/librmi.so # Some architectures don't have the serviceability agent %ifarch %{sa_arches} +%ifnarch %{zero_arches} %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsaproc.so %endif +%endif %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsctp.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsystemconf.so %ifarch %{svml_arches} @@ -763,7 +881,7 @@ exit 0 %config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.cfg %config(noreplace) %{etcjavadir -- %{?1}}/conf/security/nss.fips.cfg %config(noreplace) %{etcjavadir -- %{?1}}/conf/management/jmxremote.access -# these are config templates, thus not config-noreplace +# This is a config template, thus not config-noreplace %config %{etcjavadir -- %{?1}}/conf/management/jmxremote.password.template %config %{etcjavadir -- %{?1}}/conf/sdp/sdp.conf.template %config(noreplace) %{etcjavadir -- %{?1}}/conf/management/management.properties @@ -786,6 +904,10 @@ exit 0 %ghost %{_jvmdir}/jre-%{javaver}-%{origin} %endif %endif +# https://bugzilla.redhat.com/show_bug.cgi?id=1820172 +# https://docs.fedoraproject.org/en-US/packaging-guidelines/Directory_Replacement/ +%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/conf.rpmmoved +%ghost %{_jvmdir}/%{sdkdir -- %{?1}}/lib/security.rpmmoved } %define files_devel() %{expand: @@ -804,9 +926,11 @@ exit 0 %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jimage # Some architectures don't have the serviceability agent %ifarch %{sa_arches} +%ifnarch %{zero_arches} %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jhsdb %{_mandir}/man1/jhsdb-%{uniquesuffix -- %{?1}}.1.gz %endif +%endif %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jinfo %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jlink %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jmap @@ -945,7 +1069,10 @@ Requires: libXcomposite%{?_isa} Requires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release} # for java-X-openjdk package's desktop binding +# Where recommendations are available, recommend Gtk+ for the Swing look and feel +%if 0%{?rhel} >= 8 || 0%{?fedora} > 0 Recommends: gtk3%{?_isa} +%endif Provides: java-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release} @@ -980,12 +1107,17 @@ OrderWithRequires: copy-jdk-configs %endif # for printing support Requires: cups-libs +# for FIPS PKCS11 provider +Requires: nss # Post requires alternatives to install tool alternatives Requires(post): %{alternatives_requires} # Postun requires alternatives to uninstall tool alternatives Requires(postun): %{alternatives_requires} -# for optional support of kernel stream control, card reader and printing bindings +# Where suggestions are available, recommend the sctp and pcsc libraries +# for optional support of kernel stream control and card reader +%if 0%{?rhel} >= 8 || 0%{?fedora} > 0 Suggests: lksctp-tools%{?_isa}, pcsc-lite-libs%{?_isa} +%endif # Standard JPackage base provides Provides: jre-%{javaver}-%{origin}-headless%{?1} = %{epoch}:%{version}-%{release} @@ -1015,9 +1147,9 @@ Provides: java-sdk-%{javaver}%{?1} = %{epoch}:%{version}-%{release} Provides: java-%{javaver}-devel%{?1} = %{epoch}:%{version}-%{release} Provides: java-%{javaver}-%{origin}-devel%{?1} = %{epoch}:%{version}-%{release} %if %is_system_jdk +Provides: java-devel-%{origin}%{?1} = %{epoch}:%{version}-%{release} Provides: java-sdk-%{origin}%{?1} = %{epoch}:%{version}-%{release} Provides: java-devel%{?1} = %{epoch}:%{version}-%{release} -Provides: java-%{origin}-devel%{?1} = %{epoch}:%{version}-%{release} Provides: java-sdk%{?1} = %{epoch}:%{version}-%{release} %endif } @@ -1060,10 +1192,10 @@ Requires(post): %{alternatives_requires} Requires(postun): %{alternatives_requires} # Standard JPackage javadoc provides -Provides: java-%{javaver}-javadoc%{?1} = %{epoch}:%{version}-%{release} -Provides: java-%{javaver}-%{origin}-javadoc%{?1} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release} +Provides: java-%{javaver}-%{origin}-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release} %if %is_system_jdk -Provides: java-javadoc%{?1} = %{epoch}:%{version}-%{release} +Provides: java-javadoc%{?1}%{?2} = %{epoch}:%{version}-%{release} %endif } @@ -1097,6 +1229,10 @@ Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist} Epoch: 1 Summary: %{origin_nice} %{featurever} Runtime Environment +# Groups are only used up to RHEL 8 and on Fedora versions prior to F30 +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif # HotSpot code is licensed under GPLv2 # JDK library code is licensed under GPLv2 with the Classpath exception @@ -1116,8 +1252,9 @@ License: ASL 1.1 and ASL 2.0 and BSD and BSD with advertising and GPL+ and GPLv URL: http://openjdk.java.net/ -# The source tarball, generated using generate_source_tarball.sh -Source0: openjdk-jdk%{featurever}u-%{vcstag}.tar.xz +# to regenerate source0 (jdk) run update_package.sh +# update_package.sh contains hard-coded repos, revisions, tags, and projects to regenerate the source archives +Source0: openjdk-jdk%{featurever}u-jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}}.tar.xz # Use 'icedtea_sync.sh' to update the following # They are based on code contained in the IcedTea project (6.x). @@ -1157,7 +1294,7 @@ Source17: nss.fips.cfg.in # NSS via SunPKCS11 Provider (disabled comment # due to memory leak). Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch -# enable build of speculative store bypass hardened alt-java +# RH1750419: enable build of speculative store bypass hardened alt-java (CVE-2018-3639) Patch600: rh1750419-redhat_alt_java.patch # Ignore AWTError when assistive technologies are loaded @@ -1194,6 +1331,10 @@ Patch1013: rh1991003-enable_fips_keys_import.patch # RH2021263: Resolve outstanding FIPS issues Patch1014: rh2021263-fips_ensure_security_initialised.patch Patch1015: rh2021263-fips_missing_native_returns.patch +# RH2052819: Fix FIPS reliance on crypto policies +Patch1016: rh2021263-fips_separate_policy_and_fips_init.patch +# RH2052829: Detect NSS at Runtime for FIPS detection +Patch1017: rh2052829-fips_runtime_nss_detection.patch # RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode Patch1018: rh2052070-enable_algorithmparameters_in_fips_mode.patch @@ -1202,16 +1343,14 @@ Patch1018: rh2052070-enable_algorithmparameters_in_fips_mode.patch # OpenJDK patches in need of upstreaming # ############################################# +# JDK-8275535, RH2053256: Retrying a failed authentication on multiple LDAP servers can lead to users blocked +Patch2000: jdk8275535-rh2053256-ldap_auth.patch ############################################# # -# OpenJDK patches appearing in 17.0.3 +# OpenJDK patches appearing in 17.0.1 # ############################################# -# JDK-8284548: Unexpected StringIndexOutOfBoundsException can occur for invalid XPath expressions after JDK-8270504 -Patch2002: jdk8284548-jaxp_regression.patch -# JDK-8284920: Incorrect Token type causes XPath expression to return empty result -Patch2003: jdk8284920-incorrect_token_type.patch BuildRequires: autoconf BuildRequires: automake @@ -1238,15 +1377,15 @@ BuildRequires: libXrandr-devel BuildRequires: libXrender-devel BuildRequires: libXt-devel BuildRequires: libXtst-devel -# Requirements for setting up the nss.cfg and FIPS support -BuildRequires: nss-devel >= 3.53 +# Requirement for setting up nss.cfg and nss.fips.cfg +BuildRequires: nss-devel BuildRequires: pkgconfig BuildRequires: xorg-x11-proto-devel BuildRequires: zip BuildRequires: javapackages-filesystem BuildRequires: java-17-openjdk-devel # Zero-assembler build requirement -%ifnarch %{jit_arches} +%ifarch %{zero_arches} BuildRequires: libffi-devel %endif BuildRequires: tzdata-java >= 2015d @@ -1268,6 +1407,9 @@ The %{origin_nice} %{featurever} runtime environment. %if %{include_debug_build} %package slowdebug Summary: %{origin_nice} %{featurever} Runtime Environment %{debug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif %{java_rpo -- %{debug_suffix_unquoted}} %description slowdebug @@ -1278,7 +1420,9 @@ The %{origin_nice} %{featurever} runtime environment. %if %{include_fastdebug_build} %package fastdebug Summary: %{origin_nice} %{featurever} Runtime Environment %{fastdebug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) Group: Development/Languages +%endif %{java_rpo -- %{fastdebug_suffix_unquoted}} %description fastdebug @@ -1289,6 +1433,9 @@ The %{origin_nice} %{featurever} runtime environment. %if %{include_normal_build} %package headless Summary: %{origin_nice} %{featurever} Headless Runtime Environment +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif %{java_headless_rpo %{nil}} @@ -1299,6 +1446,9 @@ The %{origin_nice} %{featurever} runtime environment without audio and video sup %if %{include_debug_build} %package headless-slowdebug Summary: %{origin_nice} %{featurever} Runtime Environment %{debug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif %{java_headless_rpo -- %{debug_suffix_unquoted}} @@ -1310,7 +1460,9 @@ The %{origin_nice} %{featurever} runtime environment without audio and video sup %if %{include_fastdebug_build} %package headless-fastdebug Summary: %{origin_nice} %{featurever} Runtime Environment %{fastdebug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) Group: Development/Languages +%endif %{java_headless_rpo -- %{fastdebug_suffix_unquoted}} @@ -1322,6 +1474,9 @@ The %{origin_nice} %{featurever} runtime environment without audio and video sup %if %{include_normal_build} %package devel Summary: %{origin_nice} %{featurever} Development Environment +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif %{java_devel_rpo %{nil}} @@ -1332,6 +1487,9 @@ The %{origin_nice} %{featurever} development tools. %if %{include_debug_build} %package devel-slowdebug Summary: %{origin_nice} %{featurever} Development Environment %{debug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif %{java_devel_rpo -- %{debug_suffix_unquoted}} @@ -1343,7 +1501,9 @@ The %{origin_nice} %{featurever} development tools. %if %{include_fastdebug_build} %package devel-fastdebug Summary: %{origin_nice} %{featurever} Development Environment %{fastdebug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) Group: Development/Tools +%endif %{java_devel_rpo -- %{fastdebug_suffix_unquoted}} @@ -1392,6 +1552,9 @@ The %{origin_nice} %{featurever} libraries for static linking. %if %{include_normal_build} %package jmods Summary: JMods for %{origin_nice} %{featurever} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif %{java_jmods_rpo %{nil}} @@ -1402,6 +1565,9 @@ The JMods for %{origin_nice} %{featurever}. %if %{include_debug_build} %package jmods-slowdebug Summary: JMods for %{origin_nice} %{featurever} %{debug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif %{java_jmods_rpo -- %{debug_suffix_unquoted}} @@ -1413,7 +1579,9 @@ The JMods for %{origin_nice} %{featurever}. %if %{include_fastdebug_build} %package jmods-fastdebug Summary: JMods for %{origin_nice} %{featurever} %{fastdebug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) Group: Development/Tools +%endif %{java_jmods_rpo -- %{fastdebug_suffix_unquoted}} @@ -1422,10 +1590,12 @@ The JMods for %{origin_nice} %{featurever}. %{fastdebug_warning} %endif - %if %{include_normal_build} %package demo Summary: %{origin_nice} %{featurever} Demos +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif %{java_demo_rpo %{nil}} @@ -1436,6 +1606,9 @@ The %{origin_nice} %{featurever} demos. %if %{include_debug_build} %package demo-slowdebug Summary: %{origin_nice} %{featurever} Demos %{debug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif %{java_demo_rpo -- %{debug_suffix_unquoted}} @@ -1447,7 +1620,9 @@ The %{origin_nice} %{featurever} demos. %if %{include_fastdebug_build} %package demo-fastdebug Summary: %{origin_nice} %{featurever} Demos %{fastdebug_on} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) Group: Development/Languages +%endif %{java_demo_rpo -- %{fastdebug_suffix_unquoted}} @@ -1459,6 +1634,9 @@ The %{origin_nice} %{featurever} demos. %if %{include_normal_build} %package src Summary: %{origin_nice} %{featurever} Source Bundle +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif %{java_src_rpo %{nil}} @@ -1470,6 +1648,9 @@ class library source code for use by IDE indexers and debuggers. %if %{include_debug_build} %package src-slowdebug Summary: %{origin_nice} %{featurever} Source Bundle %{for_debug} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Development/Languages +%endif %{java_src_rpo -- %{debug_suffix_unquoted}} @@ -1481,7 +1662,9 @@ The %{compatiblename}-src-slowdebug sub-package contains the complete %{origin_n %if %{include_fastdebug_build} %package src-fastdebug Summary: %{origin_nice} %{featurever} Source Bundle %{for_fastdebug} +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) Group: Development/Languages +%endif %{java_src_rpo -- %{fastdebug_suffix_unquoted}} @@ -1490,14 +1673,16 @@ The %{compatiblename}-src-fastdebug sub-package contains the complete %{origin_n class library source code for use by IDE indexers and debuggers, %{for_fastdebug}. %endif - %if %{include_normal_build} %package javadoc Summary: %{origin_nice} %{featurever} API documentation +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Documentation +%endif Requires: javapackages-filesystem Obsoletes: javadoc-slowdebug < 1:13.0.0.33-1.rolling -%{java_javadoc_rpo %{nil}} +%{java_javadoc_rpo -- %{nil} %{nil}} %description javadoc The %{origin_nice} %{featurever} API documentation. @@ -1506,16 +1691,28 @@ The %{origin_nice} %{featurever} API documentation. %if %{include_normal_build} %package javadoc-zip Summary: %{origin_nice} %{featurever} API documentation compressed in a single archive +%if (0%{?rhel} > 0 && 0%{?rhel} <= 8) || (0%{?fedora} >= 0 && 0%{?fedora} < 30) +Group: Documentation +%endif Requires: javapackages-filesystem Obsoletes: javadoc-zip-slowdebug < 1:13.0.0.33-1.rolling -%{java_javadoc_rpo %{nil}} +%{java_javadoc_rpo -- %{nil} -zip} +%{java_javadoc_rpo -- %{nil} %{nil}} %description javadoc-zip The %{origin_nice} %{featurever} API documentation compressed in a single archive. %endif %prep + +# Using the echo macro breaks rpmdev-bumpspec, as it parses the first line of stdout :-( +%if 0%{?stapinstall:1} + echo "CPU: %{_target_cpu}, arch install directory: %{archinstall}, SystemTap install directory: %{stapinstall}" +%else + %{error:Unrecognised architecture %{_target_cpu}} +%endif + if [ %{include_normal_build} -eq 0 -o %{include_normal_build} -eq 1 ] ; then echo "include_normal_build is %{include_normal_build}" else @@ -1574,10 +1771,11 @@ popd # openjdk %patch1013 %patch1014 %patch1015 +%patch1016 +%patch1017 %patch1018 -%patch2002 -%patch2003 +%patch2000 # Extract systemtap tapsets %if %{with_systemtap} @@ -1589,7 +1787,6 @@ cp -r tapset tapset%{debug_suffix} cp -r tapset tapset%{fastdebug_suffix} %endif - for suffix in %{build_loop} ; do for file in "tapset"$suffix/*.in; do OUTPUT_FILE=`echo $file | sed -e "s:\.stp\.in$:-%{version}-%{release}.%{_arch}.stp:g"` @@ -1631,7 +1828,6 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg # Setup nss.fips.cfg sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg -sed -i -e "s:@NSS_SECMOD@:/etc/pki/nssdb:g" nss.fips.cfg %build # How many CPU's do we have? @@ -1659,63 +1855,54 @@ EXTRA_CPP_FLAGS="%ourcppflags" # fix rpmlint warnings EXTRA_CFLAGS="$EXTRA_CFLAGS -fno-strict-aliasing" %endif -export EXTRA_CFLAGS - -for suffix in %{build_loop} ; do -if [ "x$suffix" = "x" ] ; then - debugbuild=release -else - # change --something to something - debugbuild=`echo $suffix | sed "s/-//g"` -fi - -for loop in %{main_suffix} %{staticlibs_loop} ; do - -if test "x${loop}" = "x%{main_suffix}" ; then - # Copy the source tree so we can remove all in-tree libraries - cp -a %{top_level_dir_name} %{top_level_dir_name_backup} - # Remove all libraries that are linked - sh %{SOURCE12} %{top_level_dir_name} full - # Variable used by configure and hs_err hook on build failures - link_opt="system" - # Debug builds don't need same targets as release for - # build speed-up - maketargets="%{release_targets}" - if echo $debugbuild | grep -q "debug" ; then - maketargets="%{debug_targets}" +%ifarch %{ix86} +# Align stack boundary on x86_32 +EXTRA_CFLAGS="$(echo ${EXTRA_CFLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')" +EXTRA_CPP_FLAGS="$(echo ${EXTRA_CPP_FLAGS} | sed -e 's|-mstackrealign|-mincoming-stack-boundary=2 -mpreferred-stack-boundary=4|')" +%endif +export EXTRA_CFLAGS EXTRA_CPP_FLAGS + +function buildjdk() { + local outputdir=${1} + local buildjdk=${2} + local maketargets="${3}" + local debuglevel=${4} + local link_opt=${5} + + local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name} + local top_dir_abs_build_path=$(pwd)/${outputdir} + + # The OpenJDK version file includes the current + # upstream version information. For some reason, + # configure does not automatically use the + # default pre-version supplied there (despite + # what the file claims), so we pass it manually + # to configure + VERSION_FILE=${top_dir_abs_src_path}/make/conf/version-numbers.conf + if [ -f ${VERSION_FILE} ] ; then + EA_DESIGNATOR=$(grep '^DEFAULT_PROMOTED_VERSION_PRE' ${VERSION_FILE} | cut -d '=' -f 2) + else + echo "Could not find OpenJDK version file."; + exit 16 + fi + if [ "x${EA_DESIGNATOR}" != "x%{expected_ea_designator}" ] ; then + echo "Spec file is configured for a %{build_type} build, but upstream version-pre setting is ${EA_DESIGNATOR}"; + exit 17 fi -else - # Variable used by configure and hs_err hook on build failures - link_opt="bundled" - # Static library cycle only builds the static libraries - maketargets="%{static_libs_target}" -fi -top_dir_abs_src_path=$(pwd)/%{top_level_dir_name} -top_dir_abs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}${loop}} -# The OpenJDK version file includes the current -# upstream version information. For some reason, -# configure does not automatically use the -# default pre-version supplied there (despite -# what the file claims), so we pass it manually -# to configure -VERSION_FILE=${top_dir_abs_src_path}/make/conf/version-numbers.conf -if [ -f ${VERSION_FILE} ] ; then - EA_DESIGNATOR=$(grep '^DEFAULT_PROMOTED_VERSION_PRE' ${VERSION_FILE} | cut -d '=' -f 2) -else - echo "Could not find OpenJDK version file."; - exit 16 -fi -if [ "x${EA_DESIGNATOR}" != "x%{expected_ea_designator}" ] ; then - echo "Spec file is configured for a %{build_type} build, but upstream version-pre setting is ${EA_DESIGNATOR}"; - exit 17 -fi + echo "Using output directory: ${outputdir}"; + echo "Checking build JDK ${buildjdk} is operational..." + ${buildjdk}/bin/java -version + echo "Using make targets: ${maketargets}" + echo "Using debuglevel: ${debuglevel}" + echo "Using link_opt: ${link_opt}" + echo "Building %{newjavaver}-%{buildver}, pre=${EA_DESIGNATOR}, opt=%{lts_designator}" -mkdir -p ${top_dir_abs_build_path} -pushd ${top_dir_abs_build_path} + mkdir -p ${outputdir} + pushd ${outputdir} -bash ${top_dir_abs_src_path}/configure \ -%ifnarch %{jit_arches} + bash ${top_dir_abs_src_path}/configure \ +%ifarch %{zero_arches} --with-jvm-variants=zero \ %endif %ifarch %{ppc64le} @@ -1729,10 +1916,10 @@ bash ${top_dir_abs_src_path}/configure \ --with-vendor-url="https://www.redhat.com/" \ --with-vendor-bug-url="%{bugs}" \ --with-vendor-vm-bug-url="%{bugs}" \ - --with-boot-jdk=/usr/lib/jvm/java-%{buildjdkver}-openjdk \ - --with-debug-level=$debugbuild \ - --with-native-debug-symbols=internal \ - --enable-sysconf-nss \ + --with-boot-jdk=${buildjdk} \ + --with-debug-level=${debuglevel} \ + --with-native-debug-symbols="%{debug_symbols}" \ + --disable-sysconf-nss \ --enable-unlimited-crypto \ --with-zlib=system \ --with-libjpeg=${link_opt} \ @@ -1752,53 +1939,116 @@ bash ${top_dir_abs_src_path}/configure \ %endif --disable-warnings-as-errors -make \ - LOG=trace \ - WARNINGS_ARE_ERRORS="-Wno-error" \ - CFLAGS_WARNINGS_ARE_ERRORS="-Wno-error" \ - $maketargets || ( pwd; find ${top_dir_abs_src_path} ${top_dir_abs_build_path} -name "hs_err_pid*.log" | xargs cat && false ) + cat spec.gmk -popd >& /dev/null + make \ + LOG=trace \ + WARNINGS_ARE_ERRORS="-Wno-error" \ + CFLAGS_WARNINGS_ARE_ERRORS="-Wno-error" \ + $maketargets || ( pwd; find ${top_dir_abs_src_path} ${top_dir_abs_build_path} -name "hs_err_pid*.log" | xargs cat && false ) -# Restore original source tree if we modified it by removing full in-tree sources -if [ -d %{top_level_dir_name_backup} ] ; then - rm -rf %{top_level_dir_name} - mv %{top_level_dir_name_backup} %{top_level_dir_name} -fi + popd +} -done # end of main / staticlibs loop +function installjdk() { + local imagepath=${1} -top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}} + if [ -d ${imagepath} ] ; then + # the build (erroneously) removes read permissions from some jars + # this is a regression in OpenJDK 7 (our compiler): + # http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437 + find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \; -# the build (erroneously) removes read permissions from some jars -# this is a regression in OpenJDK 7 (our compiler): -# http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437 -find ${top_dir_abs_main_build_path}/images/%{jdkimage} -iname '*.jar' -exec chmod ugo+r {} \; + # Build screws up permissions on binaries + # https://bugs.openjdk.java.net/browse/JDK-8173610 + find ${imagepath} -iname '*.so' -exec chmod +x {} \; + find ${imagepath}/bin/ -exec chmod +x {} \; -# Build screws up permissions on binaries -# https://bugs.openjdk.java.net/browse/JDK-8173610 -find ${top_dir_abs_main_build_path}/images/%{jdkimage} -iname '*.so' -exec chmod +x {} \; -find ${top_dir_abs_main_build_path}/images/%{jdkimage}/bin/ -exec chmod +x {} \; + # Install nss.cfg right away as we will be using the JRE above + install -m 644 nss.cfg ${imagepath}/conf/security/ -# Install nss.cfg right away as we will be using the JRE above -export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage} + # Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies) + install -m 644 nss.fips.cfg ${imagepath}/conf/security/ -# Install nss.cfg right away as we will be using the JRE above -install -m 644 nss.cfg $JAVA_HOME/conf/security/ + # Use system-wide tzdata + rm ${imagepath}/lib/tzdb.dat + ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat -# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies) -install -m 644 nss.fips.cfg $JAVA_HOME/conf/security/ + # Create fake alt-java as a placeholder for future alt-java + pushd ${imagepath} + # add alt-java man page + echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1 + cat man/man1/java.1 >> man/man1/%{alt_java_name}.1 + popd + fi +} -# Use system-wide tzdata -rm $JAVA_HOME/lib/tzdb.dat -ln -s %{_datadir}/javazi-1.8/tzdb.dat $JAVA_HOME/lib/tzdb.dat +%if %{build_hotspot_first} + # Build a fresh libjvm.so first and use it to bootstrap + cp -LR --preserve=mode,timestamps %{bootjdk} newboot + systemjdk=$(pwd)/newboot + buildjdk build/newboot ${systemjdk} %{hotspot_target} "release" "bundled" + mv build/newboot/jdk/lib/server/libjvm.so newboot/lib/server +%else + systemjdk=%{bootjdk} +%endif + +for suffix in %{build_loop} ; do + + if [ "x$suffix" = "x" ] ; then + debugbuild=release + else + # change --something to something + debugbuild=`echo $suffix | sed "s/-//g"` + fi -# Create fake alt-java as a placeholder for future alt-java -pushd ${JAVA_HOME} -# add alt-java man page -echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1 -cat man/man1/java.1 >> man/man1/%{alt_java_name}.1 -popd + + for loop in %{main_suffix} %{staticlibs_loop} ; do + + builddir=%{buildoutputdir -- ${suffix}${loop}} + bootbuilddir=boot${builddir} + + if test "x${loop}" = "x%{main_suffix}" ; then + # Copy the source tree so we can remove all in-tree libraries + cp -a %{top_level_dir_name} %{top_level_dir_name_backup} + # Remove all libraries that are linked + sh %{SOURCE12} %{top_level_dir_name} full + # Use system libraries + link_opt="system" + # Debug builds don't need same targets as release for + # build speed-up. We also avoid bootstrapping these + # slower builds. + if echo $debugbuild | grep -q "debug" ; then + maketargets="%{debug_targets}" + run_bootstrap=false + else + maketargets="%{release_targets}" + run_bootstrap=%{bootstrap_build} + fi + if ${run_bootstrap} ; then + buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} ${link_opt} + buildjdk ${builddir} $(pwd)/${bootbuilddir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt} + rm -rf ${bootbuilddir} + else + buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} + fi + # Restore original source tree we modified by removing full in-tree sources + rm -rf %{top_level_dir_name} + mv %{top_level_dir_name_backup} %{top_level_dir_name} + else + # Use bundled libraries for building statically + link_opt="bundled" + # Static library cycle only builds the static libraries + maketargets="%{static_libs_target}" + # Always just do the one build for the static libraries + buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} + fi + + done # end of main / staticlibs loop + + # Final setup on the main image + top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}} + installjdk ${top_dir_abs_main_build_path}/images/%{jdkimage} # build cycles done # end of release / debug cycle loop @@ -1849,8 +2099,9 @@ readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep w_remainder.c readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep e_remainder.c %endif +so_suffix="so" # Check debug symbols are present and can identify code -find "$JAVA_HOME" -iname '*.so' -print0 | while read -d $'\0' lib +find "$JAVA_HOME" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib do if [ -f "$lib" ] ; then echo "Testing $lib for debug symbols" @@ -1903,7 +2154,7 @@ done # Make sure gdb can do a backtrace based on line numbers on libjvm.so # javaCalls.cpp:58 should map to: -# http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/vm/runtime/javaCalls.cpp#l58 +# http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/vm/runtime/javaCalls.cpp#l58 # Using line number 1 might cause build problems. See: # https://bugzilla.redhat.com/show_bug.cgi?id=1539664 # https://bugzilla.redhat.com/show_bug.cgi?id=1538767 @@ -1911,7 +2162,7 @@ gdb -q "$JAVA_HOME/bin/java" < - 1:17.0.3.0.6-2 -- Add JDK-8284920 fix for XPath regression -- Related: rhbz#2073575 - -* Fri Apr 15 2022 Andrew Hughes - 1:17.0.3.0.6-2 -- JDK-8275082 should be listed as also resolving JDK-8278008 & CVE-2022-21476 -- Related: rhbz#2073575 - -* Mon Apr 11 2022 Andrew Hughes - 1:17.0.3.0.6-1 -- JDK-8283911 patch no longer needed now we're GA... -- Resolves: rhbz#2073575 - -* Mon Apr 11 2022 Andrew Hughes - 1:17.0.3.0.6-1 -- April 2022 security update to jdk 17.0.3+6 -- Update to jdk-17.0.3.0+6 pre-release tarball (17usec.17.0.3+5-220408) -- Add JDK-8284548 regression fix missing from pre-release tarball but in jdk-17.0.3+6/jdk-17.0.3-ga -- Update release notes to 17.0.3.0+6 -- Add missing README.md and generate_source_tarball.sh -- Introduce tests/tests.yml, based on the one in java-11-openjdk -- Switch to GA mode for release -- ** This tarball is embargoed until 2022-04-19 @ 1pm PT. ** -- Resolves: rhbz#2073575 - -* Sun Apr 10 2022 Andrew Hughes - 1:17.0.3.0.5-0.1.ea -- Update to jdk-17.0.3.0+5 -- Update release notes to 17.0.3.0+5 -- Switch to EA mode for 17.0.3 pre-release builds. -- Add JDK-8283911 to fix bad DEFAULT_PROMOTED_VERSION_PRE value -- Related: rhbz#2073422 - -* Sun Apr 10 2022 Andrew Hughes - 1:17.0.2.0.8-6 +* Mon Feb 28 2022 Andrew Hughes - 1:17.0.2.0.8-15 - Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode -- Resolves: rhbz#2055396 +- Resolves: rhbz#2052070 -* Sat Apr 09 2022 Andrew Hughes - 1:17.0.2.0.8-5 -- Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false -- Resolves: rhbz#2018189 - -* Sat Apr 09 2022 Martin Balao - 1:17.0.2.0.8-5 -- Add patch to allow plain key import. -- Resolves: rhbz#2018189 - -* Mon Jan 17 2022 Andrew Hughes - 1:17.0.2.0.8-4 +* Sun Feb 27 2022 Andrew Hughes - 1:17.0.2.0.8-14 +- Introduce tests/tests.yml, based on the one in java-11-openjdk +- Resolves: rhbz#2058493 + +* Sun Feb 27 2022 Severin Gehwolf - 1:17.0.2.0.8-13 +- Use 'sql:' prefix in nss.fips.cfg as F35+ no longer ship the legacy + secmod.db file as part of nss +- Resolves: rhbz#2023536 + +* Sun Feb 27 2022 Andrew Hughes - 1:17.0.2.0.8-12 +- Detect NSS at runtime for FIPS detection +- Turn off build-time NSS linking and go back to an explicit Requires on NSS +- Resolves: rhbz#2051605 + +* Fri Feb 25 2022 Andrew Hughes - 1:17.0.2.0.8-11 +- Add JDK-8275535 patch to fix LDAP authentication issue. +- Resolves: rhbz#2053256 + +* Fri Feb 25 2022 Jiri Vanek - 1:17.0.2.0.8-10 +- Storing and restoring alterntives during update manually +- Fixing Bug 2001567 - update of JDK/JRE is removing its manually selected alterantives and select (as auto) system JDK/JRE +-- The move of alternatives creation to posttrans to fix: +-- Bug 1200302 - dnf reinstall breaks alternatives +-- Had caused the alternatives to be removed, and then created again, +-- instead of being added, and then removing the old, and thus persisting +-- the selection in family +-- Thus this fix, is storing the family of manually selected master, and if +-- stored, then it is restoring the family of the master +- Resolves: rhbz#2008200 + +* Fri Feb 25 2022 Jiri Vanek - 1:17.0.2.0.8-9 +- Family extracted to globals +- Resolves: rhbz#2008200 + +* Fri Feb 25 2022 Jiri Vanek - 1:17.0.2.0.8-8 +- alternatives creation moved to posttrans +- Thus fixing the old reisntall issue: +- https://bugzilla.redhat.com/show_bug.cgi?id=1200302 +- https://bugzilla.redhat.com/show_bug.cgi?id=1976053 +- Resolves: rhbz#2008200 + +* Mon Feb 21 2022 Andrew Hughes - 1:17.0.2.0.8-7 +- Separate crypto policy initialisation from FIPS initialisation, now they are no longer interdependent +- Resolves: rhbz#2051590 + +* Fri Feb 18 2022 Andrew Hughes - 1:17.0.2.0.8-6 - Fix FIPS issues in native code and with initialisation of java.security.Security -- Related: rhbz#2039366 - -* Fri Jan 14 2022 Andrew Hughes - 1:17.0.2.0.8-3 +- Resolves: rhbz#2023378 + +* Thu Feb 17 2022 Andrew Hughes - 1:17.0.2.0.8-5 +- Restructure the build so a minimal initial build is then used for the final build (with docs) +- This reduces pressure on the system JDK and ensures the JDK being built can do a full build +- Turn off bootstrapping for slow debug builds, which are particularly slow on ppc64le. +- Handle Fedora in distro conditionals that currently only pertain to RHEL. +- Run OpenJDK normalizer script on the spec file to fix further rogue whitespace +- Sync gdb test with java-1.8.0-openjdk and improve architecture restrictions. +- Introduce stapinstall variable to set SystemTap arch directory correctly (e.g. arm64 on aarch64) +- Need to support noarch for creating source RPMs for non-scratch builds. +- Replace -mstackrealign with -mincoming-stack-boundary=2 -mpreferred-stack-boundary=4 on x86_32 for stack alignment +- Support a HotSpot-only build so a freshly built libjvm.so can then be used in the bootstrap JDK. +- Explicitly list JIT architectures rather than relying on those with slowdebug builds +- Disable the serviceability agent on Zero architectures even when the architecture itself is supported +- Resolves: rhbz#2022822 + +* Thu Feb 17 2022 Jiri Vanek - 1:17.0.2.0.8-5 +- Replaced tabs by sets of spaces to make rpmlint happy +- javadoc-zip gets its own provides next to plain javadoc ones +- Resolves: rhbz#2022822 + +* Tue Feb 08 2022 Jiri Vanek - 1:17.0.2.0.8-4 +- Minor cosmetic improvements to make spec more comparable between variants +- Related: rhbz#2022822 + +* Thu Feb 03 2022 Andrew Hughes - 1:17.0.2.0.8-3 - Update tapsets from IcedTea 6.x repository with fix for JDK-8015774 changes (_heap->_heaps) and @JAVA_SPEC_VER@ - Update icedtea_sync.sh with a VCS mode that retrieves sources from a Mercurial repository -- Related: rhbz#2039366 +- Related: rhbz#2022822 -* Wed Jan 12 2022 Andrew Hughes - 1:17.0.2.0.8-2 -- Sync desktop files with upstream IcedTea release 3.15.0 using new script -- Related: rhbz#2039366 +* Thu Feb 03 2022 Andrew Hughes - 1:17.0.2.0.8-2 +- Extend LTS check to exclude EPEL. +- Related: rhbz#2022822 + +* Thu Feb 03 2022 Severin Gehwolf - 1:17.0.2.0.8-2 +- Set LTS designator. +- Related: rhbz#2022822 * Wed Jan 12 2022 Andrew Hughes - 1:17.0.2.0.8-1 - January 2022 security update to jdk 17.0.2+8 - Rebase RH1995150 & RH1996182 patches following JDK-8275863 addition to module-info.java - Rename libsvml.so to libjsvml.so following JDK-8276025 -- ** This tarball is embargoed until 2022-01-18 @ 1pm PT. ** - Resolves: rhbz#2039366 -* Thu Oct 28 2021 Andrew Hughes - 1:17.0.1.0.12-2 -- Extend LTS check to exclude EPEL. -- Related: rhbz#2013841 - -* Thu Oct 28 2021 Severin Gehwolf - 1:17.0.1.0.12-2 -- Set LTS designator. -- Related: rhbz#2013841 +* Thu Oct 28 2021 Andrew Hughes - 1:17.0.1.0.12-3 +- Sync desktop files with upstream IcedTea release 3.15.0 using new script +- Related: rhbz#2013842 -* Tue Oct 26 2021 Andrew Hughes - 1:17.0.1.0.12-1 +* Tue Oct 26 2021 Andrew Hughes - 1:17.0.1.0.12-2 - Drop JDK-8272332/RH2004078 patch which is upstream in 17.0.1 -- Resolves: rhbz#2013841 +- Resolves: rhbz#2013842 -* Wed Oct 20 2021 Petra Alice Mikova - 1:17.0.1.0.12-1 +* Wed Oct 20 2021 Petra Alice Mikova - 1:17.0.1.0.12-2 - October CPU update to jdk 17.0.1+12 - Dropped commented-out source line -- Resolves: rhbz#2013841 +- Resolves: rhbz#2013842 -* Mon Sep 27 2021 Andrew Hughes - 1:17.0.0.0.35-4 -- Bump release to avoid conflict with RHEL 8.6. -- Resolves: rhbz#1994084 +* Sun Oct 10 2021 Andrew Hughes - 1:17.0.0.0.35-6 +- Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false +- Resolves: rhbz#1994661 -* Mon Sep 27 2021 Andrew Hughes - 1:17.0.0.0.35-3 -- Update release notes to document the major changes between OpenJDK 11 & 17. -- Resolves: rhbz#1994084 +* Sun Oct 10 2021 Martin Balao - 1:17.0.0.0.35-6 +- Add patch to allow plain key import. +- Resolves: rhbz#1994661 -* Thu Sep 16 2021 Andrew Hughes - 1:17.0.0.0.35-2 -- Add JDK-8272332 fix so we actually link against HarfBuzz. -- Resolves: rhbz#1994084 +* Mon Sep 27 2021 Andrew Hughes - 1:17.0.0.0.35-5 +- Update release notes to document the major changes between OpenJDK 11 & 17. +- Resolves: rhbz#2003072 -* Tue Sep 14 2021 Andrew Hughes - 1:17.0.0.0.35-1 +* Thu Sep 16 2021 Andrew Hughes - 1:17.0.0.0.35-3 - Update to jdk-17+35, also known as jdk-17-ga. - Switch to GA mode. -- Resolves: rhbz#1994084 +- Add JDK-8272332 fix so we actually link against HarfBuzz. +- Resolves: rhbz#2003072 +- Resolves: rhbz#2004078 * Mon Aug 30 2021 Andrew Hughes - 1:17.0.0.0.33-0.5.ea - Extend the default security policy to accomodate PKCS11 accessing jdk.internal.access. @@ -2492,7 +2782,7 @@ require "copy_jdk_configs.lua" * Sun Apr 25 2021 Petra Alice Mikova - 1:16.0.1.0.9-1.rolling - update to 16.0.1+9 april cpu tag -- dropped jdk8259949-allow_cf-protection_on_x86.patch +- dropped jdk8259949-allow_cf-protection_on_x86.patch * Thu Mar 11 2021 Andrew Hughes - 1:16.0.0.0.36-2.rolling - Perform static library build on a separate source tree with bundled image libraries @@ -2540,7 +2830,7 @@ require "copy_jdk_configs.lua" * Sat Dec 19 2020 Jiri Vanek - 1:15.0.1.9-6.rolling - many cosmetic changes taken from more maintained jdk11 -- introduced debug_arches, bootstrap_arches, systemtap_arches, fastdebug_arches, sa_arches, share_arches, shenandoah_arches, zgc_arches +- introduced debug_arches, bootstrap_arches, systemtap_arches, fastdebug_arches, sa_arches, share_arches, shenandoah_arches, zgc_arches instead of various hardcoded ifarches - updated systemtap - added requires excludes for debug pkgs @@ -2623,7 +2913,7 @@ require "copy_jdk_configs.lua" * Tue Mar 24 2020 Petra Alice Mikova - 1:14.0.0.36-3.rolling - Remove s390x workaround flags for GCC 10 - bump buildjdkver to 14 -- uploaded new src tarball +- uploaded new src tarball * Mon Mar 23 2020 Petra Alice Mikova - 1:14.0.0.36-2.rolling - removed a whitespace causing fail of postinstall script @@ -2643,7 +2933,7 @@ require "copy_jdk_configs.lua" - fix issues with build with GCC10: JDK-8224851, -fcommon switch * Thu Feb 27 2020 Petra Alice Mikova pmikova@redhat.com> - 1:13.0.2.8-3.rolling -- Add JDK-8224851 patch to resolve aarch64 issues +- Add JDK-8224851 patch to resolve aarch64 issues * Tue Feb 04 2020 Petra Alice Mikova - 1:13.0.2.8-2.rolling - fix Release, as it was broken by last rpmdev-bumpspec @@ -2964,7 +3254,7 @@ require "copy_jdk_configs.lua" - Removed unneeded patches: PStack-808293.patch multiple-pkcs11-library-init.patch - ppc_stack_overflow_fix.patch + ppc_stack_overflow_fix.patch - Added patches for s390 Zero builds: JDK-8201495-s390-java-opts.patch JDK-8201509-s390-atomic_store.patch