diff --git a/NEWS b/NEWS index b1f281d4e58150cf6ae3906534911c64af8d16fd..0aacfef84ff9a6a695c8c979d63a90d2043cbf7a 100644 --- a/NEWS +++ b/NEWS @@ -275,6 +275,17 @@ make it clear they map to the current user: * "Windows-MY-CURRENTUSER" (same as "Windows-MY") * "Windows-ROOT-CURRENTUSER" (same as "Windows-ROOT") +JDK-8286918: Better HttpServer service +====================================== +The HttpServer can be optionally configured with a maximum connection +limit by setting the jdk.httpserver.maxConnections system property. A +value of 0 or a negative integer is ignored and considered to +represent no connection limit. In the case of a positive integer +value, any newly accepted connections will be first checked against +the current count of established connections and, if the configured +limit has been reached, then the newly accepted connection will be +closed immediately. + hotspot/runtime: JDK-8281181: CPU Shares Ignored When Computing Active Processor Count @@ -369,6 +380,7 @@ Live versions of these release notes can be found at: * Security fixes - JDK-8272243: Improve DER parsing - JDK-8272249: Better properties of loaded Properties + - JDK-8273056, JDK-8283875, CVE-2022-21549: java.util.random does not correctly sample exponential or Gaussian distributions - JDK-8277608: Address IP Addressing - JDK-8281859, CVE-2022-21540: Improve class compilation - JDK-8281866, CVE-2022-21541: Enhance MethodHandle invocations @@ -423,7 +435,6 @@ Live versions of these release notes can be found at: - JDK-8272493: Suboptimal code generation around Preconditions.checkIndex intrinsic with AVX2 - JDK-8272908: Missing coverage for certain classes in com.sun.org.apache.xml.internal.security - JDK-8272964: java/nio/file/Files/InterruptCopy.java fails with java.lang.RuntimeException: Copy was not interrupted - - JDK-8273056: java.util.random does not correctly sample exponential or Gaussian distributions - JDK-8273095: vmTestbase/vm/mlvm/anonloader/stress/oome/heap/Test.java fails with "wrong OOME" - JDK-8273139: C2: assert(f <= 1 && f >= 0) failed: Incorrect frequency - JDK-8273142: Remove dependancy of TestHttpServer, HttpTransaction, HttpCallback from open/test/jdk/sun/net/www/protocol/http/ tests diff --git a/dist b/dist deleted file mode 100644 index 0ee7539a2292be885eb3a6caf1a4ee4666e5e99f..0000000000000000000000000000000000000000 --- a/dist +++ /dev/null @@ -1 +0,0 @@ -an8_6 diff --git a/java-17-openjdk.spec b/java-17-openjdk.spec index 054783072c20113b369836d93d929a02394a29e6..865faaf7a56471d52aa1248af43aef943e132a0f 100644 --- a/java-17-openjdk.spec +++ b/java-17-openjdk.spec @@ -23,6 +23,8 @@ %bcond_without staticlibs # Build a fresh libjvm.so for use in a copy of the bootstrap JDK %bcond_without fresh_libjvm +# Build with system libraries +%bcond_with system_libs # Workaround for stripping of debug symbols from static libraries %if %{with staticlibs} @@ -39,6 +41,16 @@ %global build_hotspot_first 0 %endif +%if %{with system_libs} +%global system_libs 1 +%global link_type system +%global freetype_lib %{nil} +%else +%global system_libs 0 +%global link_type bundled +%global freetype_lib |libfreetype[.]so.* +%endif + # The -g flag says to use strip -g instead of full strip on DSOs or EXEs. # This fixes detailed NMT and other tools which need minimal debug info. # See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879 @@ -190,11 +202,15 @@ %global staticlibs_loop %{nil} %endif +%if 0%{?flatpak} +%global bootstrap_build false +%else %ifarch %{bootstrap_arches} %global bootstrap_build true %else %global bootstrap_build false %endif +%endif %if %{include_staticlibs} # Extra target for producing the static-libraries. Separate from @@ -411,7 +427,7 @@ # fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349 # https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14 # https://bugzilla.redhat.com/show_bug.cgi?id=1655938 -%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsystemconf[.]so.*|libzip[.]so.* +%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsystemconf[.]so.*|libzip[.]so.*%{freetype_lib} %global _publiclibs libjawt[.]so.*|libjava[.]so.*|libjvm[.]so.*|libverify[.]so.*|libjsig[.]so.* %if %is_system_jdk %global __provides_exclude ^(%{_privatelibs})$ @@ -815,6 +831,9 @@ exit 0 %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libawt_headless.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libdt_socket.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfontmanager.so +%if ! %{system_libs} +%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libfreetype.so +%endif %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libinstrument.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2gss.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libj2pcsc.so @@ -933,7 +952,7 @@ exit 0 %ifarch %{sa_arches} %ifnarch %{zero_arches} %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jhsdb -%{_mandir}/man1/jhsdb-%{uniquesuffix -- %{?1}}.1.gz +%{_mandir}/man1/jhsdb-%{uniquesuffix -- %{?1}}.1* %endif %endif %{_jvmdir}/%{sdkdir -- %{?1}}/bin/jinfo @@ -972,11 +991,11 @@ exit 0 %{_mandir}/man1/jstat-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/jstatd-%{uniquesuffix -- %{?1}}.1* %{_mandir}/man1/serialver-%{uniquesuffix -- %{?1}}.1* -%{_mandir}/man1/jdeprscan-%{uniquesuffix -- %{?1}}.1.gz -%{_mandir}/man1/jlink-%{uniquesuffix -- %{?1}}.1.gz -%{_mandir}/man1/jmod-%{uniquesuffix -- %{?1}}.1.gz -%{_mandir}/man1/jshell-%{uniquesuffix -- %{?1}}.1.gz -%{_mandir}/man1/jfr-%{uniquesuffix -- %{?1}}.1.gz +%{_mandir}/man1/jdeprscan-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jlink-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jmod-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jshell-%{uniquesuffix -- %{?1}}.1* +%{_mandir}/man1/jfr-%{uniquesuffix -- %{?1}}.1* %if %{with_systemtap} %dir %{tapsetroot} @@ -1109,7 +1128,7 @@ Requires: lksctp-tools%{?_isa} # tool to copy jdk's configs - should be Recommends only, but then only dnf/yum enforce it, # not rpm transaction and so no configs are persisted when pure rpm -u is run. It may be # considered as regression -Requires: copy-jdk-configs >= 3.3 +Requires: copy-jdk-configs >= 4.0 OrderWithRequires: copy-jdk-configs %endif # for printing support @@ -1320,7 +1339,7 @@ Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk1 Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch # Crypto policy and FIPS support patches -# Patch is generated from the fips-17u tree at https://github.com/rh-openjdk/jdk/tree/fips-17u-cpu-2022-07 +# Patch is generated from the fips-17u tree at https://github.com/rh-openjdk/jdk/tree/fips-17u # as follows: git diff %%{vcstag} src make > fips-17u-$(git show -s --format=%h HEAD).patch # Diff is limited to src and make subdirectories to exclude .github changes # Fixes currently included: @@ -1359,7 +1378,13 @@ Patch2000: jdk8275535-rh2053256-ldap_auth.patch ############################################# # -# OpenJDK patches appearing in 17.0.6 +# OpenJDK patches appearing in 17.0.3 +# +############################################# + +############################################# +# +# OpenJDK patches targetted for 17.0.6 # ############################################# # JDK-8293834: Update CLDR data following tzdata 2022c update @@ -1378,14 +1403,8 @@ BuildRequires: desktop-file-utils # elfutils only are OK for build without AOT BuildRequires: elfutils-devel BuildRequires: fontconfig-devel -BuildRequires: freetype-devel -BuildRequires: giflib-devel BuildRequires: gcc-c++ BuildRequires: gdb -BuildRequires: harfbuzz-devel -BuildRequires: lcms2-devel -BuildRequires: libjpeg-devel -BuildRequires: libpng-devel BuildRequires: libxslt BuildRequires: libX11-devel BuildRequires: libXi-devel @@ -1410,7 +1429,6 @@ BuildRequires: libffi-devel # 2022d required as of JDK-8294357 # Should be bumped to 2022e once available (JDK-8295173) BuildRequires: tzdata-java >= 2022d - # Earlier versions have a bug in tree vectorization on PPC BuildRequires: gcc >= 4.8.3-8 @@ -1419,6 +1437,30 @@ BuildRequires: systemtap-sdt-devel %endif BuildRequires: make +%if %{system_libs} +BuildRequires: freetype-devel +BuildRequires: giflib-devel +BuildRequires: harfbuzz-devel +BuildRequires: lcms2-devel +BuildRequires: libjpeg-devel +BuildRequires: libpng-devel +%else +# Version in src/java.desktop/share/native/libfreetype/include/freetype/freetype.h +Provides: bundled(freetype) = 2.12.1 +# Version in src/java.desktop/share/native/libsplashscreen/giflib/gif_lib.h +Provides: bundled(giflib) = 5.2.1 +# Version in src/java.desktop/share/native/libharfbuzz/hb-version.h +Provides: bundled(harfbuzz) = 4.4.1 +# Version in src/java.desktop/share/native/liblcms/lcms2.h +Provides: bundled(lcms2) = 2.12.0 +# Version in src/java.desktop/share/native/libjavajpeg/jpeglib.h +Provides: bundled(libjpeg) = 6b +# Version in src/java.desktop/share/native/libsplashscreen/libpng/png.h +Provides: bundled(libpng) = 1.6.37 +# We link statically against libstdc++ to increase portability +BuildRequires: libstdc++-static +%endif + # this is always built, also during debug-only build # when it is built in debug-only this package is just placeholder %{java_rpo %{nil}} @@ -1768,8 +1810,11 @@ if [ $prioritylength -ne 8 ] ; then fi # OpenJDK patches + +%if %{system_libs} # Remove libraries that are linked by both static and dynamic builds sh %{SOURCE12} %{top_level_dir_name} +%endif # Patch the JDK pushd %{top_level_dir_name} @@ -1907,6 +1952,14 @@ function buildjdk() { local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name} local top_dir_abs_build_path=$(pwd)/${outputdir} + # This must be set using the global, so that the + # static libraries still use a dynamic stdc++lib + if [ "x%{link_type}" = "xbundled" ] ; then + libc_link_opt="static"; + else + libc_link_opt="dynamic"; + fi + echo "Using output directory: ${outputdir}"; echo "Checking build JDK ${buildjdk} is operational..." ${buildjdk}/bin/java -version @@ -1918,6 +1971,10 @@ function buildjdk() { mkdir -p ${outputdir} pushd ${outputdir} + # Note: zlib and freetype use %{link_type} + # rather than ${link_opt} as the system versions + # are always used in a system_libs build, even + # for the static library build bash ${top_dir_abs_src_path}/configure \ %ifarch %{zero_arches} --with-jvm-variants=zero \ @@ -1938,13 +1995,14 @@ function buildjdk() { --with-native-debug-symbols="%{debug_symbols}" \ --disable-sysconf-nss \ --enable-unlimited-crypto \ - --with-zlib=system \ + --with-zlib=%{link_type} \ + --with-freetype=%{link_type} \ --with-libjpeg=${link_opt} \ --with-giflib=${link_opt} \ --with-libpng=${link_opt} \ --with-lcms=${link_opt} \ --with-harfbuzz=${link_opt} \ - --with-stdc++lib=dynamic \ + --with-stdc++lib=${libc_link_opt} \ --with-extra-cxxflags="$EXTRA_CPP_FLAGS" \ --with-extra-cflags="$EXTRA_CFLAGS" \ --with-extra-ldflags="%{ourldflags}" \ @@ -2030,12 +2088,13 @@ for suffix in %{build_loop} ; do bootbuilddir=boot${builddir} if test "x${loop}" = "x%{main_suffix}" ; then + link_opt="%{link_type}" +%if %{system_libs} # Copy the source tree so we can remove all in-tree libraries cp -a %{top_level_dir_name} %{top_level_dir_name_backup} # Remove all libraries that are linked sh %{SOURCE12} %{top_level_dir_name} full - # Use system libraries - link_opt="system" +%endif # Debug builds don't need same targets as release for # build speed-up. We also avoid bootstrapping these # slower builds. @@ -2053,9 +2112,11 @@ for suffix in %{build_loop} ; do else buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} fi +%if %{system_libs} # Restore original source tree we modified by removing full in-tree sources rm -rf %{top_level_dir_name} mv %{top_level_dir_name_backup} %{top_level_dir_name} +%endif else # Use bundled libraries for building statically link_opt="bundled" @@ -2385,9 +2446,10 @@ else return end end --- run content of included file with fake args -arg = {"--currentjvm", "%{uniquesuffix %{nil}}", "--jvmdir", "%{_jvmdir %{nil}}", "--origname", "%{name}", "--origjavaver", "%{javaver}", "--arch", "%{_arch}", "--temp", "%{rpm_state_dir}/%{name}.%{_arch}"} -require "copy_jdk_configs.lua" +arg = nil ; -- it is better to null the arg up, no meter if they exists or not, and use cjc as module in unified way, instead of relaying on "main" method during require "copy_jdk_configs.lua" +cjc = require "copy_jdk_configs.lua" +args = {"--currentjvm", "%{uniquesuffix %{nil}}", "--jvmdir", "%{_jvmdir %{nil}}", "--origname", "%{name}", "--origjavaver", "%{javaver}", "--arch", "%{_arch}", "--temp", "%{rpm_state_dir}/%{name}.%{_arch}"} +cjc.mainProgram(args) %post %{post_script %{nil}} @@ -2583,58 +2645,66 @@ require "copy_jdk_configs.lua" %endif %changelog -* Sat Oct 15 2022 Andrew Hughes - 1:17.0.5.0.8-2 +* Wed Oct 26 2022 Andrew Hughes - 1:17.0.5.0.8-2 +- Update to jdk-17.0.5+8 (GA) +- Update release notes to 17.0.5+8 (GA) +- Switch to GA mode for final release. - Update in-tree tzdata to 2022e with JDK-8294357 & JDK-8295173 - Update CLDR data with Europe/Kyiv (JDK-8293834) - Drop JDK-8292223 patch which we found to be unnecessary - Update TestTranslations.java to use public API based on TimeZoneNamesTest upstream -- Related: rhbz#2133695 - -* Thu Oct 13 2022 Andrew Hughes - 1:17.0.5.0.8-1 -- Update to jdk-17.0.5+8 (GA) -- Update release notes to 17.0.5+8 (GA) -- Switch to GA mode for final release. -- * This tarball is embargoed until 2022-10-18 @ 1pm PT. * +- The stdc++lib, zlib & freetype options should always be set from the global, so they are not altered for staticlibs builds +- Remove freetype sources along with zlib sources - Resolves: rhbz#2133695 -* Tue Oct 04 2022 Andrew Hughes - 1:17.0.5.0.7-0.1.ea +* Tue Oct 04 2022 Andrew Hughes - 1:17.0.5.0.7-0.2.ea - Update to jdk-17.0.5+7 - Update release notes to 17.0.5+7 -- Resolves: rhbz#2132503 +- Resolves: rhbz#2130622 -* Mon Oct 03 2022 Andrew Hughes - 1:17.0.5.0.1-0.1.ea +* Mon Oct 03 2022 Andrew Hughes - 1:17.0.5.0.1-0.2.ea - Update to jdk-17.0.5+1 - Update release notes to 17.0.5+1 - Switch to EA mode for 17.0.5 pre-release builds. -- Related: rhbz#2132503 +- Bump HarfBuzz bundled version to 4.4.1 following JDK-8289853 +- Bump FreeType bundled version to 2.12.1 following JDK-8290334 +- Related: rhbz#2130622 + +* Tue Aug 30 2022 Andrew Hughes - 1:17.0.4.1.1-5 +- Switch to static builds, reducing system dependencies and making build more portable +- Resolves: rhbz#2121268 + +* Mon Aug 29 2022 Stephan Bergmann - 1:17.0.4.1.1-4 +- Fix flatpak builds (catering for their uncompressed manual pages) +- Fix flatpak builds by exempting them from bootstrap +- Resolves: rhbz#2102726 -* Fri Sep 02 2022 Andrew Hughes - 1:17.0.4.1.1-2 +* Mon Aug 29 2022 Andrew Hughes - 1:17.0.4.1.1-3 - Update FIPS support to bring in latest changes -- * RH2023467: Enable FIPS keys export - * RH2104724: Avoid import/export of DH private keys - * RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode - * Build the systemconf library on all platforms - * RH2048582: Support PKCS#12 keystores - * RH2020290: Support TLS 1.3 in FIPS mode -- Resolves: rhbz#2123561 -- Resolves: rhbz#2123564 -- Resolves: rhbz#2123566 -- Resolves: rhbz#2123568 -- Resolves: rhbz#2123572 +- Resolves: rhbz#2104725 +- Resolves: rhbz#2117758 +- Resolves: rhbz#2115164 +- Resolves: rhbz#2029665 -* Sun Aug 21 2022 Andrew Hughes - 1:17.0.4.1.1-1 +* Sun Aug 21 2022 Andrew Hughes - 1:17.0.4.1.1-2 - Update to jdk-17.0.4.1+1 - Update release notes to 17.0.4.1+1 - Add patch to provide translations for Europe/Kyiv added in tzdata2022b - Add test to ensure timezones can be translated -- Resolves: rhbz#2120059 +- Resolves: rhbz#2119532 -* Wed Jul 20 2022 Andrew Hughes - 1:17.0.4.0.8-0.2.ea -- Add rpminspect.yaml to turn off Java bytecode inspections -- java-17-openjdk deliberately produces Java 17 bytecode, not the default Java 11 bytecode -- Resolves: rhbz#2109106 +* Fri Jul 22 2022 Andrew Hughes - 1:17.0.4.0.8-3 +- Update to jdk-17.0.4.0+8 +- Update release notes to 17.0.4.0+8 +- Switch to GA mode for release +- Resolves: rhbz#2106524 -* Wed Jul 20 2022 Andrew Hughes - 1:17.0.4.0.8-0.2.ea +* Wed Jul 20 2022 Andrew Hughes - 1:17.0.4.0.7-0.2.ea - Revert the following changes until copy-java-configs has adapted to relative symlinks: - * Move cacerts replacement to install section and retain original of this and tzdb.dat - * Run tests on the installed image, rather than the build image @@ -2642,85 +2712,108 @@ require "copy_jdk_configs.lua" - * Use relative symlinks so they work within the image - * Run debug symbols check during build stage, before the install strips them - The move of turning on system security properties is retained so we don't ship with them off -- Related: rhbz#2084650 +- Related: rhbz#2084218 -* Wed Jul 20 2022 Jiri Vanek - 1:17.0.4.0.8-0.2.ea -- Returned absolute symlinks -- Relative symlinks are breaking cjc, and deeper investigations are necessary --- why cjc intentionally skips relative symllinks -- Images have to be workarounded differently -- Related: rhbz#2084650 - -* Mon Jul 18 2022 Andrew Hughes - 1:17.0.4.0.8-1 -- Update to jdk-17.0.4.0+8 -- Update release notes to 17.0.4.0+8 +* Sat Jul 16 2022 Andrew Hughes - 1:17.0.4.0.7-0.1.ea +- Update to jdk-17.0.3.0+7 +- Update release notes to 17.0.3.0+7 - Need to include the '.S' suffix in debuginfo checks after JDK-8284661 +- Explicitly require crypto-policies during build and runtime for system security properties +- Make use of the vendor version string to store our version & release rather than an upstream release date +- Include a test in the RPM to check the build has the correct vendor information. +- Resolves: rhbz#2084218 + +* Thu Jul 14 2022 Jayashree Huttanagoudar - 1:17.0.4.0.1-0.2.ea +- Fix issue where CheckVendor.java test erroneously passes when it should fail. +- Add proper quoting so '&' is not treated as a special character by the shell. +- Related: rhbz#2084218 + +* Tue Jul 12 2022 Andrew Hughes - 1:17.0.4.0.1-0.1.ea +- Update to jdk-17.0.4.0+1 +- Update release notes to 17.0.4.0+1 +- Switch to EA mode for 17.0.4 pre-release builds. - Print release file during build, which should now include a correct SOURCE value from .src-rev - Update tarball script with IcedTea GitHub URL and .src-rev generation - Include script to generate bug list for release notes - Update tzdata requirement to 2022a to match JDK-8283350 - Move EA designator check to prep so failures can be caught earlier - Make EA designator check non-fatal while upstream is not maintaining it -- Explicitly require crypto-policies during build and runtime for system security properties -- Make use of the vendor version string to store our version & release rather than an upstream release date -- Include a test in the RPM to check the build has the correct vendor information. -- Rebase FIPS patches from fips-17u branch and simplify by using a single patch from that repository -- * RH2094027: SunEC runtime permission for FIPS -- * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage -- * RH2090378: Revert to disabling system security properties and FIPS mode support together -- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch -- Enable system security properties in the RPM (now disabled by default in the FIPS repo) -- Improve security properties test to check both enabled and disabled behaviour -- Run security properties test with property debugging on +- Related: rhbz#2084218 + +* Fri Jul 08 2022 Andrew Hughes - 1:17.0.3.0.7-5 +- Fix whitespace in spec file +- Related: rhbz#2100677 + +* Fri Jul 08 2022 Andrew Hughes - 1:17.0.3.0.7-5 +- Sequence spec file sections as they are run by rpmbuild (build, install then test) +- Related: rhbz#2100677 + +* Fri Jul 08 2022 Andrew Hughes - 1:17.0.3.0.7-5 - Turn on system security properties as part of the build's install section - Move cacerts replacement to install section and retain original of this and tzdb.dat - Run tests on the installed image, rather than the build image - Introduce variables to refer to the static library installation directories - Use relative symlinks so they work within the image - Run debug symbols check during build stage, before the install strips them -- Resolves: rhbz#2084650 -- Resolves: rhbz#2099913 -- Resolves: rhbz#2108206 -- Resolves: rhbz#2108209 -- Resolves: rhbz#2106521 +- Related: rhbz#2100677 -* Thu Jul 14 2022 Jayashree Huttanagoudar - 1:17.0.4.0.1-0.2.ea -- Fix issue where CheckVendor.java test erroneously passes when it should fail. -- Add proper quoting so '&' is not treated as a special character by the shell. -- Related: rhbz#2084650 - -* Thu Jun 30 2022 Francisco Ferrari Bihurriet - 1:17.0.3.0.7-2 +* Thu Jun 30 2022 Francisco Ferrari Bihurriet - 1:17.0.3.0.7-4 - RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode -- Resolves: rhbz#2108190 +- Resolves: rhbz#2102433 -* Wed Apr 20 2022 Andrew Hughes - 1:17.0.3.0.7-2 -- April 2022 security update to jdk 17.0.3+7 -- Update to jdk-17.0.3.0+7 tarball -- Update release notes to 17.0.3.0+7 -- Add missing README.md and generate_source_tarball.sh -- Resolves: rhbz#2073576 +* Wed Jun 22 2022 Andrew Hughes - 1:17.0.3.0.7-3 +- Update FIPS support to bring in latest changes +- * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage +- * RH2090378: Revert to disabling system security properties and FIPS mode support together +- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch +- Enable system security properties in the RPM (now disabled by default in the FIPS repo) +- Improve security properties test to check both enabled and disabled behaviour +- Run security properties test with property debugging on +- Resolves: rhbz#2099844 +- Resolves: rhbz#2100677 -* Mon Feb 28 2022 Andrew Hughes - 1:17.0.2.0.8-15 +* Sun Jun 12 2022 Andrew Hughes - 1:17.0.3.0.7-2 +- Rebase FIPS patches from fips-17u branch and simplify by using a single patch from that repository +- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch +- RH2023467: Enable FIPS keys export +- RH2094027: SunEC runtime permission for FIPS +- Resolves: rhbz#2029657 +- Resolves: rhbz#2096117 + +* Wed Apr 20 2022 Andrew Hughes - 1:17.0.3.0.7-1 +- April 2022 security update to jdk 17.0.3+6 +- Update to jdk-17.0.3.0+6 pre-release tarball (17usec.17.0.3+5-220408) +- Add JDK-8284548 regression fix missing from pre-release tarball but in jdk-17.0.3+6/jdk-17.0.3-ga +- Update release notes to 17.0.3.0+6 +- Add missing README.md and generate_source_tarball.sh +- Switch to GA mode for release +- JDK-8283911 patch no longer needed now we're GA... +- Resolves: rhbz#2073579 + +* Wed Apr 06 2022 Andrew Hughes - 1:17.0.3.0.5-0.1.ea +- Update to jdk-17.0.3.0+5 +- Update release notes to 17.0.3.0+5 +- Resolves: rhbz#2050460 + +* Tue Mar 29 2022 Andrew Hughes - 1:17.0.3.0.1-0.1.ea +- Update to jdk-17.0.3.0+1 +- Update release notes to 17.0.3.0+1 +- Switch to EA mode for 17.0.3 pre-release builds. +- Add JDK-8283911 to fix bad DEFAULT_PROMOTED_VERSION_PRE value +- Related: rhbz#2050460 + +* Mon Feb 28 2022 Andrew Hughes - 1:17.0.2.0.8-13 - Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode -- Resolves: rhbz#2052070 +- Resolves: rhbz#2055383 -* Sun Feb 27 2022 Andrew Hughes - 1:17.0.2.0.8-14 -- Introduce tests/tests.yml, based on the one in java-11-openjdk -- Resolves: rhbz#2058493 - -* Sun Feb 27 2022 Severin Gehwolf - 1:17.0.2.0.8-13 -- Use 'sql:' prefix in nss.fips.cfg as F35+ no longer ship the legacy - secmod.db file as part of nss -- Resolves: rhbz#2023536 - -* Sun Feb 27 2022 Andrew Hughes - 1:17.0.2.0.8-12 -- Detect NSS at runtime for FIPS detection -- Turn off build-time NSS linking and go back to an explicit Requires on NSS -- Resolves: rhbz#2051605 +* Mon Feb 28 2022 Andrew Hughes - 1:17.0.2.0.8-12 +- Add rpminspect.yaml to turn off Java bytecode inspections +- java-17-openjdk deliberately produces Java 17 bytecode, not the default Java 11 bytecode +- Resolves: rhbz#2023540 -* Fri Feb 25 2022 Andrew Hughes - 1:17.0.2.0.8-11 -- Add JDK-8275535 patch to fix LDAP authentication issue. -- Resolves: rhbz#2053256 +* Sun Feb 27 2022 Andrew Hughes - 1:17.0.2.0.8-11 +- Introduce tests/tests.yml, based on the one in java-11-openjdk +- Resolves: rhbz#2058490 * Fri Feb 25 2022 Jiri Vanek - 1:17.0.2.0.8-10 - Storing and restoring alterntives during update manually @@ -2732,28 +2825,30 @@ require "copy_jdk_configs.lua" -- the selection in family -- Thus this fix, is storing the family of manually selected master, and if -- stored, then it is restoring the family of the master -- Resolves: rhbz#2008200 +- Resolves: rhbz#2008206 * Fri Feb 25 2022 Jiri Vanek - 1:17.0.2.0.8-9 - Family extracted to globals -- Resolves: rhbz#2008200 +- Related: rhbz#2008206 -* Fri Feb 25 2022 Jiri Vanek - 1:17.0.2.0.8-8 -- alternatives creation moved to posttrans -- Thus fixing the old reisntall issue: -- https://bugzilla.redhat.com/show_bug.cgi?id=1200302 -- https://bugzilla.redhat.com/show_bug.cgi?id=1976053 -- Resolves: rhbz#2008200 +* Wed Feb 23 2022 Andrew Hughes - 1:17.0.2.0.8-8 +- Detect NSS at runtime for FIPS detection +- Turn off build-time NSS linking and go back to an explicit Requires on NSS +- Resolves: rhbz#2052829 -* Mon Feb 21 2022 Andrew Hughes - 1:17.0.2.0.8-7 +* Wed Feb 23 2022 Andrew Hughes - 1:17.0.2.0.8-7 +- Add JDK-8275535 patch to fix LDAP authentication issue. +- Resolves: rhbz#2053521 + +* Mon Feb 21 2022 Andrew Hughes - 1:17.0.2.0.8-6 - Separate crypto policy initialisation from FIPS initialisation, now they are no longer interdependent -- Resolves: rhbz#2051590 +- Resolves: rhbz#2052819 -* Fri Feb 18 2022 Andrew Hughes - 1:17.0.2.0.8-6 +* Fri Feb 18 2022 Andrew Hughes - 1:17.0.2.0.8-5 - Fix FIPS issues in native code and with initialisation of java.security.Security -- Resolves: rhbz#2023378 +- Resolves: rhbz#2023531 -* Thu Feb 17 2022 Andrew Hughes - 1:17.0.2.0.8-5 +* Thu Feb 17 2022 Andrew Hughes - 1:17.0.2.0.8-4 - Restructure the build so a minimal initial build is then used for the final build (with docs) - This reduces pressure on the system JDK and ensures the JDK being built can do a full build - Turn off bootstrapping for slow debug builds, which are particularly slow on ppc64le. @@ -2766,92 +2861,108 @@ require "copy_jdk_configs.lua" - Support a HotSpot-only build so a freshly built libjvm.so can then be used in the bootstrap JDK. - Explicitly list JIT architectures rather than relying on those with slowdebug builds - Disable the serviceability agent on Zero architectures even when the architecture itself is supported -- Resolves: rhbz#2022822 +- Resolves: rhbz#2022826 -* Thu Feb 17 2022 Jiri Vanek - 1:17.0.2.0.8-5 +* Thu Feb 17 2022 Jiri Vanek - 1:17.0.2.0.8-4 - Replaced tabs by sets of spaces to make rpmlint happy - javadoc-zip gets its own provides next to plain javadoc ones -- Resolves: rhbz#2022822 +- Resolves: rhbz#2022826 -* Tue Feb 08 2022 Jiri Vanek - 1:17.0.2.0.8-4 +* Wed Feb 16 2022 Jiri Vanek - 1:17.0.2.0.8-3 - Minor cosmetic improvements to make spec more comparable between variants -- Related: rhbz#2022822 +- Related: rhbz#2022826 -* Thu Feb 03 2022 Andrew Hughes - 1:17.0.2.0.8-3 +* Wed Feb 16 2022 Andrew Hughes - 1:17.0.2.0.8-2 - Update tapsets from IcedTea 6.x repository with fix for JDK-8015774 changes (_heap->_heaps) and @JAVA_SPEC_VER@ - Update icedtea_sync.sh with a VCS mode that retrieves sources from a Mercurial repository -- Related: rhbz#2022822 - -* Thu Feb 03 2022 Andrew Hughes - 1:17.0.2.0.8-2 -- Extend LTS check to exclude EPEL. -- Related: rhbz#2022822 +- Related: rhbz#2022826 -* Thu Feb 03 2022 Severin Gehwolf - 1:17.0.2.0.8-2 -- Set LTS designator. -- Related: rhbz#2022822 - -* Wed Jan 12 2022 Andrew Hughes - 1:17.0.2.0.8-1 +* Fri Feb 11 2022 Andrew Hughes - 1:17.0.2.0.8-1 - January 2022 security update to jdk 17.0.2+8 - Rebase RH1995150 & RH1996182 patches following JDK-8275863 addition to module-info.java - Rename libsvml.so to libjsvml.so following JDK-8276025 -- Resolves: rhbz#2039366 +- Drop JDK-8276572 patch which is now upstream +- Resolves: rhbz#2039392 -* Thu Oct 28 2021 Andrew Hughes - 1:17.0.1.0.12-3 +* Thu Feb 10 2022 Andrew Hughes - 1:17.0.1.0.12-3 - Sync desktop files with upstream IcedTea release 3.15.0 using new script -- Related: rhbz#2013842 +- Related: rhbz#2022826 + +* Mon Nov 29 2021 Severin Gehwolf - 1:17.0.1.0.12-2 +- Use 'sql:' prefix in nss.fips.cfg as F35+ no longer ship the legacy + secmod.db file as part of nss +- Resolves: rhbz#2023537 -* Tue Oct 26 2021 Andrew Hughes - 1:17.0.1.0.12-2 -- Drop JDK-8272332/RH2004078 patch which is upstream in 17.0.1 -- Resolves: rhbz#2013842 +* Tue Nov 16 2021 Andrew Hughes - 1:17.0.1.0.12-1 +- Drop JDK-8272332 patch now included upstream. +- Resolves: rhbz#2013846 -* Wed Oct 20 2021 Petra Alice Mikova - 1:17.0.1.0.12-2 +* Tue Nov 16 2021 Petra Alice Mikova - 1:17.0.1.0.12-1 - October CPU update to jdk 17.0.1+12 - Dropped commented-out source line -- Resolves: rhbz#2013842 +- Resolves: rhbz#2013846 + +* Tue Nov 09 2021 Andrew Hughes - 1:17.0.0.0.35-8 +- Extend LTS check to exclude EPEL. +- Related: rhbz#2013846 + +* Tue Nov 09 2021 Severin Gehwolf - 1:17.0.0.0.35-8 +- Set LTS designator. +- Related: rhbz#2013846 + +* Mon Nov 08 2021 Jiri Vanek - 1:17.0.0.0.35-7 +- alternatives creation moved to posttrans +- Thus fixing the old reinstall issue: +- https://bugzilla.redhat.com/show_bug.cgi?id=1200302 +- https://bugzilla.redhat.com/show_bug.cgi?id=1976053 +- Resolves: rhbz#2008206 + +* Fri Nov 05 2021 Andrew Hughes - 1:17.0.0.0.35-6 +- Patch syslookup.c so it actually has some code to be compiled into libsyslookup +- Related: rhbz#2013846 -* Sun Oct 10 2021 Andrew Hughes - 1:17.0.0.0.35-6 +* Sun Oct 10 2021 Andrew Hughes - 1:17.0.0.0.35-5 - Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false -- Resolves: rhbz#1994661 +- Resolves: rhbz#1994682 -* Sun Oct 10 2021 Martin Balao - 1:17.0.0.0.35-6 +* Sun Oct 10 2021 Martin Balao - 1:17.0.0.0.35-5 - Add patch to allow plain key import. -- Resolves: rhbz#1994661 +- Resolves: rhbz#1994682 -* Mon Sep 27 2021 Andrew Hughes - 1:17.0.0.0.35-5 +* Mon Sep 27 2021 Andrew Hughes - 1:17.0.0.0.35-4 - Update release notes to document the major changes between OpenJDK 11 & 17. -- Resolves: rhbz#2003072 +- Resolves: rhbz#2000925 * Thu Sep 16 2021 Andrew Hughes - 1:17.0.0.0.35-3 - Update to jdk-17+35, also known as jdk-17-ga. - Switch to GA mode. - Add JDK-8272332 fix so we actually link against HarfBuzz. -- Resolves: rhbz#2003072 -- Resolves: rhbz#2004078 +- Resolves: rhbz#2000925 * Mon Aug 30 2021 Andrew Hughes - 1:17.0.0.0.33-0.5.ea - Extend the default security policy to accomodate PKCS11 accessing jdk.internal.access. -- Resolves: rhbz#1996182 +- Resolves: rhbz#1997359 * Sat Aug 28 2021 Andrew Hughes - 1:17.0.0.0.33-0.4.ea - Fix unused function compiler warning found in systemconf.c -- Related: rhbz#1995150 +- Related: rhbz#1995889 * Sat Aug 28 2021 Martin Balao - 1:17.0.0.0.33-0.4.ea - Add patch to login to the NSS software token when in FIPS mode. -- Resolves: rhbz#1996182 +- Resolves: rhbz#1997359 * Fri Aug 27 2021 Martin Balao - 1:17.0.0.0.33-0.3.ea - Add patch to disable non-FIPS crypto in the SUN and SunEC security providers. -- Resolves: rhbz#1995150 +- Resolves: rhbz#1995889 * Fri Aug 27 2021 Andrew Hughes - 1:17.0.0.0.33-0.2.ea - Minor code cleanups on FIPS detection patch and check for SECMOD_GetSystemFIPSEnabled in configure. - Remove unneeded Requires on NSS as it will now be dynamically linked and detected by RPM. -- Related: rhbz#1995150 +- Related: rhbz#1995889 * Fri Aug 27 2021 Martin Balao - 1:17.0.0.0.33-0.2.ea - Detect FIPS using SECMOD_GetSystemFIPSEnabled in the new libsystemconf JDK library. -- Related: rhbz#1995150 +- Related: rhbz#1995889 * Thu Aug 26 2021 Andrew Hughes - 1:17.0.0.0.33-0.1.ea - Update RH1655466 FIPS patch with changes in OpenJDK 8 version. @@ -2862,51 +2973,56 @@ require "copy_jdk_configs.lua" - Enable alignment with FIPS crypto policy by default (-Dcom.redhat.fips=false to disable). - Add explicit runtime dependency on NSS for the PKCS11 provider in FIPS mode - Move setup of JavaSecuritySystemConfiguratorAccess to Security class so it always occurs (RH1915071) -- Related: rhbz#1995150 +- Related: rhbz#1995889 * Thu Aug 26 2021 Martin Balao - 1:17.0.0.0.33-0.1.ea - Support the FIPS mode crypto policy (RH1655466) - Use appropriate keystore types when in FIPS mode (RH1818909) - Disable TLSv1.3 when the FIPS crypto policy and the NSS-FIPS provider are in use (RH1860986) -- Related: rhbz#1995150 +- Related: rhbz#1995889 * Thu Aug 26 2021 Andrew Hughes - 1:17.0.0.0.33-0.0.ea - Update to jdk-17+33, including JDWP fix and July 2021 CPU -- Resolves: rhbz#1959487 +- Resolves: rhbz#1870625 * Thu Aug 26 2021 Andrew Hughes - 1:17.0.0.0.26-0.5.ea - Use the "reverse" build loop (debug first) as the main and only build loop to get more diagnostics. - Remove restriction on disabling product build, as debug packages no longer have javadoc packages. -- Resolves: rhbz#1959487 +- Resolves: rhbz#1870625 -* Wed Aug 25 2021 Petra Alice Mikova - 1:17.0.0.0.26-0.4.ea +* Mon Aug 09 2021 Mohan Boddu - 1:17.0.0.0.26-0.4.ea.1 +- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags + Related: rhbz#1991688 + +* Wed Jul 14 2021 Petra Alice Mikova - 1:17.0.0.0.26-0.4.ea - Fix patch rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch which made the SunPKCS provider show up again -- Resolves: rhbz#1959487 +- Resolves: rhbz#1870625 + +* Tue Jul 13 2021 Jiri Vanek - 1:17.0.0.0.26-0.3.ea +- Add gating support +- Resolves: rhbz#1870625 -* Wed Aug 25 2021 Severin Gehwolf - 1:17.0.0.0.26-0.3.ea +* Fri Jun 25 2021 Severin Gehwolf - 1:17.0.0.0.26-0.2.ea - Re-enable TestSecurityProperties after inclusion of PR3695 -- Resolves: rhbz#1959487 +- Resolves: rhbz#1870625 -* Wed Aug 25 2021 Andrew Hughes - 1:17.0.0.0.26-0.3.ea +* Fri Jun 25 2021 Andrew Hughes - 1:17.0.0.0.26-0.2.ea - Add PR3695 to allow the system crypto policy to be turned off -- Resolves: rhbz#1959487 +- Resolves: rhbz#1870625 -* Wed Jul 14 2021 Andrew Hughes - 1:17.0.0.0.26-0.2.ea +* Fri Jun 25 2021 Andrew Hughes - 1:17.0.0.0.26-0.1.ea - Remove boot JDKs in favour of OpenJDK 17 build now in the buildroot. -- Resolves: rhbz#1959487 +- Resolves: rhbz#1870625 -* Wed Jul 14 2021 Severin Gehwolf - 1:17.0.0.0.26-0.2.ea +* Thu Jun 24 2021 Severin Gehwolf - 1:17.0.0.0.26-0.1.ea - Update buildjdkver to 17 so as to build with itself -- Resolves: rhbz#1959487 - -* Tue Jul 13 2021 Jiri Vanek - 1:17.0.0.0.26-0.1.ea -- Add gating support -- Resolves: rhbz#1959487 +- Resolves: rhbz#1870625 * Mon Jun 21 2021 Andrew Hughes - 1:17.0.0.0.26-0.0.ea -- Rename as java-17-openjdk and bootstrap using boot JDK in local sources +- Rename to java-17-openjdk and bootstrap using boot JDK in local sources - Exclude x86 as this is not supported by OpenJDK 17 -- Resolves: rhbz#1959487 +- Use unzip to test src.zip to avoid looking for jar on path +- Resolves: rhbz#1870625 * Fri Jun 11 2021 Petra Alice Mikova - 1:17.0.0.0.26-0.0.ea.rolling - update sources to jdk 17.0.0+26 @@ -2920,6 +3036,9 @@ require "copy_jdk_configs.lua" - add lib/libsvml.so for intel - skip debuginfo check for libsyslookup.so on s390x +* Fri May 07 2021 Jiri Vanek - 1:16.0.1.0.9-2.rolling +- removed cjc backward comaptiblity, to fix when both rpm 4.16 and 4.17 are in transaction + * Thu Apr 29 2021 Jiri Vanek - 1:16.0.1.0.9-2.rolling - adapted to debug handling in newer cjc - The rest of the "rpm 4.17" patch must NOT be backported, as on rpm 4.16 and down, it would casue double execution diff --git a/remove-intree-libraries.sh b/remove-intree-libraries.sh index e999c7e3dc054a4cfb19cb45709dc7f53ab9f782..25c2fc8d6b6223c0442a41adb51230244589d1a1 100644 --- a/remove-intree-libraries.sh +++ b/remove-intree-libraries.sh @@ -5,6 +5,7 @@ TREE=${1} TYPE=${2} ZIP_SRC=src/java.base/share/native/libzip/zlib/ +FREETYPE_SRC=src/java.desktop/share/native/libfreetype/ JPEG_SRC=src/java.desktop/share/native/libjavajpeg/ GIF_SRC=src/java.desktop/share/native/libsplashscreen/giflib/ PNG_SRC=src/java.desktop/share/native/libsplashscreen/libpng/ @@ -31,15 +32,21 @@ cd ${TREE} echo "Removing built-in libs (they will be linked)" -# On full runs, allow for zlib having already been deleted by minimal +# On full runs, allow for zlib & freetype having already been deleted by minimal echo "Removing zlib" if [ "x${TYPE}" = "xminimal" -a ! -d ${ZIP_SRC} ]; then echo "${ZIP_SRC} does not exist. Refusing to proceed." exit 1 fi rm -rvf ${ZIP_SRC} +echo "Removing freetype" +if [ "x${TYPE}" = "xminimal" -a ! -d ${FREETYPE_SRC} ]; then + echo "${FREETYPE_SRC} does not exist. Refusing to proceed." + exit 1 +fi +rm -rvf ${FREETYPE_SRC} -# Minimal is limited to just zlib so finish here +# Minimal is limited to just zlib and freetype so finish here if test "x${TYPE}" = "xminimal"; then echo "Finished."; exit 0; diff --git a/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz b/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz new file mode 100644 index 0000000000000000000000000000000000000000..bc4e1747e3a003d6e7e64363425c8e286044c792 Binary files /dev/null and b/tapsets-icedtea-6.0.0pre00-c848b93a8598.tar.xz differ