@ -7,12 +7,12 @@
# Produce release, fastdebug *and* slowdebug builds on x86_64 (default):
# $ rpmbuild -ba java-11-openjdk.spec
#
# Produce only release builds (no slow debug builds) on x86_64:
# Produce only release builds (no debug builds) on x86_64:
# $ rpmbuild -ba java-11-openjdk.spec --without slowdebug --without fastdebug
#
# Only produce a release build on x86_64:
# $ rhpkg mockbuild --without slowdebug --without fastdebug
#
# Enable fastdebug builds by default on relevant arches.
%bcond_without fastdebug
# Enable slowdebug builds by default on relevant arches.
@ -21,8 +21,6 @@
%bcond_without release
# Enable static library builds by default.
%bcond_without staticlibs
# Remove build artifacts by default
%bcond_with artifacts
# Workaround for stripping of debug symbols from static libraries
%if %{with staticlibs}
@ -100,7 +98,7 @@
# Set of architectures for which we build slowdebug builds
%global debug_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} s390x
# Set of architectures for which we build fastdebug builds
%global fastdebug_arches x86_64
%global fastdebug_arches x86_64 ppc64le aarch64
# Set of architectures with a Just-In-Time (JIT) compiler
%global jit_arches %{debug_arches} %{arm}
# Set of architectures which run a full bootstrap cycle
@ -122,7 +120,7 @@
# Set of architectures for which alt-java has SSB mitigation
%global ssbd_arches x86_64
# By default, we build a slow debug build during main build on JIT architectures
# By default, we build a debug build during main build on JIT architectures
%if %{with slowdebug}
%ifarch %{debug_arches}
%global include_debug_build 1
@ -190,28 +188,22 @@
%global bootstrap_build 1
%endif
%if %{bootstrap_build}
%global release_targets bootcycle-images docs-zip
%else
%global release_targets images docs-zip
%endif
# No docs nor bootcycle for debug builds
%global debug_targets images
%if %{include_staticlibs}
# Extra target for producing the static-libraries. Separate from
# other targets since this target is configured to use in-tree
# AWT dependencies: lcms, libjpeg, libpng, libharfbuzz, giflib
# and possibly others
%global static_libs_target static-libs-image
%else
%global static_libs_target %{nil}
%endif
# RPM JDK builds keep the debug symbols internal, to be later stripped by RPM
%global debug_symbols internal
# unlike portables,the rpms have to use static_libs_target very dynamically
%global bootstrap_targets images
%global release_targets images docs-zip
# No docs nor bootcycle for debug builds
%global debug_targets images
# Disable LTO as this causes build failures at the moment.
# See RHBZ#1861401
%define _lto_cflags %{nil}
# Filter out flags from the optflags macro that cause problems with the OpenJDK build
# We filter out -O flags so that the optimization of HotSpot is not lowered from O3 to O2
@ -297,7 +289,7 @@
# New Version-String scheme-style defines
%global featurever 11
%global interimver 0
%global updatever 13
%global updatever 12
%global patchver 0
# If you bump featurever, you must bump also vendor_version_string
# Used via new version scheme. JDK 11 was
@ -344,8 +336,8 @@
%global origin_nice OpenJDK
%global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 8
%global rpmrelease 1
%global buildver 7
%global rpmrelease 4
#%%global tagsuffix %%{nil}
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
@ -395,7 +387,6 @@
%global static_libs_image static-libs
# output dir stub
%define buildoutputdir() %{expand:build/jdk11.build%{?1}}
%define installoutputdir() %{expand:install/jdk11.install%{?1}}
# we can copy the javadoc to not arched dir, or make it not noarch
%define uniquejavadocdir() %{expand:%{fullversion}.%{_arch}%{?1}}
# main id and dir of this jdk
@ -405,7 +396,7 @@
# fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349
# https://bugzilla.redhat.com/show_bug.cgi?id=1590796#c14
# https://bugzilla.redhat.com/show_bug.cgi?id=1655938
%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsunec[.]so.*|libunpack[.]so.*|libzip[.]so.*
%global _privatelibs libsplashscreen[.]so.*|libawt_xawt[.]so.*|libjli[.]so.*|libattach[.]so.*|libawt[.]so.*|libextnet[.]so.*|libawt_headless[.]so.*|libdt_socket[.]so.*|libfontmanager[.]so.*|libinstrument[.]so.*|libj2gss[.]so.*|libj2pcsc[.]so.*|libj2pkcs11[.]so.*|libjaas[.]so.*|libjavajpeg[.]so.*|libjdwp[.]so.*|libjimage[.]so.*|libjsound[.]so.*|liblcms[.]so.*|libmanagement[.]so.*|libmanagement_agent[.]so.*|libmanagement_ext[.]so.*|libmlib_image[.]so.*|libnet[.]so.*|libnio[.]so.*|libprefs[.]so.*|librmi[.]so.*|libsaproc[.]so.*|libsctp[.]so.*|libsunec[.]so.*|libsystemconf[.]so.*|lib unpack[.]so.*|libzip[.]so.*
%global _publiclibs libjawt[.]so.*|libjava[.]so.*|libjvm[.]so.*|libverify[.]so.*|libjsig[.]so.*
%if %is_system_jdk
%global __provides_exclude ^(%{_privatelibs})$
@ -764,6 +755,7 @@ exit 0
%endif
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsctp.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsunec.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libsystemconf.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libunpack.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libverify.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libzip.so
@ -1019,19 +1011,23 @@ Requires: tzdata-java >= 2021a
# for support of kernel stream control
# libsctp.so.1 is being `dlopen`ed on demand
Requires: lksctp-tools%{?_isa}
%if ! 0%{?flatpak}
# tool to copy jdk's configs - should be Recommends only, but then only dnf/yum enforce it,
# not rpm transaction and so no configs are persisted when pure rpm -u is run. It may be
# considered as regression
Requires: copy-jdk-configs >= 3.3
Requires: copy-jdk-configs >= 4.0
OrderWithRequires: copy-jdk-configs
%endif
# for printing support
Requires: cups-libs
# for FIPS PKCS11 provider
Requires: nss
# Post requires alternatives to install tool alternatives
Requires(post): %{alternatives_requires}
# in version 1.7 and higher for --family switch
Requires(post): chkconfig >= 1.7
# Postun requires alternatives to uninstall tool alternatives
Requires(postun): %{alternatives_requires}
# in version 1.7 and higher for --family switch
Requires(postun): chkconfig >= 1.7
# for optional support of kernel stream control, card reader and printing bindings
%if 0%{?rhel} >= 8
Suggests: lksctp-tools%{?_isa}, pcsc-lite-devel%{?_isa}
@ -1056,8 +1052,12 @@ Requires: %{name}%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
# Post requires alternatives to install tool alternatives
Requires(post): %{alternatives_requires}
# in version 1.7 and higher for --family switch
Requires(post): chkconfig >= 1.7
# Postun requires alternatives to uninstall tool alternatives
Requires(postun): %{alternatives_requires}
# in version 1.7 and higher for --family switch
Requires(postun): chkconfig >= 1.7
# Standard JPackage devel provides
Provides: java-sdk-%{javaver}-%{origin}%{?1} = %{epoch}:%{version}-%{release}
@ -1098,7 +1098,6 @@ Provides: java-%{javaver}-demo%{?1} = %{epoch}:%{version}-%{release}
Provides: java-%{javaver}-%{origin}-demo%{?1} = %{epoch}:%{version}-%{release}
%if %is_system_jdk
Provides: java-demo%{?1} = %{epoch}:%{version}-%{release}
Provides: java-%{origin}-demo%{?1} = %{epoch}:%{version}-%{release}
%endif
}
@ -1106,8 +1105,12 @@ Provides: java-%{origin}-demo%{?1} = %{epoch}:%{version}-%{release}
OrderWithRequires: %{name}-headless%{?1}%{?_isa} = %{epoch}:%{version}-%{release}
# Post requires alternatives to install javadoc alternative
Requires(post): %{alternatives_requires}
# in version 1.7 and higher for --family switch
Requires(post): chkconfig >= 1.7
# Postun requires alternatives to uninstall javadoc alternative
Requires(postun): %{alternatives_requires}
# in version 1.7 and higher for --family switch
Requires(postun): chkconfig >= 1.7
# Standard JPackage javadoc provides
Provides: java-%{javaver}-javadoc%{?1} = %{epoch}:%{version}-%{release}
@ -1125,7 +1128,6 @@ Provides: java-%{javaver}-src%{?1} = %{epoch}:%{version}-%{release}
Provides: java-%{javaver}-%{origin}-src%{?1} = %{epoch}:%{version}-%{release}
%if %is_system_jdk
Provides: java-src%{?1} = %{epoch}:%{version}-%{release}
Provides: java-%{origin}-src%{?1} = %{epoch}:%{version}-%{release}
%endif
}
@ -1147,9 +1149,7 @@ Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist}
Epoch: 1
Summary: %{origin_nice} %{featurever} Runtime Environment
%if 0%{?rhel} <= 8
Group: Development/Languages
%endif
# HotSpot code is licensed under GPLv2
# JDK library code is licensed under GPLv2 with the Classpath exception
@ -1217,7 +1217,7 @@ Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
Patch2: rh1648644-java_access_bridge_privileged_security.patch
# NSS via SunPKCS11 Provider (disabled due to memory leak).
Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
# RH1750419: enable build of speculative store bypass hardened alt-java (CVE-2018-3639)
# enable build of speculative store bypass hardened alt-java
Patch600: rh1750419-redhat_alt_java.patch
# RH1582504: Use RSA as default for keytool, as DSA is disabled in all crypto policies except LEGACY
Patch1003: rh1842572-rsa_default_for_keytool.patch
@ -1231,6 +1231,11 @@ Patch1002: rh1818909-fips_default_keystore_type.patch
Patch1004: rh1860986-disable_tlsv1.3_in_fips_mode.patch
# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess
Patch1007: rh1915071-always_initialise_configurator_access.patch
# RH1929465: Improve system FIPS detection
Patch1008: rh1929465-improve_system_FIPS_detection.patch
# RH1996182: Login to the NSS software token in FIPS mode
Patch1009: rh1996182-login_to_nss_software_token.patch
Patch1010: rh1996182-extend_security_policy.patch
#############################################
#
@ -1257,13 +1262,15 @@ Patch7: pr3695-toggle_system_crypto_policy.patch
#############################################
#
# Patches appearing in 11.0.10
# Patches appearing in 11.0.13
#
# This section includes patches which are present
# in the listed OpenJDK 11u release and should be
# able to be removed once that release is out
# and used by this RPM.
#############################################
# JDK-8269668, RH1977671: [aarch64] java.library.path not including /usr/lib64
Patch8: jdk8269668-rh1977671-aarch64_lib_path_fix.patch
BuildRequires: autoconf
BuildRequires: automake
@ -1290,8 +1297,8 @@ BuildRequires: libXrandr-devel
BuildRequires: libXrender-devel
BuildRequires: libXt-devel
BuildRequires: libXtst-devel
# Requirements for setting up the nss.cfg
BuildRequires: nss-devel
# Requirements for setting up the nss.cfg and FIPS support
BuildRequires: nss-devel >= 3.53
BuildRequires: pkgconfig
BuildRequires: xorg-x11-proto-devel
BuildRequires: zip
@ -1310,7 +1317,6 @@ BuildRequires: gcc >= 4.8.3-8
%if %{with_systemtap}
BuildRequires: systemtap-sdt-devel
%endif
BuildRequires: make
# this is always built, also during debug-only build
# when it is built in debug-only this package is just placeholder
@ -1322,9 +1328,7 @@ The %{origin_nice} %{featurever} runtime environment.
%if %{include_debug_build}
%package slowdebug
Summary: %{origin_nice} %{featurever} Runtime Environment %{debug_on}
%if 0%{?rhel} <= 8
Group: Development/Languages
%endif
%{java_rpo -- %{debug_suffix_unquoted}}
%description slowdebug
@ -1335,9 +1339,7 @@ The %{origin_nice} %{featurever} runtime environment.
%if %{include_fastdebug_build}
%package fastdebug
Summary: %{origin_nice} %{featurever} Runtime Environment %{fastdebug_on}
%if 0%{?rhel} <= 8
Group: Development/Languages
%endif
%{java_rpo -- %{fastdebug_suffix_unquoted}}
%description fastdebug
@ -1348,9 +1350,7 @@ The %{origin_nice} %{featurever} runtime environment.
%if %{include_normal_build}
%package headless
Summary: %{origin_nice} %{featurever} Headless Runtime Environment
%if 0%{?rhel} <= 8
Group: Development/Languages
%endif
%{java_headless_rpo %{nil}}
@ -1385,9 +1385,7 @@ The %{origin_nice} %{featurever} runtime environment without audio and video sup
%if %{include_normal_build}
%package devel
Summary: %{origin_nice} %{featurever} Development Environment
%if 0%{?rhel} <= 8
Group: Development/Languages
%endif
Group: Development/Tools
%{java_devel_rpo %{nil}}
@ -1398,9 +1396,7 @@ The %{origin_nice} %{featurever} development tools.
%if %{include_debug_build}
%package devel-slowdebug
Summary: %{origin_nice} %{featurever} Development Environment %{debug_on}
%if 0%{?rhel} <= 8
Group: Development/Languages
%endif
Group: Development/Tools
%{java_devel_rpo -- %{debug_suffix_unquoted}}
@ -1461,9 +1457,7 @@ The %{origin_nice} %{featurever} libraries for static linking.
%if %{include_normal_build}
%package jmods
Summary: JMods for %{origin_nice} %{featurever}
%if 0%{?rhel} <= 8
Group: Development/Languages
%endif
Group: Development/Tools
%{java_jmods_rpo %{nil}}
@ -1474,9 +1468,7 @@ The JMods for %{origin_nice} %{featurever}.
%if %{include_debug_build}
%package jmods-slowdebug
Summary: JMods for %{origin_nice} %{featurever} %{debug_on}
%if 0%{?rhel} <= 8
Group: Development/Languages
%endif
Group: Development/Tools
%{java_jmods_rpo -- %{debug_suffix_unquoted}}
@ -1500,9 +1492,7 @@ The JMods for %{origin_nice} %{featurever}.
%if %{include_normal_build}
%package demo
Summary: %{origin_nice} %{featurever} Demos
%if 0%{?rhel} <= 8
Group: Development/Languages
%endif
%{java_demo_rpo %{nil}}
@ -1513,9 +1503,7 @@ The %{origin_nice} %{featurever} demos.
%if %{include_debug_build}
%package demo-slowdebug
Summary: %{origin_nice} %{featurever} Demos %{debug_on}
%if 0%{?rhel} <= 8
Group: Development/Languages
%endif
%{java_demo_rpo -- %{debug_suffix_unquoted}}
@ -1539,9 +1527,7 @@ The %{origin_nice} %{featurever} demos.
%if %{include_normal_build}
%package src
Summary: %{origin_nice} %{featurever} Source Bundle
%if 0%{?rhel} <= 8
Group: Development/Languages
%endif
%{java_src_rpo %{nil}}
@ -1553,9 +1539,7 @@ class library source code for use by IDE indexers and debuggers.
%if %{include_debug_build}
%package src-slowdebug
Summary: %{origin_nice} %{featurever} Source Bundle %{for_debug}
%if 0%{?rhel} <= 8
Group: Development/Languages
%endif
%{java_src_rpo -- %{debug_suffix_unquoted}}
@ -1579,9 +1563,7 @@ The %{compatiblename}-src-fastdebug sub-package contains the complete %{origin_n
%if %{include_normal_build}
%package javadoc
Summary: %{origin_nice} %{featurever} API documentation
%if 0%{?rhel} <= 8
Group: Documentation
%endif
Requires: javapackages-filesystem
Obsoletes: javadoc-debug
@ -1592,9 +1574,7 @@ The %{origin_nice} %{featurever} API documentation.
%package javadoc-zip
Summary: %{origin_nice} %{featurever} API documentation compressed in a single archive
%if 0%{?rhel} <= 8
Group: Documentation
%endif
Requires: javapackages-filesystem
Obsoletes: javadoc-zip-debug
@ -1654,6 +1634,7 @@ pushd %{top_level_dir_name}
%patch3 -p1
%patch4 -p1
%patch7 -p1
%patch8 -p1
popd # openjdk
%patch1000
@ -1663,6 +1644,9 @@ popd # openjdk
%patch1003
%patch1004
%patch1007
%patch1008
%patch1009
%patch1010
# Extract systemtap tapsets
%if %{with_systemtap}
@ -1674,6 +1658,7 @@ cp -r tapset tapset%{debug_suffix}
cp -r tapset tapset%{fastdebug_suffix}
%endif
for suffix in %{build_loop} ; do
for file in "tapset"$suffix/*.in; do
OUTPUT_FILE=`echo $file | sed -e "s:\.stp\.in$:-%{version}-%{release}.%{_arch}.stp:g"`
@ -1742,33 +1727,45 @@ EXTRA_CPP_FLAGS="%ourcppflags"
# fix rpmlint warnings
EXTRA_CFLAGS="$EXTRA_CFLAGS -fno-strict-aliasing"
%endif
# Fixes annocheck warnings in assembler files due to missing build notes
EXTRA_ASFLAGS="${EXTRA_CFLAGS} -Wa,--generate-missing-build-notes=yes"
export EXTRA_CFLAGS EXTRA_ASFLAGS
function buildjdk() {
local outputdir=${1}
local installdir=${2}
local buildjdk=${3}
local maketargets="${4}"
local debuglevel=${5}
local link_opt=${6}
local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name}
local top_dir_abs_build_path=$(pwd)/${outputdir}
echo "Using output directory: ${outputdir}";
echo "Checking build JDK ${buildjdk} is operational..."
${buildjdk}/bin/java -version
echo "Using make targets: ${maketargets}"
echo "Using debuglevel: ${debuglevel}"
echo "Using link_opt: ${link_opt}"
echo "Building %{newjavaver}-%{buildver}, pre=%{ea_designator}, opt=%{lts_designator}"
mkdir -p ${outputdir} ${installdir}
pushd ${outputdir}
bash ${top_dir_abs_src_path}/configure \
for suffix in %{build_loop} ; do
if [ "x$suffix" = "x" ] ; then
debugbuild=release
else
# change --something to something
debugbuild=`echo $suffix | sed "s/-//g"`
fi
for loop in %{main_suffix} %{staticlibs_loop} ; do
if test "x${loop}" = "x%{main_suffix}" ; then
# Copy the source tree so we can remove all in-tree libraries
cp -a %{top_level_dir_name} %{top_level_dir_name_backup}
# Remove all libraries that are linked
sh %{SOURCE12} %{top_level_dir_name} full
# Variable used by configure and hs_err hook on build failures
link_opt="system"
# Debug builds don't need same targets as release for
# build speed-up
maketargets="%{release_targets}"
if echo $debugbuild | grep -q "debug" ; then
maketargets="%{debug_targets}"
fi
else
# Variable used by configure and hs_err hook on build failures
link_opt="bundled"
# Static library cycle only builds the static libraries
maketargets="%{static_libs_target}"
fi
top_dir_abs_src_path=$(pwd)/%{top_level_dir_name}
top_dir_abs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}${loop}}
mkdir -p ${top_dir_abs_build_path}
pushd ${top_dir_abs_build_path}
bash ${top_dir_abs_src_path}/configure \
%ifnarch %{jit_arches}
--with-jvm-variants=zero \
%endif
@ -1783,9 +1780,10 @@ function buildjdk() {
--with-vendor-url="%{oj_vendor_url}" \
--with-vendor-bug-url="%{oj_vendor_bug_url}" \
--with-vendor-vm-bug-url="%{oj_vendor_bug_url}" \
--with-boot-jdk=${buildjdk} \
--with-debug-level=${debuglevel} \
--with-native-debug-symbols="%{debug_symbols}" \
--with-boot-jdk=/usr/lib/jvm/java-%{buildjdkver}-openjdk \
--with-debug-level=$debugbuild \
--with-native-debug-symbols=internal \
--enable-sysconf-nss \
--enable-unlimited-crypto \
--with-zlib=system \
--with-libjpeg=${link_opt} \
@ -1803,121 +1801,54 @@ function buildjdk() {
--with-jvm-features="%{shenandoah_feature},%{zgc_feature}" \
--disable-warnings-as-errors
cat spec.gmk
make \
make \
JAVAC_FLAGS=-g \
LOG=trace \
WARNINGS_ARE_ERRORS="-Wno-error" \
CFLAGS_WARNINGS_ARE_ERRORS="-Wno-error" \
$maketargets || ( pwd; find ${top_dir_abs_src_path} ${top_dir_abs_build_path} -name "hs_err_pid*.log" | xargs cat && false )
popd
echo "Installing build from ${outputdir} to ${installdir}..."
echo "Installing images..."
mv ${outputdir}/images ${installdir}
if [ -d ${outputdir}/bundles ] ; then
echo "Installing bundles...";
mv ${outputdir}/bundles ${installdir} ;
fi
if [ -d ${outputdir}/docs ] ; then
echo "Installing docs...";
mv ${outputdir}/docs ${installdir} ;
fi
%if !%{with artifacts}
echo "Removing output directory...";
rm -rf ${outputdir}
%endif
}
function installjdk() {
local imagepath=${1}
popd >& /dev/null
# the build (erroneously) removes read permissions from some jars
# this is a regression in OpenJDK 7 (our compiler):
# http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437
find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \;
# Build screws up permissions on binaries
# https://bugs.openjdk.java.net/browse/JDK-8173610
find ${imagepath} -iname '*.so' -exec chmod +x {} \;
find ${imagepath}/bin/ -exec chmod +x {} \;
# Install nss.cfg right away as we will be using the JRE above
install -m 644 nss.cfg ${imagepath}/conf/security/
# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
install -m 644 nss.fips.cfg ${imagepath}/conf/security/
# Use system-wide tzdata
rm ${imagepath}/lib/tzdb.dat
ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat
# Restore original source tree if we modified it by removing full in-tree sources
if [ -d %{top_level_dir_name_backup} ] ; then
rm -rf %{top_level_dir_name}
mv %{top_level_dir_name_backup} %{top_level_dir_name}
fi
# Create fake alt-java as a placeholder for future alt-java
pushd ${imagepath}
# add alt-java man page
echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1
cat man/man1/java.1 >> man/man1/%{alt_java_name}.1
popd
}
done # end of main / staticlibs loop
for suffix in %{build_loop} ; do
top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}}
if [ "x$suffix" = "x" ] ; then
debugbuild=release
else
# change --something to something
debugbuild=`echo $suffix | sed "s/-//g"`
fi
# the build (erroneously) removes read permissions from some jars
# this is a regression in OpenJDK 7 (our compiler):
# http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437
find ${top_dir_abs_main_build_path}/images/%{jdkimage} -iname '*.jar' -exec chmod ugo+r {} \;
systemjdk=/usr/lib/jvm/java-%{buildjdkver}-openjdk
# Build screws up permissions on binaries
# https://bugs.openjdk.java.net/browse/JDK-8173610
find ${top_dir_abs_main_build_path}/images/%{jdkimage} -iname '*.so' -exec chmod +x {} \;
find ${top_dir_abs_main_build_path}/images/%{jdkimage}/bin/ -exec chmod +x {} \;
for loop in %{main_suffix} %{staticlibs_loop} ; do
# Install nss.cfg right away as we will be using the JRE above
export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage}
builddir=%{buildoutputdir -- ${suffix}${loop}}
bootbuilddir=boot${builddir}
installdir=%{installoutputdir -- ${suffix}${loop}}
bootinstalldir=boot${installdir}
# Install nss.cfg right away as we will be using the JRE above
install -m 644 nss.cfg $JAVA_HOME/conf/security/
if test "x${loop}" = "x%{main_suffix}" ; then
# Copy the source tree so we can remove all in-tree libraries
cp -a %{top_level_dir_name} %{top_level_dir_name_backup}
# Remove all libraries that are linked
sh %{SOURCE12} %{top_level_dir_name} full
# Use system libraries
link_opt="system"
# Debug builds don't need same targets as release for
# build speed-up
maketargets="%{release_targets}"
if echo $debugbuild | grep -q "debug" ; then
maketargets="%{debug_targets}"
fi
%if %{bootstrap_build}
buildjdk ${bootbuilddir} ${bootinstalldir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} ${link_opt}
buildjdk ${builddir} ${installdir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt}
%{!?with_artifacts:rm -rf ${bootinstalldir}}
%else
buildjdk ${builddir} ${installdir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt}
%endif
# Restore original source tree we modified by removing full in-tree sources
rm -rf %{top_level_dir_name}
mv %{top_level_dir_name_backup} %{top_level_dir_name}
else
# Use bundled libraries for building statically
link_opt="bundled"
# Static library cycle only builds the static libraries
maketargets="%{static_libs_target}"
# Always just do the one build for the static libraries
buildjdk ${builddir} ${installdir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt}
fi
# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
install -m 644 nss.fips.cfg $JAVA_HOME/conf/security/
done # end of main / staticlibs loop
# Use system-wide tzdata
rm $JAVA_HOME/lib/tzdb.dat
ln -s %{_datadir}/javazi-1.8/tzdb.dat $JAVA_HOME/lib/tzdb.dat
# Final setup on the main image
top_dir_abs_main_build_path=$(pwd)/%{installoutputdir -- ${suffix}%{main_suffix}}
installjdk ${top_dir_abs_main_build_path}/images/%{jdkimage}
# Create fake alt-java as a placeholder for future alt-java
pushd ${JAVA_HOME}
# add alt-java man page
echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1
cat man/man1/java.1 >> man/man1/%{alt_java_name}.1
popd
# build cycles
done # end of release / debug cycle loop
@ -1927,9 +1858,9 @@ done # end of release / debug cycle loop
# We test debug first as it will give better diagnostics on a crash
for suffix in %{build_loop} ; do
top_dir_abs_main_build_path=$(pwd)/%{install outputdir -- ${suffix}%{main_suffix}}
top_dir_abs_main_build_path=$(pwd)/%{build outputdir -- ${suffix}%{main_suffix}}
%if %{include_staticlibs}
top_dir_abs_staticlibs_build_path=$(pwd)/%{install outputdir -- ${suffix}%{staticlibs_loop}}
top_dir_abs_staticlibs_build_path=$(pwd)/%{build outputdir -- ${suffix}%{staticlibs_loop}}
%endif
export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage}
@ -1972,9 +1903,8 @@ readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep w_remainder.c
readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep e_remainder.c
%endif
so_suffix="so"
# Check debug symbols are present and can identify code
find "$JAVA_HOME" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib
find "$JAVA_HOME" -iname '*.so' -print0 | while read -d $'\0' lib
do
if [ -f "$lib" ] ; then
echo "Testing $lib for debug symbols"
@ -2034,16 +1964,10 @@ quit
end
run -version
EOF
%if 0%{?fedora} > 0
# This fails on s390x for some reason. Disable for now. See:
# https://koji.fedoraproject.org/koji/taskinfo?taskID=41499227
%ifnarch s390x
grep 'JavaCallWrapper::JavaCallWrapper' gdb.out
%endif
%endif
# Check src.zip has all sources. See RHBZ#1130490
$JAVA_HOME/bin/ jar -tf $JAVA_HOME/lib/src.zip | grep 'sun.misc.Unsafe'
jar -tf $JAVA_HOME/lib/src.zip | grep 'sun.misc.Unsafe'
# Check class files include useful debugging information
$JAVA_HOME/bin/javap -l java.lang.Object | grep "Compiled from"
@ -2063,9 +1987,9 @@ STRIP_KEEP_SYMTAB=libjvm*
for suffix in %{build_loop} ; do
top_dir_abs_main_build_path=$(pwd)/%{install outputdir -- ${suffix}%{main_suffix}}
top_dir_abs_main_build_path=$(pwd)/%{build outputdir -- ${suffix}%{main_suffix}}
%if %{include_staticlibs}
top_dir_abs_staticlibs_build_path=$(pwd)/%{install outputdir -- ${suffix}%{staticlibs_loop}}
top_dir_abs_staticlibs_build_path=$(pwd)/%{build outputdir -- ${suffix}%{staticlibs_loop}}
%endif
jdk_image=${top_dir_abs_main_build_path}/images/%{jdkimage}
@ -2133,7 +2057,7 @@ if ! echo $suffix | grep -q "debug" ; then
fi
# Install release notes
commondocdir=${RPM_BUILD_ROOT}%{_defaultdocdir}/%{uniquejavadocdir -- $suffix}
commondocdir=${RPM_BUILD_ROOT}%{_defaultdocdir}/%{uniquejavadocdir $suffix}
install -d -m 755 ${commondocdir}
cp -a %{SOURCE10} ${commondocdir}
@ -2191,7 +2115,13 @@ done
-- whether copy-jdk-configs is installed or not. If so, then configs are copied
-- (copy_jdk_configs from %%{_libexecdir} used) or not copied at all
local posix = require "posix"
local debug = false
if (os.getenv("debug") == "true") then
debug = true;
print("cjc: in spec debug is on")
else
debug = false;
end
SOURCE1 = "%{rpm_state_dir}/copy_jdk_configs.lua"
SOURCE2 = "%{_libexecdir}/copy_jdk_configs.lua"
@ -2219,9 +2149,10 @@ else
return
end
end
-- run content of included file with fake args
arg = {"--currentjvm", "%{uniquesuffix %{nil}}", "--jvmdir", "%{_jvmdir %{nil}}", "--origname", "%{name}", "--origjavaver", "%{javaver}", "--arch", "%{_arch}", "--temp", "%{rpm_state_dir}/%{name}.%{_arch}"}
require "copy_jdk_configs.lua"
arg = nil ; -- it is better to null the arg up, no meter if they exists or not, and use cjc as module in unified way, instead of relaying on "main" method during require "copy_jdk_configs.lua"
cjc = require "copy_jdk_configs.lua"
args = {"--currentjvm", "%{uniquesuffix %{nil}}", "--jvmdir", "%{_jvmdir %{nil}}", "--origname", "%{name}", "--origjavaver", "%{javaver}", "--arch", "%{_arch}", "--temp", "%{rpm_state_dir}/%{name}.%{_arch}"}
cjc.mainProgram(args)
-- the returns from copy_jdk_configs.lua should not affect this 'main', so it shodl run under all circumstances, except fatal error
-- https://bugzilla.redhat.com/show_bug.cgi?id=1820172
-- https://docs.fedoraproject.org/en-US/packaging-guidelines/Directory_Replacement/
@ -2306,6 +2237,7 @@ end
%posttrans devel-slowdebug
%{posttrans_devel -- %{debug_suffix_unquoted}}
%endif
%if %{include_fastdebug_build}
@ -2401,6 +2333,7 @@ end
%files src-slowdebug
%{files_src -- %{debug_suffix_unquoted}}
%endif
%if %{include_fastdebug_build}
@ -2430,79 +2363,146 @@ end
%endif
%changelog
* Wed Oct 13 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.13.0.8-1
- Update to jdk-11.0.12.0+8
- Update release notes to 11.0.12.0+8
- Switch to GA mode for final release.
- This tarball is embargoed until 2021-10-19 @ 1pm PT.
- Resolves: rhbz#2012333
* Tue Oct 12 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.13.0.7-0.1.ea
- Update to jdk-11.0.13.0+7
- Update release notes to 11.0.13.0+7
- Update tarball generation script to use git following OpenJDK 11u's move to github
- Switch to EA mode for 11.0.13 pre-release builds.
- Remove non-Free test from source tarball.
- Related: rhbz#2011826
* Sun Oct 10 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.7-1
- Restructure the build so a minimal initial build is then used for the final build (with docs)
- This reduces pressure on the system JDK and ensures the JDK being built can do a full build
- Reduce disk footprint by removing build artifacts by default.
- Related: rhbz#2011826
* Mon Sep 06 2021 Jiri Vanek <jvanek@redhat.com> - 1:11.0.12.0.7-1
- Minor cosmetic improvements to make spec more comparable between variants
- Related: rhbz#2011826
* Tue Jul 13 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.7-0
* Mon Aug 30 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.7-4
- Extend the default security policy to accomodate PKCS11 accessing jdk.internal.misc.
- Resolves: rhbz#1997357
* Fri Aug 27 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.7-3
- Add patch to login to the NSS software token when in FIPS mode.
- Resolves: rhbz#1997357
* Wed Jul 28 2021 Severin Gehwolf <sgehwolf@redhat.com> - 1:11.0.12.0.7-2
- Add patch in order to fix java.library.path issue on aarch64 (JDK-8269668)
- Resolves: rhbz#1994104
* Tue Jul 13 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.7-1
- Update to jdk-11.0.12.0+7
- Update release notes to 11.0.12.0+7
- Switch to GA mode for final release.
- This tarball is embargoed until 2021-07-20 @ 1pm PT.
- Resolves: rhbz#1972395
* Thu Jul 08 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.6-0.0.ea
- Update to jdk-11.0.12.0+6
- Update release notes to 11.0.12.0+6
- Switch to EA mode for 11.0.12 pre-release builds.
- Update ECC patch following JDK-8226374 (bug ID yet to be confirmed)
- Re-order source files to sync with Fedora.
- Remove explicit compiler flags which should be handled by the upstream build
(-std=gnu++98, -fno-delete-null-pointer-checks, -fno-lifetime-dse)
- Skip 11.0.12.0+5 as 11.0.12.0+6 only adds a test change
- Resolves: rhbz#1967374
* Thu Jul 08 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.4-0.0.ea
- Update to jdk-11.0.12.0+4
- Update release notes to 11.0.12.0+4
- Correct bug ID JDK-8264846 to intended ID of JDK-8264848
- Resolves: rhbz#1967374
* Mon Jul 05 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.3-0.0.ea
- Update to jdk-11.0.12.0+3
- Update release notes to 11.0.12.0+3
- Resolves: rhbz#1967374
* Fri Jul 02 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.2-0.1.ea
- Use the "reverse" build loop (debug first) as the main and only build loop to get more diagnostics.
- Remove restriction on disabling product build, as debug packages no longer have javadoc packages.
- Correct bug ID JDK-8264846 to intended ID of JDK-8264848
- Skip 11.0.12.0+5 as 11.0.12.0+6 only adds a test change
- Resolves: rhbz#1972395
- Resolves: rhbz#1966234
* Fri Jul 02 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.2-0.0.ea
- Update to jdk-11.0.12.0+2
- Update release notes to 11.0.12.0+2
- Resolves: rhbz#1967374
* Mon Jun 28 2021 Severin Gehwolf <sgehwolf@redhat.com> - 1:11.0.12.0.6-0.0.ea
* Wed Jun 30 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.1-0.3.ea
- Remove explicit compiler flags which should be handled by the upstream build
(-std=gnu++98, -fno-delete-null-pointer-checks, -fno-lifetime-dse)
- Resolves: rhbz#1966234
* Wed Jun 30 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.1-0.2.ea
- Add ppc64le and aarch64 to fastdebug_arches
- Resolves: rhbz#1969255
* Mon Jun 28 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.1-0.1.ea
- Re-order source files to sync with Fedora.
- Resolves: rhbz#1966234
* Mon Jun 28 2021 Severin Gehwolf <sgehwolf@redhat.com> - 1:11.0.12.0.1-0.1.ea
- Add a test verifying system crypto policies can be disabled
- Resolves: rhbz#1972395
- Resolves: rhbz#1966234
* Thu Apr 15 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.11.0.9-2
- Require tzdata 2021a to match upstream change JDK-8260356
- Resolves: rhbz#1942310
* Mon Jun 28 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.12.0.1-0.0.ea
- Update to jdk-11.0.12.0+1
- Update release notes to 11.0.12.0+1
- Switch to EA mode for 11.0.12 pre-release builds.
- Update ECC patch following JDK-8226374 (bug ID yet to be confirmed)
- Resolves: rhbz#1967374
* Wed Jun 16 2021 Jiri Vanek <jvanek@redhat.com> - 1:11.0.11.0.9-5
- adapted to newst cjc to fix issue with rpm 4.17
- Disable copy-jdk-configs for Flatpak builds
- removed cjc backward comaptiblity, to fix when both rpm 4.16 and 4.17 are in transaction
- Resolves: rhbz#1953923
* Tue Jun 08 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.11.0.9-4
- Minor code cleanups on FIPS detection patch and check for SECMOD_GetSystemFIPSEnabled in configure.
- Remove unneeded Requires on NSS as it will now be dynamically linked and detected by RPM.
- Resolves: rhbz#1929465
* Tue Apr 13 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.11.0.9-1
* Tue Jun 08 2021 Martin Balao <mbalao@redhat.com> - 1:11.0.11.0.9-4
- Detect FIPS using SECMOD_GetSystemFIPSEnabled in the new libsystemconf JDK library.
- Resolves: rhbz#1929465
* Wed Apr 21 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.11.0.9-3
- Update to jdk-11.0.11.0+9
- Update release notes to 11.0.11.0+9
- Switch to GA mode for final release.
- This tarball is embargoed until 2021-04-20 @ 1pm PT.
- Resolves: rhbz#1938201
* Tue Apr 13 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.11.0.7-0.1.ea
* Thu Apr 15 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.11.0.7-0.3.ea
- Require tzdata 2021a to match upstream change JDK-8260356
- Resolves: rhbz#1942310
* Mon Apr 12 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.11.0.7-0.2.ea
- Update to jdk-11.0.11.0+7
- Update release notes to 11.0.11.0+7
- Resolves: rhbz#1942310
* Mon Apr 12 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.11.0.6-0.2.ea
- Update to jdk-11.0.11.0+6
- Update release notes to 11.0.11.0+6
- Resolves: rhbz#1942310
* Sat Apr 10 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.11.0.5-0.2.ea
- Update to jdk-11.0.11.0+5
- Update release notes to 11.0.11.0+5
- Resolves: rhbz#1942310
* Fri Apr 09 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.11.0.4-0.2.ea
- Update to jdk-11.0.11.0+4
- Update release notes to 11.0.11.0+4
- Resolves: rhbz#1942310
* Fri Apr 09 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.11.0.3-0.2.ea
- Update to jdk-11.0.11.0+3
- Update release notes to 11.0.11.0+3
- Resolves: rhbz#1942310
* Fri Apr 09 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.11.0.2-0.2.ea
- Update to jdk-11.0.11.0+2
- Update release notes to 11.0.11.0+2
- Resolves: rhbz#1942310
* Mon Apr 05 2021 Andrew Hughes <gnu.andrew@redhat.com> - 1:11.0.11.0.1-0.2.ea
- Update to jdk-11.0.11.0+1
- Update release notes to 11.0.11.0+1
- Switch to EA mode for 11.0.11 pre-release builds.
- Require tzdata 2020f to match upstream change JDK-8259048
- Remove RH1868754 patch as this is now resolved upstream by JDK-8258833
- Remove RH1868740 & RH1883849 patches as these are now resolved by JDK-8259319
- Resolves: rhbz#1942310
* Tue Apr 13 2021 Jayashree Huttanagoudar <jhuttana@redhat.com> - 1:11.0.11.0.7-0.1.ea
* Sun Mar 28 2021 Jayashree Huttanagoudar <jhuttana@redhat.com> - 1:11.0.10.0.9-10
- Fix issue where CheckVendor.java test erroneously passes when it should fail.
- Add proper quoting so '&' is not treated as a special character by the shell.
- Resolves: rhbz#1942310
* Wed Mar 24 2021 Jayashree Huttanagoudar <jhuttana@redhat.com> - 1:11.0.10.0.9-9
- Fixed not-including fastdebug build in case of --without fastdebug
- Resolves: rhbz#1942310
CentOS Sources
3 years ago
committed by
Stepan Oksanichenko