|
|
|
@ -322,7 +322,7 @@
|
|
|
|
# New Version-String scheme-style defines
|
|
|
|
# New Version-String scheme-style defines
|
|
|
|
%global featurever 17
|
|
|
|
%global featurever 17
|
|
|
|
%global interimver 0
|
|
|
|
%global interimver 0
|
|
|
|
%global updatever 9
|
|
|
|
%global updatever 10
|
|
|
|
%global patchver 0
|
|
|
|
%global patchver 0
|
|
|
|
# buildjdkver is usually same as %%{featurever},
|
|
|
|
# buildjdkver is usually same as %%{featurever},
|
|
|
|
# but in time of bootstrap of next jdk, it is featurever-1,
|
|
|
|
# but in time of bootstrap of next jdk, it is featurever-1,
|
|
|
|
@ -362,7 +362,7 @@
|
|
|
|
# Define IcedTea version used for SystemTap tapsets and desktop file
|
|
|
|
# Define IcedTea version used for SystemTap tapsets and desktop file
|
|
|
|
%global icedteaver 6.0.0pre00-c848b93a8598
|
|
|
|
%global icedteaver 6.0.0pre00-c848b93a8598
|
|
|
|
# Define current Git revision for the FIPS support patches
|
|
|
|
# Define current Git revision for the FIPS support patches
|
|
|
|
%global fipsver 51e1d00be4e
|
|
|
|
%global fipsver d63771ea660
|
|
|
|
%global javaver %{featurever}
|
|
|
|
%global javaver %{featurever}
|
|
|
|
%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver}
|
|
|
|
%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver}
|
|
|
|
|
|
|
|
|
|
|
|
@ -377,7 +377,7 @@
|
|
|
|
%global origin_nice OpenJDK
|
|
|
|
%global origin_nice OpenJDK
|
|
|
|
%global top_level_dir_name %{vcstag}
|
|
|
|
%global top_level_dir_name %{vcstag}
|
|
|
|
%global top_level_dir_name_backup %{top_level_dir_name}-backup
|
|
|
|
%global top_level_dir_name_backup %{top_level_dir_name}-backup
|
|
|
|
%global buildver 9
|
|
|
|
%global buildver 7
|
|
|
|
# rpmrelease numbering must start at 2 to be later than the 8.6 RPM
|
|
|
|
# rpmrelease numbering must start at 2 to be later than the 8.6 RPM
|
|
|
|
%global rpmrelease 2
|
|
|
|
%global rpmrelease 2
|
|
|
|
# Settings used by the portable build
|
|
|
|
# Settings used by the portable build
|
|
|
|
@ -1347,8 +1347,6 @@ Patch600: rh1750419-redhat_alt_java.patch
|
|
|
|
|
|
|
|
|
|
|
|
# Ignore AWTError when assistive technologies are loaded
|
|
|
|
# Ignore AWTError when assistive technologies are loaded
|
|
|
|
Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
|
|
|
|
Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
|
|
|
|
# Restrict access to java-atk-wrapper classes
|
|
|
|
|
|
|
|
Patch2: rh1648644-java_access_bridge_privileged_security.patch
|
|
|
|
|
|
|
|
Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
|
|
|
|
Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
|
|
|
|
# Depend on pcsc-lite-libs instead of pcsc-lite-devel as this is only in optional repo
|
|
|
|
# Depend on pcsc-lite-libs instead of pcsc-lite-devel as this is only in optional repo
|
|
|
|
Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
|
|
|
|
Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
|
|
|
|
@ -1357,38 +1355,45 @@ Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-d
|
|
|
|
# Patch is generated from the fips-17u tree at https://github.com/rh-openjdk/jdk/tree/fips-17u
|
|
|
|
# Patch is generated from the fips-17u tree at https://github.com/rh-openjdk/jdk/tree/fips-17u
|
|
|
|
# as follows: git diff %%{vcstag} src make test > fips-17u-$(git show -s --format=%h HEAD).patch
|
|
|
|
# as follows: git diff %%{vcstag} src make test > fips-17u-$(git show -s --format=%h HEAD).patch
|
|
|
|
# Diff is limited to src and make subdirectories to exclude .github changes
|
|
|
|
# Diff is limited to src and make subdirectories to exclude .github changes
|
|
|
|
|
|
|
|
# The following list is generated by:
|
|
|
|
|
|
|
|
# git log %%{vcstag}.. --no-merges --format=%s --reverse:
|
|
|
|
# Fixes currently included:
|
|
|
|
# Fixes currently included:
|
|
|
|
# PR3183, RH1340845: Follow system wide crypto policy
|
|
|
|
# PR3183, RH1340845: Support Fedora & RHEL system crypto policy
|
|
|
|
# PR3695: Allow use of system crypto policy to be disabled by the user
|
|
|
|
# PR3695: Allow system crypto policy enforcement to be toggled on/off
|
|
|
|
# RH1655466: Support RHEL FIPS mode using SunPKCS11 provider
|
|
|
|
# RH1655466: Support global RHEL crypto policy
|
|
|
|
# RH1818909: No ciphersuites availale for SSLSocket in FIPS mode
|
|
|
|
# RH1818909: Set default keystore type for PKCS11 provider in FIPS mode
|
|
|
|
# RH1860986: Disable TLSv1.3 with the NSS-FIPS provider until PKCS#11 v3.0 support is available
|
|
|
|
# RH1860986: Disable TLSv1.3 in FIPS mode
|
|
|
|
# RH1915071: Always initialise JavaSecuritySystemConfiguratorAccess
|
|
|
|
# RH1915071: Always initialise configurator access.patch
|
|
|
|
# RH1929465: Improve system FIPS detection
|
|
|
|
# RH1929465: Improve system FIPS detection
|
|
|
|
# RH1995150: Disable non-FIPS crypto in SUN and SunEC security providers
|
|
|
|
# RH1995150: Disable non-FIPS crypto in the SUN and SunEC providers
|
|
|
|
# RH1996182: Login to the NSS software token in FIPS mode
|
|
|
|
# RH1996182: Login to the NSS Software Token in FIPS Mode
|
|
|
|
# RH1991003: Allow plain key import unless com.redhat.fips.plainKeySupport is set to false
|
|
|
|
# RH1929465: Don't define unused throwIOException function when using NSS detection
|
|
|
|
# RH2021263: Resolve outstanding FIPS issues
|
|
|
|
# RH1996182: Extend default security policy to allow SunPKCS11 access to jdk.internal.access
|
|
|
|
# RH2052819: Fix FIPS reliance on crypto policies
|
|
|
|
# RH1991003: Enable the import of plain keys into the NSS software token.
|
|
|
|
# RH2052829: Detect NSS at Runtime for FIPS detection
|
|
|
|
# RH2021263: Return in C code after having generated Java exception
|
|
|
|
|
|
|
|
# RH2021263: Make sure java.security.Security is initialised when retrieving JavaSecuritySystemConfiguratorAccess instance
|
|
|
|
|
|
|
|
# RH2021263: Improve Security initialisation, now FIPS support no longer relies on crypto policy support
|
|
|
|
|
|
|
|
# RH2051605: Detect NSS at Runtime for FIPS detection
|
|
|
|
# RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode
|
|
|
|
# RH2052070: Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode
|
|
|
|
# RH2023467: Enable FIPS keys export
|
|
|
|
# RH2023467: Enable FIPS keys export (#1)
|
|
|
|
# RH2094027: SunEC runtime permission for FIPS
|
|
|
|
# Run workflows on pull request, as we are not using SKARA.
|
|
|
|
# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage
|
|
|
|
# RH2094027: SunEC runtime permission for FIPS (#5)
|
|
|
|
# RH2090378: Revert to disabling system security properties and FIPS mode support together
|
|
|
|
# RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage (#8)
|
|
|
|
# RH2104724: Avoid import/export of DH private keys
|
|
|
|
# RH2090378: Revert to disabling system security properties and FIPS mode support together (#4)
|
|
|
|
# RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode
|
|
|
|
# Use encoded space rather than quoting for JTReg JAVA_OPTIONS
|
|
|
|
# Build the systemconf library on all platforms
|
|
|
|
# RH2104724: Avoid import/export of DH private keys (#14)
|
|
|
|
# RH2048582: Support PKCS#12 keystores
|
|
|
|
# RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode (#16)
|
|
|
|
# RH2020290: Support TLS 1.3 in FIPS mode
|
|
|
|
# Build the systemconf library on all platforms (#7)
|
|
|
|
# Add nss.fips.cfg support to OpenJDK tree
|
|
|
|
# RH2048582: Support PKCS#12 keystores (#2)
|
|
|
|
# RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode
|
|
|
|
# RH2020290: Support TLS 1.3 in FIPS mode (#13)
|
|
|
|
# Remove forgotten dead code from RH2020290 and RH2104724
|
|
|
|
# Add nss.fips.cfg support to OpenJDK tree (#22)
|
|
|
|
# OJ1357: Fix issue on FIPS with a SecurityManager in place
|
|
|
|
# RH2117972 - Extend the support for NSS DBs (PKCS11) in FIPS mode (#17)
|
|
|
|
# RH2134669: Add missing attributes when registering services in FIPS mode.
|
|
|
|
# Remove forgotten dead code from #13 and #14 (#21)
|
|
|
|
# test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class
|
|
|
|
# Fix issue on FIPS with a SecurityManager in place (#25)
|
|
|
|
# RH1940064: Enable XML Signature provider in FIPS mode
|
|
|
|
# RH2134669: Add missing attributes when registering services in FIPS mode. (#19)
|
|
|
|
# RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized
|
|
|
|
# test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class (#27)
|
|
|
|
|
|
|
|
# RH1940064: Enable XML Signature provider in FIPS mode (#24)
|
|
|
|
|
|
|
|
# RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized (#26)
|
|
|
|
Patch1001: fips-17u-%{fipsver}.patch
|
|
|
|
Patch1001: fips-17u-%{fipsver}.patch
|
|
|
|
|
|
|
|
|
|
|
|
#############################################
|
|
|
|
#############################################
|
|
|
|
@ -1402,8 +1407,8 @@ Patch1001: fips-17u-%{fipsver}.patch
|
|
|
|
# OpenJDK patches appearing in 17.0.10
|
|
|
|
# OpenJDK patches appearing in 17.0.10
|
|
|
|
#
|
|
|
|
#
|
|
|
|
#############################################
|
|
|
|
#############################################
|
|
|
|
# JDK-8312489, OJ2095: Increase jdk.jar.maxSignatureFileSize default which is too low for JARs such as WhiteSource/Mend unified agent jar
|
|
|
|
|
|
|
|
Patch2000: jdk8312489-max_sig_default_increase.patch
|
|
|
|
# Currently empty
|
|
|
|
|
|
|
|
|
|
|
|
BuildRequires: autoconf
|
|
|
|
BuildRequires: autoconf
|
|
|
|
BuildRequires: automake
|
|
|
|
BuildRequires: automake
|
|
|
|
@ -1838,22 +1843,20 @@ sh %{SOURCE12} %{top_level_dir_name}
|
|
|
|
%endif
|
|
|
|
%endif
|
|
|
|
|
|
|
|
|
|
|
|
# Patch the JDK
|
|
|
|
# Patch the JDK
|
|
|
|
|
|
|
|
# -P N: apply patch number N, same as passing N as a positional argument on rpm >= 4.18
|
|
|
|
|
|
|
|
# -p N: strip N leading slashes from paths
|
|
|
|
pushd %{top_level_dir_name}
|
|
|
|
pushd %{top_level_dir_name}
|
|
|
|
%patch1 -p1
|
|
|
|
%patch -P1 -p1
|
|
|
|
%patch2 -p1
|
|
|
|
%patch -P3 -p1
|
|
|
|
%patch3 -p1
|
|
|
|
%patch -P6 -p1
|
|
|
|
%patch6 -p1
|
|
|
|
|
|
|
|
# Add crypto policy and FIPS support
|
|
|
|
# Add crypto policy and FIPS support
|
|
|
|
%patch1001 -p1
|
|
|
|
%patch -P1001 -p1
|
|
|
|
# nss.cfg PKCS11 support; must come last as it also alters java.security
|
|
|
|
# nss.cfg PKCS11 support; must come last as it also alters java.security
|
|
|
|
%patch1000 -p1
|
|
|
|
%patch -P1000 -p1
|
|
|
|
# JDK-8312489 backport, coming in 17.0.10
|
|
|
|
|
|
|
|
%patch2000 -p1
|
|
|
|
|
|
|
|
# alt-java support
|
|
|
|
# alt-java support
|
|
|
|
%patch600 -p1
|
|
|
|
%patch -P600 -p1
|
|
|
|
popd # openjdk
|
|
|
|
popd # openjdk
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# The OpenJDK version file includes the current
|
|
|
|
# The OpenJDK version file includes the current
|
|
|
|
# upstream version information. For some reason,
|
|
|
|
# upstream version information. For some reason,
|
|
|
|
# configure does not automatically use the
|
|
|
|
# configure does not automatically use the
|
|
|
|
@ -1871,9 +1874,7 @@ if [ "x${UPSTREAM_EA_DESIGNATOR}" != "x%{ea_designator}" ] ; then
|
|
|
|
echo "WARNING: Designator mismatch";
|
|
|
|
echo "WARNING: Designator mismatch";
|
|
|
|
echo "Spec file is configured for a %{build_type} build with designator '%{ea_designator}'"
|
|
|
|
echo "Spec file is configured for a %{build_type} build with designator '%{ea_designator}'"
|
|
|
|
echo "Upstream version-pre setting is '${UPSTREAM_EA_DESIGNATOR}'";
|
|
|
|
echo "Upstream version-pre setting is '${UPSTREAM_EA_DESIGNATOR}'";
|
|
|
|
# Temporarily commented out as local copy of jdk-17.0.8+7 has the wrong setting
|
|
|
|
exit 17
|
|
|
|
# This is fixed in the final upstream version
|
|
|
|
|
|
|
|
# exit 17
|
|
|
|
|
|
|
|
fi
|
|
|
|
fi
|
|
|
|
|
|
|
|
|
|
|
|
# Prepare desktop files
|
|
|
|
# Prepare desktop files
|
|
|
|
@ -2472,6 +2473,41 @@ require "copy_jdk_configs.lua"
|
|
|
|
%endif
|
|
|
|
%endif
|
|
|
|
|
|
|
|
|
|
|
|
%changelog
|
|
|
|
%changelog
|
|
|
|
|
|
|
|
* Thu Jan 11 2024 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.10.0.7-1
|
|
|
|
|
|
|
|
- Update to jdk-17.0.10+7 (GA)
|
|
|
|
|
|
|
|
- Sync the copy of the portable specfile with the latest update
|
|
|
|
|
|
|
|
- Move to -P<n> usage for patch macro which works on all RPM versions
|
|
|
|
|
|
|
|
- Remove RH1648644 patch not in portable build (and so not applied to binary used)
|
|
|
|
|
|
|
|
- Re-enable DEFAULT_PROMOTED_VERSION_PRE check disabled for the July 2023 release
|
|
|
|
|
|
|
|
- generate_source_tarball.sh: Add --sort=name to tar invocation for reproducibility
|
|
|
|
|
|
|
|
- ** This tarball is embargoed until 2024-01-16 @ 1pm PT. **
|
|
|
|
|
|
|
|
- Resolves: RHEL-20969
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
* Thu Jan 11 2024 Thomas Fitzsimmons <fitzsim@redhat.com> - 1:17.0.10.0.7-1
|
|
|
|
|
|
|
|
- Update to jdk-17.0.10+6 (EA)
|
|
|
|
|
|
|
|
- fips-17u-d63771ea660.patch: Regenerate from gnu-andrew branch
|
|
|
|
|
|
|
|
- generate_source_tarball.sh: Add WITH_TEMP environment variable
|
|
|
|
|
|
|
|
- generate_source_tarball.sh: Multithread xz on all available cores
|
|
|
|
|
|
|
|
- generate_source_tarball.sh: Add OPENJDK_LATEST environment variable
|
|
|
|
|
|
|
|
- generate_source_tarball.sh: Update comment about tarball naming
|
|
|
|
|
|
|
|
- generate_source_tarball.sh: Remove REPO_NAME from FILE_NAME_ROOT
|
|
|
|
|
|
|
|
- generate_source_tarball.sh: Set compile-command in Emacs
|
|
|
|
|
|
|
|
- generate_source_tarball.sh: Reformat comment header
|
|
|
|
|
|
|
|
- generate_source_tarball.sh: Reformat and update help output
|
|
|
|
|
|
|
|
- generate_source_tarball.sh: Move PROJECT_NAME and REPO_NAME checks
|
|
|
|
|
|
|
|
- generate_source_tarball.sh: Do a shallow clone, for speed
|
|
|
|
|
|
|
|
- generate_source_tarball.sh: Append -ea designator when required
|
|
|
|
|
|
|
|
- generate_source_tarball.sh: Eliminate some removal prompting
|
|
|
|
|
|
|
|
- generate_source_tarball.sh: Make tarball reproducible
|
|
|
|
|
|
|
|
- generate_source_tarball.sh: Prefix temporary directory with temp-
|
|
|
|
|
|
|
|
- generate_source_tarball.sh: shellcheck: Remove x-prefixes since we use Bash
|
|
|
|
|
|
|
|
- generate_source_tarball.sh: shellcheck: Double-quote variable references
|
|
|
|
|
|
|
|
- generate_source_tarball.sh: shellcheck: Do not use -a
|
|
|
|
|
|
|
|
- generate_source_tarball.sh: shellcheck: Do not use $ in expression
|
|
|
|
|
|
|
|
- generate_source_tarball.sh: Remove temporary directory exit conditions
|
|
|
|
|
|
|
|
- generate_source_tarball.sh: Add note on network usage of OPENJDK_LATEST
|
|
|
|
|
|
|
|
- Related: RHEL-20969
|
|
|
|
|
|
|
|
|
|
|
|
* Thu Oct 12 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.9.0.9-1
|
|
|
|
* Thu Oct 12 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.9.0.9-1
|
|
|
|
- Update to jdk-17.0.9+9 (GA)
|
|
|
|
- Update to jdk-17.0.9+9 (GA)
|
|
|
|
- Sync the copy of the portable specfile with the latest update
|
|
|
|
- Sync the copy of the portable specfile with the latest update
|
|
|
|
|
MSVSphere Packaging Team
1 year ago