From f098dc080cde72e40fcd4eab7b57b575320cabff Mon Sep 17 00:00:00 2001 From: tigro Date: Wed, 8 Nov 2023 17:57:02 +0300 Subject: [PATCH] Another build --- SPECS/java-21-openjdk-portable.spec | 1487 ++++++++++++++++----------- 1 file changed, 888 insertions(+), 599 deletions(-) diff --git a/SPECS/java-21-openjdk-portable.spec b/SPECS/java-21-openjdk-portable.spec index eb4430c..327c5bd 100644 --- a/SPECS/java-21-openjdk-portable.spec +++ b/SPECS/java-21-openjdk-portable.spec @@ -1,7 +1,5 @@ -%if (0%{?rhel} > 0 && 0%{?rhel} < 8) -# portable jdk 17 specific bug, _jvmdir being missing +# portable jdk 21 specific bug, _jvmdir being missing %define _jvmdir /usr/lib/jvm -%endif # debug_package %%{nil} is portable-jdks specific %define debug_package %{nil} @@ -20,7 +18,6 @@ # # Only produce a release build on x86_64: # $ fedpkg mockbuild --without slowdebug --without fastdebug - # Enable fastdebug builds by default on relevant arches. %bcond_without fastdebug # Enable slowdebug builds by default on relevant arches. @@ -34,15 +31,6 @@ # Build with system libraries %bcond_with system_libs - -%if (0%{?rhel} > 0 && 0%{?rhel} < 8) -# This is RHEL 7 specific as it doesn't seem to have the -# __brp_strip_static_archive macro. -%define __os_install_post %{nil} -%endif - -%global unpacked_licenses %{_datarootdir}/licenses - # Workaround for stripping of debug symbols from static libraries %if %{with staticlibs} %define __brp_strip_static_archive %{nil} @@ -66,8 +54,8 @@ # See: https://bugzilla.redhat.com/show_bug.cgi?id=1520879 %global _find_debuginfo_opts -g -# With LTO flags enabled, debuginfo checks fail for some reason. Disable -# LTO for a passing build. This really needs to be looked at. +# Disable LTO as this causes build failures at the moment. +# See RHBZ#1861401 %define _lto_cflags %{nil} # note: parametrized macros are order-sensitive (unlike not-parametrized) even with normal macros @@ -109,7 +97,7 @@ # in alternatives those are slaves and master, very often triplicated by man pages # in files all masters and slaves are ghosted # the ghosts are here to allow installation via query like `dnf install /usr/bin/java` -# you can list those files, with appropriate sections: cat *.spec | grep -e --install -e --slave -e post_ -e alternatives +# you can list those files, with appropriate sections: cat *.spec | grep -e --install -e --slave -e post_ # TODO - fix those hardcoded lists via single list # Those files must *NOT* be ghosted for *slowdebug* packages # FIXME - if you are moving jshell or jlink or similar, always modify all three sections @@ -147,16 +135,16 @@ # Set of architectures which support the serviceability agent %global sa_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{power64} %{arm} # Set of architectures which support class data sharing -# See https://bugzilla.redhat.com/show_bug.cgi?id=513605 -# MetaspaceShared::generate_vtable_methods is not implemented for the PPC JIT -%global share_arches %{ix86} x86_64 sparcv9 sparc64 %{aarch64} %{arm} s390x +# As of JDK-8005165 in OpenJDK 10, class sharing is not arch-specific +# However, it does segfault on the Zero assembler port, so currently JIT only +%global share_arches %{jit_arches} # Set of architectures for which we build the Shenandoah garbage collector %global shenandoah_arches x86_64 %{aarch64} # Set of architectures for which we build the Z garbage collector %global zgc_arches x86_64 # Set of architectures for which alt-java has SSB mitigation %global ssbd_arches x86_64 -# Set of architectures for which java has short vector math library (libsvml.so) +# Set of architectures for which java has short vector math library (libjsvml.so) %global svml_arches x86_64 # Set of architectures where we verify backtraces with gdb # s390x fails on RHEL 7 so we exclude it there @@ -166,7 +154,7 @@ %global gdb_arches %{jit_arches} %{zero_arches} %endif -# By default, we build a debug build during main build on JIT architectures +# By default, we build a slowdebug build during main build on JIT architectures %if %{with slowdebug} %ifarch %{debug_arches} %global include_debug_build 1 @@ -217,15 +205,11 @@ %global staticlibs_loop %{nil} %endif -%if 0%{?flatpak} -%global bootstrap_build false -%else %ifarch %{bootstrap_arches} %global bootstrap_build true %else %global bootstrap_build false %endif -%endif %if %{include_staticlibs} # Extra target for producing the static-libraries. Separate from @@ -237,14 +221,14 @@ %global static_libs_target %{nil} %endif -# RPM JDK builds keep the debug symbols internal, to be later stripped by RPM -%global debug_symbols internal - -# unlike portables,the rpms have to use static_libs_target very dynamically -%global bootstrap_targets images legacy-jre-image -%global release_targets images docs-zip legacy-jre-image +# The static libraries are produced under the same configuration as the main +# build for portables, as we expect in-tree libraries to be used throughout. +# If system libraries are enabled, the static libraries will also use them +# which may cause issues. +%global bootstrap_targets images %{static_libs_target} legacy-jre-image +%global release_targets images docs-zip %{static_libs_target} legacy-jre-image # No docs nor bootcycle for debug builds -%global debug_targets images legacy-jre-image +%global debug_targets images %{static_libs_target} legacy-jre-image # Target to use to just build HotSpot %global hotspot_target hotspot @@ -261,7 +245,7 @@ # the initialization must be here. Later the pkg-config have buggy behavior # looks like openjdk RPM specific bug # Always set this so the nss.cfg file is not broken -%global NSS_LIBDIR %(pkg-config --variable=libdir nss) +#%global NSS_LIBDIR %(pkg-config --variable=libdir nss) # In some cases, the arch used by the JDK does # not match _arch. @@ -338,18 +322,18 @@ # buildjdkver is usually same as %%{featurever}, # but in time of bootstrap of next jdk, it is featurever-1, # and this it is better to change it here, on single place -%global buildjdkver 21 +%global buildjdkver 20 # We don't add any LTS designator for STS packages (Fedora and EPEL). # We need to explicitly exclude EPEL as it would have the %%{rhel} macro defined. %if 0%{?rhel} && !0%{?epel} %global lts_designator "LTS" %global lts_designator_zip -%{lts_designator} %else - %global lts_designator "" - %global lts_designator_zip "" + %global lts_designator "" + %global lts_designator_zip "" %endif # JDK to use for bootstrapping -%global bootjdk /usr/lib/jvm/java-%{buildjdkver}-openjdk +%global bootjdk /usr/lib/jvm/java-%{featurever}-openjdk # Define whether to use the bootstrap JDK directly or with a fresh libjvm.so # This will only work where the bootstrap JDK is the same major version # as the JDK being built @@ -378,20 +362,28 @@ %endif %endif %endif -%global oj_vendor_version (Red_Hat-%{version}-%{release}) +%global oj_vendor_version (Red_Hat-%{version}-%{rpmrelease}) # Define IcedTea version used for SystemTap tapsets and desktop file %global icedteaver 6.0.0pre00-c848b93a8598 # Define current Git revision for the FIPS support patches %global fipsver 75ffdc48eda +# Define JDK versions +%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver} +%global javaver %{featurever} +# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames +%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn}) +# The tag used to create the OpenJDK tarball +%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}} # Standard JPackage naming and versioning defines %global origin openjdk %global origin_nice OpenJDK -%global top_level_dir_name %{origin} +%global top_level_dir_name %{vcstag} %global top_level_dir_name_backup %{top_level_dir_name}-backup -%global buildver 35 -%global rpmrelease 1 +%global buildver 35 +%global rpmrelease 2 +#%%global tagsuffix %%{nil} # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit %if %is_system_jdk # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions @@ -404,14 +396,6 @@ # for techpreview, using 1, so slowdebugs can have 0 %global priority %( printf '%08d' 1 ) %endif -%global newjavaver %{featurever}.%{interimver}.%{updatever}.%{patchver} -%global javaver %{featurever} - -# Strip up to 6 trailing zeros in newjavaver, as the JDK does, to get the correct version used in filenames -%global filever %(svn=%{newjavaver}; for i in 1 2 3 4 5 6 ; do svn=${svn%%.0} ; done; echo ${svn}) - -# The tag used to create the OpenJDK tarball -%global vcstag jdk-%{filever}+%{buildver}%{?tagsuffix:-%{tagsuffix}} # Define milestone (EA for pre-releases, GA for releases) # Release will be (where N is usually a number starting at 1): @@ -438,40 +422,32 @@ # images directories from upstream build %global jdkimage jdk %global static_libs_image static-libs -# installation directory for static libraries -%global static_libs_root lib/static -%global static_libs_arch_dir %{static_libs_root}/linux-%{archinstall} -%global static_libs_install_dir %{static_libs_arch_dir}/glibc # output dir stub %define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}} +%define installoutputdir() %{expand:install/jdk%{featurever}.install%{?1}} +%global altjavaoutputdir install/altjava.install +%define packageoutputdir() %{expand:packages/jdk%{featurever}.packages%{?1}} # we can copy the javadoc to not arched dir, or make it not noarch %define uniquejavadocdir() %{expand:%{fullversion}.%{_arch}%{?1}} # main id and dir of this jdk %define uniquesuffix() %{expand:%{fullversion}.%{_arch}%{?1}} # portable only declarations %global jreimage jre -%define jreportablenameimpl() %(echo %{uniquesuffix ""} | sed "s;%{version}-%{release};\\0.portable%{1}.jre;g" | sed "s;openjdkportable;el;g") -%define jdkportablenameimpl() %(echo %{uniquesuffix ""} | sed "s;%{version}-%{release};\\0.portable%{1}.jdk;g" | sed "s;openjdkportable;el;g") -%define jdkportablesourcesnameimpl() %(echo %{uniquesuffix ""} | sed "s;%{version}-%{release};\\0.portable%{1}.sources;g" | sed "s;openjdkportable;el;g" | sed "s;.%{_arch};.noarch;g") -%define staticlibsportablenameimpl() %(echo %{uniquesuffix ""} | sed "s;%{version}-%{release};\\0.portable%{1}.static-libs;g" | sed "s;openjdkportable;el;g") +%define jreportablenameimpl() %(echo %{uniquesuffix ""} | sed "s;el%{rhel}\\(_[0-9]\\)*;portable%{1}.jre;g") +%define jdkportablenameimpl() %(echo %{uniquesuffix ""} | sed "s;el%{rhel}\\(_[0-9]\\)*;portable%{1}.jdk;g") +%define staticlibsportablenameimpl() %(echo %{uniquesuffix ""} | sed "s;el%{rhel}\\(_[0-9]\\)*;portable%{1}.static-libs;g") %define jreportablearchive() %{expand:%{jreportablenameimpl -- %%{1}}.tar.xz} %define jdkportablearchive() %{expand:%{jdkportablenameimpl -- %%{1}}.tar.xz} -%define jdkportablesourcesarchive() %{expand:%{jdkportablesourcesnameimpl -- %%{1}}.tar.xz} %define staticlibsportablearchive() %{expand:%{staticlibsportablenameimpl -- %%{1}}.tar.xz} %define jreportablename() %{expand:%{jreportablenameimpl -- %%{1}}} %define jdkportablename() %{expand:%{jdkportablenameimpl -- %%{1}}} -%define jdkportablesourcesname() %{expand:%{jdkportablesourcesnameimpl -- %%{1}}} # Intentionally use jdkportablenameimpl here since we want to have static-libs files overlayed on # top of the JDK archive %define staticlibsportablename() %{expand:%{jdkportablenameimpl -- %%{1}}} - -# RPM 4.19 no longer accept our double percentaged %%{nil} passed to %%{1} -# so we have to pass in "" but evaluate it, otherwise files record will include it -%define jreportablearchiveForFiles() %(echo %{jreportablearchive -- ""}) -%define jdkportablearchiveForFiles() %(echo %{jdkportablearchive -- ""}) -%define jdkportablesourcesarchiveForFiles() %(echo %{jdkportablesourcesarchive -- ""}) -%define staticlibsportablearchiveForFiles() %(echo %{staticlibsportablearchive -- ""}) -%define jdkportablesourcesnameForFiles() %(echo %{jdkportablesourcesname -- ""}) +%define docportablename() %(echo %{uniquesuffix ""} | sed "s;el%{rhel}\\(_[0-9]\\)*;portable.docs;g") +%define docportablearchive() %{docportablename}.tar.xz +%define miscportablename() %(echo %{uniquesuffix ""} | sed "s;el%{rhel}\\(_[0-9]\\)*;portable.misc;g") +%define miscportablearchive() %{miscportablename}.tar.xz ################################################################# # fix for https://bugzilla.redhat.com/show_bug.cgi?id=1111349 @@ -482,7 +458,7 @@ %if %is_system_jdk %global __provides_exclude ^(%{_privatelibs})$ %global __requires_exclude ^(%{_privatelibs})$ -# Never generate lib-style provides/requires for any debug packages +# Never generate lib-style provides/requires for slowdebug packages %global __provides_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$ %global __requires_exclude_from ^.*/%{uniquesuffix -- %{debug_suffix_unquoted}}/.*$ %global __provides_exclude_from ^.*/%{uniquesuffix -- %{fastdebug_suffix_unquoted}}/.*$ @@ -493,6 +469,12 @@ %global __requires_exclude ^(%{_privatelibs}|%{_publiclibs})$ %endif +# VM variant being built +%ifarch %{zero_arches} +%global vm_variant zero +%else +%global vm_variant server +%endif %global etcjavasubdir %{_sysconfdir}/java/java-%{javaver}-%{origin} %define etcjavadir() %{expand:%{etcjavasubdir}/%{uniquesuffix -- %{?1}}} @@ -529,15 +511,11 @@ %global tapsetdir %{tapsetdirttapset}/%{stapinstall} %endif -# x86 is no longer supported -%if 0%{?java_arches:1} -ExclusiveArch: %{java_arches} -%else +# x86 is not supported by OpenJDK 17 ExcludeArch: %{ix86} -%endif -# Portables have no rpo (requires/provides), but thsoe are awesome for orientation in spec -# also scriptlets are hapily missing and files are handled old fashion +# Portables have no repo (requires/provides), but these are awesome for orientation in spec +# Also scriptlets are happily missing and files are handled old fashion # not-duplicated requires/provides/obsoletes for normal/debug packages %define java_rpo() %{expand: } @@ -548,6 +526,14 @@ ExcludeArch: %{ix86} %define java_static_libs_rpo() %{expand: } +%define java_unstripped_rpo() %{expand: +} + +%define java_docs_rpo() %{expand: +} + +%define java_misc_rpo() %{expand: +} # Prevent brp-java-repack-jars from being run %global __jar_repack 0 @@ -556,11 +542,8 @@ ExcludeArch: %{ix86} # this expression, when declared as global, filled component with java-x-vendor portable %define component %(echo %{name} | sed "s;-portable;;g") -Name: java-21-%{origin}-portable +Name: java-%{javaver}-%{origin}-portable Version: %{newjavaver}.%{buildver} -# This package needs `.rolling` as part of Release so as to not conflict on install with -# java-X-openjdk. I.e. when latest rolling release is also an LTS release packaged as -# java-X-openjdk. See: https://bugzilla.redhat.com/show_bug.cgi?id=1647298 Release: %{?eaprefix}%{rpmrelease}%{?extraver}%{?dist} # java-1.5.0-ibm from jpackage.org set Epoch to 1 for unknown reasons # and this change was brought into RHEL-4. java-1.5.0-ibm packages @@ -596,9 +579,8 @@ Group: Development/Languages License: ASL 1.1 and ASL 2.0 and BSD and BSD with advertising and GPL+ and GPLv2 and GPLv2 with exceptions and IJG and LGPLv2+ and MIT and MPLv2.0 and Public Domain and W3C and zlib and ISC and FTL and RSA URL: http://openjdk.java.net/ - # The source tarball, generated using generate_source_tarball.sh -Source0: openjdk-jdk%{featurever}u-%{vcstag}.tar.xz +Source0: https://openjdk-sources.osci.io/openjdk%{featurever}/openjdk-jdk%{featurever}u-%{vcstag}.tar.xz # Use 'icedtea_sync.sh' to update the following # They are based on code contained in the IcedTea project (6.x). @@ -613,12 +595,11 @@ Source0: openjdk-jdk%{featurever}u-%{vcstag}.tar.xz # Release notes Source10: NEWS -# nss configuration file -Source11: nss.cfg.in +# Source code for alt-java +Source11: alt-java.c # Removed libraries that we link instead -# Disabled in portables -#Source12: remove-intree-libraries.sh +Source12: remove-intree-libraries.sh # Ensure we aren't using the limited crypto policy Source13: TestCryptoLevel.java @@ -635,34 +616,12 @@ Source16: CheckVendor.java # Ensure translations are available for new timezones Source18: TestTranslations.java -%if (0%{?rhel} > 0 && 0%{?rhel} < 8) -# boot jdk for portable build root on -Source1001: ojdk17-aarch64-17.35.tar.gz -Source1002: ojdk17-ppc64le-17.35.tar.gz -Source1003: ojdk17-x86_64-17.35.tar.gz -Source1004: ojdk17-s390x-17.35.tar.gz -%endif - ############################################ # # RPM/distribution specific patches # ############################################ -# NSS via SunPKCS11 Provider (disabled comment -# due to memory leak). -Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch -# RH1750419: enable build of speculative store bypass hardened alt-java (CVE-2018-3639) -Patch600: rh1750419-redhat_alt_java.patch - -# Ignore AWTError when assistive technologies are loaded -Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch -# Restrict access to java-atk-wrapper classes -Patch2: rh1648644-java_access_bridge_privileged_security.patch -Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch -# Depend on pcsc-lite-libs instead of pcsc-lite-devel as this is only in optional repo -Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch - # Crypto policy and FIPS support patches # Patch is generated from the fips-21u tree at https://github.com/rh-openjdk/jdk/tree/fips-21u # as follows: git diff %%{vcstag} src make test > fips-21u-$(git show -s --format=%h HEAD).patch @@ -688,7 +647,8 @@ Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-d # RH2090378: Revert to disabling system security properties and FIPS mode support together # RH2104724: Avoid import/export of DH private keys # RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode -# RH2048582: Support PKCS#12 keystores +# Build the systemconf library on all platforms +# RH2048582: Support PKCS#12 keystores [now part of JDK-8301553 upstream] # RH2020290: Support TLS 1.3 in FIPS mode # Add nss.fips.cfg support to OpenJDK tree # RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode @@ -697,9 +657,8 @@ Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-d # RH2134669: Add missing attributes when registering services in FIPS mode. # test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class # RH1940064: Enable XML Signature provider in FIPS mode -# Build the systemconf library on all platforms -# Remove GCC minor versioning (JDK-8284772) to unbreak testing -Patch1001: fips-21u-%{fipsver}.patch +# RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized [now part of JDK-8301553 upstream] +Patch1001: fips-%{featurever}u-%{fipsver}.patch ############################################# # @@ -707,12 +666,27 @@ Patch1001: fips-21u-%{fipsver}.patch # ############################################# +# JDK-8009550, RH910107: Depend on pcsc-lite-libs instead of pcsc-lite-devel as this is only in optional repo +# PR: https://github.com/openjdk/jdk/pull/15409 +Patch6: jdk8009550-rh910107-fail_to_load_pcsc_library.patch + +# Currently empty + ############################################# # # OpenJDK patches which missed last update # ############################################# -#empty now + +# Currently empty + +############################################# +# +# Portable build specific patches +# +############################################# + +# Currently empty BuildRequires: autoconf BuildRequires: automake @@ -722,22 +696,10 @@ BuildRequires: cups-devel BuildRequires: desktop-file-utils # elfutils only are OK for build without AOT BuildRequires: elfutils-devel +BuildRequires: file BuildRequires: fontconfig-devel -BuildRequires: freetype-devel -%if (0%{?rhel} > 0 && 0%{?rhel} < 8) -BuildRequires: devtoolset-8-gcc -BuildRequires: devtoolset-8-gcc-c++ -%else -BuildRequires: gcc -# gcc-c++ is already needed -BuildRequires: java-%{buildjdkver}-openjdk-devel -%endif BuildRequires: gcc-c++ BuildRequires: gdb -%if (0%{?rhel} > 0 && 0%{?rhel} < 8) -# rhel7 only, portables only. Rhel8 have gtk3, rpms have runtime recommends of gtk -BuildRequires: gtk2-devel -%endif BuildRequires: libxslt BuildRequires: libX11-devel BuildRequires: libXi-devel @@ -746,31 +708,26 @@ BuildRequires: libXrandr-devel BuildRequires: libXrender-devel BuildRequires: libXt-devel BuildRequires: libXtst-devel -# Requirement for setting up nss.cfg and nss.fips.cfg +# Requirement for setting up nss.fips.cfg BuildRequires: nss-devel # Requirement for system security property test -%if (0%{?rhel} > 0 && 0%{?rhel} < 8) -BuildRequires: crypto-policies -%endif +# N/A for portable. RHEL7 doesn't provide them +#BuildRequires: crypto-policies BuildRequires: pkgconfig BuildRequires: xorg-x11-proto-devel BuildRequires: zip # to pack portable tarballs BuildRequires: tar BuildRequires: unzip -%if (0%{?rhel} > 0 && 0%{?rhel} < 8) -# No javapackages-filesystem on el7,nor is needed for portables -%else -BuildRequires: javapackages-filesystem -BuildRequires: java-21-openjdk-devel -%endif +# Not needed for portables +# BuildRequires: javapackages-filesystem +BuildRequires: java-%{featurever}-openjdk-devel # Zero-assembler build requirement %ifarch %{zero_arches} BuildRequires: libffi-devel %endif # 2023c required as of JDK-8305113 BuildRequires: tzdata-java >= 2023c - # cacerts build requirement in portable mode BuildRequires: ca-certificates # Earlier versions have a bug in tree vectorization on PPC @@ -875,7 +832,7 @@ Group: Development/Tools %{java_devel_rpo -- %{fastdebug_suffix_unquoted}} %description devel-fastdebug -The %{origin_nice} %{featurever} development tools - portable edition. +The %{origin_nice} %{featurever} runtime environment and development tools - portable edition %{fastdebug_warning} %endif @@ -883,7 +840,7 @@ The %{origin_nice} %{featurever} development tools - portable edition. %if %{include_normal_build} %package static-libs -Summary: %{origin_nice} %{featurever} libraries for static linking - portable edition. +Summary: %{origin_nice} %{featurever} libraries for static linking - portable edition %{java_static_libs_rpo %{nil}} @@ -898,7 +855,7 @@ Summary: %{origin_nice} %{featurever} libraries for static linking - portable ed %{java_static_libs_rpo -- %{debug_suffix_unquoted}} %description static-libs-slowdebug -The %{origin_nice} %{featurever} libraries for static linking - portable edition. +The %{origin_nice} %{featurever} libraries for static linking - portable edition %{debug_warning} %endif @@ -909,18 +866,39 @@ Summary: %{origin_nice} %{featurever} libraries for static linking - portable ed %{java_static_libs_rpo -- %{fastdebug_suffix_unquoted}} %description static-libs-fastdebug -The %{origin_nice} %{featurever} libraries for static linking - portable edition. +The %{origin_nice} %{featurever} libraries for static linking - portable edition %{fastdebug_warning} %endif # staticlibs %endif -%package sources -Summary: %{origin_nice} %{featurever} full patched sources of portable JDK +%if %{include_normal_build} +%package unstripped +Summary: The %{origin_nice} %{featurever} runtime environment. + +%{java_unstripped_rpo %{nil}} -%description sources -The %{origin_nice} %{featurever} full patched sources of portable JDK to build, attach to debuggers or for debuginfo +%description unstripped +The %{origin_nice} %{featurever} runtime environment. + +%endif + +%package docs +Summary: %{origin_nice} %{featurever} API documentation + +%{java_docs_rpo %{nil}} + +%description docs +The %{origin_nice} %{featurever} API documentation. + +%package misc +Summary: %{origin_nice} %{featurever} miscellany + +%{java_misc_rpo %{nil}} + +%description misc +The %{origin_nice} %{featurever} miscellany. %prep @@ -951,7 +929,6 @@ else echo "include_fastdebug_build is %{include_fastdebug_build}, that is invalid. Use 1 for yes or 0 for no" exit 13 fi - if [ %{include_debug_build} -eq 0 -a %{include_normal_build} -eq 0 -a %{include_fastdebug_build} -eq 0 ] ; then echo "You have disabled all builds (normal,fastdebug,slowdebug). That is a no go." exit 14 @@ -979,17 +956,12 @@ sh %{SOURCE12} %{top_level_dir_name} # Patch the JDK pushd %{top_level_dir_name} -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch6 -p1 # Add crypto policy and FIPS support %patch1001 -p1 -# nss.cfg PKCS11 support; must come last as it also alters java.security -%patch1000 -p1 +# Patches in need of upstreaming +%patch6 -p1 popd # openjdk -%patch600 # The OpenJDK version file includes the current # upstream version information. For some reason, @@ -1024,7 +996,7 @@ cp -r tapset tapset%{fastdebug_suffix} for suffix in %{build_loop} ; do for file in "tapset"$suffix/*.in; do OUTPUT_FILE=`echo $file | sed -e "s:\.stp\.in$:-%{version}-%{release}.%{_arch}.stp:g"` - sed -e "s:@ABS_SERVER_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/server/libjvm.so:g" $file > $file.1 + sed -e "s:@ABS_SERVER_LIBJVM_SO@:%{_jvmdir}/%{sdkdir -- $suffix}/lib/%{vm_variant}/libjvm.so:g" $file > $file.1 sed -e "s:@JAVA_SPEC_VER@:%{javaver}:g" $file.1 > $file.2 # TODO find out which architectures other than i686 have a client vm %ifarch %{ix86} @@ -1044,30 +1016,9 @@ done # Portables do not have desktop integration # Setup nss.cfg -sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg +#sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg %build -%if (0%{?rhel} > 0 && 0%{?rhel} < 8) -mkdir bootjdk -pushd bootjdk -%ifarch %{aarch64} -tar --strip-components=1 -xf %{SOURCE1001} -%endif -%ifarch %{ppc64le} -tar --strip-components=1 -xf %{SOURCE1002} -%endif -%ifarch x86_64 -tar --strip-components=1 -xf %{SOURCE1003} -%endif -%ifarch s390x -tar --strip-components=1 -xf %{SOURCE1004} -%endif -BOOT_JDK=$PWD -popd -%else -BOOT_JDK=%{bootjdk} -%endif - # How many CPU's do we have? export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :) export NUM_PROC=${NUM_PROC:-1} @@ -1100,12 +1051,19 @@ EXTRA_CPP_FLAGS="$(echo ${EXTRA_CPP_FLAGS} | sed -e 's|-mstackrealign|-mincoming %endif export EXTRA_CFLAGS EXTRA_CPP_FLAGS +echo "Building %{SOURCE11}" +mkdir -p %{altjavaoutputdir} +gcc ${EXTRA_CFLAGS} -o %{altjavaoutputdir}/%{alt_java_name} %{SOURCE11} + +echo "Building %{newjavaver}-%{buildver}, pre=%{ea_designator}, opt=%{lts_designator}" + function buildjdk() { local outputdir=${1} local buildjdk=${2} local maketargets="${3}" local debuglevel=${4} local link_opt=${5} + local debug_symbols=${6} local top_dir_abs_src_path=$(pwd)/%{top_level_dir_name} local top_dir_abs_build_path=$(pwd)/${outputdir} @@ -1124,6 +1082,7 @@ function buildjdk() { echo "Using make targets: ${maketargets}" echo "Using debuglevel: ${debuglevel}" echo "Using link_opt: ${link_opt}" + echo "Using debug_symbols: ${debug_symbols}" echo "Building %{newjavaver}-%{buildver}, pre=%{ea_designator}, opt=%{lts_designator}" mkdir -p ${outputdir} @@ -1133,19 +1092,16 @@ function buildjdk() { # rather than ${link_opt} as the system versions # are always used in a system_libs build, even # for the static library build -%if (0%{?rhel} > 0 && 0%{?rhel} < 8) - scl enable devtoolset-8 -- bash ${top_dir_abs_src_path}/configure \ -%else bash ${top_dir_abs_src_path}/configure \ -%endif %ifarch %{zero_arches} --with-jvm-variants=zero \ %endif %ifarch %{ppc64le} --with-jobs=1 \ %endif + --with-cacerts-file=$(readlink -f %{_sysconfdir}/pki/java/cacerts) \ --with-version-build=%{buildver} \ - --with-version-pre="%{ea_designator}" \ + --with-version-pre="${ea_designator}" \ --with-version-opt=%{lts_designator} \ --with-vendor-version-string="%{oj_vendor_version}" \ --with-vendor-name="%{oj_vendor}" \ @@ -1154,7 +1110,7 @@ function buildjdk() { --with-vendor-vm-bug-url="%{oj_vendor_bug_url}" \ --with-boot-jdk=${buildjdk} \ --with-debug-level=${debuglevel} \ - --with-native-debug-symbols="%{debug_symbols}" \ + --with-native-debug-symbols="${debug_symbols}" \ --disable-sysconf-nss \ --enable-unlimited-crypto \ --with-zlib=%{link_type} \ @@ -1177,319 +1133,274 @@ function buildjdk() { --disable-warnings-as-errors cat spec.gmk -%if (0%{?rhel} > 0 && 0%{?rhel} < 8) - scl enable devtoolset-8 -- make \ -%else - make \ -%endif - LOG=trace \ - WARNINGS_ARE_ERRORS="-Wno-error" \ - CFLAGS_WARNINGS_ARE_ERRORS="-Wno-error" \ - $maketargets || ( pwd; find ${top_dir_abs_src_path} ${top_dir_abs_build_path} -name "hs_err_pid*.log" | xargs cat && false ) + make LOG=trace $maketargets || \ + ( pwd; find ${top_dir_abs_src_path} ${top_dir_abs_build_path} -name \"hs_err_pid*.log\" | xargs cat && false ) popd } function installjdk() { - local imagepath=${1} - - if [ -d ${imagepath} ] ; then - # the build (erroneously) removes read permissions from some jars - # this is a regression in OpenJDK 7 (our compiler): - # http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437 - find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \; - - # Build screws up permissions on binaries - # https://bugs.openjdk.java.net/browse/JDK-8173610 - find ${imagepath} -iname '*.so' -exec chmod +x {} \; - find ${imagepath}/bin/ -exec chmod +x {} \; - - # Install nss.cfg right away as we will be using the JRE above - install -m 644 nss.cfg ${imagepath}/conf/security/ + local outputdir=${1} + local installdir=${2} + local jdkimagepath=${installdir}/images/%{jdkimage} + local jreimagepath=${installdir}/images/%{jreimage} + + echo "Installing build from ${outputdir} to ${installdir}..." + mkdir -p ${installdir} + echo "Installing images..." + mv ${outputdir}/images ${installdir} + if [ -d ${outputdir}/bundles ] ; then + echo "Installing bundles..."; + mv ${outputdir}/bundles ${installdir} ; + fi - # Create fake alt-java as a placeholder for future alt-java - if [ -d man/man1 ] ; then - pushd ${imagepath} +%if !%{with artifacts} + echo "Removing output directory..."; + rm -rf ${outputdir} +%endif + + # legacy-jre-image target does not install any man pages for the JRE + # We copy the jdk man directory and then remove pages for binaries that + # don't exist in the JRE + cp -a ${jdkimagepath}/man ${jreimagepath} + for manpage in $(find ${jreimagepath}/man -name '*.1'); do + filename=$(basename ${manpage}); + binary=${filename/.1/}; + if [ ! -f ${jreimagepath}/bin/${binary} ] ; then + echo "Removing ${manpage} from JRE for which no binary ${binary} exists"; + rm -f ${manpage}; + fi; + done + + for imagepath in ${jdkimagepath} ${jreimagepath} ; do + + if [ -d ${imagepath} ] ; then + # the build (erroneously) removes read permissions from some jars + # this is a regression in OpenJDK 7 (our compiler): + # http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=1437 + find ${imagepath} -iname '*.jar' -exec chmod ugo+r {} \; + + # Build screws up permissions on binaries + # https://bugs.openjdk.java.net/browse/JDK-8173610 + find ${imagepath} -iname '*.so' -exec chmod +x {} \; + find ${imagepath}/bin/ -exec chmod +x {} \; + + # Install local files which are distributed with the JDK + install -m 644 %{SOURCE10} ${imagepath} + #install -m 644 nss.cfg ${imagepath}/conf/security/ + + # Create fake alt-java as a placeholder for future alt-java + pushd ${imagepath} # add alt-java man page echo "Hardened java binary recommended for launching untrusted code from the Web e.g. javaws" > man/man1/%{alt_java_name}.1 cat man/man1/java.1 >> man/man1/%{alt_java_name}.1 - popd - fi - fi + popd + + # Print release information + cat ${imagepath}/release + fi + done } -# Checks on debuginfo must be performed before the files are stripped -# by the RPM installation stage -function debugcheckjdk() { - local imagepath=${1} - - if [ -d ${imagepath} ] ; then - - so_suffix="so" - # Check debug symbols are present and can identify code - find "${imagepath}" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib - do - if [ -f "$lib" ] ; then - echo "Testing $lib for debug symbols" - # All these tests rely on RPM failing the build if the exit code of any set - # of piped commands is non-zero. - - # Test for .debug_* sections in the shared object. This is the main test - # Stripped objects will not contain these - eu-readelf -S "$lib" | grep "] .debug_" - test $(eu-readelf -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2 - - # Test FILE symbols. These will most likely be removed by anything that - # manipulates symbol tables because it's generally useless. So a nice test - # that nothing has messed with symbols - old_IFS="$IFS" - IFS=$'\n' - for line in $(eu-readelf -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT") - do - # We expect to see .cpp and .S files, except for architectures like aarch64 and - # s390 where we expect .o and .oS files - echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|S|oS))?$" - done - IFS="$old_IFS" - - # If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking - if [ "`basename $lib`" = "libjvm.so" ]; then - eu-readelf -s "$lib" | \ - grep -E "00000000 0 FILE LOCAL DEFAULT ABS javaCalls.(cpp|o)$" - fi - - # Test that there are no .gnu_debuglink sections pointing to another - # debuginfo file. There shouldn't be any debuginfo files, so the link makes - # no sense either - eu-readelf -S "$lib" | grep 'gnu' - if eu-readelf -S "$lib" | grep "\] .gnu_debuglink" | grep PROGBITS; then - echo "bad .gnu_debuglink section." - eu-readelf -x .gnu_debuglink "$lib" - false - fi +function genchecksum() { + local checkedfile=${1} + + checkdir=$(dirname ${1}) + checkfile=$(basename ${1}) + + echo "Generating checksum for ${checkfile} in ${checkdir}..." + pushd ${checkdir} + sha256sum ${checkfile} > ${checkfile}.sha256sum + sha256sum --check ${checkfile}.sha256sum + popd +} + +function packagejdk() { + local imagesdir=$(pwd)/${1}/images + local docdir=$(pwd)/${1}/images/docs + local bundledir=$(pwd)/${1}/bundles + local packagesdir=$(pwd)/${2} + local srcdir=$(pwd)/%{top_level_dir_name} + local altjavadir=$(pwd)/${3} + + echo "Packaging build from ${imagesdir} to ${packagesdir}..." + mkdir -p ${packagesdir} + pushd ${imagesdir} + + if [ "x$suffix" = "x" ] ; then + nameSuffix="" + else + nameSuffix=`echo "$suffix"| sed s/-/./` + fi + + jdkname=%{jdkportablename -- "$nameSuffix"} + jdkarchive=${packagesdir}/%{jdkportablearchive -- "$nameSuffix"} + jrename=%{jreportablename -- "$nameSuffix"} + jrearchive=${packagesdir}/%{jreportablearchive -- "$nameSuffix"} + staticname=%{staticlibsportablename -- "$nameSuffix"} + staticarchive=${packagesdir}/%{staticlibsportablearchive -- "$nameSuffix"} + debugarchive=${packagesdir}/%{jdkportablearchive -- "${nameSuffix}.debuginfo"} + unstrippedarchive=${packagesdir}/%{jdkportablearchive -- "${nameSuffix}.unstripped"} + # We only use docs for the release build + docname=%{docportablename} + docarchive=${packagesdir}/%{docportablearchive} + built_doc_archive=jdk-%{filever}%{ea_designator_zip}+%{buildver}%{lts_designator_zip}-docs.zip + # These are from the source tree so no debug variants + miscname=%{miscportablename} + miscarchive=${packagesdir}/%{miscportablearchive} + + # Rename directories for packaging + mv %{jdkimage} ${jdkname} + mv %{jreimage} ${jrename} + + # Release images have external debug symbols + if [ "x$suffix" = "x" ] ; then + # Keep the unstripped version for consumption by RHEL RPMs + tar -cJf ${unstrippedarchive} ${jdkname} + genchecksum ${unstrippedarchive} + + # Strip the files + for file in $(find ${jdkname} ${jrename} -type f) ; do + if file ${file} | grep -q 'ELF'; then + noextfile=${file/.so/}; + objcopy --only-keep-debug ${file} ${noextfile}.debuginfo; + objcopy --add-gnu-debuglink=${noextfile}.debuginfo ${file}; + strip -g ${file}; fi done - # Make sure gdb can do a backtrace based on line numbers on libjvm.so - # javaCalls.cpp:58 should map to: - # http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/vm/runtime/javaCalls.cpp#l58 - # Using line number 1 might cause build problems. See: - # https://bugzilla.redhat.com/show_bug.cgi?id=1539664 - # https://bugzilla.redhat.com/show_bug.cgi?id=1538767 - gdb -q "${imagepath}/bin/java" < ../%{jdkportablesourcesarchive -- ""}.sha256sum + popd #images + +} %if %{build_hotspot_first} # Build a fresh libjvm.so first and use it to bootstrap cp -LR --preserve=mode,timestamps %{bootjdk} newboot systemjdk=$(pwd)/newboot - buildjdk build/newboot ${systemjdk} %{hotspot_target} "release" "bundled" - mv build/newboot/jdk/lib/server/libjvm.so newboot/lib/server + buildjdk build/newboot ${systemjdk} %{hotspot_target} "release" "bundled" "internal" + mv build/newboot/jdk/lib/%{vm_variant}/libjvm.so newboot/lib/%{vm_variant} %else systemjdk=%{bootjdk} %endif for suffix in %{build_loop} ; do + if [ "x$suffix" = "x" ] ; then debugbuild=release else # change --something to something debugbuild=`echo $suffix | sed "s/-//g"` fi - for loop in %{main_suffix} %{staticlibs_loop} ; do - builddir=%{buildoutputdir -- ${suffix}${loop}} - bootbuilddir=boot${builddir} - if test "x${loop}" = "x%{main_suffix}" ; then - link_opt="%{link_type}" -%if %{system_libs} - # Copy the source tree so we can remove all in-tree libraries - cp -a %{top_level_dir_name} %{top_level_dir_name_backup} - # Remove all libraries that are linked - sh %{SOURCE12} %{top_level_dir_name} full -%endif - # Debug builds don't need same targets as release for - # build speed-up. We also avoid bootstrapping these - # slower builds. - if echo $debugbuild | grep -q "debug" ; then - maketargets="%{debug_targets}" - run_bootstrap=false - else - maketargets="%{release_targets}" - run_bootstrap=%{bootstrap_build} - fi - if ${run_bootstrap} ; then - buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} ${link_opt} - buildjdk ${builddir} $(pwd)/${bootbuilddir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt} - rm -rf ${bootbuilddir} - else - buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} - fi + # We build with internal debug symbols and do + # our own stripping for one version of the + # release build + debug_symbols=internal + + builddir=%{buildoutputdir -- ${suffix}} + bootbuilddir=boot${builddir} + installdir=%{installoutputdir -- ${suffix}} + bootinstalldir=boot${installdir} + packagesdir=%{packageoutputdir -- ${suffix}} + + link_opt="%{link_type}" %if %{system_libs} - # Restore original source tree we modified by removing full in-tree sources - rm -rf %{top_level_dir_name} - mv %{top_level_dir_name_backup} %{top_level_dir_name} -%endif - else - # Use bundled libraries for building statically - link_opt="bundled" - # Static library cycle only builds the static libraries - maketargets="%{static_libs_target}" - # Always just do the one build for the static libraries - buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} - fi - - done # end of main / staticlibs loop - - # Final setup on the main image - top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}} - for image in %{jdkimage} %{jreimage} ; do - imagePath=${top_dir_abs_main_build_path}/images/${image} - installjdk ${imagePath} - done - # Check debug symbols were built into the dynamic libraries; todo, why it passes in JDK only? - debugcheckjdk ${top_dir_abs_main_build_path}/images/%{jdkimage} - - # Print release information - cat ${top_dir_abs_main_build_path}/images/%{jdkimage}/release + # Copy the source tree so we can remove all in-tree libraries + cp -a %{top_level_dir_name} %{top_level_dir_name_backup} + # Remove all libraries that are linked + sh %{SOURCE12} %{top_level_dir_name} full +%endif + # Debug builds don't need same targets as release for + # build speed-up. We also avoid bootstrapping these + # slower builds. + if echo $debugbuild | grep -q "debug" ; then + maketargets="%{debug_targets}" + run_bootstrap=false + else + maketargets="%{release_targets}" + run_bootstrap=%{bootstrap_build} + fi + if ${run_bootstrap} ; then + buildjdk ${bootbuilddir} ${systemjdk} "%{bootstrap_targets}" ${debugbuild} ${link_opt} ${debug_symbols} + installjdk ${bootbuilddir} ${bootinstalldir} + buildjdk ${builddir} $(pwd)/${bootinstalldir}/images/%{jdkimage} "${maketargets}" ${debugbuild} ${link_opt} ${debug_symbols} + installjdk ${builddir} ${installdir} + %{!?with_artifacts:rm -rf ${bootinstalldir}} + else + buildjdk ${builddir} ${systemjdk} "${maketargets}" ${debugbuild} ${link_opt} ${debug_symbols} + installjdk ${builddir} ${installdir} + fi + packagejdk ${installdir} ${packagesdir} %{altjavaoutputdir} -################################################################################ - pushd ${top_dir_abs_main_build_path}/images - if [ "x$suffix" == "x" ] ; then - nameSuffix="" - else - nameSuffix=`echo "$suffix"| sed s/-/./` - fi - # additional steps needed for fluent repack; most of them done twice, as images are already populated - # maybe most of them should be done in upstream build? - for imagedir in %{jdkimage} %{jreimage} ; do - pushd $imagedir - # Convert man pages to UTF8 encoding - if [ -d man/man1 ] ; then # jre do not have man pages... - for manpage in man/man1/* ; do - iconv -f ISO_8859-1 -t UTF8 $manpage -o $manpage.tmp - mv -f $manpage.tmp $manpage - done - fi - # Install release notes - cp -a %{SOURCE10} `pwd` - cp -a %{SOURCE10} `pwd`/legal - # stabilize permissions; aprtially duplicated in instalojdk - find `pwd` -name "*.so" -exec chmod 755 {} \; -exec echo "set 755 to so {}" \; ; - find `pwd` -type d -exec chmod 755 {} \; -exec echo "set 755 to dir {}" \; ; - find `pwd`/legal -type f -exec chmod 644 {} \; -exec echo "set 644 to licences {}" \; ; - popd # jdkimage/jreimage - done # jre/sdk work in loop - # javadoc is done only for release sdkimage - if ! echo $suffix | grep -q "debug" ; then - # Install Javadoc documentation - #cp -a docs %{jdkimage} # not sure if the plaintext javadoc is for some use - built_doc_archive=jdk-%{filever}%{ea_designator_zip}+%{buildver}%{lts_designator_zip}-docs.zip - cp -a `pwd`/../bundles/${built_doc_archive} `pwd`/%{jdkimage}/javadocs.zip || ls -l `pwd`/../bundles - fi - # end of additional steps - - mv %{jdkimage} %{jdkportablename -- "$nameSuffix"} - mv %{jreimage} %{jreportablename -- "$nameSuffix"} - tar -cJf ../../../../%{jdkportablearchive -- "$nameSuffix"} --exclude='**.debuginfo' %{jdkportablename -- "$nameSuffix"} - sha256sum ../../../../%{jdkportablearchive -- "$nameSuffix"} > ../../../../%{jdkportablearchive -- "$nameSuffix"}.sha256sum - tar -cJf ../../../../%{jreportablearchive -- "$nameSuffix"} --exclude='**.debuginfo' %{jreportablename -- "$nameSuffix"} - sha256sum ../../../../%{jreportablearchive -- "$nameSuffix"} > ../../../../%{jreportablearchive -- "$nameSuffix"}.sha256sum - # copy licenses so they are avialable out of tarball - cp -rf %{jdkportablename -- "$nameSuffix"}/legal ../../../../%{jdkportablearchive -- "%{normal_suffix}"}-legal - mv %{jdkportablename -- "$nameSuffix"} %{jdkimage} - mv %{jreportablename -- "$nameSuffix"} %{jreimage} - popd #images -%if %{include_staticlibs} - top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticlibs_suffix}} - pushd ${top_dir_abs_staticlibs_build_path}/images - # Static libraries (needed for building graal vm with native image) - # Tar as overlay. Transform to the JDK name, since we just want to "add" - # static libraries to that folder - portableJDKname=%{staticlibsportablename -- "$nameSuffix"} - tar -cJf ../../../../%{staticlibsportablearchive -- "$nameSuffix"} --transform "s|^%{static_libs_image}/lib/*|$portableJDKname/lib/static/linux-%{archinstall}/glibc/|" "%{static_libs_image}/lib" - sha256sum ../../../../%{staticlibsportablearchive -- "$nameSuffix"} > ../../../../%{staticlibsportablearchive -- "$nameSuffix"}.sha256sum - popd #staticlibs-images +%if %{system_libs} + # Restore original source tree we modified by removing full in-tree sources + rm -rf %{top_level_dir_name} + mv %{top_level_dir_name_backup} %{top_level_dir_name} %endif -################################################################################ -# note, currently no debuginfo, consult portbale spec for external (zipped) debuginfo, being tarred alone -################################################################################ # build cycles done # end of release / debug cycle loop -%install -mkdir -p $RPM_BUILD_ROOT%{_jvmdir} -mv ../%{jdkportablesourcesarchive -- ""} $RPM_BUILD_ROOT%{_jvmdir}/ -mv ../%{jdkportablesourcesarchive -- ""}.sha256sum $RPM_BUILD_ROOT%{_jvmdir}/ +%check +# We test debug first as it will give better diagnostics on a crash for suffix in %{build_loop} ; do -top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}} -################################################################################ - if [ "x$suffix" == "x" ] ; then - nameSuffix="" - else - nameSuffix=`echo "$suffix"| sed s/-/./` - fi - mv ../%{jdkportablearchive -- "$nameSuffix"} $RPM_BUILD_ROOT%{_jvmdir}/ - mv ../%{jdkportablearchive -- "$nameSuffix"}.sha256sum $RPM_BUILD_ROOT%{_jvmdir}/ - mv ../%{jreportablearchive -- "$nameSuffix"} $RPM_BUILD_ROOT%{_jvmdir}/ - mv ../%{jreportablearchive -- "$nameSuffix"}.sha256sum $RPM_BUILD_ROOT%{_jvmdir}/ +# portable builds have static_libs embedded, thus top_dir_abs_main_build_path is same as top_dir_abs_staticlibs_build_path +top_dir_abs_main_build_path=$(pwd)/%{installoutputdir -- ${suffix}} %if %{include_staticlibs} - mv ../%{staticlibsportablearchive -- "$nameSuffix"} $RPM_BUILD_ROOT%{_jvmdir}/ - mv ../%{staticlibsportablearchive -- "$nameSuffix"}.sha256sum $RPM_BUILD_ROOT%{_jvmdir}/ -%endif - if [ "x$suffix" == "x" ] ; then - dnameSuffix="$nameSuffix".debuginfo -# todo handle debuginfo, see note at build (we will need to pack one stripped and one unstripped release build) -# mv ../%{jdkportablearchive -- "$dnameSuffix"} $RPM_BUILD_ROOT%{_jvmdir}/ -# mv ../%{jdkportablearchive -- "$dnameSuffix"}.sha256sum $RPM_BUILD_ROOT%{_jvmdir}/ - fi -################################################################################ -# end, dual install -done -################################################################################ -# the licenses are packed onloy once and shared -mkdir -p $RPM_BUILD_ROOT%{unpacked_licenses} -mv ../%{jdkportablearchive -- "%{normal_suffix}"}-legal $RPM_BUILD_ROOT%{unpacked_licenses}/%{jdkportablesourcesarchive -- "%{normal_suffix}"} -# To show sha in the build log -for file in `ls $RPM_BUILD_ROOT%{_jvmdir}/*.sha256sum` ; do ls -l $file ; cat $file ; done -################################################################################ +top_dir_abs_staticlibs_build_path=${top_dir_abs_main_build_path} +%endif -%check +export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage} -# We test debug first as it will give better diagnostics on a crash -for suffix in %{build_loop} ; do +# Pre-test setup -# Tests in the check stage are performed on the installed image -# rpmbuild operates as follows: build -> install -> test -# however in portbales, we test built image instead of installed one -top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}} -export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage} +# System security properties are disabled by default on portable. +# Turn on system security properties +#sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \ +#${JAVA_HOME}/conf/security/java.security -#check Shenandoah is enabled +# Check Shenandoah is enabled %if %{use_shenandoah_hotspot} -$JAVA_HOME/bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version +$JAVA_HOME//bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version %endif # Check unlimited policy has been used @@ -1500,33 +1411,36 @@ $JAVA_HOME/bin/java --add-opens java.base/javax.crypto=ALL-UNNAMED TestCryptoLev $JAVA_HOME/bin/javac -d . %{SOURCE14} $JAVA_HOME/bin/java $(echo $(basename %{SOURCE14})|sed "s|\.java||") -# Check system crypto (policy) is deactive and can not be enabled +# Check system crypto (policy) is active and can be disabled # Test takes a single argument - true or false - to state whether system # security properties are enabled or not. $JAVA_HOME/bin/javac -d . %{SOURCE15} export PROG=$(echo $(basename %{SOURCE15})|sed "s|\.java||") export SEC_DEBUG="-Djava.security.debug=properties" +# Specific to portable:System security properties to be off by default $JAVA_HOME/bin/java ${SEC_DEBUG} ${PROG} false -$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=false ${PROG} false +$JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=true ${PROG} false + +# Check correct vendor values have been set +$JAVA_HOME/bin/javac -d . %{SOURCE16} +$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}" "%{oj_vendor_version}" # Check java launcher has no SSB mitigation if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi # Check alt-java launcher has SSB mitigation on supported architectures +# set_speculation function exists in both cases, so check for prctl call %ifarch %{ssbd_arches} -nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation +nm %{altjavaoutputdir}/%{alt_java_name} | grep prctl %else -if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi +if ! nm %{altjavaoutputdir}/%{alt_java_name} | grep prctl ; then true ; else false; fi %endif -# Check correct vendor values have been set -$JAVA_HOME/bin/javac -d . %{SOURCE16} -$JAVA_HOME/bin/java $(echo $(basename %{SOURCE16})|sed "s|\.java||") "%{oj_vendor}" "%{oj_vendor_url}" "%{oj_vendor_bug_url}" "%{oj_vendor_version}" - %if ! 0%{?flatpak} # Check translations are available for new timezones (during flatpak builds, the # tzdb.dat used by this test is not where the test expects it, so this is -# disabled for flatpak builds) +# disabled for flatpak builds) +# Disable test until we are on the latest JDK $JAVA_HOME/bin/javac -d . %{SOURCE18} $JAVA_HOME/bin/java $(echo $(basename %{SOURCE18})|sed "s|\.java||") JRE $JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})|sed "s|\.java||") CLDR @@ -1534,13 +1448,86 @@ $JAVA_HOME/bin/java -Djava.locale.providers=CLDR $(echo $(basename %{SOURCE18})| %if %{include_staticlibs} # Check debug symbols in static libraries (smoke test) -export STATIC_LIBS_HOME=${top_dir_abs_main_build_path}/../../%{buildoutputdir -- ${suffix}%{staticlibs_suffix}}/images/static-libs/lib/ -readelf --debug-dump $STATIC_LIBS_HOME/libnet.a | grep Inet4AddressImpl.c -readelf --debug-dump $STATIC_LIBS_HOME/libnet.a | grep Inet6AddressImpl.c +export STATIC_LIBS_HOME=${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image} +ls -l $STATIC_LIBS_HOME +ls -l $STATIC_LIBS_HOME/lib +readelf --debug-dump $STATIC_LIBS_HOME/lib/libnet.a | grep Inet4AddressImpl.c +readelf --debug-dump $STATIC_LIBS_HOME/lib/libnet.a | grep Inet6AddressImpl.c +%endif + +# Release builds strip the debug symbols into external .debuginfo files +if [ "x$suffix" = "x" ] ; then + so_suffix="debuginfo" +else + so_suffix="so" +fi +# Check debug symbols are present and can identify code +find "$JAVA_HOME" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib +do + if [ -f "$lib" ] ; then + echo "Testing $lib for debug symbols" + # All these tests rely on RPM failing the build if the exit code of any set + # of piped commands is non-zero. + + # Test for .debug_* sections in the shared object. This is the main test + # Stripped objects will not contain these + eu-readelf -S "$lib" | grep "] .debug_" + test $(eu-readelf -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2 + + # Test FILE symbols. These will most likely be removed by anything that + # manipulates symbol tables because it's generally useless. So a nice test + # that nothing has messed with symbols + old_IFS="$IFS" + IFS=$'\n' + for line in $(eu-readelf -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT") + do + # We expect to see .cpp and .S files, except for architectures like aarch64 and + # s390 where we expect .o and .oS files + echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|S|oS))?$" + done + IFS="$old_IFS" + + # If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking + if [ "`basename $lib`" = "libjvm.so" ]; then + eu-readelf -s "$lib" | \ + grep -E "00000000 0 FILE LOCAL DEFAULT ABS javaCalls.(cpp|o)$" + fi + + # Test that there are no .gnu_debuglink sections pointing to another + # debuginfo file. There shouldn't be any debuginfo files, so the link makes + # no sense either + eu-readelf -S "$lib" | grep 'gnu' + if eu-readelf -S "$lib" | grep '] .gnu_debuglink' | grep PROGBITS; then + echo "bad .gnu_debuglink section." + eu-readelf -x .gnu_debuglink "$lib" + false + fi + fi +done + +# Make sure gdb can do a backtrace based on line numbers on libjvm.so +# javaCalls.cpp:58 should map to: +# http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/vm/runtime/javaCalls.cpp#l58 +# Using line number 1 might cause build problems. See: +# https://bugzilla.redhat.com/show_bug.cgi?id=1539664 +# https://bugzilla.redhat.com/show_bug.cgi?id=1538767 +gdb -q "$JAVA_HOME/bin/java" < - 21.0.0.0.35-1 -- Rebuilt for MSVSphere 9.2 - -* Tue Aug 08 2023 Petra Alice Mikova 1:21.0.0.0.35-0.1.rolling -- updated to jdk-21+35, which is no longer EA - -* Tue Aug 08 2023 Petra Alice Mikova 1:21.0.0.0.34-0.1.ea.rolling -- initial update to jdk21 -- commented out fips patches -- updated to jdk21 ea -- updated patch 1001 - rh1648249-add_commented_out_nss_cfg_provider_to_java_security -- replace smoketests in staticlibs test, as the previous files used were removed by a patch in JDK -- require tzdata 2023c -- Update FIPS support to bring in latest changes -- * RH2048582: Support PKCS#12 keystores -- * RH2020290: Support TLS 1.3 in FIPS mode -- * Add nss.fips.cfg support to OpenJDK tree -- * RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode -- * Remove forgotten dead code from RH2020290 and RH2104724 -- * OJ1357: Fix issue on FIPS with a SecurityManager in place -- * RH2134669: Add missing attributes when registering services in FIPS mode. -- * test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class -- * RH1940064: Enable XML Signature provider in FIPS mode -- * Remove GCC minor versioning (JDK-8284772) to unbreak testing -- Drop local nss.fips.cfg.in handling now this is handled in the patched OpenJDK build +%files misc +%{_jvmdir}/%{miscportablearchive} +%{_jvmdir}/%{miscportablearchive}.sha256sum -* Thu Aug 03 2023 Jiri Vanek - 1:20.0.2.0.9-1.rolling +%changelog +* Mon Aug 21 2023 Andrew Hughes - 1:21.0.0.0.35-1 +- Update to jdk-21.0.0+35 +- Update release notes to 21.0.0+35 +- Update system crypto policy & FIPS patch from new fips-21u tree +- Update generate_tarball.sh to sync with upstream vanilla script inc. no more ECC removal +- Drop fakefeaturever now it is no longer needed +- Hardcode buildjdkver while the build JDK is not yet 21 +- Change top_level_dir_name to use the VCS tag, matching new upstream release style tarball +- Use upstream release URL for OpenJDK source +- Re-enable tzdata tests now we are on the latest JDK and things are back in sync + +* Mon Aug 21 2023 Petra Alice Mikova - 1:21.0.0.0.35-1 +- Replace smoke test files used in the staticlibs test, as fdlibm was removed by JDK-8303798 + +* Wed Aug 16 2023 Andrew Hughes - 1:20.0.0.0.36-1 - Update to jdk-20.0.2+9 - Update release notes to 20.0.2+9 - -* Thu Jul 20 2023 Fedora Release Engineering - 1:20.0.1.0.9-5.rolling.1 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild - -* Tue Jun 27 2023 Kalev Lember - 1:20.0.1.0.9-5.rolling -- Simplify portable archive name macros - -* Mon May 15 2023 Jiri Vanek - 1:20.0.1.0.9-4.rolling -- Redeclared ForFiles release sections as %%nil no longer works with %%1 -- RPM 4.19 no longer accept our double percentaged %%{nil} passed to %%{1} -- so we have to pass in "" but evaluate it, otherwise files record will include it - -* Mon May 15 2023 Jiri Vanek - 1:20.0.1.0.9-3.rolling -- no longer using system cacerts during build -- they are already mv-ed as .upstream in rpms - -* Wed May 10 2023 Jiri Vanek - 1:20.0.1.0.9-2.rolling -- enabled all crypto - -* Wed Apr 26 2023 Andrew Hughes - 1:20.0.1.0.9-1.rolling -- Update to jdk-20.0.1+9 -- Update release notes to 20.0.1+9 - -* Fri Apr 14 2023 Jiri Vanek - 1:20.0.0.0.36-3.rolling -- introduced archfull src archive -- replaced nasty handling of icons. -- needed for icons and src reference for rpms (debuginfo, src subpkg) -- licences moved to proper sharable noarch - -* Mon Apr 10 2023 Andrew Hughes - 1:20.0.0.0.36-2.rolling -- Complete update to OpenJDK 20 -- Update NEWS - Update system crypto policy & FIPS patch from new fips-20u tree -- * RH2104724: Avoid import/export of DH private keys -- * RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode -- * Build the systemconf library on all platforms -- Update generate_tarball.sh ICEDTEA_VERSION and add support for passing a boot JDK to the configure run -- Revert changes to generate_tarball.sh which break error handling -- Add POSIX-friendly error codes to generate_tarball.sh and fix whitespace -- Remove .jcheck and GitHub support when generating tarballs, as done in upstream release tarballs -- Revert changes to patch macro which break on older versions of rpm (4.16) -- Revert changes to configure run -- Revert RH1648429 patch changes +- Update generate_tarball.sh ICEDTEA_VERSION - Update CLDR reference data following update to 42 (Rocky Mountain-Normalzeit => Rocky-Mountain-Normalzeit) -- Re-enable disabled translation test -- Automatically turn off building a fresh HotSpot first, if the bootstrap JDK is not the same major version as that being built +- Related: rhbz#2192749 + +* Wed Aug 16 2023 Jiri Vanek - 1:20.0.0.0.36-1 +- Dropped JDK-8295447, JDK-8296239 & JDK-8299439 patches now upstream +- Adapted rh1750419-redhat_alt_java.patch +- Related: rhbz#2192749 -* Tue Mar 28 2023 Jiri Vanek - 1:20.0.0.0.36-1.rolling -- moved to jdk20 -- remvoed already upstreamed patches patch2006,2007,2008,2009 -- commented out not yet adapted patch1001 - fips support -- removed --disable-sysconf-nss due to missing patch 1001 from configure --- todo return both patch1001 and disable-sysconf-nss! -- adapted rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch and rh1750419-redhat_alt_java.patch patches -- inverted fresh_libjvm behavior to be disabled by default. fails: --- See: https://koji.fedoraproject.org/koji/taskinfo?taskID=99242677 -- commented out tzdata tests -- moved from deprecated patchN to patch N - -* Tue Feb 07 2023 Jiri Vanel - 1:19.0.2.0.7-2.rolling -- added png icons from x11 source package, so they can be reused by rpms - - * Thu Jan 26 2023 Andrew Hughes - 1:19.0.2.0.7-1.rolling +* Tue Aug 15 2023 Andrew Hughes - 1:19.0.1.0.10-1 - Update to jdk-19.0.2 release - Update release notes to 19.0.2 -- Drop JDK-8293834 (CLDR update for Kyiv) which is now upstream -- Drop JDK-8294357 (tzdata2022d), JDK-8295173 (tzdata2022e) & JDK-8296108 (tzdata2022f) local patches which are now upstream -- Drop JDK-8296715 (CLDR update for 2022f) which is now upstream +- Rebase FIPS patches from fips-19u branch +- Remove references to sample directory removed by JDK-8284999 - Add local patch JDK-8295447 (javac NPE) which was accepted into 19u upstream but not in the GA tag - Add local patches for JDK-8296239 & JDK-8299439 (Croatia Euro update) which are present in 8u, 11u & 17u releases - -* Thu Jan 19 2023 Andrew Hughes - 1:19.0.1.0.10-3.rolling - - Update in-tree tzdata & CLDR to 2022g with JDK-8296108, JDK-8296715 & JDK-8297804 - - Update TestTranslations.java to test the new America/Ciudad_Juarez zone - -* Thu Jan 19 2023 Stephan Bergmann - 1:19.0.1.0.10-3.rolling - - Fix flatpak builds by disabling TestTranslations test due to missing tzdb.dat - -* Thu Jan 19 2023 Fedora Release Engineering - 1:19.0.1.0.10-3.rolling.1 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild - -* Thu Jan 12 2023 Jiri Vanel - 1:19.0.1.0.10-3.rolling -- keep system crypto policy honoring disabled (test adapted) -- keep upstream cacerts -- call installjdk also for jreimage. -- add alt-java man page conditionaly (se install openjdk for jre above) -- convert man pages to utf8 (conditionally, man pages are not in jre) -- stabilised permissions as was in rpms -- use NEWS both in tarball and outside -- for release sdk use javadoc archive. -- remove STRIP_KEEP_SYMTAB=libjvm* and all todo as it is going to continue in rpms only - (hopefully) - -* Thu Dec 01 2022 Petra Alice Mikova - 1:19.0.1.0.10-2.rolling -- initial import - +- Related: rhbz#2192749 + +* Thu Aug 10 2023 Andrew Hughes - 1:18.0.2.0.9-1 +- Update to jdk-18.0.2 release +- Update release notes to actually reflect OpenJDK 18 +- Support JVM variant zero following JDK-8273494 no longer installing Zero's libjvm.so in the server directory +- Rebase FIPS patches from fips-18u branch +- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch +- Automatically turn off building a fresh HotSpot first, if the bootstrap JDK is not the same major version as that being built +- Drop tzdata patches added for 17.0.7 which will eventually appear in the upstream tarball when we reach OpenJDK 21 +- Switch bootjdkver to java-21-openjdk +- Disable tzdata tests until we are on the latest JDK and things are back in sync +- Related: rhbz#2192749 + +* Thu Aug 10 2023 Petra Alice Mikova - 1:18.0.0.0.37-1 +- Update to ea version of jdk18 +- Adjust rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch +- Related: rhbz#2192749 + +* Mon May 15 2023 Andrew Hughes - 1:17.0.7.0.7-2 +- Create java-21-openjdk-portable package based on java-17-openjdk-portable +- Related: rhbz#2192749 + +* Tue Apr 25 2023 Andrew Hughes - 1:17.0.7.0.7-2 +- Update to jdk-17.0.7.0+7 +- Update release notes to 17.0.7.0+7 +- Require tzdata 2023c due to local inclusion of JDK-8274864 & JDK-8305113 +- Reintroduce generate_source_tarball.sh from RHEL 9 +- Update generate_tarball.sh to add support for passing a boot JDK to the configure run +- Add POSIX-friendly error codes to generate_tarball.sh and fix whitespace +- Remove .jcheck and GitHub support when generating tarballs, as done in upstream release tarballs +- Update FIPS support against 17.0.7+6 and bring in latest changes: +- * RH2134669: Add missing attributes when registering services in FIPS mode. +- * test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class +- * RH1940064: Enable XML Signature provider in FIPS mode +- * RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized +- Fix trailing '.' in tarball name +- Use rpmrelease in vendor version to avoid inclusion of dist tag +- ** This tarball is embargoed until 2023-04-18 @ 1pm PT. ** +- Resolves: rhbz#2185182 +- Resolves: rhbz#2134669 +- Resolves: rhbz#1940064 +- Resolves: rhbz#2173781 + +* Thu Apr 20 2023 Andrew Hughes - 1:17.0.6.0.10-7 +- Sync with existing RHEL 8 build, in order to start building portables on RHEL 8 +- Restore system bootstrap JDK (RHEL 8 has java-17-openjdk) +- Remove use of devtoolset (RHEL 8 native compilers should be sufficient) +- Explicitly exclude x86, as on RHEL RPMs + +* Tue Feb 21 2023 Andrew Hughes - 1:17.0.6.0.10-6 +- Add docs, icons and samples to the portable output +- Make sure generated checksums work and don't include full path +- The docs directory is a subdirectory of images, so remove confusing separate copying + +* Wed Feb 15 2023 Andrew Hughes - 1:17.0.6.0.10-5 +- Build with internal debuginfo as in RHEL and then create a stripped variant ourselves for the portable release build +- Restore compiler flags to those used in RHEL +- Drop unused static library patch +- Drop syslookup workaround which was fixed by JDK-8276572 over a year ago + +* Tue Feb 14 2023 Andrew Hughes - 1:17.0.6.0.10-4 +- Separate JDK packaging into a separate function +- Use variables to make it clearer what is going on +- Use a package output directory as we do for building and installing +- Workaround missing manpage directory in the JRE image + +* Sun Feb 12 2023 Andrew Hughes - 1:17.0.6.0.10-3 +- Adapt the portable build to use the same system library handling as RHEL builds + +* Sat Jan 14 2023 Andrew Hughes - 1:17.0.6.0.10-3 +- Add missing release note for JDK-8295687 +- Resolves: rhbz#2160111 + +* Fri Jan 13 2023 Andrew Hughes - 1:17.0.6.0.10-2 +- Update FIPS support to bring in latest changes +- * Add nss.fips.cfg support to OpenJDK tree +- * RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode +- * Remove forgotten dead code from RH2020290 and RH2104724 +- * OJ1357: Fix issue on FIPS with a SecurityManager in place +- Drop local nss.fips.cfg.in handling now this is handled in the patched OpenJDK build +- Resolves: rhbz#2118493 + +* Fri Jan 13 2023 Stephan Bergmann - 1:17.0.6.0.10-2 +- Fix flatpak builds by disabling TestTranslations test due to missing tzdb.dat +- Related: rhbz#2160111 + +* Wed Jan 11 2023 Andrew Hughes - 1:17.0.6.0.10-1 +- Update to jdk-17.0.6.0+10 +- Update release notes to 17.0.6.0+10 +- Re-enable EA upstream status check now it is being actively maintained. +- Drop JDK-8294357 (tzdata2022d) & JDK-8295173 (tzdata2022e) local patches which are now upstream +- Drop JDK-8275535 local patch now this has been accepted and backported upstream +- Drop local copy of JDK-8293834 now this is upstream +- Require tzdata 2022g due to inclusion of JDK-8296108, JDK-8296715 & JDK-8297804 +- Update TestTranslations.java to test the new America/Ciudad_Juarez zone +- ** This tarball is embargoed until 2023-01-17 @ 1pm PT. ** +- Resolves: rhbz#2160111 + +* Sat Oct 15 2022 Andrew Hughes - 1:17.0.5.0.8-2 +- Update in-tree tzdata to 2022e with JDK-8294357 & JDK-8295173 +- Update CLDR data with Europe/Kyiv (JDK-8293834) +- Drop JDK-8292223 patch which we found to be unnecessary +- Update TestTranslations.java to use public API based on TimeZoneNamesTest upstream +- Related: rhbz#2160111 + +* Thu Oct 13 2022 Andrew Hughes - 1:17.0.5.0.8-1 +- Update to jdk-17.0.5+8 (GA) +- Update release notes to 17.0.5+8 (GA) +- Switch to GA mode for final release. +- * This tarball is embargoed until 2022-10-18 @ 1pm PT. * +- Resolves: rhbz#2133695 + +* Fri Sep 02 2022 Andrew Hughes - 1:17.0.4.1.1-2 +- Update FIPS support to bring in latest changes +- * RH2023467: Enable FIPS keys export +- * RH2104724: Avoid import/export of DH private keys +- * RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode +- * Build the systemconf library on all platforms +- * RH2048582: Support PKCS#12 keystores +- * RH2020290: Support TLS 1.3 in FIPS mode +- Resolves: rhbz#2123579 +- Resolves: rhbz#2123580 +- Resolves: rhbz#2123581 +- Resolves: rhbz#2123583 +- Resolves: rhbz#2123584 + +* Sun Aug 21 2022 Jayashree Huttanagoudar - 1:17.0.4.1.1-1 +- Added a missing change to portable NEWS file from upstream. + +* Sun Aug 21 2022 Andrew Hughes - 1:17.0.4.1.1-1 +- Update to jdk-17.0.4.1+1 +- Update release notes to 17.0.4.1+1 +- Add patch to provide translations for Europe/Kyiv added in tzdata2022b +- Add test to ensure timezones can be translated +- Resolves: rhbz#2119532 + +* Mon Jul 18 2022 Jayashree Huttanagoudar - 1:17.0.4.0.8-1 +- Commented out: fipsver f8142a23d0a which was from rhel-9-main +- Picked 17.0.4+8 GA tag from rhel-9.0.0 +- For Jul 2022 CPU fipsver is 765f970aef1 on rhel-9.0.0 + +* Mon Jul 18 2022 Andrew Hughes - 1:17.0.4.0.8-1 +- Update to jdk-17.0.4.0+8 (GA) +- Update release notes to 17.0.4.0+8 +- Need to include the '.S' suffix in debuginfo checks after JDK-8284661 +- Switch to GA mode for release +- ** This tarball is embargoed until 2022-07-19 @ 1pm PT. ** + +* Thu Jul 14 2022 Jayashree Huttanagoudar - 1:17.0.4.0.1-0.2.ea +- Fix issue where CheckVendor.java test erroneously passes when it should fail. +- Add proper quoting so '&' is not treated as a special character by the shell. +- Related: rhbz#2084779 + +* Tue Jul 12 2022 Jayashree Huttanagoudar - 1:17.0.4.0.1-0.1.ea +- Tweaked line to print release information for portable + +* Tue Jul 12 2022 Andrew Hughes - 1:17.0.4.0.1-0.1.ea +- Update to jdk-17.0.4.0+1 +- Update release notes to 17.0.4.0+1 +- Switch to EA mode for 17.0.4 pre-release builds. +- Print release file during build, which should now include a correct SOURCE value from .src-rev +- Update tarball script with IcedTea GitHub URL and .src-rev generation +- Include script to generate bug list for release notes +- Update tzdata requirement to 2022a to match JDK-8283350 +- Move EA designator check to prep so failures can be caught earlier +- Make EA designator check non-fatal while upstream is not maintaining it +- Related: rhbz#2084218 + +* Thu Jun 30 2022 Jayashree Huttanagoudar - 1:17.0.3.0.7-8 +- Comment line for portable: System security properties to be off by default + +* Thu Jun 30 2022 Francisco Ferrari Bihurriet - 1:17.0.3.0.7-8 +- RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode +- Resolves: rhbz#2102433 + +* Wed Jun 29 2022 Jayashree Huttanagoudar - 1:17.0.3.0.7-7 +- System security properties are disabled by default on portable. +- Commented out lines which are not applicable for portable. + +* Wed Jun 29 2022 Andrew Hughes - 1:17.0.3.0.7-7 +- Update FIPS support to bring in latest changes +- * RH2036462: sun.security.pkcs11.wrapper.PKCS11.getInstance breakage +- * RH2090378: Revert to disabling system security properties and FIPS mode support together +- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch +- Enable system security properties in the RPM (now disabled by default in the FIPS repo) +- Improve security properties test to check both enabled and disabled behaviour +- Run security properties test with property debugging on +- Resolves: rhbz#2099844 +- Resolves: rhbz#2100677 + +* Tue Jun 28 2022 Jayashree Huttanagoudar - 1:17.0.3.0.7-6 +- Removed upstreamed patch2001: aqaCheckSecurityAndProviderFileSocketPermissions.patch + +* Sun Jun 12 2022 Andrew Hughes - 1:17.0.3.0.7-6 +- Rebase FIPS patches from fips-17u branch and simplify by using a single patch from that repository +- Rebase RH1648249 nss.cfg patch so it applies after the FIPS patch +- RH2023467: Enable FIPS keys export +- RH2094027: SunEC runtime permission for FIPS +- Resolves: rhbz#2029657 +- Resolves: rhbz#2096117 + +* Wed May 25 2022 Andrew Hughes - 1:17.0.3.0.7-5 +- Exclude s390x from the gdb test on RHEL 7 where we see failures with the portable build + +* Tue May 24 2022 Jiri Vanek - 1:17.0.3.0.7-4 +- to pass aqa, fixing genuie failure in : +- java/lang/SecurityManager/CheckAccessClassInPackagePermissions.java#CheckAccessClassInPackagePermissions +- javax/xml/crypto/dsig/FileSocketPermissions.java#FileSocketPermissions +- added and applied patch2001: aqaCheckSecurityAndProviderFileSocketPermissions.patch +- this, properly named, patch must go to all our jdk17 builds, and to the fips repo + +* Thu May 19 2022 Jiri Vanek - 1:17.0.3.0.7-3 +- to pass aqa: +- removed copy system tzdb in favour of in-tree +- removed Patch2: rh1648644-java_access_bridge_privileged_security.patch +- This is not intended to release untill we decide proper steps + +* Thu May 19 2022 Jayashree Huttanagoudar - 1:17.0.3.0.7-2 +- Include BOOT_JDK for s390x for portable +- BOOT_JDK downlaoded form hydra as + java-17-temurin-17.0.3.7-0.private.ojdk17~upstream.hotspot.release.sdk.el7.s390x.tarxz + and renamed +- Added cosmetic changes to bypass a failure for s390x + +* Wed Apr 20 2022 Andrew Hughes - 1:17.0.3.0.7-1 +- April 2022 security update to jdk 17.0.3+7 +- Remove JDK-8284548 and JDK-8284920 they are upstreamed now +- Resolves: rhbz#2073579 + +* Sat Apr 16 2022 Andrew Hughes - 1:17.0.3.0.6-3 +- Add JDK-8284920 fix for XPath regression +- Related: rhbz#2073575 + +* Fri Apr 15 2022 Andrew Hughes - 1:17.0.3.0.6-2 +- Remove the patch jdk8283911-default_promoted_version_pre.patch which missed in previous commit +- JDK-8275082 should be listed as also resolving JDK-8278008 & CVE-2022-21476 +- Related: rhbz#2073575 + +* Mon Apr 11 2022 Andrew Hughes - 1:17.0.3.0.6-1 +- April 2022 security update to jdk 17.0.3+6 +- Update to jdk-17.0.3.0+6 pre-release tarball (17usec.17.0.3+5-220408) +- Add JDK-8284548 regression fix missing from pre-release tarball but in jdk-17.0.3+6/jdk-17.0.3-ga +- Update release notes to 17.0.3.0+6 +- Add missing README.md and generate_source_tarball.sh +- Introduce tests/tests.yml, based on the one in java-11-openjdk +- JDK-8283911 patch no longer needed now we're GA... +- Switch to GA mode for release +- ** This tarball is embargoed until 2022-04-19 @ 1pm PT. ** +- Resolves: rhbz#2073575 + +* Wed Apr 06 2022 Andrew Hughes - 1:17.0.3.0.5-0.1.ea +- Update to jdk-17.0.3.0+5 +- Update release notes to 17.0.3.0+5 +- Resolves: rhbz#2050460 + +* Tue Mar 29 2022 Andrew Hughes - 1:17.0.3.0.1-0.1.ea +- Update to jdk-17.0.3.0+1 +- Update release notes to 17.0.3.0+1 +- Switch to EA mode for 17.0.3 pre-release builds. +- Add JDK-8283911 to fix bad DEFAULT_PROMOTED_VERSION_PRE value +- Related: rhbz#2050456 + +* Mon Feb 28 2022 Jayashree Huttanagoudar - 1:17.0.2.0.8-10 +- Update icedtea_sync.sh with suitable message for portable + +* Mon Feb 28 2022 Andrew Hughes - 1:17.0.2.0.8-10 +- Restructure the build so a minimal initial build is then used for the final build (with docs) +- This reduces pressure on the system JDK and ensures the JDK being built can do a full build +- Turn off bootstrapping for slow debug builds, which are particularly slow on ppc64le. +- Handle Fedora in distro conditionals that currently only pertain to RHEL. +- Run OpenJDK normalizer script on the spec file to fix further rogue whitespace +- Sync gdb test with java-1.8.0-openjdk and improve architecture restrictions. +- Introduce stapinstall variable to set SystemTap arch directory correctly (e.g. arm64 on aarch64) +- Need to support noarch for creating source RPMs for non-scratch builds. +- Replace -mstackrealign with -mincoming-stack-boundary=2 -mpreferred-stack-boundary=4 on x86_32 for stack alignment +- Support a HotSpot-only build so a freshly built libjvm.so can then be used in the bootstrap JDK. +- Explicitly list JIT architectures rather than relying on those with slowdebug builds +- Disable the serviceability agent on Zero architectures even when the architecture itself is supported +- Resolves: rhbz#2022822 + +* Mon Feb 28 2022 Andrew Hughes - 1:17.0.2.0.8-9 +- Enable AlgorithmParameters and AlgorithmParameterGenerator services in FIPS mode +- Correction to previous changelog entry +- Resolves: rhbz#2052070 + +* Sun Feb 27 2022 Andrew Hughes - 1:17.0.2.0.8-8 +- Detect NSS at runtime for FIPS detection +- Resolves: rhbz#2051605 + +* Wed Feb 23 2022 Andrew Hughes - 1:17.0.2.0.8-7 +- Add JDK-8275535 patch to fix LDAP authentication issue. +- Resolves: rhbz#2053521 + +* Tue Feb 08 2022 Andrew Hughes - 1:17.0.2.0.8-6 +- Minor cosmetic improvements to make spec more comparable between variants +- Related: rhbz#2022822 + +* Thu Feb 03 2022 Andrew Hughes - 1:17.0.2.0.8-5 +- Update tapsets from IcedTea 6.x repository with fix for JDK-8015774 changes (_heap->_heaps) and @JAVA_SPEC_VER@ +- Related: rhbz#2022822 + +* Thu Feb 03 2022 Andrew Hughes - 1:17.0.2.0.8-4 +- Extend LTS check to exclude EPEL. +- Related: rhbz#2022822 + +* Tue Jan 18 2022 Andrew Hughes - 1:17.0.2.0.8-3 +- Separate crypto policy initialisation from FIPS initialisation, now they are no longer interdependent + +* Mon Jan 17 2022 Andrew Hughes - 1:17.0.2.0.8-2 +- Fix FIPS issues in native code and with initialisation of java.security.Security +- Related: rhbz#2039366 + +* Wed Jan 12 2022 Andrew Hughes - 1:17.0.2.0.8-1 +- January 2022 security update to jdk 17.0.2+8 +- Rebase RH1995150 & RH1996182 patches following JDK-8275863 addition to module-info.java +- Resolves: rhbz#2039366 +- Minor change to the OUTPUT_FILE value to separate the name from the version with '-' + +* Mon Nov 29 2021 Severin Gehwolf - 1:17.0.1.0.12-3 +- Use 'sql:' prefix in nss.fips.cfg as F35+ no longer ship the legacy + secmod.db file as part of nss +- Resolves: rhbz#2023537 + +* Tue Oct 26 2021 Andrew Hughes - 1:17.0.1.0.12-2 +- Drop JDK-8272332/RH2004078 patch which is upstream in 17.0.1 +- October CPU update to jdk 17.0.1+12 +- Allow plain key import to be disabled with -Dcom.redhat.fips.plainKeySupport=false +- Add patch to allow plain key import. + +* Mon Oct 25 2021 Jiri Vanek - 1:17.0.0.0.35-5 +- cacerts symlink is resolved before passed to configure +- https://issues.redhat.com/browse/OPENJDK-487 +- Disable FIPS mode detection using NSS in favour of using /proc/sys/crypto/fips_enabled for now, so we don't link against NSS +-- effectively disabled Patch1008: rh1929465-improve_system_FIPS_detection.patch by settng --enable-sysconf-nss to --disable-sysconf-nss +-- the enable-sysconf-nss was bringing in hard depndence on nss. Without nss, even in non fips, jvm had not even started + +* Thu Sep 30 2021 Jiri Vanek - 1:17.0.0.0.35-4 +- initial import, based on jdk11 portbale, merged with jdk17 rpms and java-latest-openjdk for epel7