rpms
/
java-21-openjdk-portable
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Sync with upcoming java-21-openjdk package in RHEL 

- Update documentation (README.md, add missing JEP to release notes)
- Replace alt-java patch with a binary separate from the JDK
- Drop stale patches that are of little use any more:
- * nss.cfg has been disabled since early PKCS11 work and long superseded by FIPS work
- * No accessibility subpackage to warrant RH1648242 patch any more
- * No use of system libjpeg turbo to warrant RH649512 patch any more
- Replace RH1684077 pcsc-lite-libs patch with better JDK-8009550 fix being upstreamed
- Update generate_tarball.sh to sync with upstream vanilla script
- Change top_level_dir_name to use the VCS tag, matching new upstream release style tarball
- Use upstream release URL for OpenJDK source
- Port misc tarball from RHEL to house alt-java outside the JDK tree
- Port improved tarball creation and checking from RHEL so tarballs are verified
This commit is contained in:
Andrew John Hughes 2023-09-15 18:23:53 +01:00
parent fff7874101
commit 4ec83bb3a6
14 changed files with 383 additions and 289 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -36,3 +36,4 @@
/openjdk-jdk20u-jdk-20.0.2+9.tar.xz
/openjdk-jdk21u-jdk-21+34.tar.xz
/openjdk-jdk21u-jdk-21+35.tar.xz
/openjdk-21+35.tar.xz

21
NEWS
View File

@ -76,6 +76,20 @@ an underscore character, _.
This is a preview feature (http://openjdk.java.net/jeps/12) introduced
in OpenJDK 21 (JEP 443).
Unnamed Classes and Instance Main Methods
=========================================
https://openjdk.org/jeps/445
Evolve the Java language so that students can write their first
programs without needing to understand language features designed for
large programs. Far from using a separate dialect of Java, students
can write streamlined declarations for single-class programs and then
seamlessly expand their programs to use more advanced features as
their skills grow.
This is a preview feature (http://openjdk.java.net/jeps/12) introduced
in OpenJDK 21 (JEP 445).
Library Features
================
@ -128,14 +142,15 @@ Virtual Threads
===============
https://openjdk.org/jeps/425
https://openjdk.org/jeps/436
https://openjdk.org/jeps/444
Introduce virtual threads to the Java Platform. Virtual threads are
lightweight threads that dramatically reduce the effort of writing,
maintaining, and observing high-throughput concurrent applications.
This is a preview feature (http://openjdk.java.net/jeps/12) introduced
in OpenJDK 19 (JEP 425) and reaching its second preview in OpenJDK 20
(JEP 436).
This was a preview feature (http://openjdk.java.net/jeps/12)
introduced in OpenJDK 19 (JEP 425) and reaching its second preview in
OpenJDK 20 (JEP 436). It became final with OpenJDK 21 (JEP 444).
Structured Concurrency
======================

24
README.md
View File

@ -1,16 +1,14 @@
# java-latest-openjdk-portable
This package contains the latest rolling release of OpenJDK. OpenJDK
has a release cadence of six months, with a new release in March and
September each year.
The java-latest-openjdk-portable package
=======
Rolling release of (usually) STSs OpenJDK
OpenJDK has release cadence of 6 months, but 3/4 of them are Short Term Supported for 6 months only. This package is designed to harbor them. Currently it is build of OpenJDK 12. LTSs will go also as separate packages.
The current release is OpenJDK 21. For a list of major changes from
OpenJDK 20, see the NEWS file included in this package and the
upstream release page:
JDK21 is current release of Java platform. It is bringing many cool improvements - https://openjdk.org/projects/jdk/21/ and is landing to your Fedora. Where it will be maintained for f28 and newer. Unluckily, this package is STS (short term support) version. Between individual LTS there will be always several STS. Again, please see announcement: http://mail.openjdk.java.net/pipermail/discuss/2017-September/004281.html and See java SIG plans: https://jvanek.fedorapeople.org/devconf/2018/changesInjavaReleaseProcess.pdf . So this is rolling release of all STSs to come. Its fate during the release of fresh LTS is yet to be decided. You will always be allowed to install LTS in fedora build root, alongside with latest STS via alternatives.
https://openjdk.java.net/projects/jdk/21/
See announcement: http://mail.openjdk.java.net/pipermail/discuss/2017-September/004281.html
See java SIG plans: https://jvanek.fedorapeople.org/devconf/2018/changesInjavaReleaseProcess.pdf
https://bugzilla.redhat.com/show_bug.cgi?id=1557371#c0
https://fedoraproject.org/wiki/Changes/java-openjdk-10
https://fedoraproject.org/wiki/Changes/java-11-openjdk-TechPreview
This package is intended for those who want to follow the latest
OpenJDK releases. Long term support versions of OpenJDK are available
in the java-1.8.0-openjdk, java-11-openjdk and java-17-openjdk
packages.

100
alt-java.c Normal file
View File

@ -0,0 +1,100 @@
/*
* Copyright (C) 2023 Red Hat, Inc.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License version 2 only, as
* published by the Free Software Foundation. Red Hat designates this
* particular file as subject to the "Classpath" exception as provided
* by Red Hat in the LICENSE file that accompanied this code.
*
* This code is distributed in the hope that it will be useful, but WITHOUT
* ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* version 2 for more details (a copy is included in the LICENSE file that
* accompanied this code).
*
* You should have received a copy of the GNU General Public License version
* 2 along with this work; if not, write to the Free Software Foundation,
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
*
*/
#include <errno.h>
#include <libgen.h>
#include <linux/limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <unistd.h>
/* Per task speculation control */
#ifndef PR_GET_SPECULATION_CTRL
# define PR_GET_SPECULATION_CTRL 52
#endif
#ifndef PR_SET_SPECULATION_CTRL
# define PR_SET_SPECULATION_CTRL 53
#endif
/* Speculation control variants */
#ifndef PR_SPEC_STORE_BYPASS
# define PR_SPEC_STORE_BYPASS 0
#endif
/* Return and control values for PR_SET/GET_SPECULATION_CTRL */
#ifndef PR_SPEC_NOT_AFFECTED
# define PR_SPEC_NOT_AFFECTED 0
#endif
#ifndef PR_SPEC_PRCTL
# define PR_SPEC_PRCTL (1UL << 0)
#endif
#ifndef PR_SPEC_ENABLE
# define PR_SPEC_ENABLE (1UL << 1)
#endif
#ifndef PR_SPEC_DISABLE
# define PR_SPEC_DISABLE (1UL << 2)
#endif
#ifndef PR_SPEC_FORCE_DISABLE
# define PR_SPEC_FORCE_DISABLE (1UL << 3)
#endif
#ifndef PR_SPEC_DISABLE_NOEXEC
# define PR_SPEC_DISABLE_NOEXEC (1UL << 4)
#endif
static void set_speculation() {
#if defined(__linux__) && defined(__x86_64__)
// PR_SPEC_DISABLE_NOEXEC doesn't survive execve, so we can't use it
// if ( prctl(PR_SET_SPECULATION_CTRL,
// PR_SPEC_STORE_BYPASS,
// PR_SPEC_DISABLE_NOEXEC, 0, 0) == 0 ) {
// return;
// }
prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);
#else
#warning alt-java requested but SSB mitigation not available on this platform.
#endif
}
int main(int argc, char **argv) {
set_speculation();
char our_name[PATH_MAX], java_name[PATH_MAX];
ssize_t len = readlink("/proc/self/exe", our_name, PATH_MAX - 1);
if (len < 0) {
perror("I can't find myself");
exit(2);
}
our_name[len] = '\0'; // readlink(2) doesn't append a null byte
char *path = dirname(our_name);
strncpy(java_name, path, PATH_MAX - 1);
size_t remaining_bytes = PATH_MAX - strlen(path) - 1;
strncat(java_name, "/java", remaining_bytes);
execv(java_name, argv);
fprintf(stderr, "%s failed to launch: %s\n", java_name, strerror(errno));
exit(1);
}

48
generate_source_tarball.sh
View File

@ -30,19 +30,20 @@ set -e
OPENJDK_URL_DEFAULT=https://github.com
COMPRESSION_DEFAULT=xz
# Corresponding IcedTea version
ICEDTEA_VERSION=15.0
if [ "x$1" = "xhelp" ] ; then
if [ "x$VERSION" = "x" ] ; then
VERSION="<unspecified>";
fi
echo -e "Behaviour may be specified by setting the following variables:\n"
echo "VERSION - the version of the specified OpenJDK project"
echo "VERSION - the version of the specified OpenJDK project (current value: ${VERSION})"
echo "PROJECT_NAME -- the name of the OpenJDK project being archived (optional; only needed by defaults)"
echo "REPO_NAME - the name of the OpenJDK repository (optional; only needed by defaults)"
echo "OPENJDK_URL - the URL to retrieve code from (optional; defaults to ${OPENJDK_URL_DEFAULT})"
echo "COMPRESSION - the compression type to use (optional; defaults to ${COMPRESSION_DEFAULT})"
echo "FILE_NAME_ROOT - name of the archive, minus extensions (optional; defaults to PROJECT_NAME-REPO_NAME-VERSION)"
echo "FILE_NAME_ROOT - name of the archive, minus extensions (optional; defaults to open${VERSION})"
echo "REPO_ROOT - the location of the Git repository to archive (optional; defaults to OPENJDK_URL/PROJECT_NAME/REPO_NAME)"
echo "TO_COMPRESS - what part of clone to pack (default is openjdk)"
echo "TO_COMPRESS - what part of clone to pack (default is ${VERSION})"
echo "BOOT_JDK - the bootstrap JDK to satisfy the configure run"
exit 1;
fi
@ -53,6 +54,7 @@ if [ "x$VERSION" = "x" ] ; then
exit 2
fi
echo "Version: ${VERSION}"
NUM_VER=${VERSION##jdk-}
RELEASE_VER=${NUM_VER%%+*}
BUILD_VER=${NUM_VER##*+}
@ -109,7 +111,7 @@ fi
echo "Creating a tar.${COMPRESSION} archive"
if [ "x$FILE_NAME_ROOT" = "x" ] ; then
FILE_NAME_ROOT=${PROJECT_NAME}-${REPO_NAME}-${VERSION}
FILE_NAME_ROOT=open${VERSION}
echo "No file name root specified; default to ${FILE_NAME_ROOT}"
fi
if [ "x$REPO_ROOT" = "x" ] ; then
@ -118,7 +120,7 @@ if [ "x$REPO_ROOT" = "x" ] ; then
fi;
if [ "x$TO_COMPRESS" = "x" ] ; then
TO_COMPRESS="openjdk"
TO_COMPRESS="${VERSION}"
echo "No targets to be compressed specified, ; default to ${TO_COMPRESS}"
fi;
@ -141,35 +143,35 @@ else
mkdir "${FILE_NAME_ROOT}"
pushd "${FILE_NAME_ROOT}"
echo "Cloning ${VERSION} root repository from ${REPO_ROOT}"
git clone -b ${VERSION} ${REPO_ROOT} openjdk
git clone -b ${VERSION} ${REPO_ROOT} ${VERSION}
popd
fi
pushd "${FILE_NAME_ROOT}"
# Generate .src-rev so build has knowledge of the revision the tarball was created from
mkdir build
pushd build
sh ${PWD}/../openjdk/configure --with-boot-jdk=${BOOT_JDK}
sh ${PWD}/../${VERSION}/configure --with-boot-jdk=${BOOT_JDK}
make store-source-revision
popd
rm -rf build
# Remove commit checks
echo "Removing $(find openjdk -name '.jcheck' -print)"
find openjdk -name '.jcheck' -print0 | xargs -0 rm -rf
echo "Removing $(find ${VERSION} -name '.jcheck' -print)"
find ${VERSION} -name '.jcheck' -print0 | xargs -0 rm -r
# Remove history and GHA
echo "find openjdk -name '.hgtags'"
find openjdk -name '.hgtags' -exec rm -fv '{}' '+'
echo "find openjdk -name '.hgignore'"
find openjdk -name '.hgignore' -exec rm -fv '{}' '+'
echo "find openjdk -name '.gitattributes'"
find openjdk -name '.gitattributes' -exec rm -fv '{}' '+'
echo "find openjdk -name '.gitignore'"
find openjdk -name '.gitignore' -exec rm -fv '{}' '+'
echo "find openjdk -name '.git'"
find openjdk -name '.git' -exec rm -rfv '{}' '+'
echo "find openjdk -name '.github'"
find openjdk -name '.github' -exec rm -rfv '{}' '+'
echo "find ${VERSION} -name '.hgtags'"
find ${VERSION} -name '.hgtags' -exec rm -v '{}' '+'
echo "find ${VERSION} -name '.hgignore'"
find ${VERSION} -name '.hgignore' -exec rm -v '{}' '+'
echo "find ${VERSION} -name '.gitattributes'"
find ${VERSION} -name '.gitattributes' -exec rm -v '{}' '+'
echo "find ${VERSION} -name '.gitignore'"
find ${VERSION} -name '.gitignore' -exec rm -v '{}' '+'
echo "find ${VERSION} -name '.git'"
find ${VERSION} -name '.git' -exec rm -rv '{}' '+'
echo "find ${VERSION} -name '.github'"
find ${VERSION} -name '.github' -exec rm -rv '{}' '+'
echo "Compressing remaining forest"
if [ "X$COMPRESSION" = "Xxz" ] ; then

166
java-latest-openjdk-portable.spec
View File

@ -257,12 +257,6 @@
%global ourcppflags %(echo %ourflags | sed -e 's|-fexceptions||')
%global ourldflags %{__global_ldflags}
# With disabled nss is NSS deactivated, so NSS_LIBDIR can contain the wrong path
# the initialization must be here. Later the pkg-config have buggy behavior
# looks like openjdk RPM specific bug
# Always set this so the nss.cfg file is not broken
%global NSS_LIBDIR %(pkg-config --variable=libdir nss)
# In some cases, the arch used by the JDK does
# not match _arch.
# Also, in some cases, the machine name used by SystemTap
@ -388,10 +382,10 @@
# Standard JPackage naming and versioning defines
%global origin openjdk
%global origin_nice OpenJDK
%global top_level_dir_name %{origin}
%global top_level_dir_name %{vcstag}
%global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 35
%global rpmrelease 2
%global rpmrelease 3
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@ -444,6 +438,7 @@
%global static_libs_install_dir %{static_libs_arch_dir}/glibc
# output dir stub
%define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}}
%global altjavaoutputdir install/altjava.install
# we can copy the javadoc to not arched dir, or make it not noarch
%define uniquejavadocdir() %{expand:%{fullversion}.%{_arch}%{?1}}
# main id and dir of this jdk
@ -464,6 +459,8 @@
# Intentionally use jdkportablenameimpl here since we want to have static-libs files overlayed on
# top of the JDK archive
%define staticlibsportablename() %{expand:%{jdkportablenameimpl -- %%{1}}}
%define miscportablename() %(echo %{uniquesuffix ""} | sed "s;%{version}-%{release};\\0.portable%{1}.misc;g" | sed "s;openjdkportable;el;g")
%define miscportablearchive() %{miscportablename}.tar.xz
# RPM 4.19 no longer accept our double percentaged %%{nil} passed to %%{1}
# so we have to pass in "" but evaluate it, otherwise files record will include it
@ -548,6 +545,8 @@ ExcludeArch: %{ix86}
%define java_static_libs_rpo() %{expand:
}
%define java_misc_rpo() %{expand:
}
# Prevent brp-java-repack-jars from being run
%global __jar_repack 0
@ -598,7 +597,7 @@ URL: http://openjdk.java.net/
# The source tarball, generated using generate_source_tarball.sh
Source0: openjdk-jdk%{featurever}u-%{vcstag}.tar.xz
Source0: https://openjdk-sources.osci.io/openjdk%{featurever}/open%{vcstag}.tar.xz
# Use 'icedtea_sync.sh' to update the following
# They are based on code contained in the IcedTea project (6.x).
@ -613,8 +612,8 @@ Source0: openjdk-jdk%{featurever}u-%{vcstag}.tar.xz
# Release notes
Source10: NEWS
# nss configuration file
Source11: nss.cfg.in
# Source code for alt-java
Source11: alt-java.c
# Removed libraries that we link instead
# Disabled in portables
@ -649,20 +648,6 @@ Source1004: ojdk17-s390x-17.35.tar.gz
#
############################################
# NSS via SunPKCS11 Provider (disabled comment
# due to memory leak).
Patch1000: rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
# RH1750419: enable build of speculative store bypass hardened alt-java (CVE-2018-3639)
Patch600: rh1750419-redhat_alt_java.patch
# Ignore AWTError when assistive technologies are loaded
Patch1: rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
# Restrict access to java-atk-wrapper classes
Patch2: rh1648644-java_access_bridge_privileged_security.patch
Patch3: rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
# Depend on pcsc-lite-libs instead of pcsc-lite-devel as this is only in optional repo
Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
# Crypto policy and FIPS support patches
# Patch is generated from the fips-21u tree at https://github.com/rh-openjdk/jdk/tree/fips-21u
# as follows: git diff %%{vcstag} src make test > fips-21u-$(git show -s --format=%h HEAD).patch
@ -688,7 +673,8 @@ Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-d
# RH2090378: Revert to disabling system security properties and FIPS mode support together
# RH2104724: Avoid import/export of DH private keys
# RH2092507: P11Key.getEncoded does not work for DH keys in FIPS mode
# RH2048582: Support PKCS#12 keystores
# Build the systemconf library on all platforms
# RH2048582: Support PKCS#12 keystores [now part of JDK-8301553 upstream]
# RH2020290: Support TLS 1.3 in FIPS mode
# Add nss.fips.cfg support to OpenJDK tree
# RH2117972: Extend the support for NSS DBs (PKCS11) in FIPS mode
@ -697,15 +683,17 @@ Patch6: rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-d
# RH2134669: Add missing attributes when registering services in FIPS mode.
# test/jdk/sun/security/pkcs11/fips/VerifyMissingAttributes.java: fixed jtreg main class
# RH1940064: Enable XML Signature provider in FIPS mode
# Build the systemconf library on all platforms
# Remove GCC minor versioning (JDK-8284772) to unbreak testing
Patch1001: fips-21u-%{fipsver}.patch
# RH2173781: Avoid calling C_GetInfo() too early, before cryptoki is initialized [now part of JDK-8301553 upstream]
Patch1001: fips-%{featurever}u-%{fipsver}.patch
#############################################
#
# OpenJDK patches in need of upstreaming
#
#############################################
# JDK-8009550, RH910107: Depend on pcsc-lite-libs instead of pcsc-lite-devel as this is only in optional repo
# PR: https://github.com/openjdk/jdk/pull/15409
Patch6: jdk8009550-rh910107-fail_to_load_pcsc_library.patch
#############################################
#
@ -746,7 +734,7 @@ BuildRequires: libXrandr-devel
BuildRequires: libXrender-devel
BuildRequires: libXt-devel
BuildRequires: libXtst-devel
# Requirement for setting up nss.cfg and nss.fips.cfg
# Requirement for setting up nss.fips.cfg
BuildRequires: nss-devel
# Requirement for system security property test
%if (0%{?rhel} > 0 && 0%{?rhel} < 8)
@ -916,6 +904,14 @@ The %{origin_nice} %{featurever} libraries for static linking - portable edition
# staticlibs
%endif
%package misc
Summary: %{origin_nice} %{featurever} miscellany
%{java_misc_rpo %{nil}}
%description misc
The %{origin_nice} %{featurever} miscellany.
%package sources
Summary: %{origin_nice} %{featurever} full patched sources of portable JDK
@ -979,18 +975,12 @@ sh %{SOURCE12} %{top_level_dir_name}
# Patch the JDK
pushd %{top_level_dir_name}
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch6 -p1
# Add crypto policy and FIPS support
%patch1001 -p1
# nss.cfg PKCS11 support; must come last as it also alters java.security
%patch1000 -p1
# Patches in need of upstreaming
%patch6 -p1
popd # openjdk
%patch600
# The OpenJDK version file includes the current
# upstream version information. For some reason,
# configure does not automatically use the
@ -1043,9 +1033,6 @@ done
# Prepare desktop files
# Portables do not have desktop integration
# Setup nss.cfg
sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
%build
%if (0%{?rhel} > 0 && 0%{?rhel} < 8)
mkdir bootjdk
@ -1100,6 +1087,10 @@ EXTRA_CPP_FLAGS="$(echo ${EXTRA_CPP_FLAGS} | sed -e 's|-mstackrealign|-mincoming
%endif
export EXTRA_CFLAGS EXTRA_CPP_FLAGS
echo "Building %{SOURCE11}"
mkdir -p %{altjavaoutputdir}
gcc ${EXTRA_CFLAGS} -o %{altjavaoutputdir}/%{alt_java_name} %{SOURCE11}
function buildjdk() {
local outputdir=${1}
local buildjdk=${2}
@ -1204,9 +1195,6 @@ function installjdk() {
find ${imagepath} -iname '*.so' -exec chmod +x {} \;
find ${imagepath}/bin/ -exec chmod +x {} \;
# Install nss.cfg right away as we will be using the JRE above
install -m 644 nss.cfg ${imagepath}/conf/security/
# Create fake alt-java as a placeholder for future alt-java
if [ -d man/man1 ] ; then
pushd ${imagepath}
@ -1294,10 +1282,25 @@ EOF
fi
}
function genchecksum() {
local checkedfile=${1}
checkdir=$(dirname ${1})
checkfile=$(basename ${1})
echo "Generating checksum for ${checkfile} in ${checkdir}..."
pushd ${checkdir}
sha256sum ${checkfile} > ${checkfile}.sha256sum
sha256sum --check ${checkfile}.sha256sum
popd
}
packagesdir=$(pwd)/..
pwd
ls -l
tar -cJf ../%{jdkportablesourcesarchive -- ""} --transform "s|^|%{jdkportablesourcesname -- ""}/|" openjdk nss*
sha256sum ../%{jdkportablesourcesarchive -- ""} > ../%{jdkportablesourcesarchive -- ""}.sha256sum
tar -cJf ${packagesdir}/%{jdkportablesourcesarchive -- ""} --transform "s|^|%{jdkportablesourcesname -- ""}/|" %{top_level_dir_name}
genchecksum ${packagesdir}/%{jdkportablesourcesarchive -- ""}
%if %{build_hotspot_first}
# Build a fresh libjvm.so first and use it to bootstrap
@ -1410,12 +1413,12 @@ for suffix in %{build_loop} ; do
mv %{jdkimage} %{jdkportablename -- "$nameSuffix"}
mv %{jreimage} %{jreportablename -- "$nameSuffix"}
tar -cJf ../../../../%{jdkportablearchive -- "$nameSuffix"} --exclude='**.debuginfo' %{jdkportablename -- "$nameSuffix"}
sha256sum ../../../../%{jdkportablearchive -- "$nameSuffix"} > ../../../../%{jdkportablearchive -- "$nameSuffix"}.sha256sum
tar -cJf ../../../../%{jreportablearchive -- "$nameSuffix"} --exclude='**.debuginfo' %{jreportablename -- "$nameSuffix"}
sha256sum ../../../../%{jreportablearchive -- "$nameSuffix"} > ../../../../%{jreportablearchive -- "$nameSuffix"}.sha256sum
tar -cJf ${packagesdir}/%{jdkportablearchive -- "$nameSuffix"} --exclude='**.debuginfo' %{jdkportablename -- "$nameSuffix"}
genchecksum ${packagesdir}/%{jdkportablearchive -- "$nameSuffix"}
tar -cJf ${packagesdir}/%{jreportablearchive -- "$nameSuffix"} --exclude='**.debuginfo' %{jreportablename -- "$nameSuffix"}
genchecksum ${packagesdir}/%{jreportablearchive -- "$nameSuffix"}
# copy licenses so they are avialable out of tarball
cp -rf %{jdkportablename -- "$nameSuffix"}/legal ../../../../%{jdkportablearchive -- "%{normal_suffix}"}-legal
cp -rf %{jdkportablename -- "$nameSuffix"}/legal ${packagesdir}/%{jdkportablearchive -- "%{normal_suffix}"}-legal
mv %{jdkportablename -- "$nameSuffix"} %{jdkimage}
mv %{jreportablename -- "$nameSuffix"} %{jreimage}
popd #images
@ -1426,8 +1429,8 @@ for suffix in %{build_loop} ; do
# Tar as overlay. Transform to the JDK name, since we just want to "add"
# static libraries to that folder
portableJDKname=%{staticlibsportablename -- "$nameSuffix"}
tar -cJf ../../../../%{staticlibsportablearchive -- "$nameSuffix"} --transform "s|^%{static_libs_image}/lib/*|$portableJDKname/lib/static/linux-%{archinstall}/glibc/|" "%{static_libs_image}/lib"
sha256sum ../../../../%{staticlibsportablearchive -- "$nameSuffix"} > ../../../../%{staticlibsportablearchive -- "$nameSuffix"}.sha256sum
tar -cJf ${packagesdir}/%{staticlibsportablearchive -- "$nameSuffix"} --transform "s|^%{static_libs_image}/lib/*|$portableJDKname/lib/static/linux-%{archinstall}/glibc/|" "%{static_libs_image}/lib"
genchecksum ${packagesdir}/%{staticlibsportablearchive -- "$nameSuffix"}
popd #staticlibs-images
%endif
################################################################################
@ -1437,10 +1440,26 @@ for suffix in %{build_loop} ; do
# build cycles
done # end of release / debug cycle loop
# These are from the source tree so no debug variants
miscname=%{miscportablename}
miscarchive=${packagesdir}/%{miscportablearchive}
mkdir ${miscname}
cp -av %{altjavaoutputdir}/%{alt_java_name} ${miscname}
tar -cJf ${miscarchive} ${miscname}
genchecksum ${miscarchive}
%install
packagesdir=$(pwd)/..
mkdir -p $RPM_BUILD_ROOT%{_jvmdir}
mv ../%{jdkportablesourcesarchive -- ""} $RPM_BUILD_ROOT%{_jvmdir}/
mv ../%{jdkportablesourcesarchive -- ""}.sha256sum $RPM_BUILD_ROOT%{_jvmdir}/
# Install outside the loop as there are no debug variants
miscarchive=${packagesdir}/%{miscportablearchive}
mv ${packagesdir}/%{jdkportablesourcesarchive -- ""} $RPM_BUILD_ROOT%{_jvmdir}/
mv ${packagesdir}/%{jdkportablesourcesarchive -- ""}.sha256sum $RPM_BUILD_ROOT%{_jvmdir}/
mv ${miscarchive} $RPM_BUILD_ROOT%{_jvmdir}/
mv ${miscarchive}.sha256sum $RPM_BUILD_ROOT%{_jvmdir}/
for suffix in %{build_loop} ; do
top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}}
@ -1451,13 +1470,13 @@ top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}}
else
nameSuffix=`echo "$suffix"| sed s/-/./`
fi
mv ../%{jdkportablearchive -- "$nameSuffix"} $RPM_BUILD_ROOT%{_jvmdir}/
mv ../%{jdkportablearchive -- "$nameSuffix"}.sha256sum $RPM_BUILD_ROOT%{_jvmdir}/
mv ../%{jreportablearchive -- "$nameSuffix"} $RPM_BUILD_ROOT%{_jvmdir}/
mv ../%{jreportablearchive -- "$nameSuffix"}.sha256sum $RPM_BUILD_ROOT%{_jvmdir}/
mv ${packagesdir}/%{jdkportablearchive -- "$nameSuffix"} $RPM_BUILD_ROOT%{_jvmdir}/
mv ${packagesdir}/%{jdkportablearchive -- "$nameSuffix"}.sha256sum $RPM_BUILD_ROOT%{_jvmdir}/
mv ${packagesdir}/%{jreportablearchive -- "$nameSuffix"} $RPM_BUILD_ROOT%{_jvmdir}/
mv ${packagesdir}/%{jreportablearchive -- "$nameSuffix"}.sha256sum $RPM_BUILD_ROOT%{_jvmdir}/
%if %{include_staticlibs}
mv ../%{staticlibsportablearchive -- "$nameSuffix"} $RPM_BUILD_ROOT%{_jvmdir}/
mv ../%{staticlibsportablearchive -- "$nameSuffix"}.sha256sum $RPM_BUILD_ROOT%{_jvmdir}/
mv ${packagesdir}/%{staticlibsportablearchive -- "$nameSuffix"} $RPM_BUILD_ROOT%{_jvmdir}/
mv ${packagesdir}/%{staticlibsportablearchive -- "$nameSuffix"}.sha256sum $RPM_BUILD_ROOT%{_jvmdir}/
%endif
if [ "x$suffix" == "x" ] ; then
dnameSuffix="$nameSuffix".debuginfo
@ -1471,7 +1490,7 @@ done
################################################################################
# the licenses are packed onloy once and shared
mkdir -p $RPM_BUILD_ROOT%{unpacked_licenses}
mv ../%{jdkportablearchive -- "%{normal_suffix}"}-legal $RPM_BUILD_ROOT%{unpacked_licenses}/%{jdkportablesourcesarchive -- "%{normal_suffix}"}
mv ${packagesdir}/%{jdkportablearchive -- "%{normal_suffix}"}-legal $RPM_BUILD_ROOT%{unpacked_licenses}/%{jdkportablesourcesarchive -- "%{normal_suffix}"}
# To show sha in the build log
for file in `ls $RPM_BUILD_ROOT%{_jvmdir}/*.sha256sum` ; do ls -l $file ; cat $file ; done
################################################################################
@ -1513,10 +1532,11 @@ $JAVA_HOME/bin/java ${SEC_DEBUG} -Djava.security.disableSystemPropertiesFile=fal
if ! nm $JAVA_HOME/bin/java | grep set_speculation ; then true ; else false; fi
# Check alt-java launcher has SSB mitigation on supported architectures
# set_speculation function exists in both cases, so check for prctl call
%ifarch %{ssbd_arches}
nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation
nm %{altjavaoutputdir}/%{alt_java_name} | grep prctl
%else
if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; else false; fi
if ! nm %{altjavaoutputdir}/%{alt_java_name} | grep prctl ; then true ; else false; fi
%endif
# Check correct vendor values have been set
@ -1627,7 +1647,25 @@ done
%{_jvmdir}/%{jdkportablesourcesarchiveForFiles}.sha256sum
%license %{unpacked_licenses}/%{jdkportablesourcesarchiveForFiles}
%files misc
%{_jvmdir}/%{miscportablearchive}
%{_jvmdir}/%{miscportablearchive}.sha256sum
%changelog
* Fri Sep 15 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:21.0.0.0.35-3.rolling
- Update documentation (README.md, add missing JEP to release notes)
- Replace alt-java patch with a binary separate from the JDK
- Drop stale patches that are of little use any more:
- * nss.cfg has been disabled since early PKCS11 work and long superseded by FIPS work
- * No accessibility subpackage to warrant RH1648242 patch any more
- * No use of system libjpeg turbo to warrant RH649512 patch any more
- Replace RH1684077 pcsc-lite-libs patch with better JDK-8009550 fix being upstreamed
- Update generate_tarball.sh to sync with upstream vanilla script
- Change top_level_dir_name to use the VCS tag, matching new upstream release style tarball
- Use upstream release URL for OpenJDK source
- Port misc tarball from RHEL to house alt-java outside the JDK tree
- Port improved tarball creation and checking from RHEL so tarballs are verified
* Thu Sep 14 2023 Andrew Hughes <gnu.andrew@redhat.com> - 1:21.0.0.0.35-2.rolling
- Bump buildjdkver now that java-21-openjdk is available in the buildroot

125
jdk8009550-rh910107-fail_to_load_pcsc_library.patch Normal file
View File

@ -0,0 +1,125 @@
commit d0523302416bc6507696f20d1068f16427bcf6b8
Author: Andrew Hughes <gnu.andrew@redhat.com>
Date: Thu Aug 24 01:23:49 2023 +0100
8009550: PlatformPCSC should load versioned so
diff --git a/src/java.base/share/classes/sun/security/util/Debug.java b/src/java.base/share/classes/sun/security/util/Debug.java
index bff273c6548..e5a6b288ff8 100644
--- a/src/java.base/share/classes/sun/security/util/Debug.java
+++ b/src/java.base/share/classes/sun/security/util/Debug.java
@@ -81,6 +81,7 @@ public static void Help()
System.err.println("logincontext login context results");
System.err.println("jca JCA engine class debugging");
System.err.println("keystore KeyStore debugging");
+ System.err.println("pcsc Smartcard library debugging");
System.err.println("policy loading and granting");
System.err.println("provider security provider debugging");
System.err.println("pkcs11 PKCS11 session manager debugging");
diff --git a/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java b/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java
index bacff32efbc..d9f605ada1e 100644
--- a/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java
+++ b/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java
@@ -1,5 +1,6 @@
/*
* Copyright (c) 2005, 2021, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2023, Red Hat Inc. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -46,8 +47,13 @@ class PlatformPCSC {
private static final String PROP_NAME = "sun.security.smartcardio.library";
- private static final String LIB1 = "/usr/$LIBISA/libpcsclite.so";
- private static final String LIB2 = "/usr/local/$LIBISA/libpcsclite.so";
+ private static final String[] LIB_TEMPLATES = { "/usr/$LIBISA/libpcsclite.so",
+ "/usr/local/$LIBISA/libpcsclite.so",
+ "/usr/lib/$ARCH-linux-gnu/libpcsclite.so",
+ "/usr/lib/arm-linux-gnueabi/libpcsclite.so",
+ "/usr/lib/arm-linux-gnueabihf/libpcsclite.so",
+ "/usr/lib/$ARCH-kfreebsd-gnu/libpcsclite.so" };
+ private static final String[] LIB_SUFFIXES = { ".1", ".0", "" };
private static final String PCSC_FRAMEWORK = "/System/Library/Frameworks/PCSC.framework/Versions/Current/PCSC";
PlatformPCSC() {
@@ -73,23 +79,38 @@ public Throwable run() {
});
// expand $LIBISA to the system specific directory name for libraries
+ // expand $ARCH to the Debian system architecture in use
private static String expand(String lib) {
int k = lib.indexOf("$LIBISA");
- if (k == -1) {
- return lib;
+ if (k != -1) {
+ String libDir;
+ if ("64".equals(System.getProperty("sun.arch.data.model"))) {
+ // assume Linux convention
+ libDir = "lib64";
+ } else {
+ // must be 32-bit
+ libDir = "lib";
+ }
+ lib = lib.replace("$LIBISA", libDir);
}
- String s1 = lib.substring(0, k);
- String s2 = lib.substring(k + 7);
- String libDir;
- if ("64".equals(System.getProperty("sun.arch.data.model"))) {
- // assume Linux convention
- libDir = "lib64";
- } else {
- // must be 32-bit
- libDir = "lib";
+
+ k = lib.indexOf("$ARCH");
+ if (k != -1) {
+ String arch = System.getProperty("os.arch");
+ lib = lib.replace("$ARCH", getDebianArchitecture(arch));
}
- String s = s1 + libDir + s2;
- return s;
+
+ return lib;
+ }
+
+ private static String getDebianArchitecture(String jdkArch) {
+ return switch (jdkArch) {
+ case "amd64" -> "x86_64";
+ case "ppc" -> "powerpc";
+ case "ppc64" -> "powerpc64";
+ case "ppc64le" -> "powerpc64le";
+ default -> jdkArch;
+ };
}
private static String getLibraryName() throws IOException {
@@ -98,15 +119,18 @@ private static String getLibraryName() throws IOException {
if (lib.length() != 0) {
return lib;
}
- lib = expand(LIB1);
- if (new File(lib).isFile()) {
- // if LIB1 exists, use that
- return lib;
- }
- lib = expand(LIB2);
- if (new File(lib).isFile()) {
- // if LIB2 exists, use that
- return lib;
+
+ for (String template : LIB_TEMPLATES) {
+ for (String suffix : LIB_SUFFIXES) {
+ lib = expand(template) + suffix;
+ if (debug != null) {
+ debug.println("Looking for " + lib);
+ }
+ if (new File(lib).isFile()) {
+ // if library exists, use that
+ return lib;
+ }
+ }
}
// As of macos 11, framework libraries have been removed from the file

5
nss.cfg.in
View File

@ -1,5 +0,0 @@
name = NSS
nssLibraryDirectory = @NSS_LIBDIR@
nssDbMode = noDb
attributes = compatibility
handleStartupErrors = ignoreMultipleInitialisation

16
rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch
View File

@ -1,16 +0,0 @@
diff -r 618ad1237e73 src/java.desktop/share/classes/java/awt/Toolkit.java
--- a/src/java.desktop/share/classes/java/awt/Toolkit.java Thu Jun 13 19:37:49 2019 +0200
+++ b/src/java.desktop/share/classes/java/awt/Toolkit.java Thu Jul 04 10:35:42 2019 +0200
@@ -595,7 +595,11 @@
toolkit = new HeadlessToolkit(toolkit);
}
if (!GraphicsEnvironment.isHeadless()) {
- loadAssistiveTechnologies();
+ try {
+ loadAssistiveTechnologies();
+ } catch (AWTError error) {
+ // ignore silently
+ }
}
}
return toolkit;

13
rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch
View File

@ -1,13 +0,0 @@
diff --git openjdk.orig/src/java.base/share/conf/security/java.security openjdk/src/java.base/share/conf/security/java.security
index 68a9c1a2d08..7aa25eb2cb7 100644
--- openjdk.orig/src/java.base/share/conf/security/java.security
+++ openjdk/src/java.base/share/conf/security/java.security
@@ -78,6 +78,7 @@ security.provider.tbd=SunMSCAPI
security.provider.tbd=Apple
#endif
security.provider.tbd=SunPKCS11
+#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
#
# Security providers used when FIPS mode support is active

15
rh1684077-openjdk_should_depend_on_pcsc-lite-libs_instead_of_pcsc-lite-devel.patch
View File

@ -1,15 +0,0 @@
diff --git a/openjdk/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java b/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java
index bacff32efbc..ff7b3dcc81c 100644
--- openjdk/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java
+++ openjdk/src/java.smartcardio/unix/classes/sun/security/smartcardio/PlatformPCSC.java
@@ -46,8 +46,8 @@ class PlatformPCSC {
private static final String PROP_NAME = "sun.security.smartcardio.library";
- private static final String LIB1 = "/usr/$LIBISA/libpcsclite.so";
- private static final String LIB2 = "/usr/local/$LIBISA/libpcsclite.so";
+ private static final String LIB1 = "/usr/$LIBISA/libpcsclite.so.1";
+ private static final String LIB2 = "/usr/local/$LIBISA/libpcsclite.so.1";
private static final String PCSC_FRAMEWORK = "/System/Library/Frameworks/PCSC.framework/Versions/Current/PCSC";
PlatformPCSC() {

117
rh1750419-redhat_alt_java.patch
View File

@ -1,117 +0,0 @@
diff --git openjdk.orig/make/modules/java.base/Launcher.gmk openjdk/make/modules/java.base/Launcher.gmk
index 700ddefda49..2882de68eb2 100644
--- openjdk.orig/make/modules/java.base/Launcher.gmk
+++ openjdk/make/modules/java.base/Launcher.gmk
@@ -41,6 +41,14 @@ $(eval $(call SetupBuildLauncher, java, \
OPTIMIZATION := HIGH, \
))
+#Wno-error=cpp is present to allow commented warning in ifdef part of main.c
+$(eval $(call SetupBuildLauncher, alt-java, \
+ CFLAGS := -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES -DREDHAT_ALT_JAVA -Wno-error=cpp, \
+ EXTRA_RCFLAGS := $(JAVA_RCFLAGS), \
+ VERSION_INFO_RESOURCE := $(JAVA_VERSION_INFO_RESOURCE), \
+ OPTIMIZATION := HIGH, \
+))
+
ifeq ($(call isTargetOs, windows), true)
$(eval $(call SetupBuildLauncher, javaw, \
CFLAGS := -DJAVAW -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES, \
diff --git openjdk.orig/src/java.base/share/native/launcher/alt_main.h openjdk/src/java.base/share/native/launcher/alt_main.h
new file mode 100644
index 00000000000..697df2898ac
--- /dev/null
+++ openjdk/src/java.base/share/native/launcher/alt_main.h
@@ -0,0 +1,73 @@
+/*
+ * Copyright (c) 2019, Red Hat, Inc. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation. Oracle designates this
+ * particular file as subject to the "Classpath" exception as provided
+ * by Oracle in the LICENSE file that accompanied this code.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+#ifdef REDHAT_ALT_JAVA
+
+#include <sys/prctl.h>
+
+
+/* Per task speculation control */
+#ifndef PR_GET_SPECULATION_CTRL
+# define PR_GET_SPECULATION_CTRL 52
+#endif
+#ifndef PR_SET_SPECULATION_CTRL
+# define PR_SET_SPECULATION_CTRL 53
+#endif
+/* Speculation control variants */
+#ifndef PR_SPEC_STORE_BYPASS
+# define PR_SPEC_STORE_BYPASS 0
+#endif
+/* Return and control values for PR_SET/GET_SPECULATION_CTRL */
+
+#ifndef PR_SPEC_NOT_AFFECTED
+# define PR_SPEC_NOT_AFFECTED 0
+#endif
+#ifndef PR_SPEC_PRCTL
+# define PR_SPEC_PRCTL (1UL << 0)
+#endif
+#ifndef PR_SPEC_ENABLE
+# define PR_SPEC_ENABLE (1UL << 1)
+#endif
+#ifndef PR_SPEC_DISABLE
+# define PR_SPEC_DISABLE (1UL << 2)
+#endif
+#ifndef PR_SPEC_FORCE_DISABLE
+# define PR_SPEC_FORCE_DISABLE (1UL << 3)
+#endif
+#ifndef PR_SPEC_DISABLE_NOEXEC
+# define PR_SPEC_DISABLE_NOEXEC (1UL << 4)
+#endif
+
+static void set_speculation() __attribute__((constructor));
+static void set_speculation() {
+ if ( prctl(PR_SET_SPECULATION_CTRL,
+ PR_SPEC_STORE_BYPASS,
+ PR_SPEC_DISABLE_NOEXEC, 0, 0) == 0 ) {
+ return;
+ }
+ prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);
+}
+
+#endif // REDHAT_ALT_JAVA
diff --git openjdk.orig/src/java.base/share/native/launcher/main.c openjdk/src/java.base/share/native/launcher/main.c
index b734fe2ba78..79dc8307650 100644
--- openjdk.orig/src/java.base/share/native/launcher/main.c
+++ openjdk/src/java.base/share/native/launcher/main.c
@@ -34,6 +34,14 @@
#include "jli_util.h"
#include "jni.h"
+#ifdef REDHAT_ALT_JAVA
+#if defined(__linux__) && defined(__x86_64__)
+#include "alt_main.h"
+#else
+#warning alt-java requested but SSB mitigation not available on this platform.
+#endif
+#endif
+
/*
* Entry point.
*/

19
rh649512-remove_uses_of_far_in_jpeg_libjpeg_turbo_1_4_compat_for_jdk10_and_up.patch
View File

@ -1,19 +0,0 @@
Remove uses of FAR in jpeg code
Upstream libjpeg-trubo removed the (empty) FAR macro:
http://sourceforge.net/p/libjpeg-turbo/code/1312/
Adjust our code to not use the undefined FAR macro anymore.
diff --git a/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c b/jdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c
--- openjdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c
+++ openjdk/src/java.desktop/share/native/libjavajpeg/imageioJPEG.c
@@ -1385,7 +1385,7 @@
/* and fill it in */
dst_ptr = icc_data;
for (seq_no = first; seq_no < last; seq_no++) {
- JOCTET FAR *src_ptr = icc_markers[seq_no]->data + ICC_OVERHEAD_LEN;
+ JOCTET *src_ptr = icc_markers[seq_no]->data + ICC_OVERHEAD_LEN;
unsigned int length =
icc_markers[seq_no]->data_length - ICC_OVERHEAD_LEN;

2
sources
View File

@ -1 +1 @@
SHA512 (openjdk-jdk21u-jdk-21+35.tar.xz) = 5961f12ff9828856e5ce7847a06177a6761088dbefbcac05512a7c3433d45154f6d59872cd00268fecd987128e623bb343d9879b26f6c6c811e6d6713d1b17a2
SHA512 (openjdk-21+35.tar.xz) = 311e954cc8d28a336b85efc05baade8945fe5292ae2d91cc7ff71c6b3a1830b1a4b9fc641f87e68a4b3db175eb5c21a18664457715da9b37720c5d4b3eb67195