Add forgotten changelog

Generated new sources and removed obsoleted patch

.gitignore

@@ -1,2 +1,18 @@
 /jdk-jdk12-jdk-12+33.tar.xz
 /systemtap_3.2_tapsets_hg-icedtea8-9d464368e06d.tar.xz
+/jdk-updates-jdk12u-jdk-12.0.1+12.tar.xz
+/jdk-updates-jdk12u-jdk-12.0.2+9.tar.xz
+/jdk-jdk13-jdk-13+27.tar.xz
+/jdk-jdk13-jdk-13+28.tar.xz
+/jdk-jdk13-jdk-13+33.tar.xz
+/jdk-updates-jdk13u-jdk-13.0.1+9.tar.xz
+/jdk-updates-jdk13u-jdk-13.0.2+8.tar.xz
+/jdk-jdk14-jdk-14+36.tar.xz
+/jdk-updates-jdk14u-jdk-14.0.1+7.tar.xz
+/jdk-updates-jdk14u-jdk-14.0.2+12.tar.xz
+/jdk-jdk15-jdk-15+36.tar.xz
+/jdk-updates-jdk15u-jdk-15.0.1+9.tar.xz
+/tapsets-icedtea-3.15.0.tar.xz
+/jdk-updates-jdk15u-jdk-15.0.2+7.tar.xz
+/openjdk-jdk16-jdk-16+36.tar.xz
+/openjdk-jdk16u-jdk-16.0.1+9.tar.xz

NEWS

@@ -0,0 +1,154 @@
+Key:
+
+JDK-X  - https://bugs.openjdk.java.net/browse/JDK-X
+CVE-XXXX-YYYY: https://cve.mitre.org/cgi-bin/cvename.cgi?name=XXXX-YYYY
+
+New in release OpenJDK 15.0.2 (2021-01-19):
+===========================================
+Live versions of these release notes can be found at:
+  * https://builds.shipilev.net/backports-monitor/release-notes-15.0.2.txt
+
+* Security fixes
+  - JDK-8247619: Improve Direct Buffering of Characters
+* Other changes
+  - JDK-8197981: Missing return statement in __sync_val_compare_and_swap_8
+  - JDK-8239105: Add exception for expiring Digicert root certificates to VerifyCACerts test
+  - JDK-8247741: Test test/hotspot/jtreg/runtime/7162488/TestUnrecognizedVmOption.java fails when -XX:+IgnoreUnrecognizedVMOptions is set
+  - JDK-8248411: [aarch64] Insufficient error handling when CodeBuffer is exhausted
+  - JDK-8248596: [TESTBUG] compiler/loopopts/PartialPeelingUnswitch.java times out with Graal enabled
+  - JDK-8248667: Need support for building native libraries located in the test/lib directory
+  - JDK-8249176: Update GlobalSignR6CA test certificates
+  - JDK-8249192: MonitorInfo stores raw oops across safepoints
+  - JDK-8249217: Unexpected StackOverflowError in "process reaper" thread still happens
+  - JDK-8249781: AArch64: AOT compiled code crashes if C2 allocates r27
+  - JDK-8250257: Bump release strings for JDK 15.0.2
+  - JDK-8251397: NPE on ClassValue.ClassValueMap.cacheArray
+  - JDK-8251859: sun/security/validator/PKIXValAndRevCheckTests.java fails
+  - JDK-8253191: C2: Masked byte comparisons with large masks produce wrong result on x86
+  - JDK-8253375: OSX build fails with Xcode 12.0 (12A7209)
+  - JDK-8253566: clazz.isAssignableFrom will return false for interface implementors
+  - JDK-8253756: C2 CompilerThread0 crash in Node::add_req(Node*)
+  - JDK-8253791: Issue with useAppleColor check in CSystemColors.m
+  - JDK-8253960: Memory leak in Java_java_lang_ClassLoader_defineClass0()
+  - JDK-8254081: java/security/cert/PolicyNode/GetPolicyQualifiers.java fails due to an expired certificate
+  - JDK-8254166: Zero: return-type warning in zeroInterpreter_zero.cpp
+  - JDK-8254177: (tz) Upgrade time-zone data to tzdata2020b
+  - JDK-8254319: Shenandoah: Interpreter native-LRB needs to activate during HAS_FORWARDED
+  - JDK-8254320: Shenandoah: C2 native LRB should activate for non-cset objects
+  - JDK-8254790: SIGSEGV in string_indexof_char and stringL_indexof_char intrinsics
+  - JDK-8254854: [cgroups v1] Metric limits not properly detected on some join controller combinations
+  - JDK-8254982: (tz) Upgrade time-zone data to tzdata2020c
+  - JDK-8255065: Zero: accessor_entry misses the IRIW case
+  - JDK-8255067: Restore Copyright line in file modified by 8253191
+  - JDK-8255226: (tz) Upgrade time-zone data to tzdata2020d
+  - JDK-8255599: Change jdk 15.0.2 milestone to fcs for build b04
+  - JDK-8255603: Memory/Performance regression after JDK-8210985
+  - JDK-8256051: nmethod_entry_barrier stub miscalculates xmm spill size on x86_32
+  - JDK-8256427: Test com/sun/jndi/dns/ConfigTests/PortUnreachable.java does not work on AIX
+  - JDK-8256618: Zero: Linux x86_32 build still fails
+  - JDK-8257181: s390x builds are very noisy with gc-sections messages
+  - JDK-8257641: Shenandoah: Query is_at_shenandoah_safepoint() from control thread should return false
+  - JDK-8257701: Shenandoah: objArrayKlass metadata is not marked with chunked arrays
+
+Notes on individual issues:
+===========================
+
+core-libs/java.time:
+
+JDK-8254177: US/Pacific-New Zone name removed as part of tzdata2020b
+====================================================================
+Following JDK's update to tzdata2020b, the long-obsolete files
+pacificnew and systemv have been removed. As a result, the
+"US/Pacific-New" zone name declared in the pacificnew data file is no
+longer available for use.
+
+Information regarding the update can be viewed at
+https://mm.icann.org/pipermail/tz-announce/2020-October/000059.html
+
+New in release OpenJDK 15.0.1 (2020-10-20):
+===========================================
+Live versions of these release notes can be found at:
+  * https://builds.shipilev.net/backports-monitor/release-notes-15.0.1.txt
+
+* Security fixes
+  - JDK-8233624: Enhance JNI linkage
+  - JDK-8236196: Improve string pooling
+  - JDK-8236862, CVE-2020-14779: Enhance support of Proxy class
+  - JDK-8237990, CVE-2020-14781: Enhanced LDAP contexts
+  - JDK-8237995, CVE-2020-14782: Enhance certificate processing
+  - JDK-8240124: Better VM Interning
+  - JDK-8241114, CVE-2020-14792: Better range handling
+  - JDK-8242680, CVE-2020-14796: Improved URI Support
+  - JDK-8242685, CVE-2020-14797: Better Path Validation
+  - JDK-8242695, CVE-2020-14798: Enhanced buffer support
+  - JDK-8243302: Advanced class supports
+  - JDK-8244136, CVE-2020-14803: Improved Buffer supports
+  - JDK-8244479: Further constrain certificates
+  - JDK-8244955: Additional Fix for JDK-8240124
+  - JDK-8245407: Enhance zoning of times
+  - JDK-8245412: Better class definitions
+  - JDK-8245417: Improve certificate chain handling
+  - JDK-8248574: Improve jpeg processing
+  - JDK-8249927: Specify limits of jdk.serialProxyInterfaceLimit
+  - JDK-8253019: Enhanced JPEG decoding
+* Other changes
+  - JDK-8232114: JVM crashed at imjpapi.dll in native code
+  - JDK-8243470: [macos] bring back O2 opt level for unsafe.cpp
+  - JDK-8247251: Assert '(_pcs_length == 0 || last_pc()->pc_offset() < pc_offset) failed: must specify a new, larger pc offset' failure
+  - JDK-8248495: [macos] zerovm is broken due to libffi headers location
+  - JDK-8248745: Add jarsigner and keytool tests for restricted algorithms
+  - JDK-8249165: Remove unneeded nops introduced by 8234160 changes
+  - JDK-8249183: JVM crash in "AwtFrame::WmSize" method
+  - JDK-8249266: Bump release strings for JDK 15.0.1
+  - JDK-8249266: Change jdk 15.0.1 milestone to fcs for build b02
+  - JDK-8250612: jvmciCompilerToVM.cpp declares jio_printf with "void" return type, should be "int"
+  - JDK-8250665: Wrong translation for the month name of May in ar_JO,LB,SY
+  - JDK-8250861: Crash in MinINode::Ideal(PhaseGVN*, bool)
+  - JDK-8250876: Fix issues with cross-compile on macos
+  - JDK-8250928: JFR: Improve hash algorithm for stack traces
+  - JDK-8251359: Shenandoah: filter null oops before calling enqueue/SATB barrier
+  - JDK-8251458: Parse::do_lookupswitch fails with "assert(_cnt >= 0) failed"
+  - JDK-8251859: sun/security/validator/PKIXValAndRevCheckTests.java fails
+  - JDK-8251910: Shenandoah: Handshake threads between weak-roots and reset phases
+  - JDK-8252120: compiler/oracle/TestCompileCommand.java misspells "occured"
+  - JDK-8252292: 8240795 may cause anti-dependence to be missed
+  - JDK-8252359: HotSpot Not Identifying it is Running in a Container
+  - JDK-8252367: Undo JDK-8245000: Windows GDI functions don't support large pages
+  - JDK-8252368: Undo JDK-8245002: Windows GDI functions don't support NUMA interleaving
+  - JDK-8252470: java/awt/dnd/DisposeFrameOnDragCrash/DisposeFrameOnDragTest.java fails on Windows
+  - JDK-8252660: Shenandoah: support manageable SoftMaxHeapSize option
+  - JDK-8252754: Hash code calculation of JfrStackTrace is inconsistent
+  - JDK-8253222: Shenandoah: unused AlwaysTrueClosure after JDK-8246591
+  - JDK-8253224: Shenandoah: ShenandoahStrDedupQueue destructor calls virtual num_queues()
+  - JDK-8253226: Shenandoah: remove unimplemented ShenandoahStrDedupQueue::verify
+  - JDK-8253284: Zero OrderAccess barrier mappings are incorrect
+  - JDK-8253714: [cgroups v2] Soft memory limit incorrectly using memory.high
+  - JDK-8253727: [cgroups v2] Memory and swap limits reported incorrectly
+  - JDK-8253778: ShenandoahSafepoint::is_at_shenandoah_safepoint should not access VMThread state from other threads
+  - JDK-8254144: Non-x86 Zero builds fail with return-type warning in os_linux_zero.cpp
+  - JDK-8254560: Shenandoah: Concurrent Strong Roots logging is incorrect
+
+Notes on individual issues:
+===========================
+
+security-libs/java.security:
+
+JDK-8250756: Added Entrust Root Certification Authority - G4 certificate
+========================================================================
+The Entrust root certificate has been added to the cacerts truststore:
+
+Alias Name: entrustrootcag4
+Distinguished Name: CN=Entrust Root Certification Authority - G4, OU="(c) 2015 Entrust,  Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
+
+JDK-8250860: Added 3 SSL Corporation Root CA Certificates
+=========================================================
+The following root certificates have been added to the cacerts truststore for the SSL Corporation:
+
+Alias Name: sslrootrsaca
+Distinguished Name: CN=SSL.com Root Certification Authority RSA, O=SSL Corporation, L=Houston, ST=Texas, C=US
+
+Alias Name: sslrootevrsaca
+Distinguished Name: CN=SSL.com EV Root Certification Authority RSA R2, O=SSL Corporation, L=Houston, ST=Texas, C=US
+
+Alias Name: sslrooteccca
+Distinguished Name: CN=SSL.com Root Certification Authority ECC, O=SSL Corporation, L=Houston, ST=Texas, C=US

README.md

@@ -1,3 +1,12 @@
-# java-latest-openjdk
+Rolling release of (usually) STSs  OpenJDK
+OpenJDK has release cadence of 6 months, but 3/4 of them are Short Term Supported for 6 months only. This package is designed to harbor them. Currently it is build of OpenJDK 12. LTSs will go also as separate packages. 
 
-The java-latest-openjdk package
+JDK12 is current release of Java platform. It is bringing many cool improvements - https://openjdk.java.net/projects/jdk/12/ and is landing to your Fedora. Where it will be maintained for f28 and newer. Unluckily, this package is STS (short term support) version. Between individual LTS there will be always several STS. Again, please see announcement: http://mail.openjdk.java.net/pipermail/discuss/2017-September/004281.html and See java SIG plans: https://jvanek.fedorapeople.org/devconf/2018/changesInjavaReleaseProcess.pdf . So this is rolling release of all STSs to come. Its fate during the release of fresh LTS is yet to be decided. You will always be allowed to install LTS in fedora build root, alongside with latest STS via alternatives. 
+
+
+See announcement: http://mail.openjdk.java.net/pipermail/discuss/2017-September/004281.html
+See java SIG plans: https://jvanek.fedorapeople.org/devconf/2018/changesInjavaReleaseProcess.pdf
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1557371#c0
+https://fedoraproject.org/wiki/Changes/java-openjdk-10
+https://fedoraproject.org/wiki/Changes/java-11-openjdk-TechPreview

TestSecurityProperties.java

@@ -0,0 +1,43 @@
+import java.io.File;
+import java.io.FileInputStream;
+import java.security.Security;
+import java.util.Properties;
+
+public class TestSecurityProperties {
+    // JDK 11
+    private static final String JDK_PROPS_FILE_JDK_11 = System.getProperty("java.home") + "/conf/security/java.security";
+    // JDK 8
+    private static final String JDK_PROPS_FILE_JDK_8 = System.getProperty("java.home") + "/lib/security/java.security";
+
+    public static void main(String[] args) {
+        Properties jdkProps = new Properties();
+        loadProperties(jdkProps);
+        for (Object key: jdkProps.keySet()) {
+            String sKey = (String)key;
+            String securityVal = Security.getProperty(sKey);
+            String jdkSecVal = jdkProps.getProperty(sKey);
+            if (!securityVal.equals(jdkSecVal)) {
+                String msg = "Expected value '" + jdkSecVal + "' for key '" + 
+                             sKey + "'" + " but got value '" + securityVal + "'";
+                throw new RuntimeException("Test failed! " + msg);
+            } else {
+                System.out.println("DEBUG: " + sKey + " = " + jdkSecVal + " as expected.");
+            }
+        }
+        System.out.println("TestSecurityProperties PASSED!");
+    }
+    
+    private static void loadProperties(Properties props) {
+        String javaVersion = System.getProperty("java.version");
+        System.out.println("Debug: Java version is " + javaVersion);
+        String propsFile = JDK_PROPS_FILE_JDK_11;
+        if (javaVersion.startsWith("1.8.0")) {
+            propsFile = JDK_PROPS_FILE_JDK_8;
+        }
+        try (FileInputStream fin = new FileInputStream(new File(propsFile))) {
+            props.load(fin);
+        } catch (Exception e) {
+            throw new RuntimeException("Test failed!", e);
+        }
+    }
+}

generate_source_tarball.sh

@@ -0,0 +1,156 @@
+#!/bin/bash
+# Generates the 'source tarball' for JDK projects.
+#
+# Example:
+# When used from local repo set REPO_ROOT pointing to file:// with your repo
+# If your local repo follows upstream forests conventions, it may be enough to set OPENJDK_URL
+# If you want to use a local copy of patch PR3788, set the path to it in the PR3788 variable
+#
+# In any case you have to set PROJECT_NAME REPO_NAME and VERSION. eg:
+# PROJECT_NAME=openjdk
+# REPO_NAME=jdk16
+# VERSION=HEAD
+# or to eg prepare systemtap:
+# icedtea7's jstack and other tapsets
+# VERSION=6327cf1cea9e
+# REPO_NAME=icedtea7-2.6
+# PROJECT_NAME=release
+# OPENJDK_URL=http://icedtea.classpath.org/hg/
+# TO_COMPRESS="*/tapset"
+# 
+# They are used to create correct name and are used in construction of sources url (unless REPO_ROOT is set)
+
+# This script creates a single source tarball out of the repository
+# based on the given tag and removes code not allowed in fedora/rhel. For
+# consistency, the source tarball will always contain 'openjdk' as the top
+# level folder, name is created, based on parameter
+#
+
+if [ ! "x$PR3823" = "x" ] ; then
+  if [ ! -f "$PR3823" ] ; then
+    echo "You have specified PR3823 as $PR3823 but it does not exist. Exiting"
+    exit 1
+  fi
+fi
+
+set -e
+
+OPENJDK_URL_DEFAULT=https://github.com
+COMPRESSION_DEFAULT=xz
+
+if [ "x$1" = "xhelp" ] ; then
+    echo -e "Behaviour may be specified by setting the following variables:\n"
+    echo "VERSION - the version of the specified OpenJDK project"
+    echo "PROJECT_NAME -- the name of the OpenJDK project being archived (optional; only needed by defaults)"
+    echo "REPO_NAME - the name of the OpenJDK repository (optional; only needed by defaults)"
+    echo "OPENJDK_URL - the URL to retrieve code from (optional; defaults to ${OPENJDK_URL_DEFAULT})"
+    echo "COMPRESSION - the compression type to use (optional; defaults to ${COMPRESSION_DEFAULT})"
+    echo "FILE_NAME_ROOT - name of the archive, minus extensions (optional; defaults to PROJECT_NAME-REPO_NAME-VERSION)"
+    echo "TO_COMPRESS - what part of clone to pack (default is openjdk)"
+    echo "PR3823 - the path to the PR3823 patch to apply (optional; downloaded if unavailable)"
+    exit 1;
+fi
+
+
+if [ "x$VERSION" = "x" ] ; then
+    echo "No VERSION specified"
+    exit -2
+fi
+echo "Version: ${VERSION}"
+    
+# REPO_NAME is only needed when we default on REPO_ROOT and FILE_NAME_ROOT
+if [ "x$FILE_NAME_ROOT" = "x" -o "x$REPO_ROOT" = "x" ] ; then
+  if [ "x$PROJECT_NAME" = "x" ] ; then
+    echo "No PROJECT_NAME specified"
+    exit -1
+  fi
+  echo "Project name: ${PROJECT_NAME}"
+  if [ "x$REPO_NAME" = "x" ] ; then
+    echo "No REPO_NAME specified"
+    exit -3
+  fi
+  echo "Repository name: ${REPO_NAME}"
+fi
+
+if [ "x$OPENJDK_URL" = "x" ] ; then
+    OPENJDK_URL=${OPENJDK_URL_DEFAULT}
+    echo "No OpenJDK URL specified; defaulting to ${OPENJDK_URL}"
+else
+    echo "OpenJDK URL: ${OPENJDK_URL}"
+fi
+
+if [ "x$COMPRESSION" = "x" ] ; then
+    # rhel 5 needs tar.gz
+    COMPRESSION=${COMPRESSION_DEFAULT}
+fi
+echo "Creating a tar.${COMPRESSION} archive"
+
+if [ "x$FILE_NAME_ROOT" = "x" ] ; then
+    FILE_NAME_ROOT=${PROJECT_NAME}-${REPO_NAME}-${VERSION}
+    echo "No file name root specified; default to ${FILE_NAME_ROOT}"
+fi
+if [ "x$REPO_ROOT" = "x" ] ; then
+    REPO_ROOT="${OPENJDK_URL}/${PROJECT_NAME}/${REPO_NAME}.git"
+    echo "No repository root specified; default to ${REPO_ROOT}"
+fi;
+
+if [ "x$TO_COMPRESS" = "x" ] ; then
+    TO_COMPRESS="openjdk"
+    echo "No to be compressed targets specified, ; default to ${TO_COMPRESS}"
+fi;
+
+if [ -d ${FILE_NAME_ROOT} ] ; then
+  echo "exists exists exists exists exists exists exists "
+  echo "reusing reusing reusing reusing reusing reusing "
+  echo ${FILE_NAME_ROOT}
+else
+  mkdir "${FILE_NAME_ROOT}"
+  pushd "${FILE_NAME_ROOT}"
+    echo "Cloning ${VERSION} root repository from ${REPO_ROOT}"
+    git clone -b ${VERSION} ${REPO_ROOT} openjdk
+  popd
+fi
+pushd "${FILE_NAME_ROOT}"
+    if [ -d openjdk/src ]; then 
+        pushd openjdk
+            echo "Removing EC source code we don't build"
+            CRYPTO_PATH=src/jdk.crypto.ec/share/native/libsunec/impl
+	    rm -vf ${CRYPTO_PATH}/ec2.h
+	    rm -vf ${CRYPTO_PATH}/ec2_163.c
+	    rm -vf ${CRYPTO_PATH}/ec2_193.c
+	    rm -vf ${CRYPTO_PATH}/ec2_233.c
+	    rm -vf ${CRYPTO_PATH}/ec2_aff.c
+	    rm -vf ${CRYPTO_PATH}/ec2_mont.c
+	    rm -vf ${CRYPTO_PATH}/ecp_192.c
+	    rm -vf ${CRYPTO_PATH}/ecp_224.c
+
+            echo "Syncing EC list with NSS"
+            if [ "x$PR3823" = "x" ] ; then
+                # originally for 8:
+                # get PR3823.patch (from http://icedtea.classpath.org/hg/icedtea16) from most correct tag
+                # Do not push it or publish it (see https://icedtea.classpath.org/bugzilla/show_bug.cgi?id=3823)
+		echo "PR3823 not found. Downloading..."
+		wget https://icedtea.classpath.org/hg/icedtea16/raw-file/tip/patches/pr3823.patch
+	        echo "Applying ${PWD}/pr3823.patch"
+		patch -Np1 < pr3823.patch
+		rm pr3823.patch
+	    else
+		echo "Applying ${PR3823}"
+		patch -Np1 < $PR3823
+            fi;
+            find . -name '*.orig' -exec rm -vf '{}' ';'
+        popd
+    fi
+
+    echo "Compressing remaining forest"
+    if [ "X$COMPRESSION" = "Xxz" ] ; then
+        SWITCH=cJf
+    else
+        SWITCH=czf
+    fi
+    tar --exclude-vcs -$SWITCH ${FILE_NAME_ROOT}.tar.${COMPRESSION} $TO_COMPRESS
+    mv ${FILE_NAME_ROOT}.tar.${COMPRESSION}  ..
+popd
+echo "Done. You may want to remove the uncompressed version - $FILE_NAME_ROOT."
+
+

icedtea_sync.sh

@@ -0,0 +1,97 @@
+#!/bin/bash
+
+# Copyright (C) 2019 Red Hat, Inc.
+# Written by Andrew John Hughes <gnu.andrew@redhat.com>.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU Affero General Public License as
+# published by the Free Software Foundation, either version 3 of the
+# License, or (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU Affero General Public License for more details.
+#
+# You should have received a copy of the GNU Affero General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+ICEDTEA_VERSION=3.15.0
+ICEDTEA_URL=https://icedtea.classpath.org/download/source
+ICEDTEA_SIGNING_KEY=CFDA0F9B35964222
+
+set -e
+
+if test "x${WGET}" = "x"; then
+    WGET=$(which wget);
+    if test "x${WGET}" = "x"; then
+	echo "wget not found";
+	exit 1;
+    fi
+fi
+
+if test "x${CHECKSUM}" = "x"; then
+    CHECKSUM=$(which sha256sum)
+    if test "x${CHECKSUM}" = "x"; then
+	echo "sha256sum not found";
+	exit 2;
+    fi
+fi
+
+if test "x${PGP}" = "x"; then
+    PGP=$(which gpg)
+    if test "x${PGP}" = "x"; then
+	echo "gpg not found";
+	exit 3;
+    fi
+fi
+
+if test "x${TAR}" = "x"; then
+    TAR=$(which tar)
+    if test "x${TAR}" = "x"; then
+	echo "tar not found";
+	exit 4;
+    fi
+fi
+
+echo "Dependencies:";
+echo -e "\tWGET: ${WGET}";
+echo -e "\tCHECKSUM: ${CHECKSUM}";
+echo -e "\tPGP: ${PGP}\n";
+echo -e "\tTAR: ${TAR}\n";
+
+echo "Checking for IcedTea signing key ${ICEDTEA_SIGNING_KEY}...";
+if ! gpg --list-keys ${ICEDTEA_SIGNING_KEY}; then
+    echo "IcedTea signing key ${ICEDTEA_SIGNING_KEY} not installed.";
+    exit 5;
+fi
+
+echo "Downloading IcedTea release tarball...";
+${WGET} -v ${ICEDTEA_URL}/icedtea-${ICEDTEA_VERSION}.tar.xz
+echo "Downloading IcedTea tarball signature...";
+${WGET} -v ${ICEDTEA_URL}/icedtea-${ICEDTEA_VERSION}.tar.xz.sig
+echo "Downloading IcedTea tarball checksums...";
+${WGET} -v ${ICEDTEA_URL}/icedtea-${ICEDTEA_VERSION}.sha256
+
+echo "Verifying checksums...";
+${CHECKSUM} --check --ignore-missing icedtea-${ICEDTEA_VERSION}.sha256
+
+echo "Checking signature...";
+${PGP} --verify icedtea-${ICEDTEA_VERSION}.tar.xz.sig
+
+echo "Extracting files...";
+${TAR} xJf icedtea-${ICEDTEA_VERSION}.tar.xz \
+       icedtea-${ICEDTEA_VERSION}/tapset \
+       icedtea-${ICEDTEA_VERSION}/jconsole.desktop.in
+
+echo "Replacing desktop files...";
+mv -v icedtea-${ICEDTEA_VERSION}/jconsole.desktop.in .
+
+echo "Creating new tapset tarball...";
+mv -v icedtea-${ICEDTEA_VERSION} openjdk
+${TAR} cJf tapsets-icedtea-${ICEDTEA_VERSION}.tar.xz openjdk
+
+rm -rvf openjdk
+rm -vf icedtea-${ICEDTEA_VERSION}.tar.xz
+rm -vf icedtea-${ICEDTEA_VERSION}.tar.xz.sig
+rm -vf icedtea-${ICEDTEA_VERSION}.sha256

pr1983-rh1565658-support_using_the_system_installation_of_nss_with_the_sunec_provider_jdk12.patch

@@ -1,649 +0,0 @@
-diff --git a/make/autoconf/jdk-options.m4 b/make/autoconf/jdk-options.m4
---- a/make/autoconf/jdk-options.m4
-+++ b/make/autoconf/jdk-options.m4
-@@ -267,9 +267,10 @@
- #
- AC_DEFUN_ONCE([JDKOPT_DETECT_INTREE_EC],
- [
-+  AC_REQUIRE([LIB_SETUP_MISC_LIBS])
-   AC_MSG_CHECKING([if elliptic curve crypto implementation is present])
- 
--  if test -d "${TOPDIR}/src/jdk.crypto.ec/share/native/libsunec/impl"; then
-+  if test "x${system_nss}" = "xyes" -o -d "${TOPDIR}/src/jdk.crypto.ec/share/native/libsunec/impl"; then
-     ENABLE_INTREE_EC=true
-     AC_MSG_RESULT([yes])
-   else
-diff --git a/make/autoconf/libraries.m4 b/make/autoconf/libraries.m4
---- a/make/autoconf/libraries.m4
-+++ b/make/autoconf/libraries.m4
-@@ -178,6 +178,48 @@
-   AC_SUBST(LIBDL)
-   LIBS="$save_LIBS"
-
-+  ###############################################################################
-+  #
-+  # Check for the NSS libraries
-+  #
-+
-+  AC_MSG_CHECKING([whether to build the Sun EC provider against the system NSS libraries])
-+
-+  # default is bundled
-+  DEFAULT_SYSTEM_NSS=no
-+
-+  AC_ARG_ENABLE([system-nss], [AS_HELP_STRING([--enable-system-nss],
-+     [build the SunEC provider using the system NSS libraries @<:@disabled@:>@])],
-+  [
-+    case "${enableval}" in
-+      yes)
-+        system_nss=yes
-+        ;;
-+      *)
-+        system_nss=no
-+        ;;
-+    esac
-+  ],
-+  [
-+    system_nss=${DEFAULT_SYSTEM_NSS}
-+  ])
-+  AC_MSG_RESULT([$system_nss])
-+
-+  if test "x${system_nss}" = "xyes"; then
-+      PKG_CHECK_MODULES(NSS_SOFTTKN, nss-softokn >= 3.16.1, [NSS_SOFTOKN_FOUND=yes], [NSS_SOFTOKN_FOUND=no])
-+      PKG_CHECK_MODULES(NSS, nss >= 3.16.1, [NSS_FOUND=yes], [NSS_FOUND=no])
-+      if test "x${NSS_SOFTOKN_FOUND}" = "xyes" -a "x${NSS_FOUND}" = "xyes"; then
-+          NSS_LIBS="$NSS_SOFTOKN_LIBS $NSS_LIBS -lfreebl";
-+	  USE_EXTERNAL_NSS=true
-+      else
-+	  AC_MSG_ERROR([--enable-system-nss specified, but NSS not found.])
-+      fi
-+  else
-+      USE_EXTERNAL_NSS=false
-+  fi
-+  AC_SUBST(USE_EXTERNAL_NSS)
-+
-+
-   # Control if libzip can use mmap. Available for purposes of overriding.
-   LIBZIP_CAN_USE_MMAP=true
-   AC_SUBST(LIBZIP_CAN_USE_MMAP)
-diff --git a/make/autoconf/spec.gmk.in b/make/autoconf/spec.gmk.in
---- a/make/autoconf/spec.gmk.in
-+++ b/make/autoconf/spec.gmk.in
-@@ -795,6 +795,10 @@
- # Libraries
- #
- 
-+USE_EXTERNAL_NSS:=@USE_EXTERNAL_NSS@
-+NSS_LIBS:=@NSS_LIBS@
-+NSS_CFLAGS:=@NSS_CFLAGS@
-+
- USE_EXTERNAL_LCMS:=@USE_EXTERNAL_LCMS@
- LCMS_CFLAGS:=@LCMS_CFLAGS@
- LCMS_LIBS:=@LCMS_LIBS@
-diff --git a/make/lib/Lib-jdk.crypto.ec.gmk b/make/lib/Lib-jdk.crypto.ec.gmk
---- a/make/lib/Lib-jdk.crypto.ec.gmk
-+++ b/make/lib/Lib-jdk.crypto.ec.gmk
-@@ -28,19 +28,26 @@
- ################################################################################
- 
- ifeq ($(ENABLE_INTREE_EC), true)
-+  ifeq ($(USE_EXTERNAL_NSS), true)
-+    BUILD_LIBSUNEC_CFLAGS_JDKLIB := $(NSS_CFLAGS) -DSYSTEM_NSS -DNSS_ENABLE_ECC
-+    BUILD_LIBSUNEC_CXXFLAGS_JDKLIB := $(NSS_CFLAGS) -DSYSTEM_NSS -DNSS_ENABLE_ECC
-+  endif
-+
-   $(eval $(call SetupJdkLibrary, BUILD_LIBSUNEC, \
-       NAME := sunec, \
-       TOOLCHAIN := TOOLCHAIN_LINK_CXX, \
-       OPTIMIZATION := LOW, \
--      CFLAGS := $(CFLAGS_JDKLIB) \
-+      CFLAGS := $(BUILD_LIBSUNEC_CFLAGS_JDKLIB) $(CFLAGS_JDKLIB) \
-           -DMP_API_COMPATIBLE -DNSS_ECC_MORE_THAN_SUITE_B, \
--      CXXFLAGS := $(CXXFLAGS_JDKLIB), \
-+      CXXFLAGS := $(BUILD_LIBSUNEC_CXXFLAGS_JDKLIB) $(CXXFLAGS_JDKLIB), \
-       DISABLED_WARNINGS_gcc := sign-compare implicit-fallthrough unused-value, \
-       DISABLED_WARNINGS_clang := sign-compare, \
-       DISABLED_WARNINGS_microsoft := 4101 4244 4146 4018, \
--      LDFLAGS := $(LDFLAGS_JDKLIB) $(LDFLAGS_CXX_JDK), \
-+      LDFLAGS := $(subst -Xlinker --as-needed,, \
-+                 $(subst -Wl$(COMMA)--as-needed,, $(LDFLAGS_JDKLIB))) $(LDFLAGS_CXX_JDK), \
-       LDFLAGS_macosx := $(call SET_SHARED_LIBRARY_ORIGIN), \
-       LIBS := $(LIBCXX), \
-+      LIBS_linux := -lc $(NSS_LIBS), \
-   ))
- 
-   TARGETS += $(BUILD_LIBSUNEC)
-diff --git a/src/java.base/unix/native/include/jni_md.h b/src/java.base/unix/native/include/jni_md.h
---- a/src/java.base/unix/native/include/jni_md.h
-+++ b/src/java.base/unix/native/include/jni_md.h
-@@ -41,6 +41,11 @@
-   #define JNIEXPORT
-   #define JNIIMPORT
- #endif
-+#if (defined(__GNUC__)) || __has_attribute(unused)
-+  #define UNUSED(x) UNUSED_ ## x __attribute__((__unused__))
-+#else
-+  #define UNUSED(x) UNUSED_ ## x
-+#endif
- 
- #define JNICALL
- 
-diff --git a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
---- a/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
-+++ b/src/jdk.crypto.ec/share/classes/sun/security/ec/SunEC.java
-@@ -61,6 +61,7 @@
-             AccessController.doPrivileged(new PrivilegedAction<Void>() {
-                 public Void run() {
-                     System.loadLibrary("sunec"); // check for native library
-+                    initialize();
-                     return null;
-                 }
-             });
-@@ -293,6 +294,11 @@
-             "ECDH", "sun.security.ec.ECDHKeyAgreement", null, ATTRS));
-     }
- 
-+    /**
-+     * Initialize the native code.
-+     */
-+    private static native void initialize();
-+
-     private void putXDHEntries() {
- 
-         HashMap<String, String> ATTRS = new HashMap<>(1);
-diff --git a/src/jdk.crypto.ec/share/native/libsunec/ECC_JNI.cpp b/src/jdk.crypto.ec/share/native/libsunec/ECC_JNI.cpp
---- a/src/jdk.crypto.ec/share/native/libsunec/ECC_JNI.cpp
-+++ b/src/jdk.crypto.ec/share/native/libsunec/ECC_JNI.cpp
-@@ -25,7 +25,11 @@
- 
- #include <jni.h>
- #include "jni_util.h"
-+#ifdef SYSTEM_NSS
-+#include "ecc_impl.h"
-+#else
- #include "impl/ecc_impl.h"
-+#endif
- #include "sun_security_ec_ECDHKeyAgreement.h"
- #include "sun_security_ec_ECKeyPairGenerator.h"
- #include "sun_security_ec_ECDSASignature.h"
-@@ -33,6 +37,13 @@
- #define INVALID_PARAMETER_EXCEPTION \
-         "java/security/InvalidParameterException"
- #define KEY_EXCEPTION   "java/security/KeyException"
-+#define INTERNAL_ERROR "java/lang/InternalError"
-+
-+#ifdef SYSTEM_NSS
-+#define SYSTEM_UNUSED(x) UNUSED(x)
-+#else
-+#define SYSTEM_UNUSED(x) x
-+#endif
- 
- extern "C" {
- 
-@@ -55,8 +66,13 @@
- /*
-  * Deep free of the ECParams struct
-  */
--void FreeECParams(ECParams *ecparams, jboolean freeStruct)
-+void FreeECParams(ECParams *ecparams, jboolean SYSTEM_UNUSED(freeStruct))
- {
-+#ifdef SYSTEM_NSS
-+    // Needs to be freed using the matching method to the one
-+    // that allocated it. PR_TRUE means the memory is zeroed.
-+    PORT_FreeArena(ecparams->arena, PR_TRUE);
-+#else
-     // Use B_FALSE to free the SECItem->data element, but not the SECItem itself
-     // Use B_TRUE to free both
- 
-@@ -70,6 +86,7 @@
-     SECITEM_FreeItem(&ecparams->curveOID, B_FALSE);
-     if (freeStruct)
-         free(ecparams);
-+#endif
- }
- 
- jbyteArray getEncodedBytes(JNIEnv *env, SECItem *hSECItem)
-@@ -139,7 +156,7 @@
-  */
- JNIEXPORT jobjectArray
- JNICALL Java_sun_security_ec_ECKeyPairGenerator_generateECKeyPair
--  (JNIEnv *env, jclass clazz, jint keySize, jbyteArray encodedParams, jbyteArray seed)
-+  (JNIEnv *env, jclass UNUSED(clazz), jint UNUSED(keySize), jbyteArray encodedParams, jbyteArray seed)
- {
-     ECPrivateKey *privKey = NULL; // contains both public and private values
-     ECParams *ecparams = NULL;
-@@ -171,8 +188,17 @@
-     env->GetByteArrayRegion(seed, 0, jSeedLength, pSeedBuffer);
- 
-     // Generate the new keypair (using the supplied seed)
-+#ifdef SYSTEM_NSS
-+    if (RNG_RandomUpdate((unsigned char *) pSeedBuffer, jSeedLength)
-+        != SECSuccess) {
-+        ThrowException(env, KEY_EXCEPTION);
-+        goto cleanup;
-+    }
-+    if (EC_NewKey(ecparams, &privKey) != SECSuccess) {    
-+#else    
-     if (EC_NewKey(ecparams, &privKey, (unsigned char *) pSeedBuffer,
-         jSeedLength, 0) != SECSuccess) {
-+#endif
-         ThrowException(env, KEY_EXCEPTION);
-         goto cleanup;
-     }
-@@ -219,10 +245,15 @@
-         }
-         if (privKey) {
-             FreeECParams(&privKey->ecParams, false);
-+#ifndef SYSTEM_NSS
-+	    // The entire ECPrivateKey is allocated in the arena
-+	    // when using system NSS, so only the in-tree version
-+	    // needs to clear these manually.
-             SECITEM_FreeItem(&privKey->version, B_FALSE);
-             SECITEM_FreeItem(&privKey->privateValue, B_FALSE);
-             SECITEM_FreeItem(&privKey->publicValue, B_FALSE);
-             free(privKey);
-+#endif
-         }
- 
-         if (pSeedBuffer) {
-@@ -240,7 +271,7 @@
-  */
- JNIEXPORT jbyteArray
- JNICALL Java_sun_security_ec_ECDSASignature_signDigest
--  (JNIEnv *env, jclass clazz, jbyteArray digest, jbyteArray privateKey, jbyteArray encodedParams, jbyteArray seed, jint timing)
-+  (JNIEnv *env, jclass UNUSED(clazz), jbyteArray digest, jbyteArray privateKey, jbyteArray encodedParams, jbyteArray seed, jint timing)
- {
-     jbyte* pDigestBuffer = NULL;
-     jint jDigestLength = env->GetArrayLength(digest);
-@@ -299,8 +330,18 @@
-     env->GetByteArrayRegion(seed, 0, jSeedLength, pSeedBuffer);
- 
-     // Sign the digest (using the supplied seed)
-+#ifdef SYSTEM_NSS
-+    if (RNG_RandomUpdate((unsigned char *) pSeedBuffer, jSeedLength)
-+        != SECSuccess) {
-+        ThrowException(env, KEY_EXCEPTION);
-+        goto cleanup;
-+    }
-+    if (ECDSA_SignDigest(&privKey, &signature_item, &digest_item)
-+        != SECSuccess) {    
-+#else    
-     if (ECDSA_SignDigest(&privKey, &signature_item, &digest_item,
-         (unsigned char *) pSeedBuffer, jSeedLength, 0, timing) != SECSuccess) {
-+#endif
-         ThrowException(env, KEY_EXCEPTION);
-         goto cleanup;
-     }
-@@ -349,7 +390,7 @@
-  */
- JNIEXPORT jboolean
- JNICALL Java_sun_security_ec_ECDSASignature_verifySignedDigest
--  (JNIEnv *env, jclass clazz, jbyteArray signedDigest, jbyteArray digest, jbyteArray publicKey, jbyteArray encodedParams)
-+  (JNIEnv *env, jclass UNUSED(clazz), jbyteArray signedDigest, jbyteArray digest, jbyteArray publicKey, jbyteArray encodedParams)
- {
-     jboolean isValid = false;
- 
-@@ -406,9 +447,10 @@
- 
- cleanup:
-     {
--        if (params_item.data)
-+        if (params_item.data) {
-             env->ReleaseByteArrayElements(encodedParams,
-                 (jbyte *) params_item.data, JNI_ABORT);
-+	}
- 
-         if (pubKey.publicValue.data)
-             env->ReleaseByteArrayElements(publicKey,
-@@ -434,7 +476,7 @@
-  */
- JNIEXPORT jbyteArray
- JNICALL Java_sun_security_ec_ECDHKeyAgreement_deriveKey
--  (JNIEnv *env, jclass clazz, jbyteArray privateKey, jbyteArray publicKey, jbyteArray encodedParams)
-+  (JNIEnv *env, jclass UNUSED(clazz), jbyteArray privateKey, jbyteArray publicKey, jbyteArray encodedParams)
- {
-     jbyteArray jSecret = NULL;
-     ECParams *ecparams = NULL;
-@@ -510,9 +552,10 @@
-             env->ReleaseByteArrayElements(publicKey,
-                 (jbyte *) publicValue_item.data, JNI_ABORT);
- 
--        if (params_item.data)
-+        if (params_item.data) {
-             env->ReleaseByteArrayElements(encodedParams,
-                 (jbyte *) params_item.data, JNI_ABORT);
-+	}
- 
-         if (ecparams)
-             FreeECParams(ecparams, true);
-@@ -521,4 +564,28 @@
-     return jSecret;
- }
- 
-+JNIEXPORT void
-+JNICALL Java_sun_security_ec_SunEC_initialize
-+  (JNIEnv *env, jclass UNUSED(clazz))
-+{
-+#ifdef SYSTEM_NSS
-+    if (SECOID_Init() != SECSuccess) {
-+        ThrowException(env, INTERNAL_ERROR);
-+    }
-+    if (RNG_RNGInit() != SECSuccess) {
-+        ThrowException(env, INTERNAL_ERROR);
-+    }
-+#endif
-+}
-+
-+JNIEXPORT void
-+JNICALL JNI_OnUnload
-+  (JavaVM *vm, void *reserved)
-+{
-+#ifdef SYSTEM_NSS
-+    RNG_RNGShutdown();
-+    SECOID_Shutdown();
-+#endif
-+}
-+
- } /* extern "C" */
-diff --git a/src/jdk.crypto.ec/share/native/libsunec/ecc_impl.h b/src/jdk.crypto.ec/share/native/libsunec/ecc_impl.h
-new file mode 100644
---- /dev/null
-+++ b/src/jdk.crypto.ec/share/native/libsunec/ecc_impl.h
-@@ -0,0 +1,298 @@
-+/*
-+ * Copyright (c) 2007, 2017, Oracle and/or its affiliates. All rights reserved.
-+ * Use is subject to license terms.
-+ *
-+ * This library is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU Lesser General Public
-+ * License as published by the Free Software Foundation; either
-+ * version 2.1 of the License, or (at your option) any later version.
-+ *
-+ * This library is distributed in the hope that it will be useful,
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-+ * Lesser General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU Lesser General Public License
-+ * along with this library; if not, write to the Free Software Foundation,
-+ * Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-+ *
-+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-+ * or visit www.oracle.com if you need additional information or have any
-+ * questions.
-+ */
-+
-+/* *********************************************************************
-+ *
-+ * The Original Code is the Netscape security libraries.
-+ *
-+ * The Initial Developer of the Original Code is
-+ * Netscape Communications Corporation.
-+ * Portions created by the Initial Developer are Copyright (C) 1994-2000
-+ * the Initial Developer. All Rights Reserved.
-+ *
-+ * Contributor(s):
-+ *   Dr Vipul Gupta <vipul.gupta@sun.com> and
-+ *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
-+ *
-+ * Last Modified Date from the Original Code: May 2017
-+ *********************************************************************** */
-+
-+#ifndef _ECC_IMPL_H
-+#define _ECC_IMPL_H
-+
-+#ifdef __cplusplus
-+extern "C" {
-+#endif
-+
-+#include <sys/types.h>
-+
-+#ifdef SYSTEM_NSS
-+#include <secitem.h>
-+#include <secerr.h>
-+#include <keythi.h>
-+#ifdef LEGACY_NSS
-+#include <softoken.h>
-+#else
-+#include <blapi.h>
-+#endif
-+#else
-+#include "ecl-exp.h"
-+#endif
-+
-+/*
-+ * Multi-platform definitions
-+ */
-+#ifdef __linux__
-+#define B_FALSE FALSE
-+#define B_TRUE TRUE
-+typedef unsigned char uint8_t;
-+typedef unsigned long ulong_t;
-+typedef enum { B_FALSE, B_TRUE } boolean_t;
-+#endif /* __linux__ */
-+
-+#ifdef _ALLBSD_SOURCE
-+#include <stdint.h>
-+#define B_FALSE FALSE
-+#define B_TRUE TRUE
-+typedef unsigned long ulong_t;
-+typedef enum boolean { B_FALSE, B_TRUE } boolean_t;
-+#endif /* _ALLBSD_SOURCE */
-+
-+#ifdef AIX
-+#define B_FALSE FALSE
-+#define B_TRUE TRUE
-+typedef unsigned char uint8_t;
-+typedef unsigned long ulong_t;
-+#endif /* AIX */
-+
-+#ifdef _WIN32
-+typedef unsigned char uint8_t;
-+typedef unsigned long ulong_t;
-+typedef enum boolean { B_FALSE, B_TRUE } boolean_t;
-+#define strdup _strdup          /* Replace POSIX name with ISO C++ name */
-+#endif /* _WIN32 */
-+
-+#ifndef _KERNEL
-+#include <stdlib.h>
-+#endif  /* _KERNEL */
-+
-+#define EC_MAX_DIGEST_LEN 1024  /* max digest that can be signed */
-+#define EC_MAX_POINT_LEN 145    /* max len of DER encoded Q */
-+#define EC_MAX_VALUE_LEN 72     /* max len of ANSI X9.62 private value d */
-+#define EC_MAX_SIG_LEN 144      /* max signature len for supported curves */
-+#define EC_MIN_KEY_LEN  112     /* min key length in bits */
-+#define EC_MAX_KEY_LEN  571     /* max key length in bits */
-+#define EC_MAX_OID_LEN 10       /* max length of OID buffer */
-+
-+/*
-+ * Various structures and definitions from NSS are here.
-+ */
-+
-+#ifndef SYSTEM_NSS
-+#ifdef _KERNEL
-+#define PORT_ArenaAlloc(a, n, f)        kmem_alloc((n), (f))
-+#define PORT_ArenaZAlloc(a, n, f)       kmem_zalloc((n), (f))
-+#define PORT_ArenaGrow(a, b, c, d)      NULL
-+#define PORT_ZAlloc(n, f)               kmem_zalloc((n), (f))
-+#define PORT_Alloc(n, f)                kmem_alloc((n), (f))
-+#else
-+#define PORT_ArenaAlloc(a, n, f)        malloc((n))
-+#define PORT_ArenaZAlloc(a, n, f)       calloc(1, (n))
-+#define PORT_ArenaGrow(a, b, c, d)      NULL
-+#define PORT_ZAlloc(n, f)               calloc(1, (n))
-+#define PORT_Alloc(n, f)                malloc((n))
-+#endif
-+
-+#define PORT_NewArena(b)                (char *)12345
-+#define PORT_ArenaMark(a)               NULL
-+#define PORT_ArenaUnmark(a, b)
-+#define PORT_ArenaRelease(a, m)
-+#define PORT_FreeArena(a, b)
-+#define PORT_Strlen(s)                  strlen((s))
-+#define PORT_SetError(e)
-+
-+#define PRBool                          boolean_t
-+#define PR_TRUE                         B_TRUE
-+#define PR_FALSE                        B_FALSE
-+
-+#ifdef _KERNEL
-+#define PORT_Assert                     ASSERT
-+#define PORT_Memcpy(t, f, l)            bcopy((f), (t), (l))
-+#else
-+#define PORT_Assert                     assert
-+#define PORT_Memcpy(t, f, l)            memcpy((t), (f), (l))
-+#endif
-+
-+#endif
-+
-+#define CHECK_OK(func) if (func == NULL) goto cleanup
-+#define CHECK_SEC_OK(func) if (SECSuccess != (rv = func)) goto cleanup
-+
-+#ifndef SYSTEM_NSS
-+typedef enum {
-+        siBuffer = 0,
-+        siClearDataBuffer = 1,
-+        siCipherDataBuffer = 2,
-+        siDERCertBuffer = 3,
-+        siEncodedCertBuffer = 4,
-+        siDERNameBuffer = 5,
-+        siEncodedNameBuffer = 6,
-+        siAsciiNameString = 7,
-+        siAsciiString = 8,
-+        siDEROID = 9,
-+        siUnsignedInteger = 10,
-+        siUTCTime = 11,
-+        siGeneralizedTime = 12
-+} SECItemType;
-+
-+typedef struct SECItemStr SECItem;
-+
-+struct SECItemStr {
-+        SECItemType type;
-+        unsigned char *data;
-+        unsigned int len;
-+};
-+
-+typedef SECItem SECKEYECParams;
-+
-+typedef enum { ec_params_explicit,
-+               ec_params_named
-+} ECParamsType;
-+
-+typedef enum { ec_field_GFp = 1,
-+               ec_field_GF2m
-+} ECFieldType;
-+
-+struct ECFieldIDStr {
-+    int         size;   /* field size in bits */
-+    ECFieldType type;
-+    union {
-+        SECItem  prime; /* prime p for (GFp) */
-+        SECItem  poly;  /* irreducible binary polynomial for (GF2m) */
-+    } u;
-+    int         k1;     /* first coefficient of pentanomial or
-+                         * the only coefficient of trinomial
-+                         */
-+    int         k2;     /* two remaining coefficients of pentanomial */
-+    int         k3;
-+};
-+typedef struct ECFieldIDStr ECFieldID;
-+
-+struct ECCurveStr {
-+        SECItem a;      /* contains octet stream encoding of
-+                         * field element (X9.62 section 4.3.3)
-+                         */
-+        SECItem b;
-+        SECItem seed;
-+};
-+typedef struct ECCurveStr ECCurve;
-+
-+typedef void PRArenaPool;
-+
-+struct ECParamsStr {
-+    PRArenaPool * arena;
-+    ECParamsType  type;
-+    ECFieldID     fieldID;
-+    ECCurve       curve;
-+    SECItem       base;
-+    SECItem       order;
-+    int           cofactor;
-+    SECItem       DEREncoding;
-+    ECCurveName   name;
-+    SECItem       curveOID;
-+};
-+typedef struct ECParamsStr ECParams;
-+
-+struct ECPublicKeyStr {
-+    ECParams ecParams;
-+    SECItem publicValue;   /* elliptic curve point encoded as
-+                            * octet stream.
-+                            */
-+};
-+typedef struct ECPublicKeyStr ECPublicKey;
-+
-+struct ECPrivateKeyStr {
-+    ECParams ecParams;
-+    SECItem publicValue;   /* encoded ec point */
-+    SECItem privateValue;  /* private big integer */
-+    SECItem version;       /* As per SEC 1, Appendix C, Section C.4 */
-+};
-+typedef struct ECPrivateKeyStr ECPrivateKey;
-+
-+typedef enum _SECStatus {
-+        SECBufferTooSmall = -3,
-+        SECWouldBlock = -2,
-+        SECFailure = -1,
-+        SECSuccess = 0
-+} SECStatus;
-+#endif
-+
-+#ifdef _KERNEL
-+#define RNG_GenerateGlobalRandomBytes(p,l) ecc_knzero_random_generator((p), (l))
-+#else
-+/*
-+ This function is no longer required because the random bytes are now
-+ supplied by the caller. Force a failure.
-+*/
-+#ifndef SYSTEM_NSS
-+#define RNG_GenerateGlobalRandomBytes(p,l) SECFailure
-+#endif
-+#endif
-+#define CHECK_MPI_OK(func) if (MP_OKAY > (err = func)) goto cleanup
-+#define MP_TO_SEC_ERROR(err)
-+
-+#define SECITEM_TO_MPINT(it, mp)                                        \
-+        CHECK_MPI_OK(mp_read_unsigned_octets((mp), (it).data, (it).len))
-+
-+extern int ecc_knzero_random_generator(uint8_t *, size_t);
-+extern ulong_t soft_nzero_random_generator(uint8_t *, ulong_t);
-+
-+#ifdef SYSTEM_NSS
-+#define EC_DecodeParams(a,b,c) EC_DecodeParams(a,b)
-+#define ECDSA_VerifyDigest(a,b,c,d) ECDSA_VerifyDigest(a,b,c)
-+#define ECDH_Derive(a,b,c,d,e,f) ECDH_Derive(a,b,c,d,e)
-+#else
-+extern SECStatus EC_DecodeParams(const SECItem *, ECParams **, int);
-+
-+extern SECItem * SECITEM_AllocItem(PRArenaPool *, SECItem *, unsigned int, int);
-+extern SECStatus SECITEM_CopyItem(PRArenaPool *, SECItem *, const SECItem *,
-+    int);
-+extern void SECITEM_FreeItem(SECItem *, boolean_t);
-+
-+/* This function has been modified to accept an array of random bytes */
-+extern SECStatus EC_NewKey(ECParams *ecParams, ECPrivateKey **privKey,
-+    const unsigned char* random, int randomlen, int);
-+/* This function has been modified to accept an array of random bytes */
-+extern SECStatus ECDSA_SignDigest(ECPrivateKey *, SECItem *, const SECItem *,
-+    const unsigned char* random, int randomlen, int, int timing);
-+extern SECStatus ECDSA_VerifyDigest(ECPublicKey *, const SECItem *,
-+    const SECItem *, int);
-+extern SECStatus ECDH_Derive(SECItem *, ECParams *, SECItem *, boolean_t,
-+    SECItem *, int);
-+#endif
-+
-+#ifdef  __cplusplus
-+}
-+#endif
-+
-+#endif /* _ECC_IMPL_H */ 

remove-intree-libraries.sh

@@ -94,6 +94,9 @@ if [ ! -d ${PNG_SRC} ]; then
 fi	
 rm -rvf ${PNG_SRC}
 
+echo "Skipping removal of LCMS on rhel7. Internal will be used intentionally"
+exit 0
+
 echo "Removing lcms"
 if [ ! -d ${LCMS_SRC} ]; then
 	echo "${LCMS_SRC} does not exist. Refusing to proceed."

rh1648242-accessible_toolkit_crash_do_not_break_jvm.patch

@@ -1,10 +1,9 @@
-diff -uNr openjdk/src/java.desktop/share/classes/java/awt/Toolkit.java jdk8/jdk/src/java.desktop/share/classes/java/awt/Toolkit.java
---- openjdk/src/java.desktop/share/classes/java/awt/Toolkit.java
-+++ openjdk/src/java.desktop/share/classes/java/awt/Toolkit.java
-@@ -883,9 +883,13 @@
-                     return null;
-                 }
-             });
+diff -r 618ad1237e73 src/java.desktop/share/classes/java/awt/Toolkit.java
+--- a/src/java.desktop/share/classes/java/awt/Toolkit.java	Thu Jun 13 19:37:49 2019 +0200
++++ b/src/java.desktop/share/classes/java/awt/Toolkit.java	Thu Jul 04 10:35:42 2019 +0200
+@@ -595,7 +595,11 @@
+                 toolkit = new HeadlessToolkit(toolkit);
+             }
              if (!GraphicsEnvironment.isHeadless()) {
 -                loadAssistiveTechnologies();
 +                try {
@@ -15,4 +14,3 @@ diff -uNr openjdk/src/java.desktop/share/classes/java/awt/Toolkit.java jdk8/jdk/
              }
          }
          return toolkit;
-     }

rh1648249-add_commented_out_nss_cfg_provider_to_java_security.patch

@@ -1,10 +1,11 @@
-diff -r 5b86f66575b7 src/share/lib/security/java.security-linux
---- openjdk/src/java.base/share/conf/security/java.security	Tue May 16 13:29:05 2017 -0700
-+++ openjdk/src/java.base/share/conf/security/java.security	Tue Jun 06 14:05:12 2017 +0200
-@@ -83,6 +83,7 @@
- #ifndef solaris
- security.provider.tbd=SunPKCS11
+diff -r e3f940bd3c8f src/java.base/share/conf/security/java.security
+--- openjdk/src/java.base/share/conf/security/java.security	Thu Jun 11 21:54:51 2020 +0530
++++ openjdk/src/java.base/share/conf/security/java.security	Mon Aug 24 10:14:31 2020 +0200
+@@ -77,7 +77,7 @@
+ #ifdef macosx
+ security.provider.tbd=Apple
  #endif
+-security.provider.tbd=SunPKCS11
 +#security.provider.tbd=SunPKCS11 ${java.home}/lib/security/nss.cfg
  
  #

rh1750419-redhat_alt_java.patch

@@ -0,0 +1,117 @@
+diff --git openjdk.orig/make/modules/java.base/Launcher.gmk openjdk/make/modules/java.base/Launcher.gmk
+index 700ddefda49..2882de68eb2 100644
+--- openjdk.orig/make/modules/java.base/Launcher.gmk
++++ openjdk/make/modules/java.base/Launcher.gmk
+@@ -41,6 +41,14 @@ $(eval $(call SetupBuildLauncher, java, \
+     OPTIMIZATION := HIGH, \
+ ))
+ 
++#Wno-error=cpp is present to allow commented warning in ifdef part of main.c
++$(eval $(call SetupBuildLauncher, alt-java, \
++    CFLAGS := -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES -DREDHAT_ALT_JAVA -Wno-error=cpp, \
++    EXTRA_RCFLAGS := $(JAVA_RCFLAGS), \
++    VERSION_INFO_RESOURCE := $(JAVA_VERSION_INFO_RESOURCE), \
++    OPTIMIZATION := HIGH, \
++))
++
+ ifeq ($(call isTargetOs, windows), true)
+   $(eval $(call SetupBuildLauncher, javaw, \
+       CFLAGS := -DJAVAW -DEXPAND_CLASSPATH_WILDCARDS -DENABLE_ARG_FILES, \
+diff --git openjdk.orig/src/java.base/share/native/launcher/alt_main.h openjdk/src/java.base/share/native/launcher/alt_main.h
+new file mode 100644
+index 00000000000..697df2898ac
+--- /dev/null
++++ openjdk/src/java.base/share/native/launcher/alt_main.h
+@@ -0,0 +1,73 @@
++/*
++ * Copyright (c) 2019, Red Hat, Inc. All rights reserved.
++ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
++ *
++ * This code is free software; you can redistribute it and/or modify it
++ * under the terms of the GNU General Public License version 2 only, as
++ * published by the Free Software Foundation.  Oracle designates this
++ * particular file as subject to the "Classpath" exception as provided
++ * by Oracle in the LICENSE file that accompanied this code.
++ *
++ * This code is distributed in the hope that it will be useful, but WITHOUT
++ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
++ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
++ * version 2 for more details (a copy is included in the LICENSE file that
++ * accompanied this code).
++ *
++ * You should have received a copy of the GNU General Public License version
++ * 2 along with this work; if not, write to the Free Software Foundation,
++ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
++ *
++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
++ * or visit www.oracle.com if you need additional information or have any
++ * questions.
++ */
++
++#ifdef REDHAT_ALT_JAVA
++
++#include <sys/prctl.h>
++
++
++/* Per task speculation control */
++#ifndef PR_GET_SPECULATION_CTRL
++# define PR_GET_SPECULATION_CTRL    52
++#endif
++#ifndef PR_SET_SPECULATION_CTRL
++# define PR_SET_SPECULATION_CTRL    53
++#endif
++/* Speculation control variants */
++#ifndef PR_SPEC_STORE_BYPASS
++# define PR_SPEC_STORE_BYPASS          0
++#endif
++/* Return and control values for PR_SET/GET_SPECULATION_CTRL */
++
++#ifndef PR_SPEC_NOT_AFFECTED
++# define PR_SPEC_NOT_AFFECTED          0
++#endif
++#ifndef PR_SPEC_PRCTL
++# define PR_SPEC_PRCTL                 (1UL << 0)
++#endif
++#ifndef PR_SPEC_ENABLE
++# define PR_SPEC_ENABLE                (1UL << 1)
++#endif
++#ifndef PR_SPEC_DISABLE
++# define PR_SPEC_DISABLE               (1UL << 2)
++#endif
++#ifndef PR_SPEC_FORCE_DISABLE
++# define PR_SPEC_FORCE_DISABLE         (1UL << 3)
++#endif
++#ifndef PR_SPEC_DISABLE_NOEXEC
++# define PR_SPEC_DISABLE_NOEXEC        (1UL << 4)
++#endif
++
++static void set_speculation() __attribute__((constructor));
++static void set_speculation() {
++  if ( prctl(PR_SET_SPECULATION_CTRL,
++             PR_SPEC_STORE_BYPASS,
++             PR_SPEC_DISABLE_NOEXEC, 0, 0) == 0 ) {
++    return;
++  }
++  prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_STORE_BYPASS, PR_SPEC_DISABLE, 0, 0);
++}
++
++#endif // REDHAT_ALT_JAVA
+diff --git openjdk.orig/src/java.base/share/native/launcher/main.c openjdk/src/java.base/share/native/launcher/main.c
+index b734fe2ba78..79dc8307650 100644
+--- openjdk.orig/src/java.base/share/native/launcher/main.c
++++ openjdk/src/java.base/share/native/launcher/main.c
+@@ -34,6 +34,14 @@
+ #include "jli_util.h"
+ #include "jni.h"
+ 
++#ifdef REDHAT_ALT_JAVA
++#if defined(__linux__) && defined(__x86_64__)
++#include "alt_main.h"
++#else
++#warning alt-java requested but SSB mitigation not available on this platform.
++#endif
++#endif
++
+ #ifdef _MSC_VER
+ #if _MSC_VER > 1400 && _MSC_VER < 1600
+ 

sources

@@ -1,2 +1,2 @@
-SHA512 (jdk-jdk12-jdk-12+33.tar.xz) = e2dea9585fe07ae87fb313d090e9850a547e2ba84a7447d42acd0a04874599ef240f7b6ccaa69955cab5d12f646711cb4467e1b24e090af476e9ff708cc168fe
-SHA512 (systemtap_3.2_tapsets_hg-icedtea8-9d464368e06d.tar.xz) = cf578221b77d8c7e019f69909bc86c419c5fb5e10bceba9592ff6e7f96887b0a7f07c9cefe90800975247a078785ca190fdec5c2d0f841bb447cee784b570f7d
+SHA512 (tapsets-icedtea-3.15.0.tar.xz) = c752a197cb3d812d50c35e11e4722772be40096c81d2a57933e0d9b8a3c708b9c157b8108a4e33a06ca7bb81648170994408c75d6f69d5ff12785d0c31009671
+SHA512 (openjdk-jdk16u-jdk-16.0.1+9.tar.xz) = ff06d5c97377cac4d5e8921766c61d4d96dc0c968913263b5371f0d3d0e98bb6a5ccf5b1cbb3ddaff3380bf4499ff6501e73f96e0e922b2294d1f7c1ec3eee23

update_package.sh

@@ -0,0 +1,69 @@
+#!/bin/bash -x
+#  this file contains defaults for currently generated source tarballs
+
+set -e
+
+# TAPSET
+export PROJECT_NAME="hg"
+export REPO_NAME="icedtea8"
+export VERSION="9d464368e06d"
+export COMPRESSION=xz
+export OPENJDK_URL=http://icedtea.classpath.org
+export FILE_NAME_ROOT=${PROJECT_NAME}-${REPO_NAME}-${VERSION}
+export TO_COMPRESS="*/tapset"
+# warning, filename  and filenameroot creation is duplicated here from generate_source_tarball.sh
+CLONED_FILENAME=${FILE_NAME_ROOT}.tar.${COMPRESSION}
+TAPSET_VERSION=3.2
+TAPSET=systemtap_"$TAPSET_VERSION"_tapsets_$CLONED_FILENAME
+if [ ! -f ${TAPSET} ] ; then
+  if [ ! -f ${CLONED_FILENAME} ] ; then
+  echo "Generating ${CLONED_FILENAME}"
+    sh ./generate_source_tarball.sh
+  else 
+    echo "exists exists exists exists exists exists exists "
+    echo "reusing reusing reusing reusing reusing reusing "
+    echo ${CLONED_FILENAME}
+  fi
+  mv -v $CLONED_FILENAME  $TAPSET
+else 
+  echo "exists exists exists exists exists exists exists "
+  echo "reusing reusing reusing reusing reusing reusing "
+  echo ${TAPSET}
+fi
+
+# OpenJDK from Shenandoah project
+export PROJECT_NAME="jdk"
+export REPO_NAME="jdk15"
+export VERSION="jdk-15+36"
+export COMPRESSION=xz
+# unset tapsets overrides
+export OPENJDK_URL=""
+export TO_COMPRESS=""
+# warning, filename  and filenameroot creation is duplicated here from generate_source_tarball.sh
+export FILE_NAME_ROOT=${PROJECT_NAME}-${REPO_NAME}-${VERSION}
+FILENAME=${FILE_NAME_ROOT}.tar.${COMPRESSION}
+
+if [ ! -f ${FILENAME} ] ; then
+echo "Generating ${FILENAME}"
+  sh ./generate_source_tarball.sh
+else 
+  echo "exists exists exists exists exists exists exists "
+  echo "reusing reusing reusing reusing reusing reusing "
+  echo ${FILENAME}
+fi
+
+set +e
+
+major=`echo $REPO_NAME | sed 's/[a-zA-Z]*//g'`
+build=`echo $VERSION | sed 's/.*+//g'`
+name_helper=`echo $FILENAME | sed s/$major/'%{majorver}'/g `
+name_helper=`echo $name_helper | sed s/$build/'%{buildver}'/g `
+echo "align specfile acordingly:" 
+echo " sed 's/^Source0:.*/Source0: $name_helper/' -i *.spec"
+echo " sed 's/^Source8:.*/Source8: $TAPSET/'   -i *.spec"
+echo " sed 's/^%global buildver.*/%global buildver        $build/'   -i *.spec"
+echo " sed 's/Release:.*/Release: 1%{?dist}/'   -i *.spec"
+echo "and maybe others...."
+echo "you should fedpkg/rhpkg new-sources $TAPSET $FILENAME"
+echo "you should fedpkg/rhpkg prep --arch XXXX on all architectures: x86_64 i386 i586 i686 ppc ppc64 ppc64le s390 s390x aarch64 armv7hl"
+