Hello community,
here is the log from the commit of package java-11-openjdk for openSUSE:Factory
checked in at 2021-03-24 16:10:03
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/java-11-openjdk (Old)
and /work/SRC/openSUSE:Factory/.java-11-openjdk.new.2401 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "java-11-openjdk"
Wed Mar 24 16:10:03 2021 rev:43 rq:880084 version:11.0.10.0
Changes:
--------
--- /work/SRC/openSUSE:Factory/java-11-openjdk/java-11-openjdk.changes
2021-01-25 18:23:22.364407563 +0100
+++
/work/SRC/openSUSE:Factory/.java-11-openjdk.new.2401/java-11-openjdk.changes
2021-03-24 16:10:03.995757312 +0100
@@ -1,0 +2,14 @@
+Fri Mar 19 11:55:12 UTC 2021 - Fridrich Strba <[email protected]>
+
+- Added patches:
+ * system-crypto-policy.patch
+ + Let OpenJDK use system crypto policies unless explicitely told
+ not to
+ * nss-security-provider.patch
+ + Add the NSS security provider with configuration in generated
+ nss.cfg file
+ * keytool-default-rsa.patch
+ + Make keytool generate RSA keys by default, since only the
+ LEGACY system crypto policy allows DSA
+
+-------------------------------------------------------------------
Old:
----
nss.cfg
New:
----
keytool-default-rsa.patch
nss-security-provider.patch
nss.cfg.in
system-crypto-policy.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ java-11-openjdk.spec ++++++
--- /var/tmp/diff_new_pack.GnxXjl/_old 2021-03-24 16:10:06.095759516 +0100
+++ /var/tmp/diff_new_pack.GnxXjl/_new 2021-03-24 16:10:06.099759520 +0100
@@ -134,6 +134,7 @@
%global tapsetroot %{_datadir}/systemtap
%global tapsetdir %{tapsetroot}/tapset/%{_build_cpu}
%endif
+%global NSS_LIBDIR %(pkg-config --variable=libdir nss)
%if %{with_systemtap}
# Where to install systemtap tapset (links)
# We would like these to be in a package specific subdir,
@@ -164,7 +165,7 @@
# Desktop files. Adapted from IcedTea.
Source11: jconsole.desktop.in
# nss configuration file
-Source13: nss.cfg
+Source13: nss.cfg.in
# Ensure we aren't using the limited crypto policy
Source14: TestCryptoLevel.java
# Ensure ECDSA is working
@@ -210,8 +211,11 @@
# Fix: implicit-pointer-decl
Patch13: implicit-pointer-decl.patch
#
+Patch14: system-crypto-policy.patch
Patch15: system-pcsclite.patch
Patch16: missing-return.patch
+Patch17: nss-security-provider.patch
+Patch18: keytool-default-rsa.patch
#
Patch20: loadAssistiveTechnologies.patch
#
@@ -260,6 +264,7 @@
BuildRequires: libpng-devel
BuildRequires: libtool
BuildRequires: libxslt
+BuildRequires: mozilla-nss-devel
BuildRequires: pkgconfig
BuildRequires: unzip
BuildRequires: update-desktop-files
@@ -350,7 +355,7 @@
# Post requires update-alternatives to install tool update-alternatives.
Requires(post): update-alternatives
# Postun requires update-alternatives to uninstall tool update-alternatives.
-Requires(postun): update-alternatives
+Requires(postun):update-alternatives
Recommends: tzdata-java8
# Standard JPackage base provides.
Provides: java-%{javaver}-headless = %{version}-%{release}
@@ -385,7 +390,7 @@
# Post requires update-alternatives to install tool update-alternatives.
Requires(post): update-alternatives
# Postun requires update-alternatives to uninstall tool update-alternatives.
-Requires(postun): update-alternatives
+Requires(postun):update-alternatives
# Standard JPackage devel provides.
Provides: java-%{javaver}-devel = %{version}
Provides: java-10-openjdk-devel = %{version}-%{release}
@@ -437,7 +442,7 @@
# Post requires update-alternatives to install javadoc alternative.
Requires(post): update-alternatives
# Postun requires update-alternatives to uninstall javadoc alternative.
-Requires(postun): update-alternatives
+Requires(postun):update-alternatives
# Standard JPackage javadoc provides.
Provides: java-%{javaver}-javadoc = %{version}-%{release}
Provides: java-10-openjdk-javadoc = %{version}-%{release}
@@ -504,12 +509,15 @@
%patch10 -p1
%patch12 -p1
%patch13 -p1
+%patch14 -p1
%if %{with_system_pcsc}
%patch15 -p1
%endif
%patch16 -p1
+%patch17 -p1
+%patch18 -p1
%patch20 -p1
@@ -568,6 +576,9 @@
sed -i -e s:@VERSION@:%{javaver}:g $OUTPUT_FILE
done
+# Setup nss.cfg
+sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE13} > nss.cfg
+
%build
%ifarch s390x sparc64 alpha ppc64 ppc64le %{aarch64}
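Review bot: The `sed` that generates nss.cfg does not check that `%{NSS_LIBDIR}` expanded to a non-empty path. The macro is defined in an earlier hunk as `%(pkg-config --variable=libdir nss)`, which yields an empty string if pkg-config cannot resolve nss when the spec is parsed. The build would then ship `nssLibraryDirectory =` with no value and only show the problem at runtime. A guard such as `test -n "%{NSS_LIBDIR}" || exit 1` before the `sed` would make the build fail instead. The directory is also fixed at build time, so the runtime package presumably needs a dependency on the NSS library itself; only `BuildRequires: mozilla-nss-devel` is visible in these hunks.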
@@ -665,7 +676,10 @@
export JAVA_HOME=$(pwd)/%{buildoutputdir}/%{imagesdir}/jdk
-# Copy tz.properties
+# Install nss.cfg right away as we will be using the JRE above
+install -m 644 nss.cfg $JAVA_HOME/conf/security/
+
+ # Copy tz.properties
echo "sun.zoneinfo.dir=%{_datadir}/javazi" >> $JAVA_HOME/conf/tz.properties
%if %{with_pulseaudio}
@@ -942,9 +956,6 @@
popd
-# Install nss.cfg
-install -m 644 %{SOURCE13} %{buildroot}%{_jvmdir}/%{sdkdir}/lib/security/
-
# Install Javadoc documentation.
install -d -m 755 %{buildroot}%{_javadocdir}
cp -a %{buildoutputdir}/images/docs %{buildroot}%{_javadocdir}/%{sdklnk}
@@ -1302,7 +1313,7 @@
%{_jvmdir}/%{sdkdir}/lib/*/Xusage.txt
%config(noreplace) %{_jvmdir}/%{sdkdir}/lib/security/blacklisted.certs
-%config(noreplace) %{_jvmdir}/%{sdkdir}/lib/security/nss.cfg
+%config(noreplace) %{_jvmdir}/%{sdkdir}/conf/security/nss.cfg
%{_jvmdir}/%{sdkdir}/lib/security/default.policy
%{_jvmdir}/%{sdkdir}/lib/security/public_suffix_list.dat
++++++ keytool-default-rsa.patch ++++++
--- openjdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java
2021-03-16 07:15:49.790093601 +0100
+++ openjdk/src/java.base/share/classes/sun/security/tools/keytool/Main.java
2021-03-18 16:35:12.103576694 +0100
@@ -1135,7 +1135,7 @@
}
} else if (command == GENKEYPAIR) {
if (keyAlgName == null) {
- keyAlgName = "DSA";
+ keyAlgName = "RSA";
}
doGenKeyPair(alias, dname, keyAlgName, keysize, groupName,
sigAlgName);
kssave = true;
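Review bot: The changed default in the `GENKEYPAIR` branch has no comment saying it is a distribution-specific deviation, so the next rebase of this patch has nothing to explain why the line differs from upstream. A one-line comment above the assignment would do, for example `// openSUSE: default to RSA; only the LEGACY system crypto policy still allows DSA`. The same `sigAlgName` is still passed through to `doGenKeyPair`. Existing invocations that give a DSA signature algorithm but rely on the implicit key algorithm will therefore pair it with an RSA key, which is worth a line in the package changelog or keytool documentation. The enclosing method starts and ends outside the hunk.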
++++++ nss-security-provider.patch ++++++
--- openjdk/src/java.base/share/conf/security/java.security 2021-03-16
07:15:49.798093653 +0100
+++ openjdk/src/java.base/share/conf/security/java.security 2021-03-16
11:38:01.416893125 +0100
@@ -84,6 +84,7 @@
#ifndef solaris
security.provider.tbd=SunPKCS11
#endif
+security.provider.tbd=SunPKCS11 ${java.home}/conf/security/nss.cfg
#
# A list of preferred providers for specific algorithms. These providers will
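Review bot: The added `security.provider.tbd=SunPKCS11 ${java.home}/conf/security/nss.cfg` line sits directly after the existing unconfigured `SunPKCS11` entry without any comment. On non-Solaris builds the list therefore carries two SunPKCS11 lines, and nothing explains why. A short comment above it would help, for example `# NSS-backed PKCS#11 provider, configured by conf/security/nss.cfg (distribution addition)`. Because the entry is appended after the providers visible here, it presumably ends up with the lowest preference; the rest of the list is outside the hunk, so that is worth confirming against the intended behaviour. The entry is also unconditional, so provider setup depends on the NSS library named in nss.cfg being present at runtime.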
++++++ nss.cfg.in ++++++
name = NSS
nssLibraryDirectory = @NSS_LIBDIR@
nssDbMode = noDb
attributes = compatibility
handleStartupErrors = ignoreMultipleInitialisation
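Review bot: This new template has no comments, so a reader cannot tell that `@NSS_LIBDIR@` is a placeholder or why these modes were chosen. A header such as `# Template: @NSS_LIBDIR@ is replaced by the spec file during %prep` would cover the first point. A second comment on `nssDbMode = noDb` should state that NSS is used without a key/certificate database, i.e. purely as a cryptographic provider. It would also help to note that `handleStartupErrors = ignoreMultipleInitialisation` only tolerates NSS having been initialised already; other startup failures are not suppressed by it.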
++++++ system-crypto-policy.patch ++++++
--- openjdk/src/java.base/share/classes/java/security/Security.java
2021-03-16 07:15:49.742093294 +0100
+++ openjdk/src/java.base/share/classes/java/security/Security.java
2021-03-16 07:16:54.394507360 +0100
@@ -47,6 +47,9 @@
* implementation-specific location, which is typically the properties file
* {@code conf/security/java.security} in the Java installation directory.
*
+ * <p>Additional default values of security properties are read from a
+ * system-specific location, if available.</p>
+ *
* @author Benjamin Renaud
* @since 1.1
*/
@@ -57,6 +60,10 @@
private static final Debug sdebug =
Debug.getInstance("properties");
+ /* System property file*/
+ private static final String SYSTEM_PROPERTIES =
+ "/etc/crypto-policies/back-ends/java.config";
+
/* The java.security properties */
private static Properties props;
@@ -98,6 +105,7 @@
if (sdebug != null) {
sdebug.println("reading security properties file: " +
propFile);
+ sdebug.println(props.toString());
}
} catch (IOException e) {
if (sdebug != null) {
@@ -183,6 +191,33 @@
}
}
}
+
+ String disableSystemProps =
System.getProperty("java.security.disableSystemPropertiesFile");
+ if (disableSystemProps == null &&
+ "true".equalsIgnoreCase(props.getProperty
+ ("security.useSystemPropertiesFile"))) {
+
+ // now load the system file, if it exists, so its values
+ // will win if they conflict with the earlier values
+ try (BufferedInputStream bis =
+ new BufferedInputStream(new
FileInputStream(SYSTEM_PROPERTIES))) {
+ props.load(bis);
+ loadedProps = true;
+
+ if (sdebug != null) {
+ sdebug.println("reading system security properties file " +
+ SYSTEM_PROPERTIES);
+ sdebug.println(props.toString());
+ }
+ } catch (IOException e) {
+ if (sdebug != null) {
+ sdebug.println
+ ("unable to load security properties from " +
+ SYSTEM_PROPERTIES);
+ e.printStackTrace();
+ }
+ }
+ }
if (!loadedProps) {
initializeStatic();
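Review bot: The opt-out test `disableSystemProps == null` treats any value of `java.security.disableSystemPropertiesFile` as "disable", so `-Djava.security.disableSystemPropertiesFile=false` also switches the system crypto policy off. If only an explicit true should opt out, the condition could read `if (!"true".equalsIgnoreCase(disableSystemProps) &&`. The `catch (IOException e)` branch reports only when `sdebug` is set, so a missing or unreadable `/etc/crypto-policies/back-ends/java.config` silently leaves the JVM on the built-in java.security values. That fail-open behaviour deserves a comment at the `try`, and ideally a package dependency that guarantees the file exists. The enclosing static initializer starts and ends outside the hunk.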
--- openjdk/src/java.base/share/conf/security/java.security 2021-03-16
07:15:49.798093653 +0100
+++ openjdk/src/java.base/share/conf/security/java.security 2021-03-16
11:38:01.416893125 +0100
@@ -336,6 +336,13 @@
security.overridePropertiesFile=true
#
+# Determines whether this properties file will be appended to
+# using the system properties file stored at
+# /etc/crypto-policies/back-ends/java.config
+#
+security.useSystemPropertiesFile=true
+
+#
# Determines the default key and trust manager factory algorithms for
# the javax.net.ssl package.
#
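Review bot: The comment added above `security.useSystemPropertiesFile=true` says this file "will be appended to", but the companion change in Security.java loads the system file afterwards so that its values win on conflict. The comment also leaves out the per-JVM opt-out. I would reword it to say that `/etc/crypto-policies/back-ends/java.config` is loaded after this file and overrides the values set here. It should add that the system file is skipped when the `java.security.disableSystemPropertiesFile` system property is set. Administrators reading java.security would otherwise assume that settings such as `jdk.tls.disabledAlgorithms` in this file are final.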