On Tue, 5 May 2026 18:22:43 GMT, Francisco Ferrari Bihurriet
<[email protected]> wrote:
>> I've been thinking more about this. The `include` option as specified above
>> always adds the `include` statement as the last line of the `java.security`
>> file. An equivalent way to support this would to be allow the `include`
>> statement to be specified in the property file of the `props` option, but
>> always add it at the end of the `java.security` file, thus making the
>> `include` option unnecessary. This would simplify the syntax and
>> implementation. Thoughts?
>
> @seanjmullan one problem would be with the order of the property file passed
> as the `props` option. For example, with `jlink --security-properties
> props.security`:
>
> `props.security` contents:
>
>
> include /path/to/other.properties
>
> # Stricter keystore checking
> keystore.type.compat=false
>
>
> `/path/to/other.properties` might define `keystore.type.compat`, but its
> value is overriden.
>
> However, the linked image would have the following `java.security`:
>
>
> # [...] other properties from the runtime's java.security
> keystore.type.compat=false
> # [...] other properties from the runtime's java.security
> include=/path/to/other.properties
>
>
> `/path/to/other.properties` might define (and now override)
> `keystore.type.compat`.
In case it helps to get more inspiration, I had also thought an alternative
that should address all the problems and concerns. But I didn't mention it
earlier because it is equally or more complex as the current solution.
1. Append the properties and includes from both `java.security` and
`props.security` to an ordered collection
* NOTE: the properties parser logic would need to be extended to expose an
internal API that returns an ordered `List` of `Prop(String name, String
value)` records where the name can repeat, and `include` is simply treated as a
standard repeated name
2. Remove the overridden properties, keeping only the latest definition:
* Traverse the `List<Prop>` from last to first, updating a `Set<String>` of
defined property names
* When a property name re-appears, remove that entry
* The `include` directive is allowed to repeat, so do not put it in the
`Set<String>` nor remove any entry
3. Dump this ordered collection as the resulting image's `java.security`
For example:
* `java.security` in the runtime:
```properties
# Explanatory comment for property 'a'
a=value1
# Explanatory comment for property 'b'
b=value2
```
* `props.security` passed to `jlink --security-properties props.security`:
```properties
include /path/to/other.properties
# Comment explaining why we override 'a'
a=value3
include /path/to/another.properties
```
* Interim `List<Prop>` after step 1:
```java
[
Prop[name="a", value="value1"], // <<< gets removed at step 2
Prop[name="b", value="value2"],
Prop[name="include", value="/path/to/other.properties"],
Prop[name="a", value="value3"],
Prop[name="include", value="/path/to/another.properties"],
]
```
* Final `java.security` for the image after step 3:
```properties
b=value2
include=/path/to/other.properties
a=value3
include=/path/to/another.properties
```
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/30635#discussion_r3190704935
