On Aug 28, 2009, at 9:56 AM, Andrew John Hughes wrote:
2009/8/28 Max (Weijun) Wang <weijun.w...@sun.com>:
On Aug 27, 2009, at 9:52 PM, Andrew John Hughes wrote:
The problem is more the fact that it's an additional copy rather
than
using the system installation, which means it has to be patched for
bugs and security fixes separately. For IcedTea, I'll look at
providing and using the option of using the system NSS and will also
submit this for review here if there is interest in providing such
an
option.
Since Java security is already provider based, I guess you can
simply write
one provider named NSS and remove all other security.provider.<n>
lines in
jre/lib/security/java.security.
Max
Sounds like the JDK6 solution :)
No, this is the real Java solution. :)
I think the simpler fix is to just provide an option for the calls to
the native code to use the system library rather than the included
copy (some of the new files appear to be verbatim copies of files from
NSS AFAICS). But I need to look at this in more detail.
This only redirects native calls to your centralized ones, but JRE
includes a lot of pure Java providers. If they are still listed in the
java.security file, your so called "Fedora Crypto Consolidation" is
not 100% complete.
Thanks
Max
Thanks,
--
Andrew :-)
Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)
Support Free Java!
Contribute to GNU Classpath and the OpenJDK
http://www.gnu.org/software/classpath
http://openjdk.java.net
PGP Key: 94EFD9D8 (http://subkeys.pgp.net)
Fingerprint: F8EF F1EA 401E 2E60 15FA 7927 142C 2591 94EF D9D8
