It seems fine with me. But I think someone from the security team should chime in on this.
-kto

On Sep 18, 2012, at 7:39 AM, Andrew Hughes wrote:

> This is an issue that has been with us for a while. See:
>
> https://bugs.openjdk.java.net/show_bug.cgi?id=100062
> http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7188845
>
> for some background.
>
> The original proposed patch goes too far in removing most of the
> infrastructure for restricting crypto levels and signing of crypto
> jars.
>
> The following simple webrev will achieve what I think is needed:
>
> http://cr.openjdk.java.net/~andrew/100062/webrev.01/
>
> allowing OpenJDK to be built with the unlimited rather than limited
> crypto policy in place.
>
> The build is only altered if both an OpenJDK build is being performed
> and UNLIMITED_CRYPTO is defined. In this case, the install-unlimited
> rule is used to install policies. Without UNLIMITED_CRYPTO being set,
> OpenJDK builds still depend on install-limited as now.
>
> I believe this is a fairly unintrusive change which should allow GNU/Linux
> distros to ship without crypto restrictions while still using upstream
> OpenJDK rather than a variant with several classes removed.
>
> It's not clear to me why this approach wasn't taken before, so I hope I
> haven't missed something.
>
> If this looks ok, I'll push it as the resolution for bug 7188845.
> --
> Andrew :)
>
> Free Java Software Engineer
> Red Hat, Inc. (http://www.redhat.com)
>
> PGP Key: 248BDC07 (https://keys.indymedia.org/)
> Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07