On Fri, Dec 1, 2017 at 6:22 PM, Alan Bateman <alan.bate...@oracle.com> wrote: > > > On 01/12/2017 17:16, Volker Simonis wrote: >> >> Hi Rajan, >> >> great to see this finally happen! >> >> I have just a quick question related to the tests. As far as I can >> see, the tests will only succeed if the OpenJDK will be build with the >> new open sourced, Oracle root certificates. But what if somebody is >> building the OpenJDK with his own set of root certificates (by using >> the --with-cacerts-file option)? Do you see any possibility of >> restricting these tests only to builds which used the original, >> checked in cacerts file? > > If needed, you could add a keyword (@key tag) on these tests, or any tests > that depend on the OpenJDK cacerts file, so can you control if the tests are > run or not. >
Yes, but as far as I know @key tags are implemented by querying VM properties. In this case however there's no VM property which indicates how the VM has been configured. --with-cacerts-file is just changing the copy rule which copies the cacerts fine into the final image. If we would like to query this information at runtime, we must save the --with-cacerts-file configuration option in a property. I'm not sure if that is worth it. Maybe everybody will use the new Oracle JDK Root Certificates once they are available? Or maybe we should just make the tests manual tests which are not automatically executed? I just think if you build your own version of OpenJDK with --with-cacerts-file and run the JTreg tests afterwards, it will be confusing to get test errors because of your trust store. > -Alan >