Hi, I am asking this because I am not able to find information on if openjdk uses signed tags/commits & because those of us without commit access cannot use ssh to clone the openjdk mercurial repositories hosted on http://hg.openjdk.java.net/ . Also, hg.openjdk.java.net is not available over https. As a result it appears to me that projects like AdoptOpenJDK have to insecurely obtain openjdk sources over http[0].
Thank you in advance. [0] https://github.com/AdoptOpenJDK/openjdk-build/blob/master/git-hg/update-without-modules.sh#L36 -- David Black / Security Engineer.