Hi,

On Wed, 2019-04-17 at 22:43 +0000, Bernd Eckenfels wrote:
> hello,
>
> I think it was discussed on security-dev before but did not result in
> some action as far as I understand it. Currently the „cacert“ file
> shipped with 8u upstream builds is a bit outdated. It contains
> multiple expired certificates and misses latest additions.

Are you referring to these builds?
https://adoptopenjdk.net/upstream.html

The reason for this is that for OpenJDK 8u upstream builds the cacerts
file will be empty unless the --with-cacerts-file configure option is
being used. That's the case for the above 8u builds[1].

> Also I noted there are multiple vendors struggling with this file.

There is bound to be divergence as no cacerts file is included upstream
in OpenJDK 8u.

> Since the later Java releases have a canonical source for that file
> with vetted licensing it totally would make sense to refresh i.e.
> backport the changes. Is there anything planned in that direction?

There has been a proposal and IMO it would make sense to backport
JEP319 to JDK 8u:
http://mail.openjdk.java.net/pipermail/jdk8u-dev/2019-March/008975.html

Thanks,
Severin

[1] https://github.com/AdoptOpenJDK/openjdk8-upstream-binaries/blob/master/build-openjdk8.sh#L36
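
Added example, not part of the original thread and not code from OpenJDK or AdoptOpenJDK: a small audit that flags the two conditions discussed above, an empty cacerts trust store and entries that have already expired. It assumes the English-locale text printed by `keytool -list -v`; the sample listing is abbreviated and constructed, and its aliases, owners and dates, as well as the AS_OF reference date, are made up.

```python
import re
from datetime import datetime

# Constructed, abbreviated sample of `keytool -list -v` output (English locale).
# Aliases, owners and dates are made up for illustration.
SAMPLE = """\
Your keystore contains 2 entries

Alias name: example-old-root
Entry type: trustedCertEntry
Owner: CN=Example Old Root
Valid from: Mon Jan 01 00:00:00 UTC 2001 until: Fri Jan 01 00:00:00 UTC 2016

Alias name: example-current-root
Entry type: trustedCertEntry
Owner: CN=Example Current Root
Valid from: Thu Jan 01 00:00:00 UTC 2015 until: Sun Jan 01 00:00:00 UTC 2040
"""
EMPTY = "Keystore type: JKS\n\nYour keystore contains 0 entries\n"
AS_OF = datetime(2019, 4, 17)  # constructed reference date for the check

ALIAS = re.compile(r"^Alias name: (.+)$")
# Weekday and zone name are skipped, so the comparison is day-accurate only.
UNTIL = re.compile(r"until: \w{3} (\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ (\d{4})")

def audit_cacerts(listing, as_of):
    """Return (entry_count, [(alias, not_after_date), ...]) for expired entries."""
    count, expired, alias = 0, [], None
    for line in listing.splitlines():
        m = ALIAS.match(line.strip())
        if m:
            alias, count = m.group(1), count + 1
            continue
        m = UNTIL.search(line)
        if m and alias is not None:
            not_after = datetime.strptime(" ".join(m.groups()), "%b %d %H:%M:%S %Y")
            if not_after < as_of:
                expired.append((alias, not_after.date().isoformat()))
            alias = None  # a trusted entry carries one validity line
    return count, expired

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE), ("empty", EMPTY)):
        count, expired = audit_cacerts(text, AS_OF)
        if count == 0:
            print(f"{name}: trust store is empty, no TLS server certificate will validate")
        for alias, date in expired:
            print(f"{name}: {alias} expired on {date}")
```

To audit a real JDK, pass the captured output of `keytool -list -v` for its cacerts file instead of SAMPLE.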