Hello,

Yes, I would have expected the RH „upstream“ builds to have an empty cacerts 
file, as they are described as „pristine“. However, thanks for the pointer 
that this is not entirely the case.

So 8u cacerts is still empty, which is, I guess, better than outdated.

I would consider the content of the cacerts file to be somewhat related to the 
security baseline version of Java, and backporting the JEP (or actually 
refreshing the file before each release) would help a lot.

Regards,
Bernd
--
http://bernd.eckenfels.net
________________________________
From: Severin Gehwolf <sgehw...@redhat.com>
Sent: Thursday, April 18, 2019 10:34 AM
To: Bernd Eckenfels; jdk8u-...@openjdk.java.net
Cc: security-dev@openjdk.java.net
Subject: Re: Refresh cacert File?

Hi,

On Wed, 2019-04-17 at 22:43 +0000, Bernd Eckenfels wrote:
> Hello,
>
> I think it was discussed on security-dev before but did not result in
> any action, as far as I understand it. Currently the „cacerts“ file
> shipped with 8u upstream builds is a bit outdated. It contains
> multiple expired certificates and misses the latest additions.

Are you referring to these builds?
https://adoptopenjdk.net/upstream.html

The reason for this is that for OpenJDK 8u upstream builds the cacerts
file will be empty unless the --with-cacerts-file configure option is
being used. That's the case for the above 8u builds[1].

> Also I noted there are multiple vendors struggling with this file.

There is bound to be divergence as no cacerts file is included upstream
in OpenJDK 8u.

> Since the later Java releases have a canonical source for that file
> with vetted licensing, it would totally make sense to refresh, i.e.
> backport, the changes. Is there anything planned in that direction?

There has been a proposal and IMO it would make sense to backport
JEP 319 to JDK 8u:
http://mail.openjdk.java.net/pipermail/jdk8u-dev/2019-March/008975.html

Thanks,
Severin

[1] 
https://github.com/AdoptOpenJDK/openjdk8-upstream-binaries/blob/master/build-openjdk8.sh#L36
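
The practical question behind this thread is what a given build actually ships in lib/security/cacerts: nothing at all (an upstream 8u build configured without --with-cacerts-file) or a vendor-supplied file that may carry expired roots. The following is an added example, written for this page and not code from the thread or from the OpenJDK project. It opens the trust store of the running JDK with the standard KeyStore API, counts the trusted CA entries and lists those whose notAfter date has passed. It assumes the JDK 8u layout (java.home/lib/security/cacerts, JKS format) and the documented default store password "changeit"; a different path can be passed as the first argument.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Enumeration;

/**
 * Added example (not part of the thread or of OpenJDK): audit a JDK cacerts
 * trust store. Prints how many trusted CA entries it holds, lists the expired
 * ones, and exits with status 1 when the store is empty or any entry has
 * expired, so the check can gate a build or an image.
 */
public class CacertsAudit {
    public static void main(String[] args) throws Exception {
        // Assumed JDK 8u location; override with an explicit path if needed.
        Path store = args.length > 0
                ? Paths.get(args[0])
                : Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        // "changeit" is the documented default password of the shipped cacerts file.
        // Loading with null would skip the JKS integrity check; we want it enforced.
        char[] password = "changeit".toCharArray();

        // 8u ships cacerts as JKS. On JDK 9+ the JKS implementation also reads
        // PKCS12 files in compatibility mode, so this works across releases.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(store)) {
            ks.load(in, password);
        }

        Date now = new Date();
        int total = 0;
        int expired = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            if (!ks.isCertificateEntry(alias)) {
                continue; // cacerts should hold trusted-certificate entries only
            }
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) {
                continue;
            }
            X509Certificate x = (X509Certificate) c;
            total++;
            if (x.getNotAfter().before(now)) {
                expired++;
                System.out.println("EXPIRED " + alias + " ("
                        + x.getSubjectX500Principal().getName()
                        + ") not after " + x.getNotAfter());
            }
        }

        System.out.println(store + ": " + total + " trusted CA entries, "
                + expired + " expired");
        if (total == 0) {
            // An empty store is what an upstream 8u build without
            // --with-cacerts-file produces: every TLS handshake will fail.
            System.out.println("cacerts is empty");
            System.exit(1);
        }
        if (expired > 0) {
            System.exit(1);
        }
    }
}
```

Compile and run with `javac CacertsAudit.java && java CacertsAudit`, or pass the path of another build's store as the first argument. The quick manual equivalent is `keytool -list -v -keystore "$JAVA_HOME/lib/security/cacerts" -storepass changeit` and reading the "Valid from ... until" lines; the program above just makes the empty and expired cases fail loudly.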
