Hello, yes, I would have expected the RH „upstream“ builds to have an empty cacerts file as they are described to be „pristine“. However, thanks for the pointer that this is not entirely the case.
So 8u cacerts is still empty, which is I guess better than outdated. I would consider the content of the cacert file to be somewhat related to the security baseline version of Java, and backporting the JEP (or actually refreshing the file before each release) would help a lot.

Regards
Bernd
--
http://bernd.eckenfels.net

________________________________
From: Severin Gehwolf <sgehw...@redhat.com>
Sent: Thursday, April 18, 2019 10:34 AM
To: Bernd Eckenfels; jdk8u-...@openjdk.java.net
Cc: security-dev@openjdk.java.net
Subject: Re: Refresh cacert File?

Hi,

On Wed, 2019-04-17 at 22:43 +0000, Bernd Eckenfels wrote:
> hello,
>
> I think it was discussed on security-dev before but did not result in
> some action as far as I understand it. Currently the „cacert“ file
> shipped with 8u upstream builds is a bit outdated. It contains
> multiple expired certificates and misses latest additions.

Are you referring to these builds?
https://adoptopenjdk.net/upstream.html

The reason for this is that for OpenJDK 8u upstream builds the cacerts file will be empty unless the --with-cacerts-file configure option is being used. That's the case for the above 8u builds[1].

> Also I noted there are multiple vendors struggling with this file.

There is bound to be divergence as no cacerts file is included upstream in OpenJDK 8u.

> Since the later Java releases have a canonical source for that file
> with vetted licensing it totally would make sense to refresh, i.e.
> backport the changes. Is there anything planned in that direction?

There has been a proposal and IMO it would make sense to backport JEP319 to JDK 8u:
http://mail.openjdk.java.net/pipermail/jdk8u-dev/2019-March/008975.html

Thanks,
Severin

[1] https://github.com/AdoptOpenJDK/openjdk8-upstream-binaries/blob/master/build-openjdk8.sh#L36
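As an added example (not code from this thread or from OpenJDK), a small Java program that loads the running JDK's cacerts trust store and reports the two conditions discussed above: a store with no entries (the upstream 8u default when --with-cacerts-file is not passed to configure) or a store carrying expired roots. The default password `changeit` and the `lib/security/cacerts` path under `java.home` are assumptions; pass another path as the first argument to audit a different file.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;

/** Audits a JDK cacerts trust store: exit 2 if empty, 1 if it holds expired roots, 0 otherwise. */
public class CacertsAudit {
    public static void main(String[] args) throws Exception {
        // java.home is the jre directory on JDK 8 and the JDK root on later releases,
        // so lib/security/cacerts resolves correctly on both (assumed default location).
        Path store = args.length > 0 ? Paths.get(args[0])
                : Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        char[] password = "changeit".toCharArray(); // assumed: the conventional cacerts password

        // A zero-byte file is the most degenerate "empty" case; report it before KeyStore.load fails on it.
        if (Files.size(store) == 0) {
            System.out.println("WARNING: " + store + " is a zero-byte file, no roots are trusted");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); // JKS on 8, PKCS12 (JKS-compatible) on 9+
        try (InputStream in = new FileInputStream(store.toFile())) {
            ks.load(in, password);
        }

        int total = 0, expired = 0;
        Date now = new Date();
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isCertificateEntry(alias)) continue; // cacerts should only hold trusted-cert entries
            total++;
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate && ((X509Certificate) c).getNotAfter().before(now)) {
                expired++;
                System.out.println("EXPIRED " + alias + " notAfter=" + ((X509Certificate) c).getNotAfter());
            }
        }
        System.out.println(store + ": " + total + " trusted certificates, " + expired + " expired");
        if (total == 0) {
            // The upstream 8u build case: TLS peers cannot be validated until a trust store is supplied.
            System.out.println("WARNING: trust store has no entries; supply one via --with-cacerts-file"
                    + " at build time or -Djavax.net.ssl.trustStore at run time");
            System.exit(2);
        }
        System.exit(expired > 0 ? 1 : 0);
    }
}
```

Run with `java CacertsAudit` on the JDK under test, or `java CacertsAudit /path/to/cacerts` to compare a vendor-supplied file; a non-zero exit makes it usable as a build or deployment gate.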