On 17/12/2019 19:30, Severin Gehwolf wrote:
> Hi,
>
> Could I please get a review of this OpenJDK 8u backport of 8232019. The
> JDK 11 patch did not apply cleanly for a couple of reasons:
>
> 1. 8u still has the binary blob for cacerts (JDK-8193255 not
>    backported, yet). Instead, I've updated to the revision in jdk11u,
>    performed a build and copied the cacerts binary to 8u.
> 2. JDK-8225392 not present in 8u, which added the checksum to
>    VerifyCACerts.java. Thus, the 8u backport does not include this
>    hunk. @bug annotation modified manually for the same reason.
>
> Everything else is the same.
>
> Bug: https://bugs.openjdk.java.net/browse/JDK-8232019
> webrev:
> http://cr.openjdk.java.net/~sgehwolf/webrevs/JDK-8232019/jdk8/01/webrev/
>
> Testing: sun/security/lib/cacerts/VerifyCACerts.java and
> security/infra/java/security/cert/CertPathValidator/certification
> Pass, except for ActalisCA.java which is problem-listed and still
> broken in HEAD (JDK-8224768)
>
> Thoughts?
>
> If reviewed, I'll try to get this in 8u242 via the critical fix request
> label workflow.
>
> Thanks,
> Severin
>

Going on this & the similar Amazon fix, I'd say we should backport
JDK-8193255 & JDK-8225392 first. The previous updates which alter a
binary file have been pretty much unreviewable and, if there's a better
solution to that, I'd rather we had it sooner rather than later.

Likewise, judging by the comment on JDK-8234245, I'd say that needs to
be applied between the LuxTrust & Amazon ones:

"This fixes an issue after JDK-8232019, so it needs to be included.
Patch applies cleanly."

Thanks,
--
Andrew :)

Senior Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04 C5A0 CFDA 0F9B 3596 4222
https://keybase.io/gnu_andrew