[PATCH FOR REVIEW] Allow OpenJDK to be built with the unlimited crypto policy
Kelly O'Hair
kelly.ohair at oracle.com
Thu Sep 20 02:34:05 UTC 2012
It seems fine with me.
But I think someone from the security team should chime in on this.
-kto
On Sep 18, 2012, at 7:39 AM, Andrew Hughes wrote:
> This is an issue that has been with us for a while. See:
>
> https://bugs.openjdk.java.net/show_bug.cgi?id=100062
> http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7188845
>
> for some background.
>
> The original proposed patch goes too far in removing most of the
> infrastructure for restricting crypto levels and signing of crypto
> jars.
>
> The following simple webrev will achieve what I think is needed:
>
> http://cr.openjdk.java.net/~andrew/100062/webrev.01/
>
> allowing OpenJDK to be built with the unlimited rather than limited
> crypto policy in place.
>
> The build is only altered if both an OpenJDK build is being performed
> and UNLIMITED_CRYPTO is defined. In this case, the install-unlimited
> rule is used to install policies. Without UNLIMITED_CRYPTO being set,
> OpenJDK builds still depend on install-limited as now.
>
> I believe this is a fairly unintrusive change which should allow GNU/Linux
> distros to ship without crypto restrictions while still using upstream
> OpenJDK rather than a variant with several classes removed.
>
> It's not clear to me why this approach wasn't taken before, so I hope I haven't
> missed something.
>
> If this looks ok, I'll push it as the resolution for bug 7188845.
> --
> Andrew :)
>
> Free Java Software Engineer
> Red Hat, Inc. (http://www.redhat.com)
>
> PGP Key: 248BDC07 (https://keys.indymedia.org/)
> Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07
>
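
An added example, not part of the original thread or of the OpenJDK sources: a check that can be run on a finished build to see which jurisdiction policy it installed, the limited one or the unlimited one selected by UNLIMITED_CRYPTO. The class name and the list of algorithms are assumptions chosen for illustration; the API calls are standard javax.crypto.

```java
import java.security.GeneralSecurityException;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

public class CryptoPolicyCheck {
    // Algorithms to query; an illustrative selection, not taken from the thread.
    private static final String[] ALGORITHMS = {"AES", "Blowfish", "RC4", "RSA"};

    /** True when the installed policy puts no key-length cap on the algorithm. */
    static boolean isUnlimited(String algorithm) throws GeneralSecurityException {
        // Documented behaviour: Integer.MAX_VALUE means the unlimited policy is in effect.
        return Cipher.getMaxAllowedKeyLength(algorithm) == Integer.MAX_VALUE;
    }

    /** Cross-checks the reported limit by initialising AES with a 256-bit key. */
    static boolean aes256Usable() {
        try {
            byte[] key = new byte[32]; // constructed all-zero test key, for this check only
            Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
            cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"));
            return true;
        } catch (GeneralSecurityException e) {
            // A capped policy rejects the key with InvalidKeyException ("Illegal key size").
            return false;
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        boolean allUnlimited = true;
        for (String algorithm : ALGORITHMS) {
            int max = Cipher.getMaxAllowedKeyLength(algorithm);
            String shown = (max == Integer.MAX_VALUE) ? "unlimited" : max + " bits";
            System.out.printf("%-10s max key length: %s%n", algorithm, shown);
            allUnlimited &= isUnlimited(algorithm);
        }
        boolean aes256 = aes256Usable();
        System.out.println("AES-256 init: " + (aes256 ? "ok" : "rejected by policy"));

        // The policy query and the real cipher initialisation should agree;
        // a mismatch suggests mixed or partially replaced policy jars.
        if (allUnlimited != aes256) {
            System.out.println("WARNING: policy query and AES-256 test disagree");
        }
        // Non-zero exit lets a packaging or CI script fail a build that is still capped.
        System.exit(allUnlimited && aes256 ? 0 : 1);
    }
}
```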