RFR: JDK-8225392: Comparison builds are failing due to cacerts file

Erik Joelsson erik.joelsson at oracle.com
Tue Jun 11 14:48:50 UTC 2019 

New webrev: http://cr.openjdk.java.net/~erikj/8225392/webrev.02

Filtering out the date and adding a sort. All my builds yesterday 
resulted in cacerts files with the same order of the keys, but today the 
order changed. Looking through the source (JavaKeyStore.engineStore()), 
the store method just iterates over the keys of a Hashtable, so the 
order is indeed random. I think it would be a good idea to add a sort 
there to make our tools better at reproducible output.

I also fixed a bug in compare.sh which prevented me from running a 
compare of just the cacerts files using the filter functionality.

/Erik

On 2019-06-10 19:17, David Holmes wrote:
> On 11/06/2019 12:11 pm, Oracle wrote:
>> But you should see the date on the same line as the alias and the type.
>
> Ah I see. I was looking at the output from an old version of cacerts 
> that shows things like:
>
> verisignclass2g2ca [jdk], Jun 12, 2018, trustedCertEntry, ...
> digicertassuredidg3 [jdk], Nov 30, 2017, trustedCertEntry,...
>
> but now all those old dates are the current build date:
>
> verisignclass2g2ca [jdk], Jun 10, 2019, trustedCertEntry, ...
> digicertassuredidg3 [jdk], Jun 10, 2019, trustedCertEntry, ...
>
> I'm not sure exactly what gets compared with these comparison builds, 
> so can't say if this is an issue.
>
> Thanks,
> David
>
>> —Max
>>
>> 获取 Outlook for iOS <https://aka.ms/o0ukef>
>>
>>
>>
>> On Tue, Jun 11, 2019 at 10:09 AM +0800, "David Holmes" 
>> <david.holmes at oracle.com <mailto:david.holmes at oracle.com>> wrote:
>>
>>     Hi Max,
>>
>>     On 11/06/2019 11:05 am, Weijun Wang wrote:
>>     > keytool -keystore .. -storepass changeit -list -rfc | grep -v 
>> "Creation date"
>>     >     > would exclude the date (which has its own line).
>>
>>     I don't see any "Creation Date" entry when I run the tool:
>>
>>       > ./build/linux-x64-debug/images/jdk/bin/keytool -list -keystore
>> build/linux-x64-debug/support/interim-image/lib/security/cacerts
>>     -storepass changeit | grep Creat
>>       >
>>
>>     It only appears with the -rfc option which Erik hasn't used.
>>
>>     David
>>     -----
>>
>>     > --Max
>>     >     >> On Jun 11, 2019, at 8:39 AM, Weijun Wang wrote: >> >> 
>> The "keytool -list" output contains a creation data (I
>>     know it's useless now), so if THIS_FILE and THAT_FILE happen to be
>>     created on different dates then you will see difference. >> >> --Max
>>      >> >>> On Jun 11, 2019, at 7:37 AM, Erik Joelsson wrote: >>> >>>
>>      >>> On 2019-06-10 16:23, David Holmes wrote: >>>> Hi Erik, >>>>
>>      >>>> On 11/06/2019 5:37 am, Erik Joelsson wrote: >>>>> Since
>>     JDK-8193255, when we started generating the cacerts file in the
>>     build, the build compare baseline builds have started failing. It
>>     seems the cacerts binary file has some non determinism built in so
>>     it doesn't get generated exactly the same given the same input. This
>>     patch adds special handling when comparing that file by comparing
>>     the output of "keytool -list" on the files instead. >>>> >>>> Seems
>>     a reasonable approach. >>>> >>>>> Bug:
>>     https://bugs.openjdk.java.net/browse/JDK-8225392 >>>>> >>>>> Webrev:
>>     http://cr.openjdk.java.net/~erikj/8225392/webrev.01/ >>>> >>>> Code
>>     changes seem fine. >>> Thanks! >>>> I'm assuming this formulation
>>     doesn't run into the: >>>> >>>> Warning: use -cacerts option to
>>     access cacerts keystore >>>> >>>> that you get if you actually point
>>     keytool to the cacerts files in the JDK image: >>>> >>>>>
>>     ./build/linux-x64-debug/images/jdk/bin/keytool -list -keystore
>>     build/linux-x64-debug/images/jdk/lib/security/cacerts -storepass
>>     changeit > certs.1 >>>> Warning: use -cacerts option to access
>>     cacerts keystore >>>> >>> I did not see that. I would guess it's
>>     because I'm not running keytool from the images/jdk/bin dir, but in
>>     most cases from the jdk/bin dir (the exploded image), or in the
>>     cross compilation case, it's running from the buildjdk. I just tried
>>     it manually, and it seems the warning is only printed if trying to
>>     list the cacerts file from the same image. >>> >>> /Erik >>> >>>>
>>     Thanks, >>>> David >>>> ----- >>>> >>>>> /Erik >>>>> >> >
>>

More information about the build-dev mailing list