RFR: 8278080: Add --with-cacerts-src='user cacerts folder' to enable deterministic cacerts generation [v2]

Andrew Leonard aleonard at openjdk.java.net
Thu Dec 2 15:15:29 UTC 2021


On Thu, 2 Dec 2021 14:29:00 GMT, Sean Mullan <mullan at openjdk.org> wrote:

> I don’t have any major concerns with this change, as long as the default cacerts are still the ones that are in the JDK. As an aside, using Mozilla's root certificates might be fine for TLS certificates, but if you need to support code signing certificates you may run into issues with missing CAs as Mozilla's Root program does not support that use case. Also, by overriding the roots included in the JDK, you are taking on the responsibility (which is significant, in my opinion) of ensuring that those roots are trusted and have not been compromised, revoked, have weak keys, etc.

@seanjmullan Thanks Sean, I'll pass your comment on, cheers Andrew

-------------

PR: https://git.openjdk.java.net/jdk/pull/6647


