RFR: 8369454: Verify checksums of downloaded source bundles when creating devkit
Erik Joelsson
erikj at openjdk.org
Thu Oct 9 17:17:45 UTC 2025
On Wed, 8 Oct 2025 22:45:42 GMT, Mikael Vidstedt <mikael at openjdk.org> wrote:
> Let's verify that the downloaded source bundles (tar balls) are sound by computing a checksum and verifying against the baked in one.
>
> This change also introduces a way to provide alternative mirrors for the source bundles, e.g. by setting `GCC_BASE_URL` or `GNU_BASE_URL`.
>
> Testing:
>
> * Built devkit on linux-x64
> * Tested that overriding `GNU_BASE_URL` works as expected
> * Verified that the JDK builds with the new devkit
make/devkit/Tools.gmk line 224:
> 222:
> 223: # Generate downloading + unpacking of sources.
> 224: define DownloadVerifyUnpack
It's not actually unpacking is it?
Suggestion:
define DownloadVerify
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/27708#discussion_r2417429155
More information about the build-dev
mailing list