hg: build-infra/jdk8/jdk: 8005355: build-infra: Java security signing (need a top-level make target).

Fri Jan 4 04:03:21 PST 2013

On 4/01/2013 9:58 PM, Erik Joelsson wrote:
> On 2013-01-04 12:38, David Holmes wrote:
>> On 4/01/2013 7:13 PM, Erik Joelsson wrote:
>>> Yes, now that I've looked closely at the profiles work I understand the
>>> issue. The old build did behave this way though, the jars were built
>>> even if they weren't needed, just to exercise the code. I would ask the
>>> security team if that's a requirement or not. Perhaps the list of
>>> unsigned jars could be made into a special target, still included when
>>> building "images" but not for "profiles"?
>>
>> If it must be built then it is simpler I think to always set the
>> unsigned jar as being a dependency of the actual jar.
>>
> That sounds reasonable to me. Do you want me to fix this or can you do
> it as part of profiles?

I'll fix it as part of profiles. I'll try just leaving the

JARS =+ <unsigned jar>

and see if that works.

Thanks,
David

> /Erik
>> Personally it seems very suspicious to me to always build a jar needed
>> for OPENJDK only when OPENJDK is not in fact set. The RI builds should
>> be sufficient to exercise this code.
>>
>> Anyway needs to be resolved ...
>>
>> Thanks,
>> David
>> -----
>>
>>> /Erik
>>>
>>> On 2013-01-04 07:30, David Holmes wrote:
>>>> Hit send too soon. Of course all the "unsigned jar" additions to JARS
>>>> cause the same problem.
>>>>
>>>> David
>>>>
>>>> On 4/01/2013 4:27 PM, David Holmes wrote:
>>>>> Hi Erik,
>>>>>
>>>>> This change to CreateJars.gmk causes me a problem with the Profiles
>>>>> work:
>>>>>
>>>>> +JARS += $(SUNPKCS11_JAR_DST) $(SUNPKCS11_JAR_UNSIGNED)
>>>>>
>>>>> This causes the "unsigned" jar to always be built even if not needed
>>>>> because we are copying the signed one. There is only one real jar file
>>>>> target here: $(SUNPKCS11_JAR_DST) and it will either be built or
>>>>> copied
>>>>> depending on the type of build.
>>>>>
>>>>> In Profiles the JARS variable is built up based on the actual list of
>>>>> jars needed in the final image. So there is no
>>>>> $(SUNPKCS11_JAR_UNSIGNED)
>>>>> on that list.
>>>>>
>>>>> I'm yet to try building with only the equivalent of
>>>>>
>>>>> JARS += $(SUNPKCS11_JAR_DST)
>>>>>
>>>>> as I'm still merging other changes. But I'm hopeful that this will
>>>>> still
>>>>> work.
>>>>>
>>>>> In the meantime I wanted to flag this with you.
>>>>>
>>>>> Thanks,
>>>>> David
>>>>>
>>>>>
>>>>> On 30/12/2012 4:57 AM, erik.joelsson at oracle.com wrote:
>>>>>> Changeset: d03b9a9ca8de
>>>>>> Author: erikj
>>>>>> Date: 2012-12-29 19:55 +0100
>>>>>> URL: http://hg.openjdk.java.net/build-infra/jdk8/jdk/rev/d03b9a9ca8de
>>>>>>
>>>>>> 8005355: build-infra: Java security signing (need a top-level make
>>>>>> target).
>>>>>> Summary: Added sign-jars top level target. Made closed build always
>>>>>> build jars for verification and signing.
>>>>>>
>>>>>> ! makefiles/BuildJdk.gmk
>>>>>> ! makefiles/CreateJars.gmk
>>>>>> + makefiles/SignJars.gmk
>>>>>>