From henri.gomez at gmail.com Fri Jun 1 07:20:44 2012 From: henri.gomez at gmail.com (Henri Gomez) Date: Fri, 1 Jun 2012 09:20:44 +0200 Subject: cacerts bundled with OpenJDK In-Reply-To: <4FC7E580.2000001@oracle.com> References: <4FC7E580.2000001@oracle.com> Message-ID: > Disclaimer that I haven't read the thread to which you're referring. > > I think a key difference between Mozilla and OpenJDK is that Mozilla > distributes packaged products to end users whereas OpenJDK is a > collaboration of platform providers at the source code level. ?Whereas > cacerts are fundamentally a packaged product thing, and not entirely > necessary, and fundamentally tied to whoever is distributing the binary, I > don't think it would or should apply. ?Whereas Mozilla is shipping product > almost exclusively to end users in the form of Firefox, Thunderbird, etc, > then I can understand why they would maintain certs with the products. Yep. Providing a default cacerts in OpenJDK with a set of well-known ROOT CAs would help packagers avoiding duplicate works on all distributions. I guess there is some packagers here, at least Andrew Hughes, what do you think about this ? From donald.smith at oracle.com Fri Jun 1 12:47:21 2012 From: donald.smith at oracle.com (Donald Smith) Date: Fri, 01 Jun 2012 08:47:21 -0400 Subject: cacerts bundled with OpenJDK In-Reply-To: References: <4FC7E580.2000001@oracle.com> Message-ID: <4FC8B9D9.9080700@oracle.com> I don't know if it's a case that I know too much about the world of CAs, and am scared about what this would mean; or if it's a case I don't know enough, so I'm scared about what this would mean. :) I'm not convinced it would help avoid duplication. In many cases CAs won't be wanted or needed, and I believe in most cases where CAs are wanted by packagers (your case notwithstanding) they'll be wanting it from the OS perspective, or using their own corporate certs. You use Mozilla as an example (which I see more as a consumer/end user product than most OSS). To which I would counter example with OpenSSL - http://www.openssl.org/support/faq.html#USER16. I would be interested in hearing other opinions. - Don On 01/06/2012 3:20 AM, Henri Gomez wrote: >> Disclaimer that I haven't read the thread to which you're referring. >> >> I think a key difference between Mozilla and OpenJDK is that Mozilla >> distributes packaged products to end users whereas OpenJDK is a >> collaboration of platform providers at the source code level. Whereas >> cacerts are fundamentally a packaged product thing, and not entirely >> necessary, and fundamentally tied to whoever is distributing the binary, I >> don't think it would or should apply. Whereas Mozilla is shipping product >> almost exclusively to end users in the form of Firefox, Thunderbird, etc, >> then I can understand why they would maintain certs with the products. > Yep. > > Providing a default cacerts in OpenJDK with a set of well-known ROOT > CAs would help packagers avoiding duplicate works on all > distributions. > > I guess there is some packagers here, at least Andrew Hughes, what do > you think about this ? From dbhole at redhat.com Fri Jun 1 13:52:27 2012 From: dbhole at redhat.com (Deepak Bhole) Date: Fri, 1 Jun 2012 09:52:27 -0400 Subject: cacerts bundled with OpenJDK In-Reply-To: <4FC8B9D9.9080700@oracle.com> References: <4FC7E580.2000001@oracle.com> <4FC8B9D9.9080700@oracle.com> Message-ID: <20120601135226.GP14732@redhat.com> * Donald Smith [2012-06-01 08:57]: > I don't know if it's a case that I know too much about the world of > CAs, and am scared about what this would mean; or if it's a case I > don't know enough, so I'm scared about what this would mean. :) > > I'm not convinced it would help avoid duplication. In many cases > CAs won't be wanted or needed, and I believe in most cases where CAs > are wanted by packagers (your case notwithstanding) they'll be > wanting it from the OS perspective, or using their own corporate > certs. > > You use Mozilla as an example (which I see more as a consumer/end > user product than most OSS). To which I would counter example with > OpenSSL - http://www.openssl.org/support/faq.html#USER16. > > I would be interested in hearing other opinions. > Just to chime in from a Fedora perspective, we link jre/lib/security/cacerts to /etc/pki/java/cacerts which are certs provided by Mozilla. Other applications too make use of this bundle. It makes it easier to have everything in one place via one provider package. The ability to at least provide a cacerts location during build might be helpful by a little bit, but not by much really. It'd just save an extra ln/cp command after the build. Cheers, Deepak > - Don > > On 01/06/2012 3:20 AM, Henri Gomez wrote: > >>Disclaimer that I haven't read the thread to which you're referring. > >> > >>I think a key difference between Mozilla and OpenJDK is that Mozilla > >>distributes packaged products to end users whereas OpenJDK is a > >>collaboration of platform providers at the source code level. Whereas > >>cacerts are fundamentally a packaged product thing, and not entirely > >>necessary, and fundamentally tied to whoever is distributing the binary, I > >>don't think it would or should apply. Whereas Mozilla is shipping product > >>almost exclusively to end users in the form of Firefox, Thunderbird, etc, > >>then I can understand why they would maintain certs with the products. > >Yep. > > > >Providing a default cacerts in OpenJDK with a set of well-known ROOT > >CAs would help packagers avoiding duplicate works on all > >distributions. > > > >I guess there is some packagers here, at least Andrew Hughes, what do > >you think about this ? From mark at klomp.org Mon Jun 4 12:04:40 2012 From: mark at klomp.org (Mark Wielaard) Date: Mon, 04 Jun 2012 14:04:40 +0200 Subject: cacerts bundled with OpenJDK In-Reply-To: <4FC8B9D9.9080700@oracle.com> References: <4FC7E580.2000001@oracle.com> <4FC8B9D9.9080700@oracle.com> Message-ID: <1338811480.3154.23.camel@springer.wildebeest.org> On Fri, 2012-06-01 at 08:47 -0400, Donald Smith wrote: > I don't know if it's a case that I know too much about the world of CAs, > and am scared about what this would mean; or if it's a case I don't know > enough, so I'm scared about what this would mean. :) I think that is a good attitude to take wrt CA authorities :) > I'm not convinced it would help avoid duplication. In many cases CAs > won't be wanted or needed, and I believe in most cases where CAs are > wanted by packagers (your case notwithstanding) they'll be wanting it > from the OS perspective, or using their own corporate certs. I don't agree here though. Almost anybody using java will want at least ssl/https to the public internet to work. Which defines a pretty well defined base set of root CAs to provide. > You use Mozilla as an example (which I see more as a consumer/end user > product than most OSS). I think almost any free software project is end user oriented. Why else would we hack on it? :) Picking the set Mozilla root CAs and/or making it easy/trivial to integrate them in a build (when NSS is installed already anyway) seems the right thing to do. Which is already what every distro does anyway, so better to make the default build be as close as possible to that. Mozilla seems to have figured this one out (or at least as the best public policy around this), so it makes sense to by default adopt the Mozilla/NSS bundle. https://www.mozilla.org/projects/security/certs/ Cheers, Mark From henri.gomez at gmail.com Tue Jun 5 11:42:19 2012 From: henri.gomez at gmail.com (Henri Gomez) Date: Tue, 5 Jun 2012 13:42:19 +0200 Subject: cacerts bundled with OpenJDK In-Reply-To: <1338811480.3154.23.camel@springer.wildebeest.org> References: <4FC7E580.2000001@oracle.com> <4FC8B9D9.9080700@oracle.com> <1338811480.3154.23.camel@springer.wildebeest.org> Message-ID: >> I don't know if it's a case that I know too much about the world of CAs, >> and am scared about what this would mean; or if it's a case I don't know >> enough, so I'm scared about what this would mean. :) > > I think that is a good attitude to take wrt CA authorities :) Of course, it mandatory. > I don't agree here though. Almost anybody using java will want at least > ssl/https to the public internet to work. Which defines a pretty well > defined base set of root CAs to provide. +100 >> You use Mozilla as an example (which I see more as a consumer/end user >> product than most OSS). > > I think almost any free software project is end user oriented. Why else > would we hack on it? :) Picking the set Mozilla root CAs and/or making > it easy/trivial to integrate them in a build (when NSS is installed > already anyway) seems the right thing to do. Which is already what every > distro does anyway, so better to make the default build be as close as > possible to that. > > Mozilla seems to have figured this one out (or at least as the best > public policy around this), so it makes sense to by default adopt the > Mozilla/NSS bundle. https://www.mozilla.org/projects/security/certs/ That's the way I followed in OpenJDK for OSX : This script will grab cacerts from Mozilla pre-processed by curl team and transform them into cacerts. http://openjdk-osx-build.googlecode.com/svn/trunk/cacerts-gen.sh At build time, cacerts is rebuild if older than one week and provided to OpenJDK build via ALT_CACERTS_FILE http://openjdk-osx-build.googlecode.com/svn/trunk/buildjdk7u-osx.sh Cheers. From mark at talios.com Fri Jun 8 02:37:24 2012 From: mark at talios.com (Mark Derricutt) Date: Fri, 8 Jun 2012 14:37:24 +1200 Subject: Possible Annotation Processor JavaC Bug Message-ID: Hey all, Whilst trying to diagnose a strange problem with annotation processors and maven we came across a potential javac bug and was wondering if its legit, and how/where the best place to report this is: https://gist.github.com/2893027 It looks like javac is doing a double assignment rather than a comparison check, looks like someone missed a = character. Mark -- "Great artists are extremely selfish and arrogant things" ? Steven Wilson, Porcupine Tree From fweimer at redhat.com Wed Jun 13 07:28:13 2012 From: fweimer at redhat.com (Florian Weimer) Date: Wed, 13 Jun 2012 09:28:13 +0200 Subject: JEP submission Message-ID: <4FD8410D.7080204@redhat.com> Hi, on 2012-05-30, I submitted a new JEP to the jep-submit address, but haven't heard back anything yet. Is this address still current? Florian -- Florian Weimer / Red Hat Product Security Team From senseneyj at mail.nih.gov Wed Jun 13 12:29:11 2012 From: senseneyj at mail.nih.gov (Senseney, Justin (NIH/CIT) [E]) Date: Wed, 13 Jun 2012 08:29:11 -0400 Subject: JEP submission In-Reply-To: <4FD8410D.7080204@redhat.com> References: <4FD8410D.7080204@redhat.com> Message-ID: <0CADA15E942196438C242C19FA72B4FC047776D514@NIHMLBX01.nih.gov> I don't think so. I have also submitted to that address twice in the past two months, with no response. -Justin -----Original Message----- From: Florian Weimer [mailto:fweimer at redhat.com] Sent: Wednesday, June 13, 2012 3:28 AM To: discuss at openjdk.java.net Subject: JEP submission Hi, on 2012-05-30, I submitted a new JEP to the jep-submit address, but haven't heard back anything yet. Is this address still current? Florian -- Florian Weimer / Red Hat Product Security Team From joe.osborne at swiftkey.net Wed Jun 13 13:15:59 2012 From: joe.osborne at swiftkey.net (Joe Osborne) Date: Wed, 13 Jun 2012 14:15:59 +0100 Subject: JNI query in OpenJDK Message-ID: Hi all, I'm trying to track down a wrinkle we've discovered - and so far my Google-foo hasn't turned up much info. We've recently switched from using the Sun's JDK to OpenJDK6, and found something a little troubling when using JNI. In our native code, we do various forms of memory analysis for debugging, and somewhat unsurprisingly, this includes overriding the global 'operator new' set of methods. However, running with the OpenJDK6 JRE, our methods are never hit. Does the JVM deliberately redirect these when linking, or is something else going on? I've reproduced this in a trivial program, which elicits the same behaviour - it's fine under Sun, but not OpenJDK.. We can't be the first to have stumbled across this, so apologies if this has already been asked! Joe From aph at redhat.com Wed Jun 13 14:12:03 2012 From: aph at redhat.com (Andrew Haley) Date: Wed, 13 Jun 2012 15:12:03 +0100 Subject: JNI query in OpenJDK In-Reply-To: References: Message-ID: <4FD89FB3.2030506@redhat.com> On 06/13/2012 02:15 PM, Joe Osborne wrote: > Hi all, > > I'm trying to track down a wrinkle we've discovered - and so far my > Google-foo hasn't turned up much info. > > We've recently switched from using the Sun's JDK to OpenJDK6, and found > something a little troubling when using JNI. > > In our native code, we do various forms of memory analysis for debugging, > and somewhat unsurprisingly, this includes overriding the global 'operator > new' set of methods. > However, running with the OpenJDK6 JRE, our methods are never hit. Does the > JVM deliberately redirect these when linking, or is something else going on? > > I've reproduced this in a trivial program, which elicits the same behaviour > - it's fine under Sun, but not OpenJDK.. > > We can't be the first to have stumbled across this, so apologies if this > has already been asked! It's the same VM, so I find it hard to understand. Can you please send a simple test case? Andrew. From mark.reinhold at oracle.com Wed Jun 13 14:22:04 2012 From: mark.reinhold at oracle.com (mark.reinhold at oracle.com) Date: Wed, 13 Jun 2012 07:22:04 -0700 Subject: JEP submission In-Reply-To: fweimer@redhat.com; Wed, 13 Jun 2012 09:28:13 +0200; <4FD8410D.7080204@redhat.com> Message-ID: <20120613142204.E13D4427@eggemoggin.niobe.net> 2012/6/13 0:28 -0700, fweimer at redhat.com: > on 2012-05-30, I submitted a new JEP to the jep-submit address, but haven't > heard back anything yet. Is this address still current? Yes, that address is still current, I'm just a bit behind in reviewing incoming requests. I expect to clear the queue this week. - Mark From david.holmes at oracle.com Thu Jun 14 02:39:53 2012 From: david.holmes at oracle.com (David Holmes) Date: Thu, 14 Jun 2012 12:39:53 +1000 Subject: JNI query in OpenJDK In-Reply-To: <4FD89FB3.2030506@redhat.com> References: <4FD89FB3.2030506@redhat.com> Message-ID: <4FD94EF9.4080806@oracle.com> I'm moving this discussion to hotspot-runtime-dev. Please follow up there and not on the discuss list. Thanks, David Holmes On 14/06/2012 12:12 AM, Andrew Haley wrote: > On 06/13/2012 02:15 PM, Joe Osborne wrote: >> Hi all, >> >> I'm trying to track down a wrinkle we've discovered - and so far my >> Google-foo hasn't turned up much info. >> >> We've recently switched from using the Sun's JDK to OpenJDK6, and found >> something a little troubling when using JNI. >> >> In our native code, we do various forms of memory analysis for debugging, >> and somewhat unsurprisingly, this includes overriding the global 'operator >> new' set of methods. >> However, running with the OpenJDK6 JRE, our methods are never hit. Does the >> JVM deliberately redirect these when linking, or is something else going on? >> >> I've reproduced this in a trivial program, which elicits the same behaviour >> - it's fine under Sun, but not OpenJDK.. >> >> We can't be the first to have stumbled across this, so apologies if this >> has already been asked! > > It's the same VM, so I find it hard to understand. Can you please > send a simple test case? > > Andrew. > From nagappan at gmail.com Wed Jun 20 05:24:58 2012 From: nagappan at gmail.com (Nagappan Alagappan) Date: Tue, 19 Jun 2012 22:24:58 -0700 Subject: [Announce] Java API to write LDTP (GUI Automation) tests Message-ID: Hello, I'm happy to announce, we have added Java API support to write GUI tests using LDTP [1] API. Java LDTP client source: http://cgit.freedesktop.org/ldtp/ldtp2/tree/ldtp/Java Dependency: Apache XML-RPC library (http://ws.apache.org/xmlrpc/) Apache codec base 64 library (http://commons.apache.org/codec/) LDTP binaries (Python on Linux, CobraWinLDTP.msi on Windows) Tested on both Windows and Linux. To compile set the CLASSPATH of the following jar files: commons-codec-1.6.jar ws-commons-utils-1.0.2.jar xmlrpc-client-3.1.3.jar xmlrpc-common-3.1.3.jar Java documentation available here - http://ldtp.freedesktop.org/javadoc/ Thanks to team of people in VMware, helping me in creating the jar file and bundling it with Cobra msi. Get the latest MSI from - http://download.freedesktop.org/ldtp/cobra-latest/CobraWinLDTP.msi Thanks Nagappan [1] - http://ldtp.freedesktop.org/ (Right now its down, filed bug [2]) [2] - https://bugs.freedesktop.org/show_bug.cgi?id=51155 -- Linux Desktop (GUI Application) Testing Project - http://ldtp.freedesktop.org Cobra - Windows GUI Automation tool - https://github.com/ldtp/cobra http://nagappanal.blogspot.com From youdwei at linux.vnet.ibm.com Mon Jun 25 07:36:05 2012 From: youdwei at linux.vnet.ibm.com (Deven You) Date: Mon, 25 Jun 2012 15:36:05 +0800 Subject: How to reset my cr.openjdk.java.net ssh key pairs? Message-ID: <4FE814E5.2080007@linux.vnet.ibm.com> Hi All, I hope there is any one who could help me solve this problem. I have an account for cr.openjdk.java.net. However for some reason I reinstalled my laptop without backing up my ssh keys for cr.openjdk.java.ent by accident. Now I have re-generated a ssh key pairs, I wonder to know how can I resend my public key to openjdk and get access privilege to cr.openjdk.java.net for my account again? Thanks a lot! -- Best Regards, Deven From martijnverburg at gmail.com Mon Jun 25 07:45:07 2012 From: martijnverburg at gmail.com (Martijn Verburg) Date: Mon, 25 Jun 2012 08:45:07 +0100 Subject: Proposed update to the OpenJDK Web Site Terms of Use In-Reply-To: <20120620191048.9B6579AC@eggemoggin.niobe.net> References: <20120620191048.9B6579AC@eggemoggin.niobe.net> Message-ID: Hi Mark, A few LJC folks looked at this in detail and are happy with it, it aligns things nicely. Good to see some click through barriers dropped :-) It would be nice if the OCA was grandfathered into the JSPA somehow, but we realise that it is not practical at this time and requires lengthy discussion. Cheers, Martijn On 20 June 2012 20:10, wrote: > A proposed update to the OpenJDK Web Site Terms of Use is available for > review: > > ? ?http://openjdk.java.net/legal/tou/ > > Please send comments and questions regarding this proposal to the general > discussion list [1] by Thursday, 5 July 2012. > > The primary goal of this update is to allow work on specifications for > Java SE JSRs to take place in the OpenJDK Community, right alongside the > work on their reference implementations. ?The Expert Groups for such JSRs > will hold their technical discussions in the open, for all to see. ?The > specifications they create will continue to be licensed under terms > similar to those used in the past [2], but no click-through agreement > will be required in order to access specification materials. ?This change > enables the specification leads of such JSRs to satisfy the transparency > requirements of version 2.8 of the Java Community Process [3]. > > Two other changes in this update are to specify explicitly that the > default outbound license for all code is GPLv2 (previously it was > unspecified), and to align the rest of the text more closely with > Oracle's standard Terms-of-Use document. > > For details, please see: > > ?- A Plain-English summary of the ToU > ? ?http://openjdk.java.net/legal/tou/openjdk-tou-pe > > ?- The full legal ToU document > ? ?http://openjdk.java.net/legal/tou/openjdk-tou > > ?- Frequently-asked questions (FAQ) > ? ?http://openjdk.java.net/legal/tou/openjdk-tou-faq > > - Mark > > > [1] http://mail.openjdk.java.net/mailman/listinfo/discuss > [2] http://jcp.org/aboutJava/communityprocess/licenses/SE7_Specv2.doc > [3] https://blogs.oracle.com/pcurran/entry/no_more_smoke_filled_rooms From sean.mullan at oracle.com Mon Jun 25 14:13:15 2012 From: sean.mullan at oracle.com (Sean Mullan) Date: Mon, 25 Jun 2012 10:13:15 -0400 Subject: How to reset my cr.openjdk.java.net ssh key pairs? In-Reply-To: <4FE814E5.2080007@linux.vnet.ibm.com> References: <4FE814E5.2080007@linux.vnet.ibm.com> Message-ID: <4FE871FB.9090303@oracle.com> On 06/25/2012 03:36 AM, Deven You wrote: > Hi All, > > I hope there is any one who could help me solve this problem. > > I have an account for cr.openjdk.java.net. However for some reason I > reinstalled my laptop without backing up my ssh keys for > cr.openjdk.java.ent by accident. > > Now I have re-generated a ssh key pairs, I wonder to know how can I > resend my public key to openjdk and get access privilege to > cr.openjdk.java.net for my account again? Try sending the new public key (the contents of ~/.ssh/id_rsa.pub) and your JDK username to keys at openjdk.java.net --Sean From mark.reinhold at oracle.com Mon Jun 25 15:35:27 2012 From: mark.reinhold at oracle.com (mark.reinhold at oracle.com) Date: Mon, 25 Jun 2012 08:35:27 -0700 Subject: Proposed update to the OpenJDK Web Site Terms of Use In-Reply-To: martijnverburg@gmail.com; Mon, 25 Jun 2012 08:45:07 BST; Message-ID: <20120625153527.174AD78B@eggemoggin.niobe.net> 2012/6/25 0:45 -0700, martijnverburg at gmail.com: > A few LJC folks looked at this in detail and are happy with it, it > aligns things nicely. Good! Thanks for reviewing it. > Good to see some click through barriers dropped > :-) Yes, personally I'm very happy about that change. > It would be nice if the OCA was grandfathered into the JSPA somehow, > but we realise that it is not practical at this time and requires > lengthy discussion. Indeed. - Mark