cacerts bundled with OpenJDK

Henri Gomez henri.gomez at gmail.com
Tue Jun 5 11:42:19 UTC 2012


>> I don't know if it's a case that I know too much about the world of CAs,
>> and am scared about what this would mean; or if it's a case I don't know
>> enough, so I'm scared about what this would mean. :)
>
> I think that is a good attitude to take wrt CA authorities :)

Of course, it's mandatory.

> I don't agree here though. Almost anybody using java will want at least
> ssl/https to the public internet to work. Which defines a pretty well
> defined base set of root CAs to provide.

+100

>> You use Mozilla as an example (which I see more as a consumer/end user
>> product than most OSS).
>
> I think almost any free software project is end user oriented. Why else
> would we hack on it? :) Picking the set Mozilla root CAs and/or making
> it easy/trivial to integrate them in a build (when NSS is installed
> already anyway) seems the right thing to do. Which is already what every
> distro does anyway, so better to make the default build be as close as
> possible to that.
>
> Mozilla seems to have figured this one out (or at least as the best
> public policy around this), so it makes sense to by default adopt the
> Mozilla/NSS bundle. https://www.mozilla.org/projects/security/certs/

That's the way I followed in OpenJDK for OSX:

This script will grab cacerts from Mozilla pre-processed by curl team
and transform them into cacerts.

http://openjdk-osx-build.googlecode.com/svn/trunk/cacerts-gen.sh

At build time, cacerts is rebuilt if older than one week and provided
to the OpenJDK build via ALT_CACERTS_FILE.

http://openjdk-osx-build.googlecode.com/svn/trunk/buildjdk7u-osx.sh

Cheers.
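The generation step described above, as an added example that is not Henri's cacerts-gen.sh and not part of the original message: it takes an already-downloaded PEM bundle in curl's cacert.pem layout (the file path and the output keystore path are caller-supplied), splits it into one file per certificate, and imports each with keytool into a JKS keystore using the stock OpenJDK cacerts password "changeit". The "mozilla-NNNN" alias scheme is an assumption made here. Verifying the bundle's SHA-256 against the checksum curl publishes next to it, before running this, is the check a build script of this kind should not skip.

```shell
#!/bin/sh
# Build a Java cacerts keystore from a PEM bundle (e.g. curl's cacert.pem).
# Added example; assumes keytool is on PATH and the bundle was fetched
# and checksum-verified beforehand.

# split_pem_bundle BUNDLE OUTDIR
# Writes each "-----BEGIN CERTIFICATE-----" ... "-----END CERTIFICATE-----"
# block of BUNDLE to OUTDIR/cert-NNNN.pem, ignoring the comment lines curl
# places between certificates. Prints the number of certificates found.
split_pem_bundle() {
    bundle="$1"
    outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ {
            n++
            out = sprintf("%s/cert-%04d.pem", dir, n)
            inside = 1
        }
        inside { print > out }
        /-----END CERTIFICATE-----/ { close(out); inside = 0 }
        END { print n + 0 }
    ' "$bundle"
}

# build_cacerts BUNDLE KEYSTORE
# Imports every certificate from BUNDLE into KEYSTORE (created fresh) under
# the alias mozilla-NNNN (alias scheme assumed here, not Mozilla's or curl's).
# "changeit" is the password OpenJDK ships for its own cacerts file.
build_cacerts() {
    bundle="$1"
    keystore="$2"
    workdir=$(mktemp -d)
    rm -f "$keystore"
    count=$(split_pem_bundle "$bundle" "$workdir")
    i=1
    while [ "$i" -le "$count" ]; do
        alias=$(printf 'mozilla-%04d' "$i")
        cert=$(printf '%s/cert-%04d.pem' "$workdir" "$i")
        keytool -importcert -noprompt -trustcacerts \
            -storetype JKS -keystore "$keystore" -storepass changeit \
            -alias "$alias" -file "$cert" >/dev/null
        i=$((i + 1))
    done
    rm -rf "$workdir"
    echo "$count"
}

# Usage: sh cacerts-from-pem.sh /path/to/cacert.pem /path/to/cacerts
if [ $# -ge 2 ]; then
    n=$(build_cacerts "$1" "$2")
    echo "imported $n certificates into $2"
fi
```

The resulting file is what ALT_CACERTS_FILE would point at; `keytool -list -keystore cacerts -storepass changeit` shows the aliases and fingerprints, which is the quickest way to confirm the bundle that actually went into the build.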



More information about the discuss mailing list