/hg/icedtea6: Be verbose wether the NSS-based security provider ...

Andrew John Hughes ahughes at redhat.com
Sun Apr 11 13:48:16 PDT 2010 

On 10 April 2010 17:23,  <doko at icedtea.classpath.org> wrote:
> changeset cb06ab3e6d36 in /hg/icedtea6
> details: http://icedtea.classpath.org/hg/icedtea6?cmd=changeset;node=cb06ab3e6d36
> author: doko at ubuntu.com
> date: Sat Apr 10 17:56:55 2010 +0200
>
>        Be verbose wether the NSS-based security provider is enabled or
>        disabled by default.
>
>        2010-04-10 Matthias Klose <doko at ubuntu.com>
>
>         * Makefile.am (ICEDTEA_PATCHES): Always apply icedtea-
>        nss-6763530.patch. Apply icedtea-nss-not-enabled-config.patch
>        if the NSS-based security provider is disabled by default.
>               * Makefile.am: Be verbose wether the NSS-based security provider
>        is enabled or disabled by default.
>               * patches/icedtea-nss-not-enabled-config.patch: New.
>
>
> diffstat:
>
> 4 files changed, 34 insertions(+), 5 deletions(-)
> ChangeLog                                    |    9 +++++++++
> Makefile.am                                  |    6 ++++--
> configure.ac                                 |   11 ++++++++---
> patches/icedtea-nss-not-enabled-config.patch |   13 +++++++++++++
>
> diffs (84 lines):
>
> diff -r 1af407faae6d -r cb06ab3e6d36 ChangeLog
> --- a/ChangeLog Fri Apr 09 12:54:33 2010 +0200
> +++ b/ChangeLog Sat Apr 10 17:56:55 2010 +0200
> @@ -1,3 +1,12 @@ 2010-04-09  Xerxes Rånby  <xerxes at zafen
> +2010-04-10  Matthias Klose  <doko at ubuntu.com>
> +
> +       * Makefile.am (ICEDTEA_PATCHES): Always apply
> +       icedtea-nss-6763530.patch. Apply icedtea-nss-not-enabled-config.patch
> +       if the NSS-based security provider is disabled by default.
> +       * Makefile.am: Be verbose wether the NSS-based security provider
> +       is enabled or disabled by default.
> +       * patches/icedtea-nss-not-enabled-config.patch: New.
> +
>  2010-04-09  Xerxes Rånby  <xerxes at zafena.se>
>
>        * Makefile.am (ICEDTEA_PATCHES):
> diff -r 1af407faae6d -r cb06ab3e6d36 Makefile.am
> --- a/Makefile.am       Fri Apr 09 12:54:33 2010 +0200
> +++ b/Makefile.am       Sat Apr 10 17:56:55 2010 +0200
> @@ -386,9 +386,11 @@ ICEDTEA_PATCHES += patches/icedtea-syste
>  ICEDTEA_PATCHES += patches/icedtea-systemtap.patch
>  endif
>
> +ICEDTEA_PATCHES += patches/icedtea-nss-6763530.patch
>  if ENABLE_NSS
> -ICEDTEA_PATCHES += patches/icedtea-nss-config.patch \
> -                  patches/icedtea-nss-6763530.patch
> +ICEDTEA_PATCHES += patches/icedtea-nss-config.patch
> +else
> +ICEDTEA_PATCHES += patches/icedtea-nss-not-enabled-config.patch
>  endif
>
>  if WITH_ALT_HSBUILD
> diff -r 1af407faae6d -r cb06ab3e6d36 configure.ac
> --- a/configure.ac      Fri Apr 09 12:54:33 2010 +0200
> +++ b/configure.ac      Sat Apr 10 17:56:55 2010 +0200
> @@ -144,13 +144,20 @@ AM_CONDITIONAL([ENABLE_SYSTEMTAP], [test
>  AM_CONDITIONAL([ENABLE_SYSTEMTAP], [test x$ENABLE_SYSTEMTAP = xyes])
>  AC_MSG_RESULT(${ENABLE_SYSTEMTAP})
>
> +IT_LOCATE_NSS
> +
>  AC_MSG_CHECKING([whether to include the NSS-based security provider])
>  AC_ARG_ENABLE([nss],
>              [AS_HELP_STRING([--enable-nss],
>                              [Enable inclusion of NSS security provider])],
>              [ENABLE_NSS="${enableval}"], [ENABLE_NSS='no'])
>  AM_CONDITIONAL([ENABLE_NSS], [test x$ENABLE_NSS = xyes])
> -AC_MSG_RESULT(${ENABLE_NSS})
> +if test "x${ENABLE_NSS}" = "xyes"
> +then
> +  AC_MSG_RESULT([yes])
> +else
> +  AC_MSG_RESULT([yes, disabled by default (edit java.security to enable)])
> +fi
>
>  IT_GET_PKGVERSION
>  IT_GET_LSB_DATA
> @@ -408,8 +415,6 @@ then
>   AC_SUBST(LIBPULSE_LIBS)
>  fi
>
> -IT_LOCATE_NSS
> -
>  if test "x${ZERO_BUILD_TRUE}" = x || test "x${ADD_ZERO_BUILD_TRUE}" = x; then
>   dnl Check for libffi headers and libraries.
>   PKG_CHECK_MODULES(LIBFFI, libffi,[LIBFFI_FOUND=yes],[LIBFFI_FOUND=no])
> diff -r 1af407faae6d -r cb06ab3e6d36 patches/icedtea-nss-not-enabled-config.patch
> --- /dev/null   Thu Jan 01 00:00:00 1970 +0000
> +++ b/patches/icedtea-nss-not-enabled-config.patch      Sat Apr 10 17:56:55 2010 +0200
> @@ -0,0 +1,13 @@
> +--- openjdk.orig/jdk/src/share/lib/security/java.security      2009-08-25 11:43:59.000000000 +0100
> ++++ openjdk/jdk/src/share/lib/security/java.security           2009-08-27 14:23:54.000000000 +0100
> +@@ -51,6 +51,10 @@
> + security.provider.6=com.sun.security.sasl.Provider
> + security.provider.7=org.jcp.xml.dsig.internal.dom.XMLDSigRI
> + security.provider.8=sun.security.smartcardio.SunPCSC
> ++# the NSS security provider was not enabled for this build; it can be enabled
> ++# if NSS (libnss3) is available on the machine. The nss.cfg file may need
> ++# editing to reflect the location of the NSS installation.
> ++#security.provider.9=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/security/nss.cfg
> +
> + #
> + # Select the source of seed data for SecureRandom. By default an
>

If 6763530 is always on now, it should be with the big block of
patches rather than supplemented afterwards.  Just for clarity.
6763530 will be in b19 so it's fine to make it default for 1.8 (patch
has already been removed on the -hg branch).

I think the ENABLE_NSS output is a little confusing.  I think:

> +if test "x${ENABLE_NSS}" = "xyes"
> +then
> +  AC_MSG_RESULT([enabled by default (edit java.security to disable)])
> +else
> +  AC_MSG_RESULT([disabled by default (edit java.security to enable)])
> +fi

would be clearer than including 'yes' in both options (at least it
would confuse me if I'd passed --disable-nss...)

-- 
Andrew :-)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

Support Free Java!
Contribute to GNU Classpath and the OpenJDK
http://www.gnu.org/software/classpath
http://openjdk.java.net

PGP Key: 94EFD9D8 (http://subkeys.pgp.net)
Fingerprint: F8EF F1EA 401E 2E60 15FA  7927 142C 2591 94EF D9D8

More information about the distro-pkg-dev mailing list