For users of --with-openjdk
Dr Andrew John Hughes
ahughes at redhat.com
Tue Aug 31 07:34:15 PDT 2010
On 19:55 Sat 28 Aug , DJ Lucas wrote:
> On 08/25/2010 10:34 AM, Dr Andrew John Hughes wrote:
> > On 13:08 Sat 14 Aug , DJ Lucas wrote:
> >> On 08/13/2010 02:57 PM, Dr Andrew John Hughes wrote:
>
> <lots of snippage>
>
> > I think I found a simpler fix for this. At least, it works when bootstrapping
> > with both IcedTea6 1.8 and gcj 4.5.1. Basically, instead of trying to build
> > the whole of javax.swing.plaf.synth, we just build NimbusLookAndFeel which is
> > the class that is outdated in 1.8:
> >
> > http://icedtea.classpath.org/hg/icedtea6/rev/6f017e9047ab
> >
> <Snip>
>
> >> Attached patch will have to be moved appropriately for 1.9 branch (if
> >> accepted) and could be done in the same location for 1.10 in FIND_JAVAC.
> >>
> >
> > These changes will just be in 1.10. I want them to have plenty of soak
> > time before being used generally.
> >
>
> I was referring only to the name of the patch, as I am planning on doing
> for 1.9 locally, but it doesn't matter now as you've already put in a
> smaller (better) fix in both 1.9 and 1.10 (as quoted above) which works
> great BTW. Sorry I hadn't replied on that yet, haven't had a chance to
> test with GCJ, but that was already done anyway.
>
Well, I've put the fix in HEAD which will become 1.10. I'm not applying any of
this to 1.9, as I've mentioned before.
> >
> > Pavel has been looking into the Xrender test breakages which also affect
> > OpenJDK7:
> >
> > http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2010-August/009988.html
> >
> > So it looks like Oracle made changes without fixing the tests. Pavel now has
> > a fix which should be committed shortly.
> >
>
> Pavel's fix and additionally creating a populated cacerts file (which
> Pavel was working on back in May) has reduced the number of failures
> considerably. On the second fix, I've written a bash script to account
> for both CADIR and CAFILE. AC check accounts for distros whose certs I
> know about. ATM that would be RedHat and Debian derivatives, and BLFS,
> but if you look at the check, it should be easily extended. If you all
> would be interested in a single upstream solution that accounts for both
> certificates directory and a single bundle file, feel free (attached).
> I did the check for the files unconditionally, as I wasn't exactly sure
> how to (properly) do a conditional check based on another (where if
> --generate-cacerts should be set yes by another switch). Additionally,
> the mkcacerts.sh script could be written much differently (and probably
> better/faster in perl rather than bash/sed/grep but it should account
> for both variants from the command line).
>
Thanks. I'll take a look at the patch. I don't know what's happened to Pavel's
work on this. It's been three months.
> > On JDK, I don't think there's ever been a 100% pass, and some aren't even
> > stable tests. So you're looking more for regressions between builds.
> >
> > To my knowledge, the HotSpot and langtools suites should all pass (and
> > take a considerably shorter time to run).
> >
>
> Is there a central place to share and view previous test results, or
> just search the distro-pkg-dev and openjdk-dev lists?
>
See Mark's e-mail; I was going to include the link myself but couldn't find
a reference to it and Mark wasn't online.
> -- DJ Lucas
>
> --
> This message has been scanned for viruses and
> dangerous content, and is believed to be clean.
>
> diff -Naurp icedtea6-1-9-d59cbcab0fe4-orig/acinclude.m4 icedtea6-1-9-d59cbcab0fe4-new/acinclude.m4
> --- icedtea6-1-9-d59cbcab0fe4-orig/acinclude.m4 2010-08-26 00:25:14.000000000 -0500
> +++ icedtea6-1-9-d59cbcab0fe4-new/acinclude.m4 2010-08-28 19:09:44.000000000 -0500
> @@ -316,6 +316,66 @@ AC_DEFUN_ONCE([IT_CAN_HARDLINK_TO_SOURCE
> AM_CONDITIONAL([SRC_DIR_HARDLINKABLE], test x"${it_cv_hardlink_src}" = "xyes")
> ])
>
> +AC_DEFUN([IT_CHECK_GENERATE_CACERTS],
> +[
> + AC_MSG_CHECKING([for a local x509 certificate directory])
> + AC_ARG_WITH([ca-dir],
> + [AS_HELP_STRING(--with-ca-dir=DIR, specify a top-level local x509 certificate directory)],
> + [
> + if test -d "${withval}"; then
> + CADIR="${withval}"
> + fi
> + ],
> + [
> + CADIR=
> + ])
> + if test -z "${CADIR}"; then
> + for dir in /etc/pki/tls/certs \
> + /usr/share/ca-certificates \
> + /etc/ssl/certs \
> + /etc/certs ; do
> + if test -d "${dir}"; then
> + CADIR="${dir}"
> + break
> + fi
> + done
> + if test -z "${CADIR}"; then
> + CADIR=no
> + fi
> + fi
> + AC_MSG_RESULT(${CADIR})
> + AC_SUBST(CADIR)
> +
> + AC_MSG_CHECKING([for a local x509 certificate file])
> + AC_ARG_WITH([ca-file],
> + [AS_HELP_STRING(--with-ca-file=FILE, specify a local x509 certificate file)],
> + [
> + if test -f "${withval}"; then
> + CAFILE="${withval}"
> + fi
> + ],
> + [
> + CAFILE=
> + ])
> + if test -z "${CAFILE}"; then
> + for file in /etc/pki/tls/certs/ca-bundle.crt \
> + /etc/ssl/certs/ca-bundle.crt \
> + /etc/ssl/ca-bundle.crt \
> + /etc/ca-bundle.crt ; do
> + if test -e "${file}"; then
> + CAFILE=$file
> + break
> + fi
> + done
> + if test -z "${CAFILE}"; then
> + CAFILE=no
> + fi
> + fi
> + AC_MSG_RESULT(${CAFILE})
> + AC_SUBST(CAFILE)
> + AM_CONDITIONAL(GENERATE_CACERTS, test "${CADIR}x" != "nox" -a "${CAFILE}x" != "nox")
> +])
> +
> AC_DEFUN([FIND_ECJ_JAR],
> [
> AC_MSG_CHECKING([for an ecj JAR file])
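Review bot: the closing AM_CONDITIONAL joins its two tests with -a, so
GENERATE_CACERTS is true only when both a certificate directory and a bundle
file were found; a host that has just one of them (CADIR=no or CAFILE=no) gets
no generated cacerts at all. If either source is meant to be sufficient this
should be an "or", preferably written as two separate test commands rather than
test -a/-o, which Autoconf discourages as non-portable. In both AC_ARG_WITH
blocks, a --with-ca-dir or --with-ca-file value that fails the test -d / test -f
check is also dropped without any message and the probe list is used instead,
so a mistyped path silently selects whatever store the host has; an
AC_MSG_ERROR there would keep the chosen trust source explicit.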
> diff -Naurp icedtea6-1-9-d59cbcab0fe4-orig/configure.ac icedtea6-1-9-d59cbcab0fe4-new/configure.ac
> --- icedtea6-1-9-d59cbcab0fe4-orig/configure.ac 2010-08-26 00:25:14.000000000 -0500
> +++ icedtea6-1-9-d59cbcab0fe4-new/configure.ac 2010-08-28 19:10:33.000000000 -0500
> @@ -135,6 +135,8 @@ else
> AC_MSG_RESULT([disabled by default (edit java.security to enable)])
> fi
>
> +IT_CHECK_GENERATE_CACERTS
> +
> IT_GET_PKGVERSION
> IT_GET_LSB_DATA
>
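Review bot: IT_CHECK_GENERATE_CACERTS is called unconditionally here, so
whether the built JRE ships a populated cacerts, and with which roots, is
decided by whatever happens to exist under the probed paths on the build host.
Because this fixes the trust anchors of the resulting image, the call would be
better gated behind an explicit configure switch (AC_ARG_ENABLE) so that
packagers opt in to importing the host's CA set.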
> diff -Naurp icedtea6-1-9-d59cbcab0fe4-orig/Makefile.am icedtea6-1-9-d59cbcab0fe4-new/Makefile.am
> --- icedtea6-1-9-d59cbcab0fe4-orig/Makefile.am 2010-08-26 01:07:58.000000000 -0500
> +++ icedtea6-1-9-d59cbcab0fe4-new/Makefile.am 2010-08-28 19:13:15.000000000 -0500
> @@ -1273,6 +1273,19 @@ if WITH_TZDATA_DIR
> cp $(abs_top_builddir)/tz.properties \
> $(BUILD_OUTPUT_DIR)/j2sdk-image/jre/lib;
> endif
> +
> +if GENERATE_CACERTS
> + if test -n "${CADIR}"; then
> + sh scripts/mkcacerts.sh -d "${CADIR}" \
> + -k $(BUILD_OUTPUT_DIR)/j2sdk-image/bin/keytool \
> + -o $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts
> + else
> + sh scripts/mkcacerts.sh -f "${CAFILE}" \
> + -k $(BUILD_OUTPUT_DIR)/j2sdk-image/bin/keytool \
> + -o $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts
> + fi
> +endif
> +
> @echo "IcedTea is served:" $(BUILD_OUTPUT_DIR)
> mkdir -p stamps
> touch stamps/icedtea.stamp
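Review bot: inside "if GENERATE_CACERTS" the test -n "${CADIR}" is always
true, because configure sets CADIR either to a path or to the literal "no" and
the conditional already excludes "no"; the else branch with -f "${CAFILE}" is
therefore never taken. Comparing against "no", or emitting separate automake
conditionals for the directory and the file case, would make the fallback
reachable. The shell if/else/fi is also spread over recipe lines that do not
end in "; \", and make hands each recipe line to its own shell, so the
construct needs continuations in the same way as the cp command above it.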
> @@ -1337,6 +1350,19 @@ if WITH_TZDATA_DIR
> cp $(abs_top_builddir)/tz.properties \
> $(DEBUG_BUILD_OUTPUT_DIR)/j2sdk-image/jre/lib;
> endif
> +
> +if GENERATE_CACERTS
> + if test -n "${CADIR}"; then
> + sh scripts/mkcacerts.sh -d "${CADIR}" \
> + -k $(BUILD_OUTPUT_DIR)/j2sdk-image/bin/keytool \
> + -o $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts
> + else
> + sh scripts/mkcacerts.sh -f "${CAFILE}" \
> + -k $(BUILD_OUTPUT_DIR)/j2sdk-image/bin/keytool \
> + -o $(BUILD_OUTPUT_DIR)/j2re-image/lib/security/cacerts
> + fi
> +endif
> +
> @echo "IcedTea (debug build) is served:" \
> $(DEBUG_BUILD_OUTPUT_DIR)
> mkdir -p stamps
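Review bot: this is the debug target, but the added block still passes
$(BUILD_OUTPUT_DIR) to both -k and -o while the surrounding lines use
$(DEBUG_BUILD_OUTPUT_DIR), so the debug image never receives a cacerts file and
the step depends on the keytool from the non-debug image. Both paths should be
under $(DEBUG_BUILD_OUTPUT_DIR). As the block is otherwise a copy of the one in
the non-debug target, putting the mkcacerts.sh invocation in a shared make
variable would keep the two from diverging.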
> diff -Naurp icedtea6-1-9-d59cbcab0fe4-orig/scripts/mkcacerts.sh icedtea6-1-9-d59cbcab0fe4-new/scripts/mkcacerts.sh
> --- icedtea6-1-9-d59cbcab0fe4-orig/scripts/mkcacerts.sh 1969-12-31 18:00:00.000000000 -0600
> +++ icedtea6-1-9-d59cbcab0fe4-new/scripts/mkcacerts.sh 2010-08-28 19:07:09.000000000 -0500
> @@ -0,0 +1,154 @@
> +#!/bin/sh
> +# Simple script to extract individual pem-files from a bundle and create
> +# JRE cacerts file.
> +
> +get_args()
> + {
> + if test -z "${@}" ; then
> + showhelp
> + exit 1
> + fi
> +
> + while test -n "$1" ; do
> + case "${1}" in
> + -f | --cafile)
> + check_arg $1 $2
> + CAFILE="${2}"
> + shift 2
> + ;;
> + -d | --cadir)
> + check_arg $1 $2
> + CADIR="${2}"
> + shift 2
> + ;;
> + -o | --outfile)
> + check_arg $1 $2
> + OUTFILE="${2}"
> + shift 2
> + ;;
> + -k | --keytool)
> + check_arg $1 $2
> + KEYTOOL="${2}"
> + shift 2
> + ;;
> + -h | --help)
> + showhelp
> + exit 0
> + ;;
> + *)
> + showhelp
> + exit 1
> + ;;
> + esac
> + done
> + }
> +
> +check_arg()
> + {
> + echo "${2}" | grep -v "^-" > /dev/null
> + if [ -z "$?" -o ! -n "$2" ]; then
> + echo "Error: $1 requires a valid argument."
> + exit 1
> + fi
> + }
> +
> +
> +showhelp()
> + {
> + echo "`basename ${0}` creates a valid cacerts file for use with IcedTea."
> + echo ""
> + echo " -f --cafile The path to a file containing PEM formated CA"
> + echo " certificates. May not be used with -d/--cadir."
> + echo " -d --cadir The path to a diectory of PEM formatted CA"
> + echo " certificates. May not be used with -f/--cafile."
> + echo " -o --outfile The path to the output file."
> + echo ""
> + echo " -k --keytool The path to the java keytool utility."
> + echo ""
> + echo " -h --help Show this help message and exit."
> + echo ""
> + echo ""
> + }
> +
> +# Initialize empty variables so that the shell does not polute the script
> +CAFILE=""
> +CADIR=""
> +OUTFILE=""
> +KEYTOOL=""
> +
> +# Process command line arguments
> +get_args ${@}
> +
> +# Handle common errors
> +if test "${CAFILE}x" == "x" -a "${CADIR}x" == "x" ; then
> + echo "ERROR! You must provide an x509 certificate store!"
> + echo "\'$(basename ${0}) --help\' for more info."
> + echo ""
> + exit 1
> +fi
> +
> +if test "${CAFILE}x" != "x" -a "${CADIR}x" != "x" ; then
> + echo "ERROR! You cannot provide two x509 certificate stores!"
> + echo "\'$(basename ${0}) --help\' for more info."
> + echo ""
> + exit 1
> +fi
> +
> +if test "${KEYTOOL}x" == "x" ; then
> + echo "ERROR! You must provide a valid keytool program!"
> + echo "\'$(basename ${0}) --help\' for more info."
> + echo ""
> + exit 1
> +fi
> +
> +if test "${OUTFILE}x" == "x" ; then
> + echo "ERROR! You must provide a valid output file!"
> + echo "\'$(basename ${0}) --help\' for more info."
> + echo ""
> + exit 1
> +fi
> +
> +# Get on with the work
> +
> +# If using a CAFILE, split it into individual files in a temp directory
> +if test "${CAFILE}x" != "x" ; then
> + TEMPDIR=`mktemp -d`
> + CADIR="${TEMPDIR}"
> +
> + # Get a list of staring lines for each cert
> + CERTLIST=`grep -n "^-----BEGIN" "${CAFILE}" | cut -d ":" -f 1`
> +
> + # Get a list of ending lines for each cert
> + ENDCERTLIST=`grep -n "^-----END" "${CAFILE}" | cut -d ":" -f 1`
> +
> + # Start a loop
> + for certbegin in `echo "${CERTLIST}"` ; do
> + for certend in `echo "${ENDCERTLIST}"` ; do
> + if test "${certend}" -gt "${certbegin}"; then
> + break
> + fi
> + done
> + sed -n "${certbegin},${certend}p" "${CAFILE}" > "${CADIR}/${certbegin}"
> + keyhash=`openssl x509 -noout -in "${CADIR}/${certbegin}" -hash`
> + echo "Generated PEM file with hash: ${keyhash}."
> + mv "${CADIR}/${certbegin}" "${CADIR}/${keyhash}.pem"
> + done
> +fi
> +
> +# Write the output file
> +for cert in `find "${CADIR}" -type f -name "*.pem" -name "*.crt"`
> +do
> + tempfile=`mktemp`
> + certbegin=`grep -n "^-----BEGIN" "${cert}" | cut -d ":" -f 1`
> + certend=`grep -n "^-----END" "${cert}" | cut -d ":" -f 1`
> + sed -n "${certbegin},${certend}p" "${cert}" > "${tempfile}"
> + echo yes | "${KEYTOOL}" -import -alias `basename "${cert}"` -keystore \
> + "${OUTFILE}" -storepass 'changeit' -file "${tempfile}"
> + rm "${tempfile}"
> +done
> +
> +if test "${TEMPDIR}x" != "x" ; then
> + rm -rf "${TEMPDIR}"
> +fi
> +exit 0
> +
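Review bot: in the "Write the output file" loop, find is given
-name "*.pem" -name "*.crt" with no operator between the two tests, which find
treats as AND, so no file can match and keytool is never run; the script then
reaches exit 0 without having produced a keystore. It should read
\( -name "*.pem" -o -name "*.crt" \). Further points in the same file:
check_arg tests -z "$?", which is never empty, so an option value beginning
with "-" is not rejected; the == comparisons are a bashism under #!/bin/sh
(use =); a .crt file in CADIR that holds several certificates, such as a
ca-bundle.crt, yields several line numbers in certbegin/certend and breaks the
sed range; and keytool's exit status is ignored, so a partial trust store is
indistinguishable from a complete one. Checking the number of imported aliases
against the number of BEGIN markers before exiting 0 would catch that, and
keytool's -noprompt option can replace the "echo yes |" pipe.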
--
Andrew :)
Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)
Support Free Java!
Contribute to GNU Classpath and the OpenJDK
http://www.gnu.org/software/classpath
http://openjdk.java.net
PGP Key: 94EFD9D8 (http://subkeys.pgp.net)
Fingerprint = F8EF F1EA 401E 2E60 15FA 7927 142C 2591 94EF D9D8