Backport JPopupMenu fixes to release branches.

Dr Andrew John Hughes ahughes at redhat.com
Wed Feb 23 13:43:51 PST 2011


On 15:50 Wed 23 Feb     , Omair Majid wrote:
> On 02/23/2011 03:14 PM, Denis Lila wrote:
> >> >  It might be a good idea to update the copyright (Sun ->  Oracle).
> > Done.
> > Also, I noticed that the old patches I posted were bad because
> > they were against some very old clones of the release branches.
> > I fixed that.
> >
> > Ok to push now?
> >
> 
> Some comments inline.
> 

Sorry, I'm getting mixed up here.  I thought this was the one for HEAD and just
straight backports.

> 
> > hgexport1.7.patch
> >
> 
> > diff -r 6a127ad66978 -r d780d2efc830 patches/openjdk/6691503-malicious-applet-always-on-top.patch
> > --- /dev/null	Thu Jan 01 00:00:00 1970 +0000
> > +++ b/patches/openjdk/6691503-malicious-applet-always-on-top.patch	Wed Feb 23 14:00:24 2011 -0500
> > @@ -0,0 +1,173 @@
> > +diff -r dd66920b2d51 src/share/classes/javax/swing/Popup.java
> > +--- openjdk.orig/jdk/src/share/classes/javax/swing/Popup.java	Fri Apr 18 18:21:02 2008 +0400
> > ++++ openjdk/jdk/src/share/classes/javax/swing/Popup.java	Wed Feb 23 13:50:58 2011 -0500
> > +@@ -1,12 +1,12 @@
> > + /*
> > +- * Copyright 1999-2007 Sun Microsystems, Inc.  All Rights Reserved.
> > ++ * Copyright (c) 1999, 2008, Oracle and/or its affiliates. All rights reserved.
> > +  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
> > +  *
> > +  * This code is free software; you can redistribute it and/or modify it
> > +  * under the terms of the GNU General Public License version 2 only, as
> > +- * published by the Free Software Foundation.  Sun designates this
> > ++ * published by the Free Software Foundation.  Oracle designates this
> > +  * particular file as subject to the "Classpath" exception as provided
> > +- * by Sun in the LICENSE file that accompanied this code.
> > ++ * by Oracle in the LICENSE file that accompanied this code.
> > +  *
> > +  * This code is distributed in the hope that it will be useful, but WITHOUT
> > +  * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
> > +@@ -18,9 +18,9 @@
> > +  * 2 along with this work; if not, write to the Free Software Foundation,
> > +  * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
> > +  *
> > +- * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
> > +- * CA 95054 USA or visitwww.sun.com  if you need additional information or
> > +- * have any questions.
> > ++ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
> > ++ * or visitwww.oracle.com  if you need additional information or have any
> > ++ * questions.
> > +  */
> > +
> > + package javax.swing;
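Review bot: The header hunks of the embedded Popup.java patch (the Sun to Oracle rewrite at "@@ -1,12 +1,12 @@" and the contact address at "@@ -18,9 +18,9 @@") are unrelated to the 6691503 fix, and the first one also changes the year range from "1999-2007" to "1999, 2008". Popup.java is an existing file here, so I would drop both header hunks and keep the backport limited to the functional change, which also keeps it easier to compare against the original changeset.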
> 
> Normally we only fix copyrights in new files; not files being modified. 
> Also, you are not doing this for 1.9. Any particular reason why?
> 

1.7 and 1.8 are Sun copyrighted.  1.9 is Oracle copyrighted.
Please don't change the copyright on existing files; for one thing, it's pointless work :-)

The only change needed is for new files in a backport with Sun copyright to be modified
to the Oracle copyright when going into 1.9, 1.10 or HEAD.  This is to make it easier
to get it upstream later as Joe requires this for OpenJDK6 (so we don't revert back to
Sun copyrights there).

If it's done now, it doesn't matter.  But don't waste your time changing them in future :-)

> >
> >
> > hgexport1.8.patch
> >
> >
> 
> > diff -r 326f7589d7e8 -r 934d7afe1f52 NEWS
> > --- a/NEWS	Tue Feb 15 23:02:33 2011 +0000
> > +++ b/NEWS	Wed Feb 23 14:11:39 2011 -0500
> > @@ -10,6 +10,10 @@
> >
> >   New in release 1.8.8 (20XX-XX-XX):
> >
> > +* Backports
> > +  - S6675802: Regression: heavyweight popups cause SecurityExceptions in applets
> > +  - S6691503: Malicious applet can show always-on-top popup menu which has whole screen size
> > +
> >   New in release 1.8.7 (2011-02-15):
> >
> >   * Security updates
> > @@ -21,6 +25,8 @@
> >     - S6985453, CVE-2010-4471: Java2D font-related system property leak
> >     - S6927050, CVE-2010-4470: JAXP untrusted component state manipulation
> >     - RH677332, CVE-2011-0706: Multiple signers privilege escalation
> > +  - S6675802: Regression: heavyweight popups cause SecurityExceptions in applets
> > +  - S6691503: Malicious applet can show always-on-top popup menu which has whole screen size
> >   * Bug fixes
> >     - RH676659: Pass -export-dynamic flag to linker using -Wl, as option in gcc 4.6+ is broken
> >     - Fix latent JAXP bug caused by missing import
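Review bot: The two "+" lines in this second hunk add S6675802 and S6691503 directly after the CVE-2011-0706 entry, in what the first hunk's context shows as the 1.8.7 (2011-02-15) section, and they duplicate the entries the first hunk already adds under 1.8.8. I would drop this hunk so each fix is listed once, under the unreleased 1.8.8 heading, and the notes of the dated release stay as they were.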
> 
> You are listing the same bugs twice in the NEWS file. I don't think 
> that's right.
> 

There seems to be some patching error here.  They should be listed once under the yet-to-be-released
1.8.8, 1.7.11 and 1.9.8.  All the others should be considered read-only sections as they are copies
of release notes for releases that have been and gone.

> Rest looks fine to me.
> 
> Cheers,
> Omair

-- 
Andrew :)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

Support Free Java!
Contribute to GNU Classpath and IcedTea
http://www.gnu.org/software/classpath
http://icedtea.classpath.org
PGP Key: F5862A37 (https://keys.indymedia.org/)
Fingerprint = EA30 D855 D50F 90CD F54D  0698 0713 C3ED F586 2A37


