Plans for IcedTea6 1.11
DJ Lucas
dj at lucasit.com
Mon Mar 7 14:16:34 PST 2011
Pavel Tisnovsky <ptisnovs at redhat.com> wrote:
>DJ Lucas wrote:
>> On 03/01/2011 05:22 PM, Dr Andrew John Hughes wrote:
>>> Some features I would like to see in 1.11 and issues that should be fixed.
>>> I'd expect 1.11 to appear in July/August; we've had an over-long development
>>> period for 1.10 (Sep-Mar).
>>>
>>> * 'make install'
>>> http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=94
>>> It should be possible for an end user to install the resulting JDK image,
>>> rather than having this solely devolved to distros (distros are of course
>>> still welcome to do their own thing and not use it). This includes:
>>> - cacerts generation:
>>> http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=26
>>
>> Regarding cacerts generation, I've attached the latest diff to the bug,
>> but I did not catch Pavel's logic change (mentioned in the previous
>> thread). I was unable to see the failure (probably something just
>> blindingly obvious), but it'd have to be accounted for. I also added a
>> --with-cacerts switch which should cover distribution maintainers who
>> have a pregenerated cacerts file so that distros can easily continue to
>> "do their own thing", but nothing in the patch modifies the default
>> configure behavior. Also changed to --enable-generate-cacerts to make it
>> a bit more clear as to the purpose. As far as the failing tests (also
>> mentioned previously), I've found that either expired or invalid
>> certificates do cause the tests to fail (used an old set of unsanitized
>> Mozilla certificates for the input file). Probably need to guard against
>> that in some way with the generate-cacerts.sh script (or whichever
>> preferred script is used).
>
>Hi Lucas,
>
>It would be good to filter out old and/or invalid certificates, but how
>to solve that? What about including all known-to-be-good certificates
>directly in IcedTea?
>
The script I used already uses openssl, so check expiration prior to running through keytool. As far as including certs in IcedTea, that might be overstepping bounds a bit, but distros should already have their own certificate policy and cacerts file anyway, so not a bad idea to include a default set. Defining policy is the kicker: who decides what authorities to trust? For LFS, I divert to Mozilla.org and state that explicitly in the installation instructions.
-- DJ Lucas
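
Added example, not part of the original message or of the IcedTea patch: one way to do the expiry check with openssl before certificates reach keytool. The function name `filter_valid_certs` and its margin argument are assumptions made for illustration; only `openssl x509 -checkend` is relied on.

```shell
#!/bin/sh
# filter_valid_certs BUNDLE [MARGIN_SECONDS]
# Writes to stdout only those certificates from a PEM bundle that parse
# and will not have expired MARGIN_SECONDS from now (default 0).
# Skipped certificates are reported on stderr so the build log shows them.
filter_valid_certs() {
    bundle=$1
    margin=${2:-0}
    tmpdir=$(mktemp -d) || return 1

    # Split the bundle into one file per certificate.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ {
            n++; out = sprintf("%s/cert-%04d.pem", dir, n); writing = 1
        }
        writing { print > out }
        /-----END CERTIFICATE-----/ { writing = 0; close(out) }
    ' "$bundle"

    for pem in "$tmpdir"/cert-*.pem; do
        [ -f "$pem" ] || continue
        # -checkend N exits non-zero if the certificate expires within
        # N seconds; a certificate that cannot be parsed fails as well.
        if openssl x509 -in "$pem" -noout -checkend "$margin" >/dev/null 2>&1; then
            cat "$pem"
        else
            subject=$(openssl x509 -in "$pem" -noout -subject 2>/dev/null)
            echo "skipping expired or invalid certificate: ${subject:-unparsable}" >&2
        fi
    done
    rm -rf "$tmpdir"
}
```

The filtered output can be written to a file and used as the input to the cacerts generation script in place of the raw bundle. This checks the expiry date only; it does not verify signatures or decide which authorities to trust.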
More information about the distro-pkg-dev
mailing list