[Bug 2888] New: [IcedTea8] OpenJDK should check for system cacerts database (e.g. /etc/pki/java/cacerts)

bugzilla-daemon at icedtea.classpath.org bugzilla-daemon at icedtea.classpath.org
Mon Mar 21 18:16:11 UTC 2016 

http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=2888

            Bug ID: 2888
           Summary: [IcedTea8] OpenJDK should check for system cacerts
                    database (e.g. /etc/pki/java/cacerts)
           Product: IcedTea
           Version: 8-hg
          Hardware: all
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: IcedTea
          Assignee: gnu.andrew at redhat.com
          Reporter: gnu.andrew at redhat.com
                CC: unassigned at icedtea.classpath.org

If the JDK is updated while an instance of the JVM is running, the JVM can lose
access to files it needs to use, if the updated JVM is installed in a
differently named directory.

This is particularly noticeable with the cacerts database, as is loaded
multiple times (see bug 8129988: JSSE should create a single instance of the
cacerts KeyStore [0]). If a running JVM tries to load the cacerts file after
the JDK is moved, the old cacerts file will no longer exist as it is referenced
as java.home/jre/lib/security/cacerts. This is visible in the CentOS bug, 9088.
[1]

As cacerts is actually just a symlink to /etc/pki/java/cacerts, we could fix
the JDK to look to this location first, in the same way that the default.sf2
symlink was replaced by direct access to the soundfont [2].

We can try proposing this to upstream OpenJDK as well, but, given their
reactions to doing a similar thing with the timezone database, it seems
unlikely it would be accepted, so this may have to be kept as a local fix, at
least until S8129988 is fixed.

[0] https://bugs.openjdk.java.net/browse/JDK-8129988
[1] https://bugs.centos.org/view.php?id=9088
[2] https://bugs.openjdk.java.net/browse/JDK-8140620

-- 
You are receiving this mail because:
You are on the CC list for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.openjdk.java.net/pipermail/distro-pkg-dev/attachments/20160321/6586c115/attachment-0001.html>

More information about the distro-pkg-dev mailing list