cacerts and OSX

Henri Gomez henri.gomez at gmail.com
Thu May 31 12:39:42 PDT 2012


2012/5/31 Bradford Wetmore <bradford.wetmore at oracle.com>:
> Taking 2 responses in reverse order, Henri wrote:
>
>> Ok, so I'll have to mimic OpenJDK's packaging performed on Linux
>> distribution, using Mozilla provided CA certs.
>
> I felt the need to respond to this thread after seeing this statement.
>
> You need to check with Mozilla and your lawyers as to whether you can just
> use theirs for an OpenJDK-based build.  CA certs are not something to just
> grab just so your impl works.  There are legal issues involved here, which
> is the reason we (Oracle) had to include an empty CA file in the first
> place.
>
> It is your responsibility as an OpenJDK builder to resolve the legal issues.
>  Please don't take this lightly.
>
>
> On 5/31/2012 8:29 AM, Scott Kovatch wrote:
>>
>> On May 31, 2012, at 7:39 AM, Henri Gomez<henri.gomez at gmail.com>  wrote:
>>
>>>> CA certificate management is non-trivial matter. Right now it's
>>>> pretty much orthogonal to OpenJDK development, and it's something
>>>> for downstream distributors to handle.
>>>>
>>>> Personally, I'd like to keep it that way for OpenJDK 7 updates as
>>>> I don't see the need for doing it in this Project, given that OpenJDK
>>>> 7u distributors as well as organizations building their own JDKs
>>>> based on OpenJDK 7u typically have their own ways of managing CA
>>>> certificates in place specific to their needs.
>>>
>>>
>>> My question wasn't clear.
>>> cacerts inclusion for OSX was at packaging level, i.e. like those I
>>> didn't on openjdk-osx-build, so after stock OpenJDK build process.
>>
>>
>> Henri, I think this is something you would have to bring up with Apple.
>> The cacerts file in Apple's JDK was generated from the certificates in the
>> 'System Roots' keychain (or, it was the last time I was responsible for
>> doing it), so you may not have the legal right to redistribute it. As usual,
>> there are no lawyers here.
>>
>> As Dalibor says, each JDK distributor or licensee is responsible for
>> obtaining their own root certificates, and in Apple's case, they are already
>> distributed via the OS, so the JDK was covered by those licenses.
>
>
> This is probably moot now, but if I squinted, tilted my head to a certain
> angle, and created some ambiguity in pronouns :) , I could potentially
> misread what I think Scott was trying to say here.  What might be clearer:
>
>    ... and in Apple's case, the CA certs are already distributed via
>    the *Apple OS*, so *Apple's* JDK was covered by those licenses.
>
> Your *OpenJDK*-based build likely is not covered by those Apple licenses,
> and thus you need to check with Apple if you could use theirs.
>
> Hope this helps, I didn't want you to think "since I didn't hear anything
> further, my approach must be ok."

Maybe a symlink could fix this issue.
Using the Apple OSX certs and not providing them myself :)


