[8u] RFR: 8232019: Add LuxTrust certificate updates to the existing root program

Andrew John Hughes gnu.andrew at redhat.com
Thu Jan 2 04:10:29 UTC 2020



On 20/12/2019 09:38, Severin Gehwolf wrote:

snip...

>>
>> There's an option #4:
>>
>> 4. Propose these backports for 8u242 and do the correct backports, with
>> JDK-8193255 and friends, in 8u252.
> 
> OK.
> 
>> 8193255 is sensitive to the status of cacerts at the time it is applied.
>> It needs to be backported with cacerts containing the same certificates
>> as it did when applied in later versions, so that the textual
>> replacements match. By applying these backports in 8u252, we'd
>> complicate the 8193255 backport further by having to effectively include
>> backports of the Amazon & LuxTrust updates in it.
>>
>> So what I'd suggest is:
>>
>> 1. Do the full backport series in 8u252 from 8193255 on.
>> 2. Create a separate bug for 8u242 to add the new certificates and apply
>> for jdk8u-critical-request for that.
> 
> Can you clarify why a separate bug for 8u242 would be needed? Why can't
> we just use 8232019 and 8233223? I'd include mentioning 8232019 and
> 8233223 for the backport of 8193255 for it to be clear that it has been
> taken care of those additional cert updates. The 8193255 backport would
> only start once 8u242 backports got merged back into jdk8u-dev. At no
> point we'd miss inclusion of those. Saves creation of extra bugs.
> 
> Thanks,
> Severin
> 
>> When the two are merged together, the webrev changes in 8u242 should be
>> the same as those in 8u252, and the changed cacerts binary can just be
>> deleted.
>>
>> Thanks,
> 

It seems you misunderstood what I was suggesting with option #4.

The two backports should be independent. The one for 8u252 should take
place with all necessary dependencies. It should not wait for anything
coming from 8u242.

We'll apply the minimal one in 8u242, but that's only for reasons of
tardiness. 8u252 will have the complete backport when 8u242 is merged
back into 8u-dev at the time of release, effectively obsoleting the
version in 8u242.

I suggest using separate bugs for 8u242 as I thought it might be
confusing to have two different backports for 8u referenced from the
same bug. But, on second thoughts, there are equally benefits to having
everything in one place, so we'll use the existing IDs.

Thanks,
-- 
Andrew :)

Senior Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

PGP Key: ed25519/0xCFDA0F9B35964222 (hkp://keys.gnupg.net)
Fingerprint = 5132 579D D154 0ED2 3E04  C5A0 CFDA 0F9B 3596 4222
https://keybase.io/gnu_andrew
