[PATCH FOR REVIEW] Allow OpenJDK to be built with the unlimited crypto policy

Kelly O'Hair kelly.ohair at oracle.com
Wed Sep 19 19:34:05 PDT 2012


It seems fine with me.
But I think someone from the security team should chime in on this.

-kto

On Sep 18, 2012, at 7:39 AM, Andrew Hughes wrote:

> This is an issue that has been with us for a while.  See:
> 
> https://bugs.openjdk.java.net/show_bug.cgi?id=100062
> http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7188845
> 
> for some background.
> 
> The original proposed patch goes to far in removing most of the
> infrastructure for restricting crypto levels and signing of crypto
> jars.
> 
> The following simple webrev will achieve what I think is needed:
> 
> http://cr.openjdk.java.net/~andrew/100062/webrev.01/
> 
> allowing OpenJDK to be built with the unlimited rather than limited
> crypto policy in place.
> 
> The build is only altered if both an OpenJDK build is being performed
> and UNLIMITED_CRYPTO is defined.  In this case, the install-unlimited
> rule is used to install policies.  Without UNLIMITED_CRYPTO being set,
> OpenJDK builds still depend on install-limited as now.
> 
> I believe this is a fairly unintrusive change which should allow GNU/Linux
> distros to ship without crypto restrictions while still using upstream
> OpenJDK rather than a variant with several classes removed.
> 
> It's not clear to me why this approach wasn't taken before, so I hope I haven't
> missed something.
> 
> If this looks ok, I'll push it as the resolution for bug 7188845.
> -- 
> Andrew :)
> 
> Free Java Software Engineer
> Red Hat, Inc. (http://www.redhat.com)
> 
> PGP Key: 248BDC07 (https://keys.indymedia.org/)
> Fingerprint = EC5A 1F5E C0AD 1D15 8F1F  8F91 3B96 A578 248B DC07
> 




More information about the security-dev mailing list