[PATCH FOR REVIEW] Allow OpenJDK to be built with the unlimited crypto policy
Andrew Hughes
gnu.andrew at redhat.com
Tue Sep 25 17:39:34 UTC 2012
----- Original Message -----
> On Tue, 2012-09-18 at 10:39 -0400, Andrew Hughes wrote:
> > This is an issue that has been with us for a while. See:
> >
> > https://bugs.openjdk.java.net/show_bug.cgi?id=100062
> > http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=7188845
> >
> > for some background.
> > [...]
> > It's not clear to me why this approach wasn't taken before, so I
> > hope I haven't
> > missed something.
>
> The original reason is described in those two references you found
> and
> explained a bit more in:
> http://mail.openjdk.java.net/pipermail/security-dev/2009-June/000916.html
> The summary is that it was just easier to remove unused classes that
> made the code tricky to understand for no good reason except for some
> secret proprietary code. Of course that is an explanation from 3
> years
> ago, and the original patch was made 4 years ago... Maybe the code
> base
> has been simplified since. In general it has just been impossible to
> get
> anybody to make time to review it :{
>
Yes, I understand that much. But such a patch is never going to be upstreamable,
so we have to make a compromise for Oracle's proprietary builds.
I'm sure it would be easy enough to dump those classes if Oracle started producing
OpenJDK binaries licensed under the GPL, rather than binaries from their proprietary
fork. But I don't see that happening.
> Cheers,
>
> Mark
>
--
Andrew :)
Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)
PGP Key: 248BDC07 (https://keys.indymedia.org/)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07
More information about the security-dev
mailing list