RFR 8189131: Open-source the Oracle JDK Root Certificates

Volker Simonis volker.simonis at gmail.com
Fri Dec 1 18:17:40 UTC 2017


On Fri, Dec 1, 2017 at 7:09 PM, Sean Mullan <sean.mullan at oracle.com> wrote:
> On 12/1/17 12:22 PM, Alan Bateman wrote:
>>
>> On 01/12/2017 17:16, Volker Simonis wrote:
>>>
>>> Hi Rajan,
>>>
>>> great to see this finally happen!
>>>
>>> I have just a quick question related to the tests. As far as I can
>>> see, the tests will only succeed if the OpenJDK will be built with the
>>> new open sourced, Oracle root certificates. But what if somebody is
>>> building the OpenJDK with his own set of root certificates (by using
>>> the --with-cacerts-file option)? Do you see any possibility of
>>> restricting these tests only to builds which used the original,
>>> checked in cacerts file?
>>
>> If needed, you could add a keyword (@key tag) on these tests, or any tests
>> that depend on the OpenJDK cacerts file, so you can control if the tests are
>> run or not.
>
>
> Also, the interop tests are not part of any of the 3 tiers, so they won't be
> run unless you specifically include the jdk_security_infra group.
>
> So only the VerifyCACerts test would potentially fail by default (it is part
> of tier2). If this becomes a big issue, we can follow up later and
> investigate more with some sort of fix, but I don't think this should hold
> up the current fix.
>

No, I didn't want to hold up this fix - I'm quite happy to finally see
it in the OpenJDK. I just wanted to point out potential issues but I
agree that we can handle them later, when they become real.

Regards,
Volker

> Thanks,
> Sean
>


