RFR 8189131: Open-source the Oracle JDK Root Certificates
Rajan Halade
rajan.halade at oracle.com
Fri Dec 1 19:12:38 UTC 2017
Thanks for your reviews. I have updated webrev -
http://cr.openjdk.java.net/~rhalade/8189131/webrev.01/
I realized an error in my script which missed 7 new root certs listed in
JEP, these are added now. Update also includes some code enhancements
in VerifyCACerts.java to get rid of unnecessary code as per Jamil's
suggestions.
Thanks,
Rajan
On 12/1/17 10:17 AM, Volker Simonis wrote:
> On Fri, Dec 1, 2017 at 7:09 PM, Sean Mullan <sean.mullan at oracle.com> wrote:
>> On 12/1/17 12:22 PM, Alan Bateman wrote:
>>>
>>>
>>> On 01/12/2017 17:16, Volker Simonis wrote:
>>>> Hi Rajan,
>>>>
>>>> great to see this finally happen!
>>>>
>>>> I have just a quick question related to the tests. As far as I can
>>>> see, the tests will only succeed if the OpenJDK will be built with the
>>>> new open sourced, Oracle root certificates. But what if somebody is
>>>> building the OpenJDK with his own set of root certificates (by using
>>>> the --with-cacerts-file option)? Do you see any possibility of
>>>> restricting these tests only to builds which used the original,
>>>> checked in cacerts file?
>>> If needed, you could add a keyword (@key tag) on these tests, or any tests
>>> that depend on the OpenJDK cacerts file, so you can control if the tests are
>>> run or not.
>>
>> Also, the interop tests are not part of any of the 3 tiers, so they won't be
>> run unless you specifically include the jdk_security_infra group.
>>
>> So only the VerifyCACerts test would potentially fail by default (it is part
>> of tier2). If this becomes a big issue, we can follow-up later and
>> investigate more with some sort of fix, but I don't think this should hold
>> up the current fix.
>>
> No, I didn't want to hold up this fix - I'm quite happy to finally see
> it in the OpenJDK. I just wanted to point out potential issues but I
> agree that we can handle them later, when they become real.
>
> Regards,
> Volker
>
>> Thanks,
>> Sean
>>