Refresh cacert File?

Severin Gehwolf sgehwolf at redhat.com
Thu Apr 18 08:34:16 UTC 2019


Hi,

On Wed, 2019-04-17 at 22:43 +0000, Bernd Eckenfels wrote:
> Hello,
> 
> I think it was discussed on security-dev before but did not result in
> some action as far as I understand it. Currently the „cacert“ file
> shipped with 8u upstream builds is a bit outdated. It contains
> multiple expired certificates and misses the latest additions.

Are you referring to these builds?
https://adoptopenjdk.net/upstream.html

The reason for this is that for OpenJDK 8u upstream builds the cacerts
file will be empty unless the --with-cacerts-file configure option is
being used. That's the case for the above 8u builds[1].

> Also I noted there are multiple vendors struggling with this file. 

There is bound to be divergence as no cacerts file is included upstream
in OpenJDK 8u.

> Since the later Java releases have a canonical source for that file
> with vetted licensing it totally would make sense to refresh, i.e.
> backport the changes. Is there anything planned in that direction?

There has been a proposal and IMO it would make sense to backport
JEP319 to JDK 8u:
http://mail.openjdk.java.net/pipermail/jdk8u-dev/2019-March/008975.html

Thanks,
Severin

[1] https://github.com/AdoptOpenJDK/openjdk8-upstream-binaries/blob/master/build-openjdk8.sh#L36



