Refresh cacert File?
Severin Gehwolf
sgehwolf at redhat.com
Thu Apr 18 08:34:16 UTC 2019
Hi,
On Wed, 2019-04-17 at 22:43 +0000, Bernd Eckenfels wrote:
> hello,
>
> I think it was discussed on security-dev before but did not result in
> some action as far as I understand it. Currently the „cacert“ file
> shipped with 8u upstream builds is a bit outdated. It contains
> multiple expired certificates and misses latest additions.
Are you referring to these builds?
https://adoptopenjdk.net/upstream.html
The reason for this is that for OpenJDK 8u upstream builds the cacerts
file will be empty unless the --with-cacerts-file configure option is
being used. That's the case for the above 8u builds[1].
> Also I noted there are multiple vendors struggling with this file.
There is bound to be divergence as no cacerts file is included upstream
in OpenJDK 8u.
> Since the later Java releases have a canonical source for that file
> with vetted licensing it totally would make sense to refresh, i.e.
> backport the changes. Is there anything planned in that direction?
There has been a proposal and IMO it would make sense to backport
JEP319 to JDK 8u:
http://mail.openjdk.java.net/pipermail/jdk8u-dev/2019-March/008975.html
Thanks,
Severin
[1] https://github.com/AdoptOpenJDK/openjdk8-upstream-binaries/blob/master/build-openjdk8.sh#L36