Refresh cacert File?
Bernd Eckenfels
ecki at zusammenkunft.net
Thu Apr 18 08:52:48 UTC 2019
Hello,
Yes, I would have expected the RH "upstream" builds to have an empty cacerts file, as they are described to be "pristine". However, thanks for the pointer that this is not entirely the case.
So 8u cacerts is still empty, which is, I guess, better than outdated.
I would consider the content of the cacert file to be somewhat related to the security baseline version of Java, and backporting the JEP (or actually refreshing the file before each release) would help a lot.
Regards
Bernd
--
http://bernd.eckenfels.net
________________________________
From: Severin Gehwolf <sgehwolf at redhat.com>
Sent: Thursday, April 18, 2019 10:34 AM
To: Bernd Eckenfels; jdk8u-dev at openjdk.java.net
Cc: security-dev at openjdk.java.net
Subject: Re: Refresh cacert File?
Hi,
On Wed, 2019-04-17 at 22:43 +0000, Bernd Eckenfels wrote:
> Hello,
>
> I think it was discussed on security-dev before but did not result in
> some action as far as I understand it. Currently the "cacert" file
> shipped with 8u upstream builds is a bit outdated. It contains
> multiple expired certificates and misses the latest additions.
Are you referring to these builds?
https://adoptopenjdk.net/upstream.html
The reason for this is that for OpenJDK 8u upstream builds the cacerts
file will be empty unless the --with-cacerts-file configure option is
being used. That's the case for the above 8u builds[1].
> Also, I noted there are multiple vendors struggling with this file.
There is bound to be divergence as no cacerts file is included upstream
in OpenJDK 8u.
> Since the later Java releases have a canonical source for that file
> with vetted licensing, it totally would make sense to refresh, i.e.
> backport the changes. Is there anything planned in that direction?
There has been a proposal and IMO it would make sense to backport
JEP319 to JDK 8u:
http://mail.openjdk.java.net/pipermail/jdk8u-dev/2019-March/008975.html
Thanks,
Severin
[1] https://github.com/AdoptOpenJDK/openjdk8-upstream-binaries/blob/master/build-openjdk8.sh#L36