[8u] Is it possible to bring root certificates to OpenJDK 8 [JEP319] ?

Mon Mar 25 19:47:19 UTC 2019

We basically pulled in the JEP 319 certs from 11 and put them into 8. Happy
to create a patch if that helps, might be a slightly different set to what
you are proposing though?

Cheers,
Martijn

On Mon, 25 Mar 2019 at 07:22, Langer, Christoph <christoph.langer at sap.com>
wrote:

> Hi Martijn,
>
>
>
> as far as I understand the AdoptOpenJDK infrastructure, you have created a
> cacerts file from the Mozilla certificates which you are using in the
> AdoptOpenJDK 8 build via configure option [1]. Is that correct or am I
> missing something?
>
>
>
> I was planning to bring the cacerts file from jdk/jdk down to 8 with the
> associated tests. Your build setup should still work then, I guess.
>
>
>
> However, if somebody from AdoptOpenJDK wants to do the work of bringing it
> into OpenJDK8 updates, feel free. It’s not the very first thing on my todo
> list ��
>
>
>
> Thanks & Best regards
>
> Christoph
>
>
>
> [1] https://github.com/AdoptOpenJDK/openjdk-build/tree/master/security
>
>
>
>
>
> *From:* Martijn Verburg <martijnverburg at gmail.com>
> *Sent:* Freitag, 22. März 2019 20:38
> *To:* Sean Mullan <sean.mullan at oracle.com>
> *Cc:* Langer, Christoph <christoph.langer at sap.com>;
> jdk8u-dev at openjdk.java.net; OpenJDK Dev list <
> security-dev at openjdk.java.net>
> *Subject:* Re: [8u] Is it possible to bring root certificates to OpenJDK
> 8 [JEP319] ?
>
>
>
> FWIW - we backported these in the AdoptOpenJDK 8 builds and could provide
> a patch to upstream that change.
>
>
> Cheers,
> Martijn
>
>
>
>
>
> On Fri, 22 Mar 2019 at 19:35, Sean Mullan <sean.mullan at oracle.com> wrote:
>
> Hi Christoph,
>
> On 3/21/19 6:20 AM, Langer, Christoph wrote:
> > Hi,
> >
> > I recently came across a scenario where I wanted to use a self-built
> OpenJDK 8 in a maven build and it could not download artefacts due to
> missing root certificates. I helped myself by replacing the cacerts with
> some other version from a later OpenJDK and came over the issue. However,
> I’ve asked myself whether it was possible/worthwhile to get the root
> certificates also into an OpenJDK 8 update?
> >
> > With JEP 319 [0], Oracle has open-sourced the root certificates into
> OpenJDK. The initial check-in was done for jdk10, via bug JDK-8189131 [1].
> After that, several commits have been made to update the set of root
> certificates and improve the tests.
> >
> > Now my questions are: Is it legally possible to bring these root
> certificates also into OpenJDK 8? Since it is a JEP, can the “feature” be
> added to OpenJDK 8 via an update release? And, last but not least, would
> there be interest in the community for that at all?
>
> I can answer the first two questions. I talked to one of our Product
> Managers who was involved with this JEP and he said that we have
> permission to release these certificates as open source at OpenJDK (much
> as Mozilla has roots in Firefox).  Therefore there should be no concerns
> using with OpenJDK 8 or other versions for that matter.  If you mean the
> jdk8u project specifically, you should check with the current
> maintainers for interest in this as I think they currently use other
> means for their builds.
>
> --Sean
>
> >
> > Just trying to start a discussion… ��
> >
> > Best regards
> > Christoph
> >
> > [0] http://openjdk.java.net/jeps/319
> > [1] https://bugs.openjdk.java.net/browse/JDK-8189131
> >
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.openjdk.java.net/pipermail/security-dev/attachments/20190325/83c0822a/attachment.html>