RFR 8193255: Root Certificates should be stored in text format and assembled at build time

Erik Joelsson erik.joelsson at oracle.com
Thu May 30 14:01:30 UTC 2019 

Hello Max,

Looking in ToolsJdk.gmk, I realize that the BUILD_TOOLS variable was 
renamed back when we unified the repositories and is now called 
BUILD_TOOLS_JDK. It seems like I missed updating the references to this 
variable in the gendata dir. If you use the new variable name in the 
prerequisites list, you get a rebuild. Feel free to update the other 
references in make/gendata if you want to.

In my experience, using directories for dependencies in make does not 
work well. Since all the files in make/data/cacerts are in a flat 
structure, I would recommend expressing the prerequisites as:

$(wildcard $(GENDATA_CACERTS_SRC)/*)

This will not cover the case where a file is removed, but that case is 
rarely handled well in make based build systems.

Some minor notes.

The current recommended macro for creating the target directory in a 
recipe is $(call MakeTargetDir).

For logical indent (Gendata-java.base.gmk:75 and Copy-java.base.gmk:173) 
please use 2 spaces [1].

I also think it would be good with a comment in Copy-java.base.gmk 
explaining that CACERTS_FILE is optionally set in configure to override 
the default cacerts which is otherwise generated in Gendata-java.base.gmk.

Thanks,

/Erik

[1] http://openjdk.java.net/groups/build/doc/code-conventions.html

On 2019-05-30 06:34, Weijun Wang wrote:
> Since I need to track all added, removed, updated files in that directory, I thought depending on the directory itself is more correct. If I use the FindFiles function, then if some files are removed the cacerts will not be rebuilt.
>
> --Max
>
>> On May 30, 2019, at 9:11 PM, David Holmes <david.holmes at oracle.com> wrote:
>>
>> Hi Max,
>>
>> Not a review :)
>>
>> On 30/05/2019 11:01 pm, Weijun Wang wrote:
>>> Please take a review at
>>>     http://cr.openjdk.java.net/~weijun/8193255/webrev.00/
>>> Please pay attention to the 1st 3 and the last 2 files. Others are PEM files for all certs inside the original cacerts.
>>> There is one thing I cannot get correct. If I update the GenerateCacerts.java file and rerun make, the cacerts file is unchanged. I thought the following line
>>>     $(GENDATA_CACERTS): $(BUILD_TOOLS) $(GENDATA_CACERTS_SRC)
>>> means when when the tool is changed, GENDATA_CACERTS will be called.
>> I think you have set a dependency on the directory, not the files within it. If you look at make/gensrc/Gensrc-jdk.internal.vm.compiler.gmk for example you'll see this rule:
>>
>> $(GENSRC_DIR)/_gensrc_proc_done: $(PROC_SRCS) $(PROCESSOR_JARS)
>>
>> but PROC_SRCS is defined as
>>
>> PROC_SRCS := $(filter %.java, $(call FindFiles, $(PROC_SRC_DIRS)))
>>
>> which is all the .java files in the src directory.
>>
>> David
>>
>>> Thanks,
>>> Max

More information about the security-dev mailing list