RFR: 8278080: Add --with-cacerts-src='user cacerts folder' to enable deterministic cacerts generation

Sergey Bylokhov serb at openjdk.java.net
Fri Dec 3 18:58:16 UTC 2021

On Thu, 2 Dec 2021 10:55:57 GMT, Andrew Leonard <aleonard at openjdk.org> wrote:

> This is the case at Adoptium for example, which uses the Mozilla trusted CA certs.

But they didn't think skipping this test was too strong a step? For example validation of the certs expiration is quite useful. I tried to update the test to take into account additional certs, but it caused a merge conflict each time the certs in OpenJDK are updated. Probably we can add a config file that can inject/override some info in the test(at least skip the checksum validation)? By default this config file will be empty and will not be modified in the OpenJDK, but the vendors will be able to modify it. @wangweij @rhalade what do you think?


PR: https://git.openjdk.java.net/jdk/pull/6647

More information about the security-dev mailing list