RFR: 8278080: Add --with-cacerts-src='user cacerts folder' to enable deterministic cacerts generation

Sergey Bylokhov serb at openjdk.java.net
Fri Dec 3 18:58:16 UTC 2021


On Thu, 2 Dec 2021 10:55:57 GMT, Andrew Leonard <aleonard at openjdk.org> wrote:

> This is the case at Adoptium for example, which uses the Mozilla trusted CA certs.

But they didn't think skipping this test was too strong a step? For example, validation of the certs' expiration is quite useful. I tried to update the test to take into account additional certs, but it caused a merge conflict each time the certs in OpenJDK are updated. Probably we can add a config file that can inject/override some info in the test (at least skip the checksum validation)? By default this config file will be empty and will not be modified in the OpenJDK, but the vendors will be able to modify it. @wangweij @rhalade what do you think?

-------------

PR: https://git.openjdk.java.net/jdk/pull/6647

