On Mon, 13 Apr 2026 10:08:53 GMT, Severin Gehwolf <[email protected]> wrote:
>>> Why don't you get the error in a jmod JDK? Just trying to understand the
>>> distinction.
>>
>> In a jmod JDK, the `lib/modules` image doesn't contain the checksums.
>> Instead, `jlink` obtains a pristine `java.security` copy from
>> `jmods/java.base.jmod`, ignoring any change to
>> `conf/security/java.security`. So we don't get an error, but, as with a
>> jmod-less JDK, there's no way to propagate the `conf/security/java.security`
>> changes to the image.
>>
>> I think an alternative to point to a whole `java.security` replacement, or
>> an option to pass-through `conf/security/java.security` with its
>> modifications into the image would be great for our use-case.
>
>> > Why don't you get the error in a jmod JDK? Just trying to understand the
>> > distinction.
>>
>> In a jmod JDK, the `lib/modules` image doesn't contain the checksums.
>
> Just to clarify. A build with `--enable-linkable-runtime` and
> `--enable-keep-packaged-modules` would include the checksum of the
> `conf/security/java.security` file in the `jdk.jlink` module (in
> `lib/modules`). As @franferrax pointed out, though, with a `jlink` run with
> packaged modules present, the integrity check isn't done and the source of
> the `conf/security/java.security` is the `java.base.jmod` file instead of the
> runtime image.
>
> A corollary of this is that any modifications of
> `conf/security/java.security` done **after** `jlink` ran, need to be redone
> in the custom run-time when a JMOD-full link is being done. The JEP 493
> enabled link would fail with an error (as the unmodified source file is not
> available).

> I think an alternative to point to a whole `java.security` replacement, or an
> option to pass-through `conf/security/java.security` with its modifications
> into the image would be great for our use-case.

I don't want to support a whole java.security file replacement. That is too fragile as any property you miss can end up having no value as the default.

I am not sure what you mean by your second sentence, what is a pass-through option?

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/30635#discussion_r3075276723
