Taking 2 responses in reverse order, Henri wrote:
> Ok, so I'll have to mimic OpenJDKs packaging performed on Linux
> distribution, using Mozilla provided CA certs.
I felt the need to respond to this thread after seeing this statement.
You need to check with Mozilla and your lawyers as to whether you can
just use theirs for an OpenJDK-based build. CA certs are not something
to just grab just so your impl works. There are legal issues involved
here, which is the reason we (Oracle) had to include an empty CA file in
the first place.
It is your responsibility as an OpenJDK builder to resolve the legal
issues. Please don't take this lightly.
On 5/31/2012 8:29 AM, Scott Kovatch wrote:
On May 31, 2012, at 7:39 AM, Henri Gomez<[email protected]> wrote:
CA certificate management is non-trivial matter. Right now it's
pretty much orthogonal to OpenJDK development, and it's something
for downstream distributors to handle.
Personally, I'd like to keep it that way for OpenJDK 7 updates as
I don't see the need for doing it in this Project, given that OpenJDK
7u distributors as well as organizations building their own JDKs
based on OpenJDK 7u typically have their own ways of managing CA
certificates in place specific to their needs.
My question wasn't clear.
cacerts inclusion for OSX was at packaging level, ie like those I
didn't on openjdk-osx-build, so after stock OpenJDK build process.
Henri, I think this is something you would have to bring up with Apple. The
cacerts file in Apple's JDK was generated from the certificates in the 'System
Roots' keychain (or, it was the last time I was responsible for doing it), so
you may not have the legal right to redistribute it. As usual, there are no
lawyers here.
As Dalibor says, each JDK distributor or licensee is responsible for obtaining
their own root certificates, and in Apple's case, they are already distributed
via the OS, so the JDK was covered by those licenses.
This is probably moot now, but if I squinted, tilted my head to a
certain angle, and created some ambiguity in pronouns :) , I could
potentially misread what I think Scott was trying to say here. What
might be clearer:
... and in Apple's case, the CA certs are already distributed via
the *Apple OS*, so *Apple's* JDK was covered by those licenses.
Your *OpenJDK*-based build likely is not covered by those Apple
licenses, and thus you need to check with Apple if you could use theirs.
Hope this helps, I didn't want you to think "since I didn't hear
anything further, my approach must be ok."
Brad
