2012/5/31 Bradford Wetmore <[email protected]>: > Taking 2 responses in reverse order, Henri wrote: > >> Ok, so I'll have to mimic OpenJDKs packaging performed on Linux >> distribution, using Mozilla provided CA certs. > > I felt the need to respond to this thread after seeing this statement. > > You need to check with Mozilla and your lawyers as to whether you can just > use theirs for an OpenJDK-based build. CA certs are not something to just > grab just so your impl works. There are legal issues involved here, which > is the reason we (Oracle) had to include an empty CA file in the first > place. > > It is your responsibility as an OpenJDK builder to resolve the legal issues. > Please don't take this lightly. > > > On 5/31/2012 8:29 AM, Scott Kovatch wrote: >> >> On May 31, 2012, at 7:39 AM, Henri Gomez<[email protected]> wrote: >> >>>> CA certificate management is non-trivial matter. Right now it's >>>> pretty much orthogonal to OpenJDK development, and it's something >>>> for downstream distributors to handle. >>>> >>>> Personally, I'd like to keep it that way for OpenJDK 7 updates as >>>> I don't see the need for doing it in this Project, given that OpenJDK >>>> 7u distributors as well as organizations building their own JDKs >>>> based on OpenJDK 7u typically have their own ways of managing CA >>>> certificates in place specific to their needs. >>> >>> >>> My question wasn't clear. >>> cacerts inclusion for OSX was at packaging level, ie like those I >>> didn't on openjdk-osx-build, so after stock OpenJDK build process. >> >> >> Henri, I think this is something you would have to bring up with Apple. >> The cacerts file in Apple's JDK was generated from the certificates in the >> 'System Roots' keychain (or, it was the last time I was responsible for >> doing it), so you may not have the legal right to redistribute it. As usual, >> there are no lawyers here. >> >> As Dalibor says, each JDK distributor or licensee is responsible for >> obtaining their own root certificates, and in Apple's case, they are already >> distributed via the OS, so the JDK was covered by those licenses. > > > This is probably moot now, but if I squinted, tilted my head to a certain > angle, and created some ambiguity in pronouns :) , I could potentially > misread what I think Scott was trying to say here. What might be clearer: > > ... and in Apple's case, the CA certs are already distributed via > the *Apple OS*, so *Apple's* JDK was covered by those licenses. > > Your *OpenJDK*-based build likely is not covered by those Apple licenses, > and thus you need to check with Apple if you could use theirs. > > Hope this helps, I didn't want you to think "since I didn't hear anything > further, my approach must be ok."
May be a symlink could fix this issue. Using Apple OSX certs and don't providing it by myself :)
