Hi Christoph,
On 3/21/19 6:20 AM, Langer, Christoph wrote:
Hi,
I recently came across a scenario where I wanted to use a self-built OpenJDK 8
in a maven build and it could not download artefacts due to missing root
certificates. I helped myself by replacing the cacerts with some other version
from a later OpenJDK and came over the issue. However, I’ve asked myself
whether it was possible/worthwhile to get the root certificates also into an
OpenJDK 8 update?
With JEP 319 [0], Oracle has open-sourced the root certificates into OpenJDK.
The initial check-in was done for jdk10, via bug JDK-8189131 [1]. After that,
several commits have been made to update the set of root certificates and
improve the tests.
Now my questions are: Is it legally possible to bring these root certificates
also into OpenJDK 8? Since it is a JEP, can the “feature” be added to OpenJDK 8
via an update release? And, last but not least, would there be interest in the
community for that at all?
I can answer the first two questions. I talked to one of our Product
Managers who was involved with this JEP and he said that we have
permission to release these certificates as open source at OpenJDK (much
as Mozilla has roots in Firefox). Therefore there should be no concerns
using with OpenJDK 8 or other versions for that matter. If you mean the
jdk8u project specifically, you should check with the current
maintainers for interest in this as I think they currently use other
means for their builds.
--Sean
Just trying to start a discussion… 😊
Best regards
Christoph
[0] http://openjdk.java.net/jeps/319
[1] https://bugs.openjdk.java.net/browse/JDK-8189131
