Hi Martijn, as far as I understand the AdoptOpenJDK infrastructure, you have created a cacerts file from the Mozilla certificates which you are using in the AdoptOpenJDK 8 build via configure option [1]. Is that correct or am I missing something?
I was planning to bring the cacerts file from jdk/jdk down to 8 with the associated tests. Your build setup should still work then, I guess. However, if somebody from AdoptOpenJDK wants to do the work of bringing it into OpenJDK8 updates, feel free. It’s not the very first thing on my todo list 😊 Thanks & Best regards Christoph [1] https://github.com/AdoptOpenJDK/openjdk-build/tree/master/security From: Martijn Verburg <[email protected]> Sent: Freitag, 22. März 2019 20:38 To: Sean Mullan <[email protected]> Cc: Langer, Christoph <[email protected]>; [email protected]; OpenJDK Dev list <[email protected]> Subject: Re: [8u] Is it possible to bring root certificates to OpenJDK 8 [JEP319] ? FWIW - we backported these in the AdoptOpenJDK 8 builds and could provide a patch to upstream that change. Cheers, Martijn On Fri, 22 Mar 2019 at 19:35, Sean Mullan <[email protected]<mailto:[email protected]>> wrote: Hi Christoph, On 3/21/19 6:20 AM, Langer, Christoph wrote: > Hi, > > I recently came across a scenario where I wanted to use a self-built OpenJDK > 8 in a maven build and it could not download artefacts due to missing root > certificates. I helped myself by replacing the cacerts with some other > version from a later OpenJDK and came over the issue. However, I’ve asked > myself whether it was possible/worthwhile to get the root certificates also > into an OpenJDK 8 update? > > With JEP 319 [0], Oracle has open-sourced the root certificates into OpenJDK. > The initial check-in was done for jdk10, via bug JDK-8189131 [1]. After that, > several commits have been made to update the set of root certificates and > improve the tests. > > Now my questions are: Is it legally possible to bring these root certificates > also into OpenJDK 8? Since it is a JEP, can the “feature” be added to OpenJDK > 8 via an update release? And, last but not least, would there be interest in > the community for that at all? I can answer the first two questions. I talked to one of our Product Managers who was involved with this JEP and he said that we have permission to release these certificates as open source at OpenJDK (much as Mozilla has roots in Firefox). Therefore there should be no concerns using with OpenJDK 8 or other versions for that matter. If you mean the jdk8u project specifically, you should check with the current maintainers for interest in this as I think they currently use other means for their builds. --Sean > > Just trying to start a discussion… 😊 > > Best regards > Christoph > > [0] http://openjdk.java.net/jeps/319 > [1] https://bugs.openjdk.java.net/browse/JDK-8189131 >
