We basically pulled in the JEP 319 certs from 11 and put them into 8. Happy to create a patch if that helps, might be a slightly different set to what you are proposing though?
Cheers, Martijn On Mon, 25 Mar 2019 at 07:22, Langer, Christoph <[email protected]> wrote: > Hi Martijn, > > > > as far as I understand the AdoptOpenJDK infrastructure, you have created a > cacerts file from the Mozilla certificates which you are using in the > AdoptOpenJDK 8 build via configure option [1]. Is that correct or am I > missing something? > > > > I was planning to bring the cacerts file from jdk/jdk down to 8 with the > associated tests. Your build setup should still work then, I guess. > > > > However, if somebody from AdoptOpenJDK wants to do the work of bringing it > into OpenJDK8 updates, feel free. It’s not the very first thing on my todo > list 😊 > > > > Thanks & Best regards > > Christoph > > > > [1] https://github.com/AdoptOpenJDK/openjdk-build/tree/master/security > > > > > > *From:* Martijn Verburg <[email protected]> > *Sent:* Freitag, 22. März 2019 20:38 > *To:* Sean Mullan <[email protected]> > *Cc:* Langer, Christoph <[email protected]>; > [email protected]; OpenJDK Dev list < > [email protected]> > *Subject:* Re: [8u] Is it possible to bring root certificates to OpenJDK > 8 [JEP319] ? > > > > FWIW - we backported these in the AdoptOpenJDK 8 builds and could provide > a patch to upstream that change. > > > Cheers, > Martijn > > > > > > On Fri, 22 Mar 2019 at 19:35, Sean Mullan <[email protected]> wrote: > > Hi Christoph, > > On 3/21/19 6:20 AM, Langer, Christoph wrote: > > Hi, > > > > I recently came across a scenario where I wanted to use a self-built > OpenJDK 8 in a maven build and it could not download artefacts due to > missing root certificates. I helped myself by replacing the cacerts with > some other version from a later OpenJDK and came over the issue. However, > I’ve asked myself whether it was possible/worthwhile to get the root > certificates also into an OpenJDK 8 update? > > > > With JEP 319 [0], Oracle has open-sourced the root certificates into > OpenJDK. The initial check-in was done for jdk10, via bug JDK-8189131 [1]. > After that, several commits have been made to update the set of root > certificates and improve the tests. > > > > Now my questions are: Is it legally possible to bring these root > certificates also into OpenJDK 8? Since it is a JEP, can the “feature” be > added to OpenJDK 8 via an update release? And, last but not least, would > there be interest in the community for that at all? > > I can answer the first two questions. I talked to one of our Product > Managers who was involved with this JEP and he said that we have > permission to release these certificates as open source at OpenJDK (much > as Mozilla has roots in Firefox). Therefore there should be no concerns > using with OpenJDK 8 or other versions for that matter. If you mean the > jdk8u project specifically, you should check with the current > maintainers for interest in this as I think they currently use other > means for their builds. > > --Sean > > > > > Just trying to start a discussion… 😊 > > > > Best regards > > Christoph > > > > [0] http://openjdk.java.net/jeps/319 > > [1] https://bugs.openjdk.java.net/browse/JDK-8189131 > > > >
