On Thu, 2 Dec 2021 12:13:03 GMT, Andrew Leonard <aleon...@openjdk.org> wrote:
>> Addition of a configure option --with-cacerts-src='user cacerts folder' to >> allow developers to specify their own cacerts PEM folder for generation of >> the cacerts store using the deterministic openjdk GenerateCacerts tool. >> >> Signed-off-by: Andrew Leonard <anleo...@redhat.com> > > Andrew Leonard has updated the pull request with a new target base due to a > merge or a rebase. The incremental webrev excludes the unrelated changes > brought in by the merge/rebase. The pull request contains four additional > commits since the last revision: > > - 8278080: Add --with-cacerts-src='user cacerts folder' to enable > deterministic cacerts generation > > Signed-off-by: Andrew Leonard <anleo...@redhat.com> > - Merge branch 'master' of https://github.com/openjdk/jdk into cacertssrc > - 8278080: Add --with-cacerts-src='user cacerts folder' to enable > determinsitic cacerts generation > > Signed-off-by: Andrew Leonard <anleo...@redhat.com> > - 8278080: Add --with-cacerts-src='user cacerts folder' to enable > determinsitic cacerts generation > > Signed-off-by: Andrew Leonard <anleo...@redhat.com> I don’t have any major concerns with this change, as long as the default cacerts are still the ones that are in the JDK. As an aside, using Mozilla's root certificates might be fine for TLS certificates, but if you need to support code signing certificates you may run into issues with missing CAs as Mozilla's Root program does not support that use case. Also, by overriding the roots included in the JDK, you are taking on the responsibility (which is significant, in my opinion) of ensuring that those roots are trusted and have not been compromised, revoked, have weak keys, etc. ------------- PR: https://git.openjdk.java.net/jdk/pull/6647