RFE/RFC reproducible policies

Jiri Vanek jvanek at redhat.com
Fri May 20 07:25:40 UTC 2016


Thank you for quick answer.

However. .not exactly the one I hoped for:(

Generally - IMHO the CreateSecurityJars.gmk is never used to generate policies, only the 
GendataPolicyJars.gmk is used for that.

Thats why my unhappy patch is here.

In one way or another - the GendataPolicyJars should be removed, or he lines regarding policies' 
jars from CreateSecurityJars should e removed (second is probably more correct way, If you light on 
green light to this patch, I will remove the lines from CreateSecurityJars and test)

jmod? jlink? Crap :) The policies had remained simple jars, and are nothing but copied into image. 
I was looking to Images.gmk pretty much, and found quite a usages of JLINK_TOOL but found much less 
looking to it,, not its usages nor it documentation did not resolved how the jars get to the old 
good.../lib/security/ directory. It does not have much to do with modules....

And even if the jlink tool should be responsible for copying the jars (which is pretty obfuscated 
way) then perhaps it should keep time stamps? (just thought)

I'm much much more troubled about way how the GendataPolicyJars and CreateSecurityJars are mixed up:(

Again, thank you very much for looking into it!

On 05/19/2016 07:07 PM, Erik Joelsson wrote:
> Hello Jiri,
> If I understand the question correctly, you are wondering how the policy files from
> CreateSecurityJars.gmk end up in the final image? This is done in two steps. First the new JDK 9
> tool jmod packages each module into a distribution format (typically java.base.jmod). Then the next
> new tool jlink links all the jmods together to create an image. Somewhere inside those tools, I
> assume timestamps are changing.
> /Erik
> On 2016-05-19 18:52, Jiri Vanek wrote:
>> Hello again!
>> webrev https://jvanek.fedorapeople.org/oracle/jdk9/webrevs/reproduciblePolicies/v1/
>> Recent Feature Complete milestone have scared me, as I have long-time persisting issue when
>> packaging openjdk (6..7...8 and 9)
>> The policy jars, always from same source, never the same. As they are considered as configure
>> files, the RPM update treat them alike.
>> Not so do jdk build system, and every build have its "special" but still the same. .policies.
>> This is fixed in my RPMS since [1] like [2]
>> Well, not nice. I checked icedtea, and they since [3] already have this change [4]
>> So I looked into JDK9 and.. it ahave teh change in CreateSecurityJars.gmk ! Not whole, but
>> definitely not used. I really do not understand why.
>> So there is patch for jdk9's -
>> https://jvanek.fedorapeople.org/oracle/jdk9/webrevs/reproduciblePolicies/v1/ which is making the
>> policies truly static even with all this necessary stamping.
>> However, I must apologise for missing part, which I had not found how to solve.
>> Up to "make" (build) everything is ok. but "make images" corrupts the timestamps,  I did not
>> found, where the built files flow to images:(to stamp them again, and last time)
>> Best regards from CZ
>>   J.
>> [1]
>> http://pkgs.fedoraproject.org/cgit/rpms/java-1.8.0-openjdk.git/commit/?h=f21&id=ae70e5d64fbe2fb042c0cee088316b39ee8bf8c9
>> [2]http://pkgs.fedoraproject.org/cgit/rpms/java-1.8.0-openjdk.git/tree/repackReproduciblePolycies
>> [3]
>> http://icedtea.classpath.org/hg/icedtea8-forest/jdk/rev/afd392dfaed5
>> http://icedtea.classpath.org/hg/icedtea8-forest/jdk/rev/edf1cacfe015
>> http://icedtea.classpath.org/hg/icedtea8-forest/jdk/rev/9b6cfe5f5078
>> [4]
>> http://icedtea.classpath.org/hg/icedtea8-forest/jdk/file/tip/make/CreateSecurityJars.gmk

More information about the build-dev mailing list