RFR 8189131: Open-source the Oracle JDK Root Certificates

dalibor topic dalibor.topic at oracle.com
Tue Dec 5 09:52:48 UTC 2017

On 05.12.2017 10:08, Magnus Ihse Bursie wrote:
>> I think the folks from the AdoptOpenJDK project are using this option
>> (CC-ed adoption-discuss). I'm not sure if they want to drop their root
>> certificates in favor of the new ones.
> Maybe they can upstream their root certs as well, if it seems prudent?

Afaik, pretty much all downstream builds use the Mozilla PKI 
certificates. It already has a very active upstream at Mozilla, so 
upstreaming it into OpenJDK doesn't make a lot of sense. ;)

> The only reason this was made an option is 
> that the OpenJDK distribution didn't include a root store at all by 
> default, so *all* users needed to provide one for it to be usable. Now 
> that this changes, the need to have build support to replace it 
> diminishes greatly.

Fwiw, it can still be easily replaced on installation of a package by a 
symbolic link to (or a copy of) the Mozilla root certificates, for 
example. So I don't think that it's necessary for the build support to 
remain, once this change goes in.

dalibor topic

<http://www.oracle.com> Dalibor Topic | Principal Product Manager
Phone: +494089091214 <tel:+494089091214> | Mobile: +491737185961

ORACLE Deutschland B.V. & Co. KG | Kühnehöfe 5 | 22761 Hamburg

ORACLE Deutschland B.V. & Co. KG
Hauptverwaltung: Riesstr. 25, D-80992 München
Registergericht: Amtsgericht München, HRA 95603

Komplementärin: ORACLE Deutschland Verwaltung B.V.
Hertogswetering 163/167, 3543 AS Utrecht, Niederlande
Handelsregister der Handelskammer Midden-Niederlande, Nr. 30143697
Geschäftsführer: Alexander van der Ven, Jan Schultheiss, Val Maher

<http://www.oracle.com/commitment> Oracle is committed to developing
practices and products that help protect the environment

More information about the build-dev mailing list