[PATCH FOR REVIEW] Allow OpenJDK to be built with the unlimited crypto policy
Andrew Hughes gnu.andrew at redhat.com
Thu Sep 20 14:57:29 UTC 2012
----- Original Message -----
> But I think someone from the security team should chime in on this.
I plan to look closer at this. On the surface, it looks acceptable to me, but I've been heads down in the SNI code: likely for one more day. Wanted to also run this by one of my other colleagues. One thought: I'm wondering if we might want to have this switch in both Open and Closed. As long as default is off, I don't immediately see a reason to not have it.
I've no problem with that. I just placed it within the OPENJDK ifdef so it won't interfere with the proprietary build at all, as obviously I can't test it ;-)
But, either way, if it's not set, there's no change in behaviour.
Brad
On 9/19/2012 7:34 PM, Kelly O'Hair wrote:
> It seems fine with me.
> But I think someone from the security team should chime in on this.
>
> -kto
>
> On Sep 18, 2012, at 7:39 AM, Andrew Hughes wrote:
>
>> This is an issue that has been with us for a while. See:
>>
>> https://bugs.openjdk.java.net/showbug.cgi?id=100062
>> http://bugs.sun.com/bugdatabase/viewbug.do?bugid=7188845
>>
>> for some background.
>>
>> The original proposed patch goes too far in removing most of the
>> infrastructure for restricting crypto levels and signing of crypto
>> jars.
>>
>> The following simple webrev will achieve what I think is needed:
>>
>> http://cr.openjdk.java.net/~andrew/100062/webrev.01/
>>
>> allowing OpenJDK to be built with the unlimited rather than limited
>> crypto policy in place.
>>
>> The build is only altered if both an OpenJDK build is being performed
>> and UNLIMITEDCRYPTO is defined. In this case, the install-unlimited
>> rule is used to install policies. Without UNLIMITEDCRYPTO being set,
>> OpenJDK builds still depend on install-limited as now.
>>
>> I believe this is a fairly unintrusive change which should allow
>> GNU/Linux distros to ship without crypto restrictions while still
>> using upstream OpenJDK rather than a variant with several classes
>> removed.
>>
>> It's not clear to me why this approach wasn't taken before, so I
>> hope I haven't missed something.
>>
>> If this looks ok, I'll push it as the resolution for bug 7188845.
>> --
>> Andrew :)
>>
>> Free Java Software Engineer
>> Red Hat, Inc. (http://www.redhat.com)
>>
>> PGP Key: 248BDC07 (https://keys.indymedia.org/)
>> Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07
--
Andrew :)

Free Java Software Engineer
Red Hat, Inc. (http://www.redhat.com)

PGP Key: 248BDC07 (https://keys.indymedia.org/)
Fingerprint = EC5A 1F5E C0AD 1D15 8F1F 8F91 3B96 A578 248B DC07
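A check a packager could run against the resulting build to confirm which policy was installed, as an added example that is not part of the original message or of the OpenJDK sources. It relies on the limited policy capping AES at 128 bits while the unlimited policy reports `Integer.MAX_VALUE`; the class name `CryptoPolicyCheck` and the all-zero test key are assumptions made for the example.

```java
import java.security.GeneralSecurityException;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical helper class (not from the OpenJDK sources).
public class CryptoPolicyCheck {

    // True when the installed policy places no cap on key length for the transformation.
    static boolean isUnlimited(String transformation) throws GeneralSecurityException {
        return Cipher.getMaxAllowedKeyLength(transformation) == Integer.MAX_VALUE;
    }

    // Cross-check the reported limit by actually initialising AES with a 256-bit key.
    // The all-zero key is a constructed test value, never a real key.
    static boolean aes256Usable() {
        try {
            Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
            c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(new byte[32], "AES"));
            return true;
        } catch (GeneralSecurityException e) {
            // The limited policy rejects the key with InvalidKeyException ("Illegal key size").
            return false;
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Report the caps for a few algorithms; the verdict itself is based on AES only.
        for (String alg : new String[] {"AES", "Blowfish", "RC4"}) {
            int max = Cipher.getMaxAllowedKeyLength(alg);
            String shown = (max == Integer.MAX_VALUE) ? "unlimited" : max + " bits";
            System.out.printf("%-9s max key length: %s%n", alg, shown);
        }

        boolean reported = isUnlimited("AES");
        boolean usable = aes256Usable();
        System.out.println("Policy reports unlimited AES: " + reported);
        System.out.println("AES-256 init succeeded:       " + usable);

        if (reported != usable) {
            System.out.println("MISMATCH: reported limit and real behaviour disagree");
            System.exit(2);
        }
        // Exit 0 for an unlimited-policy build, 1 for a limited one, so CI can gate on it.
        System.exit(reported ? 0 : 1);
    }
}
```

Run it with the `java` binary from the build under test, not the system default, so the result reflects the policy files that build installed.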