On Wed, 26 Mar 2025 09:53:51 GMT, Severin Gehwolf <sgehw...@openjdk.org> wrote:
> The cacerts issue mentioned in the JBS issue relates to an RPM installation
> of the JDK where the cacerts file is a symlink to the distro provided one. So
> I think that's "use system" issue.
>
> TZ updates would potentially break this too. If an external tool updates
> `tzdb.dat` then the hash sum computed at JDK build-time will no longer match.
> I believe this could also be solved with a sha-override (e.g. by coming from
> a file `@${java.home}/sha-override.txt`) which would get the update along
> with `tzdb.dat`.
I think one direction to explore is configuring which files or directory are
"upgradable". Upgradable modules aren't excluded from the hash computation to
allow upgrade via the upgrade module path. Something similar here would allow
jlink to report that tzdb.dat has been upgraded. Maybe cacerts is the same but
need to look closer as the hash computation shouldn't be following sym links
outside of the runtime image.
-------------
PR Comment: https://git.openjdk.org/jdk/pull/24190#issuecomment-2753876700
