On Wed, 26 Mar 2025 14:50:11 GMT, Alan Bateman <al...@openjdk.org> wrote:

>>> > The cacerts issue mentioned in the JBS issue relates to an RPM 
>>> > installation of the JDK where the cacerts file is a symlink to the distro 
>>> > provided one. So I think that's "use system" issue.
>>> > TZ updates would potentially break this too. If an external tool updates 
>>> > `tzdb.dat` then the hash sum computed at JDK build-time will no longer 
>>> > match. I believe this could also be solved with a sha-override (e.g. by 
>>> > coming from a file `@${java.home}/sha-override.txt`) which would get the 
>>> > update along with `tzdb.dat`.
>>> 
>>> I think one direction to explore is configuring which files or directory 
>>> are "upgradable". Upgradable modules aren't excluded from the hash 
>>> computation to allow upgrade via the upgrade module path. Something similar 
>>> here would allow jlink to report that tzdb.dat has been upgraded. Maybe 
>>> cacerts is the same but need to look closer as the hash computation 
>>> shouldn't be following sym links outside of the runtime image.
>> 
>> I'll keep looking into this specific case. However, it sounds a bit 
>> orthogonal to the patch at hand which I do believe we still need for the 
>> original reasons mentioned (RPM changing binaries after the JDK build is 
>> long done and the Windows issue of the JDK build itself placing different 
>> *.pdb files into the image than was present at jlink time). So perhaps we 
>> should explore this in parallel?
> 
> I think upgradable files is something we can deal with. I'm not sure yet on 
> the PDB issue, need to think more about the scenarios to see what might 
> make sense.

> @AlanBateman Any more thoughts on this? We'd need to include a patch like 
> this one for getting the Fedora JDK 24+ builds to work with JEP 493 enabled. 
> Thanks!

Allowing for a small number of upgradable files is needed, I see you have a JBS 
issue for that. I have not warmed to the proposal to have override or have alt 
hashes, I think we need to spend more time thinking about the issues 
there.

-------------

PR Comment: https://git.openjdk.org/jdk/pull/24190#issuecomment-2769890734
