On Thu, 3 Apr 2025 10:25:28 GMT, Severin Gehwolf <sgehw...@openjdk.org> wrote:
> I'm not entirely sure what you are suggesting. Is it keeping a list of > "upgradeable" files in a properties file. Files listed in that properties > file aren't checked for hash sums (i.e. even if it's not modified)? That is, > the explicit opt-in is not needed? Fine by me, but it's a weaker check. If we > don't need the explicit opt-in, the patch becomes simpler as well. Yes, I think keep simple. We always want to allow tzdb.dat be upgraded by the TZ updater tool. I think treating cacerts the same way is okay. As you note, it has to be kept up to date too. I was thinking keytool import and wasn't sure if the Linux distros configure with `-with-cacerts-file` or did something else. Thanks for the clarification on this point. Starting with a simple list of two files won't preclude us from re-visiting it again in the future. ------------- PR Comment: https://git.openjdk.org/jdk/pull/24388#issuecomment-2777859174
