> For JEP 493-enabled builds there are no JMODs. Certain files come from the
> installed JDK image when a user creates a custom run-time from it. This is
> problematic for example for files that often come from a different package
> (e.g. `cacerts` file for Linux distro builds of OpenJDK packaged as RPMs), or
> more generally when they get updated out-of-band of the JDK build itself like
> the tzupdater tool.
>
> When that happens the hash sum recorded at JDK build time of those files no
> longer matches, causing `jlink` to fail. I propose to allow for those files to
> get "upgraded" should this happen. The way this works is as follows:
>
> 1. The list of upgradeable files is hard-coded to `lib/tzdb.dat` and
>    `lib/security/cacerts`. Only those two files from the `java.base` module will
>    be allowed to be upgraded with a link from the current run-time image.
> 2. The upgrade needs to be opt-in. Similar to `--ignore-signing-information`
>    for signed modular JARs. A user needs to add
>    `--upgrade-files=<module>/<file-path>` for it to succeed.
>
> `--upgrade-files` is a hidden `jlink` option since it only does anything for
> JEP 493 enabled builds. Users get a hint to apply the option if they so
> desire:
>
> Example:
>
>     $ ./bin/jlink --add-modules java.base --output java.base-jdk
>     Error: [..]/lib/security/cacerts has been modified
>     Hint: lib/security/cacerts is an upgradeable file. Add --upgrade-files=java.base/lib/security/cacerts to allow the upgrade.
>
> using the hint we get:
>
>     $ ./bin/jlink --add-modules java.base --output java.base-jdk --upgrade-files=java.base/lib/security/cacerts
>     $ ./java.base-jdk/bin/java --list-modules
>     java.base@25-internal
>     $ sha512sum ./java.base-jdk/lib/security/cacerts
>     cf2b4c17161e79001c8e07def3de36c0d523f00a2a6b6e33893a2a3669d930957c11ac765dd29d5ff80e63ad100ef0258291891377f7133b997111ba97b15146  ./java.base-jdk/lib/security/cacerts
>     $ sha512sum ./lib/security/cacerts
>     cf2b4c17161e79001c8e07def3de36c0d523f00a2a6b6e33893a2a3669d930957c11ac765dd29d5ff80e63ad100ef0258291891377f7133b997111ba97b15146  ./lib/security/cacerts
>
> **Testing**
>
> - [x] GHA
> - [x] `jdk/tools/jlink` jtreg tests
> - [x] Some manual tests with updated `tzdb.dat` and `cacerts` files.
>
> Thoughts?

Severin Gehwolf has updated the pull request with a new target base due to a merge or a rebase. The incremental webrev excludes the unrelated changes brought in by the merge/rebase. The pull request contains four additional commits since the last revision:

 - Reboot upgradeable files approach
 - Revert "8353185: Introduce the concept of upgradeable files in context of JEP 493"

   This reverts commit bfbfbcb8212ed0f9825549b02b4b52e930c379a7.
 - Merge branch 'master' into jdk-8353185-upgradable-files-jep493
 - 8353185: Introduce the concept of upgradeable files in context of JEP 493

-------------

Changes:
  - all: https://git.openjdk.org/jdk/pull/24388/files
  - new: https://git.openjdk.org/jdk/pull/24388/files/bfbfbcb8..74b6bfe1

Webrevs:
 - full: https://webrevs.openjdk.org/?repo=jdk&pr=24388&range=01
 - incr: https://webrevs.openjdk.org/?repo=jdk&pr=24388&range=00-01

  Stats: 7234 lines in 379 files changed: 4450 ins; 2088 del; 696 mod
  Patch: https://git.openjdk.org/jdk/pull/24388.diff
  Fetch: git fetch https://git.openjdk.org/jdk.git pull/24388/head:pull/24388

PR: https://git.openjdk.org/jdk/pull/24388
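
The decision rule described in the quoted PR description, modelled as an added example that is not part of the original message and is not the JDK's `jlink` code. The class, method and enum names are hypothetical, the file contents and the `lib/example.dat` path are constructed, and rejecting an opt-in for a file outside the hard-coded list is an assumption drawn from the statement that only those two files may be upgraded.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HexFormat;
import java.util.Set;

// Hypothetical model of the proposal; not the jlink implementation.
public class UpgradeableFilesCheck {
    // The two files the proposal hard-codes, written as <module>/<file-path>.
    static final Set<String> UPGRADEABLE = Set.of(
            "java.base/lib/tzdb.dat", "java.base/lib/security/cacerts");

    enum Decision { UNCHANGED, UPGRADED, REJECTED_NEEDS_OPT_IN, REJECTED_MODIFIED }

    static String sha512(byte[] data) throws Exception {
        return HexFormat.of().formatHex(MessageDigest.getInstance("SHA-512").digest(data));
    }

    // Decide what to do with one file of the run-time image being linked from.
    // optedIn holds the values the user passed via --upgrade-files.
    static Decision check(String file, String recordedHash, byte[] current,
                          Set<String> optedIn) throws Exception {
        if (sha512(current).equals(recordedHash)) {
            return Decision.UNCHANGED;          // matches the build-time record
        }
        if (!UPGRADEABLE.contains(file)) {
            return Decision.REJECTED_MODIFIED;  // assumption: opt-in cannot widen the list
        }
        return optedIn.contains(file) ? Decision.UPGRADED
                                      : Decision.REJECTED_NEEDS_OPT_IN;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample contents, not real JDK files.
        byte[] built = "build-time content".getBytes(StandardCharsets.UTF_8);
        byte[] changed = "updated out-of-band".getBytes(StandardCharsets.UTF_8);
        String recorded = sha512(built);
        String cacerts = "java.base/lib/security/cacerts";
        String other = "java.base/lib/example.dat"; // constructed, not on the list

        System.out.println(check(cacerts, recorded, built, Set.of()));
        System.out.println(check(cacerts, recorded, changed, Set.of()));
        System.out.println(check(cacerts, recorded, changed, Set.of(cacerts)));
        System.out.println(check(other, recorded, changed, Set.of(other)));
    }
}
```

The last call is the case worth reviewing in any implementation: a modified file outside the list stays a hard failure even when the user names it in the opt-in set.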