Bug 1142153

Summary: *policy.jar files should be repacked to not include version and timestamp
Product: [Fedora] Fedora Reporter: jiri vanek <jvanek>
Component: java-1.8.0-openjdkAssignee: jiri vanek <jvanek>
Status: CLOSED EOL QA Contact: Lukáš Zachar <lzachar>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 22CC: ahughes, dbhole, jpokorny, jvanek, omajid, philip
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-07-19 12:08:21 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description jiri vanek 2014-09-16 09:14:03 UTC 
Description of problem:
Although *policy.jar files are marked as config(norpalce) [correctly],  they are regenerated each build [also correctly]. However, the md5sum differs in 99% percent only due to version in maifest and timestamp in jar. However the 1% is very important (policy change) so can not be ignored.

Version-Release number of selected component (if applicable):
all rhels and fedoras, all javas

How reproducible:
always.

Steps to Reproduce:
1. update any openjdk. It will complain a bit and create *policy.jar.rpmsave

Expected results:
the *policy.jars are repalced only when the policies really changes


Additional info:
Looing into openjdk makefiles, I doubt the patch to this will be ever accepted by upstream. However, in rpm we can repack context of those files, and so achive the goal.
Comment 1 jiri vanek 2014-09-16 10:25:36 UTC 
something like this:

#!/bin/sh
M=META-INF/MANIFEST.MF
for f in local_policy.jar US_export_policy.jar ; do
echo "processing $f"
d=`mktemp -d`
  pushd $d
    jar  xf   /usr/lib/jvm/java/jre/lib/security/$f
    cat $M
    sed -i "s/Created-By.*/Created-By: 1.7.0/g"  $M
    cat $M
    find . -exec touch -t 201401010000 {} +
    zip -rX  $f *
    md5sum    $f
    sha256sum $f
  popd
done


can be torepack policies?
Comment 2 Andrew John Hughes 2014-09-19 01:39:04 UTC 
Equivalent IcedTea bug for 7:

http://icedtea.classpath.org/bugzilla/show_bug.cgi?id=2009
Comment 3 jiri vanek 2014-09-22 12:09:47 UTC 
note: This have been pushed to icedtea7-forest head and 2.5 so "fixed upstream" for jdk7
Comment 4 jiri vanek 2015-02-12 18:53:14 UTC 
jdk8 still no way, going with spec patches:

f20-f23:
http://pkgs.fedoraproject.org/cgit/java-1.8.0-openjdk.git/commit/?id=fb001ce997e7fc95c1eeca02d3ed004dc59035a1
Comment 5 Jan Pokorný [poki] 2015-04-09 17:41:18 UTC 
Jiří,

is this supposed to silence following "yum update" warnings I just got
when updating:

  java-1.8.0-openjdk-headless.x86_64 1:1.8.0.40-21.b25.fc21 

to

  java-1.8.0-openjdk-headless.x86_64 1:1.8.0.40-24.b25.fc21


I am asking as I got this warning:

>   Cleanup    : 1:java-1.8.0-openjdk-headless-1.8.0.40-21.b25.fc21.x86_64
> warning:
>   /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.40-21.b25.fc21.x86_64/jre/lib/security/local_policy.jar
>   saved as
>   /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.40-21.b25.fc21.x86_64/jre/lib/security/local_policy.jar.rpmsave
> warning:
>   /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.40-21.b25.fc21.x86_64/jre/lib/security/US_export_policy.jar
>   saved as
>   /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.40-21.b25.fc21.x86_64/jre/lib/security/US_export_policy.jar.rpmsave


IIUIC, the referred patch was introduced in -20.b25 build.
It means that the patch should definitely play its role for both original
package and the one being installed as an update.

So, am I hitting this issue, [bug 1141443] or something else?
Comment 6 jiri vanek 2015-04-10 08:26:56 UTC 
Yes it will fix the issu eyou ar emntioning.

The fix is  in u45. So *next* update will finally stop complaining.
Comment 7 Jan Pokorný [poki] 2015-05-06 21:08:18 UTC 
I am not sure about the previous statement, but unfortunately any evidence
is lost (closed the respective terminal since then and /var/log/yum.log
doesn't appear to track the error messages from the RPM scriptlets),
except for:

$ cd /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.45-31.b13.fc21.x86_64
$ ls jre/lib/security/local_policy.jar*
local_policy.jar  local_policy.jar.rpmnew

So it still seems to be quite the same.
Comment 8 jiri vanek 2015-05-07 08:16:35 UTC 
yes. timestamp went wrong.
Comment 9 Jan Pokorný [poki] 2015-06-01 13:05:16 UTC 
Still observed:

# yum update -y
> [...]
> ---> Package java-1.8.0-openjdk-headless.x86_64 1:1.8.0.45-35.b13.fc21 will be updated
> ---> Package java-1.8.0-openjdk-headless.x86_64 1:1.8.0.45-38.b14.fc21 will be an update
> [...]
>   Updating   : 1:java-1.8.0-openjdk-headless-1.8.0.45-38.b14.fc21.x86_64                                                                                                                 9/426 
> warning: /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.45-38.b14.fc21.x86_64/jre/lib/security/US_export_policy.jar created as /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.45-38.b14.fc21.x86_64/jre/lib/security/US_export_policy.jar.rpmnew
> warning: /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.45-38.b14.fc21.x86_64/jre/lib/security/java.security created as /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.45-38.b14.fc21.x86_64/jre/lib/security/java.security.rpmnew
> warning: /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.45-38.b14.fc21.x86_64/jre/lib/security/local_policy.jar created as /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.45-38.b14.fc21.x86_64/jre/lib/security/local_policy.jar.rpmnew
> [...]
Comment 10 Jan Pokorný [poki] 2015-06-23 13:48:44 UTC 
Still observed with Fedora 22:

> Jun 23 14:04:25 DEBUG ---> Package java-1.8.0-openjdk-headless.x86_64 1:1.8.0.45-39.b14.fc22 will be upgraded
> Jun 23 14:04:25 DEBUG ---> Package java-1.8.0-openjdk-headless.x86_64 1:1.8.0.45-40.b14.fc22 will be an upgrade
Comment 11 Jan Kurik 2015-07-15 14:37:44 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 23 development cycle.
Changing version to '23'.

(As we did not run this process for some time, it could affect also pre-Fedora 23 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 23 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora23
Comment 12 jiri vanek 2015-07-28 09:12:00 UTC 
Tbh, I dont know what to change. The md5sum is correct, also timestamp is correct.

So probably the different path is the key thing and I dont know how to workaround it. Without yum/dnf support it may be impossible.
Comment 13 jiri vanek 2016-01-13 13:15:43 UTC 
this was resolved.
Comment 14 Jan Pokorný [poki] 2016-03-16 13:14:24 UTC 
Don't think so:

# dnf -y update
> [...]
>   Upgrading   : java-1.8.0-openjdk-headless-1:1.8.0.72-1.b15.fc22.x86_64                                                                                              138/622 
> warning:
> /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.72-1.b15.fc22.x86_64/jre/lib/security/US_export_policy.jar
> created as
> /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.72-1.b15.fc22.x86_64/jre/lib/security/US_export_policy.jar.rpmnew
> warning:
> /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.72-1.b15.fc22.x86_64/jre/lib/security/local_policy.jar
> created as
> /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.72-1.b15.fc22.x86_64/jre/lib/security/local_policy.jar.rpmnew
> [...]
>   Cleanup     : java-1.8.0-openjdk-1:1.8.0.71-1.b15.fc22.x86_64                                                                                                       526/622 
>   Cleanup     : java-1.8.0-openjdk-headless-1:1.8.0.71-1.b15.fc22.x86_64                                                                                              527/622 
> warning:
> /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.71-1.b15.fc22.x86_64/jre/lib/security/local_policy.jar
> saved as
> /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.71-1.b15.fc22.x86_64/jre/lib/security/local_policy.jar.rpmsave
> warning:
> /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.71-1.b15.fc22.x86_64/jre/lib/security/US_export_policy.jar
> saved as
> /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.71-1.b15.fc22.x86_64/jre/lib/security/US_export_policy.jar.rpmsave
Comment 15 jiri vanek 2016-03-16 14:51:00 UTC 
It was fixed since  u45 (since then was u51, u71 and u72)
http://pkgs.fedoraproject.org/cgit/rpms/java-1.8.0-openjdk.git/tree/java-1.8.0-openjdk.spec?h=f22#n784
http://pkgs.fedoraproject.org/cgit/rpms/java-1.8.0-openjdk.git/tree/java-1.8.0-openjdk.spec?h=f22#n1535

And I'm not encountering the issue since that. I have jsut chekced on clean machine and it is fixed.

Have it occured in u51->u71?

May you try
 - to remove all your openjdks, install u71 and update to u72?
 - to remove all possible invalid /usr/lib/jvm/java-1.8.0-openjdk-* directories?
 - to remove various /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.*/jre/lib/security/*_policy.jar.*


If none of those helped, may you posted md5sums and timestamps of old ones before update and new ones after update?
Comment 16 Fedora End Of Life 2016-07-19 12:08:21 UTC 
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.