Support Adoptium "bootcycle-images" building to enhance reproducible builds and secure dev #815
Comments
|
Please note that the results of the bootcycle build (which I recommend as the final product of the build) appear in a different directory inside the ./build directory. |
|
A point to note, is this process is not enabled for cross-compiled builds. |
|
I believe that macOS building on Apple Silicon and shipping on x86_64 should be supported. |
|
A potential issue, is also the way Adoptium signs embedded Mac jmod dylib's using a dual pass "exploded-image", then sign, then "assemble-image", which is potentially not comaptible with bootcycle. |
|
To alleviate the issue of jrt-fs.jar being non-reporducible with different bootjdk, we need to investigate if upstream can re-build jrt-fs.jar after the "Build JDK" generation. |
So we can't quite(!), as the "Build JDK" or more accurately the "interim compiler" used with the standard build which then compiles the product modules, is just a compiler, as jdk-11+ versions do not build any jars (other than jrt-fs.jar). |
|
The other option to consider, to address the enhancement of a secure "bootcycle", would be to simply do 2 builds, and pass the output JDK from the first into the 2nd via --with-boot-jdk=<1st JDK> |
|
This issue has been mitigated upstream in jdk21+ by changing the jrt-fs build to use the interim compiler: openjdk/jdk21u@e2b89c7 |
Investigate the option of building openjdk using the "bootcycle-images" target, see: https://openjdk.org/groups/build/doc/building.html
This builds the JDK twice, the first time with the user chosen BootJDK, and then the final time using the JDK it just built.
So in essence the resulting jdk-nn is built using the same jdk-nn as the BootJDK.
This could have some advantages for reproducible builds and secure-dev:
The text was updated successfully, but these errors were encountered: