oracle{jdk,jre}: drop

"Unmaintained security disaster" -anonymous Nixpkgs maintainer
2024-11-02 02:42:27 +00:00 · 2024-11-02 02:42:27 +00:00 · d6eb9f1515
commit d6eb9f1515
parent c0d9ad3ec4
7 changed files with 14 additions and 338 deletions
--- a/nixos/doc/manual/release-notes/rl-2411.section.md
+++ b/nixos/doc/manual/release-notes/rl-2411.section.md
@ -333,6 +333,11 @@
  This change requires granting access to the repositories to this user or
  setting the appropriate one through `services.cgit.some-instance.user`.

+- All Oracle JDKs and JREs (`oraclejdk`, `oraclejdk8`, `oraclejre`, `oraclejre8`,
+  `jrePlugin`, `jre8Plugin`, `jdkdistro`, `oraclejdk8distro`, and `oraclejdk11`)
+  were dropped due to being unmaintained and heavily insecure. OpenJDK provides
+  compatible replacements for JDKs and JREs.
+
 - `gradle_6` was removed due to being [unsupported upstream as of 10 Feb 2023](https://endoflife.date/gradle).
  Additionally, it had numerous security vulnerabilities that were only patched
  in later versions, such as [CVE-2021-29429](https://nvd.nist.gov/vuln/detail/CVE-2021-32751),
--- a/pkgs/development/compilers/oraclejdk/dlj-bundle-builder.sh
+++ b/pkgs/development/compilers/oraclejdk/dlj-bundle-builder.sh
@ -1,60 +0,0 @@
-source $stdenv/setup
-
-echo "Unpacking distribution"
-unzip ${src} || true
-
-# set the dynamic linker of unpack200, necessary for construct script
-echo "patching unpack200"
-patchelf --interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" --set-rpath "" */bin/unpack200
-
-echo "constructing JDK and JRE installations"
-if test -z "$installjdk"; then
-  sh ${construct} . tmp-linux-jdk tmp-linux-jre
-  mkdir -p $out
-  cp -R tmp-linux-jre/* $out
-else
-  sh ${construct} . $out tmp-linux-jre
-fi
-
-echo "removing files at top level of installation"
-for file in $out/*
-do
-  if test -f $file ; then
-    rm $file
-  fi
-done
-rm -rf $out/docs
-
-# construct the rpath
-rpath=
-for i in $libraries; do
-    rpath=$rpath${rpath:+:}$i/lib
-done
-
-if test -z "$installjdk"; then
-  jrePath=$out
-else
-  jrePath=$out/jre
-fi
-
-if test -n "$jce"; then
-  unzip $jce
-  cp -v jce/*.jar $jrePath/lib/security
-fi
-
-rpath=$rpath${rpath:+:}$jrePath/lib/$architecture/jli
-
-# set all the dynamic linkers
-find $out -type f -perm -0100 \
-    -exec patchelf --interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \
-    --set-rpath "$rpath" {} \;
-
-find $out -name "*.so" -exec patchelf --set-rpath "$rpath" {} \;
-
-if test -z "$pluginSupport"; then
-    rm -f $out/bin/javaws
-fi
-
-mkdir $jrePath/lib/$architecture/plugins
-ln -s $jrePath/lib/$architecture/libnpjp2.so $jrePath/lib/$architecture/plugins
-
--- a/pkgs/development/compilers/oraclejdk/jdk-linux-base.nix
+++ b/pkgs/development/compilers/oraclejdk/jdk-linux-base.nix
@ -1,193 +0,0 @@
-{ productVersion
-, patchVersion
-, sha256
-, jceName
-, sha256JCE
-}:
-
-{ swingSupport ? true
-, lib, stdenv
-, requireFile
-, makeWrapper
-, unzip
-, file
-, xorg ? null
-, installjdk ? true
-, pluginSupport ? true
-, installjce ? false
-, config
-, glib
-, libxml2
-, ffmpeg
-, libxslt
-, libGL
-, freetype
-, fontconfig
-, gtk2
-, pango
-, cairo
-, alsa-lib
-, atk
-, gdk-pixbuf
-, setJavaClassPath
-}:
-
-assert swingSupport -> xorg != null;
-
-let
-
-  /**
-   * The JRE libraries are in directories that depend on the CPU.
-   */
-  architecture = {
-    i686-linux    = "i386";
-    x86_64-linux  = "amd64";
-    armv7l-linux  = "arm";
-    aarch64-linux = "aarch64";
-  }.${stdenv.hostPlatform.system} or (throw "unsupported system ${stdenv.hostPlatform.system}");
-
-  jce =
-    if installjce then
-      requireFile {
-        name = jceName;
-        url = "http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html";
-        sha256 = sha256JCE;
-      }
-    else
-      "";
-
-  rSubPaths = [
-    "lib/${architecture}/jli"
-    "lib/${architecture}/server"
-    "lib/${architecture}/xawt"
-    "lib/${architecture}"
-  ];
-
-in
-
-let result = stdenv.mkDerivation rec {
-  pname = if installjdk then "oraclejdk" else "oraclejre" + lib.optionalString pluginSupport "-with-plugin";
-  version = "${productVersion}u${patchVersion}";
-
-  src =
-    let
-      platformName = {
-        i686-linux    = "linux-i586";
-        x86_64-linux  = "linux-x64";
-        armv7l-linux  = "linux-arm32-vfp-hflt";
-        aarch64-linux = "linux-aarch64";
-      }.${stdenv.hostPlatform.system} or (throw "unsupported system ${stdenv.hostPlatform.system}");
-    in requireFile {
-      name = "jdk-${productVersion}u${patchVersion}-${platformName}.tar.gz";
-      url = "http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html";
-      sha256 = sha256.${stdenv.hostPlatform.system} or (throw "unsupported system ${stdenv.hostPlatform.system}");
-    };
-
-  nativeBuildInputs = [ file makeWrapper ]
-    ++ lib.optional installjce unzip;
-
-  # See: https://github.com/NixOS/patchelf/issues/10
-  dontStrip = 1;
-
-  installPhase = ''
-    cd ..
-
-    if test -z "$installjdk"; then
-      mv $sourceRoot/jre $out
-    else
-      mv $sourceRoot $out
-    fi
-
-    shopt -s extglob
-    for file in $out/!(*src.zip)
-    do
-      if test -f $file ; then
-        rm $file
-      fi
-    done
-
-    if test -n "$installjdk"; then
-      for file in $out/jre/*
-      do
-        if test -f $file ; then
-          rm $file
-        fi
-      done
-    fi
-
-    if test -z "$installjdk"; then
-      jrePath=$out
-    else
-      jrePath=$out/jre
-    fi
-
-    if test -n "${jce}"; then
-      unzip ${jce}
-      cp -v UnlimitedJCEPolicy*/*.jar $jrePath/lib/security
-    fi
-
-    if test -z "$pluginSupport"; then
-      rm -f $out/bin/javaws
-      if test -n "$installjdk"; then
-        rm -f $out/jre/bin/javaws
-      fi
-    fi
-
-    mkdir $jrePath/lib/${architecture}/plugins
-    ln -s $jrePath/lib/${architecture}/libnpjp2.so $jrePath/lib/${architecture}/plugins
-
-    mkdir -p $out/nix-support
-    printWords ${setJavaClassPath} > $out/nix-support/propagated-build-inputs
-
-    # Set JAVA_HOME automatically.
-    cat <<EOF >> $out/nix-support/setup-hook
-    if [ -z "\''${JAVA_HOME-}" ]; then export JAVA_HOME=$out; fi
-    EOF
-  '';
-
-  postFixup = ''
-    rpath+="''${rpath:+:}${lib.concatStringsSep ":" (map (a: "$jrePath/${a}") rSubPaths)}"
-
-    # set all the dynamic linkers
-    find $out -type f -perm -0100 \
-        -exec patchelf --interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \
-        --set-rpath "$rpath" {} \;
-
-    find $out -name "*.so" -exec patchelf --set-rpath "$rpath" {} \;
-
-    # Oracle Java Mission Control needs to know where libgtk-x11 and related is
-    if test -n "$installjdk" -a -x $out/bin/jmc; then
-      wrapProgram "$out/bin/jmc" \
-          --suffix-each LD_LIBRARY_PATH ':' "$rpath"
-    fi
-  '';
-
-  inherit installjdk pluginSupport;
-
-  /**
-   * libXt is only needed on amd64
-   */
-  libraries =
-    [stdenv.cc.libc glib libxml2 ffmpeg libxslt libGL xorg.libXxf86vm alsa-lib fontconfig freetype pango gtk2 cairo gdk-pixbuf atk] ++
-    lib.optionals swingSupport [xorg.libX11 xorg.libXext xorg.libXtst xorg.libXi xorg.libXp xorg.libXt xorg.libXrender stdenv.cc.cc];
-
-  rpath = lib.strings.makeLibraryPath libraries;
-
-  passthru.mozillaPlugin = if installjdk then "/jre/lib/${architecture}/plugins" else "/lib/${architecture}/plugins";
-
-  passthru.jre = result; # FIXME: use multiple outputs or return actual JRE package
-
-  passthru.home = result;
-
-  passthru.architecture = architecture;
-
-  meta = with lib; {
-    license = licenses.unfree;
-    platforms = [ "i686-linux" "x86_64-linux" "armv7l-linux" "aarch64-linux" ]; # some inherit jre.meta.platforms
-    mainProgram = "java";
-    knownVulnerabilities = [
-      "The Oracle JDKs included with Nixpkgs have not been updated since 2021. They contain many known vulnerabilities (https://openjdk.org/groups/vulnerability/advisories/). OpenJDK provides a comparable alternative."
-    ];
-  };
-
-}; in result
--- a/pkgs/development/compilers/oraclejdk/jdk11-linux.nix
+++ b/pkgs/development/compilers/oraclejdk/jdk11-linux.nix
@ -1,54 +0,0 @@
-{ lib, stdenv
-, requireFile
-, xorg
-, zlib
-, freetype
-, alsa-lib
-, setJavaClassPath
-}:
-
-let result = stdenv.mkDerivation rec {
-  pname = "oraclejdk";
-  version = "11.0.10";
-
-  src = requireFile {
-    name = "jdk-${version}_linux-x64_bin.tar.gz";
-    url = "https://www.oracle.com/java/technologies/javase-jdk11-downloads.html";
-    sha256 = "94bd34f85ee38d3ef59e5289ec7450b9443b924c55625661fffe66b03f2c8de2";
-  };
-
-  installPhase = ''
-    mv ../$sourceRoot $out
-
-    mkdir -p $out/nix-support
-    printWords ${setJavaClassPath} > $out/nix-support/propagated-build-inputs
-
-    # Set JAVA_HOME automatically.
-    cat <<EOF >> $out/nix-support/setup-hook
-    if [ -z "\''${JAVA_HOME-}" ]; then export JAVA_HOME=$out; fi
-    EOF
-  '';
-
-  postFixup = ''
-    rpath="$out/lib/jli:$out/lib/server:$out/lib:${lib.strings.makeLibraryPath [ zlib xorg.libX11 xorg.libXext xorg.libXtst xorg.libXi xorg.libXrender freetype alsa-lib]}"
-
-    for f in $(find $out -name "*.so") $(find $out -type f -perm -0100); do
-      patchelf --interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" "$f" || true
-      patchelf --set-rpath   "$rpath"                                    "$f" || true
-    done
-
-    for f in $(find $out -name "*.so") $(find $out -type f -perm -0100); do
-      if ldd "$f" | fgrep 'not found'; then echo "in file $f"; fi
-    done
-  '';
-
-  passthru.jre = result;
-  passthru.home = result;
-
-  dontStrip = true; # See: https://github.com/NixOS/patchelf/issues/10
-
-  meta = with lib; {
-    license = licenses.unfree;
-    platforms = [ "x86_64-linux" ];
-  };
-}; in result
--- a/pkgs/development/compilers/oraclejdk/jdk8-linux.nix
+++ b/pkgs/development/compilers/oraclejdk/jdk8-linux.nix
@ -1,10 +0,0 @@
-import ./jdk-linux-base.nix {
-  productVersion = "8";
-  patchVersion = "281";
-  sha256.i686-linux = "/yEY5O6MYNyjS5YSGZtgydb8th6jHQLNvI9tNPIh3+0=";
-  sha256.x86_64-linux = "hejH2nJIx0UPsQVWeniEHQlzWXhQd2wkpSf+sC7z5YY=";
-  sha256.armv7l-linux = "oXbW8hZxesDqwV79ANB4SdnS71O51ZApKbQhqq4i/EM=";
-  sha256.aarch64-linux = "oFH3TeIzVsFk6IZcDEHVDVJC7dSbGcwhdUH/WUXSNDM=";
-  jceName = "jce_policy-8.zip";
-  sha256JCE = "19n5wadargg3v8x76r7ayag6p2xz1bwhrgdzjs9f4i6fvxz9jr4w";
-}
--- a/pkgs/top-level/aliases.nix
+++ b/pkgs/top-level/aliases.nix
@ -900,6 +900,15 @@ mapAliases {
  onlyoffice-bin_7_2 = throw "onlyoffice-bin_7_2 has been removed. Please use the latest version available under onlyoffice-bin"; # Added 2024-07-03
  onlyoffice-bin_7_5 = throw "onlyoffice-bin_7_5 has been removed. Please use the latest version available under onlyoffice-bin"; # Added 2024-07-03
  openvswitch-lts = throw "openvswitch-lts has been removed. Please use the latest version available under openvswitch"; # Added 2024-08-24
+  oraclejdk = throw "All Oracle JDKs and JREs were dropped due to being unmaintained and heavily insecure. OpenJDK provides compatible replacements for JDKs and JREs."; # Added 2024-11-01
+  oraclejdk8 = throw "All Oracle JDKs and JREs were dropped due to being unmaintained and heavily insecure. OpenJDK provides compatible replacements for JDKs and JREs."; # Added 2024-11-01
+  oraclejre = throw "All Oracle JDKs and JREs were dropped due to being unmaintained and heavily insecure. OpenJDK provides compatible replacements for JDKs and JREs."; # Added 2024-11-01
+  oraclejre8 = throw "All Oracle JDKs and JREs were dropped due to being unmaintained and heavily insecure. OpenJDK provides compatible replacements for JDKs and JREs."; # Added 2024-11-01
+  jrePlugin = throw "All Oracle JDKs and JREs were dropped due to being unmaintained and heavily insecure. OpenJDK provides compatible replacements for JDKs and JREs."; # Added 2024-11-01
+  jre8Plugin = throw "All Oracle JDKs and JREs were dropped due to being unmaintained and heavily insecure. OpenJDK provides compatible replacements for JDKs and JREs."; # Added 2024-11-01
+  jdkdistro = throw "All Oracle JDKs and JREs were dropped due to being unmaintained and heavily insecure. OpenJDK provides compatible replacements for JDKs and JREs."; # Added 2024-11-01
+  oraclejdk8distro = throw "All Oracle JDKs and JREs were dropped due to being unmaintained and heavily insecure. OpenJDK provides compatible replacements for JDKs and JREs."; # Added 2024-11-01
+  oraclejdk11 = throw "All Oracle JDKs and JREs were dropped due to being unmaintained and heavily insecure. OpenJDK provides compatible replacements for JDKs and JREs."; # Added 2024-11-01
  OSCAR = oscar; # Added 2024-06-12
  osxfuse = throw "'osxfuse' has been renamed to/replaced by 'macfuse-stubs'"; # Converted to throw 2024-10-17
  ovn-lts = throw "ovn-lts has been removed. Please use the latest version available under ovn"; # Added 2024-08-24
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -15012,27 +15012,6 @@ with pkgs;

  openspin = callPackage ../development/compilers/openspin { };

-  oraclejdk = jdkdistro true false;
-
-  oraclejdk8 = oraclejdk8distro true false;
-
-  oraclejre = lowPrio (jdkdistro false false);
-
-  oraclejre8 = lowPrio (oraclejdk8distro false false);
-
-  jrePlugin = jre8Plugin;
-
-  jre8Plugin = lowPrio (oraclejdk8distro false true);
-
-  jdkdistro = oraclejdk8distro;
-
-  oraclejdk8distro = installjdk: pluginSupport:
-    (callPackage ../development/compilers/oraclejdk/jdk8-linux.nix {
-      inherit installjdk pluginSupport;
-    });
-
-  oraclejdk11 = callPackage ../development/compilers/oraclejdk/jdk11-linux.nix { };
-
  jasmin = callPackage ../development/compilers/jasmin { };

  java-service-wrapper = callPackage ../tools/system/java-service-wrapper { };