From d6eb9f15156c62f801e53ad62d04041a98205107 Mon Sep 17 00:00:00 2001 From: Tomo Date: Sat, 2 Nov 2024 02:42:27 +0000 Subject: [PATCH] oracle{jdk,jre}: drop "Unmaintained security disaster" -anonymous Nixpkgs maintainer --- .../manual/release-notes/rl-2411.section.md | 5 + .../compilers/oraclejdk/dlj-bundle-builder.sh | 60 ------ .../compilers/oraclejdk/jdk-linux-base.nix | 193 ------------------ .../compilers/oraclejdk/jdk11-linux.nix | 54 ----- .../compilers/oraclejdk/jdk8-linux.nix | 10 - pkgs/top-level/aliases.nix | 9 + pkgs/top-level/all-packages.nix | 21 -- 7 files changed, 14 insertions(+), 338 deletions(-) delete mode 100644 pkgs/development/compilers/oraclejdk/dlj-bundle-builder.sh delete mode 100644 pkgs/development/compilers/oraclejdk/jdk-linux-base.nix delete mode 100644 pkgs/development/compilers/oraclejdk/jdk11-linux.nix delete mode 100644 pkgs/development/compilers/oraclejdk/jdk8-linux.nix diff --git a/nixos/doc/manual/release-notes/rl-2411.section.md b/nixos/doc/manual/release-notes/rl-2411.section.md index c5d1395ebb6a..0b3a160e28e7 100644 --- a/nixos/doc/manual/release-notes/rl-2411.section.md +++ b/nixos/doc/manual/release-notes/rl-2411.section.md @@ -333,6 +333,11 @@ This change requires granting access to the repositories to this user or setting the appropriate one through `services.cgit.some-instance.user`. +- All Oracle JDKs and JREs (`oraclejdk`, `oraclejdk8`, `oraclejre`, `oraclejre8`, + `jrePlugin`, `jre8Plugin`, `jdkdistro`, `oraclejdk8distro`, and `oraclejdk11`) + were dropped due to being unmaintained and heavily insecure. OpenJDK provides + compatible replacements for JDKs and JREs. + - `gradle_6` was removed due to being [unsupported upstream as of 10 Feb 2023](https://endoflife.date/gradle). Additionally, it had numerous security vulnerabilities that were only patched in later versions, such as [CVE-2021-29429](https://nvd.nist.gov/vuln/detail/CVE-2021-32751), 
diff --git a/pkgs/development/compilers/oraclejdk/dlj-bundle-builder.sh b/pkgs/development/compilers/oraclejdk/dlj-bundle-builder.sh deleted file mode 100644 index 459bfce50988..000000000000 --- a/pkgs/development/compilers/oraclejdk/dlj-bundle-builder.sh +++ /dev/null @@ -1,60 +0,0 @@ -source $stdenv/setup - -echo "Unpacking distribution" -unzip ${src} || true - -# set the dynamic linker of unpack200, necessary for construct script -echo "patching unpack200" -patchelf --interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" --set-rpath "" */bin/unpack200 - -echo "constructing JDK and JRE installations" -if test -z "$installjdk"; then - sh ${construct} . tmp-linux-jdk tmp-linux-jre - mkdir -p $out - cp -R tmp-linux-jre/* $out -else - sh ${construct} . $out tmp-linux-jre -fi - -echo "removing files at top level of installation" -for file in $out/* -do - if test -f $file ; then - rm $file - fi -done -rm -rf $out/docs - -# construct the rpath -rpath= -for i in $libraries; do - rpath=$rpath${rpath:+:}$i/lib -done - -if test -z "$installjdk"; then - jrePath=$out -else - jrePath=$out/jre -fi - -if test -n "$jce"; then - unzip $jce - cp -v jce/*.jar $jrePath/lib/security -fi - -rpath=$rpath${rpath:+:}$jrePath/lib/$architecture/jli - -# set all the dynamic linkers -find $out -type f -perm -0100 \ - -exec patchelf --interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \ - --set-rpath "$rpath" {} \; - -find $out -name "*.so" -exec patchelf --set-rpath "$rpath" {} \; - -if test -z "$pluginSupport"; then - rm -f $out/bin/javaws -fi - -mkdir $jrePath/lib/$architecture/plugins -ln -s $jrePath/lib/$architecture/libnpjp2.so $jrePath/lib/$architecture/plugins - diff --git a/pkgs/development/compilers/oraclejdk/jdk-linux-base.nix b/pkgs/development/compilers/oraclejdk/jdk-linux-base.nix deleted file mode 100644 index 05045f9bccd2..000000000000 --- a/pkgs/development/compilers/oraclejdk/jdk-linux-base.nix +++ /dev/null 
@@ -1,193 +0,0 @@ -{ productVersion -, patchVersion -, sha256 -, jceName -, sha256JCE -}: - -{ swingSupport ? true -, lib, stdenv -, requireFile -, makeWrapper -, unzip -, file -, xorg ? null -, installjdk ? true -, pluginSupport ? true -, installjce ? false -, config -, glib -, libxml2 -, ffmpeg -, libxslt -, libGL -, freetype -, fontconfig -, gtk2 -, pango -, cairo -, alsa-lib -, atk -, gdk-pixbuf -, setJavaClassPath -}: - -assert swingSupport -> xorg != null; - -let - - /** - * The JRE libraries are in directories that depend on the CPU. - */ - architecture = { - i686-linux = "i386"; - x86_64-linux = "amd64"; - armv7l-linux = "arm"; - aarch64-linux = "aarch64"; - }.${stdenv.hostPlatform.system} or (throw "unsupported system ${stdenv.hostPlatform.system}"); - - jce = - if installjce then - requireFile { - name = jceName; - url = "http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html"; - sha256 = sha256JCE; - } - else - ""; - - rSubPaths = [ - "lib/${architecture}/jli" - "lib/${architecture}/server" - "lib/${architecture}/xawt" - "lib/${architecture}" - ]; - -in - -let result = stdenv.mkDerivation rec { - pname = if installjdk then "oraclejdk" else "oraclejre" + lib.optionalString pluginSupport "-with-plugin"; - version = "${productVersion}u${patchVersion}"; - - src = - let - platformName = { - i686-linux = "linux-i586"; - x86_64-linux = "linux-x64"; - armv7l-linux = "linux-arm32-vfp-hflt"; - aarch64-linux = "linux-aarch64"; - }.${stdenv.hostPlatform.system} or (throw "unsupported system ${stdenv.hostPlatform.system}"); - in requireFile { - name = "jdk-${productVersion}u${patchVersion}-${platformName}.tar.gz"; - url = "http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html"; - sha256 = sha256.${stdenv.hostPlatform.system} or (throw "unsupported system ${stdenv.hostPlatform.system}"); - }; - - nativeBuildInputs = [ file makeWrapper ] - ++ lib.optional installjce unzip; - - # See: 
https://github.com/NixOS/patchelf/issues/10 - dontStrip = 1; - - installPhase = '' - cd .. - - if test -z "$installjdk"; then - mv $sourceRoot/jre $out - else - mv $sourceRoot $out - fi - - shopt -s extglob - for file in $out/!(*src.zip) - do - if test -f $file ; then - rm $file - fi - done - - if test -n "$installjdk"; then - for file in $out/jre/* - do - if test -f $file ; then - rm $file - fi - done - fi - - if test -z "$installjdk"; then - jrePath=$out - else - jrePath=$out/jre - fi - - if test -n "${jce}"; then - unzip ${jce} - cp -v UnlimitedJCEPolicy*/*.jar $jrePath/lib/security - fi - - if test -z "$pluginSupport"; then - rm -f $out/bin/javaws - if test -n "$installjdk"; then - rm -f $out/jre/bin/javaws - fi - fi - - mkdir $jrePath/lib/${architecture}/plugins - ln -s $jrePath/lib/${architecture}/libnpjp2.so $jrePath/lib/${architecture}/plugins - - mkdir -p $out/nix-support - printWords ${setJavaClassPath} > $out/nix-support/propagated-build-inputs - - # Set JAVA_HOME automatically. 
- cat <> $out/nix-support/setup-hook - if [ -z "\''${JAVA_HOME-}" ]; then export JAVA_HOME=$out; fi - EOF - ''; - - postFixup = '' - rpath+="''${rpath:+:}${lib.concatStringsSep ":" (map (a: "$jrePath/${a}") rSubPaths)}" - - # set all the dynamic linkers - find $out -type f -perm -0100 \ - -exec patchelf --interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" \ - --set-rpath "$rpath" {} \; - - find $out -name "*.so" -exec patchelf --set-rpath "$rpath" {} \; - - # Oracle Java Mission Control needs to know where libgtk-x11 and related is - if test -n "$installjdk" -a -x $out/bin/jmc; then - wrapProgram "$out/bin/jmc" \ - --suffix-each LD_LIBRARY_PATH ':' "$rpath" - fi - ''; - - inherit installjdk pluginSupport; - - /** - * libXt is only needed on amd64 - */ - libraries = - [stdenv.cc.libc glib libxml2 ffmpeg libxslt libGL xorg.libXxf86vm alsa-lib fontconfig freetype pango gtk2 cairo gdk-pixbuf atk] ++ - lib.optionals swingSupport [xorg.libX11 xorg.libXext xorg.libXtst xorg.libXi xorg.libXp xorg.libXt xorg.libXrender stdenv.cc.cc]; - - rpath = lib.strings.makeLibraryPath libraries; - - passthru.mozillaPlugin = if installjdk then "/jre/lib/${architecture}/plugins" else "/lib/${architecture}/plugins"; - - passthru.jre = result; # FIXME: use multiple outputs or return actual JRE package - - passthru.home = result; - - passthru.architecture = architecture; - - meta = with lib; { - license = licenses.unfree; - platforms = [ "i686-linux" "x86_64-linux" "armv7l-linux" "aarch64-linux" ]; # some inherit jre.meta.platforms - mainProgram = "java"; - knownVulnerabilities = [ - "The Oracle JDKs included with Nixpkgs have not been updated since 2021. They contain many known vulnerabilities (https://openjdk.org/groups/vulnerability/advisories/). OpenJDK provides a comparable alternative." - ]; - }; - -}; in result 
diff --git a/pkgs/development/compilers/oraclejdk/jdk11-linux.nix b/pkgs/development/compilers/oraclejdk/jdk11-linux.nix deleted file mode 100644 index a232b796a068..000000000000 --- a/pkgs/development/compilers/oraclejdk/jdk11-linux.nix +++ /dev/null @@ -1,54 +0,0 @@ -{ lib, stdenv -, requireFile -, xorg -, zlib -, freetype -, alsa-lib -, setJavaClassPath -}: - -let result = stdenv.mkDerivation rec { - pname = "oraclejdk"; - version = "11.0.10"; - - src = requireFile { - name = "jdk-${version}_linux-x64_bin.tar.gz"; - url = "https://www.oracle.com/java/technologies/javase-jdk11-downloads.html"; - sha256 = "94bd34f85ee38d3ef59e5289ec7450b9443b924c55625661fffe66b03f2c8de2"; - }; - - installPhase = '' - mv ../$sourceRoot $out - - mkdir -p $out/nix-support - printWords ${setJavaClassPath} > $out/nix-support/propagated-build-inputs - - # Set JAVA_HOME automatically. - cat <> $out/nix-support/setup-hook - if [ -z "\''${JAVA_HOME-}" ]; then export JAVA_HOME=$out; fi - EOF - ''; - - postFixup = '' - rpath="$out/lib/jli:$out/lib/server:$out/lib:${lib.strings.makeLibraryPath [ zlib xorg.libX11 xorg.libXext xorg.libXtst xorg.libXi xorg.libXrender freetype alsa-lib]}" - - for f in $(find $out -name "*.so") $(find $out -type f -perm -0100); do - patchelf --interpreter "$(cat $NIX_CC/nix-support/dynamic-linker)" "$f" || true - patchelf --set-rpath "$rpath" "$f" || true - done - - for f in $(find $out -name "*.so") $(find $out -type f -perm -0100); do - if ldd "$f" | fgrep 'not found'; then echo "in file $f"; fi - done - ''; - - passthru.jre = result; - passthru.home = result; - - dontStrip = true; # See: https://github.com/NixOS/patchelf/issues/10 - - meta = with lib; { - license = licenses.unfree; - platforms = [ "x86_64-linux" ]; - }; -}; in result diff --git a/pkgs/development/compilers/oraclejdk/jdk8-linux.nix b/pkgs/development/compilers/oraclejdk/jdk8-linux.nix deleted file mode 100644 index 206df75b9ebf..000000000000 
--- a/pkgs/development/compilers/oraclejdk/jdk8-linux.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-import ./jdk-linux-base.nix {
- productVersion = "8";
- patchVersion = "281";
- sha256.i686-linux = "/yEY5O6MYNyjS5YSGZtgydb8th6jHQLNvI9tNPIh3+0=";
- sha256.x86_64-linux = "hejH2nJIx0UPsQVWeniEHQlzWXhQd2wkpSf+sC7z5YY=";
- sha256.armv7l-linux = "oXbW8hZxesDqwV79ANB4SdnS71O51ZApKbQhqq4i/EM=";
- sha256.aarch64-linux = "oFH3TeIzVsFk6IZcDEHVDVJC7dSbGcwhdUH/WUXSNDM=";
- jceName = "jce_policy-8.zip";
- sha256JCE = "19n5wadargg3v8x76r7ayag6p2xz1bwhrgdzjs9f4i6fvxz9jr4w";
-}
diff --git a/pkgs/top-level/aliases.nix b/pkgs/top-level/aliases.nix
index 7db3127df523..6603b96b8191 100644
--- a/pkgs/top-level/aliases.nix
+++ b/pkgs/top-level/aliases.nix
@@ -900,6 +900,15 @@ mapAliases {
 onlyoffice-bin_7_2 = throw "onlyoffice-bin_7_2 has been removed. Please use the latest version available under onlyoffice-bin"; # Added 2024-07-03
 onlyoffice-bin_7_5 = throw "onlyoffice-bin_7_5 has been removed. Please use the latest version available under onlyoffice-bin"; # Added 2024-07-03
 openvswitch-lts = throw "openvswitch-lts has been removed. Please use the latest version available under openvswitch"; # Added 2024-08-24
+ oraclejdk = throw "All Oracle JDKs and JREs were dropped due to being unmaintained and heavily insecure. OpenJDK provides compatible replacements for JDKs and JREs."; # Added 2024-11-01
+ oraclejdk8 = throw "All Oracle JDKs and JREs were dropped due to being unmaintained and heavily insecure. OpenJDK provides compatible replacements for JDKs and JREs."; # Added 2024-11-01
+ oraclejre = throw "All Oracle JDKs and JREs were dropped due to being unmaintained and heavily insecure. OpenJDK provides compatible replacements for JDKs and JREs."; # Added 2024-11-01
+ oraclejre8 = throw "All Oracle JDKs and JREs were dropped due to being unmaintained and heavily insecure. OpenJDK provides compatible replacements for JDKs and JREs."; # Added 2024-11-01
+ jrePlugin = throw "All Oracle JDKs and JREs were dropped due to being unmaintained and heavily insecure. OpenJDK provides compatible replacements for JDKs and JREs."; # Added 2024-11-01
+ jre8Plugin = throw "All Oracle JDKs and JREs were dropped due to being unmaintained and heavily insecure. OpenJDK provides compatible replacements for JDKs and JREs."; # Added 2024-11-01
+ jdkdistro = throw "All Oracle JDKs and JREs were dropped due to being unmaintained and heavily insecure. OpenJDK provides compatible replacements for JDKs and JREs."; # Added 2024-11-01
+ oraclejdk8distro = throw "All Oracle JDKs and JREs were dropped due to being unmaintained and heavily insecure. OpenJDK provides compatible replacements for JDKs and JREs."; # Added 2024-11-01
+ oraclejdk11 = throw "All Oracle JDKs and JREs were dropped due to being unmaintained and heavily insecure. OpenJDK provides compatible replacements for JDKs and JREs."; # Added 2024-11-01
 OSCAR = oscar; # Added 2024-06-12
 osxfuse = throw "'osxfuse' has been renamed to/replaced by 'macfuse-stubs'"; # Converted to throw 2024-10-17
 ovn-lts = throw "ovn-lts has been removed. Please use the latest version available under ovn"; # Added 2024-08-24
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index a6992f6a702c..a1d0b7aca1b1 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -15012,27 +15012,6 @@ with pkgs; openspin = callPackage ../development/compilers/openspin { }; - oraclejdk = jdkdistro true false; - - oraclejdk8 = oraclejdk8distro true false; - - oraclejre = lowPrio (jdkdistro false false); - - oraclejre8 = lowPrio (oraclejdk8distro false false); - - jrePlugin = jre8Plugin; - - jre8Plugin = lowPrio (oraclejdk8distro false true); - - jdkdistro = oraclejdk8distro; - - oraclejdk8distro = installjdk: pluginSupport: - (callPackage ../development/compilers/oraclejdk/jdk8-linux.nix { - inherit installjdk pluginSupport; - }); - - oraclejdk11 = callPackage ../development/compilers/oraclejdk/jdk11-linux.nix { }; - jasmin = callPackage ../development/compilers/jasmin { }; java-service-wrapper = callPackage ../tools/system/java-service-wrapper { };
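Review bot: In the `pkgs/top-level/aliases.nix` hunk, the `jrePlugin` and `jre8Plugin` throws promise that OpenJDK provides a compatible replacement, but the deleted builders show these attributes existed for the browser plugin (`libnpjp2.so`, `javaws`), which OpenJDK does not include. A user who follows the message will find no equivalent and may pin an older Nixpkgs revision to keep the vulnerable package, so those two deserve their own text, e.g. `jrePlugin = throw "jrePlugin (Oracle's Java browser plugin) was removed as unmaintained and insecure; OpenJDK does not include a browser plugin";`. For the remaining aliases, naming the attribute to switch to (for example `jdk8` or `jdk11`, if those are the intended targets) would match the neighbouring entries, which point at a concrete attribute such as `onlyoffice-bin`. As a style point, `jrePlugin`, `jre8Plugin` and `jdkdistro` are placed in the `o` block of a list that appears to be sorted alphabetically.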