This small patch makes it possible to control java's truststore path through
the environment. This lets you add (system- or session-wide) CAs that should
be allowed by Java. Java users can still use -Djavax.net.ssl.truststore to
override the truststore set by JAVAX_NET_SSL_TRUSTSTORE.
Something like this can be used to build the truststore (in this example just
using the standard pkgs.cacert CA-bundle):
    {
      environment.variables.JAVAX_NET_SSL_TRUSTSTORE = "${
        pkgs.runCommand "cacerts" {} ''
          ${pkgs.perl}/bin/perl \
            ${pkgs.path}/pkgs/development/compilers/openjdk/generate-cacerts.pl \
            ${pkgs.jre}/bin/keytool \
            ${pkgs.cacert}/etc/ca-bundle.crt
          mv cacerts $out
        ''
      }";
    }
Ideally, the dependency on pkgs.cacert should also be removed from pkgs.openjdk
to avoid rebuilding java each time the standard CA-bundle changes. Something
along the example above must then be added to NixOS (however, it would be
nice to not depend on ${pkgs.jre}/bin/keytool to generate that environment
variable).
HotSpot uses the absolute path of libjvm.so to determine the java.home
property (ignoring $JAVA_HOME), which is in turn used by
ToolProvider.getSystemJavaCompiler() to load tools.jar. So we need to
do some trickery to ensure that if java gets invoked from the jdk
output (rather than the jre output), it finds libjvm.so in the jdk output.
This unifies the "openjdk" and "openjre" packages. The JDK is placed
in the "out" output, the JRE in "jre".
Also, everything is now stored in $prefix/lib/openjdk, so the JDK/JRE
no longer pollute user environments with files like
"ASSEMBLY_EXCEPTION" at top-level.
The openjdk BOOT_CYCLE bootstrap doesn't use the binaries built in the first stage for the second stage, so we get a bunch of errors like:
/bin/sh: /nix/store/wdgl7xl9b72hn212l0672ad5sn7vh44y-openjdk-bootstrap/bin/native2ascii: No such file or directory
Instead, just build each stage as a separate derivation.
Note that this is almost completely useless for now: when openjdk is built, a separate store path containing only the jre will be built, but it will not be added to the environment nor as a gc root. If you want to install just the jre, for now build openjre (which uses the jreOnly parameter). Once multiple outputs are more feature-complete, this should hopefully be useful and remove the need for the jreOnly parameter.
svn path=/nixpkgs/trunk/; revision=28481