changeset 12600:54f9a4d2496f

Merge
author asaha
date Tue, 20 Dec 2016 13:28:30 -0800
parents e9c7ecc5a9fc e946652b3807
children d120d2010cc9
files .hgtags test/sun/security/tools/jarsigner/ts.sh
diffstat 104 files changed, 3624 insertions(+), 2018 deletions(-) [+]
line wrap: on
line diff
--- a/.hgtags	Tue Dec 13 12:52:17 2016 -0800
+++ b/.hgtags	Tue Dec 20 13:28:30 2016 -0800
@@ -663,11 +663,21 @@
 d2d8b67021a0f41e0eabd711bfd87a943dc0a8d5 jdk8u112-b14
 60767ec3909b3d0cb26dd7b3f952c62053719dda jdk8u112-b15
 5dd7e4bae5c2f1ee4f80c5570e7e3e2f715f7a32 jdk8u112-b16
+41fac11792c1ee6945f56721ee558a7424395a81 jdk8u112-b31
 ab5ff8f1e52c5e3ca02e988f4d978af63ceca5b8 jdk8u121-b00
 5f0839ac7e0d25dd1ae705df496b12ca76c26d59 jdk8u121-b01
 f91e3aa155b3c6774afb456db15fb358313d5771 jdk8u121-b02
 ecdb635eaf4886829089b987c339e35dfb5ea0e8 jdk8u121-b03
 d54219144844fb358f87f4a37255242aae9782fa jdk8u121-b04
+fb4e3a7375c91e02bd1c0a764dfb53fba3839c18 jdk8u121-b05
+3bc671481026decc460e636e8b2f19a36bfe89af jdk8u121-b06
+a2c2fbc61674869e85d5345804cff4834cc010d1 jdk8u121-b07
+392209fbe127896df2749344ea127f2c0a62da55 jdk8u121-b08
+494d27357b8cfc6b6c4346a814c8717a8502d769 jdk8u121-b09
+d66de7e2f672a1ff6947846818412fa899456972 jdk8u121-b10
+ec72a941be0a50ab77f5375cf710bc06e4f118d3 jdk8u121-b11
+9561afc12df843ef21ecd9d7b3633371e7a2bfc4 jdk8u121-b12
+2974746e56192cdd14fc2dd43179bcf28e4faf4a jdk8u121-b13
 032874d46bf95478cb86690b3c91d335c0764b0b jdk8u131-b00
 a160009bbe1417d85f1c0eec890fdb17391b3637 jdk8u141-b00
 072e084bceeedeb75467e40ca77786ac9ef5227a jdk8u151-b00
--- a/make/data/tzdata/VERSION	Tue Dec 13 12:52:17 2016 -0800
+++ b/make/data/tzdata/VERSION	Tue Dec 20 13:28:30 2016 -0800
@@ -21,4 +21,4 @@
 # or visit www.oracle.com if you need additional information or have any
 # questions.
 #
-tzdata2016f
+tzdata2016i
--- a/make/data/tzdata/africa	Tue Dec 13 12:52:17 2016 -0800
+++ b/make/data/tzdata/africa	Tue Dec 20 13:28:30 2016 -0800
@@ -487,7 +487,7 @@
 # http://www.libyaherald.com/2013/10/24/correction-no-time-change-tomorrow/
 #
 # From Paul Eggert (2013-10-25):
-# For now, assume they're reverting to the pre-2012 rules of permanent UTC+2.
+# For now, assume they're reverting to the pre-2012 rules of permanent UT +02.
 
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
 Rule	Libya	1951	only	-	Oct	14	2:00	1:00	S
--- a/make/data/tzdata/antarctica	Tue Dec 13 12:52:17 2016 -0800
+++ b/make/data/tzdata/antarctica	Tue Dec 20 13:28:30 2016 -0800
@@ -33,9 +33,7 @@
 # http://www.spri.cam.ac.uk/bob/periant.htm
 # for information.
 # Unless otherwise specified, we have no time zone information.
-#
-# Except for the French entries,
-# I made up all time zone abbreviations mentioned here; corrections welcome!
+
 # FORMAT is '-00' and GMTOFF is 0 for locations while uninhabited.
 
 # Argentina - year-round bases
@@ -52,7 +50,7 @@
 #	previously sealers and scientific personnel wintered
 #	Margaret Turner reports
 #	http://web.archive.org/web/20021204222245/http://www.dstc.qut.edu.au/DST/marg/daylight.html
-#	(1999-09-30) that they're UTC+5, with no DST;
+#	(1999-09-30) that they're UT +05, with no DST;
 #	presumably this is when they have visitors.
 #
 # year-round bases
@@ -89,25 +87,29 @@
 # Background:
 # http://www.timeanddate.com/news/time/antartica-time-changes-2010.html
 
+# From Steffen Thorsen (2016-10-28):
+# Australian Antarctica Division informed us that Casey changed time
+# zone to UTC+11 in "the morning of 22nd October 2016".
+
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone Antarctica/Casey	0	-	-00	1969
-			8:00	-	AWST	2009 Oct 18  2:00
-						# Australian Western Std Time
-			11:00	-	CAST	2010 Mar  5  2:00  # Casey Time
-			8:00	-	AWST	2011 Oct 28  2:00
-			11:00	-	CAST	2012 Feb 21 17:00u
-			8:00	-	AWST
+			8:00	-	+08	2009 Oct 18  2:00
+			11:00	-	+11	2010 Mar  5  2:00
+			8:00	-	+08	2011 Oct 28  2:00
+			11:00	-	+11	2012 Feb 21 17:00u
+			8:00	-	+08	2016 Oct 22
+			11:00	-	+11
 Zone Antarctica/Davis	0	-	-00	1957 Jan 13
-			7:00	-	DAVT	1964 Nov    # Davis Time
+			7:00	-	+07	1964 Nov
 			0	-	-00	1969 Feb
-			7:00	-	DAVT	2009 Oct 18  2:00
-			5:00	-	DAVT	2010 Mar 10 20:00u
-			7:00	-	DAVT	2011 Oct 28  2:00
-			5:00	-	DAVT	2012 Feb 21 20:00u
-			7:00	-	DAVT
+			7:00	-	+07	2009 Oct 18  2:00
+			5:00	-	+05	2010 Mar 10 20:00u
+			7:00	-	+07	2011 Oct 28  2:00
+			5:00	-	+05	2012 Feb 21 20:00u
+			7:00	-	+07
 Zone Antarctica/Mawson	0	-	-00	1954 Feb 13
-			6:00	-	MAWT	2009 Oct 18  2:00 # Mawson Time
-			5:00	-	MAWT
+			6:00	-	+06	2009 Oct 18  2:00
+			5:00	-	+05
 # References:
 # Casey Weather (1998-02-26)
 # http://www.antdiv.gov.au/aad/exop/sfo/casey/casey_aws.html
@@ -161,7 +163,7 @@
 #
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone Indian/Kerguelen	0	-	-00	1950 # Port-aux-Français
-			5:00	-	TFT	# ISO code TF Time
+			5:00	-	+05
 #
 # year-round base in the main continent
 # Dumont d'Urville, Île des Pétrels, -6640+14001, since 1956-11
@@ -172,9 +174,9 @@
 #
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone Antarctica/DumontDUrville 0 -	-00	1947
-			10:00	-	PMT	1952 Jan 14 # Port-Martin Time
+			10:00	-	+10	1952 Jan 14
 			0	-	-00	1956 Nov
-			10:00	-	DDUT	# Dumont-d'Urville Time
+			10:00	-	+10
 
 # France & Italy - year-round base
 # Concordia, -750600+1232000, since 2005
@@ -200,7 +202,7 @@
 # station of Japan, it's appropriate for the principal location.
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone Antarctica/Syowa	0	-	-00	1957 Jan 29
-			3:00	-	SYOT	# Syowa Time
+			3:00	-	+03
 # See:
 # NIPR Antarctic Research Activities (1999-08-17)
 # http://www.nipr.ac.jp/english/ara01.html
@@ -237,17 +239,17 @@
 # correct, but they should be quite close to the actual dates.
 #
 # From Paul Eggert (2014-03-21):
-# The CET-switching Troll rules require zic from tzcode 2014b or later, so as
+# The CET-switching Troll rules require zic from tz 2014b or later, so as
 # suggested by Bengt-Inge Larsson comment them out for now, and approximate
 # with only UTC and CEST.  Uncomment them when 2014b is more prevalent.
 #
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
-#Rule	Troll	2005	max	-	Mar	 1	1:00u	1:00	CET
-Rule	Troll	2005	max	-	Mar	lastSun	1:00u	2:00	CEST
-#Rule	Troll	2005	max	-	Oct	lastSun	1:00u	1:00	CET
-#Rule	Troll	2004	max	-	Nov	 7	1:00u	0:00	UTC
+#Rule	Troll	2005	max	-	Mar	 1	1:00u	1:00	+01
+Rule	Troll	2005	max	-	Mar	lastSun	1:00u	2:00	+02
+#Rule	Troll	2005	max	-	Oct	lastSun	1:00u	1:00	+01
+#Rule	Troll	2004	max	-	Nov	 7	1:00u	0:00	+00
 # Remove the following line when uncommenting the above '#Rule' lines.
-Rule	Troll	2004	max	-	Oct	lastSun	1:00u	0:00	UTC
+Rule	Troll	2004	max	-	Oct	lastSun	1:00u	0:00	+00
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone Antarctica/Troll	0	-	-00	2005 Feb 12
 			0:00	Troll	%s
@@ -288,10 +290,10 @@
 # changes during the year and does not necessarily correspond to mean
 # solar noon.  So the Vostok time might have been whatever the clocks
 # happened to be during their visit.  So we still don't really know what time
-# it is at Vostok.  But we'll guess UTC+6.
+# it is at Vostok.  But we'll guess +06.
 #
 Zone Antarctica/Vostok	0	-	-00	1957 Dec 16
-			6:00	-	VOST	# Vostok time
+			6:00	-	+06
 
 # S Africa - year-round bases
 # Marion Island, -4653+03752
@@ -324,7 +326,7 @@
 #
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone Antarctica/Rothera	0	-	-00	1976 Dec  1
-			-3:00	-	ROTT	# Rothera time
+			-3:00	-	-03
 
 # Uruguay - year round base
 # Artigas, King George Island, -621104-0585107
--- a/make/data/tzdata/asia	Tue Dec 13 12:52:17 2016 -0800
+++ b/make/data/tzdata/asia	Tue Dec 20 13:28:30 2016 -0800
@@ -139,13 +139,11 @@
 # http://www.worldtimezone.com/dst_news/dst_news_armenia03.html
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone	Asia/Yerevan	2:58:00 -	LMT	1924 May  2
-			3:00	-	YERT	1957 Mar    # Yerevan Time
-			4:00 RussiaAsia YER%sT	1991 Mar 31  2:00s
-			3:00	1:00	YERST	1991 Sep 23 # independence
-			3:00 RussiaAsia	AM%sT	1995 Sep 24  2:00s
-			4:00	-	AMT	1997
-			4:00 RussiaAsia	AM%sT	2012 Feb  9
-			4:00	-	AMT
+			3:00	-	+03	1957 Mar
+			4:00 RussiaAsia +04/+05	1991 Mar 31  2:00s
+			3:00 RussiaAsia	+03/+04	1995 Sep 24  2:00s
+			4:00	-	+04	1997
+			4:00 RussiaAsia	+04/+05
 
 # Azerbaijan
 
@@ -166,13 +164,12 @@
 Rule	Azer	1997	2015	-	Oct	lastSun	 5:00	0	-
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone	Asia/Baku	3:19:24 -	LMT	1924 May  2
-			3:00	-	BAKT	1957 Mar    # Baku Time
-			4:00 RussiaAsia BAK%sT	1991 Mar 31  2:00s
-			3:00	1:00	BAKST	1991 Aug 30 # independence
-			3:00 RussiaAsia	AZ%sT	1992 Sep lastSun  2:00s
-			4:00	-	AZT	1996     # Azerbaijan Time
-			4:00	EUAsia	AZ%sT	1997
-			4:00	Azer	AZ%sT
+			3:00	-	+03	1957 Mar
+			4:00 RussiaAsia +04/+05	1991 Mar 31  2:00s
+			3:00 RussiaAsia	+03/+04	1992 Sep lastSun  2:00s
+			4:00	-	+04	1996
+			4:00	EUAsia	+04/+05	1997
+			4:00	Azer	+04/+05
 
 # Bahrain
 # See Asia/Qatar.
@@ -291,7 +288,7 @@
 # Milne says 6:24:40 was the meridian of the time ball observatory at Rangoon.
 
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
-Zone	Asia/Rangoon	6:24:40 -	LMT	1880        # or Yangon
+Zone	Asia/Yangon	6:24:40 -	LMT	1880        # or Rangoon
 			6:24:40	-	RMT	1920        # Rangoon Mean Time?
 			6:30	-	BURT	1942 May    # Burma Time
 			9:00	-	JST	1945 May  3
@@ -406,7 +403,7 @@
 # Lewiston (ME) Daily Sun (1939-05-29), p 17, said "Even the time is
 # different - the occupied districts going by Tokyo time, an hour
 # ahead of that prevailing in the rest of Shanghai."  Guess that the
-# Xujiahui Observatory was under French control and stuck with UT+8.
+# Xujiahui Observatory was under French control and stuck with UT +08.
 #
 # In earlier versions of this file, China had many separate Zone entries, but
 # this was based on what were apparently incorrect data in Shanks & Pottenger.
@@ -415,26 +412,26 @@
 # Proposed in 1918 and theoretically in effect until 1949 (although in practice
 # mainly observed in coastal areas), the five zones were:
 #
-# Changbai Time ("Long-white Time", Long-white = Heilongjiang area) UT+8.5
+# Changbai Time ("Long-white Time", Long-white = Heilongjiang area) UT +08:30
 # Asia/Harbin (currently a link to Asia/Shanghai)
 # Heilongjiang (except Mohe county), Jilin
 #
-# Zhongyuan Time ("Central plain Time") UT+8
+# Zhongyuan Time ("Central plain Time") UT +08
 # Asia/Shanghai
 # most of China
 # This currently represents most other zones as well,
 # as apparently these regions have been the same since 1970.
 # Milne gives 8:05:43.2 for Xujiahui Observatory time; round to nearest.
-# Guo says Shanghai switched to UT+8 "from the end of the 19th century".
+# Guo says Shanghai switched to UT +08 "from the end of the 19th century".
 #
-# Long-shu Time (probably due to Long and Shu being two names of that area) UT+7
+# Long-shu Time (probably due to Long and Shu being two names of the area) UT +07
 # Asia/Chongqing (currently a link to Asia/Shanghai)
 # Guangxi, Guizhou, Hainan, Ningxia, Sichuan, Shaanxi, and Yunnan;
 # most of Gansu; west Inner Mongolia; west Qinghai; and the Guangdong
 # counties Deqing, Enping, Kaiping, Luoding, Taishan, Xinxing,
 # Yangchun, Yangjiang, Yu'nan, and Yunfu.
 #
-# Xin-zang Time ("Xinjiang-Tibet Time") UT+6
+# Xin-zang Time ("Xinjiang-Tibet Time") UT +06
 # Asia/Urumqi
 # This currently represents Kunlun Time as well,
 # as apparently the two regions have been the same since 1970.
@@ -447,7 +444,7 @@
 # Shihezi, Changji, Yanqi, Heshuo, Tuokexun, Tulufan, Shanshan, Hami,
 # Fukang, Kuitun, Kumukuli, Miquan, Qitai, and Turfan.
 #
-# Kunlun Time UT+5.5
+# Kunlun Time UT +05:30
 # Asia/Kashgar (currently a link to Asia/Urumqi)
 # West Tibet, including Pulan, Aheqi, Shufu, Shule;
 # West Xinjiang, including Aksu, Atushi, Yining, Hetian, Cele, Luopu, Nileke,
@@ -463,7 +460,7 @@
 #
 # On the other hand, ethnic Uyghurs, who make up about half the
 # population of Xinjiang, typically use "Xinjiang time" which is two
-# hours behind Beijing time, or UTC +0600. The government of the Xinjiang
+# hours behind Beijing time, or UT +06. The government of the Xinjiang
 # Uyghur Autonomous Region, (XAUR, or just Xinjiang for short) as well as
 # local governments such as the Ürümqi city government use both times in
 # publications, referring to what is popularly called Xinjiang time as
@@ -519,8 +516,8 @@
 # having the same time as Beijing.
 
 # From Paul Eggert (2014-06-30):
-# In the early days of the PRC, Tibet was given its own time zone (UT+6) but
-# this was withdrawn in 1959 and never reinstated; see Tubten Khétsun,
+# In the early days of the PRC, Tibet was given its own time zone (UT +06)
+# but this was withdrawn in 1959 and never reinstated; see Tubten Khétsun,
 # Memories of life in Lhasa under Chinese Rule, Columbia U Press, ISBN
 # 978-0231142861 (2008), translator's introduction by Matthew Akester, p x.
 # As this is before our 1970 cutoff, Tibet doesn't need a separate zone.
@@ -534,12 +531,12 @@
 # Republics, the Soviet Union, the Kuomintang, and the People's Republic of
 # China, and tracking down all these organizations' timekeeping rules would be
 # quite a trick.  Approximate this lost history by a transition from LMT to
-# XJT at the start of 1928, the year of accession of the warlord Jin Shuren,
+# UT +06 at the start of 1928, the year of accession of the warlord Jin Shuren,
 # which happens to be the date given by Shanks & Pottenger (no doubt as a
-# guess) as the transition from LMT.  Ignore the usage of UT+8 before
-# 1986-02-01 under the theory that the transition date to UT+8 is unknown and
+# guess) as the transition from LMT.  Ignore the usage of +08 before
+# 1986-02-01 under the theory that the transition date to +08 is unknown and
 # that the sort of users who prefer Asia/Urumqi now typically ignored the
-# UT+8 mandate back then.
+# +08 mandate back then.
 
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 # Beijing time, used throughout China; represented by Shanghai.
@@ -744,7 +741,7 @@
 # be found from historical government announcement database.
 
 # From Paul Eggert (2014-07-03):
-# As per Yu-Cheng Chuang, say that Taiwan was at UT+9 from 1937-10-01
+# As per Yu-Cheng Chuang, say that Taiwan was at UT +09 from 1937-10-01
 # until 1945-09-21 at 01:00, overriding Shanks & Pottenger.
 # Likewise, use Yu-Cheng Chuang's data for DST in Taiwan.
 
@@ -797,9 +794,19 @@
 ###############################################################################
 
 # Cyprus
+
+# Milne says the Eastern Telegraph Company used 2:14:00.  Stick with LMT.
+# IATA SSIM (1998-09) has Cyprus using EU rules for the first time.
+
+# From Paul Eggert (2016-09-09):
+# Yesterday's Cyprus Mail reports that Northern Cyprus followed Turkey's
+# lead and switched from +02/+03 to +03 year-round.
+# http://cyprus-mail.com/2016/09/08/two-time-zones-cyprus-turkey-will-not-turn-clocks-back-next-month/
 #
-# Milne says the Eastern Telegraph Company used 2:14:00.  Stick with LMT.
-#
+# From Even Scharning (2016-10-31):
+# Looks like the time zone split in Cyprus went through last night.
+# http://cyprus-mail.com/2016/10/30/cyprus-new-division-two-time-zones-now-reality/
+
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
 Rule	Cyprus	1975	only	-	Apr	13	0:00	1:00	S
 Rule	Cyprus	1975	only	-	Oct	12	0:00	0	-
@@ -814,7 +821,10 @@
 Zone	Asia/Nicosia	2:13:28 -	LMT	1921 Nov 14
 			2:00	Cyprus	EE%sT	1998 Sep
 			2:00	EUAsia	EE%sT
-# IATA SSIM (1998-09) has Cyprus using EU rules for the first time.
+Zone	Asia/Famagusta	2:15:48	-	LMT	1921 Nov 14
+			2:00	Cyprus	EE%sT	1998 Sep
+			2:00	EUAsia	EE%sT	2016 Sep  8
+			3:00	-	+03
 
 # Classically, Cyprus belongs to Asia; e.g. see Herodotus, Histories, I.72.
 # However, for various reasons many users expect to find it under Europe.
@@ -858,16 +868,15 @@
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone	Asia/Tbilisi	2:59:11 -	LMT	1880
 			2:59:11	-	TBMT	1924 May  2 # Tbilisi Mean Time
-			3:00	-	TBIT	1957 Mar    # Tbilisi Time
-			4:00 RussiaAsia TBI%sT	1991 Mar 31  2:00s
-			3:00	1:00	TBIST	1991 Apr  9 # independence
-			3:00 RussiaAsia GE%sT	1992        # Georgia Time
-			3:00 E-EurAsia	GE%sT	1994 Sep lastSun
-			4:00 E-EurAsia	GE%sT	1996 Oct lastSun
-			4:00	1:00	GEST	1997 Mar lastSun
-			4:00 E-EurAsia	GE%sT	2004 Jun 27
-			3:00 RussiaAsia	GE%sT	2005 Mar lastSun  2:00
-			4:00	-	GET
+			3:00	-	+03	1957 Mar
+			4:00 RussiaAsia +04/+05	1991 Mar 31  2:00s
+			3:00 RussiaAsia +03/+04	1992
+			3:00 E-EurAsia	+03/+04	1994 Sep lastSun
+			4:00 E-EurAsia	+04/+05	1996 Oct lastSun
+			4:00	1:00	+05	1997 Mar lastSun
+			4:00 E-EurAsia	+04/+05	2004 Jun 27
+			3:00 RussiaAsia	+03/+04	2005 Mar lastSun  2:00
+			4:00	-	+04
 
 # East Timor
 
@@ -944,7 +953,7 @@
 # These would be the earliest possible times for a change.
 # Régimes horaires pour le monde entier, by Henri Le Corre, (Éditions
 # Traditionnelles, 1987, Paris) says that Java and Madura switched
-# from JST to UTC+07:30 on 1945-09-23, and gives 1944-09-01 for Jayapura
+# from UT +09 to +07:30 on 1945-09-23, and gives 1944-09-01 for Jayapura
 # (Hollandia).  For now, assume all Indonesian locations other than Jayapura
 # switched on 1945-09-23.
 #
@@ -955,11 +964,11 @@
 # summary published by the Time and Frequency Laboratory of the
 # Research Center for Calibration, Instrumentation and Metrology,
 # Indonesia, <http://time.kim.lipi.go.id/time-eng.php> (2006-09-29).
-# The abbreviations are:
+# The time zone abbreviations and UT offsets are:
 #
-# WIB  - UTC+7 - Waktu Indonesia Barat (Indonesia western time)
-# WITA - UTC+8 - Waktu Indonesia Tengah (Indonesia central time)
-# WIT  - UTC+9 - Waktu Indonesia Timur (Indonesia eastern time)
+# WIB  - +07 - Waktu Indonesia Barat (Indonesia western time)
+# WITA - +08 - Waktu Indonesia Tengah (Indonesia central time)
+# WIT  - +09 - Waktu Indonesia Timur (Indonesia eastern time)
 #
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 # Java, Sumatra
@@ -1848,11 +1857,11 @@
 Rule	Kyrgyz	1997	2004	-	Oct	lastSun	2:30	0	-
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone	Asia/Bishkek	4:58:24 -	LMT	1924 May  2
-			5:00	-	FRUT	1930 Jun 21 # Frunze Time
-			6:00 RussiaAsia FRU%sT	1991 Mar 31  2:00s
-			5:00	1:00	FRUST	1991 Aug 31  2:00 # independence
-			5:00	Kyrgyz	KG%sT	2005 Aug 12 # Kyrgyzstan Time
-			6:00	-	KGT
+			5:00	-	+05	1930 Jun 21
+			6:00 RussiaAsia +06/+07	1991 Mar 31  2:00s
+			5:00 RussiaAsia	+05/+06	1991 Aug 31  2:00
+			5:00	Kyrgyz	+05/+06	2005 Aug 12
+			6:00	-	+06
 
 ###############################################################################
 
@@ -1891,25 +1900,24 @@
 Rule	ROK	1987	1988	-	May	Sun>=8	2:00	1:00	D
 Rule	ROK	1987	1988	-	Oct	Sun>=8	3:00	0	S
 
-# From Paul Eggert (2014-10-30):
+# From Paul Eggert (2016-08-23):
 # The Korean Wikipedia entry gives the following sources for UT offsets:
 #
-# 1908: Official Journal Article No. 3994 (Edict No. 5)
+# 1908: Official Journal Article No. 3994 (decree No. 5)
 # 1912: Governor-General of Korea Official Gazette Issue No. 367
 #       (Announcement No. 338)
 # 1954: Presidential Decree No. 876 (1954-03-17)
 # 1961: Law No. 676 (1961-08-07)
-# 1987: Law No. 3919 (1986-12-31)
 #
-# The Wikipedia entry also has confusing information about a change
-# to UT+9 in April 1910, but then what would be the point of the later change
-# to UT+9 on 1912-01-01?  Omit the 1910 change for now.
+# (Another source "1987: Law No. 3919 (1986-12-31)" was in the 2014-10-30
+# edition of the Korean Wikipedia entry.)
 #
 # I guessed that time zone abbreviations through 1945 followed the same
 # rules as discussed under Taiwan, with nominal switches from JST to KST
 # when the respective cities were taken over by the Allies after WWII.
 #
-# For Pyongyang we have no information; guess no changes since World War II.
+# For Pyongyang, guess no changes from World War II until 2015, as we
+# have no information otherwise.
 
 # From Steffen Thorsen (2015-08-07):
 # According to many news sources, North Korea is going to change to
@@ -2069,7 +2077,7 @@
 # Bill Bonnet (2005-05-19) reports that the US Embassy in Ulaanbaatar says
 # there is only one time zone and that DST is observed, citing Microsoft
 # Windows XP as the source.  Risto Nykänen (2005-05-16) reports that
-# travelmongolia.org says there are two time zones (UTC+7, UTC+8) with no DST.
+# travelmongolia.org says there are two time zones (UT +07, +08) with no DST.
 # Oscar van Vlijmen (2005-05-20) reports that the Mongolian Embassy in
 # Washington, DC says there are two time zones, with DST observed.
 # He also found
@@ -2572,11 +2580,6 @@
 # From Paul Eggert (2015-03-03):
 # http://www.timeanddate.com/time/change/west-bank/ramallah?year=2014
 # says that the fall 2014 transition was Oct 23 at 24:00.
-# For future dates, guess the last Friday in March at 24:00 through
-# the first Friday on or after October 21 at 00:00.  This is consistent with
-# the predictions in today's editions of the following URLs:
-# http://www.timeanddate.com/time/change/gaza-strip/gaza
-# http://www.timeanddate.com/time/change/west-bank/hebron
 
 # From Hannah Kreitem (2016-03-09):
 # http://www.palestinecabinet.gov.ps/WebSite/ar/ViewDetails?ID=31728
@@ -2586,7 +2589,21 @@
 #
 # From Paul Eggert (2016-03-12):
 # Predict spring transitions on March's last Saturday at 01:00 from now on.
-# Leave fall predictions alone for now.
+
+# From Sharef Mustafa (2016-10-19):
+# [T]he Palestinian cabinet decision (Mar 8th 2016) published on
+# http://www.palestinecabinet.gov.ps/WebSite/Upload/Decree/GOV_17/16032016134830.pdf
+# states that summer time will end on Oct 29th at 01:00.
+#
+# From Tim Parenti (2016-10-19):
+# Predict fall transitions on October's last Saturday at 01:00 from now on.
+# This is consistent with the 2016 transition as well as our spring
+# predictions.
+#
+# From Paul Eggert (2016-10-19):
+# It's also consistent with predictions in the following URLs today:
+# http://www.timeanddate.com/time/change/gaza-strip/gaza
+# http://www.timeanddate.com/time/change/west-bank/hebron
 
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
 Rule EgyptAsia	1957	only	-	May	10	0:00	1:00	S
@@ -2615,9 +2632,10 @@
 Rule Palestine	2012	2014	-	Mar	lastThu	24:00	1:00	S
 Rule Palestine	2012	only	-	Sep	21	1:00	0	-
 Rule Palestine	2013	only	-	Sep	Fri>=21	0:00	0	-
-Rule Palestine	2014	max	-	Oct	Fri>=21	0:00	0	-
+Rule Palestine	2014	2015	-	Oct	Fri>=21	0:00	0	-
 Rule Palestine	2015	only	-	Mar	lastFri	24:00	1:00	S
 Rule Palestine	2016	max	-	Mar	lastSat	1:00	1:00	S
+Rule Palestine	2016	max	-	Oct	lastSat	1:00	0	-
 
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone	Asia/Gaza	2:17:52	-	LMT	1900 Oct
@@ -2705,7 +2723,7 @@
 # earlier date.
 #
 # Shanks & Pottenger also state that until 1968-05-01 Saudi Arabia had two
-# time zones; the other zone, at UTC+4, was in the far eastern part of
+# time zones; the other zone, at UT +04, was in the far eastern part of
 # the country.  Ignore this, as it's before our 1970 cutoff.
 #
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
@@ -2767,45 +2785,31 @@
 # People who live in regions under Tamil control can use [TZ='Asia/Kolkata'],
 # as that zone has agreed with the Tamil areas since our cutoff date of 1970.
 
-# From K Sethu (2006-04-25):
-# I think the abbreviation LKT originated from the world of computers at
-# the time of or subsequent to the time zone changes by SL Government
-# twice in 1996 and probably SL Government or its standardization
-# agencies never declared an abbreviation as a national standard.
+# From Sadika Sumanapala (2016-10-19):
+# According to http://www.sltime.org (maintained by Measurement Units,
+# Standards & Services Department, Sri Lanka) abbreviation for Sri Lanka
+# standard time is SLST.
 #
-# I recollect before the recent change the government announcements
-# mentioning it as simply changing Sri Lanka Standard Time or Sri Lanka
-# Time and no mention was made about the abbreviation.
-#
-# If we look at Sri Lanka Department of Government's "Official News
-# Website of Sri Lanka" ... http://www.news.lk/ we can see that they
-# use SLT as abbreviation in time stamp at the beginning of each news
-# item....
-#
-# Within Sri Lanka I think LKT is well known among computer users and
-# administrators.  In my opinion SLT may not be a good choice because the
-# nation's largest telcom / internet operator Sri Lanka Telcom is well
-# known by that abbreviation - simply as SLT (there IP domains are
-# slt.lk and sltnet.lk).
-#
-# But if indeed our government has adopted SLT as standard abbreviation
-# (that we have not known so far) then  it is better that it be used for
-# all computers.
-
-# From Paul Eggert (2006-04-25):
-# One possibility is that we wait for a bit for the dust to settle down
-# and then see what people actually say in practice.
+# From Paul Eggert (2016-10-18):
+# "SLST" seems to be reasonably recent and rarely-used outside time
+# zone nerd sources.  I searched Google News and found three uses of
+# it in the International Business Times of India in February and
+# March of this year when discussing cricket match times, but nothing
+# since then (though there has been a lot of cricket) and nothing in
+# other English-language news sources.  Our old abbreviation "LKT" is
+# even worse.  For now, let's use a numeric abbreviation; we can
+# switch to "SLST" if it catches on.
 
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone	Asia/Colombo	5:19:24 -	LMT	1880
 			5:19:32	-	MMT	1906        # Moratuwa Mean Time
-			5:30	-	IST	1942 Jan  5
-			5:30	0:30	IHST	1942 Sep
-			5:30	1:00	IST	1945 Oct 16  2:00
-			5:30	-	IST	1996 May 25  0:00
-			6:30	-	LKT	1996 Oct 26  0:30
-			6:00	-	LKT	2006 Apr 15  0:30
-			5:30	-	IST
+			5:30	-	+0530	1942 Jan  5
+			5:30	0:30	+0530/+06 1942 Sep
+			5:30	1:00	+0530/+0630 1945 Oct 16  2:00
+			5:30	-	+0530	1996 May 25  0:00
+			6:30	-	+0630	1996 Oct 26  0:30
+			6:00	-	+06	2006 Apr 15  0:30
+			5:30	-	+0530
 
 # Syria
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
@@ -2974,10 +2978,10 @@
 # From Shanks & Pottenger.
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone	Asia/Dushanbe	4:35:12 -	LMT	1924 May  2
-			5:00	-	DUST	1930 Jun 21 # Dushanbe Time
-			6:00 RussiaAsia DUS%sT	1991 Mar 31  2:00s
-			5:00	1:00	DUSST	1991 Sep  9  2:00s
-			5:00	-	TJT	# Tajikistan Time
+			5:00	-	+05	1930 Jun 21
+			6:00 RussiaAsia +06/+07	1991 Mar 31  2:00s
+			5:00	1:00	+05/+06	1991 Sep  9  2:00s
+			5:00	-	+05
 
 # Thailand
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
@@ -2991,11 +2995,10 @@
 # From Shanks & Pottenger.
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone	Asia/Ashgabat	3:53:32 -	LMT	1924 May  2 # or Ashkhabad
-			4:00	-	ASHT	1930 Jun 21 # Ashkhabad Time
-			5:00 RussiaAsia	ASH%sT	1991 Mar 31  2:00
-			4:00 RussiaAsia	ASH%sT	1991 Oct 27 # independence
-			4:00 RussiaAsia	TM%sT	1992 Jan 19  2:00
-			5:00	-	TMT
+			4:00	-	+04	1930 Jun 21
+			5:00 RussiaAsia	+05/+06	1991 Mar 31  2:00
+			4:00 RussiaAsia	+04/+05	1992 Jan 19  2:00
+			5:00	-	+05
 
 # United Arab Emirates
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
@@ -3007,20 +3010,18 @@
 # Byalokoz 1919 says Uzbekistan was 4:27:53.
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone	Asia/Samarkand	4:27:53 -	LMT	1924 May  2
-			4:00	-	SAMT	1930 Jun 21 # Samarkand Time
-			5:00	-	SAMT	1981 Apr  1
-			5:00	1:00	SAMST	1981 Oct  1
-			6:00	-	TAST	1982 Apr  1 # Tashkent Time
-			5:00 RussiaAsia	SAM%sT	1991 Sep  1 # independence
-			5:00 RussiaAsia	UZ%sT	1992
-			5:00	-	UZT
+			4:00	-	+04	1930 Jun 21
+			5:00	-	+05	1981 Apr  1
+			5:00	1:00	+06	1981 Oct  1
+			6:00	-	+06	1982 Apr  1
+			5:00 RussiaAsia	+05/+06	1992
+			5:00	-	+05
 # Milne says Tashkent was 4:37:10.8; round to nearest.
 Zone	Asia/Tashkent	4:37:11 -	LMT	1924 May  2
-			5:00	-	TAST	1930 Jun 21 # Tashkent Time
-			6:00 RussiaAsia	TAS%sT	1991 Mar 31  2:00
-			5:00 RussiaAsia	TAS%sT	1991 Sep  1 # independence
-			5:00 RussiaAsia	UZ%sT	1992
-			5:00	-	UZT
+			5:00	-	+05	1930 Jun 21
+			6:00 RussiaAsia	+06/+07	1991 Mar 31  2:00
+			5:00 RussiaAsia	+05/+06	1992
+			5:00	-	+05
 
 # Vietnam
 
--- a/make/data/tzdata/australasia	Tue Dec 13 12:52:17 2016 -0800
+++ b/make/data/tzdata/australasia	Tue Dec 20 13:28:30 2016 -0800
@@ -373,7 +373,13 @@
 # commencing at 2.00 am on Sunday 1st November, 2015 and ending at
 # 3.00 am on Sunday 17th January, 2016.
 
-# From Paul Eggert (2015-09-01):
+# From Raymond Kumar (2016-10-04):
+# http://www.fiji.gov.fj/Media-Center/Press-Releases/DAYLIGHT-SAVING-STARTS-ON-6th-NOVEMBER,-2016.aspx
+# "Fiji's daylight savings will begin on Sunday, 6 November 2016, when
+# clocks go forward an hour at 2am to 3am....  Daylight Saving will
+# end at 3.00am on Sunday 15th January 2017."
+
+# From Paul Eggert (2016-10-03):
 # For now, guess DST from 02:00 the first Sunday in November to
 # 03:00 the third Sunday in January.  Although ad hoc, it matches
 # transitions since late 2014 and seems more likely to match future
@@ -568,7 +574,7 @@
 # Base the Bougainville entry on the Arawa-Kieta region, which appears to have
 # the most people even though it was devastated in the Bougainville Civil War.
 #
-# Although Shanks gives 1942-03-15 / 1943-11-01 for JST, these dates
+# Although Shanks gives 1942-03-15 / 1943-11-01 for UT +09, these dates
 # are apparently rough guesswork from the starts of military campaigns.
 # The World War II entries below are instead based on Arawa-Kieta.
 # The Japanese occupied Kieta in July 1942,
@@ -576,8 +582,8 @@
 # http://pwencycl.kgbudge.com/B/o/Bougainville.htm
 # and seem to have controlled it until their 1945-08-21 surrender.
 #
-# The Autonomous Region of Bougainville plans to switch from UTC+10 to UTC+11
-# on 2014-12-28 at 02:00.  They call UTC+11 "Bougainville Standard Time";
+# The Autonomous Region of Bougainville switched from UT +10 to +11
+# on 2014-12-28 at 02:00.  They call +11 "Bougainville Standard Time";
 # abbreviate this as BST.  See:
 # http://www.bougainville24.com/bougainville-issues/bougainville-gets-own-timezone/
 #
@@ -643,7 +649,7 @@
 # From Paul Eggert (2014-06-27):
 # The International Date Line Act 2011
 # http://www.parliament.gov.ws/images/ACTS/International_Date_Line_Act__2011_-_Eng.pdf
-# changed Samoa from UTC-11 to UTC+13, effective "12 o'clock midnight, on
+# changed Samoa from UT -11 to +13, effective "12 o'clock midnight, on
 # Thursday 29th December 2011".  The International Date Line was adjusted
 # accordingly.
 
@@ -719,11 +725,13 @@
 Rule	Tonga	2000	only	-	Mar	19	2:00s	0	-
 Rule	Tonga	2000	2001	-	Nov	Sun>=1	2:00	1:00	S
 Rule	Tonga	2001	2002	-	Jan	lastSun	2:00	0	-
+Rule	Tonga	2016	max	-	Nov	Sun>=1	2:00	1:00	S
+Rule	Tonga	2017	max	-	Jan	Sun>=15	3:00	0	-
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone Pacific/Tongatapu	12:19:20 -	LMT	1901
-			12:20	-	TOT	1941 # Tonga Time
-			13:00	-	TOT	1999
-			13:00	Tonga	TO%sT
+			12:20	-	+1220	1941
+			13:00	-	+13	1999
+			13:00	Tonga	+13/+14
 
 # Tuvalu
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
@@ -738,7 +746,7 @@
 # 1886-1891; Baker was similar but exact dates are not known.
 # Inhabited by civilians 1935-1942; U.S. military bases 1943-1944;
 # uninhabited thereafter.
-# Howland observed Hawaii Standard Time (UT-10:30) in 1937;
+# Howland observed Hawaii Standard Time (UT -10:30) in 1937;
 # see page 206 of Elgen M. Long and Marie K. Long,
 # Amelia Earhart: the Mystery Solved, Simon & Schuster (2000).
 # So most likely Howland and Baker observed Hawaii Time from 1935
@@ -1496,7 +1504,7 @@
 # Zealand time.  I understand that is the time they keep locally, anyhow."
 # For now, assume this practice goes back to the introduction of standard time
 # in New Zealand, as this would make Chatham Islands time almost exactly match
-# LMT back when New Zealand was at UTC+11:30; also, assume Chatham Islands did
+# LMT back when New Zealand was at UT +11:30; also, assume Chatham Islands did
 # not observe New Zealand's prewar DST.
 
 ###############################################################################
@@ -1552,7 +1560,7 @@
 # For now, we assume the Ladrones switched at the same time as the Philippines;
 # see Asia/Manila.
 
-# US Public Law 106-564 (2000-12-23) made UTC+10 the official standard time,
+# US Public Law 106-564 (2000-12-23) made UT +10 the official standard time,
 # under the name "Chamorro Standard Time".  There is no official abbreviation,
 # but Congressman Robert A. Underwood, author of the bill that became law,
 # wrote in a press release (2000-12-27) that he will seek the use of "ChST".
@@ -1564,15 +1572,15 @@
 # "I am certain, having lived there for the past decade, that 'Truk'
 # (now properly known as Chuuk) ... is in the time zone GMT+10."
 #
-# Shanks & Pottenger write that Truk switched from UTC+10 to UTC+11
+# Shanks & Pottenger write that Truk switched from UT +10 to +11
 # on 1978-10-01; ignore this for now.
 
 # From Paul Eggert (1999-10-29):
 # The Federated States of Micronesia Visitors Board writes in
 # The Federated States of Micronesia - Visitor Information (1999-01-26)
 # http://www.fsmgov.org/info/clocks.html
-# that Truk and Yap are UTC+10, and Ponape and Kosrae are UTC+11.
-# We don't know when Kosrae switched from UTC+12; assume January 1 for now.
+# that Truk and Yap are UT +10, and Ponape and Kosrae are +11.
+# We don't know when Kosrae switched from +12; assume January 1 for now.
 
 
 # Midway
@@ -1638,11 +1646,11 @@
 # ordaining - by a masterpiece of diplomatic flattery - that
 # the Fourth of July should be celebrated twice in that year."
 
-# Although Shanks & Pottenger says they both switched to UTC-11:30
-# in 1911, and to UTC-11 in 1950. many earlier sources give UTC-11
+# Although Shanks & Pottenger says they both switched to UT -11:30
+# in 1911, and to -11 in 1950. many earlier sources give -11
 # for American Samoa, e.g., the US National Bureau of Standards
 # circular "Standard Time Throughout the World", 1932.
-# Assume American Samoa switched to UTC-11 in 1911, not 1950,
+# Assume American Samoa switched to -11 in 1911, not 1950,
 # and that after 1950 they agreed until (western) Samoa skipped a
 # day in 2011.  Assume also that the Samoas follow the US and New
 # Zealand's "ST"/"DT" style of daylight-saving abbreviations.
@@ -1729,9 +1737,17 @@
 # of January the standard time in the Kingdom shall be moved backward by one
 # hour to 1:00am.
 
-# From Pulu 'Anau (2002-11-05):
+# From Pulu ʻAnau (2002-11-05):
 # The law was for 3 years, supposedly to get renewed.  It wasn't.
 
+# From Pulu ʻAnau (2016-10-27):
+# http://mic.gov.to/news-today/press-releases/6375-daylight-saving-set-to-run-from-6-november-2016-to-15-january-2017
+# Cannot find anyone who knows the rules, has seen the duration or has seen
+# the cabinet decision, but it appears we are following Fiji's rule set.
+#
+# From Tim Parenti (2016-10-26):
+# Assume Tonga will observe DST from the first Sunday in November at 02:00
+# through the third Sunday in January at 03:00, like Fiji, for now.
 
 # Wake
 
--- a/make/data/tzdata/backward	Tue Dec 13 12:52:17 2016 -0800
+++ b/make/data/tzdata/backward	Tue Dec 20 13:28:30 2016 -0800
@@ -59,6 +59,7 @@
 Link	Asia/Urumqi		Asia/Kashgar
 Link	Asia/Kathmandu		Asia/Katmandu
 Link	Asia/Macau		Asia/Macao
+Link	Asia/Yangon		Asia/Rangoon
 Link	Asia/Ho_Chi_Minh	Asia/Saigon
 Link	Asia/Jerusalem		Asia/Tel_Aviv
 Link	Asia/Thimphu		Asia/Thimbu
--- a/make/data/tzdata/etcetera	Tue Dec 13 12:52:17 2016 -0800
+++ b/make/data/tzdata/etcetera	Tue Dec 20 13:28:30 2016 -0800
@@ -31,6 +31,13 @@
 # need now for the entries that are not on UTC are for ships at sea
 # that cannot use POSIX TZ settings.
 
+# Starting with POSIX 1003.1-2001, the entries below are all
+# unnecessary as settings for the TZ environment variable.  E.g.,
+# instead of TZ='Etc/GMT+4' one can use the POSIX setting TZ='<-04>+4'.
+#
+# Do not use a POSIX TZ setting like TZ='GMT+4', which is four hours
+# behind GMT but uses the completely misleading abbreviation "GMT".
+
 Zone	Etc/GMT		0	-	GMT
 Zone	Etc/UTC		0	-	UTC
 Zone	Etc/UCT		0	-	UCT
@@ -49,23 +56,13 @@
 Link	Etc/GMT				Etc/GMT+0
 Link	Etc/GMT				Etc/GMT0
 
-# We use POSIX-style signs in the Zone names and the output abbreviations,
+# Be consistent with POSIX TZ settings in the Zone names,
 # even though this is the opposite of what many people expect.
 # POSIX has positive signs west of Greenwich, but many people expect
 # positive signs east of Greenwich.  For example, TZ='Etc/GMT+4' uses
-# the abbreviation "GMT+4" and corresponds to 4 hours behind UT
+# the abbreviation "-04" and corresponds to 4 hours behind UT
 # (i.e. west of Greenwich) even though many people would expect it to
 # mean 4 hours ahead of UT (i.e. east of Greenwich).
-#
-# In the draft 5 of POSIX 1003.1-200x, the angle bracket notation allows for
-# TZ='<GMT-4>+4'; if you want time zone abbreviations conforming to
-# ISO 8601 you can use TZ='<-0400>+4'.  Thus the commonly-expected
-# offset is kept within the angle bracket (and is used for display)
-# while the POSIX sign is kept outside the angle bracket (and is used
-# for calculation).
-#
-# Do not use a TZ setting like TZ='GMT+4', which is four hours behind
-# GMT but uses the completely misleading abbreviation "GMT".
 
 # Earlier incarnations of this package were not POSIX-compliant,
 # and had lines such as
@@ -74,30 +71,31 @@
 # way does a
 #		zic -l GMT-12
 # so we moved the names into the Etc subdirectory.
+# Also, the time zone abbreviations are now compatible with %z.
 
-Zone	Etc/GMT-14	14	-	GMT-14	# 14 hours ahead of GMT
-Zone	Etc/GMT-13	13	-	GMT-13
-Zone	Etc/GMT-12	12	-	GMT-12
-Zone	Etc/GMT-11	11	-	GMT-11
-Zone	Etc/GMT-10	10	-	GMT-10
-Zone	Etc/GMT-9	9	-	GMT-9
-Zone	Etc/GMT-8	8	-	GMT-8
-Zone	Etc/GMT-7	7	-	GMT-7
-Zone	Etc/GMT-6	6	-	GMT-6
-Zone	Etc/GMT-5	5	-	GMT-5
-Zone	Etc/GMT-4	4	-	GMT-4
-Zone	Etc/GMT-3	3	-	GMT-3
-Zone	Etc/GMT-2	2	-	GMT-2
-Zone	Etc/GMT-1	1	-	GMT-1
-Zone	Etc/GMT+1	-1	-	GMT+1
-Zone	Etc/GMT+2	-2	-	GMT+2
-Zone	Etc/GMT+3	-3	-	GMT+3
-Zone	Etc/GMT+4	-4	-	GMT+4
-Zone	Etc/GMT+5	-5	-	GMT+5
-Zone	Etc/GMT+6	-6	-	GMT+6
-Zone	Etc/GMT+7	-7	-	GMT+7
-Zone	Etc/GMT+8	-8	-	GMT+8
-Zone	Etc/GMT+9	-9	-	GMT+9
-Zone	Etc/GMT+10	-10	-	GMT+10
-Zone	Etc/GMT+11	-11	-	GMT+11
-Zone	Etc/GMT+12	-12	-	GMT+12
+Zone	Etc/GMT-14	14	-	+14
+Zone	Etc/GMT-13	13	-	+13
+Zone	Etc/GMT-12	12	-	+12
+Zone	Etc/GMT-11	11	-	+11
+Zone	Etc/GMT-10	10	-	+10
+Zone	Etc/GMT-9	9	-	+09
+Zone	Etc/GMT-8	8	-	+08
+Zone	Etc/GMT-7	7	-	+07
+Zone	Etc/GMT-6	6	-	+06
+Zone	Etc/GMT-5	5	-	+05
+Zone	Etc/GMT-4	4	-	+04
+Zone	Etc/GMT-3	3	-	+03
+Zone	Etc/GMT-2	2	-	+02
+Zone	Etc/GMT-1	1	-	+01
+Zone	Etc/GMT+1	-1	-	-01
+Zone	Etc/GMT+2	-2	-	-02
+Zone	Etc/GMT+3	-3	-	-03
+Zone	Etc/GMT+4	-4	-	-04
+Zone	Etc/GMT+5	-5	-	-05
+Zone	Etc/GMT+6	-6	-	-06
+Zone	Etc/GMT+7	-7	-	-07
+Zone	Etc/GMT+8	-8	-	-08
+Zone	Etc/GMT+9	-9	-	-09
+Zone	Etc/GMT+10	-10	-	-10
+Zone	Etc/GMT+11	-11	-	-11
+Zone	Etc/GMT+12	-12	-	-12
--- a/make/data/tzdata/europe	Tue Dec 13 12:52:17 2016 -0800
+++ b/make/data/tzdata/europe	Tue Dec 20 13:28:30 2016 -0800
@@ -98,8 +98,7 @@
 #        1:00       CET CEST CEMT Central Europe
 #        1:00:14    SET           Swedish (1879-1899)*
 #        2:00       EET EEST      Eastern Europe
-#        3:00       FET           Further-eastern Europe (2011-2014)*
-#        3:00       MSK MSD  MSM* Minsk, Moscow
+#        3:00       MSK MSD       Moscow
 
 # From Peter Ilieve (1994-12-04),
 # The original six [EU members]: Belgium, France, (West) Germany, Italy,
@@ -606,16 +605,33 @@
 Rule	E-Eur	1981	max	-	Mar	lastSun	 0:00	1:00	S
 Rule	E-Eur	1996	max	-	Oct	lastSun	 0:00	0	-
 
+
+# Daylight saving time for Russia and the Soviet Union
+#
+# The 1917-1921 decree URLs are from Alexander Belopolsky (2016-08-23).
+
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
 Rule	Russia	1917	only	-	Jul	 1	23:00	1:00	MST  # Moscow Summer Time
+#
+# Decree No. 142 (1917-12-22) http://istmat.info/node/28137
 Rule	Russia	1917	only	-	Dec	28	 0:00	0	MMT  # Moscow Mean Time
+#
+# Decree No. 497 (1918-05-30) http://istmat.info/node/30001
 Rule	Russia	1918	only	-	May	31	22:00	2:00	MDST # Moscow Double Summer Time
 Rule	Russia	1918	only	-	Sep	16	 1:00	1:00	MST
+#
+# Decree No. 258 (1919-05-29) http://istmat.info/node/37949
 Rule	Russia	1919	only	-	May	31	23:00	2:00	MDST
-Rule	Russia	1919	only	-	Jul	 1	 2:00	1:00	MSD
+#
+Rule	Russia	1919	only	-	Jul	 1	 0:00u	1:00	MSD
 Rule	Russia	1919	only	-	Aug	16	 0:00	0	MSK
+#
+# Decree No. 63 (1921-02-03) http://istmat.info/node/45840
 Rule	Russia	1921	only	-	Feb	14	23:00	1:00	MSD
-Rule	Russia	1921	only	-	Mar	20	23:00	2:00	MSM  # Midsummer
+#
+# Decree No. 121 (1921-03-07) http://istmat.info/node/45949
+Rule	Russia	1921	only	-	Mar	20	23:00	2:00	+05
+#
 Rule	Russia	1921	only	-	Sep	 1	 0:00	1:00	MSD
 Rule	Russia	1921	only	-	Oct	 1	 0:00	0	-
 # Act No. 925 of the Council of Ministers of the USSR (1980-10-24):
@@ -798,8 +814,6 @@
 # From Alexander Bokovoy (2014-10-09):
 # Belarussian government decided against changing to winter time....
 # http://eng.belta.by/all_news/society/Belarus-decides-against-adjusting-time-in-Russias-wake_i_76335.html
-# From Paul Eggert (2014-10-08):
-# Hence Belarus can share time zone abbreviations with Moscow again.
 #
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone	Europe/Minsk	1:50:16 -	LMT	1880
@@ -810,8 +824,7 @@
 			3:00	Russia	MSK/MSD	1990
 			3:00	-	MSK	1991 Mar 31  2:00s
 			2:00	Russia	EE%sT	2011 Mar 27  2:00s
-			3:00	-	FET	2014 Oct 26  1:00s
-			3:00	-	MSK
+			3:00	-	+03
 
 # Belgium
 #
@@ -1319,7 +1332,7 @@
 # http://www.parlament-berlin.de/pds-fraktion.nsf/727459127c8b66ee8525662300459099/defc77cb784f180ac1256c2b0030274b/$FILE/bersarint.pdf
 # says that Bersarin issued an order to use Moscow time on May 20.
 # However, Moscow did not observe daylight saving in 1945, so
-# this was equivalent to CEMT (GMT+3), not GMT+4.
+# this was equivalent to UT +03, not +04.
 
 
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
@@ -1510,73 +1523,84 @@
 # But these events all occurred before the 1970 cutoff,
 # so record only the time in Rome.
 #
-# From Paul Eggert (2006-03-22):
-# For Italian DST we have three sources: Shanks & Pottenger, Whitman, and
-# F. Pollastri
-# Day-light Saving Time in Italy (2006-02-03)
-# http://toi.iriti.cnr.it/uk/ienitlt.html
-# ('FP' below), taken from an Italian National Electrotechnical Institute
-# publication. When the three sources disagree, guess who's right, as follows:
+# From Michael Deckers (2016-10-24):
+# http://www.ac-ilsestante.it/MERIDIANE/ora_legale quotes a law of 1893-08-10
+# ... [translated as] "The preceding dispositions will enter into
+# force at the instant at which, according to the time specified in
+# the 1st article, the 1st of November 1893 will begin...."
 #
-# year	FP	Shanks&P. (S)	Whitman (W)	Go with:
-# 1916	06-03	06-03 24:00	06-03 00:00	FP & W
-#	09-30	09-30 24:00	09-30 01:00	FP; guess 24:00s
-# 1917	04-01	03-31 24:00	03-31 00:00	FP & S
-#	09-30	09-29 24:00	09-30 01:00	FP & W
-# 1918	03-09	03-09 24:00	03-09 00:00	FP & S
-#	10-06	10-05 24:00	10-06 01:00	FP & W
-# 1919	03-01	03-01 24:00	03-01 00:00	FP & S
-#	10-04	10-04 24:00	10-04 01:00	FP; guess 24:00s
-# 1920	03-20	03-20 24:00	03-20 00:00	FP & S
-#	09-18	09-18 24:00	10-01 01:00	FP; guess 24:00s
-# 1944	04-02	04-03 02:00			S (see C-Eur)
-#	09-16	10-02 03:00			FP; guess 24:00s
-# 1945	09-14	09-16 24:00			FP; guess 24:00s
-# 1970	05-21	05-31 00:00			S
-#	09-20	09-27 00:00			S
+# From Pierpaolo Bernardi (2016-10-20):
+# The authoritative source for time in Italy is the national metrological
+# institute, which has a summary page of historical DST data at
+# http://www.inrim.it/res/tf/ora_legale_i.shtml
+# (2016-10-24):
+# http://www.renzobaldini.it/le-ore-legali-in-italia/
+# has still different data for 1944.  It divides Italy in two, as
+# there were effectively two governments at the time, north of Gothic
+# Line German controlled territory, official government RSI, and south
+# of the Gothic Line, controlled by allied armies.
+#
+# From Brian Inglis (2016-10-23):
+# Viceregal LEGISLATIVE DECREE. 14 September 1944, no. 219.
+# Restoration of Standard Time. (044U0219) (OJ 62 of 30.9.1944) ...
+# Given the R. law decreed on 1944-03-29, no. 92, by which standard time is
+# advanced to sixty minutes later starting at hour two on 1944-04-02; ...
+# Starting at hour three on the date 1944-09-17 standard time will be resumed.
+#
+# From Paul Eggert (2016-10-27):
+# Go with INRiM for DST rules, except as corrected by Inglis for 1944
+# for the Kingdom of Italy.  This is consistent with Renzo Baldini.
+# Model Rome's occupation by using using C-Eur rules from 1943-09-10
+# to 1944-06-04; although Rome was an open city during this period, it
+# was effectively controlled by Germany.
 #
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
-Rule	Italy	1916	only	-	Jun	 3	0:00s	1:00	S
-Rule	Italy	1916	only	-	Oct	 1	0:00s	0	-
-Rule	Italy	1917	only	-	Apr	 1	0:00s	1:00	S
-Rule	Italy	1917	only	-	Sep	30	0:00s	0	-
-Rule	Italy	1918	only	-	Mar	10	0:00s	1:00	S
-Rule	Italy	1918	1919	-	Oct	Sun>=1	0:00s	0	-
-Rule	Italy	1919	only	-	Mar	 2	0:00s	1:00	S
-Rule	Italy	1920	only	-	Mar	21	0:00s	1:00	S
-Rule	Italy	1920	only	-	Sep	19	0:00s	0	-
-Rule	Italy	1940	only	-	Jun	15	0:00s	1:00	S
-Rule	Italy	1944	only	-	Sep	17	0:00s	0	-
-Rule	Italy	1945	only	-	Apr	 2	2:00	1:00	S
-Rule	Italy	1945	only	-	Sep	15	0:00s	0	-
-Rule	Italy	1946	only	-	Mar	17	2:00s	1:00	S
-Rule	Italy	1946	only	-	Oct	 6	2:00s	0	-
-Rule	Italy	1947	only	-	Mar	16	0:00s	1:00	S
-Rule	Italy	1947	only	-	Oct	 5	0:00s	0	-
-Rule	Italy	1948	only	-	Feb	29	2:00s	1:00	S
-Rule	Italy	1948	only	-	Oct	 3	2:00s	0	-
-Rule	Italy	1966	1968	-	May	Sun>=22	0:00	1:00	S
-Rule	Italy	1966	1969	-	Sep	Sun>=22	0:00	0	-
-Rule	Italy	1969	only	-	Jun	 1	0:00	1:00	S
-Rule	Italy	1970	only	-	May	31	0:00	1:00	S
-Rule	Italy	1970	only	-	Sep	lastSun	0:00	0	-
-Rule	Italy	1971	1972	-	May	Sun>=22	0:00	1:00	S
-Rule	Italy	1971	only	-	Sep	lastSun	1:00	0	-
-Rule	Italy	1972	only	-	Oct	 1	0:00	0	-
-Rule	Italy	1973	only	-	Jun	 3	0:00	1:00	S
-Rule	Italy	1973	1974	-	Sep	lastSun	0:00	0	-
-Rule	Italy	1974	only	-	May	26	0:00	1:00	S
-Rule	Italy	1975	only	-	Jun	 1	0:00s	1:00	S
-Rule	Italy	1975	1977	-	Sep	lastSun	0:00s	0	-
-Rule	Italy	1976	only	-	May	30	0:00s	1:00	S
-Rule	Italy	1977	1979	-	May	Sun>=22	0:00s	1:00	S
-Rule	Italy	1978	only	-	Oct	 1	0:00s	0	-
-Rule	Italy	1979	only	-	Sep	30	0:00s	0	-
+Rule	Italy	1916	only	-	Jun	 3	24:00	1:00	S
+Rule	Italy	1916	1917	-	Sep	30	24:00	0	-
+Rule	Italy	1917	only	-	Mar	31	24:00	1:00	S
+Rule	Italy	1918	only	-	Mar	 9	24:00	1:00	S
+Rule	Italy	1918	only	-	Oct	 6	24:00	0	-
+Rule	Italy	1919	only	-	Mar	 1	24:00	1:00	S
+Rule	Italy	1919	only	-	Oct	 4	24:00	0	-
+Rule	Italy	1920	only	-	Mar	20	24:00	1:00	S
+Rule	Italy	1920	only	-	Sep	18	24:00	0	-
+Rule	Italy	1940	only	-	Jun	14	24:00	1:00	S
+Rule	Italy	1942	only	-	Nov	 2	 2:00s	0	-
+Rule	Italy	1943	only	-	Mar	29	 2:00s	1:00	S
+Rule	Italy	1943	only	-	Oct	 4	 2:00s	0	-
+Rule	Italy	1944	only	-	Apr	 2	 2:00s	1:00	S
+Rule	Italy	1944	only	-	Sep	17	 2:00s	0	-
+Rule	Italy	1945	only	-	Apr	 2	 2:00	1:00	S
+Rule	Italy	1945	only	-	Sep	15	 1:00	0	-
+Rule	Italy	1946	only	-	Mar	17	 2:00s	1:00	S
+Rule	Italy	1946	only	-	Oct	 6	 2:00s	0	-
+Rule	Italy	1947	only	-	Mar	16	 0:00s	1:00	S
+Rule	Italy	1947	only	-	Oct	 5	 0:00s	0	-
+Rule	Italy	1948	only	-	Feb	29	 2:00s	1:00	S
+Rule	Italy	1948	only	-	Oct	 3	 2:00s	0	-
+Rule	Italy	1966	1968	-	May	Sun>=22	 0:00s	1:00	S
+Rule	Italy	1966	only	-	Sep	24	24:00	0	-
+Rule	Italy	1967	1969	-	Sep	Sun>=22	 0:00s	0	-
+Rule	Italy	1969	only	-	Jun	 1	 0:00s	1:00	S
+Rule	Italy	1970	only	-	May	31	 0:00s	1:00	S
+Rule	Italy	1970	only	-	Sep	lastSun	 0:00s	0	-
+Rule	Italy	1971	1972	-	May	Sun>=22	 0:00s	1:00	S
+Rule	Italy	1971	only	-	Sep	lastSun	 0:00s	0	-
+Rule	Italy	1972	only	-	Oct	 1	 0:00s	0	-
+Rule	Italy	1973	only	-	Jun	 3	 0:00s	1:00	S
+Rule	Italy	1973	1974	-	Sep	lastSun	 0:00s	0	-
+Rule	Italy	1974	only	-	May	26	 0:00s	1:00	S
+Rule	Italy	1975	only	-	Jun	 1	 0:00s	1:00	S
+Rule	Italy	1975	1977	-	Sep	lastSun	 0:00s	0	-
+Rule	Italy	1976	only	-	May	30	 0:00s	1:00	S
+Rule	Italy	1977	1979	-	May	Sun>=22	 0:00s	1:00	S
+Rule	Italy	1978	only	-	Oct	 1	 0:00s	0	-
+Rule	Italy	1979	only	-	Sep	30	 0:00s	0	-
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone	Europe/Rome	0:49:56 -	LMT	1866 Sep 22
-			0:49:56	-	RMT	1893 Nov  1  0:00s # Rome Mean
-			1:00	Italy	CE%sT	1942 Nov  2  2:00s
-			1:00	C-Eur	CE%sT	1944 Jul
+			0:49:56	-	RMT	1893 Oct 31 23:49:56 # Rome Mean
+			1:00	Italy	CE%sT	1943 Sep 10
+			1:00	C-Eur	CE%sT	1944 Jun  4
 			1:00	Italy	CE%sT	1980
 			1:00	EU	CE%sT
 
@@ -1775,6 +1799,10 @@
 # See Europe/Belgrade.
 
 # Malta
+#
+# From Paul Eggert (2016-10-21):
+# Assume 1900-1972 was like Rome, overriding Shanks.
+#
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
 Rule	Malta	1973	only	-	Mar	31	0:00s	1:00	S
 Rule	Malta	1973	only	-	Sep	29	0:00s	0	-
@@ -1785,8 +1813,6 @@
 Rule	Malta	1980	only	-	Mar	31	2:00	1:00	S
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone	Europe/Malta	0:58:04 -	LMT	1893 Nov  2  0:00s # Valletta
-			1:00	Italy	CE%sT	1942 Nov  2  2:00s
-			1:00	C-Eur	CE%sT	1945 Apr  2  2:00s
 			1:00	Italy	CE%sT	1973 Mar 31
 			1:00	Malta	CE%sT	1981
 			1:00	EU	CE%sT
@@ -1918,7 +1944,7 @@
 # Amsterdam mean time.
 
 # The data entries before 1945 are taken from
-# http://www.phys.uu.nl/~vgent/wettijd/wettijd.htm
+# http://www.staff.science.uu.nl/~gent0113/wettijd/wettijd.htm
 
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
 Rule	Neth	1916	only	-	May	 1	0:00	1:00	NST	# Netherlands Summer Time
@@ -2283,7 +2309,6 @@
 # http://www.worldtimezone.com/dst_news/dst_news_russia-map-2014-07.html
 
 # From Paul Eggert (2006-03-22):
-# Except for Moscow after 1919-07-01, I invented the time zone abbreviations.
 # Moscow time zone abbreviations after 1919-07-01, and Moscow rules after 1991,
 # are from Andrey A. Chernov.  The rest is from Shanks & Pottenger,
 # except we follow Chernov's report that 1992 DST transitions were Sat
@@ -2359,7 +2384,7 @@
 			 2:00	Poland	CE%sT	1946
 			 3:00	Russia	MSK/MSD	1989 Mar 26  2:00s
 			 2:00	Russia	EE%sT	2011 Mar 27  2:00s
-			 3:00	-	FET	2014 Oct 26  2:00s
+			 3:00	-	+03	2014 Oct 26  2:00s
 			 2:00	-	EET
 
 
@@ -2412,6 +2437,16 @@
 # 78	RU-SPE	Saint Petersburg
 # 83	RU-NEN	Nenets Autonomous Okrug
 
+# From Paul Eggert (2016-08-23):
+# The Soviets switched to UT-based time in 1919.  Decree No. 59
+# (1919-02-08) http://istmat.info/node/35567 established UT-based time
+# zones, and Decree No. 147 (1919-03-29) http://istmat.info/node/35854
+# specified a transition date of 1919-07-01, apparently at 00:00 UT.
+# No doubt only the Soviet-controlled regions switched on that date;
+# later transitions to UT-based time in other parts of Russia are
+# taken from what appear to be guesses by Shanks.
+# (Thanks to Alexander Belopolsky for pointers to the decrees.)
+
 # From Stepan Golosunov (2016-03-07):
 # 11. Regions-violators, 1981-1982.
 # Wikipedia refers to
@@ -2453,7 +2488,7 @@
 # attributes the 1982 changes to the Act of the Council of Ministers
 # of the USSR No. 126 from 18.02.1982.  1980-925.txt also adds
 # Udmurtia to the list of affected territories and lists Khatangsky
-# district separately from Taymyr Autonomous Okurg.  Probably erroneously.
+# district separately from Taymyr Autonomous Okrug.  Probably erroneously.
 #
 # The affected territories are currently listed under Europe/Moscow,
 # Asia/Yekaterinburg and Asia/Krasnoyarsk.
@@ -2513,7 +2548,7 @@
 
 Zone Europe/Moscow	 2:30:17 -	LMT	1880
 			 2:30:17 -	MMT	1916 Jul  3 # Moscow Mean Time
-			 2:31:19 Russia	%s	1919 Jul  1  2:00
+			 2:31:19 Russia	%s	1919 Jul  1  0:00u
 			 3:00	Russia	%s	1921 Oct
 			 3:00	Russia	MSK/MSD	1922 Oct
 			 2:00	-	EET	1930 Jun 21
@@ -2596,22 +2631,21 @@
 # The 1988 transition is from USSR act No. 5 (1988-01-04).
 
 Zone Europe/Volgograd	 2:57:40 -	LMT	1920 Jan  3
-			 3:00	-	TSAT	1925 Apr  6 # Tsaritsyn Time
-			 3:00	-	STAT	1930 Jun 21 # Stalingrad Time
-			 4:00	-	STAT	1961 Nov 11
-			 4:00	Russia	VOL%sT	1988 Mar 27  2:00s # Volgograd T
-			 3:00	Russia	VOL%sT	1991 Mar 31  2:00s
-			 4:00	-	VOLT	1992 Mar 29  2:00s
-			 3:00	Russia	MSK/MSD	2011 Mar 27  2:00s
-			 4:00	-	MSK	2014 Oct 26  2:00s
-			 3:00	-	MSK
+			 3:00	-	+03	1930 Jun 21
+			 4:00	-	+04	1961 Nov 11
+			 4:00	Russia	+04/+05	1988 Mar 27  2:00s
+			 3:00	Russia	+03/+04	1991 Mar 31  2:00s
+			 4:00	-	+04	1992 Mar 29  2:00s
+			 3:00	Russia	+03/+04	2011 Mar 27  2:00s
+			 4:00	-	+04	2014 Oct 26  2:00s
+			 3:00	-	+03
 
 # From Paul Eggert (2016-03-18):
 # Europe/Kirov covers:
 # 43	RU-KIR	Kirov Oblast
 # The 1989 transition is from USSR act No. 227 (1989-03-14).
 #
-Zone Europe/Kirov	 3:18:48 -	LMT	1919 Jul  1  2:00
+Zone Europe/Kirov	 3:18:48 -	LMT	1919 Jul  1  0:00u
 			 3:00	-	+03	1930 Jun 21
 			 4:00	Russia	+04/+05	1989 Mar 26  2:00s
 			 3:00	Russia	+03/+04	1991 Mar 31  2:00s
@@ -2629,16 +2663,16 @@
 # Byalokoz 1919 says Samara was 3:20:20.
 # The 1989 transition is from USSR act No. 227 (1989-03-14).
 
-Zone Europe/Samara	 3:20:20 -	LMT	1919 Jul  1  2:00
-			 3:00	-	SAMT	1930 Jun 21 # Samara Time
-			 4:00	-	SAMT	1935 Jan 27
-			 4:00	Russia	KUY%sT	1989 Mar 26  2:00s # Kuybyshev
-			 3:00	Russia	MSK/MSD	1991 Mar 31  2:00s
-			 2:00	Russia	EE%sT	1991 Sep 29  2:00s
-			 3:00	-	SAMT	1991 Oct 20  3:00
-			 4:00	Russia	SAM%sT	2010 Mar 28  2:00s
-			 3:00	Russia	SAM%sT	2011 Mar 27  2:00s
-			 4:00	-	SAMT
+Zone Europe/Samara	 3:20:20 -	LMT	1919 Jul  1  0:00u
+			 3:00	-	+03	1930 Jun 21
+			 4:00	-	+04	1935 Jan 27
+			 4:00	Russia	+04/+05	1989 Mar 26  2:00s
+			 3:00	Russia	+03/+04	1991 Mar 31  2:00s
+			 2:00	Russia	+02/+03	1991 Sep 29  2:00s
+			 3:00	-	+03	1991 Oct 20  3:00
+			 4:00	Russia	+04/+05	2010 Mar 28  2:00s
+			 3:00	Russia	+03/+04	2011 Mar 27  2:00s
+			 4:00	-	+04
 
 # From Paul Eggert (2016-03-18):
 # Europe/Ulyanovsk covers:
@@ -2653,7 +2687,7 @@
 # From Matt Johnson (2016-03-09):
 # http://publication.pravo.gov.ru/Document/View/0001201603090051
 
-Zone Europe/Ulyanovsk	 3:13:36 -	LMT	1919 Jul  1  2:00
+Zone Europe/Ulyanovsk	 3:13:36 -	LMT	1919 Jul  1  0:00u
 			 3:00	-	+03	1930 Jun 21
 			 4:00	Russia	+04/+05	1989 Mar 26  2:00s
 			 3:00	Russia	+03/+04	1991 Mar 31  2:00s
@@ -2685,12 +2719,12 @@
 
 Zone Asia/Yekaterinburg	 4:02:33 -	LMT	1916 Jul  3
 			 3:45:05 -	PMT	1919 Jul 15  4:00
-			 4:00	-	SVET	1930 Jun 21 # Sverdlovsk Time
-			 5:00	Russia	SVE%sT	1991 Mar 31  2:00s
-			 4:00	Russia	SVE%sT	1992 Jan 19  2:00s
-			 5:00	Russia	YEK%sT	2011 Mar 27  2:00s
-			 6:00	-	YEKT	2014 Oct 26  2:00s
-			 5:00	-	YEKT
+			 4:00	-	+04	1930 Jun 21
+			 5:00	Russia	+05/+06	1991 Mar 31  2:00s
+			 4:00	Russia	+04/+05	1992 Jan 19  2:00s
+			 5:00	Russia	+05/+06	2011 Mar 27  2:00s
+			 6:00	-	+06	2014 Oct 26  2:00s
+			 5:00	-	+05
 
 
 # From Tim Parenti (2014-07-03), per Oscar van Vlijmen (2001-08-25):
@@ -2700,12 +2734,12 @@
 # Byalokoz 1919 says Omsk was 4:53:30.
 
 Zone Asia/Omsk		 4:53:30 -	LMT	1919 Nov 14
-			 5:00	-	OMST	1930 Jun 21 # Omsk Time
-			 6:00	Russia	OMS%sT	1991 Mar 31  2:00s
-			 5:00	Russia	OMS%sT	1992 Jan 19  2:00s
-			 6:00	Russia	OMS%sT	2011 Mar 27  2:00s
-			 7:00	-	OMST	2014 Oct 26  2:00s
-			 6:00	-	OMST
+			 5:00	-	+05	1930 Jun 21
+			 6:00	Russia	+06/+07	1991 Mar 31  2:00s
+			 5:00	Russia	+05/+06	1992 Jan 19  2:00s
+			 6:00	Russia	+06/+07	2011 Mar 27  2:00s
+			 7:00	-	+07	2014 Oct 26  2:00s
+			 6:00	-	+06
 
 # From Paul Eggert (2016-02-22):
 # Asia/Barnaul covers:
@@ -2785,7 +2819,7 @@
 # Note that time belts (numbered from 2 (Moscow) to 12 according to their
 # GMT/UTC offset and having too many exceptions like regions formally
 # belonging to one belt but using time from another) were replaced
-# with time zones in 2011 with different numberings (there was a
+# with time zones in 2011 with different numbering (there was a
 # 2-hour gap between second and third zones in 2011-2014).
 
 # From Stepan Golosunov (2016-04-12):
@@ -2868,12 +2902,12 @@
 # Byalokoz 1919 says Krasnoyarsk was 6:11:26.
 
 Zone Asia/Krasnoyarsk	 6:11:26 -	LMT	1920 Jan  6
-			 6:00	-	KRAT	1930 Jun 21 # Krasnoyarsk Time
-			 7:00	Russia	KRA%sT	1991 Mar 31  2:00s
-			 6:00	Russia	KRA%sT	1992 Jan 19  2:00s
-			 7:00	Russia	KRA%sT	2011 Mar 27  2:00s
-			 8:00	-	KRAT	2014 Oct 26  2:00s
-			 7:00	-	KRAT
+			 6:00	-	+06	1930 Jun 21
+			 7:00	Russia	+07/+08	1991 Mar 31  2:00s
+			 6:00	Russia	+06/+07	1992 Jan 19  2:00s
+			 7:00	Russia	+07/+08	2011 Mar 27  2:00s
+			 8:00	-	+08	2014 Oct 26  2:00s
+			 7:00	-	+07
 
 
 # From Tim Parenti (2014-07-03), per Oscar van Vlijmen (2001-08-25):
@@ -2890,12 +2924,12 @@
 
 Zone Asia/Irkutsk	 6:57:05 -	LMT	1880
 			 6:57:05 -	IMT	1920 Jan 25 # Irkutsk Mean Time
-			 7:00	-	IRKT	1930 Jun 21 # Irkutsk Time
-			 8:00	Russia	IRK%sT	1991 Mar 31  2:00s
-			 7:00	Russia	IRK%sT	1992 Jan 19  2:00s
-			 8:00	Russia	IRK%sT	2011 Mar 27  2:00s
-			 9:00	-	IRKT	2014 Oct 26  2:00s
-			 8:00	-	IRKT
+			 7:00	-	+07	1930 Jun 21
+			 8:00	Russia	+08/+09	1991 Mar 31  2:00s
+			 7:00	Russia	+07/+08	1992 Jan 19  2:00s
+			 8:00	Russia	+08/+09	2011 Mar 27  2:00s
+			 9:00	-	+09	2014 Oct 26  2:00s
+			 8:00	-	+08
 
 
 # From Tim Parenti (2014-07-06):
@@ -2912,13 +2946,13 @@
 # http://publication.pravo.gov.ru/Document/View/0001201512300107
 
 Zone Asia/Chita	 7:33:52 -	LMT	1919 Dec 15
-			 8:00	-	YAKT	1930 Jun 21 # Yakutsk Time
-			 9:00	Russia	YAK%sT	1991 Mar 31  2:00s
-			 8:00	Russia	YAK%sT	1992 Jan 19  2:00s
-			 9:00	Russia	YAK%sT	2011 Mar 27  2:00s
-			10:00	-	YAKT	2014 Oct 26  2:00s
-			 8:00	-	IRKT	2016 Mar 27  2:00
-			 9:00	-	YAKT
+			 8:00	-	+08	1930 Jun 21
+			 9:00	Russia	+09/+10	1991 Mar 31  2:00s
+			 8:00	Russia	+08/+09	1992 Jan 19  2:00s
+			 9:00	Russia	+09/+10	2011 Mar 27  2:00s
+			10:00	-	+10	2014 Oct 26  2:00s
+			 8:00	-	+08	2016 Mar 27  2:00
+			 9:00	-	+09
 
 
 # From Tim Parenti (2014-07-03), per Oscar van Vlijmen (2009-11-29):
@@ -2958,12 +2992,12 @@
 # Byalokoz 1919 says Yakutsk was 8:38:58.
 
 Zone Asia/Yakutsk	 8:38:58 -	LMT	1919 Dec 15
-			 8:00	-	YAKT	1930 Jun 21 # Yakutsk Time
-			 9:00	Russia	YAK%sT	1991 Mar 31  2:00s
-			 8:00	Russia	YAK%sT	1992 Jan 19  2:00s
-			 9:00	Russia	YAK%sT	2011 Mar 27  2:00s
-			10:00	-	YAKT	2014 Oct 26  2:00s
-			 9:00	-	YAKT
+			 8:00	-	+08	1930 Jun 21
+			 9:00	Russia	+09/+10	1991 Mar 31  2:00s
+			 8:00	Russia	+08/+09	1992 Jan 19  2:00s
+			 9:00	Russia	+09/+10	2011 Mar 27  2:00s
+			10:00	-	+10	2014 Oct 26  2:00s
+			 9:00	-	+09
 
 
 # From Tim Parenti (2014-07-03), per Oscar van Vlijmen (2009-11-29):
@@ -2981,12 +3015,12 @@
 # Go with Byalokoz.
 
 Zone Asia/Vladivostok	 8:47:31 -	LMT	1922 Nov 15
-			 9:00	-	VLAT	1930 Jun 21 # Vladivostok Time
-			10:00	Russia	VLA%sT	1991 Mar 31  2:00s
-			 9:00	Russia	VLA%sT	1992 Jan 19  2:00s
-			10:00	Russia	VLA%sT	2011 Mar 27  2:00s
-			11:00	-	VLAT	2014 Oct 26  2:00s
-			10:00	-	VLAT
+			 9:00	-	+09	1930 Jun 21
+			10:00	Russia	+10/+11	1991 Mar 31  2:00s
+			 9:00	Russia	+09/+10	1992 Jan 19  2:00s
+			10:00	Russia	+10/+11	2011 Mar 27  2:00s
+			11:00	-	+11	2014 Oct 26  2:00s
+			10:00	-	+10
 
 
 # From Tim Parenti (2014-07-03):
@@ -3004,14 +3038,14 @@
 # This transition is no doubt wrong, but we have no better info.
 
 Zone Asia/Khandyga	 9:02:13 -	LMT	1919 Dec 15
-			 8:00	-	YAKT	1930 Jun 21 # Yakutsk Time
-			 9:00	Russia	YAK%sT	1991 Mar 31  2:00s
-			 8:00	Russia	YAK%sT	1992 Jan 19  2:00s
-			 9:00	Russia	YAK%sT	2004
-			10:00	Russia	VLA%sT	2011 Mar 27  2:00s
-			11:00	-	VLAT	2011 Sep 13  0:00s # Decree 725?
-			10:00	-	YAKT	2014 Oct 26  2:00s
-			 9:00	-	YAKT
+			 8:00	-	+08	1930 Jun 21
+			 9:00	Russia	+09/+10	1991 Mar 31  2:00s
+			 8:00	Russia	+08/+09	1992 Jan 19  2:00s
+			 9:00	Russia	+09/+10	2004
+			10:00	Russia	+10/+11	2011 Mar 27  2:00s
+			11:00	-	+11	2011 Sep 13  0:00s # Decree 725?
+			10:00	-	+10	2014 Oct 26  2:00s
+			 9:00	-	+09
 
 
 # From Tim Parenti (2014-07-03):
@@ -3027,15 +3061,14 @@
 
 # The Zone name should be Asia/Yuzhno-Sakhalinsk, but that's too long.
 Zone Asia/Sakhalin	 9:30:48 -	LMT	1905 Aug 23
-			 9:00	-	JCST	1937 Oct  1
-			 9:00	-	JST	1945 Aug 25
-			11:00	Russia	SAK%sT	1991 Mar 31  2:00s # Sakhalin T
-			10:00	Russia	SAK%sT	1992 Jan 19  2:00s
-			11:00	Russia	SAK%sT	1997 Mar lastSun  2:00s
-			10:00	Russia	SAK%sT	2011 Mar 27  2:00s
-			11:00	-	SAKT	2014 Oct 26  2:00s
-			10:00	-	SAKT	2016 Mar 27  2:00s
-			11:00	-	SAKT
+			 9:00	-	+09	1945 Aug 25
+			11:00	Russia	+11/+12	1991 Mar 31  2:00s # Sakhalin T
+			10:00	Russia	+10/+11	1992 Jan 19  2:00s
+			11:00	Russia	+11/+12	1997 Mar lastSun  2:00s
+			10:00	Russia	+10/+11	2011 Mar 27  2:00s
+			11:00	-	+11	2014 Oct 26  2:00s
+			10:00	-	+10	2016 Mar 27  2:00s
+			11:00	-	+11
 
 
 # From Tim Parenti (2014-07-03), per Oscar van Vlijmen (2009-11-29):
@@ -3058,13 +3091,13 @@
 # http://publication.pravo.gov.ru/Document/View/0001201604050038
 
 Zone Asia/Magadan	10:03:12 -	LMT	1924 May  2
-			10:00	-	MAGT	1930 Jun 21 # Magadan Time
-			11:00	Russia	MAG%sT	1991 Mar 31  2:00s
-			10:00	Russia	MAG%sT	1992 Jan 19  2:00s
-			11:00	Russia	MAG%sT	2011 Mar 27  2:00s
-			12:00	-	MAGT	2014 Oct 26  2:00s
-			10:00	-	MAGT	2016 Apr 24  2:00s
-			11:00	-	MAGT
+			10:00	-	+10	1930 Jun 21 # Magadan Time
+			11:00	Russia	+11/+12	1991 Mar 31  2:00s
+			10:00	Russia	+10/+11	1992 Jan 19  2:00s
+			11:00	Russia	+11/+12	2011 Mar 27  2:00s
+			12:00	-	+12	2014 Oct 26  2:00s
+			10:00	-	+10	2016 Apr 24  2:00s
+			11:00	-	+11
 
 
 # From Tim Parenti (2014-07-06):
@@ -3107,17 +3140,14 @@
 # in Russian.)  In addition, Srednekolymsk appears to be a much older
 # settlement and the population of Zyryanka seems to be declining.
 # Go with Srednekolymsk.
-#
-# Since Magadan Oblast moves to UTC+10 on 2014-10-26, we cannot keep using MAGT
-# as the abbreviation.  Use SRET instead.
 
 Zone Asia/Srednekolymsk	10:14:52 -	LMT	1924 May  2
-			10:00	-	MAGT	1930 Jun 21 # Magadan Time
-			11:00	Russia	MAG%sT	1991 Mar 31  2:00s
-			10:00	Russia	MAG%sT	1992 Jan 19  2:00s
-			11:00	Russia	MAG%sT	2011 Mar 27  2:00s
-			12:00	-	MAGT	2014 Oct 26  2:00s
-			11:00	-	SRET	# Srednekolymsk Time
+			10:00	-	+10	1930 Jun 21
+			11:00	Russia	+11/+12	1991 Mar 31  2:00s
+			10:00	Russia	+10/+11	1992 Jan 19  2:00s
+			11:00	Russia	+11/+12	2011 Mar 27  2:00s
+			12:00	-	+12	2014 Oct 26  2:00s
+			11:00	-	+11
 
 
 # From Tim Parenti (2014-07-03):
@@ -3135,14 +3165,14 @@
 # UTC+12 since at least then, too.
 
 Zone Asia/Ust-Nera	 9:32:54 -	LMT	1919 Dec 15
-			 8:00	-	YAKT	1930 Jun 21 # Yakutsk Time
-			 9:00	Russia	YAKT	1981 Apr  1
-			11:00	Russia	MAG%sT	1991 Mar 31  2:00s
-			10:00	Russia	MAG%sT	1992 Jan 19  2:00s
-			11:00	Russia	MAG%sT	2011 Mar 27  2:00s
-			12:00	-	MAGT	2011 Sep 13  0:00s # Decree 725?
-			11:00	-	VLAT	2014 Oct 26  2:00s
-			10:00	-	VLAT
+			 8:00	-	+08	1930 Jun 21
+			 9:00	Russia	+09/+10	1981 Apr  1
+			11:00	Russia	+11/+12	1991 Mar 31  2:00s
+			10:00	Russia	+10/+11	1992 Jan 19  2:00s
+			11:00	Russia	+11/+12	2011 Mar 27  2:00s
+			12:00	-	+12	2011 Sep 13  0:00s # Decree 725?
+			11:00	-	+11	2014 Oct 26  2:00s
+			10:00	-	+10
 
 
 # From Tim Parenti (2014-07-03), per Oscar van Vlijmen (2001-08-25):
@@ -3155,12 +3185,12 @@
 # The Zone name should be Asia/Petropavlovsk-Kamchatski or perhaps
 # Asia/Petropavlovsk-Kamchatsky, but these are too long.
 Zone Asia/Kamchatka	10:34:36 -	LMT	1922 Nov 10
-			11:00	-	PETT	1930 Jun 21 # P-K Time
-			12:00	Russia	PET%sT	1991 Mar 31  2:00s
-			11:00	Russia	PET%sT	1992 Jan 19  2:00s
-			12:00	Russia	PET%sT	2010 Mar 28  2:00s
-			11:00	Russia	PET%sT	2011 Mar 27  2:00s
-			12:00	-	PETT
+			11:00	-	+11	1930 Jun 21
+			12:00	Russia	+12/+13	1991 Mar 31  2:00s
+			11:00	Russia	+11/+12	1992 Jan 19  2:00s
+			12:00	Russia	+12/+13	2010 Mar 28  2:00s
+			11:00	Russia	+11/+12	2011 Mar 27  2:00s
+			12:00	-	+12
 
 
 # From Tim Parenti (2014-07-03):
@@ -3168,13 +3198,13 @@
 # 87	RU-CHU	Chukotka Autonomous Okrug
 
 Zone Asia/Anadyr	11:49:56 -	LMT	1924 May  2
-			12:00	-	ANAT	1930 Jun 21 # Anadyr Time
-			13:00	Russia	ANA%sT	1982 Apr  1  0:00s
-			12:00	Russia	ANA%sT	1991 Mar 31  2:00s
-			11:00	Russia	ANA%sT	1992 Jan 19  2:00s
-			12:00	Russia	ANA%sT	2010 Mar 28  2:00s
-			11:00	Russia	ANA%sT	2011 Mar 27  2:00s
-			12:00	-	ANAT
+			12:00	-	+12	1930 Jun 21
+			13:00	Russia	+13/+14	1982 Apr  1  0:00s
+			12:00	Russia	+12/+13	1991 Mar 31  2:00s
+			11:00	Russia	+11/+12	1992 Jan 19  2:00s
+			12:00	Russia	+12/+13	2010 Mar 28  2:00s
+			11:00	Russia	+11/+12	2011 Mar 27  2:00s
+			12:00	-	+12
 
 
 # San Marino
@@ -3433,22 +3463,24 @@
 
 # Turkey
 
-# From Amar Devegowda (2007-01-03):
-# The time zone rules for Istanbul, Turkey have not been changed for years now.
-# ... The latest rules are available at:
-# http://www.timeanddate.com/worldclock/timezone.html?n=107
-# From Steffen Thorsen (2007-01-03):
-# I have been able to find press records back to 1996 which all say that
-# DST started 01:00 local time and end at 02:00 local time.  I am not sure
-# what happened before that.  One example for each year from 1996 to 2001:
-# http://newspot.byegm.gov.tr/arsiv/1996/21/N4.htm
-# http://www.byegm.gov.tr/YAYINLARIMIZ/CHR/ING97/03/97X03X25.TXT
-# http://www.byegm.gov.tr/YAYINLARIMIZ/CHR/ING98/03/98X03X02.HTM
-# http://www.byegm.gov.tr/YAYINLARIMIZ/CHR/ING99/10/99X10X26.HTM#%2016
-# http://www.byegm.gov.tr/YAYINLARIMIZ/CHR/ING2000/03/00X03X06.HTM#%2021
-# http://www.byegm.gov.tr/YAYINLARIMIZ/CHR/ING2001/03/23x03x01.HTM#%2027
-# From Paul Eggert (2007-01-03):
-# Prefer the above source to Shanks & Pottenger for time stamps after 1990.
+# From Kıvanç Yazan (2016-09-25):
+# 1) For 1986-2006, DST started at 01:00 local and ended at 02:00 local, with
+#    no exceptions.
+# 2) 1994's lastSun was overridden with Mar 20 ...
+# Here are official papers:
+# http://www.resmigazete.gov.tr/arsiv/19032.pdf  - page 2 for 1986
+# http://www.resmigazete.gov.tr/arsiv/19400.pdf  - page 4 for 1987
+# http://www.resmigazete.gov.tr/arsiv/19752.pdf  - page 15 for 1988
+# http://www.resmigazete.gov.tr/arsiv/20102.pdf  - page 6 for 1989
+# http://www.resmigazete.gov.tr/arsiv/20464.pdf  - page 1 for 1990 - 1992
+# http://www.resmigazete.gov.tr/arsiv/21531.pdf  - page 15 for 1993 - 1995
+# http://www.resmigazete.gov.tr/arsiv/21879.pdf  - page 1 for overriding 1994
+# http://www.resmigazete.gov.tr/arsiv/22588.pdf  - page 1 for 1996, 1997
+# http://www.resmigazete.gov.tr/arsiv/23286.pdf  - page 10 for 1998 - 2000
+# http://www.resmigazete.gov.tr/eskiler/2001/03/20010324.htm#2  - for 2001
+# http://www.resmigazete.gov.tr/eskiler/2002/03/20020316.htm#2  - for 2002-2006
+# From Paul Eggert (2016-09-25):
+# Prefer the above sources to Shanks & Pottenger for time stamps after 1985.
 
 # From Steffen Thorsen (2007-03-09):
 # Starting 2007 though, it seems that they are adopting EU's 1:00 UTC
@@ -3495,6 +3527,14 @@
 # Engineered Standard Time," said Twitter user @aysekarahasan.
 # http://www.bbc.com/news/world-europe-34631326
 
+# From Burak AYDIN (2016-09-08):
+# Turkey will stay in Daylight Saving Time even in winter....
+# http://www.resmigazete.gov.tr/eskiler/2016/09/20160908-2.pdf
+#
+# From Paul Eggert (2016-09-07):
+# The change is permanent, so this is the new standard time in Turkey.
+# It takes effect today, which is not much notice.
+
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
 Rule	Turkey	1916	only	-	May	 1	0:00	1:00	S
 Rule	Turkey	1916	only	-	Oct	 1	0:00	0	-
@@ -3549,16 +3589,16 @@
 Rule	Turkey	1983	only	-	Oct	 2	0:00	0	-
 Rule	Turkey	1985	only	-	Apr	20	0:00	1:00	S
 Rule	Turkey	1985	only	-	Sep	28	0:00	0	-
-Rule	Turkey	1986	1990	-	Mar	lastSun	2:00s	1:00	S
-Rule	Turkey	1986	1990	-	Sep	lastSun	2:00s	0	-
-Rule	Turkey	1991	2006	-	Mar	lastSun	1:00s	1:00	S
-Rule	Turkey	1991	1995	-	Sep	lastSun	1:00s	0	-
+Rule	Turkey	1986	1993	-	Mar	lastSun	1:00s	1:00	S
+Rule	Turkey	1986	1995	-	Sep	lastSun	1:00s	0	-
+Rule	Turkey	1994	only	-	Mar	20	1:00s	1:00	S
+Rule	Turkey	1995	2006	-	Mar	lastSun	1:00s	1:00	S
 Rule	Turkey	1996	2006	-	Oct	lastSun	1:00s	0	-
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone	Europe/Istanbul	1:55:52 -	LMT	1880
 			1:56:56	-	IMT	1910 Oct # Istanbul Mean Time?
 			2:00	Turkey	EE%sT	1978 Oct 15
-			3:00	Turkey	TR%sT	1985 Apr 20 # Turkey Time
+			3:00	Turkey	+03/+04	1985 Apr 20
 			2:00	Turkey	EE%sT	2007
 			2:00	EU	EE%sT	2011 Mar 27  1:00u
 			2:00	-	EET	2011 Mar 28  1:00u
@@ -3566,7 +3606,8 @@
 			2:00	-	EET	2014 Mar 31  1:00u
 			2:00	EU	EE%sT	2015 Oct 25  1:00u
 			2:00	1:00	EEST	2015 Nov  8  1:00u
-			2:00	EU	EE%sT
+			2:00	EU	EE%sT	2016 Sep  7
+			3:00	-	+03
 Link	Europe/Istanbul	Asia/Istanbul	# Istanbul is in both continents.
 
 # Ukraine
--- a/make/data/tzdata/factory	Tue Dec 13 12:52:17 2016 -0800
+++ b/make/data/tzdata/factory	Tue Dec 20 13:28:30 2016 -0800
@@ -24,9 +24,10 @@
 # This file is in the public domain, so clarified as of
 # 2009-05-17 by Arthur David Olson.
 
-# For companies who don't want to put time zone specification in
-# their installation procedures.  When users run date, they'll get the message.
-# Also useful for the "comp.sources" version.
+# For distributors who don't want to put time zone specification in
+# their installation procedures.  Users that run 'date' will get the
+# time zone abbreviation "-00", indicating that the actual time zone
+# is unknown.
 
 # Zone	NAME	GMTOFF	RULES	FORMAT
-Zone	Factory	0	- "Local time zone must be set--see zic manual page"
+Zone	Factory	0	-	-00
--- a/make/data/tzdata/leapseconds	Tue Dec 13 12:52:17 2016 -0800
+++ b/make/data/tzdata/leapseconds	Tue Dec 20 13:28:30 2016 -0800
@@ -79,6 +79,7 @@
 Leap	2008	Dec	31	23:59:60	+	S
 Leap	2012	Jun	30	23:59:60	+	S
 Leap	2015	Jun	30	23:59:60	+	S
+Leap	2016	Dec	31	23:59:60	+	S
 
-#	Updated through IERS Bulletin C51
-#	File expires on:  28 December 2016
+#	Updated through IERS Bulletin C52
+#	File expires on:  28 June 2017
--- a/make/data/tzdata/northamerica	Tue Dec 13 12:52:17 2016 -0800
+++ b/make/data/tzdata/northamerica	Tue Dec 20 13:28:30 2016 -0800
@@ -47,8 +47,32 @@
 # was the result of his proposals at the Convention of Railroad Trunk Lines
 # in New York City (1869-10).  His 1870 proposal was based on Washington, DC,
 # but in 1872-05 he moved the proposed origin to Greenwich.
-# His proposal was adopted by the railroads on 1883-11-18 at 12:00,
-# and the most of the country soon followed suit.
+
+# From Paul Eggert (2016-09-21):
+# Dowd's proposal left many details unresolved, such as where to draw
+# lines between time zones.  The key individual who made time zones
+# work in the US was William Frederick Allen - railway engineer,
+# managing editor of the Travelers' Guide, and secretary of the
+# General Time Convention, a railway standardization group.  Allen
+# spent months in dialogs with scientific and railway leaders,
+# developed a workable plan to institute time zones, and presented it
+# to the General Time Convention on 1883-04-11, saying that his plan
+# meant "local time would be practically abolished" - a plus for
+# railway scheduling.  By the next convention on 1883-10-11 nearly all
+# railroads had agreed and it took effect on 1883-11-18 at 12:00.
+# That Sunday was called the "day of two noons", as the eastern parts
+# of the new zones observed noon twice.  Allen witnessed the
+# transition in New York City, writing:
+#
+#   I heard the bells of St. Paul's strike on the old time.  Four
+#   minutes later, obedient to the electrical signal from the Naval
+#   Observatory ... the time-ball made its rapid descent, the chimes
+#   of old Trinity rang twelve measured strokes, and local time was
+#   abandoned, probably forever.
+#
+# Most of the US soon followed suit.  See:
+# Bartky IR. The adoption of standard time. Technol Cult 1989 Jan;30(1):25-56.
+# http://dx.doi.org/10.2307/3105430
 
 # From Paul Eggert (2005-04-16):
 # That 1883 transition occurred at 12:00 new time, not at 12:00 old time.
@@ -436,11 +460,42 @@
 # north of the Salmon River, and the towns of Burgdorf and Warren),
 # Nevada (except West Wendover), Oregon (except the northern 3/4 of
 # Malheur county), and Washington
+
+# From Paul Eggert (2016-08-20):
+# In early February 1948, in response to California's electricity shortage,
+# PG&E changed power frequency from 60 to 59.5 Hz during daylight hours,
+# causing electric clocks to lose six minutes per day.  (This did not change
+# legal time, and is not part of the data here.)  See:
+# Ross SA. An energy crisis from the past: Northern California in 1948.
+# Working Paper No. 8, Institute of Governmental Studies, UC Berkeley,
+# 1973-11.  http://escholarship.org/uc/item/8x22k30c
+#
+# In another measure to save electricity, DST was instituted from 1948-03-14
+# at 02:01 to 1949-01-16 at 02:00, with the governor having the option to move
+# the fallback transition earlier.  See pages 3-4 of:
+# http://clerk.assembly.ca.gov/sites/clerk.assembly.ca.gov/files/archive/Statutes/1948/48Vol1_Chapters.pdf
+#
+# In response:
+#
+#   Governor Warren received a torrent of objecting mail, and it is not too much
+#   to speculate that the objections to Daylight Saving Time were one important
+#   factor in the defeat of the Dewey-Warren Presidential ticket in California.
+#     -- Ross, p 25
+#
+# On December 8 the governor exercised the option, setting the date to January 1
+# (LA Times 1948-12-09).  The transition time was 02:00 (LA Times 1949-01-01).
+#
+# Despite the controversy, in 1949 California voters approved Proposition 12,
+# which established DST from April's last Sunday at 01:00 until September's
+# last Sunday at 02:00. This was amended by 1962's Proposition 6, which changed
+# the fall-back date to October's last Sunday. See:
+# http://repository.uchastings.edu/cgi/viewcontent.cgi?article=1501&context=ca_ballot_props
+# http://repository.uchastings.edu/cgi/viewcontent.cgi?article=1636&context=ca_ballot_props
 #
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER
-Rule	CA	1948	only	-	Mar	14	2:00	1:00	D
+Rule	CA	1948	only	-	Mar	14	2:01	1:00	D
 Rule	CA	1949	only	-	Jan	 1	2:00	0	S
-Rule	CA	1950	1966	-	Apr	lastSun	2:00	1:00	D
+Rule	CA	1950	1966	-	Apr	lastSun	1:00	1:00	D
 Rule	CA	1950	1961	-	Sep	lastSun	2:00	0	S
 Rule	CA	1962	1966	-	Oct	lastSun	2:00	0	S
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
@@ -3304,7 +3359,7 @@
 # indicating that the normal ET rules are followed.
 #
 # From Paul Eggert (2014-08-19):
-# The 2014-08-13 Cabinet meeting decided to stay on UTC-4 year-round.  See:
+# The 2014-08-13 Cabinet meeting decided to stay on UT -04 year-round.  See:
 # http://tcweeklynews.com/daylight-savings-time-to-be-maintained-p5353-127.htm
 # Model this as a switch from EST/EDT to AST ...
 # From Chris Walton (2014-11-04):
--- a/make/data/tzdata/southamerica	Tue Dec 13 12:52:17 2016 -0800
+++ b/make/data/tzdata/southamerica	Tue Dec 20 13:28:30 2016 -0800
@@ -433,9 +433,9 @@
 # stuck on Summer daylight savings time even though the summer is over.
 
 # From Paul Eggert (2013-09-05):
-# Perhaps San Luis operates on the legal fiction that it is at UTC-4
+# Perhaps San Luis operates on the legal fiction that it is at -04
 # with perpetual summer time, but ordinary usage typically seems to
-# just say it's at UTC-3; see, for example,
+# just say it's at -03; see, for example,
 # http://es.wikipedia.org/wiki/Hora_oficial_argentina
 # We've documented similar situations as being plain changes to
 # standard time, so let's do that here too.  This does not change UTC
--- a/make/data/tzdata/zone.tab	Tue Dec 13 12:52:17 2016 -0800
+++ b/make/data/tzdata/zone.tab	Tue Dec 20 13:28:30 2016 -0800
@@ -175,7 +175,8 @@
 CV	+1455-02331	Atlantic/Cape_Verde
 CW	+1211-06900	America/Curacao
 CX	-1025+10543	Indian/Christmas
-CY	+3510+03322	Asia/Nicosia
+CY	+3510+03322	Asia/Nicosia	Cyprus (most areas)
+CY	+3507+03357	Asia/Famagusta	Northern Cyprus
 CZ	+5005+01426	Europe/Prague
 DE	+5230+01322	Europe/Berlin	Germany (most areas)
 DE	+4742+00841	Europe/Busingen	Busingen
@@ -284,7 +285,7 @@
 MH	+0905+16720	Pacific/Kwajalein	Kwajalein
 MK	+4159+02126	Europe/Skopje
 ML	+1239-00800	Africa/Bamako
-MM	+1647+09610	Asia/Rangoon
+MM	+1647+09610	Asia/Yangon
 MN	+4755+10653	Asia/Ulaanbaatar	Mongolia (most areas)
 MN	+4801+09139	Asia/Hovd	Bayan-Olgiy, Govi-Altai, Hovd, Uvs, Zavkhan
 MN	+4804+11430	Asia/Choibalsan	Dornod, Sukhbaatar
--- a/src/macosx/native/sun/awt/CMenuComponent.m	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/macosx/native/sun/awt/CMenuComponent.m	Tue Dec 20 13:28:30 2016 -0800
@@ -41,45 +41,11 @@
     return self;
 }
 
--(void) cleanup {
-    // Used by subclasses
-}
-
--(void) disposer {
+-(void) dealloc {
     JNIEnv *env = [ThreadUtilities getJNIEnvUncached];
     JNFDeleteGlobalRef(env, fPeer);
     fPeer = NULL;
 
-    [self cleanup];
-    [self release];
+    [super dealloc];
 }
-
-// The method is used by all subclasses, since the process of the creation
-// is the same. The only exception is the CMenuItem class.
-- (void) _create_OnAppKitThread: (NSMutableArray *)argValue {
-    jobject cPeerObjGlobal = (jobject)[[argValue objectAtIndex: 0] pointerValue];
-    CMenuItem *aCMenuItem = [self initWithPeer:cPeerObjGlobal];
-    [argValue removeAllObjects];
-    [argValue addObject: aCMenuItem];
-}
-
 @end
-
-/*
- * Class:     sun_lwawt_macosx_CMenuComponent
- * Method:    nativeDispose
- * Signature: (J)V
- */
-JNIEXPORT void JNICALL
-Java_sun_lwawt_macosx_CMenuComponent_nativeDispose
-(JNIEnv *env, jobject peer, jlong menuItemObj)
-{
-JNF_COCOA_ENTER(env);
-
-    [ThreadUtilities performOnMainThread:@selector(disposer)
-                                      on:((id)jlong_to_ptr(menuItemObj))
-                              withObject:nil
-                           waitUntilDone:NO];
-
-JNF_COCOA_EXIT(env);
-}
--- a/src/share/classes/com/sun/imageio/plugins/png/PNGImageReader.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/share/classes/com/sun/imageio/plugins/png/PNGImageReader.java	Tue Dec 20 13:28:30 2016 -0800
@@ -729,7 +729,11 @@
                     parse_iCCP_chunk(chunkLength);
                     break;
                 case iTXt_TYPE:
-                    parse_iTXt_chunk(chunkLength);
+                    if (ignoreMetadata) {
+                        stream.skipBytes(chunkLength);
+                    } else {
+                        parse_iTXt_chunk(chunkLength);
+                    }
                     break;
                 case pHYs_TYPE:
                     parse_pHYs_chunk();
@@ -753,7 +757,11 @@
                     parse_tRNS_chunk(chunkLength);
                     break;
                 case zTXt_TYPE:
-                    parse_zTXt_chunk(chunkLength);
+                    if (ignoreMetadata) {
+                        stream.skipBytes(chunkLength);
+                    } else {
+                        parse_zTXt_chunk(chunkLength);
+                    }
                     break;
                 default:
                     // Read an unknown chunk
--- a/src/share/classes/com/sun/jndi/cosnaming/CNBindingEnumeration.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/share/classes/com/sun/jndi/cosnaming/CNBindingEnumeration.java	Tue Dec 20 13:28:30 2016 -0800
@@ -33,6 +33,8 @@
 
 import org.omg.CosNaming.*;
 
+import com.sun.jndi.toolkit.corba.CorbaUtils;
+
 /**
   * Implements the JNDI NamingEnumeration interface for COS
   * Naming. Gets hold of a list of bindings from the COS Naming Server
@@ -212,7 +214,10 @@
         Name cname = CNNameParser.cosNameToName(bndg.binding_name);
 
         try {
+            // Check whether object factory codebase is trusted
+            if (CorbaUtils.isObjectFactoryTrusted(obj)) {
             obj = NamingManager.getObjectInstance(obj, cname, _ctx, _env);
+            }
         } catch (NamingException e) {
             throw e;
         } catch (Exception e) {
--- a/src/share/classes/com/sun/jndi/cosnaming/CNCtx.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/share/classes/com/sun/jndi/cosnaming/CNCtx.java	Tue Dec 20 13:28:30 2016 -0800
@@ -36,6 +36,8 @@
 import java.io.InputStreamReader;
 import java.io.BufferedReader;
 import java.io.IOException;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 
 import org.omg.CosNaming.*;
 import org.omg.CosNaming.NamingContextPackage.*;
@@ -82,6 +84,19 @@
     private static final String FED_PROP = "com.sun.jndi.cosnaming.federation";
     boolean federation = false;
 
+    /**
+     * Determines whether classes may be loaded from an arbitrary URL code base.
+     */
+    public static final boolean trustURLCodebase;
+    static {
+        // System property to control whether classes may be loaded from an
+        // arbitrary URL code base
+        PrivilegedAction<String> act = () -> System.getProperty(
+            "com.sun.jndi.cosnaming.object.trustURLCodebase", "false");
+        String trust = AccessController.doPrivileged(act);
+        trustURLCodebase = "true".equalsIgnoreCase(trust);
+    }
+
     // Reference counter for tracking _orb references
     OrbReuseTracker orbTracker = null;
     int enumCount;
@@ -534,12 +549,16 @@
             if (name.size() == 0 )
                 return this; // %%% should clone() so that env can be changed
             NameComponent[] path = CNNameParser.nameToCosName(name);
+            java.lang.Object answer = null;
 
             try {
-                java.lang.Object answer = callResolve(path);
-
+                answer = callResolve(path);
                 try {
-                    return NamingManager.getObjectInstance(answer, name, this, _env);
+                    // Check whether object factory codebase is trusted
+                    if (CorbaUtils.isObjectFactoryTrusted(answer)) {
+                        answer = NamingManager.getObjectInstance(
+                            answer, name, this, _env);
+                    }
                 } catch (NamingException e) {
                     throw e;
                 } catch (Exception e) {
@@ -552,6 +571,7 @@
                 javax.naming.Context cctx = getContinuationContext(cpe);
                 return cctx.lookup(cpe.getRemainingName());
             }
+            return answer;
     }
 
     /**
--- a/src/share/classes/com/sun/jndi/cosnaming/ExceptionMapper.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/share/classes/com/sun/jndi/cosnaming/ExceptionMapper.java	Tue Dec 20 13:28:30 2016 -0800
@@ -33,6 +33,8 @@
 import org.omg.CosNaming.NamingContextPackage.*;
 import org.omg.CORBA.*;
 
+import com.sun.jndi.toolkit.corba.CorbaUtils;
+
 /**
   * A convenience class to map the COS Naming exceptions to the JNDI exceptions.
   * @author Raj Krishnamurthy
@@ -202,10 +204,13 @@
             // Not a context, use object factory to transform object.
 
             Name cname = CNNameParser.cosNameToName(resolvedName);
-            java.lang.Object resolvedObj2;
+            java.lang.Object resolvedObj2 = null;
             try {
+                // Check whether object factory codebase is trusted
+                if (CorbaUtils.isObjectFactoryTrusted(resolvedObj)) {
                 resolvedObj2 = NamingManager.getObjectInstance(resolvedObj,
                     cname, ctx, ctx._env);
+                }
             } catch (NamingException ge) {
                 throw ge;
             } catch (Exception ge) {
--- a/src/share/classes/com/sun/jndi/rmi/registry/RegistryContext.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/share/classes/com/sun/jndi/rmi/registry/RegistryContext.java	Tue Dec 20 13:28:30 2016 -0800
@@ -32,6 +32,8 @@
 import java.rmi.server.*;
 import java.rmi.registry.Registry;
 import java.rmi.registry.LocateRegistry;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 
 import javax.naming.*;
 import javax.naming.spi.NamingManager;
@@ -52,6 +54,18 @@
     private int port;
     private static final NameParser nameParser = new AtomicNameParser();
     private static final String SOCKET_FACTORY = "com.sun.jndi.rmi.factory.socket";
+    /**
+     * Determines whether classes may be loaded from an arbitrary URL code base.
+     */
+    static final boolean trustURLCodebase;
+    static {
+        // System property to control whether classes may be loaded from an
+        // arbitrary URL codebase
+        PrivilegedAction<String> act = () -> System.getProperty(
+            "com.sun.jndi.rmi.object.trustURLCodebase", "false");
+        String trust = AccessController.doPrivileged(act);
+        trustURLCodebase = "true".equalsIgnoreCase(trust);
+    }
 
     Reference reference = null; // ref used to create this context, if any
 
@@ -461,6 +475,27 @@
             Object obj = (r instanceof RemoteReference)
                         ? ((RemoteReference)r).getReference()
                         : (Object)r;
+
+            /*
+             * Classes may only be loaded from an arbitrary URL codebase when
+             * the system property com.sun.jndi.rmi.object.trustURLCodebase
+             * has been set to "true".
+             */
+
+            // Use reference if possible
+            Reference ref = null;
+            if (obj instanceof Reference) {
+                ref = (Reference) obj;
+            } else if (obj instanceof Referenceable) {
+                ref = ((Referenceable)(obj)).getReference();
+            }
+
+            if (ref != null && ref.getFactoryClassLocation() != null &&
+                !trustURLCodebase) {
+                throw new ConfigurationException(
+                    "The object factory is untrusted. Set the system property" +
+                    " 'com.sun.jndi.rmi.object.trustURLCodebase' to 'true'.");
+            }
             return NamingManager.getObjectInstance(obj, name, this,
                                                    environment);
         } catch (NamingException e) {
--- a/src/share/classes/com/sun/jndi/toolkit/corba/CorbaUtils.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/share/classes/com/sun/jndi/toolkit/corba/CorbaUtils.java	Tue Dec 20 13:28:30 2016 -0800
@@ -36,8 +36,9 @@
 
 import org.omg.CORBA.ORB;
 
-import javax.naming.Context;
-import javax.naming.ConfigurationException;
+import javax.naming.*;
+
+import com.sun.jndi.cosnaming.CNCtx;
 
 /**
   * Contains utilities for performing CORBA-related tasks:
@@ -204,6 +205,32 @@
     }
 
     /**
+     * Check whether object factory code base is trusted.
+     * Classes may only be loaded from an arbitrary URL code base when
+     * the system property com.sun.jndi.rmi.object.trustURLCodebase
+     * has been set to "true".
+     */
+    public static boolean isObjectFactoryTrusted(Object obj)
+        throws NamingException {
+
+        // Extract Reference, if possible
+        Reference ref = null;
+        if (obj instanceof Reference) {
+            ref = (Reference) obj;
+        } else if (obj instanceof Referenceable) {
+            ref = ((Referenceable)(obj)).getReference();
+        }
+
+        if (ref != null && ref.getFactoryClassLocation() != null &&
+                !CNCtx.trustURLCodebase) {
+            throw new ConfigurationException(
+                "The object factory is untrusted. Set the system property" +
+                " 'com.sun.jndi.cosnaming.object.trustURLCodebase' to 'true'.");
+        }
+        return true;
+    }
+
+    /**
      * This method returns a new ORB instance for the given applet
      * without creating a static dependency on java.applet.
      */
--- a/src/share/classes/java/lang/invoke/MethodHandles.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/share/classes/java/lang/invoke/MethodHandles.java	Tue Dec 20 13:28:30 2016 -0800
@@ -680,7 +680,9 @@
             // disallow lookup more restricted packages
             if (allowedModes == ALL_MODES && lookupClass.getClassLoader() == null) {
                 if (name.startsWith("java.") ||
-                        (name.startsWith("sun.") && !name.startsWith("sun.invoke."))) {
+                        (name.startsWith("sun.")
+                                && !name.startsWith("sun.invoke.")
+                                && !name.equals("sun.reflect.ReflectionFactory"))) {
                     throw newIllegalArgumentException("illegal lookupClass: " + lookupClass);
                 }
             }
--- a/src/share/classes/java/net/URLStreamHandler.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/share/classes/java/net/URLStreamHandler.java	Tue Dec 20 13:28:30 2016 -0800
@@ -161,9 +161,9 @@
             (spec.charAt(start + 1) == '/')) {
             start += 2;
             i = spec.indexOf('/', start);
-            if (i < 0) {
+            if (i < 0 || i > limit) {
                 i = spec.indexOf('?', start);
-                if (i < 0)
+                if (i < 0 || i > limit)
                     i = limit;
             }
 
@@ -171,8 +171,14 @@
 
             int ind = authority.indexOf('@');
             if (ind != -1) {
-                userInfo = authority.substring(0, ind);
-                host = authority.substring(ind+1);
+                if (ind != authority.lastIndexOf('@')) {
+                    // more than one '@' in authority. This is not server based
+                    userInfo = null;
+                    host = null;
+                } else {
+                    userInfo = authority.substring(0, ind);
+                    host = authority.substring(ind+1);
+                }
             } else {
                 userInfo = null;
             }
--- a/src/share/classes/java/time/format/ZoneName.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/share/classes/java/time/format/ZoneName.java	Tue Dec 20 13:28:30 2016 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,11 +25,8 @@
 package java.time.format;
 
 import java.util.HashMap;
-import java.util.HashSet;
 import java.util.Locale;
 import java.util.Map;
-import java.util.Map.Entry;
-import java.util.Set;
 
 /**
  * A helper class to map a zone name to metazone and back to the
@@ -335,6 +332,7 @@
         "America/Eirunepe", "Amazon", "America/Manaus",
         "Africa/Nairobi", "Africa_Eastern", "Africa/Nairobi",
         "Asia/Yakutsk", "Yakutsk", "Asia/Yakutsk",
+        "Asia/Yangon", "Myanmar", "Asia/Rangoon",
         "America/Goose_Bay", "Atlantic", "America/Halifax",
         "Africa/Maseru", "Africa_Southern", "Africa/Johannesburg",
         "America/Swift_Current", "America_Central", "America/Chicago",
@@ -770,6 +768,7 @@
         "America/Indianapolis", "America/Indiana/Indianapolis",
         "Europe/Belfast", "Europe/London",
         "America/Kralendijk", "America/Curacao",
+        "Asia/Rangoon", "Asia/Yangon",
     };
 
     private static final Map<String, String> zidToMzone = new HashMap<>();
--- a/src/share/classes/java/util/concurrent/atomic/AtomicIntegerFieldUpdater.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/share/classes/java/util/concurrent/atomic/AtomicIntegerFieldUpdater.java	Tue Dec 20 13:28:30 2016 -0800
@@ -40,6 +40,7 @@
 import java.security.AccessController;
 import java.security.PrivilegedActionException;
 import java.security.PrivilegedExceptionAction;
+import java.util.Objects;
 import java.util.function.IntBinaryOperator;
 import java.util.function.IntUnaryOperator;
 import sun.reflect.CallerSensitive;
@@ -410,7 +411,17 @@
             if (!Modifier.isVolatile(modifiers))
                 throw new IllegalArgumentException("Must be volatile type");
 
-            this.cclass = (Modifier.isProtected(modifiers)) ? caller : tclass;
+            // Access to protected field members is restricted to receivers only
+            // of the accessing class, or one of its subclasses, and the
+            // accessing class must in turn be a subclass (or package sibling)
+            // of the protected member's defining class.
+            // If the updater refers to a protected field of a declaring class
+            // outside the current package, the receiver argument will be
+            // narrowed to the type of the accessing class.
+            this.cclass = (Modifier.isProtected(modifiers) &&
+                           tclass.isAssignableFrom(caller) &&
+                           !isSamePackage(tclass, caller))
+                          ? caller : tclass;
             this.tclass = tclass;
             this.offset = U.objectFieldOffset(field);
         }
@@ -432,6 +443,21 @@
         }
 
         /**
+         * Returns true if the two classes have the same class loader and
+         * package qualifier
+         */
+        private static boolean isSamePackage(Class<?> class1, Class<?> class2) {
+            return class1.getClassLoader() == class2.getClassLoader()
+                   && Objects.equals(getPackageName(class1), getPackageName(class2));
+        }
+
+        private static String getPackageName(Class<?> cls) {
+            String cn = cls.getName();
+            int dot = cn.lastIndexOf('.');
+            return (dot != -1) ? cn.substring(0, dot) : "";
+        }
+
+        /**
          * Checks that target argument is instance of cclass.  On
          * failure, throws cause.
          */
--- a/src/share/classes/java/util/concurrent/atomic/AtomicLongFieldUpdater.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/share/classes/java/util/concurrent/atomic/AtomicLongFieldUpdater.java	Tue Dec 20 13:28:30 2016 -0800
@@ -40,6 +40,7 @@
 import java.security.AccessController;
 import java.security.PrivilegedActionException;
 import java.security.PrivilegedExceptionAction;
+import java.util.Objects;
 import java.util.function.LongBinaryOperator;
 import java.util.function.LongUnaryOperator;
 import sun.reflect.CallerSensitive;
@@ -408,7 +409,17 @@
             if (!Modifier.isVolatile(modifiers))
                 throw new IllegalArgumentException("Must be volatile type");
 
-            this.cclass = (Modifier.isProtected(modifiers)) ? caller : tclass;
+            // Access to protected field members is restricted to receivers only
+            // of the accessing class, or one of its subclasses, and the
+            // accessing class must in turn be a subclass (or package sibling)
+            // of the protected member's defining class.
+            // If the updater refers to a protected field of a declaring class
+            // outside the current package, the receiver argument will be
+            // narrowed to the type of the accessing class.
+            this.cclass = (Modifier.isProtected(modifiers) &&
+                           tclass.isAssignableFrom(caller) &&
+                           !isSamePackage(tclass, caller))
+                          ? caller : tclass;
             this.tclass = tclass;
             this.offset = U.objectFieldOffset(field);
         }
@@ -539,7 +550,17 @@
             if (!Modifier.isVolatile(modifiers))
                 throw new IllegalArgumentException("Must be volatile type");
 
-            this.cclass = (Modifier.isProtected(modifiers)) ? caller : tclass;
+            // Access to protected field members is restricted to receivers only
+            // of the accessing class, or one of its subclasses, and the
+            // accessing class must in turn be a subclass (or package sibling)
+            // of the protected member's defining class.
+            // If the updater refers to a protected field of a declaring class
+            // outside the current package, the receiver argument will be
+            // narrowed to the type of the accessing class.
+            this.cclass = (Modifier.isProtected(modifiers) &&
+                           tclass.isAssignableFrom(caller) &&
+                           !isSamePackage(tclass, caller))
+                          ? caller : tclass;
             this.tclass = tclass;
             this.offset = U.objectFieldOffset(field);
         }
@@ -620,4 +641,19 @@
         } while (acl != null);
         return false;
     }
+
+    /**
+     * Returns true if the two classes have the same class loader and
+     * package qualifier
+     */
+    private static boolean isSamePackage(Class<?> class1, Class<?> class2) {
+        return class1.getClassLoader() == class2.getClassLoader()
+               && Objects.equals(getPackageName(class1), getPackageName(class2));
 }
+
+    private static String getPackageName(Class<?> cls) {
+        String cn = cls.getName();
+        int dot = cn.lastIndexOf('.');
+        return (dot != -1) ? cn.substring(0, dot) : "";
+    }
+}
--- a/src/share/classes/java/util/concurrent/atomic/AtomicReferenceFieldUpdater.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/share/classes/java/util/concurrent/atomic/AtomicReferenceFieldUpdater.java	Tue Dec 20 13:28:30 2016 -0800
@@ -40,6 +40,7 @@
 import java.security.AccessController;
 import java.security.PrivilegedActionException;
 import java.security.PrivilegedExceptionAction;
+import java.util.Objects;
 import java.util.function.BinaryOperator;
 import java.util.function.UnaryOperator;
 import sun.reflect.CallerSensitive;
@@ -346,7 +347,17 @@
             if (!Modifier.isVolatile(modifiers))
                 throw new IllegalArgumentException("Must be volatile type");
 
-            this.cclass = (Modifier.isProtected(modifiers)) ? caller : tclass;
+            // Access to protected field members is restricted to receivers only
+            // of the accessing class, or one of its subclasses, and the
+            // accessing class must in turn be a subclass (or package sibling)
+            // of the protected member's defining class.
+            // If the updater refers to a protected field of a declaring class
+            // outside the current package, the receiver argument will be
+            // narrowed to the type of the accessing class.
+            this.cclass = (Modifier.isProtected(modifiers) &&
+                           tclass.isAssignableFrom(caller) &&
+                           !isSamePackage(tclass, caller))
+                          ? caller : tclass;
             this.tclass = tclass;
             this.vclass = vclass;
             this.offset = U.objectFieldOffset(field);
@@ -369,6 +380,21 @@
         }
 
         /**
+         * Returns true if the two classes have the same class loader and
+         * package qualifier
+         */
+        private static boolean isSamePackage(Class<?> class1, Class<?> class2) {
+            return class1.getClassLoader() == class2.getClassLoader()
+                   && Objects.equals(getPackageName(class1), getPackageName(class2));
+        }
+
+        private static String getPackageName(Class<?> cls) {
+            String cn = cls.getName();
+            int dot = cn.lastIndexOf('.');
+            return (dot != -1) ? cn.substring(0, dot) : "";
+        }
+
+        /**
          * Checks that target argument is instance of cclass.  On
          * failure, throws cause.
          */
--- a/src/share/classes/javax/management/remote/rmi/RMIConnectionImpl.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/share/classes/javax/management/remote/rmi/RMIConnectionImpl.java	Tue Dec 20 13:28:30 2016 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2002, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2002, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -992,7 +992,7 @@
 
                 filterValues[i] =
                     unwrap(filters[i], targetCl, defaultClassLoader,
-                           NotificationFilter.class, delegationSubjects[i]);
+                           NotificationFilter.class, sbjs[i]);
 
                 if (debug) logger.debug("addNotificationListener"+
                                         "(ObjectName,NotificationFilter)",
--- a/src/share/classes/org/jcp/xml/dsig/internal/dom/DOMSignatureMethod.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/share/classes/org/jcp/xml/dsig/internal/dom/DOMSignatureMethod.java	Tue Dec 20 13:28:30 2016 -0800
@@ -21,7 +21,7 @@
  * under the License.
  */
 /*
- * Copyright (c) 2005, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved.
  */
 /*
  * $Id: DOMSignatureMethod.java 1333415 2012-05-03 12:03:51Z coheigea $
@@ -41,6 +41,7 @@
 import com.sun.org.apache.xml.internal.security.algorithms.implementations.SignatureECDSA;
 import com.sun.org.apache.xml.internal.security.utils.JavaUtils;
 import org.jcp.xml.dsig.internal.SignerOutputStream;
+import sun.security.util.KeyUtil;
 
 /**
  * DOM-based abstract implementation of SignatureMethod.
@@ -162,6 +163,7 @@
         if (!(key instanceof PublicKey)) {
             throw new InvalidKeyException("key must be PublicKey");
         }
+        checkKeySize(context, key);
         if (signature == null) {
             try {
                 Provider p = (Provider)context.getProperty
@@ -197,6 +199,37 @@
         }
     }
 
+    /**
+     * If secure validation mode is enabled, checks that the key size is
+     * restricted.
+     *
+     * @param context the context
+     * @param key the key to check
+     * @throws XMLSignatureException if the key size is restricted
+     */
+    private static void checkKeySize(XMLCryptoContext context, Key key)
+        throws XMLSignatureException {
+        if (Utils.secureValidation(context)) {
+            int size = KeyUtil.getKeySize(key);
+            if (size == -1) {
+                // key size cannot be determined, so we cannot check against
+                // restrictions. Note that a DSA key w/o params will be
+                // rejected later if the certificate chain is validated.
+                if (log.isLoggable(java.util.logging.Level.FINE)) {
+                    log.log(java.util.logging.Level.FINE, "Size for " +
+                            key.getAlgorithm() + " key cannot be determined");
+                }
+                return;
+            }
+            if (Policy.restrictKey(key.getAlgorithm(), size)) {
+                throw new XMLSignatureException(key.getAlgorithm() +
+                    " keys less than " +
+                    Policy.minKeySize(key.getAlgorithm()) + " bits are" +
+                    " forbidden when secure validation is enabled");
+            }
+        }
+    }
+
     byte[] sign(Key key, SignedInfo si, XMLSignContext context)
         throws InvalidKeyException, XMLSignatureException
     {
@@ -207,6 +240,7 @@
         if (!(key instanceof PrivateKey)) {
             throw new InvalidKeyException("key must be PrivateKey");
         }
+        checkKeySize(context, key);
         if (signature == null) {
             try {
                 Provider p = (Provider)context.getProperty
--- a/src/share/classes/org/jcp/xml/dsig/internal/dom/Policy.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/share/classes/org/jcp/xml/dsig/internal/dom/Policy.java	Tue Dec 20 13:28:30 2016 -0800
@@ -31,8 +31,10 @@
 import java.security.PrivilegedAction;
 import java.security.Security;
 import java.util.Collections;
+import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Locale;
+import java.util.Map;
 import java.util.Set;
 
 /**
@@ -46,6 +48,7 @@
     private static int maxTrans = Integer.MAX_VALUE;
     private static int maxRefs = Integer.MAX_VALUE;
     private static Set<String> disallowedRefUriSchemes = new HashSet<>();
+    private static Map<String, Integer> minKeyMap = new HashMap<>();
     private static boolean noDuplicateIds = false;
     private static boolean noRMLoops = false;
 
@@ -101,6 +104,13 @@
                             scheme.toLowerCase(Locale.ROOT));
                     }
                     break;
+                case "minKeySize":
+                    if (tokens.length != 3) {
+                        error(entry);
+                    }
+                    minKeyMap.put(tokens[1],
+                                  Integer.parseUnsignedInt(tokens[2]));
+                    break;
                 case "noDuplicateIds":
                     if (tokens.length != 1) {
                         error(entry);
@@ -147,6 +157,10 @@
         return false;
     }
 
+    public static boolean restrictKey(String type, int size) {
+        return (size < minKeyMap.getOrDefault(type, 0));
+    }
+
     public static boolean restrictDuplicateIds() {
         return noDuplicateIds;
     }
@@ -171,6 +185,10 @@
         return Collections.<String>unmodifiableSet(disallowedRefUriSchemes);
     }
 
+    public static int minKeySize(String type) {
+        return minKeyMap.getOrDefault(type, 0);
+    }
+
     private static void error(String entry) {
         throw new IllegalArgumentException(
             "Invalid jdk.xml.dsig.secureValidationPolicy entry: " + entry);
--- a/src/share/classes/sun/reflect/ReflectionFactory.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/share/classes/sun/reflect/ReflectionFactory.java	Tue Dec 20 13:28:30 2016 -0800
@@ -25,16 +25,28 @@
 
 package sun.reflect;
 
+import java.io.Externalizable;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutputStream;
+import java.io.ObjectStreamClass;
+import java.io.OptionalDataException;
+import java.io.Serializable;
+import java.lang.invoke.MethodHandle;
+import java.lang.invoke.MethodHandles;
 import java.lang.reflect.Field;
 import java.lang.reflect.Executable;
+import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Method;
 import java.lang.reflect.Constructor;
 import java.lang.reflect.Modifier;
 import java.security.AccessController;
 import java.security.Permission;
 import java.security.PrivilegedAction;
+import java.util.Objects;
+
 import sun.reflect.misc.ReflectUtil;
 
+
 /** <P> The master factory for all reflective objects, both those in
     java.lang.reflect (Fields, Methods, Constructors) as well as their
     delegates (FieldAccessors, MethodAccessors, ConstructorAccessors).
@@ -56,6 +68,9 @@
     // Provides access to package-private mechanisms in java.lang.reflect
     private static volatile LangReflectAccess langReflectAccess;
 
+    /* Method for static class initializer <clinit>, or null */
+    private static volatile Method hasStaticInitializerMethod;
+
     //
     // "Inflation" mechanism. Loading bytecodes to implement
     // Method.invoke() and Constructor.newInstance() currently costs
@@ -73,8 +88,7 @@
     private static boolean noInflation        = false;
     private static int     inflationThreshold = 15;
 
-    private ReflectionFactory() {
-    }
+    private ReflectionFactory() {}
 
     /**
      * A convenience class for acquiring the capability to instantiate
@@ -328,6 +342,14 @@
     //
     //
 
+    /**
+     * Returns an accessible constructor capable of creating instances
+     * of the given class, initialized by the given constructor.
+     *
+     * @param classToInstantiate the class to instantiate
+     * @param constructorToCall the constructor to call
+     * @return an accessible constructor
+     */
     public Constructor<?> newConstructorForSerialization
         (Class<?> classToInstantiate, Constructor<?> constructorToCall)
     {
@@ -335,6 +357,42 @@
         if (constructorToCall.getDeclaringClass() == classToInstantiate) {
             return constructorToCall;
         }
+        return generateConstructor(classToInstantiate, constructorToCall);
+    }
+
+    /**
+     * Returns an accessible no-arg constructor for a class.
+     * The no-arg constructor is found searching the class and its supertypes.
+     *
+     * @param cl the class to instantiate
+     * @return a no-arg constructor for the class or {@code null} if
+     *     the class or supertypes do not have a suitable no-arg constructor
+     */
+    public final Constructor<?> newConstructorForSerialization(Class<?> cl) {
+        Class<?> initCl = cl;
+        while (Serializable.class.isAssignableFrom(initCl)) {
+            if ((initCl = initCl.getSuperclass()) == null) {
+                return null;
+            }
+        }
+        Constructor<?> constructorToCall;
+        try {
+            constructorToCall = initCl.getDeclaredConstructor();
+            int mods = constructorToCall.getModifiers();
+            if ((mods & Modifier.PRIVATE) != 0 ||
+                    ((mods & (Modifier.PUBLIC | Modifier.PROTECTED)) == 0 &&
+                            !packageEquals(cl, initCl))) {
+                return null;
+            }
+        } catch (NoSuchMethodException ex) {
+            return null;
+        }
+        return generateConstructor(cl, constructorToCall);
+    }
+
+    private final Constructor<?> generateConstructor(Class<?> classToInstantiate,
+                                                     Constructor<?> constructorToCall) {
+
 
         ConstructorAccessor acc = new MethodAccessorGenerator().
             generateSerializationConstructor(classToInstantiate,
@@ -355,9 +413,222 @@
                                           langReflectAccess().
                                           getConstructorParameterAnnotations(constructorToCall));
         setConstructorAccessor(c, acc);
+        c.setAccessible(true);
         return c;
     }
 
+    /**
+     * Returns an accessible no-arg constructor for an externalizable class to be
+     * initialized using a public no-argument constructor.
+     *
+     * @param cl the class to instantiate
+     * @return A no-arg constructor for the class; returns {@code null} if
+     *     the class does not implement {@link java.io.Externalizable}
+     */
+    public final Constructor<?> newConstructorForExternalization(Class<?> cl) {
+        if (!Externalizable.class.isAssignableFrom(cl)) {
+            return null;
+        }
+        try {
+            Constructor<?> cons = cl.getConstructor();
+            cons.setAccessible(true);
+            return cons;
+        } catch (NoSuchMethodException ex) {
+            return null;
+        }
+    }
+
+    /**
+     * Returns a direct MethodHandle for the {@code readObject} method on
+     * a Serializable class.
+     * The first argument of {@link MethodHandle#invoke} is the serializable
+     * object and the second argument is the {@code ObjectInputStream} passed to
+     * {@code readObject}.
+     *
+     * @param cl a Serializable class
+     * @return  a direct MethodHandle for the {@code readObject} method of the class or
+     *          {@code null} if the class does not have a {@code readObject} method
+     */
+    public final MethodHandle readObjectForSerialization(Class<?> cl) {
+        return findReadWriteObjectForSerialization(cl, "readObject", ObjectInputStream.class);
+    }
+
+    /**
+     * Returns a direct MethodHandle for the {@code readObjectNoData} method on
+     * a Serializable class.
+     * The first argument of {@link MethodHandle#invoke} is the serializable
+     * object and the second argument is the {@code ObjectInputStream} passed to
+     * {@code readObjectNoData}.
+     *
+     * @param cl a Serializable class
+     * @return  a direct MethodHandle for the {@code readObjectNoData} method
+     *          of the class or {@code null} if the class does not have a
+     *          {@code readObjectNoData} method
+     */
+    public final MethodHandle readObjectNoDataForSerialization(Class<?> cl) {
+        return findReadWriteObjectForSerialization(cl, "readObjectNoData", ObjectInputStream.class);
+    }
+
+    /**
+     * Returns a direct MethodHandle for the {@code writeObject} method on
+     * a Serializable class.
+     * The first argument of {@link MethodHandle#invoke} is the serializable
+     * object and the second argument is the {@code ObjectOutputStream} passed to
+     * {@code writeObject}.
+     *
+     * @param cl a Serializable class
+     * @return  a direct MethodHandle for the {@code writeObject} method of the class or
+     *          {@code null} if the class does not have a {@code writeObject} method
+     */
+    public final MethodHandle writeObjectForSerialization(Class<?> cl) {
+        return findReadWriteObjectForSerialization(cl, "writeObject", ObjectOutputStream.class);
+    }
+
+    private final MethodHandle findReadWriteObjectForSerialization(Class<?> cl,
+                                                                   String methodName,
+                                                                   Class<?> streamClass) {
+        if (!Serializable.class.isAssignableFrom(cl)) {
+            return null;
+        }
+
+        try {
+            Method meth = cl.getDeclaredMethod(methodName, streamClass);
+            int mods = meth.getModifiers();
+            if (meth.getReturnType() != Void.TYPE ||
+                    Modifier.isStatic(mods) ||
+                    !Modifier.isPrivate(mods)) {
+                return null;
+            }
+            meth.setAccessible(true);
+            return MethodHandles.lookup().unreflect(meth);
+        } catch (NoSuchMethodException ex) {
+            return null;
+        } catch (IllegalAccessException ex1) {
+            throw new InternalError("Error", ex1);
+        }
+    }
+
+    /**
+     * Returns a direct MethodHandle for the {@code readResolve} method on
+     * a serializable class.
+     * The single argument of {@link MethodHandle#invoke} is the serializable
+     * object.
+     *
+     * @param cl the Serializable class
+     * @return  a direct MethodHandle for the {@code readResolve} method of the class or
+     *          {@code null} if the class does not have a {@code readResolve} method
+     */
+    public final MethodHandle readResolveForSerialization(Class<?> cl) {
+        return getReplaceResolveForSerialization(cl, "readResolve");
+    }
+
+    /**
+     * Returns a direct MethodHandle for the {@code writeReplace} method on
+     * a serializable class.
+     * The single argument of {@link MethodHandle#invoke} is the serializable
+     * object.
+     *
+     * @param cl the Serializable class
+     * @return  a direct MethodHandle for the {@code writeReplace} method of the class or
+     *          {@code null} if the class does not have a {@code writeReplace} method
+     */
+    public final MethodHandle writeReplaceForSerialization(Class<?> cl) {
+        return getReplaceResolveForSerialization(cl, "writeReplace");
+    }
+
+    /**
+     * Returns a direct MethodHandle for the {@code writeReplace} method on
+     * a serializable class.
+     * The single argument of {@link MethodHandle#invoke} is the serializable
+     * object.
+     *
+     * @param cl the Serializable class
+     * @return  a direct MethodHandle for the {@code writeReplace} method of the class or
+     *          {@code null} if the class does not have a {@code writeReplace} method
+     */
+    private MethodHandle getReplaceResolveForSerialization(Class<?> cl,
+                                                           String methodName) {
+        if (!Serializable.class.isAssignableFrom(cl)) {
+            return null;
+        }
+
+        Class<?> defCl = cl;
+        while (defCl != null) {
+            try {
+                Method m = defCl.getDeclaredMethod(methodName);
+                if (m.getReturnType() != Object.class) {
+                    return null;
+                }
+                int mods = m.getModifiers();
+                if (Modifier.isStatic(mods) | Modifier.isAbstract(mods)) {
+                    return null;
+                } else if (Modifier.isPublic(mods) | Modifier.isProtected(mods)) {
+                    // fall through
+                } else if (Modifier.isPrivate(mods) && (cl != defCl)) {
+                    return null;
+                } else if (!packageEquals(cl, defCl)) {
+                    return null;
+                }
+                try {
+                    // Normal return
+                    m.setAccessible(true);
+                    return MethodHandles.lookup().unreflect(m);
+                } catch (IllegalAccessException ex0) {
+                    // setAccessible should prevent IAE
+                    throw new InternalError("Error", ex0);
+                }
+            } catch (NoSuchMethodException ex) {
+                defCl = defCl.getSuperclass();
+            }
+        }
+        return null;
+    }
+
+    /**
+     * Returns true if the class has a static initializer.
+     * The presence of a static initializer is used to compute the serialVersionUID.
+     * @param cl a serializable classLook
+     * @return {@code true} if the class has a static initializer,
+     *          otherwise {@code false}
+     */
+    public final boolean hasStaticInitializerForSerialization(Class<?> cl) {
+        Method m = hasStaticInitializerMethod;
+        if (m == null) {
+            try {
+                m = ObjectStreamClass.class.getDeclaredMethod("hasStaticInitializer",
+                        new Class<?>[]{Class.class});
+                m.setAccessible(true);
+                hasStaticInitializerMethod = m;
+            } catch (NoSuchMethodException ex) {
+                throw new InternalError("No such method hasStaticInitializer on "
+                        + ObjectStreamClass.class, ex);
+            }
+        }
+        try {
+            return (Boolean) m.invoke(null, cl);
+        } catch (InvocationTargetException | IllegalAccessException ex) {
+            throw new InternalError("Exception invoking hasStaticInitializer", ex);
+        }
+    }
+
+    /**
+     * Returns a new OptionalDataException with {@code eof} set to {@code true}
+     * or {@code false}.
+     * @param bool the value of {@code eof} in the created OptionalDataException
+     * @return  a new OptionalDataException
+     */
+    public final OptionalDataException newOptionalDataExceptionForSerialization(boolean bool) {
+        try {
+            Constructor<OptionalDataException> boolCtor =
+                    OptionalDataException.class.getDeclaredConstructor(Boolean.TYPE);
+            boolCtor.setAccessible(true);
+            return boolCtor.newInstance(bool);
+        } catch (NoSuchMethodException | InstantiationException|
+                IllegalAccessException|InvocationTargetException ex) {
+            throw new InternalError("unable to create OptionalDataException", ex);
+        }
+    }
+
     //--------------------------------------------------------------------------
     //
     // Internals only below this point
@@ -421,4 +692,17 @@
         }
         return langReflectAccess;
     }
+
+    /**
+     * Returns true if classes are defined in the classloader and same package, false
+     * otherwise.
+     * @param cl1 a class
+     * @param cl2 another class
+     * @returns true if the two classes are in the same classloader and package
+     */
+    private static boolean packageEquals(Class<?> cl1, Class<?> cl2) {
+        return cl1.getClassLoader() == cl2.getClassLoader() &&
+                Objects.equals(cl1.getPackage(), cl2.getPackage());
+    }
+
 }
--- a/src/share/classes/sun/security/ec/ECDSASignature.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/share/classes/sun/security/ec/ECDSASignature.java	Tue Dec 20 13:28:30 2016 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2009, 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2009, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -25,6 +25,7 @@
 
 package sun.security.ec;
 
+import java.io.IOException;
 import java.nio.ByteBuffer;
 import java.math.BigInteger;
 
@@ -363,13 +364,22 @@
     }
 
     // Convert the DER encoding of R and S into a concatenation of R and S
-    private byte[] decodeSignature(byte[] signature) throws SignatureException {
+    private byte[] decodeSignature(byte[] sig) throws SignatureException {
 
         try {
-            DerInputStream in = new DerInputStream(signature);
+            // Enforce strict DER checking for signatures
+            DerInputStream in = new DerInputStream(sig, 0, sig.length, false);
             DerValue[] values = in.getSequence(2);
+
+            // check number of components in the read sequence
+            // and trailing data
+            if ((values.length != 2) || (in.available() != 0)) {
+                throw new IOException("Invalid encoding for signature");
+            }
+
             BigInteger r = values[0].getPositiveBigInteger();
             BigInteger s = values[1].getPositiveBigInteger();
+
             // trim leading zeroes
             byte[] rBytes = trimZeroes(r.toByteArray());
             byte[] sBytes = trimZeroes(s.toByteArray());
@@ -383,7 +393,7 @@
             return result;
 
         } catch (Exception e) {
-            throw new SignatureException("Could not decode signature", e);
+            throw new SignatureException("Invalid encoding for signature", e);
         }
     }
 
--- a/src/share/classes/sun/security/pkcs/SignerInfo.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/share/classes/sun/security/pkcs/SignerInfo.java	Tue Dec 20 13:28:30 2016 -0800
@@ -498,6 +498,23 @@
         return unauthenticatedAttributes;
     }
 
+    /**
+     * Returns the timestamp PKCS7 data unverified.
+     * @return a PKCS7 object
+     */
+    public PKCS7 getTsToken() throws IOException {
+        if (unauthenticatedAttributes == null) {
+            return null;
+        }
+        PKCS9Attribute tsTokenAttr =
+                unauthenticatedAttributes.getAttribute(
+                        PKCS9Attribute.SIGNATURE_TIMESTAMP_TOKEN_OID);
+        if (tsTokenAttr == null) {
+            return null;
+        }
+        return new PKCS7((byte[])tsTokenAttr.getValue());
+    }
+
     /*
      * Extracts a timestamp from a PKCS7 SignerInfo.
      *
@@ -525,19 +542,12 @@
         if (timestamp != null || !hasTimestamp)
             return timestamp;
 
-        if (unauthenticatedAttributes == null) {
-            hasTimestamp = false;
-            return null;
-        }
-        PKCS9Attribute tsTokenAttr =
-            unauthenticatedAttributes.getAttribute(
-                PKCS9Attribute.SIGNATURE_TIMESTAMP_TOKEN_OID);
-        if (tsTokenAttr == null) {
+        PKCS7 tsToken = getTsToken();
+        if (tsToken == null) {
             hasTimestamp = false;
             return null;
         }
 
-        PKCS7 tsToken = new PKCS7((byte[])tsTokenAttr.getValue());
         // Extract the content (an encoded timestamp token info)
         byte[] encTsTokenInfo = tsToken.getContentInfo().getData();
         // Extract the signer (the Timestamping Authority)
--- a/src/share/classes/sun/security/pkcs11/P11Signature.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/share/classes/sun/security/pkcs11/P11Signature.java	Tue Dec 20 13:28:30 2016 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -705,12 +705,21 @@
         }
     }
 
-    private static byte[] asn1ToDSA(byte[] signature) throws SignatureException {
+    private static byte[] asn1ToDSA(byte[] sig) throws SignatureException {
         try {
-            DerInputStream in = new DerInputStream(signature);
+            // Enforce strict DER checking for signatures
+            DerInputStream in = new DerInputStream(sig, 0, sig.length, false);
             DerValue[] values = in.getSequence(2);
+
+            // check number of components in the read sequence
+            // and trailing data
+            if ((values.length != 2) || (in.available() != 0)) {
+                throw new IOException("Invalid encoding for signature");
+            }
+
             BigInteger r = values[0].getPositiveBigInteger();
             BigInteger s = values[1].getPositiveBigInteger();
+
             byte[] br = toByteArray(r, 20);
             byte[] bs = toByteArray(s, 20);
             if ((br == null) || (bs == null)) {
@@ -720,16 +729,25 @@
         } catch (SignatureException e) {
             throw e;
         } catch (Exception e) {
-            throw new SignatureException("invalid encoding for signature", e);
+            throw new SignatureException("Invalid encoding for signature", e);
         }
     }
 
-    private byte[] asn1ToECDSA(byte[] signature) throws SignatureException {
+    private byte[] asn1ToECDSA(byte[] sig) throws SignatureException {
         try {
-            DerInputStream in = new DerInputStream(signature);
+            // Enforce strict DER checking for signatures
+            DerInputStream in = new DerInputStream(sig, 0, sig.length, false);
             DerValue[] values = in.getSequence(2);
+
+            // check number of components in the read sequence
+            // and trailing data
+            if ((values.length != 2) || (in.available() != 0)) {
+                throw new IOException("Invalid encoding for signature");
+            }
+
             BigInteger r = values[0].getPositiveBigInteger();
             BigInteger s = values[1].getPositiveBigInteger();
+
             // trim leading zeroes
             byte[] br = KeyUtil.trimZeroes(r.toByteArray());
             byte[] bs = KeyUtil.trimZeroes(s.toByteArray());
@@ -740,7 +758,7 @@
             System.arraycopy(bs, 0, res, res.length - bs.length, bs.length);
             return res;
         } catch (Exception e) {
-            throw new SignatureException("invalid encoding for signature", e);
+            throw new SignatureException("Invalid encoding for signature", e);
         }
     }
 
--- a/src/share/classes/sun/security/provider/DSA.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/share/classes/sun/security/provider/DSA.java	Tue Dec 20 13:28:30 2016 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -267,14 +267,20 @@
         BigInteger s = null;
         // first decode the signature.
         try {
-            DerInputStream in = new DerInputStream(signature, offset, length);
+            // Enforce strict DER checking for signatures
+            DerInputStream in =
+                new DerInputStream(signature, offset, length, false);
             DerValue[] values = in.getSequence(2);
 
+            // check number of components in the read sequence
+            // and trailing data
+            if ((values.length != 2) || (in.available() != 0)) {
+                throw new IOException("Invalid encoding for signature");
+            }
             r = values[0].getBigInteger();
             s = values[1].getBigInteger();
-
         } catch (IOException e) {
-            throw new SignatureException("invalid encoding for signature");
+            throw new SignatureException("Invalid encoding for signature", e);
         }
 
         // some implementations do not correctly encode values in the ASN.1
@@ -366,13 +372,49 @@
         return t5.mod(q);
     }
 
-    // NOTE: This following impl is defined in FIPS 186-4 AppendixB.2.1.
     protected BigInteger generateK(BigInteger q) {
+        // Implementation defined in FIPS 186-4 AppendixB.2.1.
         SecureRandom random = getSigningRandom();
         byte[] kValue = new byte[(q.bitLength() + 7)/8 + 8];
 
         random.nextBytes(kValue);
-        return new BigInteger(1, kValue).mod(q.subtract(BigInteger.ONE)).add(BigInteger.ONE);
+        BigInteger k = new BigInteger(1, kValue).mod(
+                q.subtract(BigInteger.ONE)).add(BigInteger.ONE);
+
+        // Using an equivalent exponent of fixed length (same as q or 1 bit
+        // less than q) to keep the kG timing relatively constant.
+        //
+        // Note that this is an extra step on top of the approach defined in
+        // FIPS 186-4 AppendixB.2.1 so as to make a fixed length K.
+        k = k.add(q).divide(BigInteger.valueOf(2));
+
+        // An alternative implementation based on FIPS 186-4 AppendixB2.2
+        // with fixed-length K.
+        //
+        // Please keep it here as we may need to switch to it in the future.
+        //
+        // SecureRandom random = getSigningRandom();
+        // byte[] kValue = new byte[(q.bitLength() + 7)/8];
+        // BigInteger d = q.subtract(BigInteger.TWO);
+        // BigInteger k;
+        // do {
+        //     random.nextBytes(kValue);
+        //     BigInteger c = new BigInteger(1, kValue);
+        //     if (c.compareTo(d) <= 0) {
+        //         k = c.add(BigInteger.ONE);
+        //         // Using an equivalent exponent of fixed length to keep
+        //         // the g^k timing relatively constant.
+        //         //
+        //         // Note that this is an extra step on top of the approach
+        //         // defined in FIPS 186-4 AppendixB.2.2 so as to make a
+        //         // fixed length K.
+        //         if (k.bitLength() >= q.bitLength()) {
+        //             break;
+        //         }
+        //     }
+        // } while (true);
+
+        return k;
     }
 
     // Use the application-specified SecureRandom Object if provided.
--- a/src/share/classes/sun/security/provider/certpath/AlgorithmChecker.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/share/classes/sun/security/provider/certpath/AlgorithmChecker.java	Tue Dec 20 13:28:30 2016 -0800
@@ -29,7 +29,6 @@
 import java.security.CryptoPrimitive;
 import java.util.Collection;
 import java.util.Collections;
-import java.util.Date;
 import java.util.Set;
 import java.util.EnumSet;
 import java.math.BigInteger;
@@ -60,7 +59,7 @@
 import sun.security.x509.AlgorithmId;
 
 /**
- * A {@code PKIXCertPathChecker} implementation to check whether a
+ * A <code>PKIXCertPathChecker</code> implementation to check whether a
  * specified certificate contains the required algorithm constraints.
  * <p>
  * Certificate fields such as the subject public key, the signature
@@ -75,7 +74,6 @@
 
     private final AlgorithmConstraints constraints;
     private final PublicKey trustedPubKey;
-    private final Date pkixdate;
     private PublicKey prevPubKey;
 
     private final static Set<CryptoPrimitive> SIGNATURE_PRIMITIVE_SET =
@@ -101,7 +99,7 @@
     private boolean trustedMatch = false;
 
     /**
-     * Create a new {@code AlgorithmChecker} with the algorithm
+     * Create a new <code>AlgorithmChecker</code> with the algorithm
      * constraints specified in security property
      * "jdk.certpath.disabledAlgorithms".
      *
@@ -109,26 +107,11 @@
      *     certificate
      */
     public AlgorithmChecker(TrustAnchor anchor) {
-        this(anchor, certPathDefaultConstraints, null);
+        this(anchor, certPathDefaultConstraints);
     }
 
     /**
-     * Create a new {@code AlgorithmChecker} with the
-     * given {@code TrustAnchor} and {@code AlgorithmConstraints}.
-     *
-     * @param anchor the trust anchor selected to validate the target
-     *     certificate
-     * @param constraints the algorithm constraints (or null)
-     *
-     * @throws IllegalArgumentException if the {@code anchor} is null
-     */
-    public AlgorithmChecker(TrustAnchor anchor,
-            AlgorithmConstraints constraints) {
-        this(anchor, constraints, null);
-    }
-
-    /**
-     * Create a new {@code AlgorithmChecker} with the
+     * Create a new <code>AlgorithmChecker</code> with the
      * given {@code AlgorithmConstraints}.
      * <p>
      * Note that this constructor will be used to check a certification
@@ -141,24 +124,20 @@
         this.prevPubKey = null;
         this.trustedPubKey = null;
         this.constraints = constraints;
-        this.pkixdate = null;
     }
 
     /**
-     * Create a new {@code AlgorithmChecker} with the
-     * given {@code TrustAnchor} and {@code AlgorithmConstraints}.
+     * Create a new <code>AlgorithmChecker</code> with the
+     * given <code>TrustAnchor</code> and <code>AlgorithmConstraints</code>.
      *
      * @param anchor the trust anchor selected to validate the target
      *     certificate
      * @param constraints the algorithm constraints (or null)
-     * @param pkixdate Date the constraints are checked against. The value is
-     *             either the PKIXParameter date or null for the current date.
      *
-     * @throws IllegalArgumentException if the {@code anchor} is null
+     * @throws IllegalArgumentException if the <code>anchor</code> is null
      */
     public AlgorithmChecker(TrustAnchor anchor,
-            AlgorithmConstraints constraints,
-            Date pkixdate) {
+            AlgorithmConstraints constraints) {
 
         if (anchor == null) {
             throw new IllegalArgumentException(
@@ -178,22 +157,6 @@
 
         this.prevPubKey = trustedPubKey;
         this.constraints = constraints;
-        this.pkixdate = pkixdate;
-    }
-
-    /**
-     * Create a new {@code AlgorithmChecker} with the
-     * given {@code TrustAnchor} and {@code PKIXParameter} date.
-     *
-     * @param anchor the trust anchor selected to validate the target
-     *     certificate
-     * @param pkixdate Date the constraints are checked against. The value is
-     *             either the PKIXParameter date or null for the current date.
-     *
-     * @throws IllegalArgumentException if the {@code anchor} is null
-     */
-    public AlgorithmChecker(TrustAnchor anchor, Date pkixdate) {
-        this(anchor, certPathDefaultConstraints, pkixdate);
     }
 
     // Check this 'cert' for restrictions in the AnchorCertificates
@@ -292,16 +255,17 @@
 
         PublicKey currPubKey = cert.getPublicKey();
 
-        // Check against DisabledAlgorithmConstraints certpath constraints.
-        // permits() will throw exception on failure.
-        certPathDefaultConstraints.permits(primitives,
+        if (constraints instanceof DisabledAlgorithmConstraints) {
+            // Check against DisabledAlgorithmConstraints certpath constraints.
+            // permits() will throw exception on failure.
+            ((DisabledAlgorithmConstraints)constraints).permits(primitives,
                 new CertConstraintParameters((X509Certificate)cert,
-                        trustedMatch, pkixdate));
-                // new CertConstraintParameters(x509Cert, trustedMatch));
-        // If there is no previous key, set one and exit
-        if (prevPubKey == null) {
-            prevPubKey = currPubKey;
-            return;
+                        trustedMatch));
+            // If there is no previous key, set one and exit
+            if (prevPubKey == null) {
+                prevPubKey = currPubKey;
+                return;
+            }
         }
 
         X509CertImpl x509Cert;
--- a/src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/share/classes/sun/security/provider/certpath/PKIXCertPathValidator.java	Tue Dec 20 13:28:30 2016 -0800
@@ -172,7 +172,7 @@
         List<PKIXCertPathChecker> certPathCheckers = new ArrayList<>();
         // add standard checkers that we will be using
         certPathCheckers.add(untrustedChecker);
-        certPathCheckers.add(new AlgorithmChecker(anchor, params.date()));
+        certPathCheckers.add(new AlgorithmChecker(anchor));
         certPathCheckers.add(new KeyChecker(certPathLen,
                                             params.targetCertConstraints()));
         certPathCheckers.add(new ConstraintsChecker(certPathLen));
--- a/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/share/classes/sun/security/provider/certpath/SunCertPathBuilder.java	Tue Dec 20 13:28:30 2016 -0800
@@ -343,8 +343,7 @@
                 checkers.add(policyChecker);
 
                 // add the algorithm checker
-                checkers.add(new AlgorithmChecker(builder.trustAnchor,
-                        buildParams.date()));
+                checkers.add(new AlgorithmChecker(builder.trustAnchor));
 
                 BasicChecker basicChecker = null;
                 if (nextState.keyParamsNeeded()) {
--- a/src/share/classes/sun/security/rsa/RSASignature.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/share/classes/sun/security/rsa/RSASignature.java	Tue Dec 20 13:28:30 2016 -0800
@@ -223,9 +223,10 @@
      * Decode the signature data. Verify that the object identifier matches
      * and return the message digest.
      */
-    public static byte[] decodeSignature(ObjectIdentifier oid, byte[] signature)
+    public static byte[] decodeSignature(ObjectIdentifier oid, byte[] sig)
             throws IOException {
-        DerInputStream in = new DerInputStream(signature);
+        // Enforce strict DER checking for signatures
+        DerInputStream in = new DerInputStream(sig, 0, sig.length, false);
         DerValue[] values = in.getSequence(2);
         if ((values.length != 2) || (in.available() != 0)) {
             throw new IOException("SEQUENCE length error");
--- a/src/share/classes/sun/security/ssl/ServerHandshaker.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/share/classes/sun/security/ssl/ServerHandshaker.java	Tue Dec 20 13:28:30 2016 -0800
@@ -1026,11 +1026,18 @@
             if (trySetCipherSuite(suite) == false) {
                 continue;
             }
+
+            if (debug != null && Debug.isOn("handshake")) {
+                System.out.println("Standard ciphersuite chosen: " + suite);
+            }
             return;
         }
 
         for (CipherSuite suite : legacySuites) {
             if (trySetCipherSuite(suite)) {
+                if (debug != null && Debug.isOn("handshake")) {
+                    System.out.println("Legacy ciphersuite chosen: " + suite);
+                }
                 return;
             }
         }
--- a/src/share/classes/sun/security/ssl/SupportedEllipticCurvesExtension.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/share/classes/sun/security/ssl/SupportedEllipticCurvesExtension.java	Tue Dec 20 13:28:30 2016 -0800
@@ -280,7 +280,7 @@
     private static int getPreferredCurve(int[] curves,
                 AlgorithmConstraints constraints) {
         for (int curveId : curves) {
-            if (constraints.permits(
+            if (isSupported(curveId) && constraints.permits(
                     EnumSet.of(CryptoPrimitive.KEY_AGREEMENT),
                                 "EC", idToParams.get(curveId))) {
                 return curveId;
--- a/src/share/classes/sun/security/tools/jarsigner/Main.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/share/classes/sun/security/tools/jarsigner/Main.java	Tue Dec 20 13:28:30 2016 -0800
@@ -53,6 +53,9 @@
 import java.security.cert.PKIXParameters;
 import java.security.cert.TrustAnchor;
 import java.util.Map.Entry;
+import sun.security.pkcs.PKCS7;
+import sun.security.pkcs.SignerInfo;
+import sun.security.timestamp.TimestampToken;
 import sun.security.tools.KeyStoreUtil;
 import sun.security.tools.PathList;
 import sun.security.x509.*;
@@ -97,6 +100,15 @@
 
     private static final long SIX_MONTHS = 180*24*60*60*1000L; //milliseconds
 
+    private static final DisabledAlgorithmConstraints DISABLED_CHECK =
+            new DisabledAlgorithmConstraints(
+                    DisabledAlgorithmConstraints.PROPERTY_JAR_DISABLED_ALGS);
+
+    private static final Set<CryptoPrimitive> DIGEST_PRIMITIVE_SET = Collections
+            .unmodifiableSet(EnumSet.of(CryptoPrimitive.MESSAGE_DIGEST));
+    private static final Set<CryptoPrimitive> SIG_PRIMITIVE_SET = Collections
+            .unmodifiableSet(EnumSet.of(CryptoPrimitive.SIGNATURE));
+
     // Attention:
     // This is the entry that get launched by the security tool jarsigner.
     public static void main(String args[]) throws Exception {
@@ -172,6 +184,8 @@
     private boolean badExtendedKeyUsage = false;
     private boolean badNetscapeCertType = false;
 
+    private boolean seeWeak = false;
+
     CertificateFactory certificateFactory;
     CertPathValidator validator;
     PKIXParameters pkixParameters;
@@ -577,6 +591,10 @@
     {
         boolean anySigned = false;  // if there exists entry inside jar signed
         JarFile jf = null;
+        Map<String,String> digestMap = new HashMap<>();
+        Map<String,PKCS7> sigMap = new HashMap<>();
+        Map<String,String> sigNameMap = new HashMap<>();
+        Map<String,String> unparsableSignatures = new HashMap<>();
 
         try {
             jf = new JarFile(jarName, true);
@@ -587,17 +605,44 @@
             while (entries.hasMoreElements()) {
                 JarEntry je = entries.nextElement();
                 entriesVec.addElement(je);
-                InputStream is = null;
+                try (InputStream is = jf.getInputStream(je)) {
+                    String name = je.getName();
+                    if (signatureRelated(name)
+                            && SignatureFileVerifier.isBlockOrSF(name)) {
+                        String alias = name.substring(name.lastIndexOf('/') + 1,
+                                name.lastIndexOf('.'));
                 try {
-                    is = jf.getInputStream(je);
-                    int n;
-                    while ((n = is.read(buffer, 0, buffer.length)) != -1) {
+                            if (name.endsWith(".SF")) {
+                                Manifest sf = new Manifest(is);
+                                boolean found = false;
+                                for (Object obj : sf.getMainAttributes().keySet()) {
+                                    String key = obj.toString();
+                                    if (key.endsWith("-Digest-Manifest")) {
+                                        digestMap.put(alias,
+                                                key.substring(0, key.length() - 16));
+                                        found = true;
+                                        break;
+                                    }
+                                }
+                                if (!found) {
+                                    unparsableSignatures.putIfAbsent(alias,
+                                        String.format(
+                                            rb.getString("history.unparsable"),
+                                            name));
+                                }
+                            } else {
+                                sigNameMap.put(alias, name);
+                                sigMap.put(alias, new PKCS7(is));
+                            }
+                        } catch (IOException ioe) {
+                            unparsableSignatures.putIfAbsent(alias, String.format(
+                                    rb.getString("history.unparsable"), name));
+                        }
+                    } else {
+                        while (is.read(buffer, 0, buffer.length) != -1) {
                         // we just read. this will throw a SecurityException
                         // if  a signature/digest check fails.
                     }
-                } finally {
-                    if (is != null) {
-                        is.close();
                     }
                 }
             }
@@ -756,13 +801,106 @@
                     System.out.println(rb.getString(
                         ".X.not.signed.by.specified.alias.es."));
                 }
+            }
+            if (man == null) {
+                System.out.println();
+                System.out.println(rb.getString("no.manifest."));
+            }
+
+            // Even if the verbose option is not specified, all out strings
+            // must be generated so seeWeak can be updated.
+            if (!digestMap.isEmpty()
+                    || !sigMap.isEmpty()
+                    || !unparsableSignatures.isEmpty()) {
+                if (verbose != null) {
                 System.out.println();
             }
-            if (man == null)
-                System.out.println(rb.getString("no.manifest."));
+                for (String s : sigMap.keySet()) {
+                    if (!digestMap.containsKey(s)) {
+                        unparsableSignatures.putIfAbsent(s, String.format(
+                                rb.getString("history.nosf"), s));
+                    }
+                }
+                for (String s : digestMap.keySet()) {
+                    PKCS7 p7 = sigMap.get(s);
+                    if (p7 != null) {
+                        String history;
+                        try {
+                            SignerInfo si = p7.getSignerInfos()[0];
+                            X509Certificate signer = si.getCertificate(p7);
+                            String digestAlg = digestMap.get(s);
+                            String sigAlg = AlgorithmId.makeSigAlg(
+                                    si.getDigestAlgorithmId().getName(),
+                                    si.getDigestEncryptionAlgorithmId().getName());
+                            PublicKey key = signer.getPublicKey();
+                            PKCS7 tsToken = si.getTsToken();
+                            if (tsToken != null) {
+                                SignerInfo tsSi = tsToken.getSignerInfos()[0];
+                                X509Certificate tsSigner = tsSi.getCertificate(tsToken);
+                                byte[] encTsTokenInfo = tsToken.getContentInfo().getData();
+                                TimestampToken tsTokenInfo = new TimestampToken(encTsTokenInfo);
+                                PublicKey tsKey = tsSigner.getPublicKey();
+                                String tsDigestAlg = tsTokenInfo.getHashAlgorithm().getName();
+                                String tsSigAlg = AlgorithmId.makeSigAlg(
+                                        tsSi.getDigestAlgorithmId().getName(),
+                                        tsSi.getDigestEncryptionAlgorithmId().getName());
+                                Calendar c = Calendar.getInstance(
+                                        TimeZone.getTimeZone("UTC"),
+                                        Locale.getDefault(Locale.Category.FORMAT));
+                                c.setTime(tsTokenInfo.getDate());
+                                history = String.format(
+                                        rb.getString("history.with.ts"),
+                                        signer.getSubjectX500Principal(),
+                                        withWeak(digestAlg, DIGEST_PRIMITIVE_SET),
+                                        withWeak(sigAlg, SIG_PRIMITIVE_SET),
+                                        withWeak(key),
+                                        c,
+                                        tsSigner.getSubjectX500Principal(),
+                                        withWeak(tsDigestAlg, DIGEST_PRIMITIVE_SET),
+                                        withWeak(tsSigAlg, SIG_PRIMITIVE_SET),
+                                        withWeak(tsKey));
+                            } else {
+                                history = String.format(
+                                        rb.getString("history.without.ts"),
+                                        signer.getSubjectX500Principal(),
+                                        withWeak(digestAlg, DIGEST_PRIMITIVE_SET),
+                                        withWeak(sigAlg, SIG_PRIMITIVE_SET),
+                                        withWeak(key));
+                            }
+                        } catch (Exception e) {
+                            // The only usage of sigNameMap, remember the name
+                            // of the block file if it's invalid.
+                            history = String.format(
+                                    rb.getString("history.unparsable"),
+                                    sigNameMap.get(s));
+                        }
+                        if (verbose != null) {
+                            System.out.println(history);
+                        }
+                    } else {
+                        unparsableSignatures.putIfAbsent(s, String.format(
+                                rb.getString("history.nobk"), s));
+                    }
+                }
+                if (verbose != null) {
+                    for (String s : unparsableSignatures.keySet()) {
+                        System.out.println(unparsableSignatures.get(s));
+                    }
+                }
+            }
+            System.out.println();
 
             if (!anySigned) {
-                if (hasSignature) {
+                if (seeWeak) {
+                    if (verbose != null) {
+                        System.out.println(rb.getString("jar.treated.unsigned.see.weak.verbose"));
+                        System.out.println("\n  " +
+                                DisabledAlgorithmConstraints.PROPERTY_JAR_DISABLED_ALGS +
+                                "=" + Security.getProperty(DisabledAlgorithmConstraints.PROPERTY_JAR_DISABLED_ALGS));
+                    } else {
+                        System.out.println(rb.getString("jar.treated.unsigned.see.weak"));
+                    }
+                } else if (hasSignature) {
                     System.out.println(rb.getString("jar.treated.unsigned"));
                 } else {
                     System.out.println(rb.getString("jar.is.unsigned"));
@@ -869,6 +1007,26 @@
         System.exit(1);
     }
 
+    private String withWeak(String alg, Set<CryptoPrimitive> primitiveSet) {
+        if (DISABLED_CHECK.permits(primitiveSet, alg, null)) {
+            return alg;
+        } else {
+            seeWeak = true;
+            return String.format(rb.getString("with.weak"), alg);
+        }
+    }
+
+    private String withWeak(PublicKey key) {
+        if (DISABLED_CHECK.permits(SIG_PRIMITIVE_SET, key)) {
+            return String.format(
+                    rb.getString("key.bit"), KeyUtil.getKeySize(key));
+        } else {
+            seeWeak = true;
+            return String.format(
+                    rb.getString("key.bit.weak"), KeyUtil.getKeySize(key));
+        }
+    }
+
     private static MessageFormat validityTimeForm = null;
     private static MessageFormat notYetTimeForm = null;
     private static MessageFormat expiredTimeForm = null;
--- a/src/share/classes/sun/security/tools/jarsigner/Resources.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/share/classes/sun/security/tools/jarsigner/Resources.java	Tue Dec 20 13:28:30 2016 -0800
@@ -138,11 +138,26 @@
         {"jar.is.unsigned",
                 "jar is unsigned."},
         {"jar.treated.unsigned",
-                "Signature not parsable or verifiable. The jar will be treated as unsigned. The jar may have been signed with a weak algorithm that is now disabled. For more information, rerun jarsigner with debug enabled (-J-Djava.security.debug=jar)."},
+                "WARNING: Signature is either not parsable or not verifiable, and the jar will be treated as unsigned. For more information, re-run jarsigner with debug enabled (-J-Djava.security.debug=jar)."},
+        {"jar.treated.unsigned.see.weak",
+                "The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled.\n\nRe-run jarsigner with the -verbose option for more details."},
+        {"jar.treated.unsigned.see.weak.verbose",
+                "WARNING: The jar will be treated as unsigned, because it is signed with a weak algorithm that is now disabled by the security property:"},
         {"jar.signed.", "jar signed."},
         {"jar.signed.with.signer.errors.", "jar signed, with signer errors."},
         {"jar.verified.", "jar verified."},
         {"jar.verified.with.signer.errors.", "jar verified, with signer errors."},
+
+        {"history.with.ts", "- Signed by \"%1$s\"\n    Digest algorithm: %2$s\n    Signature algorithm: %3$s, %4$s\n  Timestamped by \"%6$s\" on %5$tc\n    Timestamp digest algorithm: %7$s\n    Timestamp signature algorithm: %8$s, %9$s"},
+        {"history.without.ts", "- Signed by \"%1$s\"\n    Digest algorithm: %2$s\n    Signature algorithm: %3$s, %4$s"},
+        {"history.unparsable", "- Unparsable signature-related file %s"},
+        {"history.nosf", "- Missing signature-related file META-INF/%s.SF"},
+        {"history.nobk", "- Missing block file for signature-related file META-INF/%s.SF"},
+
+        {"with.weak", "%s (weak)"},
+        {"key.bit", "%d-bit key"},
+        {"key.bit.weak", "%d-bit key (weak)"},
+
         {"jarsigner.", "jarsigner: "},
         {"signature.filename.must.consist.of.the.following.characters.A.Z.0.9.or.",
                 "signature filename must consist of the following characters: A-Z, 0-9, _ or -"},
--- a/src/share/classes/sun/security/tools/jarsigner/Resources_ja.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/share/classes/sun/security/tools/jarsigner/Resources_ja.java	Tue Dec 20 13:28:30 2016 -0800
@@ -135,12 +135,29 @@
         {"no.manifest.", "\u30DE\u30CB\u30D5\u30A7\u30B9\u30C8\u306F\u5B58\u5728\u3057\u307E\u305B\u3093\u3002"},
         {".Signature.related.entries.","(\u30B7\u30B0\u30CD\u30C1\u30E3\u95A2\u9023\u30A8\u30F3\u30C8\u30EA)"},
         {".Unsigned.entries.", "(\u672A\u7F72\u540D\u306E\u30A8\u30F3\u30C8\u30EA)"},
-        {"jar.is.unsigned.signatures.missing.or.not.parsable.",
-                "jar\u306F\u7F72\u540D\u3055\u308C\u3066\u3044\u307E\u305B\u3093\u3002(\u30B7\u30B0\u30CD\u30C1\u30E3\u304C\u898B\u3064\u304B\u3089\u306A\u3044\u304B\u3001\u69CB\u6587\u89E3\u6790\u3067\u304D\u307E\u305B\u3093)"},
+        {"jar.is.unsigned",
+                "jar\u306F\u7F72\u540D\u3055\u308C\u3066\u3044\u307E\u305B\u3093\u3002"},
+        {"jar.treated.unsigned",
+                "\u8B66\u544A: \u7F72\u540D\u304C\u69CB\u6587\u89E3\u6790\u3067\u304D\u306A\u3044\u304B\u691C\u8A3C\u3067\u304D\u306A\u3044\u305F\u3081\u3001\u3053\u306Ejar\u306F\u672A\u7F72\u540D\u3068\u3057\u3066\u6271\u308F\u308C\u307E\u3059\u3002\u8A73\u7D30\u306F\u3001\u30C7\u30D0\u30C3\u30B0\u3092\u6709\u52B9\u306B\u3057\u3066(-J-Djava.security.debug=jar) jarsigner\u3092\u518D\u5B9F\u884C\u3057\u3066\u304F\u3060\u3055\u3044\u3002"},
+        {"jar.treated.unsigned.see.weak",
+                "\u3053\u306Ejar\u306F\u3001\u73FE\u5728\u7121\u52B9\u306B\u306A\u3063\u3066\u3044\u308B\u5F31\u3044\u30A2\u30EB\u30B4\u30EA\u30BA\u30E0\u3067\u7F72\u540D\u3055\u308C\u3066\u3044\u308B\u305F\u3081\u3001\u672A\u7F72\u540D\u3068\u3057\u3066\u6271\u308F\u308C\u307E\u3059\u3002\n\n\u8A73\u7D30\u306F\u3001-verbose\u30AA\u30D7\u30B7\u30E7\u30F3\u3092\u4F7F\u7528\u3057\u3066jarsigner\u3092\u518D\u5B9F\u884C\u3057\u3066\u304F\u3060\u3055\u3044\u3002"},
+        {"jar.treated.unsigned.see.weak.verbose",
+                "\u8B66\u544A: \u3053\u306Ejar\u306F\u3001\u30BB\u30AD\u30E5\u30EA\u30C6\u30A3\u30FB\u30D7\u30ED\u30D1\u30C6\u30A3\u306B\u3088\u3063\u3066\u73FE\u5728\u7121\u52B9\u306B\u306A\u3063\u3066\u3044\u308B\u5F31\u3044\u30A2\u30EB\u30B4\u30EA\u30BA\u30E0\u3067\u7F72\u540D\u3055\u308C\u3066\u3044\u308B\u305F\u3081\u3001\u672A\u7F72\u540D\u3068\u3057\u3066\u6271\u308F\u308C\u307E\u3059:"},
         {"jar.signed.", "jar\u306F\u7F72\u540D\u3055\u308C\u307E\u3057\u305F\u3002"},
         {"jar.signed.with.signer.errors.", "jar\u306F\u7F72\u540D\u3055\u308C\u307E\u3057\u305F - \u7F72\u540D\u8005\u30A8\u30E9\u30FC\u304C\u3042\u308A\u307E\u3059\u3002"},
         {"jar.verified.", "jar\u304C\u691C\u8A3C\u3055\u308C\u307E\u3057\u305F\u3002"},
         {"jar.verified.with.signer.errors.", "jar\u306F\u691C\u8A3C\u3055\u308C\u307E\u3057\u305F - \u7F72\u540D\u8005\u30A8\u30E9\u30FC\u304C\u3042\u308A\u307E\u3059\u3002"},
+
+        {"history.with.ts", "- \u7F72\u540D\u8005: \"%1$s\"\n    \u30C0\u30A4\u30B8\u30A7\u30B9\u30C8\u30FB\u30A2\u30EB\u30B4\u30EA\u30BA\u30E0: %2$s\n    \u7F72\u540D\u30A2\u30EB\u30B4\u30EA\u30BA\u30E0: %3$s\u3001%4$s\n  \u30BF\u30A4\u30E0\u30B9\u30BF\u30F3\u30D7\u4ED8\u52A0\u8005: \"%6$s\" \u65E5\u6642: %5$tc\n    \u30BF\u30A4\u30E0\u30B9\u30BF\u30F3\u30D7\u306E\u30C0\u30A4\u30B8\u30A7\u30B9\u30C8\u30FB\u30A2\u30EB\u30B4\u30EA\u30BA\u30E0: %7$s\n    \u30BF\u30A4\u30E0\u30B9\u30BF\u30F3\u30D7\u306E\u7F72\u540D\u30A2\u30EB\u30B4\u30EA\u30BA\u30E0: %8$s\u3001%9$s"},
+        {"history.without.ts", "- \u7F72\u540D\u8005: \"%1$s\"\n    \u30C0\u30A4\u30B8\u30A7\u30B9\u30C8\u30FB\u30A2\u30EB\u30B4\u30EA\u30BA\u30E0: %2$s\n    \u7F72\u540D\u30A2\u30EB\u30B4\u30EA\u30BA\u30E0: %3$s\u3001%4$s"},
+        {"history.unparsable", "- \u7F72\u540D\u95A2\u9023\u30D5\u30A1\u30A4\u30EB%s\u3092\u89E3\u6790\u3067\u304D\u307E\u305B\u3093"},
+        {"history.nosf", "- \u7F72\u540D\u95A2\u9023\u30D5\u30A1\u30A4\u30EBMETA-INF/%s.SF\u304C\u3042\u308A\u307E\u305B\u3093"},
+        {"history.nobk", "- \u7F72\u540D\u95A2\u9023\u30D5\u30A1\u30A4\u30EBMETA-INF/%s.SF\u306E\u30D6\u30ED\u30C3\u30AF\u30FB\u30D5\u30A1\u30A4\u30EB\u304C\u3042\u308A\u307E\u305B\u3093"},
+
+        {"with.weak", "%s (\u5F31)"},
+        {"key.bit", "%d\u30D3\u30C3\u30C8\u9375"},
+        {"key.bit.weak", "%d\u30D3\u30C3\u30C8\u9375(\u5F31)"},
+
         {"jarsigner.", "jarsigner: "},
         {"signature.filename.must.consist.of.the.following.characters.A.Z.0.9.or.",
                 "\u30B7\u30B0\u30CD\u30C1\u30E3\u306E\u30D5\u30A1\u30A4\u30EB\u540D\u306B\u4F7F\u7528\u3067\u304D\u308B\u6587\u5B57\u306F\u3001A-Z\u30010-9\u3001_\u3001- \u306E\u307F\u3067\u3059\u3002"},
--- a/src/share/classes/sun/security/tools/jarsigner/Resources_zh_CN.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/share/classes/sun/security/tools/jarsigner/Resources_zh_CN.java	Tue Dec 20 13:28:30 2016 -0800
@@ -135,12 +135,29 @@
         {"no.manifest.", "\u6CA1\u6709\u6E05\u5355\u3002"},
         {".Signature.related.entries.","(\u4E0E\u7B7E\u540D\u76F8\u5173\u7684\u6761\u76EE)"},
         {".Unsigned.entries.", "(\u672A\u7B7E\u540D\u6761\u76EE)"},
-        {"jar.is.unsigned.signatures.missing.or.not.parsable.",
-                "jar \u672A\u7B7E\u540D\u3002(\u7F3A\u5C11\u7B7E\u540D\u6216\u65E0\u6CD5\u89E3\u6790\u7B7E\u540D)"},
+        {"jar.is.unsigned",
+                "jar \u672A\u7B7E\u540D\u3002"},
+        {"jar.treated.unsigned",
+                "\u8B66\u544A: \u7B7E\u540D\u65E0\u6CD5\u89E3\u6790\u6216\u9A8C\u8BC1, \u8BE5 jar \u5C06\u88AB\u89C6\u4E3A\u672A\u7B7E\u540D\u3002\u6709\u5173\u8BE6\u7EC6\u4FE1\u606F, \u8BF7\u5728\u542F\u7528\u8C03\u8BD5\u7684\u60C5\u51B5\u4E0B\u91CD\u65B0\u8FD0\u884C jarsigner (-J-Djava.security.debug=jar)\u3002"},
+        {"jar.treated.unsigned.see.weak",
+                "\u7531\u4E8E\u8BE5 jar \u662F\u4F7F\u7528\u76EE\u524D\u5DF2\u7981\u7528\u7684\u5F31\u7B97\u6CD5\u7B7E\u540D\u7684, \u56E0\u6B64\u8BE5 jar \u5C06\u88AB\u89C6\u4E3A\u672A\u7B7E\u540D\u3002\n\n\u6709\u5173\u8BE6\u7EC6\u4FE1\u606F, \u8BF7\u4F7F\u7528 -verbose \u9009\u9879\u91CD\u65B0\u8FD0\u884C jarsigner\u3002"},
+        {"jar.treated.unsigned.see.weak.verbose",
+                "\u8B66\u544A: \u7531\u4E8E\u8BE5 jar \u662F\u4F7F\u7528\u76EE\u524D\u5DF2\u7531\u5B89\u5168\u5C5E\u6027\u7981\u7528\u7684\u5F31\u7B97\u6CD5\u7B7E\u540D\u7684, \u56E0\u6B64\u8BE5 jar \u5C06\u88AB\u89C6\u4E3A\u672A\u7B7E\u540D:"},
         {"jar.signed.", "jar \u5DF2\u7B7E\u540D\u3002"},
         {"jar.signed.with.signer.errors.", "jar \u5DF2\u7B7E\u540D, \u4F46\u51FA\u73B0\u7B7E\u540D\u8005\u9519\u8BEF\u3002"},
         {"jar.verified.", "jar \u5DF2\u9A8C\u8BC1\u3002"},
         {"jar.verified.with.signer.errors.", "jar \u5DF2\u9A8C\u8BC1, \u4F46\u51FA\u73B0\u7B7E\u540D\u8005\u9519\u8BEF\u3002"},
+
+        {"history.with.ts", "- \u7531 \"%1$s\" \u7B7E\u540D\n    \u6458\u8981\u7B97\u6CD5: %2$s\n    \u7B7E\u540D\u7B97\u6CD5: %3$s, %4$s\n  \u7531 \"%6$s\" \u4E8E %5$tc \u52A0\u65F6\u95F4\u6233\n    \u65F6\u95F4\u6233\u6458\u8981\u7B97\u6CD5: %7$s\n    \u65F6\u95F4\u6233\u7B7E\u540D\u7B97\u6CD5: %8$s, %9$s"},
+        {"history.without.ts", "- \u7531 \"%1$s\" \u7B7E\u540D\n    \u6458\u8981\u7B97\u6CD5: %2$s\n    \u7B7E\u540D\u7B97\u6CD5: %3$s, %4$s"},
+        {"history.unparsable", "- \u65E0\u6CD5\u89E3\u6790\u7684\u4E0E\u7B7E\u540D\u76F8\u5173\u7684\u6587\u4EF6 %s"},
+        {"history.nosf", "- \u7F3A\u5C11\u4E0E\u7B7E\u540D\u76F8\u5173\u7684\u6587\u4EF6 META-INF/%s.SF"},
+        {"history.nobk", "- \u4E0E\u7B7E\u540D\u76F8\u5173\u7684\u6587\u4EF6 META-INF/%s.SF \u7F3A\u5C11\u5757\u6587\u4EF6"},
+
+        {"with.weak", "%s (\u5F31)"},
+        {"key.bit", "%d \u4F4D\u5BC6\u94A5"},
+        {"key.bit.weak", "%d \u4F4D\u5BC6\u94A5 (\u5F31)"},
+
         {"jarsigner.", "jarsigner: "},
         {"signature.filename.must.consist.of.the.following.characters.A.Z.0.9.or.",
                 "\u7B7E\u540D\u6587\u4EF6\u540D\u5FC5\u987B\u5305\u542B\u4EE5\u4E0B\u5B57\u7B26: A-Z, 0-9, _ \u6216 -"},
--- a/src/share/classes/sun/security/tools/policytool/Resources_sv.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/share/classes/sun/security/tools/policytool/Resources_sv.java	Tue Dec 20 13:28:30 2016 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -43,7 +43,7 @@
         {"Illegal.option.option", "Otill\u00E5tet alternativ: {0}"},
         {"Usage.policytool.options.", "Syntax: policytool [alternativ]"},
         {".file.file.policy.file.location",
-                "  [-file <fil>]    policyfilens plats"},
+                "  [-file <fil>]    policyfiladress"},
         {"New", "&Nytt"},
         {"Open", "&\u00D6ppna..."},
         {"Save", "S&para"},
--- a/src/share/classes/sun/security/util/AnchorCertificates.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/share/classes/sun/security/util/AnchorCertificates.java	Tue Dec 20 13:28:30 2016 -0800
@@ -56,7 +56,7 @@
                 try {
                     cacerts = KeyStore.getInstance("JKS");
                     try (FileInputStream fis = new FileInputStream(f)) {
-                        cacerts.load(fis, "changeit".toCharArray());
+                        cacerts.load(fis, null);
                         certs = new HashSet<>();
                         Enumeration<String> list = cacerts.aliases();
                         String alias;
--- a/src/share/classes/sun/security/util/CertConstraintParameters.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/share/classes/sun/security/util/CertConstraintParameters.java	Tue Dec 20 13:28:30 2016 -0800
@@ -26,7 +26,6 @@
 package sun.security.util;
 
 import java.security.cert.X509Certificate;
-import java.util.Date;
 
 /**
  * This class is a wrapper for keeping state and passing objects between PKIX,
@@ -35,21 +34,18 @@
 public class CertConstraintParameters {
     // A certificate being passed to check against constraints.
     private final X509Certificate cert;
+
     // This is true if the trust anchor in the certificate chain matches a cert
     // in AnchorCertificates
     private final boolean trustedMatch;
-    // PKIXParameter date
-    private final Date pkixDate;
 
-    public CertConstraintParameters(X509Certificate c, boolean match,
-            Date pkixdate) {
+    public CertConstraintParameters(X509Certificate c, boolean match) {
         cert = c;
         trustedMatch = match;
-        pkixDate = pkixdate;
     }
 
     public CertConstraintParameters(X509Certificate c) {
-        this(c, false, null);
+        this(c, false);
     }
 
     // Returns if the trust anchor has a match if anchor checking is enabled.
@@ -60,9 +56,4 @@
     public X509Certificate getCertificate() {
         return cert;
     }
-
-    public Date getPKIXParamDate() {
-        return pkixDate;
-    }
-
 }
--- a/src/share/classes/sun/security/util/DerInputBuffer.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/share/classes/sun/security/util/DerInputBuffer.java	Tue Dec 20 13:28:30 2016 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -147,6 +147,11 @@
         System.arraycopy(buf, pos, bytes, 0, len);
         skip(len);
 
+        // check to make sure no extra leading 0s for DER
+        if (len >= 2 && (bytes[0] == 0) && (bytes[1] >= 0)) {
+            throw new IOException("Invalid encoding: redundant leading 0s");
+        }
+
         if (makePositive) {
             return new BigInteger(1, bytes);
         } else {
--- a/src/share/classes/sun/security/util/DerInputStream.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/share/classes/sun/security/util/DerInputStream.java	Tue Dec 20 13:28:30 2016 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -77,7 +77,7 @@
      * @param data the buffer from which to create the string (CONSUMED)
      */
     public DerInputStream(byte[] data) throws IOException {
-        init(data, 0, data.length);
+        init(data, 0, data.length, true);
     }
 
     /**
@@ -92,23 +92,48 @@
      *          starting at "offset"
      */
     public DerInputStream(byte[] data, int offset, int len) throws IOException {
-        init(data, offset, len);
+        init(data, offset, len, true);
+    }
+
+    /**
+     * Create a DER input stream from part of a data buffer with
+     * additional arg to indicate whether to allow constructed
+     * indefinite-length encoding.
+     * The buffer is not copied, it is shared.  Accordingly, the
+     * buffer should be treated as read-only.
+     *
+     * @param data the buffer from which to create the string (CONSUMED)
+     * @param offset the first index of <em>data</em> which will
+     *          be read as DER input in the new stream
+     * @param len how long a chunk of the buffer to use,
+     *          starting at "offset"
+     * @param allowIndefiniteLength whether to allow constructed
+     *          indefinite-length encoding
+     */
+    public DerInputStream(byte[] data, int offset, int len,
+        boolean allowIndefiniteLength) throws IOException {
+        init(data, offset, len, allowIndefiniteLength);
     }
 
     /*
      * private helper routine
      */
-    private void init(byte[] data, int offset, int len) throws IOException {
+    private void init(byte[] data, int offset, int len,
+        boolean allowIndefiniteLength) throws IOException {
         if ((offset+2 > data.length) || (offset+len > data.length)) {
             throw new IOException("Encoding bytes too short");
         }
         // check for indefinite length encoding
         if (DerIndefLenConverter.isIndefinite(data[offset+1])) {
-            byte[] inData = new byte[len];
-            System.arraycopy(data, offset, inData, 0, len);
+            if (!allowIndefiniteLength) {
+                throw new IOException("Indefinite length BER encoding found");
+            } else {
+                byte[] inData = new byte[len];
+                System.arraycopy(data, offset, inData, 0, len);
 
-            DerIndefLenConverter derIn = new DerIndefLenConverter();
-            buffer = new DerInputBuffer(derIn.convert(inData));
+                DerIndefLenConverter derIn = new DerIndefLenConverter();
+                buffer = new DerInputBuffer(derIn.convert(inData));
+            }
         } else
             buffer = new DerInputBuffer(data, offset, len);
         buffer.mark(Integer.MAX_VALUE);
@@ -233,12 +258,21 @@
          * First byte = number of excess bits in the last octet of the
          * representation.
          */
-        int validBits = length*8 - buffer.read();
+        int excessBits = buffer.read();
+        if (excessBits < 0) {
+            throw new IOException("Unused bits of bit string invalid");
+        }
+        int validBits = length*8 - excessBits;
+        if (validBits < 0) {
+            throw new IOException("Valid bits of bit string invalid");
+        }
 
         byte[] repn = new byte[length];
 
-        if ((length != 0) && (buffer.read(repn) != length))
-            throw new IOException("short read of DER bit string");
+        if ((length != 0) && (buffer.read(repn) != length)) {
+            throw new IOException("Short read of DER bit string");
+        }
+
         return new BitArray(validBits, repn);
     }
 
@@ -252,7 +286,7 @@
         int length = getLength(buffer);
         byte[] retval = new byte[length];
         if ((length != 0) && (buffer.read(retval) != length))
-            throw new IOException("short read of DER octet string");
+            throw new IOException("Short read of DER octet string");
 
         return retval;
     }
@@ -262,7 +296,7 @@
      */
     public void getBytes(byte[] val) throws IOException {
         if ((val.length != 0) && (buffer.read(val) != val.length)) {
-            throw new IOException("short read of DER octet string");
+            throw new IOException("Short read of DER octet string");
         }
     }
 
@@ -346,7 +380,7 @@
         DerInputStream  newstr;
 
         byte lenByte = (byte)buffer.read();
-        int len = getLength((lenByte & 0xff), buffer);
+        int len = getLength(lenByte, buffer);
 
         if (len == -1) {
            // indefinite length encoding found
@@ -392,7 +426,7 @@
         } while (newstr.available() > 0);
 
         if (newstr.available() != 0)
-            throw new IOException("extra data at end of vector");
+            throw new IOException("Extra data at end of vector");
 
         /*
          * Now stick them into the array we're returning.
@@ -483,7 +517,7 @@
         int length = getLength(buffer);
         byte[] retval = new byte[length];
         if ((length != 0) && (buffer.read(retval) != length))
-            throw new IOException("short read of DER " +
+            throw new IOException("Short read of DER " +
                                   stringName + " string");
 
         return new String(retval, enc);
@@ -544,7 +578,11 @@
      */
     static int getLength(int lenByte, InputStream in) throws IOException {
         int value, tmp;
+        if (lenByte == -1) {
+            throw new IOException("Short read of DER length");
+        }
 
+        String mdName = "DerInputStream.getLength(): ";
         tmp = lenByte;
         if ((tmp & 0x080) == 0x00) { // short form, 1 byte datum
             value = tmp;
@@ -558,17 +596,23 @@
             if (tmp == 0)
                 return -1;
             if (tmp < 0 || tmp > 4)
-                throw new IOException("DerInputStream.getLength(): lengthTag="
-                    + tmp + ", "
+                throw new IOException(mdName + "lengthTag=" + tmp + ", "
                     + ((tmp < 0) ? "incorrect DER encoding." : "too big."));
 
-            for (value = 0; tmp > 0; tmp --) {
+            value = 0x0ff & in.read();
+            tmp--;
+            if (value == 0) {
+                // DER requires length value be encoded in minimum number of bytes
+                throw new IOException(mdName + "Redundant length bytes found");
+            }
+            while (tmp-- > 0) {
                 value <<= 8;
                 value += 0x0ff & in.read();
             }
             if (value < 0) {
-                throw new IOException("DerInputStream.getLength(): "
-                        + "Invalid length bytes");
+                throw new IOException(mdName + "Invalid length bytes");
+            } else if (value <= 127) {
+                throw new IOException(mdName + "Should use short form for length");
             }
         }
         return value;
--- a/src/share/classes/sun/security/util/DerValue.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/share/classes/sun/security/util/DerValue.java	Tue Dec 20 13:28:30 2016 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1996, 2009, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1996, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -249,7 +249,7 @@
 
         tag = (byte)in.read();
         byte lenByte = (byte)in.read();
-        length = DerInputStream.getLength((lenByte & 0xff), in);
+        length = DerInputStream.getLength(lenByte, in);
         if (length == -1) {  // indefinite length encoding found
             DerInputBuffer inbuf = in.dup();
             int readLen = inbuf.available();
@@ -362,7 +362,7 @@
 
         tag = (byte)in.read();
         byte lenByte = (byte)in.read();
-        length = DerInputStream.getLength((lenByte & 0xff), in);
+        length = DerInputStream.getLength(lenByte, in);
         if (length == -1) { // indefinite length encoding found
             int readLen = in.available();
             int offset = 2;     // for tag and length bytes
--- a/src/share/classes/sun/security/util/DisabledAlgorithmConstraints.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/share/classes/sun/security/util/DisabledAlgorithmConstraints.java	Tue Dec 20 13:28:30 2016 -0800
@@ -31,15 +31,11 @@
 import java.security.cert.CertPathValidatorException;
 import java.security.cert.CertPathValidatorException.BasicReason;
 import java.security.cert.X509Certificate;
-import java.text.SimpleDateFormat;
-import java.util.Calendar;
-import java.util.Date;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.Locale;
 import java.util.Map;
 import java.util.Set;
-import java.util.TimeZone;
 import java.util.regex.Pattern;
 import java.util.regex.Matcher;
 
@@ -242,8 +238,6 @@
         private Map<String, Set<Constraint>> constraintsMap = new HashMap<>();
         private static final Pattern keySizePattern = Pattern.compile(
                 "keySize\\s*(<=|<|==|!=|>|>=)\\s*(\\d+)");
-        private static final Pattern denyAfterPattern = Pattern.compile(
-                "denyAfter\\s+(\\d{4})-(\\d{2})-(\\d{2})");
 
         public Constraints(String[] constraintArray) {
             for (String constraintEntry : constraintArray) {
@@ -274,11 +268,10 @@
                 }
 
                 // Convert constraint conditions into Constraint classes
-                Constraint c, lastConstraint = null;
+                Constraint c = null;
+                Constraint lastConstraint = null;
                 // Allow only one jdkCA entry per constraint entry
                 boolean jdkCALimit = false;
-                // Allow only one denyAfter entry per constraint entry
-                boolean denyAfterLimit = false;
 
                 for (String entry : policy.split("&")) {
                     entry = entry.trim();
@@ -304,25 +297,6 @@
                         }
                         c = new jdkCAConstraint(algorithm);
                         jdkCALimit = true;
-
-                    } else if(matcher.usePattern(denyAfterPattern).matches()) {
-                        if (debug != null) {
-                            debug.println("Constraints set to denyAfter");
-                        }
-                        if (denyAfterLimit) {
-                            throw new IllegalArgumentException("Only one " +
-                                    "denyAfter entry allowed in property. " +
-                                    "Constraint: " + constraintEntry);
-                        }
-                        int year = Integer.parseInt(matcher.group(1));
-                        int month = Integer.parseInt(matcher.group(2));
-                        int day = Integer.parseInt(matcher.group(3));
-                        c = new DenyAfterConstraint(algorithm, year, month,
-                                day);
-                        denyAfterLimit = true;
-                    } else {
-                        throw new IllegalArgumentException("Error in security" +
-                                " property. Constraint unknown: " + entry);
                     }
 
                     // Link multiple conditions for a single constraint
@@ -332,7 +306,9 @@
                             constraintsMap.putIfAbsent(algorithm,
                                     new HashSet<>());
                         }
-                        constraintsMap.get(algorithm).add(c);
+                        if (c != null) {
+                            constraintsMap.get(algorithm).add(c);
+                        }
                     } else {
                         lastConstraint.nextConstraint = c;
                     }
@@ -396,15 +372,7 @@
         }
                         }
 
-    /**
-     * This abstract Constraint class for algorithm-based checking
-     * may contain one or more constraints.  If the '&' on the {@Security}
-     * property is used, multiple constraints have been grouped together
-     * requiring all the constraints to fail for the check to be disallowed.
-     *
-     * If the class contains multiple constraints, the next constraint
-     * is stored in {@code nextConstraint} in linked-list fashion.
-     */
+    // Abstract class for algorithm constraint checking
     private abstract static class Constraint {
         String algorithm;
         Constraint nextConstraint = null;
@@ -440,79 +408,22 @@
         }
 
         /**
-         * Check if an algorithm constraint is permitted with a given key.
-         *
-         * If the check inside of {@code permit()} fails, it must call
-         * {@code next()} with the same {@code Key} parameter passed if
-         * multiple constraints need to be checked.
-         *
+         * Check if an algorithm constraint permit this key to be used.
          * @param key Public key
-         * @return 'true' if constraint is allowed, 'false' if disallowed.
+         * @return true if constraints do not match
          */
         public boolean permits(Key key) {
             return true;
         }
 
         /**
-         * Check if an algorithm constraint is permitted with a given
-         * CertConstraintParameters.
-         *
-         * If the check inside of {@code permits()} fails, it must call
-         * {@code next()} with the same {@code CertConstraintParameters}
-         * parameter passed if multiple constraints need to be checked.
-         *
-         * @param cp CertConstraintParameter containing certificate info
-         * @throws CertPathValidatorException if constraint disallows.
-         *
+         * Check if an algorithm constraint is permit this certificate to
+         * be used.
+         * @param cp CertificateParameter containing certificate and state info
+         * @return true if constraints do not match
          */
         public abstract void permits(CertConstraintParameters cp)
                 throws CertPathValidatorException;
-
-        /**
-         * Recursively check if the constraints are allowed.
-         *
-         * If {@code nextConstraint} is non-null, this method will
-         * call {@code nextConstraint}'s {@code permits()} to check if the
-         * constraint is allowed or denied.  If the constraint's
-         * {@code permits()} is allowed, this method will exit this and any
-         * recursive next() calls, returning 'true'.  If the constraints called
-         * were disallowed, the last constraint will throw
-         * {@code CertPathValidatorException}.
-         *
-         * @param cp CertConstraintParameters
-         * @return 'true' if constraint allows the operation, 'false' if
-         * we are at the end of the constraint list or,
-         * {@code nextConstraint} is null.
-         */
-        boolean next(CertConstraintParameters cp)
-                throws CertPathValidatorException {
-            if (nextConstraint != null) {
-                nextConstraint.permits(cp);
-                return true;
-            }
-            return false;
-        }
-
-        /**
-         * Recursively check if this constraint is allowed,
-         *
-         * If {@code nextConstraint} is non-null, this method will
-         * call {@code nextConstraint}'s {@code permit()} to check if the
-         * constraint is allowed or denied.  If the constraint's
-         * {@code permit()} is allowed, this method will exit this and any
-         * recursive next() calls, returning 'true'.  If the constraints
-         * called were disallowed the check will exit with 'false'.
-         *
-         * @param key Public key
-         * @return 'true' if constraint allows the operation, 'false' if
-         * the constraint denies the operation.
-         */
-        boolean next(Key key) {
-            if (nextConstraint != null && nextConstraint.permits(key)) {
-                return true;
-            }
-            return false;
-        }
     }
 
     /*
@@ -525,9 +436,9 @@
         }
 
         /*
-         * Check if CertConstraintParameters has a trusted match, if it does
-         * call next() for any following constraints. If it does not, exit
-         * as this constraint(s) does not restrict the operation.
+         * Check if each constraint fails and check if there is a linked
+         * constraint  Any permitted constraint will exit the linked list
+         * to allow the operation.
          */
         public void permits(CertConstraintParameters cp)
                 throws CertPathValidatorException {
@@ -535,9 +446,10 @@
                 debug.println("jdkCAConstraints.permits(): " + algorithm);
             }
 
-            // Check chain has a trust anchor in cacerts
+            // Return false if the chain has a trust anchor in cacerts
             if (cp.isTrustedMatch()) {
-                if (next(cp)) {
+                if (nextConstraint != null) {
+                    nextConstraint.permits(cp);
                     return;
                 }
                 throw new CertPathValidatorException(
@@ -548,99 +460,6 @@
         }
     }
 
-    /*
-     * This class handles the denyAfter constraint.  The date is in the UTC/GMT
-     * timezone.
-     */
-     private static class DenyAfterConstraint extends Constraint {
-         private Date denyAfterDate;
-         private static final SimpleDateFormat dateFormat =
-                 new SimpleDateFormat("EEE, MMM d HH:mm:ss z YYYY");
-
-         DenyAfterConstraint(String algo, int year, int month, int day) {
-             Calendar c;
-
-             algorithm = algo;
-
-             if (debug != null) {
-                 debug.println("DenyAfterConstraint read in as:  year " +
-                         year + ", month = " + month + ", day = " + day);
-             }
-
-             c = new Calendar.Builder().setTimeZone(TimeZone.getTimeZone("GMT"))
-                     .setDate(year, month - 1, day).build();
-
-             if (year > c.getActualMaximum(Calendar.YEAR) ||
-                     year < c.getActualMinimum(Calendar.YEAR)) {
-                 throw new IllegalArgumentException(
-                         "Invalid year given in constraint: " + year);
-             }
-             if ((month - 1) > c.getActualMaximum(Calendar.MONTH) ||
-                     (month - 1) < c.getActualMinimum(Calendar.MONTH)) {
-                 throw new IllegalArgumentException(
-                         "Invalid month given in constraint: " + month);
-             }
-             if (day > c.getActualMaximum(Calendar.DAY_OF_MONTH) ||
-                     day < c.getActualMinimum(Calendar.DAY_OF_MONTH)) {
-                 throw new IllegalArgumentException(
-                         "Invalid Day of Month given in constraint: " + day);
-             }
-
-             denyAfterDate = c.getTime();
-             if (debug != null) {
-                 debug.println("DenyAfterConstraint date set to: " +
-                         dateFormat.format(denyAfterDate));
-             }
-         }
-
-         /*
-          * Checking that the provided date is not beyond the constraint date.
-          * The provided date can be the PKIXParameter date if given,
-          * otherwise it is the current date.
-          *
-          * If the constraint disallows, call next() for any following
-          * constraints. Throw an exception if this is the last constraint.
-          */
-         @Override
-         public void permits(CertConstraintParameters cp)
-                 throws CertPathValidatorException {
-             Date currentDate;
-
-             if (cp.getPKIXParamDate() != null) {
-                 currentDate = cp.getPKIXParamDate();
-             } else {
-                 currentDate = new Date();
-             }
-
-             if (!denyAfterDate.after(currentDate)) {
-                 if (next(cp)) {
-                     return;
-                 }
-                 throw new CertPathValidatorException(
-                         "denyAfter constraint check failed.  " +
-                                 "Constraint date: " +
-                                 dateFormat.format(denyAfterDate) +
-                                 "; Cert date: " +
-                                 dateFormat.format(currentDate),
-                          null, null, -1, BasicReason.ALGORITHM_CONSTRAINED);
-             }
-         }
-
-         /*
-          * Return result if the constraint's date is beyond the current date
-          * in UTC timezone.
-          */
-         public boolean permits(Key key) {
-             if (next(key)) {
-                 return true;
-             }
-             if (debug != null) {
-                 debug.println("DenyAfterConstraints.permits(): " + algorithm);
-             }
-
-             return denyAfterDate.after(new Date());
-         }
-     }
 
     /*
      * This class contains constraints dealing with the key size
--- a/src/share/classes/sun/security/util/ObjectIdentifier.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/share/classes/sun/security/util/ObjectIdentifier.java	Tue Dec 20 13:28:30 2016 -0800
@@ -255,7 +255,13 @@
                 + " (tag = " +  type_id + ")"
                 );
 
-        encoding = new byte[in.getLength()];
+        int len = in.getLength();
+        if (len > in.available()) {
+            throw new IOException("ObjectIdentifier() -- length exceeds" +
+                    "data available.  Length: " + len + ", Available: " +
+                    in.available());
+        }
+        encoding = new byte[len];
         in.getBytes(encoding);
         check(encoding);
     }
--- a/src/share/classes/sun/util/resources/TimeZoneNames.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/share/classes/sun/util/resources/TimeZoneNames.java	Tue Dec 20 13:28:30 2016 -0800
@@ -188,6 +188,9 @@
         String MHT[] = new String[] {"Marshall Islands Time", "MHT",
                                      "Marshall Islands Summer Time", "MHST",
                                      "Marshall Islands Time", "MHT"};
+        String MMT[] = new String[] {"Myanmar Time", "MMT",
+                                     "Myanmar Summer Time", "MMST",
+                                     "Myanmar Time", "MMT"};
         String MSK[] = new String[] {"Moscow Standard Time", "MSK",
                                      "Moscow Daylight Time", "MSD",
                                      "Moscow Time", "MT"};
@@ -683,9 +686,7 @@
             {"Asia/Qyzylorda", new String[] {"Qyzylorda Time", "QYZT",
                                              "Qyzylorda Summer Time", "QYZST",
                                              "Qyzylorda Time", "QYZT"}},
-            {"Asia/Rangoon", new String[] {"Myanmar Time", "MMT",
-                                           "Myanmar Summer Time", "MMST",
-                                           "Myanmar Time", "MMT"}},
+            {"Asia/Rangoon", MMT},
             {"Asia/Riyadh", ARAST},
             {"Asia/Saigon", ICT},
             {"Asia/Sakhalin", new String[] {"Sakhalin Time", "SAKT",
@@ -718,6 +719,7 @@
                                                "Vladivostok Summer Time", "VLAST",
                                                "Vladivostok Time", "VLAT"}},
             {"Asia/Yakutsk", YAKT},
+            {"Asia/Yangon", MMT},
             {"Asia/Yekaterinburg", new String[] {"Yekaterinburg Time", "YEKT",
                                                  "Yekaterinburg Summer Time", "YEKST",
                                                  "Yekaterinburg Time", "YEKT"}},
--- a/src/share/classes/sun/util/resources/de/TimeZoneNames_de.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/share/classes/sun/util/resources/de/TimeZoneNames_de.java	Tue Dec 20 13:28:30 2016 -0800
@@ -189,6 +189,9 @@
         String MHT[] = new String[] {"Marshallinseln Zeit", "MHT",
                                      "Marshallinseln Sommerzeit", "MHST",
                                      "Marshallinseln Zeit", "MHT"};
+        String MMT[] = new String[] {"Myanmar Zeit", "MMT",
+                                     "Myanmar Sommerzeit", "MMST",
+                                     "Myanmar Zeit", "MMT"};
         String MSK[] = new String[] {"Moskauer Normalzeit", "MSK",
                                      "Moskauer Sommerzeit", "MSD",
                                      "Zeitzone f\u00FCr Moskau", "MT"};
@@ -684,9 +687,7 @@
             {"Asia/Qyzylorda", new String[] {"Qyzylorda Zeit", "QYZT",
                                              "Qyzylorda Sommerzeit", "QYZST",
                                              "Qyzylorda Zeit", "QYZT"}},
-            {"Asia/Rangoon", new String[] {"Myanmar Zeit", "MMT",
-                                           "Myanmar Sommerzeit", "MMST",
-                                           "Myanmar Zeit", "MMT"}},
+            {"Asia/Rangoon", MMT},
             {"Asia/Riyadh", ARAST},
             {"Asia/Saigon", ICT},
             {"Asia/Sakhalin", new String[] {"Sakhalin Zeit", "SAKT",
@@ -719,6 +720,7 @@
                                                "Wladiwostok Sommerzeit", "VLAST",
                                                "Wladiwostok Zeit", "VLAT"}},
             {"Asia/Yakutsk", YAKT},
+            {"Asia/Yangon", MMT},
             {"Asia/Yekaterinburg", new String[] {"Jekaterinburger Zeit", "YEKT",
                                                  "Jekaterinburger Sommerzeit", "YEKST",
                                                  "Jekaterinburger Zeit", "YEKT"}},
--- a/src/share/classes/sun/util/resources/es/TimeZoneNames_es.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/share/classes/sun/util/resources/es/TimeZoneNames_es.java	Tue Dec 20 13:28:30 2016 -0800
@@ -189,6 +189,9 @@
         String MHT[] = new String[] {"Hora de las Islas Marshall", "MHT",
                                      "Hora de verano de las Islas Marshall", "MHST",
                                      "Hora de Islas Marshall", "MHT"};
+        String MMT[] = new String[] {"Hora de Myanmar", "MMT",
+                                     "Hora de verano de Myanmar", "MMST",
+                                     "Hora de Myanmar", "MMT"};
         String MSK[] = new String[] {"Hora est\u00e1ndar de Mosc\u00fa", "MSK",
                                      "Hora de verano de Mosc\u00fa", "MSD",
                                      "Hora de Mosc\u00FA", "MT"};
@@ -684,9 +687,7 @@
             {"Asia/Qyzylorda", new String[] {"Hora de Qyzylorda", "QYZT",
                                              "Hora de verano de Qyzylorda", "QYZST",
                                              "Hora de Qyzylorda", "QYZT"}},
-            {"Asia/Rangoon", new String[] {"Hora de Myanmar", "MMT",
-                                           "Hora de verano de Myanmar", "MMST",
-                                           "Hora de Myanmar", "MMT"}},
+            {"Asia/Rangoon", MMT},
             {"Asia/Riyadh", ARAST},
             {"Asia/Saigon", ICT},
             {"Asia/Sakhalin", new String[] {"Hora de Sajalin", "SAKT",
@@ -719,6 +720,7 @@
                                                "Hora de verano de Vladivostok", "VLAST",
                                                "Hora de Vladivostok", "VLAT"}},
             {"Asia/Yakutsk", YAKT},
+            {"Asia/Yangon", MMT},
             {"Asia/Yekaterinburg", new String[] {"Hora de Ekaterinburgo", "YEKT",
                                                  "Hora de verano de Ekaterinburgo", "YEKST",
                                                  "Hora de Ekaterinburgo", "YEKT"}},
--- a/src/share/classes/sun/util/resources/fr/TimeZoneNames_fr.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/share/classes/sun/util/resources/fr/TimeZoneNames_fr.java	Tue Dec 20 13:28:30 2016 -0800
@@ -189,6 +189,9 @@
         String MHT[] = new String[] {"Heure des Iles Marshall", "MHT",
                                      "Heure d'\u00e9t\u00e9 des Iles Marshall", "MHST",
                                      "Heure des Iles Marshall", "MHT"};
+        String MMT[] = new String[] {"Heure de Myanmar", "MMT",
+                                     "Heure d'\u00e9t\u00e9 de Myanmar", "MMST",
+                                     "Heure de Myanmar", "MMT"};
         String MSK[] = new String[] {"Heure standard de Moscou", "MSK",
                                      "Heure avanc\u00e9e de Moscou", "MSD",
                                      "Moscou", "MT"};
@@ -684,9 +687,7 @@
             {"Asia/Qyzylorda", new String[] {"Heure de Kyzylorda", "QYZT",
                                              "Heure d'\u00e9t\u00e9 de Kyzylorda", "QYZST",
                                              "Heure de Kyzylorda", "QYZT"}},
-            {"Asia/Rangoon", new String[] {"Heure de Myanmar", "MMT",
-                                           "Heure d'\u00e9t\u00e9 de Myanmar", "MMST",
-                                           "Heure de Myanmar", "MMT"}},
+            {"Asia/Rangoon", MMT},
             {"Asia/Riyadh", ARAST},
             {"Asia/Saigon", ICT},
             {"Asia/Sakhalin", new String[] {"Heure de Sakhalin", "SAKT",
@@ -719,6 +720,7 @@
                                                "Heure d'\u00e9t\u00e9 de Vladivostok", "VLAST",
                                                "Heure de Vladivostok", "VLAT"}},
             {"Asia/Yakutsk", YAKT},
+            {"Asia/Yangon", MMT},
             {"Asia/Yekaterinburg", new String[] {"Heure de Yekaterinburg", "YEKT",
                                                  "Heure d'\u00e9t\u00e9 de Yekaterinburg", "YEKST",
                                                  "Heure de Yekaterinburg", "YEKT"}},
--- a/src/share/classes/sun/util/resources/it/TimeZoneNames_it.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/share/classes/sun/util/resources/it/TimeZoneNames_it.java	Tue Dec 20 13:28:30 2016 -0800
@@ -189,6 +189,9 @@
         String MHT[] = new String[] {"Ora delle Isole Marshall", "MHT",
                                      "Ora estiva delle Isole Marshall", "MHST",
                                      "Ora delle Isole Marshall", "MHT"};
+        String MMT[] = new String[] {"Ora della Birmania/Myanmar", "MMT",
+                                     "Ora estiva della Birmania/Myanmar", "MMST",
+                                     "Ora della Birmania/Myanmar", "MMT"};
         String MSK[] = new String[] {"Ora standard di Mosca", "MSK",
                                      "Ora legale di Mosca", "MSD",
                                      "Ora Mosca", "MT"};
@@ -684,9 +687,7 @@
             {"Asia/Qyzylorda", new String[] {"Ora di Qyzylorda", "QYZT",
                                              "Ora estiva di Qyzylorda", "QYZST",
                                              "Ora di Qyzylorda", "QYZT"}},
-            {"Asia/Rangoon", new String[] {"Ora della Birmania/Myanmar", "MMT",
-                                           "Ora estiva della Birmania/Myanmar", "MMST",
-                                           "Ora della Birmania/Myanmar", "MMT"}},
+            {"Asia/Rangoon", MMT},
             {"Asia/Riyadh", ARAST},
             {"Asia/Saigon", ICT},
             {"Asia/Sakhalin", new String[] {"Ora di Sakhalin", "SAKT",
@@ -719,6 +720,7 @@
                                                "Ora estiva di Vladivostok", "VLAST",
                                                "Ora di Vladivostok", "VLAT"}},
             {"Asia/Yakutsk", YAKT},
+            {"Asia/Yangon", MMT},
             {"Asia/Yekaterinburg", new String[] {"Ora di Ekaterinburg", "YEKT",
                                                  "Ora estiva di Ekaterinburg", "YEKST",
                                                  "Ora di Ekaterinburg", "YEKT"}},
--- a/src/share/classes/sun/util/resources/ja/TimeZoneNames_ja.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/share/classes/sun/util/resources/ja/TimeZoneNames_ja.java	Tue Dec 20 13:28:30 2016 -0800
@@ -189,6 +189,9 @@
         String MHT[] = new String[] {"\u30de\u30fc\u30b7\u30e3\u30eb\u5cf6\u6642\u9593", "MHT",
                                      "\u30de\u30fc\u30b7\u30e3\u30eb\u5cf6\u590f\u6642\u9593", "MHST",
                                      "\u30DE\u30FC\u30B7\u30E3\u30EB\u8AF8\u5CF6\u6642\u9593", "MHT"};
+        String MMT[] = new String[] {"\u30df\u30e3\u30f3\u30de\u30fc\u6642\u9593", "MMT",
+                                     "\u30df\u30e3\u30f3\u30de\u30fc\u590f\u6642\u9593", "MMST",
+                                     "\u30DF\u30E3\u30F3\u30DE\u30FC\u6642\u9593", "MMT"};
         String MSK[] = new String[] {"\u30e2\u30b9\u30af\u30ef\u6a19\u6e96\u6642", "MSK",
                                      "\u30e2\u30b9\u30af\u30ef\u590f\u6642\u9593", "MSD",
                                      "\u30E2\u30B9\u30AF\u30EF\u6642\u9593", "MT"};
@@ -684,9 +687,7 @@
             {"Asia/Qyzylorda", new String[] {"\u30ad\u30b8\u30eb\u30aa\u30eb\u30c0\u6642\u9593", "QYZT",
                                              "\u30ad\u30b8\u30eb\u30aa\u30eb\u30c0\u590f\u6642\u9593", "QYZST",
                                              "\u30AF\u30BA\u30ED\u30EB\u30C0\u6642\u9593", "QYZT"}},
-            {"Asia/Rangoon", new String[] {"\u30df\u30e3\u30f3\u30de\u30fc\u6642\u9593", "MMT",
-                                           "\u30df\u30e3\u30f3\u30de\u30fc\u590f\u6642\u9593", "MMST",
-                                           "\u30DF\u30E3\u30F3\u30DE\u30FC\u6642\u9593", "MMT"}},
+            {"Asia/Rangoon", MMT},
             {"Asia/Riyadh", ARAST},
             {"Asia/Saigon", ICT},
             {"Asia/Sakhalin", new String[] {"\u6a3a\u592a\u6642\u9593", "SAKT",
@@ -719,6 +720,7 @@
                                                "\u30a6\u30e9\u30b8\u30aa\u30b9\u30c8\u30af\u590f\u6642\u9593", "VLAST",
                                                "\u30A6\u30E9\u30B8\u30AA\u30B9\u30C8\u30AF\u6642\u9593", "VLAT"}},
             {"Asia/Yakutsk", YAKT},
+            {"Asia/Yangon", MMT},
             {"Asia/Yekaterinburg", new String[] {"\u30a8\u30ab\u30c6\u30ea\u30f3\u30d6\u30eb\u30b0\u6642\u9593", "YEKT",
                                                  "\u30a8\u30ab\u30c6\u30ea\u30f3\u30d6\u30eb\u30b0\u590f\u6642\u9593", "YEKST",
                                                  "\u30A8\u30AB\u30C6\u30EA\u30F3\u30D6\u30EB\u30AF\u6642\u9593", "YEKT"}},
--- a/src/share/classes/sun/util/resources/ko/TimeZoneNames_ko.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/share/classes/sun/util/resources/ko/TimeZoneNames_ko.java	Tue Dec 20 13:28:30 2016 -0800
@@ -189,6 +189,9 @@
         String MHT[] = new String[] {"\ub9c8\uc15c\uc81c\ub3c4 \uc2dc\uac04", "MHT",
                                      "\ub9c8\uc15c\uc81c\ub3c4 \uc77c\uad11\uc808\uc57d\uc2dc\uac04", "MHST",
                                      "\uB9C8\uC15C \uC81C\uB3C4 \uD45C\uC900\uC2DC", "MHT"};
+        String MMT[] = new String[] {"\ubbf8\uc580\ub9c8 \uc2dc\uac04", "MMT",
+                                     "\ubbf8\uc580\ub9c8 \uc77c\uad11\uc808\uc57d\uc2dc\uac04", "MMST",
+                                     "\uBBF8\uC580\uB9C8 \uD45C\uC900\uC2DC", "MMT"};
         String MSK[] = new String[] {"\ubaa8\uc2a4\ud06c\ubc14 \ud45c\uc900\uc2dc", "MSK",
                                      "\ubaa8\uc2a4\ud06c\ubc14 \uc77c\uad11\uc808\uc57d\uc2dc\uac04", "MSD",
                                      "\uBAA8\uC2A4\uD06C\uBC14 \uD45C\uC900\uC2DC", "MT"};
@@ -684,9 +687,7 @@
             {"Asia/Qyzylorda", new String[] {"Qyzylorda \ud45c\uc900\uc2dc", "QYZT",
                                              "Qyzylorda \uc77c\uad11\uc808\uc57d\uc2dc\uac04", "QYZST",
                                              "\uD0A4\uC9C8\uB85C\uB974\uB2E4 \uD45C\uC900\uC2DC", "QYZT"}},
-            {"Asia/Rangoon", new String[] {"\ubbf8\uc580\ub9c8 \uc2dc\uac04", "MMT",
-                                           "\ubbf8\uc580\ub9c8 \uc77c\uad11\uc808\uc57d\uc2dc\uac04", "MMST",
-                                           "\uBBF8\uC580\uB9C8 \uD45C\uC900\uC2DC", "MMT"}},
+            {"Asia/Rangoon", MMT},
             {"Asia/Riyadh", ARAST},
             {"Asia/Saigon", ICT},
             {"Asia/Sakhalin", new String[] {"\uc0ac\ud560\ub9b0 \uc2dc\uac04", "SAKT",
@@ -719,6 +720,7 @@
                                                "\ube14\ub77c\ub514\ubcf4\uc2a4\ud1a1 \uc77c\uad11\uc808\uc57d\uc2dc\uac04", "VLAST",
                                                "\uBE14\uB77C\uB514\uBCF4\uC2A4\uD1A1 \uD45C\uC900\uC2DC", "VLAT"}},
             {"Asia/Yakutsk", YAKT},
+            {"Asia/Yangon", MMT},
             {"Asia/Yekaterinburg", new String[] {"\uc608\uce74\ud14c\ub9b0\ubc84\uadf8 \uc2dc\uac04", "YEKT",
                                                  "\uc608\uce74\ud14c\ub9b0\ubc84\uadf8 \uc77c\uad11\uc808\uc57d\uc2dc\uac04", "YEKST",
                                                  "\uC608\uCE74\uD14C\uB9B0\uBD80\uB974\uD06C \uD45C\uC900\uC2DC", "YEKT"}},
--- a/src/share/classes/sun/util/resources/pt/TimeZoneNames_pt_BR.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/share/classes/sun/util/resources/pt/TimeZoneNames_pt_BR.java	Tue Dec 20 13:28:30 2016 -0800
@@ -189,6 +189,9 @@
         String MSK[] = new String[] {"Fuso hor\u00e1rio padr\u00e3o de Moscou", "MSK",
                                      "Hor\u00e1rio de luz natural de Moscou", "MSD",
                                      "Hor\u00E1rio de Moscou", "MT"};
+        String MMT[] = new String[] {"Fuso hor\u00e1rio de Mianmar", "MMT",
+                                     "Fuso hor\u00e1rio de ver\u00e3o de Mianmar", "MMST",
+                                     "Hor\u00E1rio de Mianmar", "MMT"};
         String MST[] = new String[] {"Fuso hor\u00e1rio padr\u00e3o das montanhas", "MST",
                                      "Hor\u00e1rio de luz natural das montanhas", "MDT",
                                      "Hor\u00E1rio das Montanhas Rochosas", "MT"};
@@ -684,9 +687,7 @@
             {"Asia/Qyzylorda", new String[] {"Fuso hor\u00e1rio de Kizil-Orda", "QYZT",
                                              "Fuso hor\u00e1rio de ver\u00e3o de Kizil-Orda", "QYZST",
                                              "Hor\u00E1rio de Qyzylorda", "QYZT"}},
-            {"Asia/Rangoon", new String[] {"Fuso hor\u00e1rio de Mianmar", "MMT",
-                                           "Fuso hor\u00e1rio de ver\u00e3o de Mianmar", "MMST",
-                                           "Hor\u00E1rio de Mianmar", "MMT"}},
+            {"Asia/Rangoon", MMT},
             {"Asia/Riyadh", ARAST},
             {"Asia/Saigon", ICT},
             {"Asia/Sakhalin", new String[] {"Fuso hor\u00e1rio de Sakhalina", "SAKT",
@@ -719,6 +720,7 @@
                                                "Fuso hor\u00e1rio de ver\u00e3o de Vladivostok", "VLAST",
                                                "Hor\u00E1rio de Vladivostok", "VLAT"}},
             {"Asia/Yakutsk", YAKT},
+            {"Asia/Yangon", MMT},
             {"Asia/Yekaterinburg", new String[] {"Fuso hor\u00e1rio de Yekaterinburgo", "YEKT",
                                                  "Fuso hor\u00e1rio de ver\u00e3o de Yekaterinburgo", "YEKST",
                                                  "Hor\u00E1rio de Yekaterinburg", "YEKT"}},
--- a/src/share/classes/sun/util/resources/sv/TimeZoneNames_sv.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/share/classes/sun/util/resources/sv/TimeZoneNames_sv.java	Tue Dec 20 13:28:30 2016 -0800
@@ -189,6 +189,9 @@
         String MHT[] = new String[] {"Marshall\u00f6arna, normaltid", "MHT",
                                      "Marshall\u00f6arna, sommartid", "MHST",
                                      "Marshall\u00F6arna-tid", "MHT"};
+        String MMT[] = new String[] {"Myanmar, normaltid", "MMT",
+                                     "Myanmar, sommartid", "MMST",
+                                     "Myanmar-tid", "MMT"};
         String MSK[] = new String[] {"Moskva, normaltid", "MSK",
                                      "Moskva, sommartid", "MSD",
                                      "Moskvas tid", "MT"};
@@ -684,9 +687,7 @@
             {"Asia/Qyzylorda", new String[] {"Qyzylorda, normaltid", "QYZT",
                                              "Qyzylorda, sommartid", "QYZST",
                                              "Qyzylorda-tid", "QYZT"}},
-            {"Asia/Rangoon", new String[] {"Myanmar, normaltid", "MMT",
-                                           "Myanmar, sommartid", "MMST",
-                                           "Myanmar-tid", "MMT"}},
+            {"Asia/Rangoon", MMT},
             {"Asia/Riyadh", ARAST},
             {"Asia/Saigon", ICT},
             {"Asia/Sakhalin", new String[] {"Sakhalin, normaltid", "SAKT",
@@ -719,6 +720,7 @@
                                                "Vladivostok, sommartid", "VLAST",
                                                "Vladivostok-tid", "VLAT"}},
             {"Asia/Yakutsk", YAKT},
+            {"Asia/Yangon", MMT},
             {"Asia/Yekaterinburg", new String[] {"Jekaterinburg, normaltid", "YEKT",
                                                  "Jekaterinburg, sommartid", "YEKST",
                                                  "Jekaterinburg-tid", "YEKT"}},
--- a/src/share/classes/sun/util/resources/zh/TimeZoneNames_zh_CN.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/share/classes/sun/util/resources/zh/TimeZoneNames_zh_CN.java	Tue Dec 20 13:28:30 2016 -0800
@@ -189,6 +189,9 @@
         String MHT[] = new String[] {"\u9a6c\u7ecd\u5c14\u7fa4\u5c9b\u65f6\u95f4", "MHT",
                                      "\u9a6c\u7ecd\u5c14\u7fa4\u5c9b\u590f\u4ee4\u65f6", "MHST",
                                      "\u9A6C\u7ECD\u5C14\u7FA4\u5C9B\u65F6\u95F4", "MHT"};
+        String MMT[] = new String[] {"\u7f05\u7538\u65f6\u95f4", "MMT",
+                                     "\u7f05\u7538\u590f\u4ee4\u65f6", "MMST",
+                                     "\u7F05\u7538\u65F6\u95F4", "MMT"};
         String MSK[] = new String[] {"\u83ab\u65af\u79d1\u6807\u51c6\u65f6\u95f4", "MSK",
                                      "\u83ab\u65af\u79d1\u590f\u4ee4\u65f6", "MSD",
                                      "\u83AB\u65AF\u79D1\u65F6\u95F4", "MT"};
@@ -684,9 +687,7 @@
             {"Asia/Qyzylorda", new String[] {"Qyzylorda \u65f6\u95f4", "QYZT",
                                              "Qyzylorda \u590f\u4ee4\u65f6", "QYZST",
                                              "Qyzylorda \u65F6\u95F4", "QYZT"}},
-            {"Asia/Rangoon", new String[] {"\u7f05\u7538\u65f6\u95f4", "MMT",
-                                           "\u7f05\u7538\u590f\u4ee4\u65f6", "MMST",
-                                           "\u7F05\u7538\u65F6\u95F4", "MMT"}},
+            {"Asia/Rangoon", MMT},
             {"Asia/Riyadh", ARAST},
             {"Asia/Saigon", ICT},
             {"Asia/Sakhalin", new String[] {"\u5e93\u9875\u5c9b\u65f6\u95f4", "SAKT",
@@ -719,6 +720,7 @@
                                                "\u6d77\u53c2\u5d34\u590f\u4ee4\u65f6", "VLAST",
                                                "\u6D77\u53C2\u5D34\u65F6\u95F4", "VLAT"}},
             {"Asia/Yakutsk", YAKT},
+            {"Asia/Yangon", MMT},
             {"Asia/Yekaterinburg", new String[] {"Yekaterinburg \u65f6\u95f4", "YEKT",
                                                  "Yekaterinburg \u590f\u4ee4\u65f6", "YEKST",
                                                  "Yekaterinburg \u65F6\u95F4", "YEKT"}},
--- a/src/share/classes/sun/util/resources/zh/TimeZoneNames_zh_TW.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/share/classes/sun/util/resources/zh/TimeZoneNames_zh_TW.java	Tue Dec 20 13:28:30 2016 -0800
@@ -189,6 +189,9 @@
         String MHT[] = new String[] {"\u99ac\u7d39\u723e\u7fa4\u5cf6\u6642\u9593", "MHT",
                                      "\u99ac\u7d39\u723e\u7fa4\u5cf6\u590f\u4ee4\u6642\u9593", "MHST",
                                      "\u99AC\u7D39\u723E\u7FA4\u5CF6\u6642\u9593", "MHT"};
+        String MMT[] = new String[] {"\u7dec\u7538\u6642\u9593", "MMT",
+                                     "\u7dec\u7538\u590f\u4ee4\u6642\u9593", "MMST",
+                                     "\u7DEC\u7538\u6642\u9593", "MMT"};
         String MSK[] = new String[] {"\u83ab\u65af\u79d1\u6a19\u6e96\u6642\u9593", "MSK",
                                      "\u83ab\u65af\u79d1\u65e5\u5149\u7bc0\u7d04\u6642\u9593", "MSD",
                                      "\u83AB\u65AF\u79D1\u6642\u9593", "MT"};
@@ -684,9 +687,7 @@
             {"Asia/Qyzylorda", new String[] {"Qyzylorda \u6642\u9593", "QYZT",
                                              "Qyzylorda \u590f\u4ee4\u6642\u9593", "QYZST",
                                              "\u514B\u5B5C\u6D1B\u723E\u9054\u6642\u9593", "QYZT"}},
-            {"Asia/Rangoon", new String[] {"\u7dec\u7538\u6642\u9593", "MMT",
-                                           "\u7dec\u7538\u590f\u4ee4\u6642\u9593", "MMST",
-                                           "\u7DEC\u7538\u6642\u9593", "MMT"}},
+            {"Asia/Rangoon", MMT},
             {"Asia/Riyadh", ARAST},
             {"Asia/Saigon", ICT},
             {"Asia/Sakhalin", new String[] {"\u5eab\u9801\u5cf6\u6642\u9593", "SAKT",
@@ -721,6 +722,7 @@
                                                "\u6d77\u53c3\u5d34\u590f\u4ee4\u6642\u9593", "VLAST",
                                                "\u6D77\u53C3\u5D34\u6642\u9593", "VLAT"}},
             {"Asia/Yakutsk", YAKT},
+            {"Asia/Yangon", MMT},
             {"Asia/Yekaterinburg", new String[] {"Yekaterinburg \u6642\u9593", "YEKT",
                                                  "Yekaterinburg \u590f\u4ee4\u6642\u9593", "YEKST",
                                                  "\u8449\u5361\u6377\u7433\u5821\u6642\u9593", "YEKT"}},
--- a/src/share/lib/security/java.security-aix	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/share/lib/security/java.security-aix	Tue Dec 20 13:28:30 2016 -0800
@@ -422,7 +422,9 @@
 # describes the mechanism for disabling algorithms based on algorithm name
 # and/or key length.  This includes algorithms used in certificates, as well
 # as revocation information such as CRLs and signed OCSP Responses.
-# The syntax of the disabled algorithm string is described as follows:
+#
+# The syntax of the disabled algorithm string is described as this Java
+# BNF-style:
 #   DisabledAlgorithms:
 #       " DisabledAlgorithm { , DisabledAlgorithm } "
 #
@@ -433,23 +435,26 @@
 #       (see below)
 #
 #   Constraint:
-#       KeySizeConstraint | CAConstraint | DenyAfterConstraint
+#       KeySizeConstraint, CertConstraint
 #
 #   KeySizeConstraint:
-#       keySize Operator KeyLength
+#       keySize Operator DecimalInteger
 #
 #   Operator:
 #       <= | < | == | != | >= | >
 #
-#   KeyLength:
-#       Integer value of the algorithm's key length in bits
+#   DecimalInteger:
+#       DecimalDigits
 #
-#   CAConstraint:
+#   DecimalDigits:
+#       DecimalDigit {DecimalDigit}
+#
+#   DecimalDigit: one of
+#       1 2 3 4 5 6 7 8 9 0
+#
+#   CertConstraint
 #       jdkCA
 #
-#   DenyAfterConstraint:
-#       denyAfter YYYY-MM-DD
-#
 # The "AlgorithmName" is the standard algorithm name of the disabled
 # algorithm. See "Java Cryptography Architecture Standard Algorithm Name
 # Documentation" for information about Standard Algorithm Names.  Matching
@@ -462,42 +467,27 @@
 # that rely on DSA, such as NONEwithDSA, SHA1withDSA.  However, the assertion
 # will not disable algorithms related to "ECDSA".
 #
-# A "Constraint" defines restrictions on the keys and/or certificates for
-# a specified AlgorithmName:
+# A "Constraint" provides further guidance for the algorithm being specified.
+# The "KeySizeConstraint" requires a key of a valid size range if the
+# "AlgorithmName" is of a key algorithm.  The "DecimalInteger" indicates the
+# key size specified in number of bits.  For example, "RSA keySize <= 1024"
+# indicates that any RSA key with key size less than or equal to 1024 bits
+# should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates
+# that any RSA key with key size less than 1024 or greater than 2048 should
+# be disabled. Note that the "KeySizeConstraint" only makes sense to key
+# algorithms.
 #
-#   KeySizeConstraint:
-#     keySize Operator KeyLength
-#       The constraint requires a key of a valid size range if the
-#       "AlgorithmName" is of a key algorithm.  The "KeyLength" indicates
-#       the key size specified in number of bits.  For example,
-#       "RSA keySize <= 1024" indicates that any RSA key with key size less
-#       than or equal to 1024 bits should be disabled, and
-#       "RSA keySize < 1024, RSA keySize > 2048" indicates that any RSA key
-#       with key size less than 1024 or greater than 2048 should be disabled.
-#       This constraint is only used on algorithms that have a key size.
+# "CertConstraint" specifies additional constraints for
+# certificates that contain algorithms that are restricted:
 #
-#   CAConstraint:
-#     jdkCA
-#       This constraint prohibits the specified algorithm only if the
-#       algorithm is used in a certificate chain that terminates at a marked
-#       trust anchor in the lib/security/cacerts keystore.  If the jdkCA
-#       constraint is not set, then all chains using the specified algorithm
-#       are restricted.  jdkCA may only be used once in a DisabledAlgorithm
-#       expression.
-#       Example:  To apply this constraint to SHA-1 certificates, include
-#       the following:  "SHA1 jdkCA"
-#
-#   DenyAfterConstraint:
-#     denyAfter YYYY-MM-DD
-#       This constraint prohibits a certificate with the specified algorithm
-#       from being used after the date regardless of the certificate's
-#       validity.  JAR files that are signed and timestamped before the
-#       constraint date with certificates containing the disabled algorithm
-#       will not be restricted.  The date is processed in the UTC timezone.
-#       This constraint can only be used once in a DisabledAlgorithm
-#       expression.
-#       Example:  To deny usage of RSA 2048 bit certificates after Feb 3 2020,
-#       use the following:  "RSA keySize == 2048 & denyAfter 2020-02-03"
+#   "jdkCA" prohibits the specified algorithm only if the algorithm is used
+#     in a certificate chain that terminates at a marked trust anchor in the
+#     lib/security/cacerts keystore.  All other chains are not affected.
+#     If the jdkCA constraint is not set, then all chains using the
+#     specified algorithm are restricted.  jdkCA may only be used once in
+#     a DisabledAlgorithm expression.
+#     Example:  To apply this constraint to SHA-1 certificates, include
+#     the following  "SHA1 jdkCA"
 #
 # When an algorithm must satisfy more than one constraint, it must be
 # delimited by an ampersand '&'.  For example, to restrict certificates in a
@@ -520,6 +510,43 @@
 jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
     DSA keySize < 1024, EC keySize < 224
 
+# Algorithm restrictions for signed JAR files
+#
+# In some environments, certain algorithms or key lengths may be undesirable
+# for signed JAR validation.  For example, "MD2" is generally no longer
+# considered to be a secure hash algorithm.  This section describes the
+# mechanism for disabling algorithms based on algorithm name and/or key length.
+# JARs signed with any of the disabled algorithms or key sizes will be treated
+# as unsigned.
+#
+# The syntax of the disabled algorithm string is described as follows:
+#   DisabledAlgorithms:
+#       " DisabledAlgorithm { , DisabledAlgorithm } "
+#
+#   DisabledAlgorithm:
+#       AlgorithmName [Constraint]
+#
+#   AlgorithmName:
+#       (see below)
+#
+#   Constraint:
+#       KeySizeConstraint
+#
+#   KeySizeConstraint:
+#       keySize Operator KeyLength
+#
+#   Operator:
+#       <= | < | == | != | >= | >
+#
+#   KeyLength:
+#       Integer value of the algorithm's key length in bits
+#
+# Note: This property is currently used by the JDK Reference
+# implementation. It is not guaranteed to be examined and used by other
+# implementations.
+#
+jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024
+
 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
 # (SSL/TLS) processing
 #
@@ -674,7 +701,7 @@
 #       Constraint {"," Constraint }
 #   Constraint:
 #       AlgConstraint | MaxTransformsConstraint | MaxReferencesConstraint |
-#       ReferenceUriSchemeConstraint | OtherConstraint
+#       ReferenceUriSchemeConstraint | KeySizeConstraint | OtherConstraint
 #   AlgConstraint
 #       "disallowAlg" Uri
 #   MaxTransformsConstraint:
@@ -683,12 +710,16 @@
 #       "maxReferences" Integer
 #   ReferenceUriSchemeConstraint:
 #       "disallowReferenceUriSchemes" String { String }
+#   KeySizeConstraint:
+#       "minKeySize" KeyAlg Integer
 #   OtherConstraint:
 #       "noDuplicateIds" | "noRetrievalMethodLoops"
 #
 # For AlgConstraint, Uri is the algorithm URI String that is not allowed.
 # See the XML Signature Recommendation for more information on algorithm
-# URI Identifiers. If the MaxTransformsConstraint or MaxReferencesConstraint is
+# URI Identifiers. For KeySizeConstraint, KeyAlg is the standard algorithm
+# name of the key type (ex: "RSA"). If the MaxTransformsConstraint,
+# MaxReferencesConstraint or KeySizeConstraint (for the same key type) is
 # specified more than once, only the last entry is enforced.
 #
 # Note: This property is currently used by the JDK Reference implementation. It
@@ -702,46 +733,11 @@
     maxTransforms 5,\
     maxReferences 30,\
     disallowReferenceUriSchemes file http https,\
+    minKeySize RSA 1024,\
+    minKeySize DSA 1024,\
     noDuplicateIds,\
     noRetrievalMethodLoops
 
-# Algorithm restrictions for signed JAR files
-#
-# In some environments, certain algorithms or key lengths may be undesirable
-# for signed JAR validation.  For example, "MD2" is generally no longer
-# considered to be a secure hash algorithm.  This section describes the
-# mechanism for disabling algorithms based on algorithm name and/or key length.
-# JARs signed with any of the disabled algorithms or key sizes will be treated
-# as unsigned.
-#
-# The syntax of the disabled algorithm string is described as follows:
-#   DisabledAlgorithms:
-#       " DisabledAlgorithm { , DisabledAlgorithm } "
-#
-#   DisabledAlgorithm:
-#       AlgorithmName [Constraint]
-#
-#   AlgorithmName:
-#       (see below)
-#
-#   Constraint:
-#       KeySizeConstraint
-#
-#   KeySizeConstraint:
-#       keySize Operator KeyLength
-#
-#   Operator:
-#       <= | < | == | != | >= | >
-#
-#   KeyLength:
-#       Integer value of the algorithm's key length in bits
-#
-# Note: This property is currently used by the JDK Reference
-# implementation. It is not guaranteed to be examined and used by other
-# implementations.
-#
-jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024
-
 #
 # Serialization process-wide filter
 #
--- a/src/share/lib/security/java.security-linux	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/share/lib/security/java.security-linux	Tue Dec 20 13:28:30 2016 -0800
@@ -422,7 +422,9 @@
 # describes the mechanism for disabling algorithms based on algorithm name
 # and/or key length.  This includes algorithms used in certificates, as well
 # as revocation information such as CRLs and signed OCSP Responses.
-# The syntax of the disabled algorithm string is described as follows:
+#
+# The syntax of the disabled algorithm string is described as this Java
+# BNF-style:
 #   DisabledAlgorithms:
 #       " DisabledAlgorithm { , DisabledAlgorithm } "
 #
@@ -433,23 +435,26 @@
 #       (see below)
 #
 #   Constraint:
-#       KeySizeConstraint | CAConstraint | DenyAfterConstraint
+#       KeySizeConstraint, CertConstraint
 #
 #   KeySizeConstraint:
-#       keySize Operator KeyLength
+#       keySize Operator DecimalInteger
 #
 #   Operator:
 #       <= | < | == | != | >= | >
 #
-#   KeyLength:
-#       Integer value of the algorithm's key length in bits
+#   DecimalInteger:
+#       DecimalDigits
 #
-#   CAConstraint:
+#   DecimalDigits:
+#       DecimalDigit {DecimalDigit}
+#
+#   DecimalDigit: one of
+#       1 2 3 4 5 6 7 8 9 0
+#
+#   CertConstraint
 #       jdkCA
 #
-#   DenyAfterConstraint:
-#       denyAfter YYYY-MM-DD
-#
 # The "AlgorithmName" is the standard algorithm name of the disabled
 # algorithm. See "Java Cryptography Architecture Standard Algorithm Name
 # Documentation" for information about Standard Algorithm Names.  Matching
@@ -462,42 +467,27 @@
 # that rely on DSA, such as NONEwithDSA, SHA1withDSA.  However, the assertion
 # will not disable algorithms related to "ECDSA".
 #
-# A "Constraint" defines restrictions on the keys and/or certificates for
-# a specified AlgorithmName:
+# A "Constraint" provides further guidance for the algorithm being specified.
+# The "KeySizeConstraint" requires a key of a valid size range if the
+# "AlgorithmName" is of a key algorithm.  The "DecimalInteger" indicates the
+# key size specified in number of bits.  For example, "RSA keySize <= 1024"
+# indicates that any RSA key with key size less than or equal to 1024 bits
+# should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates
+# that any RSA key with key size less than 1024 or greater than 2048 should
+# be disabled. Note that the "KeySizeConstraint" only makes sense to key
+# algorithms.
 #
-#   KeySizeConstraint:
-#     keySize Operator KeyLength
-#       The constraint requires a key of a valid size range if the
-#       "AlgorithmName" is of a key algorithm.  The "KeyLength" indicates
-#       the key size specified in number of bits.  For example,
-#       "RSA keySize <= 1024" indicates that any RSA key with key size less
-#       than or equal to 1024 bits should be disabled, and
-#       "RSA keySize < 1024, RSA keySize > 2048" indicates that any RSA key
-#       with key size less than 1024 or greater than 2048 should be disabled.
-#       This constraint is only used on algorithms that have a key size.
+# "CertConstraint" specifies additional constraints for
+# certificates that contain algorithms that are restricted:
 #
-#   CAConstraint:
-#     jdkCA
-#       This constraint prohibits the specified algorithm only if the
-#       algorithm is used in a certificate chain that terminates at a marked
-#       trust anchor in the lib/security/cacerts keystore.  If the jdkCA
-#       constraint is not set, then all chains using the specified algorithm
-#       are restricted.  jdkCA may only be used once in a DisabledAlgorithm
-#       expression.
-#       Example:  To apply this constraint to SHA-1 certificates, include
-#       the following:  "SHA1 jdkCA"
-#
-#   DenyAfterConstraint:
-#     denyAfter YYYY-MM-DD
-#       This constraint prohibits a certificate with the specified algorithm
-#       from being used after the date regardless of the certificate's
-#       validity.  JAR files that are signed and timestamped before the
-#       constraint date with certificates containing the disabled algorithm
-#       will not be restricted.  The date is processed in the UTC timezone.
-#       This constraint can only be used once in a DisabledAlgorithm
-#       expression.
-#       Example:  To deny usage of RSA 2048 bit certificates after Feb 3 2020,
-#       use the following:  "RSA keySize == 2048 & denyAfter 2020-02-03"
+#   "jdkCA" prohibits the specified algorithm only if the algorithm is used
+#     in a certificate chain that terminates at a marked trust anchor in the
+#     lib/security/cacerts keystore.  All other chains are not affected.
+#     If the jdkCA constraint is not set, then all chains using the
+#     specified algorithm are restricted.  jdkCA may only be used once in
+#     a DisabledAlgorithm expression.
+#     Example:  To apply this constraint to SHA-1 certificates, include
+#     the following:  "SHA1 jdkCA"
 #
 # When an algorithm must satisfy more than one constraint, it must be
 # delimited by an ampersand '&'.  For example, to restrict certificates in a
@@ -520,6 +510,43 @@
 jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
     DSA keySize < 1024, EC keySize < 224
 
+# Algorithm restrictions for signed JAR files
+#
+# In some environments, certain algorithms or key lengths may be undesirable
+# for signed JAR validation.  For example, "MD2" is generally no longer
+# considered to be a secure hash algorithm.  This section describes the
+# mechanism for disabling algorithms based on algorithm name and/or key length.
+# JARs signed with any of the disabled algorithms or key sizes will be treated
+# as unsigned.
+#
+# The syntax of the disabled algorithm string is described as follows:
+#   DisabledAlgorithms:
+#       " DisabledAlgorithm { , DisabledAlgorithm } "
+#
+#   DisabledAlgorithm:
+#       AlgorithmName [Constraint]
+#
+#   AlgorithmName:
+#       (see below)
+#
+#   Constraint:
+#       KeySizeConstraint
+#
+#   KeySizeConstraint:
+#       keySize Operator KeyLength
+#
+#   Operator:
+#       <= | < | == | != | >= | >
+#
+#   KeyLength:
+#       Integer value of the algorithm's key length in bits
+#
+# Note: This property is currently used by the JDK Reference
+# implementation. It is not guaranteed to be examined and used by other
+# implementations.
+#
+jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024
+
 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
 # (SSL/TLS) processing
 #
@@ -674,7 +701,7 @@
 #       Constraint {"," Constraint }
 #   Constraint:
 #       AlgConstraint | MaxTransformsConstraint | MaxReferencesConstraint |
-#       ReferenceUriSchemeConstraint | OtherConstraint
+#       ReferenceUriSchemeConstraint | KeySizeConstraint | OtherConstraint
 #   AlgConstraint
 #       "disallowAlg" Uri
 #   MaxTransformsConstraint:
@@ -683,12 +710,16 @@
 #       "maxReferences" Integer
 #   ReferenceUriSchemeConstraint:
 #       "disallowReferenceUriSchemes" String { String }
+#   KeySizeConstraint:
+#       "minKeySize" KeyAlg Integer
 #   OtherConstraint:
 #       "noDuplicateIds" | "noRetrievalMethodLoops"
 #
 # For AlgConstraint, Uri is the algorithm URI String that is not allowed.
 # See the XML Signature Recommendation for more information on algorithm
-# URI Identifiers. If the MaxTransformsConstraint or MaxReferencesConstraint is
+# URI Identifiers. For KeySizeConstraint, KeyAlg is the standard algorithm
+# name of the key type (ex: "RSA"). If the MaxTransformsConstraint,
+# MaxReferencesConstraint or KeySizeConstraint (for the same key type) is
 # specified more than once, only the last entry is enforced.
 #
 # Note: This property is currently used by the JDK Reference implementation. It
@@ -702,46 +733,11 @@
     maxTransforms 5,\
     maxReferences 30,\
     disallowReferenceUriSchemes file http https,\
+    minKeySize RSA 1024,\
+    minKeySize DSA 1024,\
     noDuplicateIds,\
     noRetrievalMethodLoops
 
-# Algorithm restrictions for signed JAR files
-#
-# In some environments, certain algorithms or key lengths may be undesirable
-# for signed JAR validation.  For example, "MD2" is generally no longer
-# considered to be a secure hash algorithm.  This section describes the
-# mechanism for disabling algorithms based on algorithm name and/or key length.
-# JARs signed with any of the disabled algorithms or key sizes will be treated
-# as unsigned.
-#
-# The syntax of the disabled algorithm string is described as follows:
-#   DisabledAlgorithms:
-#       " DisabledAlgorithm { , DisabledAlgorithm } "
-#
-#   DisabledAlgorithm:
-#       AlgorithmName [Constraint]
-#
-#   AlgorithmName:
-#       (see below)
-#
-#   Constraint:
-#       KeySizeConstraint
-#
-#   KeySizeConstraint:
-#       keySize Operator KeyLength
-#
-#   Operator:
-#       <= | < | == | != | >= | >
-#
-#   KeyLength:
-#       Integer value of the algorithm's key length in bits
-#
-# Note: This property is currently used by the JDK Reference
-# implementation. It is not guaranteed to be examined and used by other
-# implementations.
-#
-jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024
-
 #
 # Serialization process-wide filter
 #
--- a/src/share/lib/security/java.security-macosx	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/share/lib/security/java.security-macosx	Tue Dec 20 13:28:30 2016 -0800
@@ -425,7 +425,9 @@
 # describes the mechanism for disabling algorithms based on algorithm name
 # and/or key length.  This includes algorithms used in certificates, as well
 # as revocation information such as CRLs and signed OCSP Responses.
-# The syntax of the disabled algorithm string is described as follows:
+#
+# The syntax of the disabled algorithm string is described as this Java
+# BNF-style:
 #   DisabledAlgorithms:
 #       " DisabledAlgorithm { , DisabledAlgorithm } "
 #
@@ -436,23 +438,26 @@
 #       (see below)
 #
 #   Constraint:
-#       KeySizeConstraint | CAConstraint | DenyAfterConstraint
+#       KeySizeConstraint, CertConstraint
 #
 #   KeySizeConstraint:
-#       keySize Operator KeyLength
+#       keySize Operator DecimalInteger
 #
 #   Operator:
 #       <= | < | == | != | >= | >
 #
-#   KeyLength:
-#       Integer value of the algorithm's key length in bits
+#   DecimalInteger:
+#       DecimalDigits
 #
-#   CAConstraint:
+#   DecimalDigits:
+#       DecimalDigit {DecimalDigit}
+#
+#   DecimalDigit: one of
+#       1 2 3 4 5 6 7 8 9 0
+#
+#   CertConstraint
 #       jdkCA
 #
-#   DenyAfterConstraint:
-#       denyAfter YYYY-MM-DD
-#
 # The "AlgorithmName" is the standard algorithm name of the disabled
 # algorithm. See "Java Cryptography Architecture Standard Algorithm Name
 # Documentation" for information about Standard Algorithm Names.  Matching
@@ -465,42 +470,27 @@
 # that rely on DSA, such as NONEwithDSA, SHA1withDSA.  However, the assertion
 # will not disable algorithms related to "ECDSA".
 #
-# A "Constraint" defines restrictions on the keys and/or certificates for
-# a specified AlgorithmName:
+# A "Constraint" provides further guidance for the algorithm being specified.
+# The "KeySizeConstraint" requires a key of a valid size range if the
+# "AlgorithmName" is of a key algorithm.  The "DecimalInteger" indicates the
+# key size specified in number of bits.  For example, "RSA keySize <= 1024"
+# indicates that any RSA key with key size less than or equal to 1024 bits
+# should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates
+# that any RSA key with key size less than 1024 or greater than 2048 should
+# be disabled. Note that the "KeySizeConstraint" only makes sense to key
+# algorithms.
 #
-#   KeySizeConstraint:
-#     keySize Operator KeyLength
-#       The constraint requires a key of a valid size range if the
-#       "AlgorithmName" is of a key algorithm.  The "KeyLength" indicates
-#       the key size specified in number of bits.  For example,
-#       "RSA keySize <= 1024" indicates that any RSA key with key size less
-#       than or equal to 1024 bits should be disabled, and
-#       "RSA keySize < 1024, RSA keySize > 2048" indicates that any RSA key
-#       with key size less than 1024 or greater than 2048 should be disabled.
-#       This constraint is only used on algorithms that have a key size.
+# "CertConstraint" specifies additional constraints for
+# certificates that contain algorithms that are restricted:
 #
-#   CAConstraint:
-#     jdkCA
-#       This constraint prohibits the specified algorithm only if the
-#       algorithm is used in a certificate chain that terminates at a marked
-#       trust anchor in the lib/security/cacerts keystore.  If the jdkCA
-#       constraint is not set, then all chains using the specified algorithm
-#       are restricted.  jdkCA may only be used once in a DisabledAlgorithm
-#       expression.
-#       Example:  To apply this constraint to SHA-1 certificates, include
-#       the following:  "SHA1 jdkCA"
-#
-#   DenyAfterConstraint:
-#     denyAfter YYYY-MM-DD
-#       This constraint prohibits a certificate with the specified algorithm
-#       from being used after the date regardless of the certificate's
-#       validity.  JAR files that are signed and timestamped before the
-#       constraint date with certificates containing the disabled algorithm
-#       will not be restricted.  The date is processed in the UTC timezone.
-#       This constraint can only be used once in a DisabledAlgorithm
-#       expression.
-#       Example:  To deny usage of RSA 2048 bit certificates after Feb 3 2020,
-#       use the following:  "RSA keySize == 2048 & denyAfter 2020-02-03"
+#   "jdkCA" prohibits the specified algorithm only if the algorithm is used
+#     in a certificate chain that terminates at a marked trust anchor in the
+#     lib/security/cacerts keystore.  All other chains are not affected.
+#     If the jdkCA constraint is not set, then all chains using the
+#     specified algorithm are restricted. jdkCA may only be used once in
+#     a DisabledAlgorithm expression.
+#     Example:  To apply this constraint to SHA-1 certificates, include
+#     the following:  "SHA1 jdkCA"
 #
 # When an algorithm must satisfy more than one constraint, it must be
 # delimited by an ampersand '&'.  For example, to restrict certificates in a
@@ -523,6 +513,43 @@
 jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
     DSA keySize < 1024, EC keySize < 224
 
+# Algorithm restrictions for signed JAR files
+#
+# In some environments, certain algorithms or key lengths may be undesirable
+# for signed JAR validation.  For example, "MD2" is generally no longer
+# considered to be a secure hash algorithm.  This section describes the
+# mechanism for disabling algorithms based on algorithm name and/or key length.
+# JARs signed with any of the disabled algorithms or key sizes will be treated
+# as unsigned.
+#
+# The syntax of the disabled algorithm string is described as follows:
+#   DisabledAlgorithms:
+#       " DisabledAlgorithm { , DisabledAlgorithm } "
+#
+#   DisabledAlgorithm:
+#       AlgorithmName [Constraint]
+#
+#   AlgorithmName:
+#       (see below)
+#
+#   Constraint:
+#       KeySizeConstraint
+#
+#   KeySizeConstraint:
+#       keySize Operator KeyLength
+#
+#   Operator:
+#       <= | < | == | != | >= | >
+#
+#   KeyLength:
+#       Integer value of the algorithm's key length in bits
+#
+# Note: This property is currently used by the JDK Reference
+# implementation. It is not guaranteed to be examined and used by other
+# implementations.
+#
+jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024
+
 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
 # (SSL/TLS) processing
 #
@@ -677,7 +704,7 @@
 #       Constraint {"," Constraint }
 #   Constraint:
 #       AlgConstraint | MaxTransformsConstraint | MaxReferencesConstraint |
-#       ReferenceUriSchemeConstraint | OtherConstraint
+#       ReferenceUriSchemeConstraint | KeySizeConstraint | OtherConstraint
 #   AlgConstraint
 #       "disallowAlg" Uri
 #   MaxTransformsConstraint:
@@ -686,12 +713,16 @@
 #       "maxReferences" Integer
 #   ReferenceUriSchemeConstraint:
 #       "disallowReferenceUriSchemes" String { String }
+#   KeySizeConstraint:
+#       "minKeySize" KeyAlg Integer
 #   OtherConstraint:
 #       "noDuplicateIds" | "noRetrievalMethodLoops"
 #
 # For AlgConstraint, Uri is the algorithm URI String that is not allowed.
 # See the XML Signature Recommendation for more information on algorithm
-# URI Identifiers. If the MaxTransformsConstraint or MaxReferencesConstraint is
+# URI Identifiers. For KeySizeConstraint, KeyAlg is the standard algorithm
+# name of the key type (ex: "RSA"). If the MaxTransformsConstraint,
+# MaxReferencesConstraint or KeySizeConstraint (for the same key type) is
 # specified more than once, only the last entry is enforced.
 #
 # Note: This property is currently used by the JDK Reference implementation. It
@@ -705,46 +736,11 @@
     maxTransforms 5,\
     maxReferences 30,\
     disallowReferenceUriSchemes file http https,\
+    minKeySize RSA 1024,\
+    minKeySize DSA 1024,\
     noDuplicateIds,\
     noRetrievalMethodLoops
 
-# Algorithm restrictions for signed JAR files
-#
-# In some environments, certain algorithms or key lengths may be undesirable
-# for signed JAR validation.  For example, "MD2" is generally no longer
-# considered to be a secure hash algorithm.  This section describes the
-# mechanism for disabling algorithms based on algorithm name and/or key length.
-# JARs signed with any of the disabled algorithms or key sizes will be treated
-# as unsigned.
-#
-# The syntax of the disabled algorithm string is described as follows:
-#   DisabledAlgorithms:
-#       " DisabledAlgorithm { , DisabledAlgorithm } "
-#
-#   DisabledAlgorithm:
-#       AlgorithmName [Constraint]
-#
-#   AlgorithmName:
-#       (see below)
-#
-#   Constraint:
-#       KeySizeConstraint
-#
-#   KeySizeConstraint:
-#       keySize Operator KeyLength
-#
-#   Operator:
-#       <= | < | == | != | >= | >
-#
-#   KeyLength:
-#       Integer value of the algorithm's key length in bits
-#
-# Note: This property is currently used by the JDK Reference
-# implementation. It is not guaranteed to be examined and used by other
-# implementations.
-#
-jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024
-
 #
 # Serialization process-wide filter
 #
--- a/src/share/lib/security/java.security-solaris	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/share/lib/security/java.security-solaris	Tue Dec 20 13:28:30 2016 -0800
@@ -424,7 +424,9 @@
 # describes the mechanism for disabling algorithms based on algorithm name
 # and/or key length.  This includes algorithms used in certificates, as well
 # as revocation information such as CRLs and signed OCSP Responses.
-# The syntax of the disabled algorithm string is described as follows:
+#
+# The syntax of the disabled algorithm string is described as this Java
+# BNF-style:
 #   DisabledAlgorithms:
 #       " DisabledAlgorithm { , DisabledAlgorithm } "
 #
@@ -435,23 +437,26 @@
 #       (see below)
 #
 #   Constraint:
-#       KeySizeConstraint | CAConstraint | DenyAfterConstraint
+#       KeySizeConstraint, CertConstraint
 #
 #   KeySizeConstraint:
-#       keySize Operator KeyLength
+#       keySize Operator DecimalInteger
 #
 #   Operator:
 #       <= | < | == | != | >= | >
 #
-#   KeyLength:
-#       Integer value of the algorithm's key length in bits
+#   DecimalInteger:
+#       DecimalDigits
 #
-#   CAConstraint:
+#   DecimalDigits:
+#       DecimalDigit {DecimalDigit}
+#
+#   DecimalDigit: one of
+#       1 2 3 4 5 6 7 8 9 0
+#
+#   CertConstraint
 #       jdkCA
 #
-#   DenyAfterConstraint:
-#       denyAfter YYYY-MM-DD
-#
 # The "AlgorithmName" is the standard algorithm name of the disabled
 # algorithm. See "Java Cryptography Architecture Standard Algorithm Name
 # Documentation" for information about Standard Algorithm Names.  Matching
@@ -464,42 +469,27 @@
 # that rely on DSA, such as NONEwithDSA, SHA1withDSA.  However, the assertion
 # will not disable algorithms related to "ECDSA".
 #
-# A "Constraint" defines restrictions on the keys and/or certificates for
-# a specified AlgorithmName:
+# A "Constraint" provides further guidance for the algorithm being specified.
+# The "KeySizeConstraint" requires a key of a valid size range if the
+# "AlgorithmName" is of a key algorithm.  The "DecimalInteger" indicates the
+# key size specified in number of bits.  For example, "RSA keySize <= 1024"
+# indicates that any RSA key with key size less than or equal to 1024 bits
+# should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates
+# that any RSA key with key size less than 1024 or greater than 2048 should
+# be disabled. Note that the "KeySizeConstraint" only makes sense to key
+# algorithms.
 #
-#   KeySizeConstraint:
-#     keySize Operator KeyLength
-#       The constraint requires a key of a valid size range if the
-#       "AlgorithmName" is of a key algorithm.  The "KeyLength" indicates
-#       the key size specified in number of bits.  For example,
-#       "RSA keySize <= 1024" indicates that any RSA key with key size less
-#       than or equal to 1024 bits should be disabled, and
-#       "RSA keySize < 1024, RSA keySize > 2048" indicates that any RSA key
-#       with key size less than 1024 or greater than 2048 should be disabled.
-#       This constraint is only used on algorithms that have a key size.
+# "CertConstraint" specifies additional constraints for
+# certificates that contain algorithms that are restricted:
 #
-#   CAConstraint:
-#     jdkCA
-#       This constraint prohibits the specified algorithm only if the
-#       algorithm is used in a certificate chain that terminates at a marked
-#       trust anchor in the lib/security/cacerts keystore.  If the jdkCA
-#       constraint is not set, then all chains using the specified algorithm
-#       are restricted.  jdkCA may only be used once in a DisabledAlgorithm
-#       expression.
-#       Example:  To apply this constraint to SHA-1 certificates, include
-#       the following:  "SHA1 jdkCA"
-#
-#   DenyAfterConstraint:
-#     denyAfter YYYY-MM-DD
-#       This constraint prohibits a certificate with the specified algorithm
-#       from being used after the date regardless of the certificate's
-#       validity.  JAR files that are signed and timestamped before the
-#       constraint date with certificates containing the disabled algorithm
-#       will not be restricted.  The date is processed in the UTC timezone.
-#       This constraint can only be used once in a DisabledAlgorithm
-#       expression.
-#       Example:  To deny usage of RSA 2048 bit certificates after Feb 3 2020,
-#       use the following:  "RSA keySize == 2048 & denyAfter 2020-02-03"
+#   "jdkCA" prohibits the specified algorithm only if the algorithm is used
+#     in a certificate chain that terminates at a marked trust anchor in the
+#     lib/security/cacerts keystore.  All other chains are not affected.
+#     If the jdkCA constraint is not set, then all chains using the
+#     specified algorithm are restricted. jdkCA may only be used once in
+#     a DisabledAlgorithm expression.
+#     Example:  To apply this constraint to SHA-1 certificates, include
+#     the following:  "SHA1 jdkCA"
 #
 # When an algorithm must satisfy more than one constraint, it must be
 # delimited by an ampersand '&'.  For example, to restrict certificates in a
@@ -522,6 +512,43 @@
 jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
     DSA keySize < 1024, EC keySize < 224
 
+# Algorithm restrictions for signed JAR files
+#
+# In some environments, certain algorithms or key lengths may be undesirable
+# for signed JAR validation.  For example, "MD2" is generally no longer
+# considered to be a secure hash algorithm.  This section describes the
+# mechanism for disabling algorithms based on algorithm name and/or key length.
+# JARs signed with any of the disabled algorithms or key sizes will be treated
+# as unsigned.
+#
+# The syntax of the disabled algorithm string is described as follows:
+#   DisabledAlgorithms:
+#       " DisabledAlgorithm { , DisabledAlgorithm } "
+#
+#   DisabledAlgorithm:
+#       AlgorithmName [Constraint]
+#
+#   AlgorithmName:
+#       (see below)
+#
+#   Constraint:
+#       KeySizeConstraint
+#
+#   KeySizeConstraint:
+#       keySize Operator KeyLength
+#
+#   Operator:
+#       <= | < | == | != | >= | >
+#
+#   KeyLength:
+#       Integer value of the algorithm's key length in bits
+#
+# Note: This property is currently used by the JDK Reference
+# implementation. It is not guaranteed to be examined and used by other
+# implementations.
+#
+jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024
+
 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
 # (SSL/TLS) processing
 #
@@ -676,7 +703,7 @@
 #       Constraint {"," Constraint }
 #   Constraint:
 #       AlgConstraint | MaxTransformsConstraint | MaxReferencesConstraint |
-#       ReferenceUriSchemeConstraint | OtherConstraint
+#       ReferenceUriSchemeConstraint | KeySizeConstraint | OtherConstraint
 #   AlgConstraint
 #       "disallowAlg" Uri
 #   MaxTransformsConstraint:
@@ -685,12 +712,16 @@
 #       "maxReferences" Integer
 #   ReferenceUriSchemeConstraint:
 #       "disallowReferenceUriSchemes" String { String }
+#   KeySizeConstraint:
+#       "minKeySize" KeyAlg Integer
 #   OtherConstraint:
 #       "noDuplicateIds" | "noRetrievalMethodLoops"
 #
 # For AlgConstraint, Uri is the algorithm URI String that is not allowed.
 # See the XML Signature Recommendation for more information on algorithm
-# URI Identifiers. If the MaxTransformsConstraint or MaxReferencesConstraint is
+# URI Identifiers. For KeySizeConstraint, KeyAlg is the standard algorithm
+# name of the key type (ex: "RSA"). If the MaxTransformsConstraint,
+# MaxReferencesConstraint or KeySizeConstraint (for the same key type) is
 # specified more than once, only the last entry is enforced.
 #
 # Note: This property is currently used by the JDK Reference implementation. It
@@ -704,46 +735,11 @@
     maxTransforms 5,\
     maxReferences 30,\
     disallowReferenceUriSchemes file http https,\
+    minKeySize RSA 1024,\
+    minKeySize DSA 1024,\
     noDuplicateIds,\
     noRetrievalMethodLoops
 
-# Algorithm restrictions for signed JAR files
-#
-# In some environments, certain algorithms or key lengths may be undesirable
-# for signed JAR validation.  For example, "MD2" is generally no longer
-# considered to be a secure hash algorithm.  This section describes the
-# mechanism for disabling algorithms based on algorithm name and/or key length.
-# JARs signed with any of the disabled algorithms or key sizes will be treated
-# as unsigned.
-#
-# The syntax of the disabled algorithm string is described as follows:
-#   DisabledAlgorithms:
-#       " DisabledAlgorithm { , DisabledAlgorithm } "
-#
-#   DisabledAlgorithm:
-#       AlgorithmName [Constraint]
-#
-#   AlgorithmName:
-#       (see below)
-#
-#   Constraint:
-#       KeySizeConstraint
-#
-#   KeySizeConstraint:
-#       keySize Operator KeyLength
-#
-#   Operator:
-#       <= | < | == | != | >= | >
-#
-#   KeyLength:
-#       Integer value of the algorithm's key length in bits
-#
-# Note: This property is currently used by the JDK Reference
-# implementation. It is not guaranteed to be examined and used by other
-# implementations.
-#
-jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024
-
 #
 # Serialization process-wide filter
 #
--- a/src/share/lib/security/java.security-windows	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/share/lib/security/java.security-windows	Tue Dec 20 13:28:30 2016 -0800
@@ -425,7 +425,9 @@
 # describes the mechanism for disabling algorithms based on algorithm name
 # and/or key length.  This includes algorithms used in certificates, as well
 # as revocation information such as CRLs and signed OCSP Responses.
-# The syntax of the disabled algorithm string is described as follows:
+#
+# The syntax of the disabled algorithm string is described as this Java
+# BNF-style:
 #   DisabledAlgorithms:
 #       " DisabledAlgorithm { , DisabledAlgorithm } "
 #
@@ -436,23 +438,26 @@
 #       (see below)
 #
 #   Constraint:
-#       KeySizeConstraint | CAConstraint | DenyAfterConstraint
+#       KeySizeConstraint, CertConstraint
 #
 #   KeySizeConstraint:
-#       keySize Operator KeyLength
+#       keySize Operator DecimalInteger
 #
 #   Operator:
 #       <= | < | == | != | >= | >
 #
-#   KeyLength:
-#       Integer value of the algorithm's key length in bits
+#   DecimalInteger:
+#       DecimalDigits
 #
-#   CAConstraint:
+#   DecimalDigits:
+#       DecimalDigit {DecimalDigit}
+#
+#   DecimalDigit: one of
+#       1 2 3 4 5 6 7 8 9 0
+#
+#   CertConstraint
 #       jdkCA
 #
-#   DenyAfterConstraint:
-#       denyAfter YYYY-MM-DD
-#
 # The "AlgorithmName" is the standard algorithm name of the disabled
 # algorithm. See "Java Cryptography Architecture Standard Algorithm Name
 # Documentation" for information about Standard Algorithm Names.  Matching
@@ -465,42 +470,27 @@
 # that rely on DSA, such as NONEwithDSA, SHA1withDSA.  However, the assertion
 # will not disable algorithms related to "ECDSA".
 #
-# A "Constraint" defines restrictions on the keys and/or certificates for
-# a specified AlgorithmName:
+# A "Constraint" provides further guidance for the algorithm being specified.
+# The "KeySizeConstraint" requires a key of a valid size range if the
+# "AlgorithmName" is of a key algorithm.  The "DecimalInteger" indicates the
+# key size specified in number of bits.  For example, "RSA keySize <= 1024"
+# indicates that any RSA key with key size less than or equal to 1024 bits
+# should be disabled, and "RSA keySize < 1024, RSA keySize > 2048" indicates
+# that any RSA key with key size less than 1024 or greater than 2048 should
+# be disabled. Note that the "KeySizeConstraint" only makes sense to key
+# algorithms.
 #
-#   KeySizeConstraint:
-#     keySize Operator KeyLength
-#       The constraint requires a key of a valid size range if the
-#       "AlgorithmName" is of a key algorithm.  The "KeyLength" indicates
-#       the key size specified in number of bits.  For example,
-#       "RSA keySize <= 1024" indicates that any RSA key with key size less
-#       than or equal to 1024 bits should be disabled, and
-#       "RSA keySize < 1024, RSA keySize > 2048" indicates that any RSA key
-#       with key size less than 1024 or greater than 2048 should be disabled.
-#       This constraint is only used on algorithms that have a key size.
+# "CertConstraint" specifies additional constraints for
+# certificates that contain algorithms that are restricted:
 #
-#   CAConstraint:
-#     jdkCA
-#       This constraint prohibits the specified algorithm only if the
-#       algorithm is used in a certificate chain that terminates at a marked
-#       trust anchor in the lib/security/cacerts keystore.  If the jdkCA
-#       constraint is not set, then all chains using the specified algorithm
-#       are restricted.  jdkCA may only be used once in a DisabledAlgorithm
-#       expression.
-#       Example:  To apply this constraint to SHA-1 certificates, include
-#       the following:  "SHA1 jdkCA"
-#
-#   DenyAfterConstraint:
-#     denyAfter YYYY-MM-DD
-#       This constraint prohibits a certificate with the specified algorithm
-#       from being used after the date regardless of the certificate's
-#       validity.  JAR files that are signed and timestamped before the
-#       constraint date with certificates containing the disabled algorithm
-#       will not be restricted.  The date is processed in the UTC timezone.
-#       This constraint can only be used once in a DisabledAlgorithm
-#       expression.
-#       Example:  To deny usage of RSA 2048 bit certificates after Feb 3 2020,
-#       use the following:  "RSA keySize == 2048 & denyAfter 2020-02-03"
+#   "jdkCA" prohibits the specified algorithm only if the algorithm is used
+#     in a certificate chain that terminates at a marked trust anchor in the
+#     lib/security/cacerts keystore.  All other chains are not affected.
+#     If the jdkCA constraint is not set, then all chains using the
+#     specified algorithm are restricted.  jdkCA may only be used once in
+#     a DisabledAlgorithm expression.
+#     Example:  To apply this constraint to SHA-1 certificates, include
+#     the following:  "SHA1 jdkCA"
 #
 # When an algorithm must satisfy more than one constraint, it must be
 # delimited by an ampersand '&'.  For example, to restrict certificates in a
@@ -523,6 +513,43 @@
 jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
     DSA keySize < 1024, EC keySize < 224
 
+# Algorithm restrictions for signed JAR files
+#
+# In some environments, certain algorithms or key lengths may be undesirable
+# for signed JAR validation.  For example, "MD2" is generally no longer
+# considered to be a secure hash algorithm.  This section describes the
+# mechanism for disabling algorithms based on algorithm name and/or key length.
+# JARs signed with any of the disabled algorithms or key sizes will be treated
+# as unsigned.
+#
+# The syntax of the disabled algorithm string is described as follows:
+#   DisabledAlgorithms:
+#       " DisabledAlgorithm { , DisabledAlgorithm } "
+#
+#   DisabledAlgorithm:
+#       AlgorithmName [Constraint]
+#
+#   AlgorithmName:
+#       (see below)
+#
+#   Constraint:
+#       KeySizeConstraint
+#
+#   KeySizeConstraint:
+#       keySize Operator KeyLength
+#
+#   Operator:
+#       <= | < | == | != | >= | >
+#
+#   KeyLength:
+#       Integer value of the algorithm's key length in bits
+#
+# Note: This property is currently used by the JDK Reference
+# implementation. It is not guaranteed to be examined and used by other
+# implementations.
+#
+jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024
+
 # Algorithm restrictions for Secure Socket Layer/Transport Layer Security
 # (SSL/TLS) processing
 #
@@ -677,7 +704,7 @@
 #       Constraint {"," Constraint }
 #   Constraint:
 #       AlgConstraint | MaxTransformsConstraint | MaxReferencesConstraint |
-#       ReferenceUriSchemeConstraint | OtherConstraint
+#       ReferenceUriSchemeConstraint | KeySizeConstraint | OtherConstraint
 #   AlgConstraint
 #       "disallowAlg" Uri
 #   MaxTransformsConstraint:
@@ -686,12 +713,16 @@
 #       "maxReferences" Integer
 #   ReferenceUriSchemeConstraint:
 #       "disallowReferenceUriSchemes" String { String }
+#   KeySizeConstraint:
+#       "minKeySize" KeyAlg Integer
 #   OtherConstraint:
 #       "noDuplicateIds" | "noRetrievalMethodLoops"
 #
 # For AlgConstraint, Uri is the algorithm URI String that is not allowed.
 # See the XML Signature Recommendation for more information on algorithm
-# URI Identifiers. If the MaxTransformsConstraint or MaxReferencesConstraint is
+# URI Identifiers. For KeySizeConstraint, KeyAlg is the standard algorithm
+# name of the key type (ex: "RSA"). If the MaxTransformsConstraint,
+# MaxReferencesConstraint or KeySizeConstraint (for the same key type) is
 # specified more than once, only the last entry is enforced.
 #
 # Note: This property is currently used by the JDK Reference implementation. It
@@ -705,46 +736,11 @@
     maxTransforms 5,\
     maxReferences 30,\
     disallowReferenceUriSchemes file http https,\
+    minKeySize RSA 1024,\
+    minKeySize DSA 1024,\
     noDuplicateIds,\
     noRetrievalMethodLoops
 
-# Algorithm restrictions for signed JAR files
-#
-# In some environments, certain algorithms or key lengths may be undesirable
-# for signed JAR validation.  For example, "MD2" is generally no longer
-# considered to be a secure hash algorithm.  This section describes the
-# mechanism for disabling algorithms based on algorithm name and/or key length.
-# JARs signed with any of the disabled algorithms or key sizes will be treated
-# as unsigned.
-#
-# The syntax of the disabled algorithm string is described as follows:
-#   DisabledAlgorithms:
-#       " DisabledAlgorithm { , DisabledAlgorithm } "
-#
-#   DisabledAlgorithm:
-#       AlgorithmName [Constraint]
-#
-#   AlgorithmName:
-#       (see below)
-#
-#   Constraint:
-#       KeySizeConstraint
-#
-#   KeySizeConstraint:
-#       keySize Operator KeyLength
-#
-#   Operator:
-#       <= | < | == | != | >= | >
-#
-#   KeyLength:
-#       Integer value of the algorithm's key length in bits
-#
-# Note: This property is currently used by the JDK Reference
-# implementation. It is not guaranteed to be examined and used by other
-# implementations.
-#
-jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024
-
 #
 # Serialization process-wide filter
 #
--- a/src/share/native/sun/security/ec/impl/ec.c	Tue Dec 13 12:52:17 2016 -0800
+++ b/src/share/native/sun/security/ec/impl/ec.c	Tue Dec 20 13:28:30 2016 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2007, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2007, 2016, Oracle and/or its affiliates. All rights reserved.
  * Use is subject to license terms.
  *
  * This library is free software; you can redistribute it and/or
@@ -34,7 +34,7 @@
  *   Dr Vipul Gupta <vipul.gupta@sun.com> and
  *   Douglas Stebila <douglas@stebila.ca>, Sun Microsystems Laboratories
  *
- * Last Modified Date from the Original Code: April 2015
+ * Last Modified Date from the Original Code: November 2016
  *********************************************************************** */
 
 #include "mplogic.h"
@@ -714,6 +714,16 @@
     }
 
     /*
+     * Using an equivalent exponent of fixed length (same as n or 1 bit less
+     * than n) to keep the kG timing relatively constant.
+     *
+     * Note that this is an extra step on top of the approach defined in
+     * ANSI X9.62 so as to make a fixed length K.
+     */
+    CHECK_MPI_OK( mp_add(&k, &n, &k) );
+    CHECK_MPI_OK( mp_div_2(&k, &k) );
+
+    /*
     ** ANSI X9.62, Section 5.3.2, Step 2
     **
     ** Compute kG
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/java/security/Signature/SignatureLength.java	Tue Dec 20 13:28:30 2016 -0800
@@ -0,0 +1,101 @@
+/*
+ * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import java.security.*;
+
+/*
+ * @test
+ * @bug 8161571
+ * @summary Reject signatures presented for verification that contain extra
+ *          bytes.
+ * @run main SignatureLength
+ */
+public class SignatureLength {
+
+    public static void main(String[] args) throws Exception {
+        main0("EC", 256, "SHA256withECDSA", "SunEC");
+        main0("RSA", 2048, "SHA256withRSA", "SunRsaSign");
+        main0("DSA", 2048, "SHA256withDSA", "SUN");
+
+        if (System.getProperty("os.name").equals("SunOS")) {
+            main0("EC", 256, "SHA256withECDSA", null);
+            main0("RSA", 2048, "SHA256withRSA", null);
+        }
+    }
+
+    private static void main0(String keyAlgorithm, int keysize,
+            String signatureAlgorithm, String provider) throws Exception {
+        byte[] plaintext = "aaa".getBytes("UTF-8");
+
+        // Generate
+        KeyPairGenerator generator =
+            provider == null ?
+                (KeyPairGenerator) KeyPairGenerator.getInstance(keyAlgorithm) :
+                (KeyPairGenerator) KeyPairGenerator.getInstance(
+                                       keyAlgorithm, provider);
+        generator.initialize(keysize);
+        System.out.println("Generating " + keyAlgorithm + " keypair using " +
+            generator.getProvider().getName() + " JCE provider");
+        KeyPair keypair = generator.generateKeyPair();
+
+        // Sign
+        Signature signer =
+            provider == null ?
+                Signature.getInstance(signatureAlgorithm) :
+                Signature.getInstance(signatureAlgorithm, provider);
+        signer.initSign(keypair.getPrivate());
+        signer.update(plaintext);
+        System.out.println("Signing using " + signer.getProvider().getName() +
+            " JCE provider");
+        byte[] signature = signer.sign();
+
+        // Invalidate
+        System.out.println("Invalidating signature ...");
+        byte[] badSignature = new byte[signature.length + 5];
+        System.arraycopy(signature, 0, badSignature, 0, signature.length);
+        badSignature[signature.length] = 0x01;
+        badSignature[signature.length + 1] = 0x01;
+        badSignature[signature.length + 2] = 0x01;
+        badSignature[signature.length + 3] = 0x01;
+        badSignature[signature.length + 4] = 0x01;
+
+        // Verify
+        Signature verifier =
+            provider == null ?
+                Signature.getInstance(signatureAlgorithm) :
+                Signature.getInstance(signatureAlgorithm, provider);
+        verifier.initVerify(keypair.getPublic());
+        verifier.update(plaintext);
+        System.out.println("Verifying using " +
+            verifier.getProvider().getName() + " JCE provider");
+
+        try {
+            System.out.println("Valid? " + verifier.verify(badSignature));
+            throw new Exception(
+                "ERROR: expected a SignatureException but none was thrown");
+        } catch (SignatureException e) {
+            System.out.println("OK: caught expected exception: " + e);
+        }
+        System.out.println();
+    }
+}
--- a/test/java/time/test/java/time/format/TestZoneTextPrinterParser.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/test/java/time/test/java/time/format/TestZoneTextPrinterParser.java	Tue Dec 20 13:28:30 2016 -0800
@@ -49,7 +49,7 @@
 
 /*
  * @test
- * @bug 8081022 8151876
+ * @bug 8081022 8151876 8166875
  * @key randomness
  */
 
--- a/test/java/time/test/java/time/format/ZoneName.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/test/java/time/test/java/time/format/ZoneName.java	Tue Dec 20 13:28:30 2016 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2013, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -378,6 +378,7 @@
         "Europe/Helsinki", "Europe_Eastern", "Europe/Bucharest",
         "America/Nome", "Alaska", "America/Juneau",
         "Asia/Yakutsk", "Yakutsk", "Asia/Yakutsk",
+        "Asia/Yangon", "Myanmar", "Asia/Rangoon",
         "Africa/Conakry", "GMT", "Atlantic/Reykjavik",
         "Asia/Seoul", "Korea", "Asia/Seoul",
         "America/Antigua", "Atlantic", "America/Halifax",
@@ -747,6 +748,7 @@
         "NZ", "Pacific/Auckland",
         "Asia/Tel_Aviv", "Asia/Jerusalem",
         "Hongkong", "Asia/Hong_Kong",
+        "Asia/Rangoon", "Asia/Yangon",
     };
 
     private static final Map<String, String> zidToMzone = new HashMap<>();
--- a/test/lib/testlibrary/jdk/testlibrary/JarUtils.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/test/lib/testlibrary/jdk/testlibrary/JarUtils.java	Tue Dec 20 13:28:30 2016 -0800
@@ -25,6 +25,7 @@
 
 import java.io.File;
 import java.io.FileInputStream;
+import java.io.FileNotFoundException;
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.nio.file.Path;
@@ -43,7 +44,8 @@
 
 
     /**
-     * Create jar file with specified files from specified location.
+     * Create jar file with specified files. If a specified file does not exist,
+     * a new jar entry will be created with the file name itself as the content.
      */
     public static void createJar(String dest, Path filesLocation,
                                  String... fileNames) throws IOException {
@@ -63,6 +65,8 @@
                 }
                 try (FileInputStream fis = new FileInputStream(file)) {
                     Utils.transferBetweenStreams(fis, jos);
+                } catch (FileNotFoundException e) {
+                    jos.write(fileName.getBytes());
                 }
             }
         }
@@ -78,7 +82,17 @@
     }
 
     /**
-     * Add specified files to existing jar file.
+     * Add or remove specified files to existing jar file. If a specified file
+     * to be updated or added does not exist, the jar entry will be created
+     * with the file name itself as the content.
+     *
+     * @param src the original jar file name
+     * @param dest the new jar file name
+     * @param files the files to update. The list is broken into 2 groups
+     *              by a "-" string. The files before in the 1st group will
+     *              be either updated or added. The files in the 2nd group
+     *              will be removed. If no "-" exists, all files belong to
+     *              the 1st group.
      */
     public static void updateJar(String src, String dest, String... files)
             throws IOException {
@@ -94,8 +108,11 @@
                     JarEntry entry = entries.nextElement();
                     String name = entry.getName();
                     boolean found = false;
+                    boolean update = true;
                     for (String file : files) {
-                        if (name.equals(file)) {
+                        if (file.equals("-")) {
+                            update = false;
+                        } else if (name.equals(file)) {
                             updatedFiles.add(file);
                             found = true;
                             break;
@@ -103,11 +120,18 @@
                     }
 
                     if (found) {
+                        if (update) {
                         System.out.println(String.format("Updating %s with %s",
                                 dest, name));
                         jos.putNextEntry(new JarEntry(name));
                         try (FileInputStream fis = new FileInputStream(name)) {
                             Utils.transferBetweenStreams(fis, jos);
+                            } catch (FileNotFoundException e) {
+                                jos.write(name.getBytes());
+                            }
+                        } else {
+                            System.out.println(String.format("Removing %s from %s",
+                                    name, dest));
                         }
                     } else {
                         System.out.println(String.format("Copying %s to %s",
@@ -121,12 +145,17 @@
 
             // append new files
             for (String file : files) {
+                if (file.equals("-")) {
+                    break;
+                }
                 if (!updatedFiles.contains(file)) {
                     System.out.println(String.format("Adding %s with %s",
                             dest, file));
                     jos.putNextEntry(new JarEntry(file));
                     try (FileInputStream fis = new FileInputStream(file)) {
                         Utils.transferBetweenStreams(fis, jos);
+                    } catch (FileNotFoundException e) {
+                        jos.write(file.getBytes());
                     }
                 }
             }
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/reflect/ReflectionFactory/ReflectionFactoryTest.java	Tue Dec 20 13:28:30 2016 -0800
@@ -0,0 +1,341 @@
+/*
+ * Copyright (c) 2016, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ */
+
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.Externalizable;
+import java.io.IOException;
+import java.io.ObjectInput;
+import java.io.ObjectInputStream;
+import java.io.ObjectOutput;
+import java.io.ObjectOutputStream;
+import java.io.OptionalDataException;
+import java.io.Serializable;
+import java.lang.invoke.MethodHandle;
+import java.lang.reflect.Constructor;
+import java.lang.reflect.InvocationTargetException;
+
+import sun.reflect.ReflectionFactory;
+
+import org.testng.Assert;
+import org.testng.annotations.BeforeClass;
+import org.testng.annotations.Test;
+import org.testng.annotations.DataProvider;
+import org.testng.TestNG;
+
+/*
+ * @test
+ * @bug 8137058 8164908 8168980
+ * @run testng ReflectionFactoryTest
+ * @run testng/othervm/policy=security.policy ReflectionFactoryTest
+ * @summary Basic test for the unsupported ReflectionFactory
+ */
+
+public class ReflectionFactoryTest {
+
+    // Initialized by init()
+    static ReflectionFactory factory;
+
+    @DataProvider(name = "ClassConstructors")
+    static Object[][] classConstructors() {
+        return new Object[][] {
+                {Object.class},
+                {Foo.class},
+                {Bar.class},
+        };
+    }
+
+    @BeforeClass
+    static void init() {
+        factory = ReflectionFactory.getReflectionFactory();
+    }
+
+    /**
+     * Test that the correct Constructor is selected and run.
+     * @param type type of object to create
+     * @throws NoSuchMethodException - error
+     * @throws InstantiationException - error
+     * @throws IllegalAccessException - error
+     * @throws InvocationTargetException - error
+     */
+    @Test(dataProvider="ClassConstructors")
+    static void testConstructor(Class<?> type)
+        throws NoSuchMethodException, InstantiationException,
+            IllegalAccessException, InvocationTargetException
+    {
+        @SuppressWarnings("unchecked")
+        Constructor<?> c = factory.newConstructorForSerialization(type);
+
+        Object o = c.newInstance();
+        Assert.assertEquals(o.getClass(), type, "Instance is wrong type");
+        if (o instanceof Foo) {
+            Foo foo = (Foo)o;
+            foo.check();
+        }
+    }
+
+    @DataProvider(name = "NonSerialConstructors")
+    static Object[][] constructors() throws NoSuchMethodException {
+        return new Object[][] {
+                {Foo.class, Object.class.getDeclaredConstructor()},
+                {Foo.class, Foo.class.getDeclaredConstructor()},
+                {Baz.class, Object.class.getDeclaredConstructor()},
+                {Baz.class, Foo.class.getDeclaredConstructor()},
+                {Baz.class, Baz.class.getDeclaredConstructor()}
+        };
+    }
+
+    /**
+     * Tests that the given Constructor, in the hierarchy, is run.
+     */
+    @Test(dataProvider="NonSerialConstructors")
+    static void testNonSerializableConstructor(Class<?> cl,
+                                               Constructor<?> constructorToCall)
+        throws ReflectiveOperationException
+    {
+        @SuppressWarnings("unchecked")
+        Constructor<?> c = factory.newConstructorForSerialization(cl,
+                                                                  constructorToCall);
+
+        Object o = c.newInstance();
+        Assert.assertEquals(o.getClass(), cl, "Instance is wrong type");
+
+        int expectedFoo = 0;
+        int expectedBaz = 0;
+        if (constructorToCall.getName().equals("ReflectionFactoryTest$Foo")) {
+            expectedFoo = 1;
+        } else if (constructorToCall.getName().equals("ReflectionFactoryTest$Baz")) {
+            expectedFoo = 1;
+            expectedBaz = 4;
+        }
+
+        Assert.assertEquals(((Foo)o).foo(), expectedFoo);
+        if (o instanceof Baz) {
+            Assert.assertEquals(((Baz)o).baz(), expectedBaz);
+        }
+    }
+
+    static class Foo {
+        private int foo;
+        public Foo() {
+            this.foo = 1;
+        }
+
+        public String toString() {
+            return "foo: " + foo;
+        }
+
+        public void check() {
+            int expectedFoo = 1;
+            Assert.assertEquals(foo, expectedFoo, "foo() constructor not run");
+        }
+
+        public int foo() { return foo; }
+    }
+
+    static class Bar extends Foo implements Serializable {
+        private static final long serialVersionUID = 3L;
+
+        private int bar;
+        public Bar() {
+            this.bar = 1;
+        }
+
+        public String toString() {
+            return super.toString() + ", bar: " + bar;
+        }
+
+        public void check() {
+            super.check();
+            int expectedBar = 0;
+            Assert.assertEquals(bar, expectedBar, "bar() constructor not run");
+        }
+    }
+
+    static class Baz extends Foo {
+        private static final long serialVersionUID = 4L;
+
+        private final int baz;
+        public Baz() { this.baz = 4; }
+        public int baz() { return baz; }
+    }
+
+    /**
+     * Test newConstructorForExternalization returns the constructor and it can be called.
+     * @throws NoSuchMethodException - error
+     * @throws InstantiationException - error
+     * @throws IllegalAccessException - error
+     * @throws InvocationTargetException - error
+     */
+    @Test
+    static void newConstructorForExternalization()
+            throws NoSuchMethodException, InstantiationException,
+            IllegalAccessException, InvocationTargetException {
+        Constructor<?> cons = factory.newConstructorForExternalization(Ext.class);
+        Ext ext = (Ext)cons.newInstance();
+        Assert.assertEquals(ext.ext, 1, "Constructor not run");
+    }
+
+    static class Ext implements Externalizable {
+        private static final long serialVersionUID = 1L;
+
+        int ext;
+
+        public Ext() {
+            ext = 1;
+        }
+
+        @Override
+        public void writeExternal(ObjectOutput out) throws IOException {}
+
+        @Override
+        public void readExternal(ObjectInput in) throws IOException, ClassNotFoundException {}
+    }
+
+    @Test
+    static void testReadWriteObjectForSerialization() throws Throwable {
+        MethodHandle readObjectMethod = factory.readObjectForSerialization(Ser.class);
+        Assert.assertNotNull(readObjectMethod, "readObjectMethod not found");
+
+        MethodHandle readObjectNoDataMethod = factory.readObjectNoDataForSerialization(Ser.class);
+        Assert.assertNotNull(readObjectNoDataMethod, "readObjectNoDataMethod not found");
+
+        MethodHandle writeObjectMethod = factory.writeObjectForSerialization(Ser.class);
+        Assert.assertNotNull(writeObjectMethod, "writeObjectMethod not found");
+
+        MethodHandle readResolveMethod = factory.readResolveForSerialization(Ser.class);
+        Assert.assertNotNull(readResolveMethod, "readResolveMethod not found");
+
+        MethodHandle writeReplaceMethod = factory.writeReplaceForSerialization(Ser.class);
+        Assert.assertNotNull(writeReplaceMethod, "writeReplaceMethod not found");
+
+        byte[] data = null;
+        try (ByteArrayOutputStream baos = new ByteArrayOutputStream();
+            ObjectOutputStream oos = new ObjectOutputStream(baos)) {
+            Ser ser = new Ser();
+
+            writeReplaceMethod.invoke(ser);
+            Assert.assertTrue(ser.writeReplaceCalled, "writeReplace not called");
+            Assert.assertFalse(ser.writeObjectCalled, "writeObject should not have been called");
+
+            writeObjectMethod.invoke(ser, oos);
+            Assert.assertTrue(ser.writeReplaceCalled, "writeReplace should have been called");
+            Assert.assertTrue(ser.writeObjectCalled, "writeObject not called");
+            oos.flush();
+            data = baos.toByteArray();
+        }
+
+        try (ByteArrayInputStream bais = new ByteArrayInputStream(data);
+             ObjectInputStream ois = new ObjectInputStream(bais)) {
+            Ser ser2 = new Ser();
+
+            readObjectMethod.invoke(ser2, ois);
+            Assert.assertTrue(ser2.readObjectCalled, "readObject not called");
+            Assert.assertFalse(ser2.readObjectNoDataCalled, "readObjectNoData should not be called");
+            Assert.assertFalse(ser2.readResolveCalled, "readResolve should not be called");
+
+            readObjectNoDataMethod.invoke(ser2, ois);
+            Assert.assertTrue(ser2.readObjectCalled, "readObject should have been called");
+            Assert.assertTrue(ser2.readObjectNoDataCalled, "readObjectNoData not called");
+            Assert.assertFalse(ser2.readResolveCalled, "readResolve should not be called");
+
+            readResolveMethod.invoke(ser2);
+            Assert.assertTrue(ser2.readObjectCalled, "readObject should have been called");
+            Assert.assertTrue(ser2.readObjectNoDataCalled, "readObjectNoData not called");
+            Assert.assertTrue(ser2.readResolveCalled, "readResolve not called");
+        }
+    }
+
+    @Test
+    static void hasStaticInitializer() {
+        boolean actual = factory.hasStaticInitializerForSerialization(Ser.class);
+        Assert.assertTrue(actual, "hasStaticInitializerForSerialization is wrong");
+    }
+
+    static class Ser implements Serializable {
+        private static final long serialVersionUID = 2L;
+        static {
+            // Define a static class initialization method
+        }
+
+        boolean readObjectCalled = false;
+        boolean readObjectNoDataCalled = false;
+        boolean writeObjectCalled = false;
+        boolean readResolveCalled = false;
+        boolean writeReplaceCalled = false;
+
+        public Ser() {}
+
+        private void readObject(ObjectInputStream ois) throws IOException {
+            Assert.assertFalse(writeObjectCalled, "readObject called too many times");
+            readObjectCalled = ois.readBoolean();
+        }
+
+        private void readObjectNoData(ObjectInputStream ois) throws IOException {
+            Assert.assertFalse(readObjectNoDataCalled, "readObjectNoData called too many times");
+            readObjectNoDataCalled = true;
+        }
+
+        private void writeObject(ObjectOutputStream oos) throws IOException {
+            Assert.assertFalse(writeObjectCalled, "writeObject called too many times");
+            writeObjectCalled = true;
+            oos.writeBoolean(writeObjectCalled);
+        }
+
+        private Object writeReplace() {
+            Assert.assertFalse(writeReplaceCalled, "writeReplace called too many times");
+            writeReplaceCalled = true;
+            return this;
+        }
+
+        private Object readResolve() {
+            Assert.assertFalse(readResolveCalled, "readResolve called too many times");
+            readResolveCalled = true;
+            return this;
+        }
+    }
+
+    /**
+     * Test the constructor of OptionalDataExceptions.
+     */
+    @Test
+    static void newOptionalDataException() {
+        OptionalDataException ode = factory.newOptionalDataExceptionForSerialization(true);
+        Assert.assertTrue(ode.eof, "eof wrong");
+        ode = factory.newOptionalDataExceptionForSerialization(false);
+        Assert.assertFalse(ode.eof, "eof wrong");
+
+    }
+
+
+
+    // Main can be used to run the tests from the command line with only testng.jar.
+    @SuppressWarnings("raw_types")
+    @Test(enabled = false)
+    public static void main(String[] args) {
+        Class<?>[] testclass = {ReflectionFactoryTest.class};
+        TestNG testng = new TestNG();
+        testng.setTestClasses(testclass);
+        testng.run();
+    }
+}
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/test/sun/reflect/ReflectionFactory/security.policy	Tue Dec 20 13:28:30 2016 -0800
@@ -0,0 +1,11 @@
+// Individual Permissions for ReflectionFactoryTest
+grant {
+        // Permissions needed to run the test
+        permission java.util.PropertyPermission "*", "read";
+        permission java.io.FilePermission "<<ALL FILES>>", "read,write,delete,execute";
+
+        permission java.lang.reflect.ReflectPermission "suppressAccessChecks";
+        permission java.lang.RuntimePermission "accessDeclaredMembers";
+        permission java.lang.RuntimePermission "accessClassInPackage.sun.reflect";
+        permission java.lang.RuntimePermission "reflectionFactoryAccess";
+};
--- a/test/sun/security/smartcardio/TestChannel.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/test/sun/security/smartcardio/TestChannel.java	Tue Dec 20 13:28:30 2016 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -46,6 +46,11 @@
 
     public static void main(String[] args) throws Exception {
         CardTerminal terminal = getTerminal(args);
+        if (terminal == null) {
+            System.out.println("Skipping the test: " +
+                    "no card terminals available");
+            return;
+        }
 
         // establish a connection with the card
         Card card = terminal.connect("T=0");
--- a/test/sun/security/smartcardio/TestConnect.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/test/sun/security/smartcardio/TestConnect.java	Tue Dec 20 13:28:30 2016 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -39,23 +39,12 @@
 public class TestConnect extends Utils {
 
     public static void main(String[] args) throws Exception {
-        TerminalFactory factory = TerminalFactory.getInstance("PC/SC", null, "SunPCSC");
-        System.out.println(factory);
-
-        List<CardTerminal> terminals = factory.terminals().list();
-        System.out.println("Terminals: " + terminals);
-        if (terminals.isEmpty()) {
-            throw new Exception("No card terminals available");
+        CardTerminal terminal = getTerminal(args, "SunPCSC");
+        if (terminal == null) {
+            System.out.println("Skipping the test: " +
+                    "no card terminals available");
+            return;
         }
-        CardTerminal terminal = terminals.get(0);
-
-        if (terminal.isCardPresent() == false) {
-            System.out.println("*** Insert card");
-            if (terminal.waitForCardPresent(20 * 1000) == false) {
-                throw new Exception("no card available");
-            }
-        }
-        System.out.println("card present: " + terminal.isCardPresent());
 
         Card card = terminal.connect("*");
         System.out.println("card: " + card);
--- a/test/sun/security/smartcardio/TestConnectAgain.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/test/sun/security/smartcardio/TestConnectAgain.java	Tue Dec 20 13:28:30 2016 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -39,6 +39,11 @@
 
     public static void main(String[] args) throws Exception {
         CardTerminal terminal = getTerminal(args);
+        if (terminal == null) {
+            System.out.println("Skipping the test: " +
+                    "no card terminals available");
+            return;
+        }
 
         Card card = terminal.connect("T=0");
         CardChannel channel = card.getBasicChannel();
--- a/test/sun/security/smartcardio/TestControl.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/test/sun/security/smartcardio/TestControl.java	Tue Dec 20 13:28:30 2016 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -40,6 +40,11 @@
 
     public static void main(String[] args) throws Exception {
         CardTerminal terminal = getTerminal(args);
+        if (terminal == null) {
+            System.out.println("Skipping the test: " +
+                    "no card terminals available");
+            return;
+        }
 
         // establish a connection with the card
         Card card = terminal.connect("T=0");
--- a/test/sun/security/smartcardio/TestDefault.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/test/sun/security/smartcardio/TestDefault.java	Tue Dec 20 13:28:30 2016 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -40,10 +40,12 @@
         TerminalFactory factory = TerminalFactory.getDefault();
         System.out.println("Type: " + factory.getType());
         List<CardTerminal> terminals = factory.terminals().list();
+        if (terminals.isEmpty()) {
+            System.out.println("Skipping the test: " +
+                    "no card terminals available");
+            return;
+        }
         System.out.println("Terminals: " + terminals);
-        if (terminals.isEmpty()) {
-            throw new Exception("no terminals");
-        }
 
         System.out.println("OK.");
     }
--- a/test/sun/security/smartcardio/TestDirect.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/test/sun/security/smartcardio/TestDirect.java	Tue Dec 20 13:28:30 2016 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2014, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -40,10 +40,12 @@
     public static void main(String[] args) throws Exception {
         TerminalFactory terminalFactory = TerminalFactory.getDefault();
         List<CardTerminal> cardTerminals = terminalFactory.terminals().list();
+        if (cardTerminals.isEmpty()) {
+            System.out.println("Skipping the test: " +
+                    "no card terminals available");
+            return;
+        }
         System.out.println("Terminals: " + cardTerminals);
-        if (cardTerminals.isEmpty()) {
-            throw new Exception("No card terminals available");
-        }
         CardTerminal cardTerminal = cardTerminals.get(0);
         Card card = cardTerminal.connect("DIRECT");
         card.disconnect(true);
--- a/test/sun/security/smartcardio/TestExclusive.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/test/sun/security/smartcardio/TestExclusive.java	Tue Dec 20 13:28:30 2016 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -44,6 +44,11 @@
 
     public static void main(String[] args) throws Exception {
         CardTerminal terminal = getTerminal(args);
+        if (terminal == null) {
+            System.out.println("Skipping the test: " +
+                    "no card terminals available");
+            return;
+        }
 
         // establish a connection with the card
         Card card = terminal.connect("T=0");
--- a/test/sun/security/smartcardio/TestMultiplePresent.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/test/sun/security/smartcardio/TestMultiplePresent.java	Tue Dec 20 13:28:30 2016 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -40,7 +40,12 @@
 
     public static void main(String[] args) throws Exception {
         Utils.setLibrary(args);
-        TerminalFactory factory = TerminalFactory.getInstance("PC/SC", null);
+        TerminalFactory factory = Utils.getTerminalFactory(null);
+        if (factory == null) {
+            System.out.println("Skipping the test: " +
+                    "no card terminals available");
+            return;
+        }
         System.out.println(factory);
 
         CardTerminals terminals = factory.terminals();
@@ -49,7 +54,9 @@
         boolean multipleReaders = true;
         if (list.size() < 2) {
             if (list.isEmpty()) {
-                throw new Exception("no terminals");
+                System.out.println("Skipping the test: " +
+                        "no card terminals available");
+                return;
             }
             System.out.println("Only one reader present, using simplified test");
             multipleReaders = false;
--- a/test/sun/security/smartcardio/TestPresent.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/test/sun/security/smartcardio/TestPresent.java	Tue Dec 20 13:28:30 2016 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -34,7 +34,7 @@
 import javax.smartcardio.CardTerminal;
 import javax.smartcardio.TerminalFactory;
 
-public class TestPresent {
+public class TestPresent extends Utils {
 
     private static class Timer {
         private long time = System.currentTimeMillis();
@@ -66,15 +66,12 @@
     }
 
     public static void main(String[] args) throws Exception {
-        TerminalFactory factory = TerminalFactory.getInstance("PC/SC", null);
-        System.out.println(factory);
-
-        List<CardTerminal> terminals = factory.terminals().list();
-        System.out.println("Terminals: " + terminals);
-        if (terminals.isEmpty()) {
-            throw new Exception("No card terminals available");
+        CardTerminal terminal = getTerminal(args);
+        if (terminal == null) {
+            System.out.println("Skipping the test: " +
+                    "no card terminals available");
+            return;
         }
-        CardTerminal terminal = terminals.get(0);
 
         while (terminal.isCardPresent()) {
             System.out.println("*** Remove card!");
--- a/test/sun/security/smartcardio/TestTransmit.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/test/sun/security/smartcardio/TestTransmit.java	Tue Dec 20 13:28:30 2016 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -48,6 +48,11 @@
 
     public static void main(String[] args) throws Exception {
         CardTerminal terminal = getTerminal(args);
+        if (terminal == null) {
+            System.out.println("Skipping the test: " +
+                    "no card terminals available");
+            return;
+        }
 
         Card card = terminal.connect("T=0");
         CardChannel channel = card.getBasicChannel();
--- a/test/sun/security/smartcardio/Utils.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/test/sun/security/smartcardio/Utils.java	Tue Dec 20 13:28:30 2016 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2006, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -27,6 +27,7 @@
 import java.io.StringReader;
 import java.io.ByteArrayOutputStream;
 import java.io.IOException;
+import java.security.NoSuchAlgorithmException;
 import java.util.Arrays;
 import java.util.List;
 import javax.smartcardio.CardTerminal;
@@ -43,26 +44,59 @@
         }
     }
 
+    static TerminalFactory getTerminalFactory(String provName) throws Exception {
+        try {
+            TerminalFactory factory = (provName == null)
+                    ? TerminalFactory.getInstance("PC/SC", null)
+                    : TerminalFactory.getInstance("PC/SC", null, provName);
+            System.out.println(factory);
+            return factory;
+        } catch (NoSuchAlgorithmException e) {
+            Throwable cause = e.getCause();
+            if (cause != null && cause.getMessage().startsWith("PC/SC not available")) {
+                return null;
+            }
+            throw e;
+        }
+    }
+
     static CardTerminal getTerminal(String[] args) throws Exception {
+        return getTerminal(args, null);
+    }
+
+    static CardTerminal getTerminal(String[] args, String provider) throws Exception {
         setLibrary(args);
 
-        TerminalFactory factory = TerminalFactory.getInstance("PC/SC", null);
-        System.out.println(factory);
+        try {
+            TerminalFactory factory = (provider == null)
+                    ? TerminalFactory.getInstance("PC/SC", null)
+                    : TerminalFactory.getInstance("PC/SC", null, provider);
+            System.out.println(factory);
 
-        List<CardTerminal> terminals = factory.terminals().list();
-        System.out.println("Terminals: " + terminals);
-        if (terminals.isEmpty()) {
-            throw new Exception("No card terminals available");
+            List<CardTerminal> terminals = factory.terminals().list();
+            System.out.println("Terminals: " + terminals);
+            if (terminals.isEmpty()) {
+                return null;
+            }
+            CardTerminal terminal = terminals.get(0);
+
+            if (terminal.isCardPresent() == false) {
+                System.out.println("*** Insert card");
+                if (terminal.waitForCardPresent(20 * 1000) == false) {
+                    throw new Exception("no card available");
+                }
+            }
+            System.out.println("card present: " + terminal.isCardPresent());
+
+            return terminal;
+
+        } catch (NoSuchAlgorithmException e) {
+            Throwable cause = e.getCause();
+            if (cause != null && cause.getMessage().startsWith("PC/SC not available")) {
+                return null;
+            }
+            throw e;
         }
-        CardTerminal terminal = terminals.get(0);
-
-        if (terminal.isCardPresent() == false) {
-            System.out.println("*** Insert card");
-            if (terminal.waitForCardPresent(20 * 1000) == false) {
-                throw new Exception("no card available");
-            }
-        }
-        return terminal;
     }
 
     static final byte[] C1 = parse("00 A4 04 00 07 A0 00 00 00 62 81 01 00");
--- a/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/X509TrustManagerImpl/PKIXExtendedTM.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/test/sun/security/ssl/com/sun/net/ssl/internal/ssl/X509TrustManagerImpl/PKIXExtendedTM.java	Tue Dec 20 13:28:30 2016 -0800
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2010, 2015, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2010, 2016, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -28,9 +28,12 @@
 
 /*
  * @test
- * @bug 6916074
+ * @bug 6916074 8170131
  * @summary Add support for TLS 1.2
- * @run main/othervm PKIXExtendedTM
+ * @run main/othervm PKIXExtendedTM 0
+ * @run main/othervm PKIXExtendedTM 1
+ * @run main/othervm PKIXExtendedTM 2
+ * @run main/othervm PKIXExtendedTM 3
  */
 
 import java.net.*;
@@ -42,6 +45,7 @@
 import java.security.KeyFactory;
 import java.security.cert.Certificate;
 import java.security.cert.CertificateFactory;
+import java.security.cert.CertPathValidatorException;
 import java.security.spec.*;
 import java.security.interfaces.*;
 import java.math.BigInteger;
@@ -792,20 +796,85 @@
     volatile Exception serverException = null;
     volatile Exception clientException = null;
 
+    static class Test {
+        String tlsDisAlgs;
+        String certPathDisAlgs;
+        boolean fail;
+        Test(String tlsDisAlgs, String certPathDisAlgs, boolean fail) {
+            this.tlsDisAlgs = tlsDisAlgs;
+            this.certPathDisAlgs = certPathDisAlgs;
+            this.fail = fail;
+        }
+    }
+
+    static Test[] tests = {
+        // MD5 is used in this test case, don't disable MD5 algorithm.
+        new Test(
+            "SSLv3, RC4, DH keySize < 768",
+            "MD2, RSA keySize < 1024",
+            false),
+        // Disable MD5 but only if cert chains back to public root CA, should
+        // pass because the MD5 cert in this test case is issued by test CA
+        new Test(
+            "SSLv3, RC4, DH keySize < 768",
+            "MD2, MD5 jdkCA, RSA keySize < 1024",
+            false),
+        // Disable MD5 alg via TLS property and expect failure
+        new Test(
+            "SSLv3, MD5, RC4, DH keySize < 768",
+            "MD2, RSA keySize < 1024",
+            true),
+        // Disable MD5 alg via certpath property and expect failure
+        new Test(
+            "SSLv3, RC4, DH keySize < 768",
+            "MD2, MD5, RSA keySize < 1024",
+            true),
+    };
+
     public static void main(String args[]) throws Exception {
-        // MD5 is used in this test case, don't disable MD5 algorithm.
+        if (args.length != 1) {
+            throw new Exception("Incorrect number of arguments");
+        }
+        Test test = tests[Integer.parseInt(args[0])];
+        Security.setProperty("jdk.tls.disabledAlgorithms", test.tlsDisAlgs);
         Security.setProperty("jdk.certpath.disabledAlgorithms",
-                "MD2, RSA keySize < 1024");
-        Security.setProperty("jdk.tls.disabledAlgorithms",
-                "SSLv3, RC4, DH keySize < 768");
+                             test.certPathDisAlgs);
 
-        if (debug)
+        if (debug) {
             System.setProperty("javax.net.debug", "all");
+        }
 
         /*
          * Start the tests.
          */
-        new PKIXExtendedTM();
+        try {
+            new PKIXExtendedTM();
+            if (test.fail) {
+                throw new Exception("Expected MD5 certificate to be blocked");
+            }
+        } catch (Exception e) {
+            if (test.fail) {
+                // find expected cause
+                boolean correctReason = false;
+                Throwable cause = e.getCause();
+                while (cause != null) {
+                    if (cause instanceof CertPathValidatorException) {
+                        CertPathValidatorException cpve =
+                            (CertPathValidatorException)cause;
+                        if (cpve.getReason() == CertPathValidatorException.BasicReason.ALGORITHM_CONSTRAINED) {
+                            correctReason = true;
+                            break;
+                        }
+                    }
+                    cause = cause.getCause();
+                }
+                if (!correctReason) {
+                    throw new Exception("Unexpected exception", e);
+                }
+            } else {
+                throw e;
+            }
+        }
     }
 
     Thread clientThread = null;
--- a/test/sun/security/tools/jarsigner/TimestampCheck.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/test/sun/security/tools/jarsigner/TimestampCheck.java	Tue Dec 20 13:28:30 2016 -0800
@@ -22,25 +22,31 @@
  */
 
 import com.sun.net.httpserver.*;
-import java.io.BufferedReader;
 import java.io.ByteArrayOutputStream;
+import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
-import java.io.InputStreamReader;
 import java.io.OutputStream;
 import java.math.BigInteger;
 import java.net.InetSocketAddress;
+import java.nio.file.Files;
+import java.nio.file.Paths;
 import java.security.KeyStore;
 import java.security.PrivateKey;
 import java.security.Signature;
 import java.security.cert.Certificate;
 import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Calendar;
+import java.util.List;
 import java.util.jar.JarEntry;
 import java.util.jar.JarFile;
 
 import sun.misc.IOUtils;
+import jdk.testlibrary.*;
+import jdk.testlibrary.JarUtils;
 import sun.security.pkcs.ContentInfo;
 import sun.security.pkcs.PKCS7;
 import sun.security.pkcs.PKCS9Attribute;
@@ -52,11 +58,22 @@
 import sun.security.x509.AlgorithmId;
 import sun.security.x509.X500Name;
 
+/*
+ * @test
+ * @bug 6543842 6543440 6939248 8009636 8024302 8163304 8169911 8169688
+ * @summary checking response of timestamp
+ * @modules java.base/sun.security.pkcs
+ *          java.base/sun.security.timestamp
+ *          java.base/sun.security.x509
+ *          java.base/sun.security.util
+ *          java.base/sun.security.tools.keytool
+ * @library /lib/testlibrary
+ * @run main/timeout=600 TimestampCheck
+ */
 public class TimestampCheck {
-    static final String TSKS = "tsks";
-    static final String JAR = "old.jar";
 
-    static final String defaultPolicyId = "2.3.4.5";
+    static final String defaultPolicyId = "2.3.4";
+    static String host = null;
 
     static class Handler implements HttpHandler, AutoCloseable {
 
@@ -75,11 +92,7 @@
             t.getRequestBody().read(input);
 
             try {
-                int path = 0;
-                if (t.getRequestURI().getPath().length() > 1) {
-                    path = Integer.parseInt(
-                            t.getRequestURI().getPath().substring(1));
-                }
+                String path = t.getRequestURI().getPath().substring(1);
                 byte[] output = sign(input, path);
                 Headers out = t.getResponseHeaders();
                 out.set("Content-Type", "application/timestamp-reply");
@@ -97,24 +110,9 @@
         /**
          * @param input The data to sign
          * @param path different cases to simulate, impl on URL path
-         * 0: normal
-         * 1: Missing nonce
-         * 2: Different nonce
-         * 3: Bad digets octets in messageImprint
-         * 4: Different algorithmId in messageImprint
-         * 5: whole chain in cert set
-         * 6: extension is missing
-         * 7: extension is non-critical
-         * 8: extension does not have timestamping
-         * 9: no cert in response
-         * 10: normal
-         * 11: always return default policy id
-         * 12: normal
-         * otherwise: normal
          * @returns the signed
          */
-        byte[] sign(byte[] input, int path) throws Exception {
-            // Read TSRequest
+        byte[] sign(byte[] input, String path) throws Exception {
             DerValue value = new DerValue(input);
             System.err.println("\nIncoming Request\n===================");
             System.err.println("Version: " + value.data.getInteger());
@@ -138,36 +136,35 @@
                 }
             }
 
-            // Write TSResponse
             System.err.println("\nResponse\n===================");
-            KeyStore ks = KeyStore.getInstance("JKS");
-            try (FileInputStream fis = new FileInputStream(keystore)) {
-                ks.load(fis, "changeit".toCharArray());
+            FileInputStream is = new FileInputStream(keystore);
+            KeyStore ks = KeyStore.getInstance("JCEKS");
+            ks.load(is, "changeit".toCharArray());
+            is.close();
+
+            String alias = "ts";
+            if (path.startsWith("bad") || path.equals("weak")) {
+                alias = "ts" + path;
             }
 
-            String alias = "ts";
-            if (path == 6) alias = "tsbad1";
-            if (path == 7) alias = "tsbad2";
-            if (path == 8) alias = "tsbad3";
-
-            if (path == 11) {
+            if (path.equals("diffpolicy")) {
                 policyId = new ObjectIdentifier(defaultPolicyId);
             }
 
             DerOutputStream statusInfo = new DerOutputStream();
             statusInfo.putInteger(0);
 
-            DerOutputStream token = new DerOutputStream();
             AlgorithmId[] algorithms = {aid};
             Certificate[] chain = ks.getCertificateChain(alias);
-            X509Certificate[] signerCertificateChain = null;
+            X509Certificate[] signerCertificateChain;
             X509Certificate signer = (X509Certificate)chain[0];
-            if (path == 5) {   // Only case 5 uses full chain
+
+            if (path.equals("fullchain")) {   // Only case 5 uses full chain
                 signerCertificateChain = new X509Certificate[chain.length];
                 for (int i=0; i<chain.length; i++) {
                     signerCertificateChain[i] = (X509Certificate)chain[i];
                 }
-            } else if (path == 9) {
+            } else if (path.equals("nocert")) {
                 signerCertificateChain = new X509Certificate[0];
             } else {
                 signerCertificateChain = new X509Certificate[1];
@@ -179,11 +176,11 @@
             tst.putInteger(1);
             tst.putOID(policyId);
 
-            if (path != 3 && path != 4) {
+            if (!path.equals("baddigest") && !path.equals("diffalg")) {
                 tst.putDerValue(messageImprint);
             } else {
                 byte[] data = messageImprint.toByteArray();
-                if (path == 4) {
+                if (path.equals("diffalg")) {
                     data[6] = (byte)0x01;
                 } else {
                     data[data.length-1] = (byte)0x01;
@@ -198,10 +195,10 @@
             Calendar cal = Calendar.getInstance();
             tst.putGeneralizedTime(cal.getTime());
 
-            if (path == 2) {
+            if (path.equals("diffnonce")) {
                 tst.putInteger(1234);
-            } else if (path == 1) {
-                // do nothing
+            } else if (path.equals("nononce")) {
+                // no noce
             } else {
                 tst.putInteger(nonce);
             }
@@ -212,6 +209,8 @@
             DerOutputStream tstInfo2 = new DerOutputStream();
             tstInfo2.putOctetString(tstInfo.toByteArray());
 
+            // Always use the same algorithm at timestamp signing
+            // so it is different from the hash algorithm.
             Signature sig = Signature.getInstance("SHA1withRSA");
             sig.initSign((PrivateKey)(ks.getKey(
                     alias, "changeit".toCharArray())));
@@ -229,12 +228,11 @@
             SignerInfo signerInfo = new SignerInfo(
                     new X500Name(signer.getIssuerX500Principal().getName()),
                     signer.getSerialNumber(),
-                    aid, AlgorithmId.get("RSA"), sig.sign());
+                    AlgorithmId.get("SHA-1"), AlgorithmId.get("RSA"), sig.sign());
 
             SignerInfo[] signerInfos = {signerInfo};
-            PKCS7 p7 =
-                    new PKCS7(algorithms, contentInfo, signerCertificateChain,
-                    signerInfos);
+            PKCS7 p7 = new PKCS7(algorithms, contentInfo,
+                    signerCertificateChain, signerInfos);
             ByteArrayOutputStream p7out = new ByteArrayOutputStream();
             p7.encodeSignedData(p7out);
 
@@ -293,42 +291,79 @@
             stop();
         }
     }
-    public static void main(String[] args) throws Exception {
-        try (Handler tsa = Handler.init(0, TSKS);) {
+
+    public static void main(String[] args) throws Throwable {
+
+        prepare();
+
+        try (Handler tsa = Handler.init(0, "tsks");) {
             tsa.start();
             int port = tsa.getPort();
 
-            String cmd;
-            // Use -J-Djava.security.egd=file:/dev/./urandom to speed up
-            // nonce generation in timestamping request. Not avaibale on
-            // Windows and defaults to thread seed generator, not too bad.
-            if (System.getProperty("java.home").endsWith("jre")) {
-                cmd = System.getProperty("java.home") + "/../bin/jarsigner";
-            } else {
-                cmd = System.getProperty("java.home") + "/bin/jarsigner";
-            }
-
-            cmd += " -J-Djava.security.egd=file:/dev/./urandom"
-                    + " -debug -keystore " + TSKS + " -storepass changeit"
-                    + " -tsa http://localhost:" + port + "/%d"
-                    + " -signedjar new_%d.jar " + JAR + " old";
+            host = "http://localhost:" + port + "/";
 
             if (args.length == 0) {         // Run this test
-                jarsigner(cmd, 0, true);    // Success, normal call
-                jarsigner(cmd, 1, false);   // These 4 should fail
-                jarsigner(cmd, 2, false);
-                jarsigner(cmd, 3, false);
-                jarsigner(cmd, 4, false);
-                jarsigner(cmd, 5, true);    // Success, 6543440 solved.
-                jarsigner(cmd, 6, false);   // tsbad1
-                jarsigner(cmd, 7, false);   // tsbad2
-                jarsigner(cmd, 8, false);   // tsbad3
-                jarsigner(cmd, 9, false);   // no cert in timestamp
-                jarsigner(cmd + " -tsapolicyid 1.2.3.4", 10, true);
-                checkTimestamp("new_10.jar", "1.2.3.4", "SHA-256");
-                jarsigner(cmd + " -tsapolicyid 1.2.3.5", 11, false);
-                jarsigner(cmd + " -tsadigestalg SHA", 12, true);
-                checkTimestamp("new_12.jar", defaultPolicyId, "SHA-1");
+                sign("none")
+                        .shouldContain("is not timestamped")
+                        .shouldHaveExitValue(0);
+
+                sign("badku")
+                        .shouldHaveExitValue(0);
+                checkBadKU("badku.jar");
+
+                sign("normal")
+                        .shouldNotContain("is not timestamped")
+                        .shouldHaveExitValue(0);
+
+                sign("nononce")
+                        .shouldHaveExitValue(1);
+                sign("diffnonce")
+                        .shouldHaveExitValue(1);
+                sign("baddigest")
+                        .shouldHaveExitValue(1);
+                sign("diffalg")
+                        .shouldHaveExitValue(1);
+                sign("fullchain")
+                        .shouldHaveExitValue(0);   // Success, 6543440 solved.
+                sign("bad1")
+                        .shouldHaveExitValue(1);
+                sign("bad2")
+                        .shouldHaveExitValue(1);
+                sign("bad3")
+                        .shouldHaveExitValue(1);
+                sign("nocert")
+                        .shouldHaveExitValue(1);
+
+                sign("policy", "-tsapolicyid",  "1.2.3")
+                        .shouldHaveExitValue(0);
+                checkTimestamp("policy.jar", "1.2.3", "SHA-256");
+
+                sign("diffpolicy", "-tsapolicyid", "1.2.3")
+                        .shouldHaveExitValue(1);
+
+                sign("tsaalg", "-tsadigestalg", "SHA")
+                        .shouldHaveExitValue(0);
+                checkTimestamp("tsaalg.jar", defaultPolicyId, "SHA-1");
+
+                sign("weak", "-digestalg", "MD2",
+                                "-sigalg", "MD2withRSA", "-tsadigestalg", "MD2")
+                        .shouldHaveExitValue(0);
+                checkWeak("weak.jar");
+
+                signWithAliasAndTsa("halfWeak", "old.jar", "old", "-digestalg", "MD5")
+                        .shouldHaveExitValue(0);
+                checkHalfWeak("halfWeak.jar");
+
+                // sign with DSA key
+                signWithAliasAndTsa("sign1", "old.jar", "dsakey")
+                        .shouldHaveExitValue(0);
+                // sign with RSAkeysize < 1024
+                signWithAliasAndTsa("sign2", "sign1.jar", "weakkeysize")
+                        .shouldHaveExitValue(0);
+                checkMultiple("sign2.jar");
+
+                // When .SF or .RSA is missing or invalid
+                checkMissingOrInvalidFiles("normal.jar");
             } else {                        // Run as a standalone server
                 System.err.println("Press Enter to quit server");
                 System.in.read();
@@ -336,6 +371,132 @@
         }
     }
 
+    private static void checkMissingOrInvalidFiles(String s)
+            throws Throwable {
+        JarUtils.updateJar(s, "1.jar", "-", "META-INF/OLD.SF");
+        verify("1.jar", "-verbose")
+                .shouldHaveExitValue(0)
+                .shouldContain("treated as unsigned")
+                .shouldContain("Missing signature-related file META-INF/OLD.SF");
+        JarUtils.updateJar(s, "2.jar", "-", "META-INF/OLD.RSA");
+        verify("2.jar", "-verbose")
+                .shouldHaveExitValue(0)
+                .shouldContain("treated as unsigned")
+                .shouldContain("Missing block file for signature-related file META-INF/OLD.SF");
+        JarUtils.updateJar(s, "3.jar", "META-INF/OLD.SF");
+        verify("3.jar", "-verbose")
+                .shouldHaveExitValue(0)
+                .shouldContain("treated as unsigned")
+                .shouldContain("Unparsable signature-related file META-INF/OLD.SF");
+        JarUtils.updateJar(s, "4.jar", "META-INF/OLD.RSA");
+        verify("4.jar", "-verbose")
+                .shouldHaveExitValue(0)
+                .shouldContain("treated as unsigned")
+                .shouldContain("Unparsable signature-related file META-INF/OLD.RSA");
+    }
+
+    static OutputAnalyzer jarsigner(List<String> extra)
+            throws Throwable {
+        JDKToolLauncher launcher = JDKToolLauncher.createUsingTestJDK("jarsigner")
+                .addVMArg("-Duser.language=en")
+                .addVMArg("-Duser.country=US")
+                .addToolArg("-keystore")
+                .addToolArg("tsks")
+                .addToolArg("-storepass")
+                .addToolArg("changeit");
+        for (String s : extra) {
+            if (s.startsWith("-J")) {
+                launcher.addVMArg(s.substring(2));
+            } else {
+                launcher.addToolArg(s);
+            }
+        }
+        System.err.println("COMMAND: ");
+        for (String cmd : launcher.getCommand()) {
+            System.err.print(cmd + " ");
+        }
+        System.err.println();
+        return ProcessTools.executeCommand(launcher.getCommand());
+    }
+
+    static OutputAnalyzer verify(String file, String... extra)
+            throws Throwable {
+        List<String> args = new ArrayList<>();
+        args.add("-verify");
+        args.add(file);
+        args.addAll(Arrays.asList(extra));
+        return jarsigner(args);
+    }
+
+    static void checkBadKU(String file) throws Throwable {
+        System.err.println("BadKU: " + file);
+        verify(file)
+                .shouldHaveExitValue(0)
+                .shouldContain("treated as unsigned")
+                .shouldContain("re-run jarsigner with debug enabled");
+        verify(file, "-verbose")
+                .shouldHaveExitValue(0)
+                .shouldContain("Signed by")
+                .shouldContain("treated as unsigned")
+                .shouldContain("re-run jarsigner with debug enabled");
+        verify(file, "-J-Djava.security.debug=jar")
+                .shouldHaveExitValue(0)
+                .shouldContain("SignatureException: Key usage restricted")
+                .shouldContain("treated as unsigned")
+                .shouldContain("re-run jarsigner with debug enabled");
+    }
+
+    static void checkWeak(String file) throws Throwable {
+        verify(file)
+                .shouldHaveExitValue(0)
+                .shouldContain("treated as unsigned")
+                .shouldMatch("weak algorithm that is now disabled.")
+                .shouldMatch("Re-run jarsigner with the -verbose option for more details");
+        verify(file, "-verbose")
+                .shouldHaveExitValue(0)
+                .shouldContain("treated as unsigned")
+                .shouldMatch("weak algorithm that is now disabled by")
+                .shouldMatch("Digest algorithm: .*weak")
+                .shouldMatch("Signature algorithm: .*weak")
+                .shouldMatch("Timestamp digest algorithm: .*weak")
+                .shouldNotMatch("Timestamp signature algorithm: .*weak.*weak")
+                .shouldMatch("Timestamp signature algorithm: .*key.*weak");
+        verify(file, "-J-Djava.security.debug=jar")
+                .shouldHaveExitValue(0)
+                .shouldMatch("SignatureException:.*Disabled");
+    }
+
+    static void checkHalfWeak(String file) throws Throwable {
+        verify(file)
+                .shouldHaveExitValue(0)
+                .shouldContain("treated as unsigned")
+                .shouldMatch("weak algorithm that is now disabled.")
+                .shouldMatch("Re-run jarsigner with the -verbose option for more details");
+        verify(file, "-verbose")
+                .shouldHaveExitValue(0)
+                .shouldContain("treated as unsigned")
+                .shouldMatch("weak algorithm that is now disabled by")
+                .shouldMatch("Digest algorithm: .*weak")
+                .shouldNotMatch("Signature algorithm: .*weak")
+                .shouldNotMatch("Timestamp digest algorithm: .*weak")
+                .shouldNotMatch("Timestamp signature algorithm: .*weak.*weak")
+                .shouldNotMatch("Timestamp signature algorithm: .*key.*weak");
+     }
+
+    static void checkMultiple(String file) throws Throwable {
+        verify(file)
+                .shouldHaveExitValue(0)
+                .shouldContain("jar verified");
+        verify(file, "-verbose", "-certs")
+                .shouldHaveExitValue(0)
+                .shouldContain("jar verified")
+                .shouldMatch("X.509.*CN=dsakey")
+                .shouldNotMatch("X.509.*CN=weakkeysize")
+                .shouldMatch("Signed by .*CN=dsakey")
+                .shouldMatch("Signed by .*CN=weakkeysize")
+                .shouldMatch("Signature algorithm: .*key.*weak");
+     }
+
     static void checkTimestamp(String file, String policyId, String digestAlg)
             throws Exception {
         try (JarFile jf = new JarFile(file)) {
@@ -362,41 +523,75 @@
         }
     }
 
+    static int which = 0;
+
     /**
-     * @param cmd the command line (with a hole to plug in)
-     * @param path the path in the URL, i.e, http://localhost/path
-     * @param expected if this command should succeed
+     * @param extra more args given to jarsigner
      */
-    static void jarsigner(String cmd, int path, boolean expected)
-            throws Exception {
-        System.err.println("Test " + path);
-        Process p = Runtime.getRuntime().exec(String.format(cmd, path, path));
-        BufferedReader reader = new BufferedReader(
-                new InputStreamReader(p.getErrorStream()));
-        while (true) {
-            String s = reader.readLine();
-            if (s == null) break;
-            System.err.println(s);
+    static OutputAnalyzer sign(String path, String... extra)
+            throws Throwable {
+        String alias = path.equals("badku") ? "badku" : "old";
+        return signWithAliasAndTsa(path, "old.jar", alias, extra);
+    }
+
+    static OutputAnalyzer signWithAliasAndTsa (String path, String jar,
+            String alias, String...extra) throws Throwable {
+        which++;
+        System.err.println("\n>> Test #" + which + ": " + Arrays.toString(extra));
+        List<String> args = new ArrayList<>();
+        args.add("-J-Djava.security.egd=file:/dev/./urandom");
+        args.add("-debug");
+        args.add("-signedjar");
+        args.add(path + ".jar");
+        args.add(jar);
+        args.add(alias);
+        if (!path.equals("none") && !path.equals("badku")) {
+            args.add("-tsa");
+            args.add(host + path);
+         }
+        args.addAll(Arrays.asList(extra));
+        return jarsigner(args);
+    }
+
+    static void prepare() throws Exception {
+        jdk.testlibrary.JarUtils.createJar("old.jar", "A");
+        Files.deleteIfExists(Paths.get("tsks"));
+        keytool("-alias ca -genkeypair -ext bc -dname CN=CA");
+        keytool("-alias old -genkeypair -dname CN=old");
+        keytool("-alias dsakey -genkeypair -keyalg DSA -dname CN=dsakey");
+        keytool("-alias weakkeysize -genkeypair -keysize 512 -dname CN=weakkeysize");
+        keytool("-alias badku -genkeypair -dname CN=badku");
+        keytool("-alias ts -genkeypair -dname CN=ts");
+        keytool("-alias tsweak -genkeypair -keysize 512 -dname CN=tsbad1");
+        keytool("-alias tsbad1 -genkeypair -dname CN=tsbad1");
+        keytool("-alias tsbad2 -genkeypair -dname CN=tsbad2");
+        keytool("-alias tsbad3 -genkeypair -dname CN=tsbad3");
+
+        gencert("old");
+        gencert("dsakey");
+        gencert("weakkeysize");
+        gencert("badku", "-ext ku:critical=keyAgreement");
+        gencert("ts", "-ext eku:critical=ts");
+        gencert("tsweak", "-ext eku:critical=ts");
+        gencert("tsbad1");
+        gencert("tsbad2", "-ext eku=ts");
+        gencert("tsbad3", "-ext eku:critical=cs");
+    }
+
+    static void gencert(String alias, String... extra) throws Exception {
+        keytool("-alias " + alias + " -certreq -file " + alias + ".req");
+        String genCmd = "-gencert -alias ca -infile " +
+                alias + ".req -outfile " + alias + ".cert";
+        for (String s : extra) {
+            genCmd += " " + s;
         }
+        keytool(genCmd);
+        keytool("-alias " + alias + " -importcert -file " + alias + ".cert");
+    }
 
-        // Will not see noTimestamp warning
-        boolean seeWarning = false;
-        reader = new BufferedReader(
-                new InputStreamReader(p.getInputStream()));
-        while (true) {
-            String s = reader.readLine();
-            if (s == null) break;
-            System.err.println(s);
-            if (s.indexOf("Warning:") >= 0) {
-                seeWarning = true;
-            }
-        }
-        int result = p.waitFor();
-        if (expected && result != 0 || !expected && result == 0) {
-            throw new Exception("Failed");
-        }
-        if (seeWarning) {
-            throw new Exception("See warning");
-        }
+    static void keytool(String cmd) throws Exception {
+        cmd = "-keystore tsks -storepass changeit -keypass changeit " +
+                "-keyalg rsa -validity 200 " + cmd;
+        sun.security.tools.keytool.Main.main(cmd.split(" "));
     }
 }
--- a/test/sun/security/tools/jarsigner/ts.sh	Tue Dec 13 12:52:17 2016 -0800
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,91 +0,0 @@
-#
-# Copyright (c) 2007, 2013, Oracle and/or its affiliates. All rights reserved.
-# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
-# 
-# This code is free software; you can redistribute it and/or modify it
-# under the terms of the GNU General Public License version 2 only, as
-# published by the Free Software Foundation.
-# 
-# This code is distributed in the hope that it will be useful, but WITHOUT
-# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
-# version 2 for more details (a copy is included in the LICENSE file that
-# accompanied this code).
-# 
-# You should have received a copy of the GNU General Public License version
-# 2 along with this work; if not, write to the Free Software Foundation,
-# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
-# 
-# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
-# or visit www.oracle.com if you need additional information or have any
-# questions.
-#
-
-# @test
-# @bug 6543842 6543440 6939248 8009636 8024302
-# @summary checking response of timestamp
-#
-# @run shell/timeout=600 ts.sh
-
-# Run for a long time because jarsigner with timestamp needs to create a
-# 64-bit random number and it might be extremely slow on a machine with
-# not enough entropy pool
-
-# set platform-dependent variables
-OS=`uname -s`
-case "$OS" in
-  Windows_* )
-    FS="\\"
-    ;;
-  * )
-    FS="/"
-    ;;
-esac
-
-if [ "${TESTSRC}" = "" ] ; then
-  TESTSRC="."
-fi
-if [ "${TESTJAVA}" = "" ] ; then
-  JAVAC_CMD=`which javac`
-  TESTJAVA=`dirname $JAVAC_CMD`/..
-fi
-
-JAR="${TESTJAVA}${FS}bin${FS}jar"
-JAVA="${TESTJAVA}${FS}bin${FS}java"
-JAVAC="${TESTJAVA}${FS}bin${FS}javac"
-KT="${TESTJAVA}${FS}bin${FS}keytool -keystore tsks -storepass changeit -keypass changeit -keyalg rsa -validity 200"
-
-rm tsks
-echo Nothing > A
-rm old.jar
-$JAR cvf old.jar A
-
-# ca is CA
-# old is signer for code
-# ts is signer for timestamp
-# tsbad1 has no extendedKeyUsage
-# tsbad2's extendedKeyUsage is non-critical
-# tsbad3's extendedKeyUsage has no timestamping
-
-$KT -alias ca -genkeypair -ext bc -dname CN=CA
-$KT -alias old -genkeypair -dname CN=old
-$KT -alias ts -genkeypair -dname CN=ts
-$KT -alias tsbad1 -genkeypair -dname CN=tsbad1
-$KT -alias tsbad2 -genkeypair -dname CN=tsbad2
-$KT -alias tsbad3 -genkeypair -dname CN=tsbad3
-$KT -alias ts -certreq | \
-        $KT -alias ca -gencert -ext eku:critical=ts | \
-        $KT -alias ts -importcert
-$KT -alias tsbad1 -certreq | \
-        $KT -alias ca -gencert | \
-        $KT -alias tsbad1 -importcert
-$KT -alias tsbad2 -certreq | \
-        $KT -alias ca -gencert -ext eku=ts | \
-        $KT -alias tsbad2 -importcert
-$KT -alias tsbad3 -certreq | \
-        $KT -alias ca -gencert -ext eku:critical=cs | \
-        $KT -alias tsbad3 -importcert
-
-$JAVAC -XDignore.symbol.file -d . ${TESTSRC}/TimestampCheck.java
-$JAVA ${TESTVMOPTS} TimestampCheck
-
--- a/test/sun/security/tools/jarsigner/warnings/Test.java	Tue Dec 13 12:52:17 2016 -0800
+++ b/test/sun/security/tools/jarsigner/warnings/Test.java	Tue Dec 20 13:28:30 2016 -0800
@@ -197,4 +197,21 @@
         cmd.addAll(Arrays.asList(args));
         return ProcessTools.executeCommand(cmd.toArray(new String[cmd.size()]));
     }
+
+    protected OutputAnalyzer keytool(String... cmd) throws Throwable {
+        return tool(KEYTOOL, cmd);
+    }
+
+    protected OutputAnalyzer jarsigner(String... cmd) throws Throwable {
+        return tool(JARSIGNER, cmd);
+    }
+
+    private OutputAnalyzer tool(String tool, String... args) throws Throwable {
+        List<String> cmd = new ArrayList<>();
+        cmd.add(tool);
+        cmd.add("-J-Duser.language=en");
+        cmd.add("-J-Duser.country=US");
+        cmd.addAll(Arrays.asList(args));
+        return ProcessTools.executeCommand(cmd.toArray(new String[cmd.size()]));
+    }
 }
--- a/test/sun/util/calendar/zi/tzdata/VERSION	Tue Dec 13 12:52:17 2016 -0800
+++ b/test/sun/util/calendar/zi/tzdata/VERSION	Tue Dec 20 13:28:30 2016 -0800
@@ -21,4 +21,4 @@
 # or visit www.oracle.com if you need additional information or have any
 # questions.
 #
-tzdata2016f
+tzdata2016i
--- a/test/sun/util/calendar/zi/tzdata/africa	Tue Dec 13 12:52:17 2016 -0800
+++ b/test/sun/util/calendar/zi/tzdata/africa	Tue Dec 20 13:28:30 2016 -0800
@@ -487,7 +487,7 @@
 # http://www.libyaherald.com/2013/10/24/correction-no-time-change-tomorrow/
 #
 # From Paul Eggert (2013-10-25):
-# For now, assume they're reverting to the pre-2012 rules of permanent UTC+2.
+# For now, assume they're reverting to the pre-2012 rules of permanent UT +02.
 
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
 Rule	Libya	1951	only	-	Oct	14	2:00	1:00	S
--- a/test/sun/util/calendar/zi/tzdata/antarctica	Tue Dec 13 12:52:17 2016 -0800
+++ b/test/sun/util/calendar/zi/tzdata/antarctica	Tue Dec 20 13:28:30 2016 -0800
@@ -33,9 +33,7 @@
 # http://www.spri.cam.ac.uk/bob/periant.htm
 # for information.
 # Unless otherwise specified, we have no time zone information.
-#
-# Except for the French entries,
-# I made up all time zone abbreviations mentioned here; corrections welcome!
+
 # FORMAT is '-00' and GMTOFF is 0 for locations while uninhabited.
 
 # Argentina - year-round bases
@@ -52,7 +50,7 @@
 #	previously sealers and scientific personnel wintered
 #	Margaret Turner reports
 #	http://web.archive.org/web/20021204222245/http://www.dstc.qut.edu.au/DST/marg/daylight.html
-#	(1999-09-30) that they're UTC+5, with no DST;
+#	(1999-09-30) that they're UT +05, with no DST;
 #	presumably this is when they have visitors.
 #
 # year-round bases
@@ -89,25 +87,29 @@
 # Background:
 # http://www.timeanddate.com/news/time/antartica-time-changes-2010.html
 
+# From Steffen Thorsen (2016-10-28):
+# Australian Antarctica Division informed us that Casey changed time
+# zone to UTC+11 in "the morning of 22nd October 2016".
+
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone Antarctica/Casey	0	-	-00	1969
-			8:00	-	AWST	2009 Oct 18  2:00
-						# Australian Western Std Time
-			11:00	-	CAST	2010 Mar  5  2:00  # Casey Time
-			8:00	-	AWST	2011 Oct 28  2:00
-			11:00	-	CAST	2012 Feb 21 17:00u
-			8:00	-	AWST
+			8:00	-	+08	2009 Oct 18  2:00
+			11:00	-	+11	2010 Mar  5  2:00
+			8:00	-	+08	2011 Oct 28  2:00
+			11:00	-	+11	2012 Feb 21 17:00u
+			8:00	-	+08	2016 Oct 22
+			11:00	-	+11
 Zone Antarctica/Davis	0	-	-00	1957 Jan 13
-			7:00	-	DAVT	1964 Nov    # Davis Time
+			7:00	-	+07	1964 Nov
 			0	-	-00	1969 Feb
-			7:00	-	DAVT	2009 Oct 18  2:00
-			5:00	-	DAVT	2010 Mar 10 20:00u
-			7:00	-	DAVT	2011 Oct 28  2:00
-			5:00	-	DAVT	2012 Feb 21 20:00u
-			7:00	-	DAVT
+			7:00	-	+07	2009 Oct 18  2:00
+			5:00	-	+05	2010 Mar 10 20:00u
+			7:00	-	+07	2011 Oct 28  2:00
+			5:00	-	+05	2012 Feb 21 20:00u
+			7:00	-	+07
 Zone Antarctica/Mawson	0	-	-00	1954 Feb 13
-			6:00	-	MAWT	2009 Oct 18  2:00 # Mawson Time
-			5:00	-	MAWT
+			6:00	-	+06	2009 Oct 18  2:00
+			5:00	-	+05
 # References:
 # Casey Weather (1998-02-26)
 # http://www.antdiv.gov.au/aad/exop/sfo/casey/casey_aws.html
@@ -161,7 +163,7 @@
 #
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone Indian/Kerguelen	0	-	-00	1950 # Port-aux-Français
-			5:00	-	TFT	# ISO code TF Time
+			5:00	-	+05
 #
 # year-round base in the main continent
 # Dumont d'Urville, Île des Pétrels, -6640+14001, since 1956-11
@@ -172,9 +174,9 @@
 #
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone Antarctica/DumontDUrville 0 -	-00	1947
-			10:00	-	PMT	1952 Jan 14 # Port-Martin Time
+			10:00	-	+10	1952 Jan 14
 			0	-	-00	1956 Nov
-			10:00	-	DDUT	# Dumont-d'Urville Time
+			10:00	-	+10
 
 # France & Italy - year-round base
 # Concordia, -750600+1232000, since 2005
@@ -200,7 +202,7 @@
 # station of Japan, it's appropriate for the principal location.
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone Antarctica/Syowa	0	-	-00	1957 Jan 29
-			3:00	-	SYOT	# Syowa Time
+			3:00	-	+03
 # See:
 # NIPR Antarctic Research Activities (1999-08-17)
 # http://www.nipr.ac.jp/english/ara01.html
@@ -237,17 +239,17 @@
 # correct, but they should be quite close to the actual dates.
 #
 # From Paul Eggert (2014-03-21):
-# The CET-switching Troll rules require zic from tzcode 2014b or later, so as
+# The CET-switching Troll rules require zic from tz 2014b or later, so as
 # suggested by Bengt-Inge Larsson comment them out for now, and approximate
 # with only UTC and CEST.  Uncomment them when 2014b is more prevalent.
 #
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
-#Rule	Troll	2005	max	-	Mar	 1	1:00u	1:00	CET
-Rule	Troll	2005	max	-	Mar	lastSun	1:00u	2:00	CEST
-#Rule	Troll	2005	max	-	Oct	lastSun	1:00u	1:00	CET
-#Rule	Troll	2004	max	-	Nov	 7	1:00u	0:00	UTC
+#Rule	Troll	2005	max	-	Mar	 1	1:00u	1:00	+01
+Rule	Troll	2005	max	-	Mar	lastSun	1:00u	2:00	+02
+#Rule	Troll	2005	max	-	Oct	lastSun	1:00u	1:00	+01
+#Rule	Troll	2004	max	-	Nov	 7	1:00u	0:00	+00
 # Remove the following line when uncommenting the above '#Rule' lines.
-Rule	Troll	2004	max	-	Oct	lastSun	1:00u	0:00	UTC
+Rule	Troll	2004	max	-	Oct	lastSun	1:00u	0:00	+00
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone Antarctica/Troll	0	-	-00	2005 Feb 12
 			0:00	Troll	%s
@@ -288,10 +290,10 @@
 # changes during the year and does not necessarily correspond to mean
 # solar noon.  So the Vostok time might have been whatever the clocks
 # happened to be during their visit.  So we still don't really know what time
-# it is at Vostok.  But we'll guess UTC+6.
+# it is at Vostok.  But we'll guess +06.
 #
 Zone Antarctica/Vostok	0	-	-00	1957 Dec 16
-			6:00	-	VOST	# Vostok time
+			6:00	-	+06
 
 # S Africa - year-round bases
 # Marion Island, -4653+03752
@@ -324,7 +326,7 @@
 #
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone Antarctica/Rothera	0	-	-00	1976 Dec  1
-			-3:00	-	ROTT	# Rothera time
+			-3:00	-	-03
 
 # Uruguay - year round base
 # Artigas, King George Island, -621104-0585107
--- a/test/sun/util/calendar/zi/tzdata/asia	Tue Dec 13 12:52:17 2016 -0800
+++ b/test/sun/util/calendar/zi/tzdata/asia	Tue Dec 20 13:28:30 2016 -0800
@@ -139,13 +139,11 @@
 # http://www.worldtimezone.com/dst_news/dst_news_armenia03.html
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone	Asia/Yerevan	2:58:00 -	LMT	1924 May  2
-			3:00	-	YERT	1957 Mar    # Yerevan Time
-			4:00 RussiaAsia YER%sT	1991 Mar 31  2:00s
-			3:00	1:00	YERST	1991 Sep 23 # independence
-			3:00 RussiaAsia	AM%sT	1995 Sep 24  2:00s
-			4:00	-	AMT	1997
-			4:00 RussiaAsia	AM%sT	2012 Feb  9
-			4:00	-	AMT
+			3:00	-	+03	1957 Mar
+			4:00 RussiaAsia +04/+05	1991 Mar 31  2:00s
+			3:00 RussiaAsia	+03/+04	1995 Sep 24  2:00s
+			4:00	-	+04	1997
+			4:00 RussiaAsia	+04/+05
 
 # Azerbaijan
 
@@ -166,13 +164,12 @@
 Rule	Azer	1997	2015	-	Oct	lastSun	 5:00	0	-
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone	Asia/Baku	3:19:24 -	LMT	1924 May  2
-			3:00	-	BAKT	1957 Mar    # Baku Time
-			4:00 RussiaAsia BAK%sT	1991 Mar 31  2:00s
-			3:00	1:00	BAKST	1991 Aug 30 # independence
-			3:00 RussiaAsia	AZ%sT	1992 Sep lastSun  2:00s
-			4:00	-	AZT	1996     # Azerbaijan Time
-			4:00	EUAsia	AZ%sT	1997
-			4:00	Azer	AZ%sT
+			3:00	-	+03	1957 Mar
+			4:00 RussiaAsia +04/+05	1991 Mar 31  2:00s
+			3:00 RussiaAsia	+03/+04	1992 Sep lastSun  2:00s
+			4:00	-	+04	1996
+			4:00	EUAsia	+04/+05	1997
+			4:00	Azer	+04/+05
 
 # Bahrain
 # See Asia/Qatar.
@@ -291,7 +288,7 @@
 # Milne says 6:24:40 was the meridian of the time ball observatory at Rangoon.
 
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
-Zone	Asia/Rangoon	6:24:40 -	LMT	1880        # or Yangon
+Zone	Asia/Yangon	6:24:40 -	LMT	1880        # or Rangoon
 			6:24:40	-	RMT	1920        # Rangoon Mean Time?
 			6:30	-	BURT	1942 May    # Burma Time
 			9:00	-	JST	1945 May  3
@@ -406,7 +403,7 @@
 # Lewiston (ME) Daily Sun (1939-05-29), p 17, said "Even the time is
 # different - the occupied districts going by Tokyo time, an hour
 # ahead of that prevailing in the rest of Shanghai."  Guess that the
-# Xujiahui Observatory was under French control and stuck with UT+8.
+# Xujiahui Observatory was under French control and stuck with UT +08.
 #
 # In earlier versions of this file, China had many separate Zone entries, but
 # this was based on what were apparently incorrect data in Shanks & Pottenger.
@@ -415,26 +412,26 @@
 # Proposed in 1918 and theoretically in effect until 1949 (although in practice
 # mainly observed in coastal areas), the five zones were:
 #
-# Changbai Time ("Long-white Time", Long-white = Heilongjiang area) UT+8.5
+# Changbai Time ("Long-white Time", Long-white = Heilongjiang area) UT +08:30
 # Asia/Harbin (currently a link to Asia/Shanghai)
 # Heilongjiang (except Mohe county), Jilin
 #
-# Zhongyuan Time ("Central plain Time") UT+8
+# Zhongyuan Time ("Central plain Time") UT +08
 # Asia/Shanghai
 # most of China
 # This currently represents most other zones as well,
 # as apparently these regions have been the same since 1970.
 # Milne gives 8:05:43.2 for Xujiahui Observatory time; round to nearest.
-# Guo says Shanghai switched to UT+8 "from the end of the 19th century".
+# Guo says Shanghai switched to UT +08 "from the end of the 19th century".
 #
-# Long-shu Time (probably due to Long and Shu being two names of that area) UT+7
+# Long-shu Time (probably due to Long and Shu being two names of the area) UT +07
 # Asia/Chongqing (currently a link to Asia/Shanghai)
 # Guangxi, Guizhou, Hainan, Ningxia, Sichuan, Shaanxi, and Yunnan;
 # most of Gansu; west Inner Mongolia; west Qinghai; and the Guangdong
 # counties Deqing, Enping, Kaiping, Luoding, Taishan, Xinxing,
 # Yangchun, Yangjiang, Yu'nan, and Yunfu.
 #
-# Xin-zang Time ("Xinjiang-Tibet Time") UT+6
+# Xin-zang Time ("Xinjiang-Tibet Time") UT +06
 # Asia/Urumqi
 # This currently represents Kunlun Time as well,
 # as apparently the two regions have been the same since 1970.
@@ -447,7 +444,7 @@
 # Shihezi, Changji, Yanqi, Heshuo, Tuokexun, Tulufan, Shanshan, Hami,
 # Fukang, Kuitun, Kumukuli, Miquan, Qitai, and Turfan.
 #
-# Kunlun Time UT+5.5
+# Kunlun Time UT +05:30
 # Asia/Kashgar (currently a link to Asia/Urumqi)
 # West Tibet, including Pulan, Aheqi, Shufu, Shule;
 # West Xinjiang, including Aksu, Atushi, Yining, Hetian, Cele, Luopu, Nileke,
@@ -463,7 +460,7 @@
 #
 # On the other hand, ethnic Uyghurs, who make up about half the
 # population of Xinjiang, typically use "Xinjiang time" which is two
-# hours behind Beijing time, or UTC +0600. The government of the Xinjiang
+# hours behind Beijing time, or UT +06. The government of the Xinjiang
 # Uyghur Autonomous Region, (XAUR, or just Xinjiang for short) as well as
 # local governments such as the Ürümqi city government use both times in
 # publications, referring to what is popularly called Xinjiang time as
@@ -519,8 +516,8 @@
 # having the same time as Beijing.
 
 # From Paul Eggert (2014-06-30):
-# In the early days of the PRC, Tibet was given its own time zone (UT+6) but
-# this was withdrawn in 1959 and never reinstated; see Tubten Khétsun,
+# In the early days of the PRC, Tibet was given its own time zone (UT +06)
+# but this was withdrawn in 1959 and never reinstated; see Tubten Khétsun,
 # Memories of life in Lhasa under Chinese Rule, Columbia U Press, ISBN
 # 978-0231142861 (2008), translator's introduction by Matthew Akester, p x.
 # As this is before our 1970 cutoff, Tibet doesn't need a separate zone.
@@ -534,12 +531,12 @@
 # Republics, the Soviet Union, the Kuomintang, and the People's Republic of
 # China, and tracking down all these organizations' timekeeping rules would be
 # quite a trick.  Approximate this lost history by a transition from LMT to
-# XJT at the start of 1928, the year of accession of the warlord Jin Shuren,
+# UT +06 at the start of 1928, the year of accession of the warlord Jin Shuren,
 # which happens to be the date given by Shanks & Pottenger (no doubt as a
-# guess) as the transition from LMT.  Ignore the usage of UT+8 before
-# 1986-02-01 under the theory that the transition date to UT+8 is unknown and
+# guess) as the transition from LMT.  Ignore the usage of +08 before
+# 1986-02-01 under the theory that the transition date to +08 is unknown and
 # that the sort of users who prefer Asia/Urumqi now typically ignored the
-# UT+8 mandate back then.
+# +08 mandate back then.
 
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 # Beijing time, used throughout China; represented by Shanghai.
@@ -744,7 +741,7 @@
 # be found from historical government announcement database.
 
 # From Paul Eggert (2014-07-03):
-# As per Yu-Cheng Chuang, say that Taiwan was at UT+9 from 1937-10-01
+# As per Yu-Cheng Chuang, say that Taiwan was at UT +09 from 1937-10-01
 # until 1945-09-21 at 01:00, overriding Shanks & Pottenger.
 # Likewise, use Yu-Cheng Chuang's data for DST in Taiwan.
 
@@ -797,9 +794,19 @@
 ###############################################################################
 
 # Cyprus
+
+# Milne says the Eastern Telegraph Company used 2:14:00.  Stick with LMT.
+# IATA SSIM (1998-09) has Cyprus using EU rules for the first time.
+
+# From Paul Eggert (2016-09-09):
+# Yesterday's Cyprus Mail reports that Northern Cyprus followed Turkey's
+# lead and switched from +02/+03 to +03 year-round.
+# http://cyprus-mail.com/2016/09/08/two-time-zones-cyprus-turkey-will-not-turn-clocks-back-next-month/
 #
-# Milne says the Eastern Telegraph Company used 2:14:00.  Stick with LMT.
-#
+# From Even Scharning (2016-10-31):
+# Looks like the time zone split in Cyprus went through last night.
+# http://cyprus-mail.com/2016/10/30/cyprus-new-division-two-time-zones-now-reality/
+
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
 Rule	Cyprus	1975	only	-	Apr	13	0:00	1:00	S
 Rule	Cyprus	1975	only	-	Oct	12	0:00	0	-
@@ -814,7 +821,10 @@
 Zone	Asia/Nicosia	2:13:28 -	LMT	1921 Nov 14
 			2:00	Cyprus	EE%sT	1998 Sep
 			2:00	EUAsia	EE%sT
-# IATA SSIM (1998-09) has Cyprus using EU rules for the first time.
+Zone	Asia/Famagusta	2:15:48	-	LMT	1921 Nov 14
+			2:00	Cyprus	EE%sT	1998 Sep
+			2:00	EUAsia	EE%sT	2016 Sep  8
+			3:00	-	+03
 
 # Classically, Cyprus belongs to Asia; e.g. see Herodotus, Histories, I.72.
 # However, for various reasons many users expect to find it under Europe.
@@ -858,16 +868,15 @@
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone	Asia/Tbilisi	2:59:11 -	LMT	1880
 			2:59:11	-	TBMT	1924 May  2 # Tbilisi Mean Time
-			3:00	-	TBIT	1957 Mar    # Tbilisi Time
-			4:00 RussiaAsia TBI%sT	1991 Mar 31  2:00s
-			3:00	1:00	TBIST	1991 Apr  9 # independence
-			3:00 RussiaAsia GE%sT	1992        # Georgia Time
-			3:00 E-EurAsia	GE%sT	1994 Sep lastSun
-			4:00 E-EurAsia	GE%sT	1996 Oct lastSun
-			4:00	1:00	GEST	1997 Mar lastSun
-			4:00 E-EurAsia	GE%sT	2004 Jun 27
-			3:00 RussiaAsia	GE%sT	2005 Mar lastSun  2:00
-			4:00	-	GET
+			3:00	-	+03	1957 Mar
+			4:00 RussiaAsia +04/+05	1991 Mar 31  2:00s
+			3:00 RussiaAsia +03/+04	1992
+			3:00 E-EurAsia	+03/+04	1994 Sep lastSun
+			4:00 E-EurAsia	+04/+05	1996 Oct lastSun
+			4:00	1:00	+05	1997 Mar lastSun
+			4:00 E-EurAsia	+04/+05	2004 Jun 27
+			3:00 RussiaAsia	+03/+04	2005 Mar lastSun  2:00
+			4:00	-	+04
 
 # East Timor
 
@@ -944,7 +953,7 @@
 # These would be the earliest possible times for a change.
 # Régimes horaires pour le monde entier, by Henri Le Corre, (Éditions
 # Traditionnelles, 1987, Paris) says that Java and Madura switched
-# from JST to UTC+07:30 on 1945-09-23, and gives 1944-09-01 for Jayapura
+# from UT +09 to +07:30 on 1945-09-23, and gives 1944-09-01 for Jayapura
 # (Hollandia).  For now, assume all Indonesian locations other than Jayapura
 # switched on 1945-09-23.
 #
@@ -955,11 +964,11 @@
 # summary published by the Time and Frequency Laboratory of the
 # Research Center for Calibration, Instrumentation and Metrology,
 # Indonesia, <http://time.kim.lipi.go.id/time-eng.php> (2006-09-29).
-# The abbreviations are:
+# The time zone abbreviations and UT offsets are:
 #
-# WIB  - UTC+7 - Waktu Indonesia Barat (Indonesia western time)
-# WITA - UTC+8 - Waktu Indonesia Tengah (Indonesia central time)
-# WIT  - UTC+9 - Waktu Indonesia Timur (Indonesia eastern time)
+# WIB  - +07 - Waktu Indonesia Barat (Indonesia western time)
+# WITA - +08 - Waktu Indonesia Tengah (Indonesia central time)
+# WIT  - +09 - Waktu Indonesia Timur (Indonesia eastern time)
 #
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 # Java, Sumatra
@@ -1848,11 +1857,11 @@
 Rule	Kyrgyz	1997	2004	-	Oct	lastSun	2:30	0	-
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone	Asia/Bishkek	4:58:24 -	LMT	1924 May  2
-			5:00	-	FRUT	1930 Jun 21 # Frunze Time
-			6:00 RussiaAsia FRU%sT	1991 Mar 31  2:00s
-			5:00	1:00	FRUST	1991 Aug 31  2:00 # independence
-			5:00	Kyrgyz	KG%sT	2005 Aug 12 # Kyrgyzstan Time
-			6:00	-	KGT
+			5:00	-	+05	1930 Jun 21
+			6:00 RussiaAsia +06/+07	1991 Mar 31  2:00s
+			5:00 RussiaAsia	+05/+06	1991 Aug 31  2:00
+			5:00	Kyrgyz	+05/+06	2005 Aug 12
+			6:00	-	+06
 
 ###############################################################################
 
@@ -1891,25 +1900,24 @@
 Rule	ROK	1987	1988	-	May	Sun>=8	2:00	1:00	D
 Rule	ROK	1987	1988	-	Oct	Sun>=8	3:00	0	S
 
-# From Paul Eggert (2014-10-30):
+# From Paul Eggert (2016-08-23):
 # The Korean Wikipedia entry gives the following sources for UT offsets:
 #
-# 1908: Official Journal Article No. 3994 (Edict No. 5)
+# 1908: Official Journal Article No. 3994 (decree No. 5)
 # 1912: Governor-General of Korea Official Gazette Issue No. 367
 #       (Announcement No. 338)
 # 1954: Presidential Decree No. 876 (1954-03-17)
 # 1961: Law No. 676 (1961-08-07)
-# 1987: Law No. 3919 (1986-12-31)
 #
-# The Wikipedia entry also has confusing information about a change
-# to UT+9 in April 1910, but then what would be the point of the later change
-# to UT+9 on 1912-01-01?  Omit the 1910 change for now.
+# (Another source "1987: Law No. 3919 (1986-12-31)" was in the 2014-10-30
+# edition of the Korean Wikipedia entry.)
 #
 # I guessed that time zone abbreviations through 1945 followed the same
 # rules as discussed under Taiwan, with nominal switches from JST to KST
 # when the respective cities were taken over by the Allies after WWII.
 #
-# For Pyongyang we have no information; guess no changes since World War II.
+# For Pyongyang, guess no changes from World War II until 2015, as we
+# have no information otherwise.
 
 # From Steffen Thorsen (2015-08-07):
 # According to many news sources, North Korea is going to change to
@@ -2069,7 +2077,7 @@
 # Bill Bonnet (2005-05-19) reports that the US Embassy in Ulaanbaatar says
 # there is only one time zone and that DST is observed, citing Microsoft
 # Windows XP as the source.  Risto Nykänen (2005-05-16) reports that
-# travelmongolia.org says there are two time zones (UTC+7, UTC+8) with no DST.
+# travelmongolia.org says there are two time zones (UT +07, +08) with no DST.
 # Oscar van Vlijmen (2005-05-20) reports that the Mongolian Embassy in
 # Washington, DC says there are two time zones, with DST observed.
 # He also found
@@ -2572,11 +2580,6 @@
 # From Paul Eggert (2015-03-03):
 # http://www.timeanddate.com/time/change/west-bank/ramallah?year=2014
 # says that the fall 2014 transition was Oct 23 at 24:00.
-# For future dates, guess the last Friday in March at 24:00 through
-# the first Friday on or after October 21 at 00:00.  This is consistent with
-# the predictions in today's editions of the following URLs:
-# http://www.timeanddate.com/time/change/gaza-strip/gaza
-# http://www.timeanddate.com/time/change/west-bank/hebron
 
 # From Hannah Kreitem (2016-03-09):
 # http://www.palestinecabinet.gov.ps/WebSite/ar/ViewDetails?ID=31728
@@ -2586,7 +2589,21 @@
 #
 # From Paul Eggert (2016-03-12):
 # Predict spring transitions on March's last Saturday at 01:00 from now on.
-# Leave fall predictions alone for now.
+
+# From Sharef Mustafa (2016-10-19):
+# [T]he Palestinian cabinet decision (Mar 8th 2016) published on
+# http://www.palestinecabinet.gov.ps/WebSite/Upload/Decree/GOV_17/16032016134830.pdf
+# states that summer time will end on Oct 29th at 01:00.
+#
+# From Tim Parenti (2016-10-19):
+# Predict fall transitions on October's last Saturday at 01:00 from now on.
+# This is consistent with the 2016 transition as well as our spring
+# predictions.
+#
+# From Paul Eggert (2016-10-19):
+# It's also consistent with predictions in the following URLs today:
+# http://www.timeanddate.com/time/change/gaza-strip/gaza
+# http://www.timeanddate.com/time/change/west-bank/hebron
 
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
 Rule EgyptAsia	1957	only	-	May	10	0:00	1:00	S
@@ -2615,9 +2632,10 @@
 Rule Palestine	2012	2014	-	Mar	lastThu	24:00	1:00	S
 Rule Palestine	2012	only	-	Sep	21	1:00	0	-
 Rule Palestine	2013	only	-	Sep	Fri>=21	0:00	0	-
-Rule Palestine	2014	max	-	Oct	Fri>=21	0:00	0	-
+Rule Palestine	2014	2015	-	Oct	Fri>=21	0:00	0	-
 Rule Palestine	2015	only	-	Mar	lastFri	24:00	1:00	S
 Rule Palestine	2016	max	-	Mar	lastSat	1:00	1:00	S
+Rule Palestine	2016	max	-	Oct	lastSat	1:00	0	-
 
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone	Asia/Gaza	2:17:52	-	LMT	1900 Oct
@@ -2705,7 +2723,7 @@
 # earlier date.
 #
 # Shanks & Pottenger also state that until 1968-05-01 Saudi Arabia had two
-# time zones; the other zone, at UTC+4, was in the far eastern part of
+# time zones; the other zone, at UT +04, was in the far eastern part of
 # the country.  Ignore this, as it's before our 1970 cutoff.
 #
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
@@ -2767,45 +2785,31 @@
 # People who live in regions under Tamil control can use [TZ='Asia/Kolkata'],
 # as that zone has agreed with the Tamil areas since our cutoff date of 1970.
 
-# From K Sethu (2006-04-25):
-# I think the abbreviation LKT originated from the world of computers at
-# the time of or subsequent to the time zone changes by SL Government
-# twice in 1996 and probably SL Government or its standardization
-# agencies never declared an abbreviation as a national standard.
+# From Sadika Sumanapala (2016-10-19):
+# According to http://www.sltime.org (maintained by Measurement Units,
+# Standards & Services Department, Sri Lanka) abbreviation for Sri Lanka
+# standard time is SLST.
 #
-# I recollect before the recent change the government announcements
-# mentioning it as simply changing Sri Lanka Standard Time or Sri Lanka
-# Time and no mention was made about the abbreviation.
-#
-# If we look at Sri Lanka Department of Government's "Official News
-# Website of Sri Lanka" ... http://www.news.lk/ we can see that they
-# use SLT as abbreviation in time stamp at the beginning of each news
-# item....
-#
-# Within Sri Lanka I think LKT is well known among computer users and
-# administrators.  In my opinion SLT may not be a good choice because the
-# nation's largest telcom / internet operator Sri Lanka Telcom is well
-# known by that abbreviation - simply as SLT (there IP domains are
-# slt.lk and sltnet.lk).
-#
-# But if indeed our government has adopted SLT as standard abbreviation
-# (that we have not known so far) then  it is better that it be used for
-# all computers.
-
-# From Paul Eggert (2006-04-25):
-# One possibility is that we wait for a bit for the dust to settle down
-# and then see what people actually say in practice.
+# From Paul Eggert (2016-10-18):
+# "SLST" seems to be reasonably recent and rarely-used outside time
+# zone nerd sources.  I searched Google News and found three uses of
+# it in the International Business Times of India in February and
+# March of this year when discussing cricket match times, but nothing
+# since then (though there has been a lot of cricket) and nothing in
+# other English-language news sources.  Our old abbreviation "LKT" is
+# even worse.  For now, let's use a numeric abbreviation; we can
+# switch to "SLST" if it catches on.
 
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone	Asia/Colombo	5:19:24 -	LMT	1880
 			5:19:32	-	MMT	1906        # Moratuwa Mean Time
-			5:30	-	IST	1942 Jan  5
-			5:30	0:30	IHST	1942 Sep
-			5:30	1:00	IST	1945 Oct 16  2:00
-			5:30	-	IST	1996 May 25  0:00
-			6:30	-	LKT	1996 Oct 26  0:30
-			6:00	-	LKT	2006 Apr 15  0:30
-			5:30	-	IST
+			5:30	-	+0530	1942 Jan  5
+			5:30	0:30	+0530/+06 1942 Sep
+			5:30	1:00	+0530/+0630 1945 Oct 16  2:00
+			5:30	-	+0530	1996 May 25  0:00
+			6:30	-	+0630	1996 Oct 26  0:30
+			6:00	-	+06	2006 Apr 15  0:30
+			5:30	-	+0530
 
 # Syria
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
@@ -2974,10 +2978,10 @@
 # From Shanks & Pottenger.
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone	Asia/Dushanbe	4:35:12 -	LMT	1924 May  2
-			5:00	-	DUST	1930 Jun 21 # Dushanbe Time
-			6:00 RussiaAsia DUS%sT	1991 Mar 31  2:00s
-			5:00	1:00	DUSST	1991 Sep  9  2:00s
-			5:00	-	TJT	# Tajikistan Time
+			5:00	-	+05	1930 Jun 21
+			6:00 RussiaAsia +06/+07	1991 Mar 31  2:00s
+			5:00	1:00	+05/+06	1991 Sep  9  2:00s
+			5:00	-	+05
 
 # Thailand
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
@@ -2991,11 +2995,10 @@
 # From Shanks & Pottenger.
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone	Asia/Ashgabat	3:53:32 -	LMT	1924 May  2 # or Ashkhabad
-			4:00	-	ASHT	1930 Jun 21 # Ashkhabad Time
-			5:00 RussiaAsia	ASH%sT	1991 Mar 31  2:00
-			4:00 RussiaAsia	ASH%sT	1991 Oct 27 # independence
-			4:00 RussiaAsia	TM%sT	1992 Jan 19  2:00
-			5:00	-	TMT
+			4:00	-	+04	1930 Jun 21
+			5:00 RussiaAsia	+05/+06	1991 Mar 31  2:00
+			4:00 RussiaAsia	+04/+05	1992 Jan 19  2:00
+			5:00	-	+05
 
 # United Arab Emirates
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
@@ -3007,20 +3010,18 @@
 # Byalokoz 1919 says Uzbekistan was 4:27:53.
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone	Asia/Samarkand	4:27:53 -	LMT	1924 May  2
-			4:00	-	SAMT	1930 Jun 21 # Samarkand Time
-			5:00	-	SAMT	1981 Apr  1
-			5:00	1:00	SAMST	1981 Oct  1
-			6:00	-	TAST	1982 Apr  1 # Tashkent Time
-			5:00 RussiaAsia	SAM%sT	1991 Sep  1 # independence
-			5:00 RussiaAsia	UZ%sT	1992
-			5:00	-	UZT
+			4:00	-	+04	1930 Jun 21
+			5:00	-	+05	1981 Apr  1
+			5:00	1:00	+06	1981 Oct  1
+			6:00	-	+06	1982 Apr  1
+			5:00 RussiaAsia	+05/+06	1992
+			5:00	-	+05
 # Milne says Tashkent was 4:37:10.8; round to nearest.
 Zone	Asia/Tashkent	4:37:11 -	LMT	1924 May  2
-			5:00	-	TAST	1930 Jun 21 # Tashkent Time
-			6:00 RussiaAsia	TAS%sT	1991 Mar 31  2:00
-			5:00 RussiaAsia	TAS%sT	1991 Sep  1 # independence
-			5:00 RussiaAsia	UZ%sT	1992
-			5:00	-	UZT
+			5:00	-	+05	1930 Jun 21
+			6:00 RussiaAsia	+06/+07	1991 Mar 31  2:00
+			5:00 RussiaAsia	+05/+06	1992
+			5:00	-	+05
 
 # Vietnam
 
--- a/test/sun/util/calendar/zi/tzdata/australasia	Tue Dec 13 12:52:17 2016 -0800
+++ b/test/sun/util/calendar/zi/tzdata/australasia	Tue Dec 20 13:28:30 2016 -0800
@@ -373,7 +373,13 @@
 # commencing at 2.00 am on Sunday 1st November, 2015 and ending at
 # 3.00 am on Sunday 17th January, 2016.
 
-# From Paul Eggert (2015-09-01):
+# From Raymond Kumar (2016-10-04):
+# http://www.fiji.gov.fj/Media-Center/Press-Releases/DAYLIGHT-SAVING-STARTS-ON-6th-NOVEMBER,-2016.aspx
+# "Fiji's daylight savings will begin on Sunday, 6 November 2016, when
+# clocks go forward an hour at 2am to 3am....  Daylight Saving will
+# end at 3.00am on Sunday 15th January 2017."
+
+# From Paul Eggert (2016-10-03):
 # For now, guess DST from 02:00 the first Sunday in November to
 # 03:00 the third Sunday in January.  Although ad hoc, it matches
 # transitions since late 2014 and seems more likely to match future
@@ -568,7 +574,7 @@
 # Base the Bougainville entry on the Arawa-Kieta region, which appears to have
 # the most people even though it was devastated in the Bougainville Civil War.
 #
-# Although Shanks gives 1942-03-15 / 1943-11-01 for JST, these dates
+# Although Shanks gives 1942-03-15 / 1943-11-01 for UT +09, these dates
 # are apparently rough guesswork from the starts of military campaigns.
 # The World War II entries below are instead based on Arawa-Kieta.
 # The Japanese occupied Kieta in July 1942,
@@ -576,8 +582,8 @@
 # http://pwencycl.kgbudge.com/B/o/Bougainville.htm
 # and seem to have controlled it until their 1945-08-21 surrender.
 #
-# The Autonomous Region of Bougainville plans to switch from UTC+10 to UTC+11
-# on 2014-12-28 at 02:00.  They call UTC+11 "Bougainville Standard Time";
+# The Autonomous Region of Bougainville switched from UT +10 to +11
+# on 2014-12-28 at 02:00.  They call +11 "Bougainville Standard Time";
 # abbreviate this as BST.  See:
 # http://www.bougainville24.com/bougainville-issues/bougainville-gets-own-timezone/
 #
@@ -643,7 +649,7 @@
 # From Paul Eggert (2014-06-27):
 # The International Date Line Act 2011
 # http://www.parliament.gov.ws/images/ACTS/International_Date_Line_Act__2011_-_Eng.pdf
-# changed Samoa from UTC-11 to UTC+13, effective "12 o'clock midnight, on
+# changed Samoa from UT -11 to +13, effective "12 o'clock midnight, on
 # Thursday 29th December 2011".  The International Date Line was adjusted
 # accordingly.
 
@@ -719,11 +725,13 @@
 Rule	Tonga	2000	only	-	Mar	19	2:00s	0	-
 Rule	Tonga	2000	2001	-	Nov	Sun>=1	2:00	1:00	S
 Rule	Tonga	2001	2002	-	Jan	lastSun	2:00	0	-
+Rule	Tonga	2016	max	-	Nov	Sun>=1	2:00	1:00	S
+Rule	Tonga	2017	max	-	Jan	Sun>=15	3:00	0	-
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone Pacific/Tongatapu	12:19:20 -	LMT	1901
-			12:20	-	TOT	1941 # Tonga Time
-			13:00	-	TOT	1999
-			13:00	Tonga	TO%sT
+			12:20	-	+1220	1941
+			13:00	-	+13	1999
+			13:00	Tonga	+13/+14
 
 # Tuvalu
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
@@ -738,7 +746,7 @@
 # 1886-1891; Baker was similar but exact dates are not known.
 # Inhabited by civilians 1935-1942; U.S. military bases 1943-1944;
 # uninhabited thereafter.
-# Howland observed Hawaii Standard Time (UT-10:30) in 1937;
+# Howland observed Hawaii Standard Time (UT -10:30) in 1937;
 # see page 206 of Elgen M. Long and Marie K. Long,
 # Amelia Earhart: the Mystery Solved, Simon & Schuster (2000).
 # So most likely Howland and Baker observed Hawaii Time from 1935
@@ -1496,7 +1504,7 @@
 # Zealand time.  I understand that is the time they keep locally, anyhow."
 # For now, assume this practice goes back to the introduction of standard time
 # in New Zealand, as this would make Chatham Islands time almost exactly match
-# LMT back when New Zealand was at UTC+11:30; also, assume Chatham Islands did
+# LMT back when New Zealand was at UT +11:30; also, assume Chatham Islands did
 # not observe New Zealand's prewar DST.
 
 ###############################################################################
@@ -1552,7 +1560,7 @@
 # For now, we assume the Ladrones switched at the same time as the Philippines;
 # see Asia/Manila.
 
-# US Public Law 106-564 (2000-12-23) made UTC+10 the official standard time,
+# US Public Law 106-564 (2000-12-23) made UT +10 the official standard time,
 # under the name "Chamorro Standard Time".  There is no official abbreviation,
 # but Congressman Robert A. Underwood, author of the bill that became law,
 # wrote in a press release (2000-12-27) that he will seek the use of "ChST".
@@ -1564,15 +1572,15 @@
 # "I am certain, having lived there for the past decade, that 'Truk'
 # (now properly known as Chuuk) ... is in the time zone GMT+10."
 #
-# Shanks & Pottenger write that Truk switched from UTC+10 to UTC+11
+# Shanks & Pottenger write that Truk switched from UT +10 to +11
 # on 1978-10-01; ignore this for now.
 
 # From Paul Eggert (1999-10-29):
 # The Federated States of Micronesia Visitors Board writes in
 # The Federated States of Micronesia - Visitor Information (1999-01-26)
 # http://www.fsmgov.org/info/clocks.html
-# that Truk and Yap are UTC+10, and Ponape and Kosrae are UTC+11.
-# We don't know when Kosrae switched from UTC+12; assume January 1 for now.
+# that Truk and Yap are UT +10, and Ponape and Kosrae are +11.
+# We don't know when Kosrae switched from +12; assume January 1 for now.
 
 
 # Midway
@@ -1638,11 +1646,11 @@
 # ordaining - by a masterpiece of diplomatic flattery - that
 # the Fourth of July should be celebrated twice in that year."
 
-# Although Shanks & Pottenger says they both switched to UTC-11:30
-# in 1911, and to UTC-11 in 1950. many earlier sources give UTC-11
+# Although Shanks & Pottenger says they both switched to UT -11:30
+# in 1911, and to -11 in 1950. many earlier sources give -11
 # for American Samoa, e.g., the US National Bureau of Standards
 # circular "Standard Time Throughout the World", 1932.
-# Assume American Samoa switched to UTC-11 in 1911, not 1950,
+# Assume American Samoa switched to -11 in 1911, not 1950,
 # and that after 1950 they agreed until (western) Samoa skipped a
 # day in 2011.  Assume also that the Samoas follow the US and New
 # Zealand's "ST"/"DT" style of daylight-saving abbreviations.
@@ -1729,9 +1737,17 @@
 # of January the standard time in the Kingdom shall be moved backward by one
 # hour to 1:00am.
 
-# From Pulu 'Anau (2002-11-05):
+# From Pulu ʻAnau (2002-11-05):
 # The law was for 3 years, supposedly to get renewed.  It wasn't.
 
+# From Pulu ʻAnau (2016-10-27):
+# http://mic.gov.to/news-today/press-releases/6375-daylight-saving-set-to-run-from-6-november-2016-to-15-january-2017
+# Cannot find anyone who knows the rules, has seen the duration or has seen
+# the cabinet decision, but it appears we are following Fiji's rule set.
+#
+# From Tim Parenti (2016-10-26):
+# Assume Tonga will observe DST from the first Sunday in November at 02:00
+# through the third Sunday in January at 03:00, like Fiji, for now.
 
 # Wake
 
--- a/test/sun/util/calendar/zi/tzdata/backward	Tue Dec 13 12:52:17 2016 -0800
+++ b/test/sun/util/calendar/zi/tzdata/backward	Tue Dec 20 13:28:30 2016 -0800
@@ -59,6 +59,7 @@
 Link	Asia/Urumqi		Asia/Kashgar
 Link	Asia/Kathmandu		Asia/Katmandu
 Link	Asia/Macau		Asia/Macao
+Link	Asia/Yangon		Asia/Rangoon
 Link	Asia/Ho_Chi_Minh	Asia/Saigon
 Link	Asia/Jerusalem		Asia/Tel_Aviv
 Link	Asia/Thimphu		Asia/Thimbu
--- a/test/sun/util/calendar/zi/tzdata/etcetera	Tue Dec 13 12:52:17 2016 -0800
+++ b/test/sun/util/calendar/zi/tzdata/etcetera	Tue Dec 20 13:28:30 2016 -0800
@@ -31,6 +31,13 @@
 # need now for the entries that are not on UTC are for ships at sea
 # that cannot use POSIX TZ settings.
 
+# Starting with POSIX 1003.1-2001, the entries below are all
+# unnecessary as settings for the TZ environment variable.  E.g.,
+# instead of TZ='Etc/GMT+4' one can use the POSIX setting TZ='<-04>+4'.
+#
+# Do not use a POSIX TZ setting like TZ='GMT+4', which is four hours
+# behind GMT but uses the completely misleading abbreviation "GMT".
+
 Zone	Etc/GMT		0	-	GMT
 Zone	Etc/UTC		0	-	UTC
 Zone	Etc/UCT		0	-	UCT
@@ -49,23 +56,13 @@
 Link	Etc/GMT				Etc/GMT+0
 Link	Etc/GMT				Etc/GMT0
 
-# We use POSIX-style signs in the Zone names and the output abbreviations,
+# Be consistent with POSIX TZ settings in the Zone names,
 # even though this is the opposite of what many people expect.
 # POSIX has positive signs west of Greenwich, but many people expect
 # positive signs east of Greenwich.  For example, TZ='Etc/GMT+4' uses
-# the abbreviation "GMT+4" and corresponds to 4 hours behind UT
+# the abbreviation "-04" and corresponds to 4 hours behind UT
 # (i.e. west of Greenwich) even though many people would expect it to
 # mean 4 hours ahead of UT (i.e. east of Greenwich).
-#
-# In the draft 5 of POSIX 1003.1-200x, the angle bracket notation allows for
-# TZ='<GMT-4>+4'; if you want time zone abbreviations conforming to
-# ISO 8601 you can use TZ='<-0400>+4'.  Thus the commonly-expected
-# offset is kept within the angle bracket (and is used for display)
-# while the POSIX sign is kept outside the angle bracket (and is used
-# for calculation).
-#
-# Do not use a TZ setting like TZ='GMT+4', which is four hours behind
-# GMT but uses the completely misleading abbreviation "GMT".
 
 # Earlier incarnations of this package were not POSIX-compliant,
 # and had lines such as
@@ -74,30 +71,31 @@
 # way does a
 #		zic -l GMT-12
 # so we moved the names into the Etc subdirectory.
+# Also, the time zone abbreviations are now compatible with %z.
 
-Zone	Etc/GMT-14	14	-	GMT-14	# 14 hours ahead of GMT
-Zone	Etc/GMT-13	13	-	GMT-13
-Zone	Etc/GMT-12	12	-	GMT-12
-Zone	Etc/GMT-11	11	-	GMT-11
-Zone	Etc/GMT-10	10	-	GMT-10
-Zone	Etc/GMT-9	9	-	GMT-9
-Zone	Etc/GMT-8	8	-	GMT-8
-Zone	Etc/GMT-7	7	-	GMT-7
-Zone	Etc/GMT-6	6	-	GMT-6
-Zone	Etc/GMT-5	5	-	GMT-5
-Zone	Etc/GMT-4	4	-	GMT-4
-Zone	Etc/GMT-3	3	-	GMT-3
-Zone	Etc/GMT-2	2	-	GMT-2
-Zone	Etc/GMT-1	1	-	GMT-1
-Zone	Etc/GMT+1	-1	-	GMT+1
-Zone	Etc/GMT+2	-2	-	GMT+2
-Zone	Etc/GMT+3	-3	-	GMT+3
-Zone	Etc/GMT+4	-4	-	GMT+4
-Zone	Etc/GMT+5	-5	-	GMT+5
-Zone	Etc/GMT+6	-6	-	GMT+6
-Zone	Etc/GMT+7	-7	-	GMT+7
-Zone	Etc/GMT+8	-8	-	GMT+8
-Zone	Etc/GMT+9	-9	-	GMT+9
-Zone	Etc/GMT+10	-10	-	GMT+10
-Zone	Etc/GMT+11	-11	-	GMT+11
-Zone	Etc/GMT+12	-12	-	GMT+12
+Zone	Etc/GMT-14	14	-	+14
+Zone	Etc/GMT-13	13	-	+13
+Zone	Etc/GMT-12	12	-	+12
+Zone	Etc/GMT-11	11	-	+11
+Zone	Etc/GMT-10	10	-	+10
+Zone	Etc/GMT-9	9	-	+09
+Zone	Etc/GMT-8	8	-	+08
+Zone	Etc/GMT-7	7	-	+07
+Zone	Etc/GMT-6	6	-	+06
+Zone	Etc/GMT-5	5	-	+05
+Zone	Etc/GMT-4	4	-	+04
+Zone	Etc/GMT-3	3	-	+03
+Zone	Etc/GMT-2	2	-	+02
+Zone	Etc/GMT-1	1	-	+01
+Zone	Etc/GMT+1	-1	-	-01
+Zone	Etc/GMT+2	-2	-	-02
+Zone	Etc/GMT+3	-3	-	-03
+Zone	Etc/GMT+4	-4	-	-04
+Zone	Etc/GMT+5	-5	-	-05
+Zone	Etc/GMT+6	-6	-	-06
+Zone	Etc/GMT+7	-7	-	-07
+Zone	Etc/GMT+8	-8	-	-08
+Zone	Etc/GMT+9	-9	-	-09
+Zone	Etc/GMT+10	-10	-	-10
+Zone	Etc/GMT+11	-11	-	-11
+Zone	Etc/GMT+12	-12	-	-12
--- a/test/sun/util/calendar/zi/tzdata/europe	Tue Dec 13 12:52:17 2016 -0800
+++ b/test/sun/util/calendar/zi/tzdata/europe	Tue Dec 20 13:28:30 2016 -0800
@@ -98,8 +98,7 @@
 #        1:00       CET CEST CEMT Central Europe
 #        1:00:14    SET           Swedish (1879-1899)*
 #        2:00       EET EEST      Eastern Europe
-#        3:00       FET           Further-eastern Europe (2011-2014)*
-#        3:00       MSK MSD  MSM* Minsk, Moscow
+#        3:00       MSK MSD       Moscow
 
 # From Peter Ilieve (1994-12-04),
 # The original six [EU members]: Belgium, France, (West) Germany, Italy,
@@ -606,16 +605,33 @@
 Rule	E-Eur	1981	max	-	Mar	lastSun	 0:00	1:00	S
 Rule	E-Eur	1996	max	-	Oct	lastSun	 0:00	0	-
 
+
+# Daylight saving time for Russia and the Soviet Union
+#
+# The 1917-1921 decree URLs are from Alexander Belopolsky (2016-08-23).
+
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
 Rule	Russia	1917	only	-	Jul	 1	23:00	1:00	MST  # Moscow Summer Time
+#
+# Decree No. 142 (1917-12-22) http://istmat.info/node/28137
 Rule	Russia	1917	only	-	Dec	28	 0:00	0	MMT  # Moscow Mean Time
+#
+# Decree No. 497 (1918-05-30) http://istmat.info/node/30001
 Rule	Russia	1918	only	-	May	31	22:00	2:00	MDST # Moscow Double Summer Time
 Rule	Russia	1918	only	-	Sep	16	 1:00	1:00	MST
+#
+# Decree No. 258 (1919-05-29) http://istmat.info/node/37949
 Rule	Russia	1919	only	-	May	31	23:00	2:00	MDST
-Rule	Russia	1919	only	-	Jul	 1	 2:00	1:00	MSD
+#
+Rule	Russia	1919	only	-	Jul	 1	 0:00u	1:00	MSD
 Rule	Russia	1919	only	-	Aug	16	 0:00	0	MSK
+#
+# Decree No. 63 (1921-02-03) http://istmat.info/node/45840
 Rule	Russia	1921	only	-	Feb	14	23:00	1:00	MSD
-Rule	Russia	1921	only	-	Mar	20	23:00	2:00	MSM  # Midsummer
+#
+# Decree No. 121 (1921-03-07) http://istmat.info/node/45949
+Rule	Russia	1921	only	-	Mar	20	23:00	2:00	+05
+#
 Rule	Russia	1921	only	-	Sep	 1	 0:00	1:00	MSD
 Rule	Russia	1921	only	-	Oct	 1	 0:00	0	-
 # Act No. 925 of the Council of Ministers of the USSR (1980-10-24):
@@ -798,8 +814,6 @@
 # From Alexander Bokovoy (2014-10-09):
 # Belarussian government decided against changing to winter time....
 # http://eng.belta.by/all_news/society/Belarus-decides-against-adjusting-time-in-Russias-wake_i_76335.html
-# From Paul Eggert (2014-10-08):
-# Hence Belarus can share time zone abbreviations with Moscow again.
 #
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone	Europe/Minsk	1:50:16 -	LMT	1880
@@ -810,8 +824,7 @@
 			3:00	Russia	MSK/MSD	1990
 			3:00	-	MSK	1991 Mar 31  2:00s
 			2:00	Russia	EE%sT	2011 Mar 27  2:00s
-			3:00	-	FET	2014 Oct 26  1:00s
-			3:00	-	MSK
+			3:00	-	+03
 
 # Belgium
 #
@@ -1319,7 +1332,7 @@
 # http://www.parlament-berlin.de/pds-fraktion.nsf/727459127c8b66ee8525662300459099/defc77cb784f180ac1256c2b0030274b/$FILE/bersarint.pdf
 # says that Bersarin issued an order to use Moscow time on May 20.
 # However, Moscow did not observe daylight saving in 1945, so
-# this was equivalent to CEMT (GMT+3), not GMT+4.
+# this was equivalent to UT +03, not +04.
 
 
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
@@ -1510,73 +1523,84 @@
 # But these events all occurred before the 1970 cutoff,
 # so record only the time in Rome.
 #
-# From Paul Eggert (2006-03-22):
-# For Italian DST we have three sources: Shanks & Pottenger, Whitman, and
-# F. Pollastri
-# Day-light Saving Time in Italy (2006-02-03)
-# http://toi.iriti.cnr.it/uk/ienitlt.html
-# ('FP' below), taken from an Italian National Electrotechnical Institute
-# publication. When the three sources disagree, guess who's right, as follows:
+# From Michael Deckers (2016-10-24):
+# http://www.ac-ilsestante.it/MERIDIANE/ora_legale quotes a law of 1893-08-10
+# ... [translated as] "The preceding dispositions will enter into
+# force at the instant at which, according to the time specified in
+# the 1st article, the 1st of November 1893 will begin...."
 #
-# year	FP	Shanks&P. (S)	Whitman (W)	Go with:
-# 1916	06-03	06-03 24:00	06-03 00:00	FP & W
-#	09-30	09-30 24:00	09-30 01:00	FP; guess 24:00s
-# 1917	04-01	03-31 24:00	03-31 00:00	FP & S
-#	09-30	09-29 24:00	09-30 01:00	FP & W
-# 1918	03-09	03-09 24:00	03-09 00:00	FP & S
-#	10-06	10-05 24:00	10-06 01:00	FP & W
-# 1919	03-01	03-01 24:00	03-01 00:00	FP & S
-#	10-04	10-04 24:00	10-04 01:00	FP; guess 24:00s
-# 1920	03-20	03-20 24:00	03-20 00:00	FP & S
-#	09-18	09-18 24:00	10-01 01:00	FP; guess 24:00s
-# 1944	04-02	04-03 02:00			S (see C-Eur)
-#	09-16	10-02 03:00			FP; guess 24:00s
-# 1945	09-14	09-16 24:00			FP; guess 24:00s
-# 1970	05-21	05-31 00:00			S
-#	09-20	09-27 00:00			S
+# From Pierpaolo Bernardi (2016-10-20):
+# The authoritative source for time in Italy is the national metrological
+# institute, which has a summary page of historical DST data at
+# http://www.inrim.it/res/tf/ora_legale_i.shtml
+# (2016-10-24):
+# http://www.renzobaldini.it/le-ore-legali-in-italia/
+# has still different data for 1944.  It divides Italy in two, as
+# there were effectively two governments at the time, north of Gothic
+# Line German controlled territory, official government RSI, and south
+# of the Gothic Line, controlled by allied armies.
+#
+# From Brian Inglis (2016-10-23):
+# Viceregal LEGISLATIVE DECREE. 14 September 1944, no. 219.
+# Restoration of Standard Time. (044U0219) (OJ 62 of 30.9.1944) ...
+# Given the R. law decreed on 1944-03-29, no. 92, by which standard time is
+# advanced to sixty minutes later starting at hour two on 1944-04-02; ...
+# Starting at hour three on the date 1944-09-17 standard time will be resumed.
+#
+# From Paul Eggert (2016-10-27):
+# Go with INRiM for DST rules, except as corrected by Inglis for 1944
+# for the Kingdom of Italy.  This is consistent with Renzo Baldini.
+# Model Rome's occupation by using using C-Eur rules from 1943-09-10
+# to 1944-06-04; although Rome was an open city during this period, it
+# was effectively controlled by Germany.
 #
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
-Rule	Italy	1916	only	-	Jun	 3	0:00s	1:00	S
-Rule	Italy	1916	only	-	Oct	 1	0:00s	0	-
-Rule	Italy	1917	only	-	Apr	 1	0:00s	1:00	S
-Rule	Italy	1917	only	-	Sep	30	0:00s	0	-
-Rule	Italy	1918	only	-	Mar	10	0:00s	1:00	S
-Rule	Italy	1918	1919	-	Oct	Sun>=1	0:00s	0	-
-Rule	Italy	1919	only	-	Mar	 2	0:00s	1:00	S
-Rule	Italy	1920	only	-	Mar	21	0:00s	1:00	S
-Rule	Italy	1920	only	-	Sep	19	0:00s	0	-
-Rule	Italy	1940	only	-	Jun	15	0:00s	1:00	S
-Rule	Italy	1944	only	-	Sep	17	0:00s	0	-
-Rule	Italy	1945	only	-	Apr	 2	2:00	1:00	S
-Rule	Italy	1945	only	-	Sep	15	0:00s	0	-
-Rule	Italy	1946	only	-	Mar	17	2:00s	1:00	S
-Rule	Italy	1946	only	-	Oct	 6	2:00s	0	-
-Rule	Italy	1947	only	-	Mar	16	0:00s	1:00	S
-Rule	Italy	1947	only	-	Oct	 5	0:00s	0	-
-Rule	Italy	1948	only	-	Feb	29	2:00s	1:00	S
-Rule	Italy	1948	only	-	Oct	 3	2:00s	0	-
-Rule	Italy	1966	1968	-	May	Sun>=22	0:00	1:00	S
-Rule	Italy	1966	1969	-	Sep	Sun>=22	0:00	0	-
-Rule	Italy	1969	only	-	Jun	 1	0:00	1:00	S
-Rule	Italy	1970	only	-	May	31	0:00	1:00	S
-Rule	Italy	1970	only	-	Sep	lastSun	0:00	0	-
-Rule	Italy	1971	1972	-	May	Sun>=22	0:00	1:00	S
-Rule	Italy	1971	only	-	Sep	lastSun	1:00	0	-
-Rule	Italy	1972	only	-	Oct	 1	0:00	0	-
-Rule	Italy	1973	only	-	Jun	 3	0:00	1:00	S
-Rule	Italy	1973	1974	-	Sep	lastSun	0:00	0	-
-Rule	Italy	1974	only	-	May	26	0:00	1:00	S
-Rule	Italy	1975	only	-	Jun	 1	0:00s	1:00	S
-Rule	Italy	1975	1977	-	Sep	lastSun	0:00s	0	-
-Rule	Italy	1976	only	-	May	30	0:00s	1:00	S
-Rule	Italy	1977	1979	-	May	Sun>=22	0:00s	1:00	S
-Rule	Italy	1978	only	-	Oct	 1	0:00s	0	-
-Rule	Italy	1979	only	-	Sep	30	0:00s	0	-
+Rule	Italy	1916	only	-	Jun	 3	24:00	1:00	S
+Rule	Italy	1916	1917	-	Sep	30	24:00	0	-
+Rule	Italy	1917	only	-	Mar	31	24:00	1:00	S
+Rule	Italy	1918	only	-	Mar	 9	24:00	1:00	S
+Rule	Italy	1918	only	-	Oct	 6	24:00	0	-
+Rule	Italy	1919	only	-	Mar	 1	24:00	1:00	S
+Rule	Italy	1919	only	-	Oct	 4	24:00	0	-
+Rule	Italy	1920	only	-	Mar	20	24:00	1:00	S
+Rule	Italy	1920	only	-	Sep	18	24:00	0	-
+Rule	Italy	1940	only	-	Jun	14	24:00	1:00	S
+Rule	Italy	1942	only	-	Nov	 2	 2:00s	0	-
+Rule	Italy	1943	only	-	Mar	29	 2:00s	1:00	S
+Rule	Italy	1943	only	-	Oct	 4	 2:00s	0	-
+Rule	Italy	1944	only	-	Apr	 2	 2:00s	1:00	S
+Rule	Italy	1944	only	-	Sep	17	 2:00s	0	-
+Rule	Italy	1945	only	-	Apr	 2	 2:00	1:00	S
+Rule	Italy	1945	only	-	Sep	15	 1:00	0	-
+Rule	Italy	1946	only	-	Mar	17	 2:00s	1:00	S
+Rule	Italy	1946	only	-	Oct	 6	 2:00s	0	-
+Rule	Italy	1947	only	-	Mar	16	 0:00s	1:00	S
+Rule	Italy	1947	only	-	Oct	 5	 0:00s	0	-
+Rule	Italy	1948	only	-	Feb	29	 2:00s	1:00	S
+Rule	Italy	1948	only	-	Oct	 3	 2:00s	0	-
+Rule	Italy	1966	1968	-	May	Sun>=22	 0:00s	1:00	S
+Rule	Italy	1966	only	-	Sep	24	24:00	0	-
+Rule	Italy	1967	1969	-	Sep	Sun>=22	 0:00s	0	-
+Rule	Italy	1969	only	-	Jun	 1	 0:00s	1:00	S
+Rule	Italy	1970	only	-	May	31	 0:00s	1:00	S
+Rule	Italy	1970	only	-	Sep	lastSun	 0:00s	0	-
+Rule	Italy	1971	1972	-	May	Sun>=22	 0:00s	1:00	S
+Rule	Italy	1971	only	-	Sep	lastSun	 0:00s	0	-
+Rule	Italy	1972	only	-	Oct	 1	 0:00s	0	-
+Rule	Italy	1973	only	-	Jun	 3	 0:00s	1:00	S
+Rule	Italy	1973	1974	-	Sep	lastSun	 0:00s	0	-
+Rule	Italy	1974	only	-	May	26	 0:00s	1:00	S
+Rule	Italy	1975	only	-	Jun	 1	 0:00s	1:00	S
+Rule	Italy	1975	1977	-	Sep	lastSun	 0:00s	0	-
+Rule	Italy	1976	only	-	May	30	 0:00s	1:00	S
+Rule	Italy	1977	1979	-	May	Sun>=22	 0:00s	1:00	S
+Rule	Italy	1978	only	-	Oct	 1	 0:00s	0	-
+Rule	Italy	1979	only	-	Sep	30	 0:00s	0	-
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone	Europe/Rome	0:49:56 -	LMT	1866 Sep 22
-			0:49:56	-	RMT	1893 Nov  1  0:00s # Rome Mean
-			1:00	Italy	CE%sT	1942 Nov  2  2:00s
-			1:00	C-Eur	CE%sT	1944 Jul
+			0:49:56	-	RMT	1893 Oct 31 23:49:56 # Rome Mean
+			1:00	Italy	CE%sT	1943 Sep 10
+			1:00	C-Eur	CE%sT	1944 Jun  4
 			1:00	Italy	CE%sT	1980
 			1:00	EU	CE%sT
 
@@ -1775,6 +1799,10 @@
 # See Europe/Belgrade.
 
 # Malta
+#
+# From Paul Eggert (2016-10-21):
+# Assume 1900-1972 was like Rome, overriding Shanks.
+#
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
 Rule	Malta	1973	only	-	Mar	31	0:00s	1:00	S
 Rule	Malta	1973	only	-	Sep	29	0:00s	0	-
@@ -1785,8 +1813,6 @@
 Rule	Malta	1980	only	-	Mar	31	2:00	1:00	S
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone	Europe/Malta	0:58:04 -	LMT	1893 Nov  2  0:00s # Valletta
-			1:00	Italy	CE%sT	1942 Nov  2  2:00s
-			1:00	C-Eur	CE%sT	1945 Apr  2  2:00s
 			1:00	Italy	CE%sT	1973 Mar 31
 			1:00	Malta	CE%sT	1981
 			1:00	EU	CE%sT
@@ -1918,7 +1944,7 @@
 # Amsterdam mean time.
 
 # The data entries before 1945 are taken from
-# http://www.phys.uu.nl/~vgent/wettijd/wettijd.htm
+# http://www.staff.science.uu.nl/~gent0113/wettijd/wettijd.htm
 
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
 Rule	Neth	1916	only	-	May	 1	0:00	1:00	NST	# Netherlands Summer Time
@@ -2283,7 +2309,6 @@
 # http://www.worldtimezone.com/dst_news/dst_news_russia-map-2014-07.html
 
 # From Paul Eggert (2006-03-22):
-# Except for Moscow after 1919-07-01, I invented the time zone abbreviations.
 # Moscow time zone abbreviations after 1919-07-01, and Moscow rules after 1991,
 # are from Andrey A. Chernov.  The rest is from Shanks & Pottenger,
 # except we follow Chernov's report that 1992 DST transitions were Sat
@@ -2359,7 +2384,7 @@
 			 2:00	Poland	CE%sT	1946
 			 3:00	Russia	MSK/MSD	1989 Mar 26  2:00s
 			 2:00	Russia	EE%sT	2011 Mar 27  2:00s
-			 3:00	-	FET	2014 Oct 26  2:00s
+			 3:00	-	+03	2014 Oct 26  2:00s
 			 2:00	-	EET
 
 
@@ -2412,6 +2437,16 @@
 # 78	RU-SPE	Saint Petersburg
 # 83	RU-NEN	Nenets Autonomous Okrug
 
+# From Paul Eggert (2016-08-23):
+# The Soviets switched to UT-based time in 1919.  Decree No. 59
+# (1919-02-08) http://istmat.info/node/35567 established UT-based time
+# zones, and Decree No. 147 (1919-03-29) http://istmat.info/node/35854
+# specified a transition date of 1919-07-01, apparently at 00:00 UT.
+# No doubt only the Soviet-controlled regions switched on that date;
+# later transitions to UT-based time in other parts of Russia are
+# taken from what appear to be guesses by Shanks.
+# (Thanks to Alexander Belopolsky for pointers to the decrees.)
+
 # From Stepan Golosunov (2016-03-07):
 # 11. Regions-violators, 1981-1982.
 # Wikipedia refers to
@@ -2453,7 +2488,7 @@
 # attributes the 1982 changes to the Act of the Council of Ministers
 # of the USSR No. 126 from 18.02.1982.  1980-925.txt also adds
 # Udmurtia to the list of affected territories and lists Khatangsky
-# district separately from Taymyr Autonomous Okurg.  Probably erroneously.
+# district separately from Taymyr Autonomous Okrug.  Probably erroneously.
 #
 # The affected territories are currently listed under Europe/Moscow,
 # Asia/Yekaterinburg and Asia/Krasnoyarsk.
@@ -2513,7 +2548,7 @@
 
 Zone Europe/Moscow	 2:30:17 -	LMT	1880
 			 2:30:17 -	MMT	1916 Jul  3 # Moscow Mean Time
-			 2:31:19 Russia	%s	1919 Jul  1  2:00
+			 2:31:19 Russia	%s	1919 Jul  1  0:00u
 			 3:00	Russia	%s	1921 Oct
 			 3:00	Russia	MSK/MSD	1922 Oct
 			 2:00	-	EET	1930 Jun 21
@@ -2596,22 +2631,21 @@
 # The 1988 transition is from USSR act No. 5 (1988-01-04).
 
 Zone Europe/Volgograd	 2:57:40 -	LMT	1920 Jan  3
-			 3:00	-	TSAT	1925 Apr  6 # Tsaritsyn Time
-			 3:00	-	STAT	1930 Jun 21 # Stalingrad Time
-			 4:00	-	STAT	1961 Nov 11
-			 4:00	Russia	VOL%sT	1988 Mar 27  2:00s # Volgograd T
-			 3:00	Russia	VOL%sT	1991 Mar 31  2:00s
-			 4:00	-	VOLT	1992 Mar 29  2:00s
-			 3:00	Russia	MSK/MSD	2011 Mar 27  2:00s
-			 4:00	-	MSK	2014 Oct 26  2:00s
-			 3:00	-	MSK
+			 3:00	-	+03	1930 Jun 21
+			 4:00	-	+04	1961 Nov 11
+			 4:00	Russia	+04/+05	1988 Mar 27  2:00s
+			 3:00	Russia	+03/+04	1991 Mar 31  2:00s
+			 4:00	-	+04	1992 Mar 29  2:00s
+			 3:00	Russia	+03/+04	2011 Mar 27  2:00s
+			 4:00	-	+04	2014 Oct 26  2:00s
+			 3:00	-	+03
 
 # From Paul Eggert (2016-03-18):
 # Europe/Kirov covers:
 # 43	RU-KIR	Kirov Oblast
 # The 1989 transition is from USSR act No. 227 (1989-03-14).
 #
-Zone Europe/Kirov	 3:18:48 -	LMT	1919 Jul  1  2:00
+Zone Europe/Kirov	 3:18:48 -	LMT	1919 Jul  1  0:00u
 			 3:00	-	+03	1930 Jun 21
 			 4:00	Russia	+04/+05	1989 Mar 26  2:00s
 			 3:00	Russia	+03/+04	1991 Mar 31  2:00s
@@ -2629,16 +2663,16 @@
 # Byalokoz 1919 says Samara was 3:20:20.
 # The 1989 transition is from USSR act No. 227 (1989-03-14).
 
-Zone Europe/Samara	 3:20:20 -	LMT	1919 Jul  1  2:00
-			 3:00	-	SAMT	1930 Jun 21 # Samara Time
-			 4:00	-	SAMT	1935 Jan 27
-			 4:00	Russia	KUY%sT	1989 Mar 26  2:00s # Kuybyshev
-			 3:00	Russia	MSK/MSD	1991 Mar 31  2:00s
-			 2:00	Russia	EE%sT	1991 Sep 29  2:00s
-			 3:00	-	SAMT	1991 Oct 20  3:00
-			 4:00	Russia	SAM%sT	2010 Mar 28  2:00s
-			 3:00	Russia	SAM%sT	2011 Mar 27  2:00s
-			 4:00	-	SAMT
+Zone Europe/Samara	 3:20:20 -	LMT	1919 Jul  1  0:00u
+			 3:00	-	+03	1930 Jun 21
+			 4:00	-	+04	1935 Jan 27
+			 4:00	Russia	+04/+05	1989 Mar 26  2:00s
+			 3:00	Russia	+03/+04	1991 Mar 31  2:00s
+			 2:00	Russia	+02/+03	1991 Sep 29  2:00s
+			 3:00	-	+03	1991 Oct 20  3:00
+			 4:00	Russia	+04/+05	2010 Mar 28  2:00s
+			 3:00	Russia	+03/+04	2011 Mar 27  2:00s
+			 4:00	-	+04
 
 # From Paul Eggert (2016-03-18):
 # Europe/Ulyanovsk covers:
@@ -2653,7 +2687,7 @@
 # From Matt Johnson (2016-03-09):
 # http://publication.pravo.gov.ru/Document/View/0001201603090051
 
-Zone Europe/Ulyanovsk	 3:13:36 -	LMT	1919 Jul  1  2:00
+Zone Europe/Ulyanovsk	 3:13:36 -	LMT	1919 Jul  1  0:00u
 			 3:00	-	+03	1930 Jun 21
 			 4:00	Russia	+04/+05	1989 Mar 26  2:00s
 			 3:00	Russia	+03/+04	1991 Mar 31  2:00s
@@ -2685,12 +2719,12 @@
 
 Zone Asia/Yekaterinburg	 4:02:33 -	LMT	1916 Jul  3
 			 3:45:05 -	PMT	1919 Jul 15  4:00
-			 4:00	-	SVET	1930 Jun 21 # Sverdlovsk Time
-			 5:00	Russia	SVE%sT	1991 Mar 31  2:00s
-			 4:00	Russia	SVE%sT	1992 Jan 19  2:00s
-			 5:00	Russia	YEK%sT	2011 Mar 27  2:00s
-			 6:00	-	YEKT	2014 Oct 26  2:00s
-			 5:00	-	YEKT
+			 4:00	-	+04	1930 Jun 21
+			 5:00	Russia	+05/+06	1991 Mar 31  2:00s
+			 4:00	Russia	+04/+05	1992 Jan 19  2:00s
+			 5:00	Russia	+05/+06	2011 Mar 27  2:00s
+			 6:00	-	+06	2014 Oct 26  2:00s
+			 5:00	-	+05
 
 
 # From Tim Parenti (2014-07-03), per Oscar van Vlijmen (2001-08-25):
@@ -2700,12 +2734,12 @@
 # Byalokoz 1919 says Omsk was 4:53:30.
 
 Zone Asia/Omsk		 4:53:30 -	LMT	1919 Nov 14
-			 5:00	-	OMST	1930 Jun 21 # Omsk Time
-			 6:00	Russia	OMS%sT	1991 Mar 31  2:00s
-			 5:00	Russia	OMS%sT	1992 Jan 19  2:00s
-			 6:00	Russia	OMS%sT	2011 Mar 27  2:00s
-			 7:00	-	OMST	2014 Oct 26  2:00s
-			 6:00	-	OMST
+			 5:00	-	+05	1930 Jun 21
+			 6:00	Russia	+06/+07	1991 Mar 31  2:00s
+			 5:00	Russia	+05/+06	1992 Jan 19  2:00s
+			 6:00	Russia	+06/+07	2011 Mar 27  2:00s
+			 7:00	-	+07	2014 Oct 26  2:00s
+			 6:00	-	+06
 
 # From Paul Eggert (2016-02-22):
 # Asia/Barnaul covers:
@@ -2785,7 +2819,7 @@
 # Note that time belts (numbered from 2 (Moscow) to 12 according to their
 # GMT/UTC offset and having too many exceptions like regions formally
 # belonging to one belt but using time from another) were replaced
-# with time zones in 2011 with different numberings (there was a
+# with time zones in 2011 with different numbering (there was a
 # 2-hour gap between second and third zones in 2011-2014).
 
 # From Stepan Golosunov (2016-04-12):
@@ -2868,12 +2902,12 @@
 # Byalokoz 1919 says Krasnoyarsk was 6:11:26.
 
 Zone Asia/Krasnoyarsk	 6:11:26 -	LMT	1920 Jan  6
-			 6:00	-	KRAT	1930 Jun 21 # Krasnoyarsk Time
-			 7:00	Russia	KRA%sT	1991 Mar 31  2:00s
-			 6:00	Russia	KRA%sT	1992 Jan 19  2:00s
-			 7:00	Russia	KRA%sT	2011 Mar 27  2:00s
-			 8:00	-	KRAT	2014 Oct 26  2:00s
-			 7:00	-	KRAT
+			 6:00	-	+06	1930 Jun 21
+			 7:00	Russia	+07/+08	1991 Mar 31  2:00s
+			 6:00	Russia	+06/+07	1992 Jan 19  2:00s
+			 7:00	Russia	+07/+08	2011 Mar 27  2:00s
+			 8:00	-	+08	2014 Oct 26  2:00s
+			 7:00	-	+07
 
 
 # From Tim Parenti (2014-07-03), per Oscar van Vlijmen (2001-08-25):
@@ -2890,12 +2924,12 @@
 
 Zone Asia/Irkutsk	 6:57:05 -	LMT	1880
 			 6:57:05 -	IMT	1920 Jan 25 # Irkutsk Mean Time
-			 7:00	-	IRKT	1930 Jun 21 # Irkutsk Time
-			 8:00	Russia	IRK%sT	1991 Mar 31  2:00s
-			 7:00	Russia	IRK%sT	1992 Jan 19  2:00s
-			 8:00	Russia	IRK%sT	2011 Mar 27  2:00s
-			 9:00	-	IRKT	2014 Oct 26  2:00s
-			 8:00	-	IRKT
+			 7:00	-	+07	1930 Jun 21
+			 8:00	Russia	+08/+09	1991 Mar 31  2:00s
+			 7:00	Russia	+07/+08	1992 Jan 19  2:00s
+			 8:00	Russia	+08/+09	2011 Mar 27  2:00s
+			 9:00	-	+09	2014 Oct 26  2:00s
+			 8:00	-	+08
 
 
 # From Tim Parenti (2014-07-06):
@@ -2912,13 +2946,13 @@
 # http://publication.pravo.gov.ru/Document/View/0001201512300107
 
 Zone Asia/Chita	 7:33:52 -	LMT	1919 Dec 15
-			 8:00	-	YAKT	1930 Jun 21 # Yakutsk Time
-			 9:00	Russia	YAK%sT	1991 Mar 31  2:00s
-			 8:00	Russia	YAK%sT	1992 Jan 19  2:00s
-			 9:00	Russia	YAK%sT	2011 Mar 27  2:00s
-			10:00	-	YAKT	2014 Oct 26  2:00s
-			 8:00	-	IRKT	2016 Mar 27  2:00
-			 9:00	-	YAKT
+			 8:00	-	+08	1930 Jun 21
+			 9:00	Russia	+09/+10	1991 Mar 31  2:00s
+			 8:00	Russia	+08/+09	1992 Jan 19  2:00s
+			 9:00	Russia	+09/+10	2011 Mar 27  2:00s
+			10:00	-	+10	2014 Oct 26  2:00s
+			 8:00	-	+08	2016 Mar 27  2:00
+			 9:00	-	+09
 
 
 # From Tim Parenti (2014-07-03), per Oscar van Vlijmen (2009-11-29):
@@ -2958,12 +2992,12 @@
 # Byalokoz 1919 says Yakutsk was 8:38:58.
 
 Zone Asia/Yakutsk	 8:38:58 -	LMT	1919 Dec 15
-			 8:00	-	YAKT	1930 Jun 21 # Yakutsk Time
-			 9:00	Russia	YAK%sT	1991 Mar 31  2:00s
-			 8:00	Russia	YAK%sT	1992 Jan 19  2:00s
-			 9:00	Russia	YAK%sT	2011 Mar 27  2:00s
-			10:00	-	YAKT	2014 Oct 26  2:00s
-			 9:00	-	YAKT
+			 8:00	-	+08	1930 Jun 21
+			 9:00	Russia	+09/+10	1991 Mar 31  2:00s
+			 8:00	Russia	+08/+09	1992 Jan 19  2:00s
+			 9:00	Russia	+09/+10	2011 Mar 27  2:00s
+			10:00	-	+10	2014 Oct 26  2:00s
+			 9:00	-	+09
 
 
 # From Tim Parenti (2014-07-03), per Oscar van Vlijmen (2009-11-29):
@@ -2981,12 +3015,12 @@
 # Go with Byalokoz.
 
 Zone Asia/Vladivostok	 8:47:31 -	LMT	1922 Nov 15
-			 9:00	-	VLAT	1930 Jun 21 # Vladivostok Time
-			10:00	Russia	VLA%sT	1991 Mar 31  2:00s
-			 9:00	Russia	VLA%sT	1992 Jan 19  2:00s
-			10:00	Russia	VLA%sT	2011 Mar 27  2:00s
-			11:00	-	VLAT	2014 Oct 26  2:00s
-			10:00	-	VLAT
+			 9:00	-	+09	1930 Jun 21
+			10:00	Russia	+10/+11	1991 Mar 31  2:00s
+			 9:00	Russia	+09/+10	1992 Jan 19  2:00s
+			10:00	Russia	+10/+11	2011 Mar 27  2:00s
+			11:00	-	+11	2014 Oct 26  2:00s
+			10:00	-	+10
 
 
 # From Tim Parenti (2014-07-03):
@@ -3004,14 +3038,14 @@
 # This transition is no doubt wrong, but we have no better info.
 
 Zone Asia/Khandyga	 9:02:13 -	LMT	1919 Dec 15
-			 8:00	-	YAKT	1930 Jun 21 # Yakutsk Time
-			 9:00	Russia	YAK%sT	1991 Mar 31  2:00s
-			 8:00	Russia	YAK%sT	1992 Jan 19  2:00s
-			 9:00	Russia	YAK%sT	2004
-			10:00	Russia	VLA%sT	2011 Mar 27  2:00s
-			11:00	-	VLAT	2011 Sep 13  0:00s # Decree 725?
-			10:00	-	YAKT	2014 Oct 26  2:00s
-			 9:00	-	YAKT
+			 8:00	-	+08	1930 Jun 21
+			 9:00	Russia	+09/+10	1991 Mar 31  2:00s
+			 8:00	Russia	+08/+09	1992 Jan 19  2:00s
+			 9:00	Russia	+09/+10	2004
+			10:00	Russia	+10/+11	2011 Mar 27  2:00s
+			11:00	-	+11	2011 Sep 13  0:00s # Decree 725?
+			10:00	-	+10	2014 Oct 26  2:00s
+			 9:00	-	+09
 
 
 # From Tim Parenti (2014-07-03):
@@ -3027,15 +3061,14 @@
 
 # The Zone name should be Asia/Yuzhno-Sakhalinsk, but that's too long.
 Zone Asia/Sakhalin	 9:30:48 -	LMT	1905 Aug 23
-			 9:00	-	JCST	1937 Oct  1
-			 9:00	-	JST	1945 Aug 25
-			11:00	Russia	SAK%sT	1991 Mar 31  2:00s # Sakhalin T
-			10:00	Russia	SAK%sT	1992 Jan 19  2:00s
-			11:00	Russia	SAK%sT	1997 Mar lastSun  2:00s
-			10:00	Russia	SAK%sT	2011 Mar 27  2:00s
-			11:00	-	SAKT	2014 Oct 26  2:00s
-			10:00	-	SAKT	2016 Mar 27  2:00s
-			11:00	-	SAKT
+			 9:00	-	+09	1945 Aug 25
+			11:00	Russia	+11/+12	1991 Mar 31  2:00s # Sakhalin T
+			10:00	Russia	+10/+11	1992 Jan 19  2:00s
+			11:00	Russia	+11/+12	1997 Mar lastSun  2:00s
+			10:00	Russia	+10/+11	2011 Mar 27  2:00s
+			11:00	-	+11	2014 Oct 26  2:00s
+			10:00	-	+10	2016 Mar 27  2:00s
+			11:00	-	+11
 
 
 # From Tim Parenti (2014-07-03), per Oscar van Vlijmen (2009-11-29):
@@ -3058,13 +3091,13 @@
 # http://publication.pravo.gov.ru/Document/View/0001201604050038
 
 Zone Asia/Magadan	10:03:12 -	LMT	1924 May  2
-			10:00	-	MAGT	1930 Jun 21 # Magadan Time
-			11:00	Russia	MAG%sT	1991 Mar 31  2:00s
-			10:00	Russia	MAG%sT	1992 Jan 19  2:00s
-			11:00	Russia	MAG%sT	2011 Mar 27  2:00s
-			12:00	-	MAGT	2014 Oct 26  2:00s
-			10:00	-	MAGT	2016 Apr 24  2:00s
-			11:00	-	MAGT
+			10:00	-	+10	1930 Jun 21 # Magadan Time
+			11:00	Russia	+11/+12	1991 Mar 31  2:00s
+			10:00	Russia	+10/+11	1992 Jan 19  2:00s
+			11:00	Russia	+11/+12	2011 Mar 27  2:00s
+			12:00	-	+12	2014 Oct 26  2:00s
+			10:00	-	+10	2016 Apr 24  2:00s
+			11:00	-	+11
 
 
 # From Tim Parenti (2014-07-06):
@@ -3107,17 +3140,14 @@
 # in Russian.)  In addition, Srednekolymsk appears to be a much older
 # settlement and the population of Zyryanka seems to be declining.
 # Go with Srednekolymsk.
-#
-# Since Magadan Oblast moves to UTC+10 on 2014-10-26, we cannot keep using MAGT
-# as the abbreviation.  Use SRET instead.
 
 Zone Asia/Srednekolymsk	10:14:52 -	LMT	1924 May  2
-			10:00	-	MAGT	1930 Jun 21 # Magadan Time
-			11:00	Russia	MAG%sT	1991 Mar 31  2:00s
-			10:00	Russia	MAG%sT	1992 Jan 19  2:00s
-			11:00	Russia	MAG%sT	2011 Mar 27  2:00s
-			12:00	-	MAGT	2014 Oct 26  2:00s
-			11:00	-	SRET	# Srednekolymsk Time
+			10:00	-	+10	1930 Jun 21
+			11:00	Russia	+11/+12	1991 Mar 31  2:00s
+			10:00	Russia	+10/+11	1992 Jan 19  2:00s
+			11:00	Russia	+11/+12	2011 Mar 27  2:00s
+			12:00	-	+12	2014 Oct 26  2:00s
+			11:00	-	+11
 
 
 # From Tim Parenti (2014-07-03):
@@ -3135,14 +3165,14 @@
 # UTC+12 since at least then, too.
 
 Zone Asia/Ust-Nera	 9:32:54 -	LMT	1919 Dec 15
-			 8:00	-	YAKT	1930 Jun 21 # Yakutsk Time
-			 9:00	Russia	YAKT	1981 Apr  1
-			11:00	Russia	MAG%sT	1991 Mar 31  2:00s
-			10:00	Russia	MAG%sT	1992 Jan 19  2:00s
-			11:00	Russia	MAG%sT	2011 Mar 27  2:00s
-			12:00	-	MAGT	2011 Sep 13  0:00s # Decree 725?
-			11:00	-	VLAT	2014 Oct 26  2:00s
-			10:00	-	VLAT
+			 8:00	-	+08	1930 Jun 21
+			 9:00	Russia	+09/+10	1981 Apr  1
+			11:00	Russia	+11/+12	1991 Mar 31  2:00s
+			10:00	Russia	+10/+11	1992 Jan 19  2:00s
+			11:00	Russia	+11/+12	2011 Mar 27  2:00s
+			12:00	-	+12	2011 Sep 13  0:00s # Decree 725?
+			11:00	-	+11	2014 Oct 26  2:00s
+			10:00	-	+10
 
 
 # From Tim Parenti (2014-07-03), per Oscar van Vlijmen (2001-08-25):
@@ -3155,12 +3185,12 @@
 # The Zone name should be Asia/Petropavlovsk-Kamchatski or perhaps
 # Asia/Petropavlovsk-Kamchatsky, but these are too long.
 Zone Asia/Kamchatka	10:34:36 -	LMT	1922 Nov 10
-			11:00	-	PETT	1930 Jun 21 # P-K Time
-			12:00	Russia	PET%sT	1991 Mar 31  2:00s
-			11:00	Russia	PET%sT	1992 Jan 19  2:00s
-			12:00	Russia	PET%sT	2010 Mar 28  2:00s
-			11:00	Russia	PET%sT	2011 Mar 27  2:00s
-			12:00	-	PETT
+			11:00	-	+11	1930 Jun 21
+			12:00	Russia	+12/+13	1991 Mar 31  2:00s
+			11:00	Russia	+11/+12	1992 Jan 19  2:00s
+			12:00	Russia	+12/+13	2010 Mar 28  2:00s
+			11:00	Russia	+11/+12	2011 Mar 27  2:00s
+			12:00	-	+12
 
 
 # From Tim Parenti (2014-07-03):
@@ -3168,13 +3198,13 @@
 # 87	RU-CHU	Chukotka Autonomous Okrug
 
 Zone Asia/Anadyr	11:49:56 -	LMT	1924 May  2
-			12:00	-	ANAT	1930 Jun 21 # Anadyr Time
-			13:00	Russia	ANA%sT	1982 Apr  1  0:00s
-			12:00	Russia	ANA%sT	1991 Mar 31  2:00s
-			11:00	Russia	ANA%sT	1992 Jan 19  2:00s
-			12:00	Russia	ANA%sT	2010 Mar 28  2:00s
-			11:00	Russia	ANA%sT	2011 Mar 27  2:00s
-			12:00	-	ANAT
+			12:00	-	+12	1930 Jun 21
+			13:00	Russia	+13/+14	1982 Apr  1  0:00s
+			12:00	Russia	+12/+13	1991 Mar 31  2:00s
+			11:00	Russia	+11/+12	1992 Jan 19  2:00s
+			12:00	Russia	+12/+13	2010 Mar 28  2:00s
+			11:00	Russia	+11/+12	2011 Mar 27  2:00s
+			12:00	-	+12
 
 
 # San Marino
@@ -3433,22 +3463,24 @@
 
 # Turkey
 
-# From Amar Devegowda (2007-01-03):
-# The time zone rules for Istanbul, Turkey have not been changed for years now.
-# ... The latest rules are available at:
-# http://www.timeanddate.com/worldclock/timezone.html?n=107
-# From Steffen Thorsen (2007-01-03):
-# I have been able to find press records back to 1996 which all say that
-# DST started 01:00 local time and end at 02:00 local time.  I am not sure
-# what happened before that.  One example for each year from 1996 to 2001:
-# http://newspot.byegm.gov.tr/arsiv/1996/21/N4.htm
-# http://www.byegm.gov.tr/YAYINLARIMIZ/CHR/ING97/03/97X03X25.TXT
-# http://www.byegm.gov.tr/YAYINLARIMIZ/CHR/ING98/03/98X03X02.HTM
-# http://www.byegm.gov.tr/YAYINLARIMIZ/CHR/ING99/10/99X10X26.HTM#%2016
-# http://www.byegm.gov.tr/YAYINLARIMIZ/CHR/ING2000/03/00X03X06.HTM#%2021
-# http://www.byegm.gov.tr/YAYINLARIMIZ/CHR/ING2001/03/23x03x01.HTM#%2027
-# From Paul Eggert (2007-01-03):
-# Prefer the above source to Shanks & Pottenger for time stamps after 1990.
+# From Kıvanç Yazan (2016-09-25):
+# 1) For 1986-2006, DST started at 01:00 local and ended at 02:00 local, with
+#    no exceptions.
+# 2) 1994's lastSun was overridden with Mar 20 ...
+# Here are official papers:
+# http://www.resmigazete.gov.tr/arsiv/19032.pdf  - page 2 for 1986
+# http://www.resmigazete.gov.tr/arsiv/19400.pdf  - page 4 for 1987
+# http://www.resmigazete.gov.tr/arsiv/19752.pdf  - page 15 for 1988
+# http://www.resmigazete.gov.tr/arsiv/20102.pdf  - page 6 for 1989
+# http://www.resmigazete.gov.tr/arsiv/20464.pdf  - page 1 for 1990 - 1992
+# http://www.resmigazete.gov.tr/arsiv/21531.pdf  - page 15 for 1993 - 1995
+# http://www.resmigazete.gov.tr/arsiv/21879.pdf  - page 1 for overriding 1994
+# http://www.resmigazete.gov.tr/arsiv/22588.pdf  - page 1 for 1996, 1997
+# http://www.resmigazete.gov.tr/arsiv/23286.pdf  - page 10 for 1998 - 2000
+# http://www.resmigazete.gov.tr/eskiler/2001/03/20010324.htm#2  - for 2001
+# http://www.resmigazete.gov.tr/eskiler/2002/03/20020316.htm#2  - for 2002-2006
+# From Paul Eggert (2016-09-25):
+# Prefer the above sources to Shanks & Pottenger for time stamps after 1985.
 
 # From Steffen Thorsen (2007-03-09):
 # Starting 2007 though, it seems that they are adopting EU's 1:00 UTC
@@ -3495,6 +3527,14 @@
 # Engineered Standard Time," said Twitter user @aysekarahasan.
 # http://www.bbc.com/news/world-europe-34631326
 
+# From Burak AYDIN (2016-09-08):
+# Turkey will stay in Daylight Saving Time even in winter....
+# http://www.resmigazete.gov.tr/eskiler/2016/09/20160908-2.pdf
+#
+# From Paul Eggert (2016-09-07):
+# The change is permanent, so this is the new standard time in Turkey.
+# It takes effect today, which is not much notice.
+
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER/S
 Rule	Turkey	1916	only	-	May	 1	0:00	1:00	S
 Rule	Turkey	1916	only	-	Oct	 1	0:00	0	-
@@ -3549,16 +3589,16 @@
 Rule	Turkey	1983	only	-	Oct	 2	0:00	0	-
 Rule	Turkey	1985	only	-	Apr	20	0:00	1:00	S
 Rule	Turkey	1985	only	-	Sep	28	0:00	0	-
-Rule	Turkey	1986	1990	-	Mar	lastSun	2:00s	1:00	S
-Rule	Turkey	1986	1990	-	Sep	lastSun	2:00s	0	-
-Rule	Turkey	1991	2006	-	Mar	lastSun	1:00s	1:00	S
-Rule	Turkey	1991	1995	-	Sep	lastSun	1:00s	0	-
+Rule	Turkey	1986	1993	-	Mar	lastSun	1:00s	1:00	S
+Rule	Turkey	1986	1995	-	Sep	lastSun	1:00s	0	-
+Rule	Turkey	1994	only	-	Mar	20	1:00s	1:00	S
+Rule	Turkey	1995	2006	-	Mar	lastSun	1:00s	1:00	S
 Rule	Turkey	1996	2006	-	Oct	lastSun	1:00s	0	-
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
 Zone	Europe/Istanbul	1:55:52 -	LMT	1880
 			1:56:56	-	IMT	1910 Oct # Istanbul Mean Time?
 			2:00	Turkey	EE%sT	1978 Oct 15
-			3:00	Turkey	TR%sT	1985 Apr 20 # Turkey Time
+			3:00	Turkey	+03/+04	1985 Apr 20
 			2:00	Turkey	EE%sT	2007
 			2:00	EU	EE%sT	2011 Mar 27  1:00u
 			2:00	-	EET	2011 Mar 28  1:00u
@@ -3566,7 +3606,8 @@
 			2:00	-	EET	2014 Mar 31  1:00u
 			2:00	EU	EE%sT	2015 Oct 25  1:00u
 			2:00	1:00	EEST	2015 Nov  8  1:00u
-			2:00	EU	EE%sT
+			2:00	EU	EE%sT	2016 Sep  7
+			3:00	-	+03
 Link	Europe/Istanbul	Asia/Istanbul	# Istanbul is in both continents.
 
 # Ukraine
--- a/test/sun/util/calendar/zi/tzdata/factory	Tue Dec 13 12:52:17 2016 -0800
+++ b/test/sun/util/calendar/zi/tzdata/factory	Tue Dec 20 13:28:30 2016 -0800
@@ -24,9 +24,10 @@
 # This file is in the public domain, so clarified as of
 # 2009-05-17 by Arthur David Olson.
 
-# For companies who don't want to put time zone specification in
-# their installation procedures.  When users run date, they'll get the message.
-# Also useful for the "comp.sources" version.
+# For distributors who don't want to put time zone specification in
+# their installation procedures.  Users that run 'date' will get the
+# time zone abbreviation "-00", indicating that the actual time zone
+# is unknown.
 
 # Zone	NAME	GMTOFF	RULES	FORMAT
-Zone	Factory	0	- "Local time zone must be set--see zic manual page"
+Zone	Factory	0	-	-00
--- a/test/sun/util/calendar/zi/tzdata/leapseconds	Tue Dec 13 12:52:17 2016 -0800
+++ b/test/sun/util/calendar/zi/tzdata/leapseconds	Tue Dec 20 13:28:30 2016 -0800
@@ -79,6 +79,7 @@
 Leap	2008	Dec	31	23:59:60	+	S
 Leap	2012	Jun	30	23:59:60	+	S
 Leap	2015	Jun	30	23:59:60	+	S
+Leap	2016	Dec	31	23:59:60	+	S
 
-#	Updated through IERS Bulletin C51
-#	File expires on:  28 December 2016
+#	Updated through IERS Bulletin C52
+#	File expires on:  28 June 2017
--- a/test/sun/util/calendar/zi/tzdata/northamerica	Tue Dec 13 12:52:17 2016 -0800
+++ b/test/sun/util/calendar/zi/tzdata/northamerica	Tue Dec 20 13:28:30 2016 -0800
@@ -47,8 +47,32 @@
 # was the result of his proposals at the Convention of Railroad Trunk Lines
 # in New York City (1869-10).  His 1870 proposal was based on Washington, DC,
 # but in 1872-05 he moved the proposed origin to Greenwich.
-# His proposal was adopted by the railroads on 1883-11-18 at 12:00,
-# and the most of the country soon followed suit.
+
+# From Paul Eggert (2016-09-21):
+# Dowd's proposal left many details unresolved, such as where to draw
+# lines between time zones.  The key individual who made time zones
+# work in the US was William Frederick Allen - railway engineer,
+# managing editor of the Travelers' Guide, and secretary of the
+# General Time Convention, a railway standardization group.  Allen
+# spent months in dialogs with scientific and railway leaders,
+# developed a workable plan to institute time zones, and presented it
+# to the General Time Convention on 1883-04-11, saying that his plan
+# meant "local time would be practically abolished" - a plus for
+# railway scheduling.  By the next convention on 1883-10-11 nearly all
+# railroads had agreed and it took effect on 1883-11-18 at 12:00.
+# That Sunday was called the "day of two noons", as the eastern parts
+# of the new zones observed noon twice.  Allen witnessed the
+# transition in New York City, writing:
+#
+#   I heard the bells of St. Paul's strike on the old time.  Four
+#   minutes later, obedient to the electrical signal from the Naval
+#   Observatory ... the time-ball made its rapid descent, the chimes
+#   of old Trinity rang twelve measured strokes, and local time was
+#   abandoned, probably forever.
+#
+# Most of the US soon followed suit.  See:
+# Bartky IR. The adoption of standard time. Technol Cult 1989 Jan;30(1):25-56.
+# http://dx.doi.org/10.2307/3105430
 
 # From Paul Eggert (2005-04-16):
 # That 1883 transition occurred at 12:00 new time, not at 12:00 old time.
@@ -436,11 +460,42 @@
 # north of the Salmon River, and the towns of Burgdorf and Warren),
 # Nevada (except West Wendover), Oregon (except the northern 3/4 of
 # Malheur county), and Washington
+
+# From Paul Eggert (2016-08-20):
+# In early February 1948, in response to California's electricity shortage,
+# PG&E changed power frequency from 60 to 59.5 Hz during daylight hours,
+# causing electric clocks to lose six minutes per day.  (This did not change
+# legal time, and is not part of the data here.)  See:
+# Ross SA. An energy crisis from the past: Northern California in 1948.
+# Working Paper No. 8, Institute of Governmental Studies, UC Berkeley,
+# 1973-11.  http://escholarship.org/uc/item/8x22k30c
+#
+# In another measure to save electricity, DST was instituted from 1948-03-14
+# at 02:01 to 1949-01-16 at 02:00, with the governor having the option to move
+# the fallback transition earlier.  See pages 3-4 of:
+# http://clerk.assembly.ca.gov/sites/clerk.assembly.ca.gov/files/archive/Statutes/1948/48Vol1_Chapters.pdf
+#
+# In response:
+#
+#   Governor Warren received a torrent of objecting mail, and it is not too much
+#   to speculate that the objections to Daylight Saving Time were one important
+#   factor in the defeat of the Dewey-Warren Presidential ticket in California.
+#     -- Ross, p 25
+#
+# On December 8 the governor exercised the option, setting the date to January 1
+# (LA Times 1948-12-09).  The transition time was 02:00 (LA Times 1949-01-01).
+#
+# Despite the controversy, in 1949 California voters approved Proposition 12,
+# which established DST from April's last Sunday at 01:00 until September's
+# last Sunday at 02:00. This was amended by 1962's Proposition 6, which changed
+# the fall-back date to October's last Sunday. See:
+# http://repository.uchastings.edu/cgi/viewcontent.cgi?article=1501&context=ca_ballot_props
+# http://repository.uchastings.edu/cgi/viewcontent.cgi?article=1636&context=ca_ballot_props
 #
 # Rule	NAME	FROM	TO	TYPE	IN	ON	AT	SAVE	LETTER
-Rule	CA	1948	only	-	Mar	14	2:00	1:00	D
+Rule	CA	1948	only	-	Mar	14	2:01	1:00	D
 Rule	CA	1949	only	-	Jan	 1	2:00	0	S
-Rule	CA	1950	1966	-	Apr	lastSun	2:00	1:00	D
+Rule	CA	1950	1966	-	Apr	lastSun	1:00	1:00	D
 Rule	CA	1950	1961	-	Sep	lastSun	2:00	0	S
 Rule	CA	1962	1966	-	Oct	lastSun	2:00	0	S
 # Zone	NAME		GMTOFF	RULES	FORMAT	[UNTIL]
@@ -3304,7 +3359,7 @@
 # indicating that the normal ET rules are followed.
 #
 # From Paul Eggert (2014-08-19):
-# The 2014-08-13 Cabinet meeting decided to stay on UTC-4 year-round.  See:
+# The 2014-08-13 Cabinet meeting decided to stay on UT -04 year-round.  See:
 # http://tcweeklynews.com/daylight-savings-time-to-be-maintained-p5353-127.htm
 # Model this as a switch from EST/EDT to AST ...
 # From Chris Walton (2014-11-04):
--- a/test/sun/util/calendar/zi/tzdata/southamerica	Tue Dec 13 12:52:17 2016 -0800
+++ b/test/sun/util/calendar/zi/tzdata/southamerica	Tue Dec 20 13:28:30 2016 -0800
@@ -433,9 +433,9 @@
 # stuck on Summer daylight savings time even though the summer is over.
 
 # From Paul Eggert (2013-09-05):
-# Perhaps San Luis operates on the legal fiction that it is at UTC-4
+# Perhaps San Luis operates on the legal fiction that it is at -04
 # with perpetual summer time, but ordinary usage typically seems to
-# just say it's at UTC-3; see, for example,
+# just say it's at -03; see, for example,
 # http://es.wikipedia.org/wiki/Hora_oficial_argentina
 # We've documented similar situations as being plain changes to
 # standard time, so let's do that here too.  This does not change UTC
--- a/test/sun/util/calendar/zi/tzdata/zone.tab	Tue Dec 13 12:52:17 2016 -0800
+++ b/test/sun/util/calendar/zi/tzdata/zone.tab	Tue Dec 20 13:28:30 2016 -0800
@@ -175,7 +175,8 @@
 CV	+1455-02331	Atlantic/Cape_Verde
 CW	+1211-06900	America/Curacao
 CX	-1025+10543	Indian/Christmas
-CY	+3510+03322	Asia/Nicosia
+CY	+3510+03322	Asia/Nicosia	Cyprus (most areas)
+CY	+3507+03357	Asia/Famagusta	Northern Cyprus
 CZ	+5005+01426	Europe/Prague
 DE	+5230+01322	Europe/Berlin	Germany (most areas)
 DE	+4742+00841	Europe/Busingen	Busingen
@@ -284,7 +285,7 @@
 MH	+0905+16720	Pacific/Kwajalein	Kwajalein
 MK	+4159+02126	Europe/Skopje
 ML	+1239-00800	Africa/Bamako
-MM	+1647+09610	Asia/Rangoon
+MM	+1647+09610	Asia/Yangon
 MN	+4755+10653	Asia/Ulaanbaatar	Mongolia (most areas)
 MN	+4801+09139	Asia/Hovd	Bayan-Olgiy, Govi-Altai, Hovd, Uvs, Zavkhan
 MN	+4804+11430	Asia/Choibalsan	Dornod, Sukhbaatar