log.Infof("Use roots from %v and watch", fileBundle.RootCertFile)

		caBundle = s.CA.GetCAKeyCertBundle().GetRootCertPem()
		// Similar code to istio-ca-secret: refresh the root cert, but in casecrets
		s.addStartFunc("istiod server certificate rotation", func(stop <-chan struct{}) error {
			go func() {
				// regenerate istiod key cert when root cert changes.
				s.watchRootCertAndGenKeyCert(stop)

			// load ca certificates into a pool
			roots := x509.NewCertPool()
			for _, caCert := range caCerts {
				roots.AddCert(caCert)
			}

			<-startedCh

			// try to dial
			addr := fmt.Sprintf("localhost:%d", secureOptions.BindPort)
			t.Logf("Dialing %s as %q", addr, test.ServerName)
			conn, err := tls.Dial("tcp", addr, &tls.Config{
				RootCAs:    roots,

     * tries to step beyond the file system root, the root is returned.
     */
    public static File normalize(File src) {
        String path = src.getAbsolutePath();
        String normalizedPath = FilenameUtils.normalizeNoEndSeparator(path);
        if (normalizedPath != null) {
            return new File(normalizedPath);
        }
        File root = src;
        File parent = root.getParentFile();

starting with its own and including everything up-to but not including the root. We don't need to
include root certificates because the client already has them.

```java
HandshakeCertificates serverHandshakeCertificates = new HandshakeCertificates.Builder()
    .heldCertificate(serverCertificate, intermediateCertificate.certificate())
    .build();
```

The client only needs to know the trusted root certificate. It checks the server's certificate by

# Regression test for https://golang.org/issue/47979:
#
# An argument to 'go get' that results in an upgrade to a different existing
# root should be allowed, and should not panic the 'go' command.

cp go.mod go.mod.orig


# Transitive upgrades from upgraded roots should not prevent
# 'go get -u' from performing upgrades.

cp go.mod.orig go.mod
go get -u .
cmp go.mod go.mod.want

	}

	// Will use TLS unless the reserved 15010 port is used ( istiod on an ipsec/secure VPC)
	// rootCert may be nil - in which case the system roots are used, and the CA is expected to have public key
	// Otherwise assume the injection has mounted /etc/certs/root-cert.pem
	return citadel.NewCitadelClient(opts, tlsOpts)
}

func init() {
	providers["Citadel"] = createCitadel
}

 *    certificates to establish trust from a root certificate to the server's certificate. The root
 *    certificate is not included in this chain.
 *  * The client's handshake certificates must include a set of trusted root certificates. They will
 *    be used to authenticate the server's certificate chain. Typically this is a set of well-known
 *    root certificates that is distributed with the HTTP client or its platform. It may be

        )
    }

    def "can fetch buildscript classpath for sub-project script outside root project dir"() {

        given:
        def rootDependency = withEmptyJar("libs/root.jar")
        def subDependency = withEmptyJar("libs/sub.jar")

        and:
        withDefaultSettingsIn("root").append("""
            include("sub")
            project(":sub").apply {

        action.execute(deleteSpec);
        FileCollectionInternal roots = fileCollectionFactory.resolving(deleteSpec.getPaths());
        boolean didWork = false;
        for (File root : roots) {
            try {
                didWork |= deleter.deleteRecursively(root, deleteSpec.isFollowSymlinks());
            } catch (IOException ex) {
                throw new UncheckedIOException(ex);

Dependencies found in the `implementation` configuration will, on the other hand, not be exposed to consumers, and therefore not leak into the consumer's compile include root and link libraries.
This comes with several benefits: