Followup-For: Bug #929685
Control: tag -1 patch

Hi,

I looked into this again and would suggest demoting the ca-certificates-java -> default-jre-headless dependency to a recommends. ca-certificates-java will have to gracefully handle the case that no JRE is available at all and that one becomes available later. No package in the archive depends on ca-certificates-java and expects to get a JRE that way.

This does not change anything for packages depending on default-jre-headless or openjdk-11-jre-headless or an installation of ca-certificates-java with --install-recommends enabled (default), just the order of configuration gets more deterministic.

The interesting case is installation of ca-certificates-java without recommends if no JRE is installed, and a subsequent installation of a jre-headless package. I solved this via triggers on /usr/lib/jvm which are propagated to the update-ca-certificates trigger. This does not seem to work entirely as I wanted, since /etc/ssl/certs/java/cacerts does not get populated in this case, but I'm not sure how the hook script is supposed to work:

* if I manually delete /etc/ssl/certs/java/cacerts and dpkg-reconfigure ca-certificates afterwards to run the hook scripts, only a 32-byte large file is created
* if I install ca-certificates-java in stretch and thereafter upgrade ca-certificates to the buster version, ca-certificates reports some added and some removed certificates, but running the hook script does not seem to update /etc/ssl/certs/java/cacerts either.

Please see the attached patch that implements this in ca-certificates-java. I verified that the problematic upgrade path is fixed with this updated package.

I also fixed some issues (mostly inconsistencies w.r.t. supported Java versions) I noticed while developing this patch.

Andreas
diff -Nru ca-certificates-java-20190405/debian/ca-certificates-java.triggers ca-certificates-java-20190405+nmu1/debian/ca-certificates-java.triggers --- ca-certificates-java-20190405/debian/ca-certificates-java.triggers 2019-04-05 14:49:31.000000000 +0200 +++ ca-certificates-java-20190405+nmu1/debian/ca-certificates-java.triggers 2019-06-17 10:34:45.000000000 +0200 @@ -1 +1,2 @@ activate update-ca-certificates +interest /usr/lib/jvm diff -Nru ca-certificates-java-20190405/debian/changelog ca-certificates-java-20190405+nmu1/debian/changelog --- ca-certificates-java-20190405/debian/changelog 2019-04-05 14:56:54.000000000 +0200 +++ ca-certificates-java-20190405+nmu1/debian/changelog 2019-06-17 10:34:45.000000000 +0200 @@ -1,3 +1,18 @@ +ca-certificates-java (20190405+nmu1) UNRELEASED; urgency=medium + + * Non-maintainer upload. + * Do not be satisfied by java7-runtime-headless. + * debian/jks-keystore.hook.in: Support Java 12-17. + * debian/postinst.in: Avoid warning about missing + /etc/ssl/certs/java/cacerts on initial install. + * Demote JRE dependency to Recommends to break dependency cycle. + (Closes: #929685) + * Skip Java certificates setup if no JRE is available. + * Add trigger on /usr/lib/jvm to perform Java certificates setup if a JRE + becomes available. + + -- Andreas Beckmann <a...@debian.org> Mon, 17 Jun 2019 10:34:45 +0200 + ca-certificates-java (20190405) unstable; urgency=medium * Team upload. diff -Nru ca-certificates-java-20190405/debian/control ca-certificates-java-20190405+nmu1/debian/control --- ca-certificates-java-20190405/debian/control 2019-04-05 14:49:31.000000000 +0200 +++ ca-certificates-java-20190405+nmu1/debian/control 2019-06-17 10:34:45.000000000 +0200 
@@ -13,9 +13,9 @@ Architecture: all Multi-Arch: foreign Depends: ca-certificates (>= 20121114), - default-jre-headless | java8-runtime-headless, ${misc:Depends}, ${nss:Depends} +Recommends: default-jre-headless (>= 2:1.8) | java8-runtime-headless, # We need a versioned Depends due to multiarch changes (bug #635571). Description: Common CA certificates (JKS keystore) This package uses the hooks of the ca-certificates package to update the diff -Nru ca-certificates-java-20190405/debian/jks-keystore.hook.in ca-certificates-java-20190405+nmu1/debian/jks-keystore.hook.in --- ca-certificates-java-20190405/debian/jks-keystore.hook.in 2019-04-05 14:49:31.000000000 +0200 +++ ca-certificates-java-20190405+nmu1/debian/jks-keystore.hook.in 2019-06-17 10:34:45.000000000 +0200 @@ -35,8 +35,7 @@ exit 1 fi -for jvm in java-7-openjdk-$arch java-7-openjdk \ - oracle-java7-jre-$arch oracle-java7-server-jre-$arch oracle-java7-jdk-$arch \ +for jvm in \ java-8-openjdk-$arch java-8-openjdk \ oracle-java8-jre-$arch oracle-java8-server-jre-$arch oracle-java8-jdk-$arch \ java-9-openjdk-$arch java-9-openjdk \ 
@@ -44,7 +43,19 @@ java-10-openjdk-$arch java-10-openjdk \ oracle-java10-jre-$arch oracle-java10-server-jre-$arch oracle-java10-jdk-$arch \ java-11-openjdk-$arch java-11-openjdk \ - oracle-java11-jre-$arch oracle-java11-server-jre-$arch oracle-java11-jdk-$arch; do + oracle-java11-jre-$arch oracle-java11-server-jre-$arch oracle-java11-jdk-$arch \ + java-12-openjdk-$arch java-12-openjdk \ + oracle-java12-jre-$arch oracle-java12-server-jre-$arch oracle-java12-jdk-$arch \ + java-13-openjdk-$arch java-13-openjdk \ + oracle-java13-jre-$arch oracle-java13-server-jre-$arch oracle-java13-jdk-$arch \ + java-14-openjdk-$arch java-14-openjdk \ + oracle-java14-jre-$arch oracle-java14-server-jre-$arch oracle-java14-jdk-$arch \ + java-15-openjdk-$arch java-15-openjdk \ + oracle-java15-jre-$arch oracle-java15-server-jre-$arch oracle-java15-jdk-$arch \ + java-16-openjdk-$arch java-16-openjdk \ + oracle-java16-jre-$arch oracle-java16-server-jre-$arch oracle-java16-jdk-$arch \ + java-17-openjdk-$arch java-17-openjdk \ + oracle-java17-jre-$arch oracle-java17-server-jre-$arch oracle-java17-jdk-$arch; do if [ -x /usr/lib/jvm/$jvm/bin/java ]; then export JAVA_HOME=/usr/lib/jvm/$jvm PATH=$JAVA_HOME/bin:$PATH @@ -52,6 +63,11 @@ fi done +if ! which java >/dev/null; then + echo "No JRE found. Skipping Java certificates setup." + return +fi + if dpkg-query --version >/dev/null; then nsspkg=$(dpkg-query -L "$(nsslib_name)" | sed -n 's,\(.*\)/libnss3\.so$,\1,p'|head -n 1) nsscfg=/etc/${jvm%-$arch}/security/nss.cfg diff -Nru ca-certificates-java-20190405/debian/postinst.in ca-certificates-java-20190405+nmu1/debian/postinst.in --- ca-certificates-java-20190405/debian/postinst.in 2019-04-05 14:52:55.000000000 +0200 +++ ca-certificates-java-20190405+nmu1/debian/postinst.in 2019-06-17 10:34:45.000000000 +0200 @@ -1,6 +1,11 @@ #!/bin/bash set -e +if [ "$1" = "triggered" ]; then + dpkg-trigger update-ca-certificates + exit 0 +fi + # use the locale C.UTF-8 unset LC_ALL LC_CTYPE=C.UTF-8 
@@ -25,8 +30,7 @@ setup_path() { - for jvm in java-7-openjdk-$arch java-7-openjdk \ - oracle-java7-jre-$arch oracle-java7-server-jre-$arch oracle-java7-jdk-$arch \ + for jvm in \ java-8-openjdk-$arch java-8-openjdk \ oracle-java8-jre-$arch oracle-java8-server-jre-$arch oracle-java8-jdk-$arch \ java-9-openjdk-$arch java-9-openjdk \ @@ -86,6 +90,11 @@ first_install() { + if ! which java >/dev/null; then + echo "No JRE found. Skipping Java certificates setup." + return + fi + if which dpkg-query >/dev/null; then nsspkg=$(dpkg-query -L "$(nsslib_name)" | sed -n 's,\(.*\)/libnss3\.so$,\1,p'|head -n 1) nsscfg=/etc/${jvm%-$arch}/security/nss.cfg @@ -136,8 +145,8 @@ setup_path if dpkg --compare-versions "$2" lt "20180516"; then - if [ -e /etc/ssl/certs/java/cacerts \ - -a "$(head -c4 /etc/ssl/certs/java/cacerts)" != "$(echo -en '\xfe\xed\xfe\xed')" ]; then + if [ -e /etc/ssl/certs/java/cacerts ] && \ + [ "$(head -c4 /etc/ssl/certs/java/cacerts)" != "$(echo -en '\xfe\xed\xfe\xed')" ]; then check_proc convert_pkcs12_keystore_to_jks fi
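
Review bot: In debian/ca-certificates-java.triggers, the added `interest /usr/lib/jvm` is the awaiting variant, so every package that installs, changes or removes files under /usr/lib/jvm is left in triggers-awaited state until ca-certificates-java has processed the trigger. Since the point of this upload is to break an ordering cycle with the JRE packages, `interest-noawait /usr/lib/jvm` looks like the safer directive. The trigger also fires on JRE upgrades and removals, not only when a JRE "becomes available", which the changelog entry should say.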
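
Review bot: In the debian/control hunk, the new Recommends line is inserted between `${misc:Depends}, ${nss:Depends}` and the comment `# We need a versioned Depends due to multiarch changes (bug #635571).`, so that comment now appears to describe Recommends. Move the comment up next to Depends (or put Recommends below it) and drop the trailing comma on the Recommends line, since no further alternative follows. The new `(>= 2:1.8)` bound on default-jre-headless is presumably what the changelog item "Do not be satisfied by java7-runtime-headless" refers to; naming the bound there would make that explicit.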
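
Review bot: In debian/jks-keystore.hook.in (hunk @@ -52,6 +63,11 @@), the new no-JRE guard ends with `return`, but it is placed directly after the `done` of the JVM loop, and the error path shown earlier in the same file uses `exit 1`, which suggests this is top-level script code rather than a function body. If the hook is executed and not sourced, `return` outside a function is not something to rely on across shells; use `exit 0` so the hook reports success when it skips. `command -v java >/dev/null` would also avoid depending on `which`.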
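
Review bot: In debian/postinst.in (hunk @@ -1,6 +1,11 @@), the `triggered` branch runs `dpkg-trigger update-ca-certificates` and exits before setup_path and first_install are defined or called, so the keystore setup that the changelog promises ("perform Java certificates setup if a JRE becomes available") is left entirely to whatever the ca-certificates hook run does. Consider placing this branch below the function definitions and running the same setup as on a fresh install when /etc/ssl/certs/java/cacerts is missing. The branch also ignores `$2`, which carries the names of the triggers that fired; checking it for /usr/lib/jvm would keep other triggers from taking this path.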
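
Review bot: In debian/postinst.in (hunk @@ -25,8 +30,7 @@), setup_path only loses its Java 7 entries, and no hunk in this patch extends its list, while the loop in jks-keystore.hook.in gains java-12 through java-17. If the postinst list ends at Java 11 as the hook's list did, a system whose only JRE is newer would be found by the hook but not by setup_path. Generating both loops from one list would stop the two files from drifting apart again.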
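
The 32-byte file mentioned in the message and the `\xfe\xed\xfe\xed` test in the last postinst hunk can both be checked by reading the keystore header. The following is an added example, not part of the original patch or of ca-certificates-java; the function name `keystore_status` is hypothetical and the sample files are constructed. It assumes the JKS layout of a 4-byte magic, 4-byte version, 4-byte big-endian entry count, the entries, and a trailing 20-byte SHA-1 digest, under which a keystore with zero entries is exactly 12 + 20 = 32 bytes.

```shell
#!/bin/sh
# Added example: classify a Java keystore file by its 12-byte header.
# Assumed JKS layout: magic 0xFEEDFEED, version, big-endian entry count,
# entries, 20-byte SHA-1 digest. An empty JKS is therefore 32 bytes long.

keystore_status() {
    f=$1
    [ -e "$f" ] || { echo missing; return 0; }
    # First 12 bytes as one hex string, e.g. feedfeed0000000200000000
    hdr=$(od -An -tx1 -N12 "$f" | tr -d ' \n')
    case $hdr in
        feedfeed????????????????) ;;          # magic + version + count present
        *) echo not-jks; return 0 ;;          # PKCS#12, truncated, or other
    esac
    # Last 8 hex digits of the header are the entry count.
    count=$((0x${hdr#????????????????}))
    if [ "$count" -eq 0 ]; then
        echo jks-empty
    else
        echo "jks-entries=$count"
    fi
}

# Constructed samples (not real keystores; digests and bodies are dummies).
demo() {
    d=$(mktemp -d)
    { printf '\376\355\376\355\000\000\000\002\000\000\000\000'
      head -c 20 /dev/zero; } > "$d/empty.jks"           # 32 bytes, 0 entries
    printf '\376\355\376\355\000\000\000\002\000\000\000\212' > "$d/full.jks"
    printf '\060\202\012\000' > "$d/store.p12"           # DER SEQUENCE start
    for f in "$d/empty.jks" "$d/full.jks" "$d/store.p12" "$d/absent"; do
        printf '%s: %s\n' "${f##*/}" "$(keystore_status "$f")"
    done
    rm -rf "$d"
}

# With arguments, report on the given files; otherwise run the demo.
if [ $# -gt 0 ]; then
    for f in "$@"; do printf '%s: %s\n' "$f" "$(keystore_status "$f")"; done
else
    demo
fi
```

Run against /etc/ssl/certs/java/cacerts after a hook run, `jks-empty` means the hook wrote a valid keystore but imported no certificates, which is a different failure from the hook not running at all.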