Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
X-Debbugs-Cc: Matthias Klose
[ Reason ]
The bullseye-security upload of openjdk-17 broke the very fragile
assumption in ca-certificates-java that a jre can be used even
before it was configured for the first time.
As a result new installations of openjdk-17-jre-headless from
bullseye-security (or -pu) (and its circular dependency
ca-certificates-java from bookworm) will fail, #1039472, (but
upgrades seem to work fine, since the jre has been configured at
least once in the past).
[ Impact ]
openjdk will fail on new installations after the next point release.
[ Tests ]
local piuparts tests of bullseye with the fixed package installed,
buster->bullseye with the fixed package in the upgrade path and
bullseye->bookworm starting from the fixed package.
All installation/upgrades work fine.
[ Risks ]
The hack may break with the next openjdk-17 upload to oldstable, but
there is no alternative solution as trigger support is not yet prepared
in bullseye.
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
In case ca-certificates-java wants to run with a not-yet-configured-once
jre, try to temporarily place a java.security file to make the java
command runnable again.
[ Other info ]
The patch is a backported variant of the HACK that temporarily appeared
in sid (ca-certificates-java 20230620).
Andreas
From f020db198e9e96dbc9ddaf4b3dbe3d9247b85ae5 Mon Sep 17 00:00:00 2001
From: Matthias Klose
Date: Tue, 20 Jun 2023 06:13:02 +0200
Subject: [PATCH] [ Vladimir Petko ] * d/ca-certificates-java.postinst:
Work-around not yet configured jre.
(cherry picked from commit 561054ed46afe59b5996974e168418362c872d20)
---
debian/changelog | 8
debian/postinst | 7 +++
2 files changed, 15 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index e35274e..a49805a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+ca-certificates-java (20190909+deb11u1) bullseye; urgency=medium
+
+ [ Vladimir Petko ]
+ * d/ca-certificates-java.postinst: Work-around not yet configured jre.
+(Closes: #1039472)
+
+ -- Andreas Beckmann Tue, 27 Jun 2023 01:12:19 +0200
+
ca-certificates-java (20190909) unstable; urgency=medium
* Team upload.
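Review bot: The new changelog entry names d/ca-certificates-java.postinst, but the file this patch changes is debian/postinst (see the diffstat and the second diff header), so the entry points at a file that is not touched here. Suggest writing "d/postinst" in the bullseye entry and stating in the same bullet what the workaround does (copies java.security.dpkg-new to java.security when the latter is missing), so the entry stands on its own for anyone reading the stable changelog. As shown here, the "(Closes: #1039472)" line also starts directly after the "+" while the other added lines are indented; it should be indented as a continuation of the bullet.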
diff --git a/debian/postinst b/debian/postinst
index 555f87b..7d68036 100644
--- a/debian/postinst
+++ b/debian/postinst
@@ -50,6 +50,13 @@ setup_path()
if [ -x /usr/lib/jvm/$jvm/bin/java ]; then
export JAVA_HOME=/usr/lib/jvm/$jvm
PATH=$JAVA_HOME/bin:$PATH
+ # copy java.security to allow import to function
+ security_conf=/etc/${jvm%-${arch}}/security
+ if [ -f ${security_conf}/java.security.dpkg-new ] \
+ && [ ! -f ${security_conf}/java.security ]; then
+ cp -v ${security_conf}/java.security.dpkg-new \
+ ${security_conf}/java.security
+ fi
break
fi
done
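Review bot: The cp in the added block leaves ${security_conf}/java.security in place for good, while the request describes placing the file temporarily; nothing in this hunk removes it after the import or records that the workaround created it. Suggest either removing the copy once the import has run (only when this script created it), or extending the comment "# copy java.security to allow import to function" to say that the file is intentionally left for dpkg to take over when the jre is configured, with a reference to #1039472. The expansions are also unquoted: quote "${security_conf}/java.security.dpkg-new" and the destination in both tests and in the cp. The path depends on ${jvm%-${arch}}, and arch is not set in the visible lines, so confirm it is assigned before this loop; with an empty value the suffix is not stripped, the directory does not match, and the workaround is skipped without any message.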
--
2.20.1