Bug#825730: ca-certificates: using --noawait triggers breaks downloader packages
Followup-For: Bug #825730
Control: found -1 20141019+deb8u2

Hi,

the fix that was backported to jessie is incomplete. update-ca-certificates in jessie does not know about the --hooksdir option, therefore the call that was added in the postinst is a no-op that just prints the usage and initial update of /etc/ssl/certs is still deferred to the hooks:

Selecting previously unselected package ca-certificates.
Preparing to unpack .../ca-certificates_20141019+deb8u2_all.deb ...
Unpacking ca-certificates (20141019+deb8u2) ...
Setting up ca-certificates (20141019+deb8u2) ...
/usr/sbin/update-ca-certificates: [--verbose] [--fresh]
Processing triggers for ca-certificates (20141019+deb8u2) ...
Updating certificates in /etc/ssl/certs... 174 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.ddone.

Looks like you need to backport some more commits to get the --hooksdir option for update-ca-certificates into jessie, too. At least this one (but I didn't test whether this is sufficient):

fd660d3 Allow customisation of the paths used by update-ca-certificates

Andreas
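The symptom in the log above can be checked mechanically. The following is an added example, not part of the original message or of the ca-certificates package: it reads dpkg output and reports whether /etc/ssl/certs was updated while ca-certificates was being set up or only later in trigger processing. The function names and verdict strings are hypothetical, and the second sample log is constructed.

```shell
#!/bin/sh
# Added example: report the phase of a dpkg run in which /etc/ssl/certs was
# updated. Markers come from the output quoted in this thread; the function
# names and verdict strings are hypothetical.

certs_update_phase() {
    # stdin: dpkg/apt output. stdout: configure | deferred | none, with
    # "+usage" appended when update-ca-certificates printed its usage line
    # while ca-certificates was being set up (an option was rejected).
    awk '
        /^Setting up ca-certificates /              { phase = "configure"; next }
        /^Processing triggers for ca-certificates / { phase = "trigger"; next }
        /^(Setting up|Processing triggers for) /    { phase = ""; next }
        phase == "configure" && /update-ca-certificates: \[--verbose\]/ { usage = 1 }
        /^Updating certificates in / {
            if (phase == "configure") in_configure = 1
            if (phase == "trigger") in_trigger = 1
        }
        END {
            verdict = in_configure ? "configure" : (in_trigger ? "deferred" : "none")
            suffix = usage ? "+usage" : ""
            print verdict suffix
        }
    '
}

sample_jessie_log() {   # lines as quoted in the message above
    cat <<'EOF'
Unpacking ca-certificates (20141019+deb8u2) ...
Setting up ca-certificates (20141019+deb8u2) ...
/usr/sbin/update-ca-certificates: [--verbose] [--fresh]
Processing triggers for ca-certificates (20141019+deb8u2) ...
Updating certificates in /etc/ssl/certs... 174 added, 0 removed; done.
EOF
}

sample_fixed_log() {    # constructed: a synchronous update during configure
    cat <<'EOF'
Setting up ca-certificates (VERSION) ...
Updating certificates in /etc/ssl/certs... 174 added, 0 removed; done.
Setting up wget (1.17.1-2) ...
Processing triggers for ca-certificates (VERSION) ...
Updating certificates in /etc/ssl/certs... 0 added, 0 removed; done.
EOF
}

sample_jessie_log | certs_update_phase
sample_fixed_log | certs_update_phase
```

A verdict of deferred or none means a package configured between "Setting up ca-certificates" and the trigger run could not rely on /etc/ssl/certs.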
Bug#825730: ca-certificates: using --noawait triggers breaks downloader packages
Stable update requested! Thanks again for the report, Andreas.

https://bugs.debian.org/844746
"jessie-pu: package ca-certificates/20141019+deb8u2"

-- 
Kind regards,
Michael Shuler
Bug#825730: ca-certificates: using --noawait triggers breaks downloader packages
On 09/11/2016 03:48 AM, Andreas Beckmann wrote:
> The fix is quite easy: we just need to run update-ca-certificates
> *without* processing the hooks during postinst configure:
>
> update-ca-certificates --hooksdir ""

Thanks Andreas! I'll test this out as soon as I can.

> This should be backported to stable, too.

I have a pending stable upload after the next unstable, so as long as test install works and this fits for stable-updates policy, I don't see a problem with that.

-- 
Kind regards,
Michael
Bug#825730: ca-certificates: using --noawait triggers breaks downloader packages
Followup-For: Bug #825730 Control: tag -1 patch The fix is quite easy: we just need to run update-ca-certificates *without* processing the hooks during postinst configure: update-ca-certificates --hooksdir "" This should be backported to stable, too. Andreas >From 1d989acd2c53a9242845a6fe84e2a97098e1b256 Mon Sep 17 00:00:00 2001 From: Andreas Beckmann Date: Sun, 11 Sep 2016 10:26:10 +0200 Subject: [PATCH] initially populate /etc/ssh/certs during postinst configure run update-ca-certificates without hooks (which are deferred to the noawait trigger) --- debian/changelog | 6 ++ debian/postinst | 7 +-- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/debian/changelog b/debian/changelog index ffd5c73..46e8ed3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -23,6 +23,12 @@ ca-certificates (20160816) unstable; urgency=medium Update to Standards-Version: 3.9.8 Update to Vcs-Browser/Vcs-Git: https URLs + [ Andreas Beckmann ] + * debian/postinst: +Run update-certificates without hooks to initially populate +/etc/ssl/certs. (The hooks are deferred to the noawait trigger.) +(Closes: #825730) + -- Michael Shuler Tue, 16 Aug 2016 21:50:14 -0500 ca-certificates (20160104) unstable; urgency=medium diff --git a/debian/postinst b/debian/postinst index f7ef7f4..21586bb 100644 --- a/debian/postinst +++ b/debian/postinst @@ -138,13 +138,16 @@ EOF -e 's/^[[:space:]]*1[[:space:]]*/!/' \ >> /etc/ca-certificates.conf fi + # update /etc/ssl/certs without running the hooks # fix bogus symlink to ca-certificates.crt on upgrades; see # Debian #643667; drop after wheezy if dpkg --compare-versions "$2" lt-nl 20111025; then - dpkg-trigger --no-await update-ca-certificates-fresh + update-ca-certificates --hooksdir "" --fresh else - dpkg-trigger --no-await update-ca-certificates + update-ca-certificates --hooksdir "" fi + # deferred update of /etc/ssl/certs including running the hooks + dpkg-trigger --no-await update-ca-certificates ;; triggered) -- 2.9.3
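Review bot: the debian/changelog entry names the command as "update-certificates", while the postinst hunk calls update-ca-certificates, and the patch subject says /etc/ssh/certs where the changelog and the postinst comment say /etc/ssl/certs. Both strings should match the real command and directory, since the changelog text is what anyone evaluating a backport will search for.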
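Review bot: in the debian/postinst hunk the new comment "# update /etc/ssl/certs without running the hooks" is inserted above the existing "fix bogus symlink ... Debian #643667" comment, so the two read as one block and it is no longer clear that only the lt-nl 20111025 test belongs to #643667. Moving the new comment next to the two update-ca-certificates --hooksdir "" calls, or separating the comments with a blank line, would fix that. The synchronous calls also depend on update-ca-certificates accepting --hooksdir, which the follow-up in this thread reports is not the case in jessie, so the changelog entry should state that requirement for anyone backporting the change.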
Bug#825730: ca-certificates: using --noawait triggers breaks downloader packages
The ca-certificates triggers were added to deal with installation/upgrade problems in https://bugs.debian.org/537051

Do you have a suggested patch that also properly handles the issues presented in #537051?

I would suggest that downloader packages possibly might pre-depend on ca-certificates, if that is required by the download, as a possible fix. I'm not sure if the trigger runs to completion first, as a pre-depend package.

-- 
Kind regards,
Michael
Bug#825730: ca-certificates: using --noawait triggers breaks downloader packages
Package: ca-certificates
Version: 20160104
Severity: important
User: debian...@lists.debian.org
Usertags: piuparts
Control: found -1 20141019+deb8u1
Control: affects -1 + google-android-build-tools-installer

Hi,

ca-certificates.postinst activates the update-ca-certificates trigger with --noawait. This breaks downloader packages that are configured in the same run as (an initial install of) ca-certificates because /etc/ssl/certs is not set up at the time the downloader-pkg.postinst runs even though it Depends: ca-certificates.

In a minimal (piuparts) sid:i386 chroot with main+contrib:

# apt-get install google-android-build-tools-installer
Reading package lists... Done
Building dependency tree... Done
The following additional packages will be installed:
  ca-certificates libffi6 libgmp10 libgnutls30 libhogweed4 libicu55 libidn11
  libnettle6 libp11-kit0 libpsl0 libssl1.0.2 libtasn1-6 make openssl unzip wget
Suggested packages:
  gnutls-bin make-doc zip
Recommended packages:
  publicsuffix
The following NEW packages will be installed:
  ca-certificates google-android-build-tools-installer libffi6 libgmp10
  libgnutls30 libhogweed4 libicu55 libidn11 libnettle6 libp11-kit0 libpsl0
  libssl1.0.2 libtasn1-6 make openssl unzip wget
0 upgraded, 17 newly installed, 0 to remove and 1 not upgraded.
Need to get 114 kB/13.4 MB of archives.
After this operation, 47.6 MB of additional disk space will be used.
Get:1 http://ftp.de.debian.org/debian sid/main i386 libidn11 i386 1.32-3 [114 kB]
Fetched 114 kB in 0s (0 B/s)
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package libssl1.0.2:i386.
(Reading database ... 7239 files and directories currently installed.)
Preparing to unpack .../libssl1.0.2_1.0.2h-1_i386.deb ...
Unpacking libssl1.0.2:i386 (1.0.2h-1) ...
Selecting previously unselected package libgmp10:i386.
Preparing to unpack .../libgmp10_2%3a6.1.0+dfsg-2_i386.deb ...
Unpacking libgmp10:i386 (2:6.1.0+dfsg-2) ...
Selecting previously unselected package libnettle6:i386.
Preparing to unpack .../libnettle6_3.2-1_i386.deb ...
Unpacking libnettle6:i386 (3.2-1) ...
Selecting previously unselected package libhogweed4:i386.
Preparing to unpack .../libhogweed4_3.2-1_i386.deb ...
Unpacking libhogweed4:i386 (3.2-1) ...
Selecting previously unselected package libidn11:i386.
Preparing to unpack .../libidn11_1.32-3_i386.deb ...
Unpacking libidn11:i386 (1.32-3) ...
Selecting previously unselected package libffi6:i386.
Preparing to unpack .../libffi6_3.2.1-4_i386.deb ...
Unpacking libffi6:i386 (3.2.1-4) ...
Selecting previously unselected package libp11-kit0:i386.
Preparing to unpack .../libp11-kit0_0.23.2-3_i386.deb ...
Unpacking libp11-kit0:i386 (0.23.2-3) ...
Selecting previously unselected package libtasn1-6:i386.
Preparing to unpack .../libtasn1-6_4.8-1_i386.deb ...
Unpacking libtasn1-6:i386 (4.8-1) ...
Selecting previously unselected package libgnutls30:i386.
Preparing to unpack .../libgnutls30_3.4.12-2_i386.deb ...
Unpacking libgnutls30:i386 (3.4.12-2) ...
Selecting previously unselected package libicu55:i386.
Preparing to unpack .../libicu55_55.1-7_i386.deb ...
Unpacking libicu55:i386 (55.1-7) ...
Selecting previously unselected package libpsl0:i386.
Preparing to unpack .../libpsl0_0.11.0-2_i386.deb ...
Unpacking libpsl0:i386 (0.11.0-2) ...
Selecting previously unselected package wget.
Preparing to unpack .../wget_1.17.1-2_i386.deb ...
Unpacking wget (1.17.1-2) ...
Selecting previously unselected package openssl.
Preparing to unpack .../openssl_1.0.2h-1_i386.deb ...
Unpacking openssl (1.0.2h-1) ...
Selecting previously unselected package ca-certificates.
Preparing to unpack .../ca-certificates_20160104_all.deb ...
Unpacking ca-certificates (20160104) ...
Selecting previously unselected package make.
Preparing to unpack .../archives/make_4.1-9_i386.deb ...
Unpacking make (4.1-9) ...
Selecting previously unselected package unzip.
Preparing to unpack .../archives/unzip_6.0-20_i386.deb ...
Unpacking unzip (6.0-20) ...
Selecting previously unselected package google-android-build-tools-installer.
Preparing to unpack .../google-android-build-tools-installer_23.0.2.1_i386.deb ...
Unpacking google-android-build-tools-installer (23.0.2.1) ...
Processing triggers for libc-bin (2.22-9) ...
Setting up libssl1.0.2:i386 (1.0.2h-1) ...
Setting up libgmp10:i386 (2:6.1.0+dfsg-2) ...
Setting up libnettle6:i386 (3.2-1) ...
Setting up libhogweed4:i386 (3.2-1) ...
Setting up libidn11:i386 (1.32-3) ...
Setting up libffi6:i386 (3.2.1-4) ...
Setting up libp11-kit0:i386 (0.23.2-3) ...
Setting up libtasn1-6:i386 (4.8-1) ...
Setting up libgnutls30:i386 (3.4.12-2) ...
Setting up libicu55:i386 (55.1-7) ...
Setting up libpsl0:i386 (0.11.0-2) ...
Setting up wget (1.17.1-2) ...
Setting up openssl (1.0.2h-1) ...
Setting up ca-certificates (20160104) ...
Setting up make (4.1-9) ...
Setting up unzip (6.0-20) ...
Setting up google-android-build-tools-installer (23.0.2.1) ...
make: Entering directory '/