Re: ca-certificates-java_20170930_source.changes ACCEPTED into unstable
Le 2/10/2017 à 23:16, Tiago Daitx a écrit : > To give an overview of the issue, this happens during install time > when both openjdk and ca-certificates are being installed because > /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/amd64/jvm.cfg is a symlink > to /etc/java-8-openjdk/jvm-amd64.cfg (on amd64) which does not exist > until the openjdk package is configured. The patched openjdk looks > instead for the other default jvm.cfg that we ship exactly for this > reason. Hi Tiago, Thanks a lot for the detailed explanation, this is much clearer now. Emmanuel Bourg
Re: ca-certificates-java_20170930_source.changes ACCEPTED into unstable
On Sat, Sep 30, 2017 at 10:18 AM, Emmanuel Bourg wrote: > Hi Matthias, > > Le 30/09/2017 à 02:35, Debian FTP Masters a écrit : > >> - Stop fiddling around with jvm-*.cfg files. ca-certificates-java >>has no business with providing an initial cacerts file. This is >>implemented in the openjdk packages. We are not 2008 anymore. > > Are you suggesting that we should drop ca-certificates-java and just > rely on the root certificates from OpenJDK instead? I would welcome this > simplification, the certificates in OpenJDK are frequently updated > anyway, and that would improve the consistency with the Oracle JDK. This change simply dropped the logic where the postinst script tried to detect a jvm.cfg in /etc/ and then created one in case it wasn't there. This is no longer required because OpenJDK was patched back in 2008 [1] to look for a "jvm.cfg-default" file that we ship with the package and is in a good and known state. The fact that ca-certificates-java failed just now is because of the introduction of aarch32 which does not have a C2 compiler (ie. server) as expected by the temporary jvm.cfg setup it uses. This was never a suggestion to actually drop the package. To give an overview of the issue, this happens during install time when both openjdk and ca-certificates are being installed because /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/amd64/jvm.cfg is a symlink to /etc/java-8-openjdk/jvm-amd64.cfg (on amd64) which does not exist until the openjdk package is configured. The patched openjdk looks instead for the other default jvm.cfg that we ship exactly for this reason. $ ls -l /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/amd64/jvm.cfg* lrwxrwxrwx 1 root root 33 Aug 23 15:41 /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/amd64/jvm.cfg -> /etc/java-8-openjdk/jvm-amd64.cfg -rw-r--r-- 1 root root 278 Aug 23 15:41 /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/amd64/jvm.cfg-default [1] http://bazaar.launchpad.net/~openjdk/openjdk/openjdk6/revision/315 Regards, Tiago -- Tiago Stürmer Daitx Software Engineer tiago.da...@canonical.com PGP Key: 4096R/F5B213BE (hkp://keyserver.ubuntu.com) Fingerprint = 45D0 FE5A 8109 1E91 866E 8CA4 1931 8D5E F5B2 13BE
Re: ca-certificates-java_20170930_source.changes ACCEPTED into unstable
On 30.09.2017 16:18, Emmanuel Bourg wrote: > Hi Matthias, > > Le 30/09/2017 à 02:35, Debian FTP Masters a écrit : > >> - Stop fiddling around with jvm-*.cfg files. ca-certificates-java >>has no business with providing an initial cacerts file. This is >>implemented in the openjdk packages. We are not 2008 anymore. > > Are you suggesting that we should drop ca-certificates-java and just > rely on the root certificates from OpenJDK instead? I would welcome this > simplification, the certificates in OpenJDK are frequently updated > anyway, and that would improve the consistency with the Oracle JDK. No. Why should we?
Re: ca-certificates-java_20170930_source.changes ACCEPTED into unstable
On Sat, 30 Sep 2017, Emmanuel Bourg wrote: > Are you suggesting that we should drop ca-certificates-java and just > rely on the root certificates from OpenJDK instead? I would welcome this > simplification, the certificates in OpenJDK are frequently updated > anyway, and that would improve the consistency with the Oracle JDK. IMHO consistency within Debian is *much* more important. I would be seriously fucked off if I could connect to a host using something like wget but not a Java™ application, after installing the custom CA into /etc/ssl/certs or similar, or even with the defaults. bye, //mirabilos -- tarent solutions GmbH Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/ Tel: +49 228 54881-393 • Fax: +49 228 54881-235 HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941 Geschäftsführer: Dr. Stefan Barth, Kai Ebenrett, Boris Esser, Alexander Steeg
Re: ca-certificates-java_20170930_source.changes ACCEPTED into unstable
Hi Matthias, Le 30/09/2017 à 02:35, Debian FTP Masters a écrit : > - Stop fiddling around with jvm-*.cfg files. ca-certificates-java >has no business with providing an initial cacerts file. This is >implemented in the openjdk packages. We are not 2008 anymore. Are you suggesting that we should drop ca-certificates-java and just rely on the root certificates from OpenJDK instead? I would welcome this simplification, the certificates in OpenJDK are frequently updated anyway, and that would improve the consistency with the Oracle JDK. Emmanuel Bourg