Bug#1032093: jameica: missing dependencies
* Thomas Uhle [2023-02-28 21:00]: I was not able to reproduce this. On an up to date Debian unstable I tried: $ sudo apt install debvm # create a Debian unstable VM $ debvm-create --size=10G -- --include=task-gnome-desktop --aptopt='Apt::Install-Recommends "true"' --include=linux-image-amd64 --hook-dir=/usr/share/mmdebstrap/hooks/useradd # run it with qemu $ debvm-run -g -- -m 4G # inside the VM install hibiscus $ sudo apt install --no-install-recommends hibiscus # run it $ jameica Can you try this and maybe check the difference to your system? I cannot do this, I am on an ARMv9 platform (Debian's arm64 architecture). It should work on arm64 just as well and I would be interested in your experience with it. However, I still had bcpkix.jar linking to bcpkix-jdk18on-1.72.jar as well as bcprov.jar and bcputil.jar linking to bcprov-jdk18on-1.72.jar and bcutil-jdk18on-1.72.jar resp. which I had been downloading from Maven Central before I prepared the pull request for Olaf Willuhn (upstream). Although I thought they were basically the same, there have to be differences. After reverting the links to the jar files that are provided by Debian, there is no such issue indeed. So I tried to track this down to bcpkix.jar. If only this jar file is exchanged by the one from Maven Central, then it doesn't matter whether the other two are from Debian or Maven Central. Then this issue is happening. So the difference must be within bcpkix.jar. I had a look into both versions and saw that the manifest in Debian's bcpkix.jar specifies Class-Path: bcprov.jar bcutil.jar whereas the manifest in Maven's bcpkix.jar has no class path specified. I guess this is the reason why it works with Debian's BouncyCastle jar files even if the manifest of jameica.jar does not specify a class path with bcutil.jar. Thanks for figuring this out! I cannot confirm this. After removing both bcutil-1.72.jar and bcutil.jar, (even with the other two libraries taken from Debian) I run into this issue when Jameica tries to generate the self-signed certificate for a new user profile. It does not quit after the exception but seems to hang forever, the splash screen stays open saying "generating new keys and certificates ..." for minutes. Eventually I have yet lost my patience and killed the process. I forgot to move away my ~/.jameica/ so yes I can see the error now. Cheers Jochen signature.asc Description: PGP signature
Bug#1032093: jameica: missing dependencies
Hello Jochen, thank you for the immediate response. Please find my answers below. On Tue, 28 Feb 2023, Jochen Sprickerhof wrote: * Thomas Uhle [2023-02-27 20:58]: > Jameica dies with the following messages if it is started for the very > first time, i.e., with an empty user profile directory $HOME/.jameica: > > [Mon Feb 27 18:48:06 CET 2023][INFO][main][de.willuhn.jameica.gui.SplashScreen$3.run] generating new keys and certificates ... > [Mon Feb 27 18:48:06 CET 2023][INFO][main][de.willuhn.jameica.security.SSLFactory.init] generating rsa keypair > [Mon Feb 27 18:48:09 CET 2023][INFO][main][de.willuhn.jameica.security.SSLFactory.init] generating selfsigned x.509 certificate > [Mon Feb 27 18:48:09 CET 2023][INFO][main][de.willuhn.jameica.security.SSLFactory.init] using hostname: localhost > Exception in thread "main" java.lang.NoClassDefFoundError: org/bouncycastle/asn1/cms/CMSObjectIdentifiers >at org.bouncycastle.operator.DefaultSignatureNameFinder.(Unknown Source) >at org.bouncycastle.operator.jcajce.OperatorHelper.(Unknown Source) >at org.bouncycastle.operator.jcajce.JcaContentSignerBuilder.(Unknown Source) >at de.willuhn.jameica.security.SSLFactory.init(SSLFactory.java:291) >at de.willuhn.jameica.services.SSLService.init(SSLService.java:45) >at de.willuhn.boot.BootLoader.resolve(BootLoader.java:139) >at de.willuhn.boot.BootLoader.resolve(BootLoader.java:119) >at de.willuhn.boot.BootLoader.resolve(BootLoader.java:119) >at de.willuhn.boot.BootLoader.getBootable(BootLoader.java:72) >at de.willuhn.jameica.system.Application.init(Application.java:103) >at de.willuhn.jameica.system.Application.newInstance(Application.java:87) >at de.willuhn.jameica.Main.main(Main.java:78) > Caused by: java.lang.ClassNotFoundException: org.bouncycastle.asn1.cms.CMSObjectIdentifiers >at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:641) >at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:188) >at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:520) >... 12 more I was not able to reproduce this. On an up to date Debian unstable I tried: $ sudo apt install debvm # create a Debian unstable VM $ debvm-create --size=10G -- --include=task-gnome-desktop --aptopt='Apt::Install-Recommends "true"' --include=linux-image-amd64 --hook-dir=/usr/share/mmdebstrap/hooks/useradd # run it with qemu $ debvm-run -g -- -m 4G # inside the VM install hibiscus $ sudo apt install --no-install-recommends hibiscus # run it $ jameica Can you try this and maybe check the difference to your system? I cannot do this, I am on an ARMv9 platform (Debian's arm64 architecture). However, I still had bcpkix.jar linking to bcpkix-jdk18on-1.72.jar as well as bcprov.jar and bcputil.jar linking to bcprov-jdk18on-1.72.jar and bcutil-jdk18on-1.72.jar resp. which I had been downloading from Maven Central before I prepared the pull request for Olaf Willuhn (upstream). Although I thought they were basically the same, there have to be differences. After reverting the links to the jar files that are provided by Debian, there is no such issue indeed. So I tried to track this down to bcpkix.jar. If only this jar file is exchanged by the one from Maven Central, then it doesn't matter whether the other two are from Debian or Maven Central. Then this issue is happening. So the difference must be within bcpkix.jar. I had a look into both versions and saw that the manifest in Debian's bcpkix.jar specifies Class-Path: bcprov.jar bcutil.jar whereas the manifest in Maven's bcpkix.jar has no class path specified. I guess this is the reason why it works with Debian's BouncyCastle jar files even if the manifest of jameica.jar does not specify a class path with bcutil.jar. I've added this to follow upstream but even when I remove the bcutil-1.72.jar it works fine, so not sure what is going on. I cannot confirm this. After removing both bcutil-1.72.jar and bcutil.jar, (even with the other two libraries taken from Debian) I run into this issue when Jameica tries to generate the self-signed certificate for a new user profile. It does not quit after the exception but seems to hang forever, the splash screen stays open saying "generating new keys and certificates ..." for minutes. Eventually I have yet lost my patience and killed the process. Anyway, I've added both jars and uploaded a new version. Cheers Jochen Thank you! Cheers, Thomas
Bug#1032093: jameica: missing dependencies
Hi Thomas, thanks a lot for your bug report! * Thomas Uhle [2023-02-27 20:58]: Jameica dies with the following messages if it is started for the very first time, i.e., with an empty user profile directory $HOME/.jameica: [Mon Feb 27 18:48:06 CET 2023][INFO][main][de.willuhn.jameica.gui.SplashScreen$3.run] generating new keys and certificates ... [Mon Feb 27 18:48:06 CET 2023][INFO][main][de.willuhn.jameica.security.SSLFactory.init] generating rsa keypair [Mon Feb 27 18:48:09 CET 2023][INFO][main][de.willuhn.jameica.security.SSLFactory.init] generating selfsigned x.509 certificate [Mon Feb 27 18:48:09 CET 2023][INFO][main][de.willuhn.jameica.security.SSLFactory.init] using hostname: localhost Exception in thread "main" java.lang.NoClassDefFoundError: org/bouncycastle/asn1/cms/CMSObjectIdentifiers at org.bouncycastle.operator.DefaultSignatureNameFinder.(Unknown Source) at org.bouncycastle.operator.jcajce.OperatorHelper.(Unknown Source) at org.bouncycastle.operator.jcajce.JcaContentSignerBuilder.(Unknown Source) at de.willuhn.jameica.security.SSLFactory.init(SSLFactory.java:291) at de.willuhn.jameica.services.SSLService.init(SSLService.java:45) at de.willuhn.boot.BootLoader.resolve(BootLoader.java:139) at de.willuhn.boot.BootLoader.resolve(BootLoader.java:119) at de.willuhn.boot.BootLoader.resolve(BootLoader.java:119) at de.willuhn.boot.BootLoader.getBootable(BootLoader.java:72) at de.willuhn.jameica.system.Application.init(Application.java:103) at de.willuhn.jameica.system.Application.newInstance(Application.java:87) at de.willuhn.jameica.Main.main(Main.java:78) Caused by: java.lang.ClassNotFoundException: org.bouncycastle.asn1.cms.CMSObjectIdentifiers at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:641) at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:188) at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:520) ... 12 more I was not able to reproduce this. On an up to date Debian unstable I tried: $ sudo apt install debvm # create a Debian unstable VM $ debvm-create --size=10G -- --include=task-gnome-desktop --aptopt='Apt::Install-Recommends "true"' --include=linux-image-amd64 --hook-dir=/usr/share/mmdebstrap/hooks/useradd # run it with qemu $ debvm-run -g -- -m 4G # inside the VM install hibiscus $ sudo apt install --no-install-recommends hibiscus # run it $ jameica Can you try this and maybe check the difference to your system? The reason is that in BouncyCastle version 1.69 some code was moved from bcprov.jar into the new bcutil.jar, and the class path of jameica.jar still references only bcprov.jar and bcpkix.jar but not bcutil.jar (please cf. https://github.com/willuhn/jameica/issues/42#issuecomment-1418240499). This is easily fixed by adding /usr/share/java/bcutil.jar to debian/patches/0001-Update-locations-of-Java-libraries.patch. Maybe it makes sense to also add libbcutil-java to Jameica's package dependencies in debian/control because of its jar file being explicitly on the class path. I've added this to follow upstream but even when I remove the bcutil-1.72.jar it works fine, so not sure what is going on. Another issue comes from switching default-jre to openjdk-17-jre which has been openjdk-11-jre before. The bundled JavaScript engine has been removed in OpenJDK 15 which causes the following warning at the start: [Mon Feb 27 19:05:01 CET 2023][WARN][main][de.willuhn.jameica.services.ScriptingService.init] java does not support scripting (RhinoScript) So Jameica's scripting service is no longer usable unless rhino.jar and rhino-engine.jar is added to the class path of jameica.jar (please cf. https://github.com/willuhn/jameica/issues/43). Similar to the previous fix, you can simply add /usr/share/java/rhino.jar to debian/patches/0001-Update-locations-of-Java-libraries.patch and add librhino-java to Jameica's package dependencies in debian/control. It might make sense to already add /usr/share/java/rhino-engine.jar to the class path as well although Debian's current version of librhino-java contains all the code in one single file js-1.7.7.2.jar that rhino.jar is linking to. This one I can reproduce, thanks! Anyway, I've added both jars and uploaded a new version. Cheers Jochen signature.asc Description: PGP signature
Bug#1032093: jameica: missing dependencies
Package: jameica Version: 2.10.3+dfsg-1 Severity: important Tags: fixed-upstream X-Debbugs-Cc: Jochen Sprickerhoff Dear maintainers, Jameica dies with the following messages if it is started for the very first time, i.e., with an empty user profile directory $HOME/.jameica: [Mon Feb 27 18:48:06 CET 2023][INFO][main][de.willuhn.jameica.gui.SplashScreen$3.run] generating new keys and certificates ... [Mon Feb 27 18:48:06 CET 2023][INFO][main][de.willuhn.jameica.security.SSLFactory.init] generating rsa keypair [Mon Feb 27 18:48:09 CET 2023][INFO][main][de.willuhn.jameica.security.SSLFactory.init] generating selfsigned x.509 certificate [Mon Feb 27 18:48:09 CET 2023][INFO][main][de.willuhn.jameica.security.SSLFactory.init] using hostname: localhost Exception in thread "main" java.lang.NoClassDefFoundError: org/bouncycastle/asn1/cms/CMSObjectIdentifiers at org.bouncycastle.operator.DefaultSignatureNameFinder.(Unknown Source) at org.bouncycastle.operator.jcajce.OperatorHelper.(Unknown Source) at org.bouncycastle.operator.jcajce.JcaContentSignerBuilder.(Unknown Source) at de.willuhn.jameica.security.SSLFactory.init(SSLFactory.java:291) at de.willuhn.jameica.services.SSLService.init(SSLService.java:45) at de.willuhn.boot.BootLoader.resolve(BootLoader.java:139) at de.willuhn.boot.BootLoader.resolve(BootLoader.java:119) at de.willuhn.boot.BootLoader.resolve(BootLoader.java:119) at de.willuhn.boot.BootLoader.getBootable(BootLoader.java:72) at de.willuhn.jameica.system.Application.init(Application.java:103) at de.willuhn.jameica.system.Application.newInstance(Application.java:87) at de.willuhn.jameica.Main.main(Main.java:78) Caused by: java.lang.ClassNotFoundException: org.bouncycastle.asn1.cms.CMSObjectIdentifiers at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:641) at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:188) at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:520) ... 12 more The reason is that in BouncyCastle version 1.69 some code was moved from bcprov.jar into the new bcutil.jar, and the class path of jameica.jar still references only bcprov.jar and bcpkix.jar but not bcutil.jar (please cf. https://github.com/willuhn/jameica/issues/42#issuecomment-1418240499). This is easily fixed by adding /usr/share/java/bcutil.jar to debian/patches/0001-Update-locations-of-Java-libraries.patch. Maybe it makes sense to also add libbcutil-java to Jameica's package dependencies in debian/control because of its jar file being explicitly on the class path. Another issue comes from switching default-jre to openjdk-17-jre which has been openjdk-11-jre before. The bundled JavaScript engine has been removed in OpenJDK 15 which causes the following warning at the start: [Mon Feb 27 19:05:01 CET 2023][WARN][main][de.willuhn.jameica.services.ScriptingService.init] java does not support scripting (RhinoScript) So Jameica's scripting service is no longer usable unless rhino.jar and rhino-engine.jar is added to the class path of jameica.jar (please cf. https://github.com/willuhn/jameica/issues/43). Similar to the previous fix, you can simply add /usr/share/java/rhino.jar to debian/patches/0001-Update-locations-of-Java-libraries.patch and add librhino-java to Jameica's package dependencies in debian/control. It might make sense to already add /usr/share/java/rhino-engine.jar to the class path as well although Debian's current version of librhino-java contains all the code in one single file js-1.7.7.2.jar that rhino.jar is linking to. Best regards, Thomas Uhle